Spring sports and outdoor activities are the highlights of the day for millions of students nationwide. For coaches and parents, however, hectic schedules can easily become overwhelming. Social sites such as Shutterfly have made keeping track of everything easier, allowing users (anyone over the age of 13) to upload photos, home addresses, e-mail addresses, gender information, phone numbers, school names, jersey numbers, and game schedules all in one place. Because of its capability to manage schedules along with teammate contact information, Shutterfly has grown in popularity over the past few years. In fact, the American Youth Soccer Organization has partnered with the social site, and coaches from over 50,000 soccer teams encourage parents and fellow coaches to utilize the service. But, Shutterfly isn’t as safe as its privacy policy states it is.
In a recent article published by Mother Jones, it’s revealed that Shutterfly’s whole site isn’t protected with SSL—a strong form of Internet security that’s used to prevent hackers from accessing user/member data. The login pages are protected. However, team pages that include detailed student information are without SSL.
SSL stands for Secure Sockets Layer. It’s a protocol that provides assurance that a site is legimate, that the connection hasn’t been modified by a hacker, and that no one is intercepting information flowing between the user and the site. You can tell which sites are secure because they begin with “https” instead of “http.” Sites without SSL are easier for hackers to grab information from such as usernames, passwords, and personal information because this information can be sent across an insecure connection.
Technology experts agree that it doesn’t matter if a site is using SSL on its login page if they’re not using it elsewhere. Seth Schoen, senior staff technologist at the Electronic Frontier Foundation explains, “If Gmail applied the same logic, anyone on a wifi network with you could see all of the e-mails that you read and write while you’re logged in.”
The Mother Jones article, which was published May 3, 2013 brings to light another alarming fact—Shutterfly has been aware of the security issues for at least six months but hasn’t taken action to fix them. Sensitive student information can easily be obtained by anyone with basic tech skills, a quick download of a program called Cookie Cadger, and a computer with the right equipment.
Shutterfly isn’t the only site that boycotts SSL. Eteamz is another social sharing site designed to cater to youth sporting teams. It works in much the same way as Shutterfly, and since 2008, has had several million users. Pinterest and Reddit are also not SSL-protected across their entire site.
Is this a real concern? There are no news reports of information being hacked from non-SSL forms, but security experts do recognize it as a risk. And it’s a risk that users don’t have to take with other social sites available that offer the same functionality and SSL protection such as Facebook and Google.
In 2011, thousands of Facebook pages were hacked by the software program Firesheep that works in the same way as Cookie Cadger. (Cookie Cadger is more up-to-date and works across new browsers.) At a TED Conference, a hacker used the program to tweet from Ashton Kutcher’s Twitter account. These events prompted Facebook, Twitter, and Google to step up their security. For more information on how to protect your WiFi workflow read, How to Surf Safely With A VPN-For-Hire.
Additional ISM articles of interest
ISM Monthly Update for Division Heads Vol. 8 No. 7 YouTube For Your Classes: Is it Safe?
