After seeing the devastation from Hurricanes Harvey and Irma, many in our kehilla wanted to help the victims in any way they could. Some of us donated money, while others donated their time and went to neighborhoods in Houston and Miami to help homeowners clean up and to provide other life necessities. Having helped during Superstorm Sandy cleaning out houses in Long Beach, it is heartening to see the outpouring of chesed from our community. But sadly, there are fraudsters who take advantage of situations like this for illicit financial gain.
When we see stories about fraud stemming from these events on the news, they usually report on fake internet donation sites, unscrupulous thieves passing themselves off as contractors and an uptick in hurricane relief phishing emails. Yet, something I’ve noticed seems so benign, if I weren’t indirectly affected by it I wouldn’t have even thought about it. I’m talking about harvesting personal information from unprotected Google Drive documents used in many communities or among friends as a free and convenient way to mobilize and assist the hurricane victims.
Here’s an example of how a good thing can be used for bad.
Chesed USA has a dedicated group of volunteers who mobilize anytime there is an emergency in the community. They keep track of the volunteers in a Google Drive spreadsheet that is made public so anyone in their kehilla can join. To publicize the spreadsheet, a link was posted on all the areas shul and yeshiva websites. Within the spreadsheet is a listing of each volunteer with their name, mobile number, address, email address and availability. There is also a comments field so each person can let the chesed coordinators know of any issues that may preclude that person from helping in a specific incident.
One person (let’s call her Malky) said in the comments field that she and her family will be in Eretz Yisroel for Rosh Hashanah through Sukkot. Malky had no clue that what she posted was not advisable in a public document; in fact, she felt pretty good that she had advised the group that she will be available to help anytime except that time.
Needless to say, unfortunately when Malky and family returned home they found their house ransacked and many family heirlooms gone. But something else happened as well; some people on the spreadsheet started receiving a large number of robocalls on their mobile phones and other solicitations via email. Some were sent phishing emails with information they had put into the spreadsheet. It seems that because the spreadsheet was public, nefarious individuals were searching and came across this list of 250+ kehilla members and their information.
I created the story above based on an experience I had of being asked to join a carpool list for a friend who needed people to drive him to therapy twice a week. A shared Google Drive spreadsheet was created so friends and the frum community at large could sign up to drive him. We were asked to fill in our name, mobile number and the dates we were available (no email addresses were posted). As I use a Google voice number when I don’t want to give out my mobile number, I started noticing within a few weeks that I was receiving a lot of calls on that number to pay off my student loan (my loan was paid off decades ago) or refinance my house. I even received a call from the IRS in Washington saying that I was going to be arrested shortly for not paying my taxes (if you don’t know about this scam, look it up on Google). I decided to change my Google voice number on the web document and see what happens. To my surprise, my robocall volume went down after a few weeks but of course they haven’t ceased yet.
While I am not certain that my mobile number was taken from that sheet, it made me think how easy it is to search for public documents that contain an abundance of information.
If you are a business you should check out G Suite from Google Cloud as a more secure alternative to Google Drive, although there is a fee involved.
The following steps are a few of the fundamental things every person should do in order to minimize the threat of data leaking from documents if you are using Google Drive:
- Never post confidential personal information to the web unless you know it is protected. Ask questions of the person who created any form that they ask you to input information into if you are unsure.
- Change your defaults to maximum privacy in Google Drive. If you need to have specific people access certain documents, send them a link via email.
- Create folders on your Google Drive that can be either public or private. By creating folders, you can add files to the folders that will take on the security characteristics of the folder itself.
- If you need to keep your documents public, remember that the information is potentially viewable by everyone. Only ask for minimal information if possible.
It is always a good rule of thumb to make sure you know what information you’re posting and who has the ability to read it. Many of us do not want our email or mobile numbers exposed on the internet so think before you post.
By Moishe Zahler
