I am telling you what the system is showing and how you can help get the system working. The SUAC cannot fix this problem for you as we do not have the tools to do so. Your option, other than what I described earlier, is to have a council staff member open a ticket with BSA IT and wait for a resolution, which I suspect will not be quick.
@edavignon
How will this person registering in my.scouting help them show up in the list of MBCs in our council?
Why do they even NEED a my.scouting registration to show up as a counselor?
The problem is they have no Scoutbook account with the MID where they are registered as an MBC. I have asked the developers to investigate why a MID with a current registration does not have an account, however, a SB account is required in order to be listed as an MBC in Scoutbook.
Care to educate us about how it is a serious legal risk? I don't think it is, but you seem to be very sure. How is it such a big risk?
@Matt.Johnson Data privacy is a hugely complicated and nuanced issue. The mere fact that someone in a position of authority would glibly assert that the primary identification numbers used by the organization are not PII belays a huge (lack of) education issue. The CPO for BSA would have a very different view (assuming they even have a CPO and that they are worth their salt).
Data privacy laws vary by state. Since BSA is a national organization they should comply with the most strict data privacy laws in the country to be safe.
@JamesBrown13 Well, as General Counsel has advised SUAC it is a safe and fine process, I think we are covered.
@DonovanMcNeil Ask the GC how publishing someone else's PII (ID numbers) on a public forum comports with the NY state SHIELD act (or numerous other states' privacy laws).
I personally don't think BSA can survive another $850M settlement, but maybe those $100+ annual registration fees can cover it.
Having worked in healthcare and dealing with having served as a HIPAA compliance officer, it comes back to the definitions.
DHS defines personally identifiable information or PII as any information that permits the identity of an individual to be directly or indirectly inferred
78943474412 Does not do that
78943474412 who is a tiger cub in pack 32 does not do it as there are many pack 32's
78943474412 who is a tiger cub in pack 32 in mickey mouse council comes really close to it (still a number of cubs in den)
78943474412 who is the newest tiger cub in pack 32 in mickey mouse council rings the bell for sure
Ron
ScoutBook ID is quite sufficient.
<img src="https://d1kn0x9vzr5n76.cloudfront.net/images/users/282000/281779.BD804AFE27.100.jpg" class="imageSmall ui-corner-all ui-shadow profilePopup" data-userid="281779">
Shows up on every results page. You can get the list of people for your entire council by simply not specifying a zip code or name on the search form.
Scoutbook ID is unquestionably PII. So is your BSA ID and council because it's unique within a council.
If your BSA ID and council were not able to identify you then you'd need to share more than that here on the forum for the SUAC people to be able to find and fix an issue. The fact that only that information is sufficient proves, beyond any doubt, that a person can be looked up with that information. Thus it "permits the identity of an individual to be directly or indirectly inferred".
If they have access to the system. Only admins have access. I don't get it.
First, "only for those with access" isn't a requirement for a data breach.
Second, anyone in the council can get a complete list of names, addresses, phone numbers, etc. that maps to the SB IDs by simply listing the MBs through the SB interface.
But then they have everything. I don't get it.
Then they have the info, I don't get it either.
In both examples, they have all of the info, of course they have the info. If you give me a BSA ID, I can't connect it to anyone.
@JamesBrown13 - ok... here is my grand lodge of new jersey member id number 4045... let me know what you find sport.
I'm not in your council, "sport". Only the several hundred / thousand people in your council could map that number to you.
Scoutbook IDs are universal (UUIDs) so if you care to share your SB ID I can pull that up.
You are one of the folks with special access to the DB so you can get names and other information without any piece of information.
If you know a way that someone without special access can retrieve PII with just a BSA Member ID or SB User ID, say so and I'll send you a private message so you can explain the process and I can get the developers to plug the hole.
@Matt.Johnson Since SB IDs are UUIDs, I can find info on anyone via the SB ID.
It's not particularly complicated. Here are the instructions for Chrome.
Go to SB and do a MB search that returns any results. You could search for yourself or just leave all the fields blank and hit search.
Now that you have a results page with at least one person, right click on the person's picture (or the avatar if they don't have a pic) and select "Inspect" from the browser menu.
You'll see an image tag highlighted.
<img src="https://d1kn0x9vzr5n76.cloudfront.net/images/users/282000/281779.BD804AFE27.100.jpg" class="imageSmall ui-corner-all ui-shadow profilePopup" data-userid="281779">
Simply substitute the scoutbook ID you are interested in for the one at the end of the line (bold in the example above) and hit enter.
Now left click on the person's picture. You'll see the information for the SB ID you just put in.
Picture, first name and initial of last name, what council and unit they are in, what position they hold, Scouting experience and other profile info they share.
As far as I can tell, they don't even have to be a MBC. ANY person registered with SB can be viewed. I suspect both adults and youth, though I haven't specifically tested the youth info.
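What the post above describes is a missing object-level authorization check: the profile popup is returned for whatever user ID the browser sends. The sketch below is an added example, not part of the original post and not Scoutbook's code; the data model, the sample records and the access policy (self, shared unit, or a merit badge counselor listed in the viewer's own council) are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    user_id: int
    name: str
    council: str
    units: frozenset       # units the person belongs to
    is_mbc: bool = False   # listed merit badge counselor

# Constructed sample records (hypothetical, not real users).
PROFILES = {
    1001: Profile(1001, "Alex R.", "Council A", frozenset({"Troop 1"})),
    1002: Profile(1002, "Blake S.", "Council A", frozenset({"Troop 1"}), True),
    1003: Profile(1003, "Casey T.", "Council B", frozenset({"Pack 32"})),
    1004: Profile(1004, "Drew U.", "Council B", frozenset({"Troop 9"}), True),
}

class Forbidden(Exception):
    pass

def get_profile_unchecked(viewer_id, target_id):
    """Pattern described in the post: any logged-in viewer, any target ID."""
    return PROFILES[target_id]

def may_view(viewer, target):
    """Assumed policy: self, shared unit, or MBC listed in the viewer's council."""
    if viewer.user_id == target.user_id:
        return True
    if viewer.units & target.units:
        return True
    return target.is_mbc and viewer.council == target.council

def get_profile(viewer_id, target_id):
    """Authorize on the server for every request. The client-supplied
    target_id (the data-userid attribute) is never trusted on its own."""
    viewer = PROFILES.get(viewer_id)
    target = PROFILES.get(target_id)
    # Same error for 'unknown ID' and 'not allowed', so responses do not
    # confirm which IDs exist.
    if viewer is None or target is None or not may_view(viewer, target):
        raise Forbidden("profile not available")
    return target
```

Editing the attribute in the browser changes only `target_id`; with the check in place the response depends on the viewer's relationship to the target, not on which ID was typed in.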
Just replied to Matt with the steps.
So this sounds different from the discussion about BSA Member IDs. It sounds like an argument that the access is "open" for anyone who already has registered leader access to the interface and trawls through with a series of semi-random Scoutbook UserIDs to pull up information. I'm not arguing it's not a vulnerability (I haven't played with it yet), but I'm trying to clarify if you're saying there's a similar attack path using BSA Member IDs.
ETA: I poked this and, unless I managed to do something wrong (always possible with me) inserting a known-good UserID did not get me access to their data. I already have access to the person whose UserID I tested, so it's not like I was trawling for information I wouldn't already have seen as a unit admin.
Test mine. It's posted above.
I can confirm it works for someone well outside my council. I trolled the Scoutbook bug forum here and found several SB IDs. All of them worked and they are scattered across the country.
HOWEVER - NONE OF THIS has anything to do with whether sharing SB IDs or BSA IDs on a public forum is a violation of privacy laws. Whether or not there is easy access to the info, it's STILL a violation.
Even if SB plugs this Mack Truck sized information hole (and that's only one of no doubt hundreds of similar issues), it's still a violation for us to be sharing this PII in public.
It gives access to a photograph