I have lots of consistency issues between scoutbook and scoutNet re: merit badge counselors

@JamesBrown13

I am telling you what the system is showing and how you can help get the system working. The SUAC cannot fix this problem for you as we do not have the tools to do so. Your option, other than what I described earlier, is to have a council staff member open a ticket with BSA IT and wait for a resolution, which I suspect will not be quick.

1 Like

@edavignon
How will this person registering in my.scouting help them show up in the list of MBCs in our council?

Why do they even NEED a my.scouting registration to show up as a counselor?

The problem is they have no Scoutbook account with the MID where they are registered as an MBC. I have asked the developers to investigate why a MID with a current registration does not have an account; however, an SB account is required in order to be listed as an MBC in Scoutbook.

3 Likes

Care to educate us about how it is a serious legal risk? I don’t think it is, but you seem to be very sure. How is it such a big risk?

2 Likes

@Matt.Johnson Data privacy is a hugely complicated and nuanced issue. The mere fact that someone in a position of authority would glibly assert that the primary identification numbers used by the organization are not PII belays a huge (lack of) education issue. The CPO for BSA would have a very different view (assuming they even have a CPO and that they are worth their salt).

Data privacy laws vary by state. Since BSA is a national organization they should comply with the most strict data privacy laws in the country to be safe.

1 Like

@JamesBrown13 Well, as General Counsel has advised SUAC it is a safe and fine process, I think we are covered.

2 Likes

@DonovanMcNeil Ask the GC how publishing someone else’s PII (ID numbers) on a public forum comports with the NY state SHIELD act (or numerous other states’ privacy laws).

I personally don’t think BSA can survive another $850M settlement, but maybe those $100+ annual registration fees can cover it.

1 Like

Having worked in healthcare and dealing with having served as a HIPAA compliance officer, it comes back to the definitions.

DHS defines personally identifiable information or PII as any information that permits the identity of an individual to be directly or indirectly inferred.

78943474412 does not do that
78943474412 who is a tiger cub in pack 32 does not do it as there are many pack 32’s
78943474412 who is a tiger cub in pack 32 in mickey mouse council comes really close to it (still a number of cubs in den)
78943474412 who is the newest tiger cub in pack 32 in mickey mouse council rings the bell for sure

Ron

3 Likes

ScoutBook ID is quite sufficient.

<img src="https://d1kn0x9vzr5n76.cloudfront.net/images/users/282000/281779.BD804AFE27.100.jpg" class="imageSmall ui-corner-all ui-shadow profilePopup" data-userid="281779">

Shows up on every results page. You can get the list of people for your entire council by simply not specifying a zip code or name on the search form.

Scoutbook ID is unquestionably PII. So is your BSA ID and council because it’s unique within a council.

If your BSA ID and council were not able to identify you then you’d need to share more than that here on the forum for the SUAC people to be able to find and fix an issue. The fact that only that information is sufficient proves, beyond any doubt, that a person can be looked up with that information. Thus it “permits the identity of an individual to be directly or indirectly inferred”.

1 Like

If they have access to the system. Only admins have access. I don’t get it.

1 Like

First, “only for those with access” isn’t a requirement for a data breach.

Second, anyone in the council can get a complete list of names, addresses, phone numbers, etc. that maps to the SB IDs by simply listing the MBs through the SB interface.

1 Like

But then they have everything. I don’t get it.

Then they have the info, I don’t get it either.

In both examples, they have all of the info, of course they have the info. If you give me a BSA ID, I can’t connect it to anyone.

@JamesBrown13 - ok
 here is my grand lodge of new jersey member id number 4045
 let me know what you find sport.

1 Like

I’m not in your council, “sport”. Only the several hundred / thousand people in your council could map that number to you.

Scoutbook IDs are universal (UUIDs) so if you care to share your SB ID I can pull that up.

@JamesBrown13

You are one of the folks with special access to the DB so you can get names and other information without any piece of information.

If you know a way that someone without special access can retrieve PII with just a BSA Member ID or SB User ID, say so and I’ll send you a private message so you can explain the process and I can get the developers to plug the hole.

1 Like

@Matt.Johnson Since SB IDs are UUIDs, I can find info on anyone via the SB ID.

It’s not particularly complicated. Here are the instructions for Chrome.

Go to SB and do a MB search that returns any results. You could search for yourself or just leave all the fields blank and hit search.

Now that you have a results page with at least one person, right click on the person’s picture (or the avatar if they don’t have a pic) and select “Inspect” from the browser menu.

You’ll see an image tag highlighted.

<img src="https://d1kn0x9vzr5n76.cloudfront.net/images/users/282000/281779.BD804AFE27.100.jpg" class="imageSmall ui-corner-all ui-shadow profilePopup" data-userid="281779">

Simply substitute the scoutbook ID you are interested in for the one at the end of the line (bold in the example above) and hit enter.

Now left click on the person’s picture. You’ll see the information for the SB ID you just put in.

Picture, first name and initial of last name, what council and unit they are in, what position they hold, Scouting experience and other profile info they share.

As far as I can tell, they don’t even have to be a MBC. ANY person registered with SB can be viewed. I suspect both adults and youth, though I haven’t specifically tested the youth info.
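The lookup described in the post above depends on an ID value supplied by the browser. As an added example (not part of the original thread and not Scoutbook's code), the following shows a server-side check that decides what a profile lookup returns from the logged-in session rather than from the submitted ID; the records, function names and access policy are assumptions made for illustration.

```javascript
// Added example: server-side authorization for a profile-card lookup.
// All records, names and the policy below are constructed for illustration.
const USERS = new Map([
  [1001, { id: 1001, name: "Alex A.", council: "North", units: ["North/Troop 5"], isMBC: false }],
  [1002, { id: 1002, name: "Blake B.", council: "North", units: ["North/Troop 5"], isMBC: false }],
  [1003, { id: 1003, name: "Casey C.", council: "North", units: ["North/Pack 9"], isMBC: true }],
  [2001, { id: 2001, name: "Drew D.", council: "South", units: ["South/Troop 7"], isMBC: true }],
]);

// Assumed policy: a requester may view a card only for themselves, for someone
// who shares a unit, or for a counselor listed in the requester's own council.
function relationship(requester, target) {
  if (requester.id === target.id) return "self";
  if (target.units.some((u) => requester.units.includes(u))) return "same-unit";
  if (target.isMBC && target.council === requester.council) return "council-mbc";
  return null;
}

// sessionUserId comes from the authenticated session. requestedId is the
// client-supplied value (for example a data-userid attribute) and is treated
// only as a request, never as proof of entitlement.
function getProfileCard(sessionUserId, requestedId) {
  const requester = USERS.get(sessionUserId);
  if (!requester) return { status: 401 };

  const id = Number(requestedId);
  const target = Number.isInteger(id) ? USERS.get(id) : undefined;
  const rel = target ? relationship(requester, target) : null;

  // Same response for "no such user" and "not allowed", so the endpoint
  // does not confirm which IDs exist.
  if (!rel) return { status: 404 };

  // Return only the fields the relationship justifies.
  const card = { id: target.id, name: target.name };
  if (rel !== "council-mbc") card.units = target.units;
  return { status: 200, card };
}
```
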

Just replied to Matt with the steps.

So this sounds different from the discussion about BSA Member IDs. It sounds like an argument that the access is “open” for anyone who already has registered leader access to the interface and trawls through with a series of semi-random Scoutbook UserIDs to pull up information. I’m not arguing it’s not a vulnerability (I haven’t played with it yet), but I’m trying to clarify if you’re saying there’s a similar attack path using BSA Member IDs.

ETA: I poked this and, unless I managed to do something wrong (always possible with me) inserting a known-good UserID did not get me access to their data. I already have access to the person whose UserID I tested, so it’s not like I was trawling for information I wouldn’t already have seen as a unit admin.

Test mine. It’s posted above.

I can confirm it works for someone well outside my council. I trolled the Scoutbook bug forum here and found several SB IDs. All of them worked and they are scattered across the country.

HOWEVER – NONE OF THIS has anything to do with whether sharing SB IDs or BSA IDs on a public forum is a violation of privacy laws. Whether or not there is easy access to the info, it’s STILL a violation.

Even if SB plugs this Mack Truck sized information hole (and that’s only one of no doubt hundreds of similar issues), it’s still a violation for us to be sharing this PII in public.

1 Like

It gives access to a photograph