Overview
The full name of signers of petitions with more than 50,000 signatures may have been included in the PDF delivery document for decision makers, even when different privacy settings were selected.
Summary
On March 26th, 2019, we added a new feature allowing customers to configure the way that the names of petition signers were displayed when petitions were exported in PDFs for delivery to decision makers. Previously, all names were displayed in full, but the new feature allowed customers to choose from several different formats for name display: full names, first names only, first names with initials, or initials only.
However, a defect in the implementation of this feature caused the setting to be ignored for petitions with more than 50,000 signatures. The application uses a subtly different code path to generate PDFs for the largest campaigns, and the new name privacy feature was implemented only in the code path that generates smaller PDFs.
CSV delivery documents for both large and small petitions correctly adhered to the privacy rules configured in the organization’s settings.
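The sketch below models the defect described above and a parity check that exports on both sides of the size cutoff under every name format. It is an added illustration, not ControlShift's code: the function names, the exact rendering of the initial-based formats, and the sample signers are all assumptions.

```python
from enum import Enum

LARGE_THRESHOLD = 50_000  # cutoff from the notice: "more than 50,000 signatures"

class NameFormat(Enum):  # the four display options listed in the notice
    FULL = "full"
    FIRST_ONLY = "first_only"
    FIRST_WITH_INITIAL = "first_with_initial"
    INITIALS_ONLY = "initials_only"

def display_name(first, last, fmt):
    """Apply the privacy setting; the only place a name is rendered."""
    if fmt is NameFormat.FULL:
        return f"{first} {last}"
    if fmt is NameFormat.FIRST_ONLY:
        return first
    if fmt is NameFormat.FIRST_WITH_INITIAL:
        return f"{first} {last[:1]}."  # assumed rendering
    if fmt is NameFormat.INITIALS_ONLY:
        return f"{first[:1]}.{last[:1]}."  # assumed rendering
    raise ValueError(f"unknown name format: {fmt!r}")  # fail closed

def small_rows(signers, fmt):
    return [display_name(f, l, fmt) for f, l in signers]

def large_rows_before(signers, fmt):
    # The defect as described: this path never consults the setting.
    return [f"{f} {l}" for f, l in signers]

def large_rows_after(signers, fmt):
    # Corrected: the large path uses the same formatter as the small path.
    return [display_name(f, l, fmt) for f, l in signers]

def export_rows(signers, fmt, large_path, threshold=LARGE_THRESHOLD):
    path = large_path if len(signers) > threshold else small_rows
    return path(signers, fmt)

def formats_ignored(large_path, threshold=2):
    """Export on both sides of the cutoff under every setting and
    return the settings whose output differs from the formatter's."""
    signers = [("Ada", "Lovelace"), ("Alan", "Turing"), ("Grace", "Hopper")]  # constructed
    ignored = []
    for fmt in NameFormat:
        expected = [display_name(f, l, fmt) for f, l in signers]
        below = export_rows(signers[:threshold], fmt, large_path, threshold)
        above = export_rows(signers, fmt, large_path, threshold)
        if below != expected[:threshold] or above != expected:
            ignored.append(fmt)
    return ignored
```

Lowering the threshold inside the check lets a test suite exercise the large-petition path without building a 50,000-row fixture, which is the coverage gap that lets a size-dependent branch go untested.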
Mitigation
We’ve released a code update to correct this issue.
Timeline
17 December 2019 at 1:35pm ET: ControlShift was informed of the issue by a customer, and we began investigating.
17 December 2019 at 5:04pm ET: ControlShift released a code update to correct this behavior.
17 December 2019 at 5:20pm ET: ControlShift notified customers.
We appreciate the customer who brought this issue to our attention, and we encourage anyone with security concerns to contact our team at privacy@controlshiftlabs.com.
We know that our customers rely on us to ensure their supporters' privacy, which is why we've endeavored to notify customers of this issue as soon as possible. As part of our broader commitment to data privacy, our security program includes third-party audits, automated static analysis, peer code review for security issues, and training for staff. We apologize for the oversight that led to this issue. If you have any questions, please email our team at privacy@controlshiftlabs.com.