Baby’s Days have fixed the Picture links on the Demo Site!

Hey readers, sorry again about the lack of blog posts this week!  Things are just so insane planning my wedding and working as a childminder; the blog will have to slow right down but there is still plenty of material to cover including a very sensitive issue with the legalities of Childminders using Baby’s Days.  I’m waiting for absolute clarity on this from The Information Commissioners Office before blogging properly but hopefully early next week I will know more.

If you are concerned about this in the interim as many seem to be on Facebook, you should read this and contact the ICO directly; note that you don’t have a contract with Baby’s Days, you accept their T&Cs.  I am more than sure if you approach Baby’s Days you will get their rose tinted view and not the actual facts to say the least, so the impartial link should help with that.

Today’s blog post is a quick one.  A while ago I posted about how individual photos were able to be viewed without any authentication by the person attempting to view them.  Baby’s Days fixed the issue whilst insisting I was a lair, but I proved the loophole was still present in the demo system in a follow up post; which you can read here.

Baby’s Days still insist that I was lying and that all individual photos required validation (which isn’t true as you can read from the comments in the blog, customers reported their photos were not individually password protected), Mark Kahl the director of Baby’s Days insists I am a liar and continues to post comments such as this in the official Baby’s Days Support Group:

Mark-Kahl-calls-me-a-bad childminder againAnyway, the reason for this blog post is because now photos on the demo do require authentication, isn’t that a bit weird.  Why has it suddenly changed?  These are the questions that Baby’s  Days customers should be asking.  Please make sure you  backup your data and don’t record data on any aspect of the system that can not be backed up.

I promise to blog later in the week, I’m going to blog about a company called Orange Moon and also about a childminder who encountered an inspector who was not so keen on Baby’s Days.  I’d also love to hear form anyone that has provided Baby’s Days with any planning records or other intellectual property over the years for another blog post I’m drafting.

Hope you all had a fab easter and that Tuesday doesn’t hurt too much!

Are all systems built equally?

So one thing that keeps coming up is thoughts like, “but if someone wants to find a way in they will”.  This is mainly from customers of Baby’s Days who seem to be saying that the 2 security issues I’ve found on the system, one about photos and the other abut parent comments not being stored securely, have come about because I’m “looking for issues”.

The two flaws I’ve posted about, I was not “looking” for; the first a parent told me about after he found it out by accident trying to download his child’s photos in bulk (as parents can not bulk down their children’s photos from their logins).  The second came up after I was looking at URL strings trying to find out if my own photos were stored somewhere on my own laptop in a temporary folder.  Both issues have cropped up quite by accident, there was no looking or probing involved.

Some other customers have also suggested that the same issue could come up with any of the EYFS online software providers and with this post I’m really hoping to clear up that misconception.

Before I continue it I want to make it clear that the issues I am talking about below aren’t necessarily connected to Baby’s Days uniquely, I am talking about computer programming as a whole.

The first question is, “Is it true that a determined “hacker” could get into any internet system if they tried hard enough?”  I’m not really qualified to answer that question with 100% certainty but from briefly reading around this area, it seems that if someone was dedicated enough they would find a way into almost any system.  As I’ve posted before Baby’s Days claims of being 100% secure are ludicrous but obviously some systems are easier to get into that others and some people are better at getting into them than other people.

So does this mean those that claim, “it’s ok that you found these flaws Hayley, anyone can find flaws in anything if they try hard enough” have a valid point?  It is my opinion that these people are missing the point somewhat; whilst their opinion is true it is rather short sighted.  I will try and explain this with a simple analogy.

All houses are houses and if you try hard enough despite the best security systems there will probably always be one clever burglar that could get in if he or she really wanted. If you had a suitcase of cash which house would you put it in?

House 1: The house with every external security system going, it was designed by an award winning architect and the structure is perfect.

House 2: This house has all the same features as house one in terms of external security.  But it was the first house this builder had ever made, and he didn’t quite get all the bricks lined up properly and there are a couple of little cracks here and there.

They are both houses, but you’re going to put your suitcase into house 1 aren’t you?  This is because although both houses carry the risk of getting broken into by some burglar, house 1 carries less risk than house 2.

So yes, “anyone can find flaws in anything if they try hard enough”, but the point is some systems are considerably harder than others to access.  It is deeply unfair on those systems that take time, money and effort to ensure the programme they create is on par with the award winning architect in House 1, to simply shrug issues like this away.

I understand that people don’t need the added stress and worry in life of thinking too much about these things and it’s far more convenient to just hope for the best.  But as a practitioner that should be working in accordance with the Data Protection Act, “well these days shit just happens doesn’t it?” wont curry any favours with the ICO unfortunately.

Please put that new feature of bulk download to good use and download your system to your home computer daily.  You really don’t want to be in the position I am in right now.

 

 

Can Baby’s Days access your system and info?

In their Privacy Policy Baby’s Days/Sys IQ Ltd state,

Our staff do not have access to any user passwords and are, therefore, unable to access the organisation’s account or data without receiving an invitation from the Master Administrator.

I have had a few blog readers and Facebook members tell me that Baby’s Days have accessed their systems without the user providing them with a user name and password.  If this has happened to you please comment below, if you post using the name Anon, Baby’s Days will not know it was you.

I’m hoping that some of the techie blog readers can help with some questions around this issue?

  1. Baby’s Days record users IP addresses.  In theory could they access a users system without a username and password using the IP address?
  2. If you stopped using Baby’s Days and they kept a record of your IP could they in theory still access your computer even if you no longer run the programme?
  3. If someone could access you computer using the IP address alone, can they change data on your laptop or only view it?

Obviously I could never say categorically that Baby’s Days have accessed users systems with IP addresses only.  But it would be interesting to learn if this is possible.

Pop back tomorrow when I will be blogging about a how all systems are not built equally.

 

 

Surely the ICO will prorect my data? Part 2.

So, this is the second post about the Information Commissioner’s Office, the first you can find by clicking here.  In a nutshell the first post said it’s not a simple process to retrieve my data back via the ICO; lots of blog readers say, “make a subject access request – it’s your data”, but it has now been confirmed that this isn’t the case by the ICO.

The data is the child’s, not the minders in the eyes of the law.  So if a minder would like to request it they need parental permission to do so and the minder would also need to supply their ID to Sys IQ Ltd to prove they are the person they are claiming to be.

Alternatively the parent can make the Subject Access Request themselves, they will need to provide proof of ID and also proof that they are the parent of the child.  Seems a bit weird to me when a few weeks ago I could access all the data with a simple password and Sys IQ Ltd could easily reinstate the system knowing only authorised users could access the system with the password.  But anyway I did as instructed by the ICO and sent Sys IQ Ltd 47 subject access requests for all the children ever entered onto the system, I also made a request for any data relating to me and my 3 colleagues.  So 50 Subject Access Requests for data that a few weeks ago I accessed easily and also gathered and compiled myself.  How absurd.

Baby’s Days have 40 days to respond to the requests, so I will update then.  But given how my co-minders request has gone for her daughters data and that Baby’s Days / Sys IQ Ltd have flatly and illegally refused to process my subject access request for my sons data, I’m not holding my breath.

image

Baby’s Days / Sys IQ Ltd is seemingly unaccountable for it’s actions and apparently entirely unregulated?!  (If anyone knows who they are regulated by please comment because I will be blogging on this topic later in the week).  As such it is extremely important that data is saved by the childmidner which in my opinion then makes a complete farce of the companies 100% security claims.  All the data could be taken from the childminders own laptop!

On their Website Baby’s Days say,

“There would be very little point in using a 3rd party company to store your paperwork in digital format if…. [it] cannot be recovered under any circumstances”

I couldn’t agree more, what is the point in my co-minder having paid Sys IQ Ltd almost £500 over the years if they are unable to return our data?!

Tomorrow I will be posting the information sent to me from Baby’s Days and the ICO regarding my co-minders daughters data and how Baby’s Days seem to have misled the ICO; so make sure you check back for more proof of how underhand this company can be tomorrow.

Be aware. Parents can access other children’s photos.

Hi folks, I’m definitely on the mend and have most blog posts for the next week already drafted.  I was going to post tonight about the ICO and their final decision about Baby’s Days / Sys IQ acting illegally and beyond the scope of the Data Protection Act; but I decided to post something more important, especially if you are a current Baby’s Days user.

Last night I received a blog comment from a parent of a child who is on a Baby’s Days subscription owned by a nursery.  The parent is a web developer and wanted to write a script so that photos from the diary would automatically download to his home computer when he ran a programme.

The parent quickly found he was able to access not only his child’s photos but also all of the other children’s photos on the system and also photographs of parents signatures!

From my limited understanding of this, this is because of the way the code is set up.  If you look at the code (which most parents wouldn’t, but they are perfectly entitled to) it provides a “path” if you like, direct to data.  Each parents path should lead them only to their child.  But in this case Baby’s Days had decided to basically remove the “fence” around the paths so that parents could access any path and whatever photos they wanted.

I know most parents provide permission for all parents to see their childs photos so this might not be a big deal to some (!!!) but also you have to remember parents access Baby’s Days on their phones.  If that phone is lost anyone picking it up would have access to the over 100,000 images this nursery has saved.  Also I’m pretty confident parents wouldn’t feel comfortable with anyone being able to save and copy their electronic signature?  Also you have to ask if this could happen with photos could it happen with medical forms or concerns forms?  Would a child be placed in danger by a parent accidentally coming across a “concern” form for example?  These are very important questions that anyone using Baby’s Days really needs to be asking themselves.

The parent contacted Baby’s Days and they were their usually sunny selves and seemed rather blasé about it.  They even said they would put the “fence” back for now so the paths only led to parents children, but they would take the fence down at a later date when they needed to talk to the nursery again?!

I’ve been planning a post for a while now about data security and the fact that Baby’s Days is designed more around security by obscurity, not by design.  Sadly what this parent has discovered is just the tip of the iceberg and as soon as I have more info I will of course be posting it here.

In the meantime if you are still using Baby’s Days please back up your data and think about what sorts of data you are storing there and what it could mean for the children in your care if it fell into the wrong hands.