Why does the WikiTree provide private data and photos to external sites like MyHeritage?

Question

I was fooling around on MyHeritage today, and right at the point where I was deciding that the site was junk, I noticed that the smart matches from WikiTree included privacy protected data and attachments, like photos.

In the matches for deceased, but private profiles, I can see full middle names, full DOB and location, full DOD and location, living private siblings and children and all private photos at the very least. They are also able to derive the sources out of the bio, which tells me that they have the biography as well.

Even for living people, they are providing access to exact year of birth and names of living siblings and children.

I get that WikiTree wants to share data, but what good is setting our profiles and attachments to privacy protected if that data can just be retrieved via a backdoor?

This has me really concerned!!

EDIT: I just did a test by adding my brother to MyHeritage, his profile is set to unlisted on WikiTree. Yet as soon as I added him to MyHeritage the smart match was created to his WikiTree profile providing UNLISTED, private data.

Comments

This is really concerning, Alison. While I understand that any information on the internet is potentially vulnerable, I did not believe that smart matches would be created by My Heritage. I'm now going to remove personal data from living profiles.

---

Gosh. Thank you for the heads up. I'm very concerned and upset about this. I have my granddaughter in here marked unlisted, and other living descendants and members of my family ... are they on my.heritage too? I can't check as I'm not a member of that site. I'm really worried about this.

   

 

---

Please don't worry.  See my answer below.

---

Thank you Ros.

I do hope someone from the team comes along and confirms thats why it is happening so that we can rest assured that what we deem private here, is absolutely private.

 

Answer 1

I think you are seeing all this because you are logged into WikiTree - and of course you will see private data of private profiles you created/are on the Trusted List for.

Example: I just searched on MyHeritage for my mother (who is red-locked on WT).  There she was, but only the decade was given for her birth/death.  It said 'see complete profile on WikiTree' - and I could; but I was LOGGED IN.  

The moment I logged out and searched for her on MyHeritage, and it said 'WikiTree', all I could see was the page anyone would see i.e. decades-only for her birth and death, and her thumbnail picture.

Comments

This is serious stuff. Can other people who log into Wiki tree see personal information on profiles other than their own? A breach of this nature, if it has occurred, could have serious implication

---

There is no breach.  If you log in to WikiTree, you can only see private-profile info on profiles you manage/are on the Trusted List for, just as usual.

If you search through My Heritage, then click on 'WikiTree' as part of your results: you are NOT logging in, you are just looking.

If you log in to WT, stay logged in, then go and search on MyHeritage, you will see all the info - because you are logged in to WT already.

---

How is MyHeritage getting the information from WikiTree? Are they using a web service to search for a match and to populate their smart match widget?

A web service call should know nothing about my active session in WikiTree.

---

What Allison said: MyHeritage should not be able to access private data on WikiTree. Period, end of story. If MH can access it, then so can anyone else, with a little bit of work.

Yet another bit of proof for my belief that online genealogy is strictly and only for keeping track of dead people. The only way to reliably protect the private data of the living is to not put it online.

---

As per my previous two answers:

MyHeritage cannot see private data.  Period, end of story.

If you are logged in, YOU can see private data of the profiles you manage.  You can't even see the private data of other people, unless you are on their Trusted List.

If you search via MH and see private data, it is because you are logged in to WT and it is WT you are looking at.  MH have not 'poached' WT profiles to sit on their servers.

---

Ros,

I appreciate your assurance. But I want to know how MH is getting my private info from my WikiTree session. That should be improbable if WikiTree is as secure as we are told it is.

What is actually occurring between MH and WT from a software/web communication level.

---

Yes, my concern too Allison. I'm much reassured by Ros that one can only see it if logged into wikitree at the same time, but, the burning question for me remains, how come it's viewable on my heritage at all in the first place? This seems to indicate to me that everything in the wikitree database is also in the my.heritage database, at least on some level. So although I'm reassured, I'm still extremely unhappy and uncomfortable with this revelation.

A team member needs to come into this thread, please, and explain to us all exactly why this is occuring (as Ros said?), and exactly what, of our information, wikitree has allowed my.heritage access to. Because once my.heritage have it, it's done! And then what?

---

My heritage is showing you a mirror of wikitree profiles. If you are logged in to both services you will see exactly what you would see if you were on wikitree. If you are not on the trusted list or not logged in, you would never see personal data that is privacy controlled.

---

That's actually not entirely true. I checked the smart match on one of my ancestors that I changed over a week ago, and it's clearly cached on MH. It's not a direct, current pull from WT.

Event if it was, the fact that private WT data is displayable in a MH UI component means that MH could easily grab that data.

MH is an aggregation site, they are only going to be successful if they have data people want. Taking data from WT is super easy thanks to this flaw.

---

There are often other sources of data for living people, available to all, including familysearch.org and facebook. I am extremely cautious about putting information out there that isn't already available from some other widely used on-line source. But if it is already out there, I feel that connecting the dots may help some other budding genealogist in my family.

Answer 2

Appreciate this is a long time after original event, and have read thro whole of thread (many good points made) but here is a scenario that may be viable:

1. Join WT - dummy burnable e-mail address;

2. Go thro steps to self certify as necessary to join "Trusted List(s)" , then randomly/focussed look at Profiles that have no current PM, take a few on at a time and gain full access to whatever those profiles contain - OK, not efficient and contrary to WT certification but that wouldn't deter malevolents.  The exceptionally detailed Biographies in some profiles of PMs seems counter to the good advice and general WT warnings about the living and that of their closest relatives is often well-detailed too.