Furry Website Leaks Real Identities

Sky
Feb 19, 2018

All you need is someone’s real name to find out if they’re secretly a furry.

A “feature” in the popular convention registration system ‘Convention Master’ lets anyone find out your fursona name just by typing your real name.

The software is used widely by many conventions, especially in the furry scene. Civet Solutions, the maker of the software, boasts “over one hundred and fifty thousand registrations processed.” If you’ve ever attended a furry convention, there are decent odds they have your data on file… and are now leaking it with no plans to ever stop.

This is a long article, but the most important part is that you can opt-out of your name being searchable. You just need to ask the convention to do so.

UPDATE NOTE: This article was updated with a section of feedback from Civet Solutions at the end of the article. Although the real name look-up feature in question will unfortunately not be removed from the software in future, I encourage you to read the update over to better understand their point of view and their future development plans.

The Issue

During online pre-registration, you enter your first and last name to see if you have an account at that convention. Unfortunately, anyone can do this. If you’ve ever pre-registered for that convention, or registered on site in a previous year, you have an account. And everyone can see you’ve attended that con with just your first and last name.

Even worse, your fursona name is also displayed.

Yep, that’s right. Anyone can find your fursona name if they know your real name.

Step 1: Enter Real Name
Step 2: You can see if that name is registered for the con, and even see their fursona name (badge name). This does not require special permissions, or even typing a captcha to do.

If you want to find out if one of your friends, neighbors, co-workers, Twitch streamer, YouTube personality, civic community leader, priest, teacher, or anyone else is secretly a furry, all you have to do is:

A) Google for a furry con near the subject,
B) Go to the con’s website when pre-registration is open,
C) Enter their name.

As you can see from the screenshot, the form doesn’t even require an exact match of real name; you just have to be kind of close.

If you’ve ever preregistered at a con using the software, you’re vulnerable. Even if you register at the event, the user database gets uploaded to the cloud after the convention. There your personal data will live forever, available for anyone to look up.

Sidebar: Why some people are secretly furry

If you listen to the Convention Master team, or the conventions who use it, they’ll say this isn’t a big deal. After all, their con is great, so why wouldn’t you want everyone to know that you attend it?

A couple reasons:

1) Not everyone is comfortable with the world knowing they’re in the fandom. Don’t get me wrong, it’s great that the people that run cons are so comfortable with their identity on display. But the larger world still isn’t always so kind to furries. It’s a frequently misunderstood fandom thanks to many misrepresentations in popular media. Many in the public still only have an impression of furry from Vanity Fair, MTV and CSI. Only just a few months ago a councilman in Connecticut was forced to resign after a public furry profile of his went viral.

The reality is that many people are afraid to come out as a fur, for their own reasons. Conventions should respect the wishes of their attendees, and not make their databases publicly searchable.

2) There’s a safety concern here, too. If a stalker can confirm their target is going to be at a particular location on a particular weekend, they might be more likely to make the trip and show up themselves. Maybe you’ve never had someone stalk you online and in real-life, but if you’ve ever gone through that nightmare, you probably can relate to the desire to not broadcast your location to the general public.

To be fair, Civet Solutions is working on a new optional ‘breadcrumb removal’ feature that conventions can enable. Your name + fursona would still show up in the search, but it won’t show that you are attending for this particular year. It’s a slight improvement, sure, but kind of misses the larger point.

3) Some people just want to have a separate identity to escape into. For me personally, being able to escape into my fursona away from real life is a great comfort. It’s somewhere I can explore a different side of myself, to be someone else for a short while. Having my identity be linked back to real life kind of ruins that feeling for me. Personally, I can’t immerse myself in a character if I’m worried about being judged by the social mores of normal life.

Issue Part 2: Automated Attacks (Theoretical)

Perhaps you don’t think anyone will go to the trouble of looking you up personally. Never underestimate the amount of free time people on the internet have and the unfortunate dislike certain populations of the internet have for our fandom.

If you can look up one name at a time, you can brute force the form and eventually get a list of everyone’s real & fursona names who have ever attended the convention. You don’t even need exact names — the form helpfully provides similar names. Then your attendance could end up on a publicly posted list along with everyone else, which is indexed in Google, and now your fursona name is in the top 10 Google results for your real name. And believe me, some of your friends and family are googling your real name to see what comes up (and your employers definitely are… more on that in a moment).

I notified Civet Solutions several weeks ago of this, and they’ve indicated they are investigating adding a rate limiting solution to this page sometime in the future. However, even if this is now rolled out, IP addresses can be cycled easily. Even if they add a captcha, there are captcha solving services that are surprisingly affordable.

But the general public is probably more interested in knowing which of their friends and coworkers are secretly a fur. In this case, an app could be designed that would check all websites using the software — even limited at only 10 name attempts an hour, such an app could cycle through your full LinkedIn or Facebook contact list in a day or two.

Many firms already employ software packages to monitor their employees’ social media activities (more than 70%). How long until one of those begins crawling these databases and even cross referencing fursona names to other furry sites? It’s not impossible — these packages already crawl a wide variety of other social media sites and there’s an arms race underway in this little known industry to build the most comprehensive platform.

Perhaps friends are understanding, but are you prepared to explain that scintillating artwork you recently commissioned to the HR department?

Disclosure

When I spoke to Civet Solutions, they didn’t acknowledge this issue to be a design flaw, or even a problem. They seem to believe this user lookup feature is of key importance to the design of their software, and I didn’t get the impression this would ever change in future.

Speaking with convention staff was a bit hit-or-miss. Some individuals seemed much more concerned about potential bad press than about fixing the issue. However, some were more sympathetic to the privacy issues than others, so I proposed a few ideas for mitigation.

My first idea was simple: could I just register with a fake name? After all, why do they need my legal name anyway? Unfortunately, none I spoke with would tolerate using a pseudonym as they need your legal name for “legal reasons.” I’m not entirely sure what these “legal reasons” are, as there’s no law around this and there’s plenty of other events that don’t require an ID to attend, but I’ll give them the benefit of the doubt and assume maybe there’s something in their contract with the hotel. (I’m dubious, though.)

Eventually, I managed to find a solution with at least one of the conventions. There is a hidden option in the software to prevent your registration from being displayed on the kiosks. This is apparently not well known, so if you want to go this route, you’ll have to find someone fairly senior in the staff during registration — usually the Registration Lead. More details on this below.

My recommendation to conventions

This is a leak of customer data, and should be treated like any other.

Shut down your registration pages immediately, send e-mail notifications to all attendees their information may have leaked, and set up a different registration solution.

Literally any other software will do — no other registration platform lets unauthenticated users look up someone else’s registration, for what should be dead-obvious reasons.

If you’re so confident that none of your attendees consider this an issue, I encourage you to warn them on the registration page and in obvious signs in the on-site registration area that they’re being added to a publicly searchable directory. Maybe it has an effect on attendance numbers, but it’s the right thing to do.

What attendees can do today to recover privacy

If you don’t want to be publicly looked up, and have ever attended a convention using this software, here’s what you can do:

  1. Contact your convention to find out if they can / are willing to do a registration with the ‘hide from kiosk’ option. Most conventions have Telegram chats with responsive staff, so you might ask there.
  2. See if they’re willing to hide your registration from previous years.
  3. Find out who you need to talk to on-site, then wait until the convention starts and register in-person with the appropriate contact person (usually it’s the registration lead).

It’s up to the convention if they will do this. Not all conventions will — some may not care. Fortunately, the ones I spoke with were willing to perform this for me… although no one seemed to understand why I was bothered about it.

Also keep in mind this will prevent you from pre-registering online ever again; you will always have to do on-site reg once the flag is set.

My hope is enough people care about their privacy to at least ask their conventions about this. Sure, it may generate more work for the convention staff, and maybe causes more people to register on-site instead of pre-register, but hopefully this will show convention organizers that their fans DO care about privacy. In today’s society, you can’t expect them to value your privacy if you don’t.

If they see enough people concerned about this, maybe it will even motivate convention runners to switch their software provider to a registrar which values customers’ privacy.

Tell your friends that private registration is an option! It took me weeks of asking to discover this; it’s not something that most registration staff even seem to know about.

Finally, please consider sharing this article for visibility — maybe we can get some positive change by showing we still care about our privacy!

Thanks

I want to thank everyone who took the time to speak with me and patiently answer my questions — including both convention staffers and Civet Solutions representatives. I appreciate all the honest and timely answers I got. Even though we may disagree about the severity of the issue and how it should be resolved, being willing to engage me in a dialogue is commendable and not something many organizations would do. As I researched this issue, a number of people took time out of their busy schedule so I could better understand it. So a deep thank you to everyone involved, even if we respectfully disagree with each other.

Appendix: Affected Cons (Partial List)

Here is a list of conventions that use the vulnerable Convention Master software by Civet Solutions.

It’s not a full list — it’s just what I found via a quick Google and DuckDuckGo search. With 150,000+ registrations processed, there’s probably a bunch more cons using the software. You should check your convention’s registration page yourself to be sure (see if you can get your fursona name using only your real name in an incognito tab).

Known affected furry cons:
— Alamo City Furry Invasion
— Califur
— Fur-Eh!
— Furlandia
— Pacific Anthropomorphics Weekend
— Scotiacon
— Vancoufur
— Wild Prairie Fur Con

Known affected non-furry cons:
— Arisia
— RustyCon

Header image by Douglas Muth, used under CC-BY-SA 2.0 license. I think it was taken at Anthrocon, which if so, is one of the cons that does not use the vulnerable software. Props to the staff there for choosing a solution which protects their attendees’ privacy!

Update 2/18 10PM

Civet Solutions got in touch shortly after the original publication to provide some additional information on this issue.

Public real name search

They are planning a future update in which users can register using a ‘profile’ system using username/password instead of a real name. It is a pretty big overhaul, one that migrates to a whole new framework with a more modern interface. This was hoped to be released in mid 2017 and has been delayed. Due to this, they are unable to quote a release date for the profile based system.

However, even when that does eventually get released, it will still be up to conventions which system they want to use. They confirmed that the real name public search function will never be removed from the software. In fact, Civet indicates the real name search system is one of the major reasons that conventions choose to use them instead of their competitors.

Ultimately, it is up to the conventions to make choices that protect our privacy, and this will only happen if enough people complain to the conventions and opt-out of their personal data being looked up.

Hiding fursona name (sometimes)

A new update is planned for tonight that will hide fan name, if the name you’re searching on results in only one person. Now granted, anyone can still see that you’re a furry since you’re in the system, but at least they don’t get your fursona name. Also, if someone really wants to get your fursona name, they could just register under your name and then there would be two names in the system, thus showing your fursona name.

One name
Two+ names (note that this screenshot and several others from this update below I have modified from the original provided to me as the original version included what turned out to be a real fursona name. I have substituted a fake one (“Meriel”))

How conventions can opt you out

Civet Solutions kindly provided these steps + screenshots for convention staffers to follow so as to keep your name private.

If you are concerned about your information being leaked, simply ask the convention to “Hide” your account from the kiosk. They can do so (and have been able to since 9.0.0) by doing the following:

Then they simply check that checkbox and you will no longer be searchable (even by you) in the kiosk system. The downside is that you’ll have to arrange pre-reg through email or register at the door.

I recommend you contact your local conventions to see if they are willing to perform this for you.

Breadcrumbs

I briefly mentioned this in the original post, but I have some additional data and screenshots now. Basically conventions have a feature already that can slightly improve privacy. The system will still show that you have attended the con, but with this feature, people can’t see if you just attended previously, or if you’re attending again this year. It’s slightly better from a safety perspective, but doesn’t solve the root issue.

Before setting
After setting (note the * is now gone so at least people don’t know which year you’re attending the con)

Data residency

Convention Master is not sold as “software as a service,” but a solution that conventions host themselves.

That said, Civet Solutions will sometimes host the Convention Master software. Typically this is only done for the first year or so of a convention. They do not typically host the software as a matter of policy.

Legal reasons for identification

This rationale was clarified, and includes: hotel, health and safety issues (for instance, injuries), tax reasons for 501(C)3’s, membership reasons for 501(C)7’s — also age verification reasons, and persistent proof that they verified your age.

Update summary / my thoughts

These are steps in the right direction, and it is great to see Civet Solutions working on new options for conventions to use that are more privacy-focused.

However, as long as there’s an option for conventions to provide real name lookups to anyone on the internet, there will continue to be data leaks. Many people I’ve spoken with at conventions simply don’t understand why this is an issue, and so I don’t expect that even after the profile system is developed it will be used by 100% of conventions.

Civet is in a tough situation, because their lookup feature is one that conventions want and even choose the software because it provides it. It falls to us to tell the conventions that we want our privacy. If we don’t, nothing will change.

Already I’ve heard one report of this feature having been used today to discover a few coworkers are secretly in the fandom. In this case, it was well intentioned and within the fur community — but it’s still really unfortunate that this was possible in the first place. If they wanted to come out as furs, then that’s a fine choice. But it should always be your choice, and not a choice by a convention or a software package.

Update 2/20 12AM — Statement & Suggestions

Trapa, who I believe heads up Civet Solutions, issued a statement earlier today.

It mostly just reiterates the earlier update, adds some inaccurate information on my interactions with Civet, and most importantly doesn’t promise to actually remove the real name search feature. Real name search would still be available as an option for conventions to choose, even after the profile system is deployed.

Publicly accessible real name search is a dangerous option, and shouldn’t be included in the product. A well intentioned con might enable it, not understanding the ramifications. For attendee privacy, it simply needs to be removed from the product.

On some of the other assertions in the statement… I had originally started writing a long response intending to clear my name in regards to some of the either misleading or just plain false statements about how this has all gone down, but I realized doing so is just going to generate more furry drama. I certainly could make some choice quotes, but it’s not productive as anything but entertainment value. We’re all merely human (err, animal people), and sometimes people make mistakes, have miscommunications, or say things in the heat of the moment that maybe they regret later. This is especially true when you’re working long hours like Trapa is, so I’m not going to pick on them for it. On my side, I know I’ve made mistakes and miscommunications and for those I’m sorry. So I’m going to try to sidestep a bunch of he-said-she-said as it’s a distraction away from the real goal of protecting fur privacy — and that means getting real name search removed permanently.

Instead, what is productive for me to do is to demonstrate my continued desire to cooperate and in doing so provide some useful suggestions that maybe Civet hasn’t thought about.

So in that spirit, I sat down and brainstormed today some additional ideas on tackling the problem. Basically thinking on the question, “what could Civet do quickly to fix this issue as a temporary workaround?”

I then PM’ed Trapa these ideas directly. Every code base is different, and I don’t know if these will fit with Convention Master or maybe not. I don’t claim to be an expert either. But they seem like they would work to me as fast temporary workarounds until the longer term solution can be implemented.

Workaround Suggestion 1: Comment it out

On the results page, simply comment out the code that displays all results. Remove the text references to ‘searching’. Change the button text from ‘I’m not any of the above, register as X’, to just ‘register as X’.

Essentially this converts it from a search page to a name entry confirmation page. That’s not a perfect user flow, but on the code side it should just be easy display code changes and gets rid of the privacy issue (when I say ‘display code’, I’m referring to the PHP code on the server side that would send across that table, not client JS code).

Since it’s just commenting stuff out and quick renames, this seems like it could probably be coded in fifteen minutes, aside from testing.

The downside is it would result in some duplicate users on the backend but it’s a good trade for privacy in my opinion. Some conventions may complain, but I think most are on board at this point and Civet has sufficient justification to force a change away from public name search.

Workaround Suggestion 2: Automatic do-not-show-in-kiosk flag

The do-not-show-in-kiosk flag already prevents registrations from showing, right?

  1. Could all old registrations be marked as do-not-show-in-kiosk retroactively, and…
  2. New registrations automatically have the flag applied?
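
The two workarounds above, sketched as an added example (this is not Convention Master's code, which is not shown on this page). The table layout, column names and function names are assumptions made for illustration, and the attendee rows are constructed sample data.

```python
import sqlite3

# Hypothetical schema: table and column names are assumptions,
# not Convention Master's real database layout.
SCHEMA = """
CREATE TABLE registrations (
    id INTEGER PRIMARY KEY,
    first_name TEXT NOT NULL,
    last_name TEXT NOT NULL,
    badge_name TEXT NOT NULL,
    hide_from_kiosk INTEGER NOT NULL DEFAULT 0
)
"""


def make_db():
    """In-memory database seeded with constructed sample attendees."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO registrations (first_name, last_name, badge_name) "
        "VALUES (?, ?, ?)",
        [("Alex", "Example", "SampleFox"), ("Alexa", "Example", "DemoWolf")],
    )
    conn.commit()
    return conn


def public_lookup(conn, first, last):
    """'Before': the behaviour the article describes. An unauthenticated
    visitor gets near-matching real names back together with badge names."""
    rows = conn.execute(
        "SELECT first_name, last_name, badge_name FROM registrations "
        "WHERE hide_from_kiosk = 0 AND first_name LIKE ? AND last_name LIKE ? "
        "ORDER BY id",
        (first + "%", last + "%"),
    )
    return [{"name": f"{f} {l}", "badge": b} for f, l, b in rows]


def confirm_name_entry(first, last):
    """Workaround 1: the page only echoes what the visitor typed.
    It never reads the attendee table, so the response is the same whether
    or not that person has ever registered. Duplicate accounts are the
    trade-off and have to be merged by staff later."""
    return {"prompt": f"Register as {first} {last}", "matches": []}


def hide_all_existing(conn):
    """Workaround 2, step 1: set the hide flag on every old registration.
    Returns the number of rows changed."""
    cur = conn.execute("UPDATE registrations SET hide_from_kiosk = 1")
    conn.commit()
    return cur.rowcount


def register(conn, first, last, badge, hide_from_kiosk=True):
    """Workaround 2, step 2: new registrations are hidden by default;
    showing one in the kiosk becomes the explicit opt-in."""
    cur = conn.execute(
        "INSERT INTO registrations "
        "(first_name, last_name, badge_name, hide_from_kiosk) "
        "VALUES (?, ?, ?, ?)",
        (first, last, badge, int(hide_from_kiosk)),
    )
    conn.commit()
    return cur.lastrowid


if __name__ == "__main__":
    db = make_db()
    print("before:", public_lookup(db, "Alex", "Example"))
    print("workaround 1:", confirm_name_entry("Alex", "Example"))
    hide_all_existing(db)
    register(db, "Sam", "Sample", "TestCat")
    print("after workaround 2:", public_lookup(db, "Alex", "Example"))
```
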

-

Anyway, those are just some ideas that maybe could be a springboard for Trapa/Civet to think of other quick-to-implement ideas. They’re not the long term solution, but maybe could work for getting this patched up in the short term?

It’s a tough situation for Civet Solutions to be in, and I sympathize with the strong emotions going around right now. But if we can get a solution for getting rid of real name registration lookup quickly (and permanently!), that’ll be a great benefit to everyone.

Update 2/21 4PM

After getting a number of comments based on Trapa’s misleading statement (see previous update for my initial response), I realize I should clarify my position:

  1. I am not aware of Civet Solutions requesting any additional time before this blog was posted. Just to be sure, I’ve today double checked my PMs from Trapa and see no such request from him.
  2. In my interactions with them, Civet Solutions has consistently indicated public real name search to be a feature, not an issue, and not newsworthy. This is how the software has worked for years by design. Even now, the plan is to let conventions choose between real name and username search — do not be surprised when some furry conventions continue to use real name search.
  3. In my opinion, Civet Solutions could have easily patched out public real name search before the article was published. Commenting out a search result table should take no more than fifteen minutes to code (see previous update). This would protect attendees in the short term while the longer term username solution is developed.
  4. This is not a new issue to Civet Solutions. People have been complaining about public real name search for years at this point. Here’s one from 2016, but I’ve heard reports that people have been raising this issue since their last major security breach in 2009.

(Edit: Here is the 2016 conversation referenced in the tweet)

It is difficult to imagine how Civet Solutions could be so surprised at real name search being an issue when they have been warned before about it by multiple people and still not resolved it.

Update 2/24 7PM

After years of people complaining to them about the privacy problems of real name search, Civet Solutions has added username based login to Convention Master for conventions who wish to use it. (See previous updates above for links/rebuttal on some of the other assertions in that statement).

At the risk of sounding like a broken record: while it is great that conventions finally have a tool to protect user privacy, and I applaud Civet for adding username search, public facing real-name search needs to be removed from the product entirely.

Even outside the furry fandom, there is no reason that a convention should allow their attendees to be publicly looked up due to the safety and privacy concerns inherently involved (again, see above for an exhaustive rationale). Within the fandom, it is possible some furry conventions may not migrate to the username system, or may accidentally choose real-name lookup, not understanding the privacy implications.

It is my firm belief we should build software to support privacy by design. Leaving a privacy landmine in the software and passing the blame to conventions when they configure it incorrectly seems irresponsible and short-sighted as a course of action.
