No. Firefly and Firefly4Mac simply identify files it suspects may contain SSNs or credit card numbers. You will have to inspect these identified files by hand.

Firefly sends a simple statistical report to the Security Office. This report contains the following information:

• The host name of the computer.
• The IP addresses of the computer.
• The disk location scanned.
• The number of files scanned.
• The number of files skipped.
• The numbers and types of possible matches encountered.
• The numbers and types of errors encountered.
• The date and time the scan started and finished.

This is done to help us report on general deployment of Firefly metrics to the Provost's and Chancellor's Office. Firefly and Firefly4Mac do not send us the names or contents of your files.

Some users have reported needing to add firefly.uiuc.edu to Internet Explorer's trusted sites list before the ClickOnce installer could install successfully. It is not necessary for all users, but seems to be required for older versions of Windows or Internet Explorer, even when the .Net framework is fully installed.

The instructions below will help in those cases.

1. From Internet Explorer's Tools menu, select Internet Options.
2. Select the Security tab.
3. In the box under Select a zone to view or change security settings, select Trusted Sites.
4. Click Sites.
5. At the bottom of the Trusted Sites window, un-check the box labeled Require server verification.
6. In the box under Add this website to the zone, enter http://firefly.uiuc.edu
7. Click Add.
8. Re-check the box labeled Require server verification.
9. Click Close on the Trusted Sites window.
10. Click OK to close the Internet Options window.
11. In Internet Explorer, visit http://firefly.uiuc.edu to install Firefly, or reload the page if your browser is already there.

Desktop computers will take at least several hours, and may need to scan overnight.

If you are scanning a server, please read the server scanning notes at https://wiki.cites.uiuc.edu/wiki/display/SecCom/SSN+Elimination+Program+Discussion

If you do not have access to this page, email securitysupport@uiuc.edu.

I see that Firefly version 1.0.X has been released; do I need to re-run the scan on the machines we have already scanned?

No. There's no need to re-scan. The new versions make the scan easier to use, but the overall effectiveness of the scan has not needed changes since the first release of version 1.0.0.

The bug-fixes in releases since version 1.0.0 are for problems that a majority of users did not encounter. If your error log has a large number of messages about skipped Excel files, Word documents, or Access Databases, the latest version will miss fewer of these files. Otherwise, you will not see a difference with the newer versions.

If you are unable to install Windows Firefly, please see "I was unable to install Windows Firefly through Internet Explorer" above.

If you are an IT Professional using Windows Firefly to scan your server, please visit
the Firefly IT Professional Discussion pages at
https://wiki.cites.uiuc.edu/wiki/display/SecCom/SSN+Elimination+Program+Discussion
for best practices recommendations.

If you are unable to run Firefly on your desktop computer, please submit a bug report to securitysupport@uiuc.edu, and we will assist you.

Firefly4Mac requires Spotlight, which is installed with OS X 10.4 and later. Firefly4Mac does not run on OS X 10.3

We do not recommend upgrading from OS X 10.3 just to run Firefly. Instead, use OS X 10.3's built in search mechanism. Search for terms such as Social Security Number, SSN, Credit Card Number, and CCN, and investigate any files returned by these searches.

We do recommend planning an upgrade to OS X 10.4 or greater, because Apple's support for OS X 10.3 is expected to end soon.

If you have problems with Firefly4Mac while running OS X 10.4 or later, please file a bug report in Jira, and we'll take care of the issue as quickly as possible.

Keep in mind that Firefly4Mac is provided to make your work easier. If it is not making your work easier, please feel free to use an alternative tool or check the machine manually using Apple's built in search.

Due to the variety of file formats in existence, Firefly cannot scan every file type. If you find that an important file was missed by Firefly, please email securitysupport@uiuc.edu. IT professionals can find full details about the file types Firefly can and cannot scan at https://wiki.cites.uiuc.edu/wiki/display/SecCom/SSN+Elimination+Program+Discussion

Having more files skipped than scanned is a normal and safe outcome. Of the unrecognized files, you will typically find that the majority are system configuration files and executable programs which do not need to be scanned. Most other SSN scanning programs do not report how many files are skipped. We choose to report this number as a measure of completeness, but this number does not indicate a problem.

Firefly is provided to make your work easier. If it is not making your work easier, feel free to use an alternative tool or ask the user to check the machine manually using operating system search mechanisms.

Please read Scanning on Unix and Linux Operating Systems for some alternatives to Firefly.

Additional discussion about alternative tools is available for IT professionals at https://wiki.cites.uiuc.edu/wiki/display/SecCom/SSN+Elimination+Program+Discussion

If you are an IT Professional and want to learn the full capabilities of Firefly, please visit
the Firefly IT Professional Discussion pages at
https://wiki.cites.uiuc.edu/wiki/display/SecCom/SSN+Elimination+Program+Discussion

Many faculty and staff members are surprised to find that they have personal and confidential information on their personal workstations. Most documents relating to individual students created before 2003 probably contain student Social Security numbers, which were used to identify students before Banner was deployed, or other FERPA-protected student information. Grant applications often contain sensitive personal information. Both faculty and staff members often have copies of resumes from job applicants, and these usually contain some personal information. And of course, it is not uncommon for workstations to contain personal information for the faculty or staff member who uses the computer. The data you are protecting might be your own.

You do not need to scan your computing cluster. If individuals log in to the cluster to use it for personal or University activities, then ask them to review the files they have stored to make sure they do not contain SSNs.

There is no obligation to scan dedicated data collection or similar devices.

No. It is not necessary to scan computer labs used by students.

Talk to your supervisor. If there is any chance that you or someone else who has occasion to use this computer has access to SSNs, then the computer should be scanned. This could be done either by each of the users individually (Firefly will only scan the portions of the drive you have access to) or by your unit's IT professional staff. However, do ask your supervisor about this. Do not assume someone else will do the scanning.

Generally, no. However, if the student is employed in a role that gives them access to administrative information, then the student should scan his or her workstation.

Home computers are much more vulnerable than computers professionally managed within the University environment. Use Firefly at home to both protect yourself by identifying personal files with SSNs and to ensure that work you've brought home is scanned as well. This is true regardless if the computer is owned by you personally or the University.

No. Firefly is only available for the MS Windows platform and Apple OS X version 10.3 and above.

No. They each take distinct approaches to finding SSNs. The Windows version is considerably more sophisticated in its search strategy and benefits from a much longer development cycle. The Mac version, nevertheless, is surprisingly successful with the much simpler approach it takes.

Perhaps. We are constantly fixing bugs and tuning the program. If you are using the Windows version and installed it from Internet Explorer, Firefly will automatically update to the latest version each time you run it. If you ran into some problem running the program, try rerunning it a week or two later to see if the latest version solved the problem.

The obligation of the Social Security Number (SSN) Elimination Program is to search your electronic files for SSNs--not to run Firefly or Firefly4Mac. These tools are merely provided to assist with the process. While great effort has gone into making Firefly and Firefly4Mac simple to install, the large number of computers and variety of hardware/software combinations on campus means that in some situations these tools will not function or install.

We strongly encourage you to avoid spending more than a few minutes struggling with Firefly or Firefly4Mac installation if it is problematic. Instead, spend that time using the normal search features of your operating system to find files that contain SSNs. Then remove, redact, or securely archive them.

For more pointers, see Windows Firefly fails on my computer or Firefly4Mac fails on my computer above, or read Scanning on Unix and Linux Operating Systems for some alternatives to Firefly.

Firefly for Windows creates a folder on your desktop called "Firefly Files". Inside this folder are dated copies of the HTML reports Firefly creates as well as a file that ends with ".csv". The CSV file can be opened by most spreadsheet programs and sort/filter the results with greater ease.

Firefly/Firefly4Mac might find a large number of suspect files. Try to the best of your ability to winnow out those files that are clearly false-positives (oddly named system files, for example) from those likely to contain true SSNs. If you have a large number of files that you need to examine, consider moving them all to a CD and looking through them at a more reasonable pace. Once these files are moved to a CD and taken off a networked computer's hard drive, the likelihood of them being stolen is greatly reduced.

Discuss this with your supervisor. Handling SSNs, even when a requirement of your job duties, brings with it the obligation to manage those SSNs securely--and the responsibility for doing this is yours. Consult with your unit IT professionals for further advice on how to best protect SSNs to which you have access.

Please don't! Contact Joanne Kaczmarek, Archivist for Electronic Records at (217) 333-6834 or jkaczmar@uiuc.edu. You can also read through What is a record? for more information.

• You can discuss questions or issues with using Firefly or Firefly4Mac with the IT Professionals that support your unit
• You can also contact the CITES Help Desk by live chat, phone, or email

It's important to note that units aren't being asked to do much during this phase of the program. Individuals are being asked to complete their personal review of electronic resources and remove, redact, or securely archive files containing SSNs and credit card numbers. Units, at this point in time are primarily being asked to account for SSN usage: who has access to them and what systems currently have them. After the completion of this portion of the program, units will be revisited and required to eliminate or, if granted permission, appropriately secure resources that include or touch SSNs.

No. Extending the deadline was considered but the timeframe is quite liberal for individuals to complete this scanning. The University SSN Policy was put into place 7 years ago, which should be a long enough time period for units to be able to account for their use of SSNs.

We recognize that regardless of the length of time available, the work entailed by this program will be disruptive and frustrating, but the risk and cost to the institution and campus community of SSN disclosures far exceeds this.

The immediate goal of the program is to eliminate SSNs unless a compelling business need can be documented. In many situations it is possible for units to remove SSNs from business and administrative systems and link to SSNs in the Enterprise Data Warehouse only when absolutely necessary. Legacy SSNs can often simply be removed from local systems. However, the Security Office will be providing extensive support to units in the form of both standards and guidelines for working with sensitive data over the coming year.

Please note that first a compelling and critical business necessity will need to be demonstrated to store or access SSNs, and then units will be expected to securely manage those systems that do so. Simply ensuring the security of SSNs does not entitle one to store them.

Units are not required to remediate their existing applications by the end of the program. Individuals, however, are required to eliminate SSNs from their personal files through deletion, redaction, or secure archiving by the February deadline. Once units have accounted for all their SSN stores, they should take this opportunity to begin planning for the elimination of these data.