Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
Date: Sat, 10 Jan 2004 12:05:47 -0500
From:
To: Dave Farber <dave@xxxxxxxxxx>
Dave: Not mentioned in this article is that at the start of 2003,
NYU laid off its senior system and network security manager, who
had been with the university for nearly 18 years, in a budget-cutting
round. At the time of the layoff, the manager was working on privacy
issues, including HIPAA compliance.
http://www.nytimes.com/2004/01/10/nyregion/10identity.html
January 10, 2004
Students' Data on Web, and N.Y.U. on Defensive
By KAREN W. ARENSON
Three years ago, when Brian Frank entered New York University, he
signed up for intramural basketball, providing his name and his
university identification number, which was also his Social Security
number.
Yesterday morning, Mr. Frank, who is now a senior, learned from N.Y.U.
that these details had been posted on the Internet. He was among about
1,800 N.Y.U. students who received the same e-mail notification from
the university. In some cases, students' phone numbers were posted,
too.
"I'm furious," he said in a telephone interview from his home in
Parsippany, N.J., where he is spending his winter break. "It is an
egregious violation of student privacy."
Mr. Frank said that in an age of growing identity theft, he was
concerned that unscrupulous people might have found his personal
information and tried to use it.
N.Y.U. officials said the information was posted on an Internet page
run by Brian Ristuccia, a computer technician in Massachusetts who
found it on N.Y.U.'s Web site in a list of students interested in
intramural sports. The university said it was considering taking legal
action.
"We regret the concern that this may cause our students and former
students who were on the list, and we apologize to them," John
Beckman, an N.Y.U. spokesman, said yesterday.
He said that the university's own Web site is better protected now,
and that the information has been removed from Mr. Ristuccia's Web
site.
For his part, Mr. Ristuccia said he had removed the information on
Thursday "mostly because N.Y.U. had notified the affected students,
and that was the goal of my endeavor."
Computer privacy experts said that Mr. Frank had good reason to be
concerned.
"The students are at risk for identity theft," said Beth Givens,
director of the Privacy Rights Clearinghouse, a nonprofit consumer
advocacy organization based in San Diego. "Who knows how many
individuals got access to their names and Social Security numbers?
Just by putting this information on a so-called protected page, N.Y.U.
was exposing these students to risk."
She added, "This is not the first time I've heard about personal
information being posted on an internal Web site that is then tapped
into by someone who has no legitimate right of access."
Mari McQueen, associate editor of Consumer Reports, who led an
eight-month investigation into identity theft that was published in
the magazine's October 2003 issue, said that many universities used
Social Security numbers for student identification, and that the
practice opened the students to potential financial problems and
fraud.
"It is a very common practice, and one that needs to be curtailed,
given the abuses," she said.
She said that it was a particular problem for college students,
because they have no control over the use of the information.
"If you want to attend the university," she said, "you don't have any
choice."
Mr. Ristuccia, a 25-year-old computer system administrator for a
private company that he declined to identify, said in an interview
that he learned in late November about the information being available
on N.Y.U.'s Web site. He said a friend told him about it after finding
his sister on the list.
He said that he sent an e-mail message to N.Y.U.'s system
administrators in early December to tell them about the problem, but
that it was anonymous because "it is very common for an organization
faced with a security problem to blame the person that discovers the
problem."
He said that he also made a copy of the information - he called it a
mirror - "so that it would be difficult for N.Y.U. to claim that the
information never existed."
Mr. Beckman said the material had been accessible to people outside
N.Y.U. because an athletic official failed to activate the appropriate
security mechanisms. But he said the university had received no
previous notification of the problem. He also questioned why Mr.
Ristuccia had put the information on his own Web site. "That sounds
like a self-serving excuse to me," he said. "If you were really
concerned about the privacy of the students, you would not post their
information on your Web site."
He said that Mr. Ristuccia had also not responded when the university
first tried to reach him, but waited until the university followed up
with letters from its legal office.
Mr. Ristuccia, who has posted a commentary of the episode at
http://osiris.978.org/brianr/nyu-publication/, said yesterday that he
did not think he had broken any laws.
"There is a class of people who make a hobby of breaking into other
people's computer systems, but I don't advocate that type of thing,"
he said. "And that is not what I did. The information was available
with a search engine."
He said that N.Y.U. had erred by putting such information where it was
accessible.
Some computer advocacy experts said that problems like this are a
clear illustration of why universities should not use Social Security
numbers for student identification.
"A lot of universities have moved away from it," said Marc Rotenberg,
executive director of the Electronic Privacy Information Center in
Washington. "It was probably a mistake to use Social Security numbers
to identify students and to make the numbers accessible online. It is
not quite like publishing the number. But if someone was able to
access it without too much work, it is like publishing it online. But
this other person doesn't have clean hands, either."
Mr. Beckman said that N.Y.U. has been studying the feasibility of
using a different student identification system for more than a year,
and would probably make that change in the next couple of years. He
said the wide use of the numbers made changing the system a complex
undertaking.
Mr. Beckham said he did not know if this episode would prompt N.Y.U.
to speed up the conversion.
----------------- End Forwarded Message -----------------