Privacy concern sparks ID shift

Yale is moving forward with changes to its internal identification system that officials hope will better protect students’ personal information, such as Social Security numbers, from hackers like those who allegedly have invaded data networks at several universities in recent weeks.

Information and Technology Services officials have nearly finished phasing in the use of a Universal Personal Identifier, or UPI, as a replacement for Social Security numbers and other data that had been used to identify students throughout the University, Chief Information Officer Philip Long said. While students will retain their current NetIDs, Long said UPIs will be used to identify people checking books out of libraries, swiping at dining halls and signing in at Payne Whitney Gymnasium.

The UPIs were originally conceived as a way to streamline alumni database records, ease identification for international students, and prevent confusion between Yalies with similar names, Long said. But the new system promises to lessen threats of security breaches or identity theft, he said.

“Yale is improving the way it manages data, and we’re choosing an ID number that is quite deliberately not going to be used for anything else,” Long said. “You can post your number on a Web site. It’s not going to do anybody trying to get your information any good.”

While the University is taking steps to minimize the dissemination of student information, a proposed federal government initiative could force every American college and university to provide complete personal and academic records on every enrolled student — from Social Security numbers and ethnicity to degrees earned and financial aid received. A new federal database created with this information would replace the U.S. Department of Education’s current list, which since 1992 has only listed summary data from universities with students receiving federal financial aid.

The University’s security concerns have been heightened in the wake of a recent wave of attacks on university networks across the country, Long said. Last week, the University of Pennsylvania’s Wharton School of Business computer systems were temporarily shut down after network administrators discovered a “sniffer” program attempting to collect password information, Wharton Chief Information Officer Deidre Woods wrote in an e-mail. Wharton users were required to change their passwords in case any had been stolen during the intrusion, she said.

The University of California-Berkeley faced a larger problem when a laptop containing personal data on nearly 100,000 students, alumni and past applicants was declared stolen from a university office on Monday. Though Berkeley spokeswoman Maria Felde said university police believe the thief was more interested in the laptop itself than the information it contained, the system holds Social Security numbers of all students who received their doctorates from 1976 through 1999, graduate students enrolled at the university between 1989 and 2003 and graduate school applicants between fall 2001 and spring 2004, as well as some students’ birth dates and addresses.

Yale’s UPI system will reduce the danger of student Social Security numbers or other personal information being stolen if Yale computers are compromised, Long said.

“Our goal is that if something like that happens at Yale, the numbers they’ll be getting will be the UPIs, and that won’t have any value outside of Yale,” Long said. “Still, if they have names or certain confidential addresses on them, that’s still a problem. No system is ever completely secure.”

Though the numbers have already been created and distributed to students by ITS, and are displayed on many of the newer Yale ID cards, Long said the University is slowly adopting the new system on a departmental basis, since the expense of replacing every existing system at once would have been too great.

“We’re dealing with a massive number of systems — it’s not something that can just be switched out in a month or six months,” he said. “The way to keep the cost reasonable is to do it in the regular course of doing business. It’s being done as our systems receive routine maintenance.”

Though further background work on the UPI system will continue for another year or more, Long said students will begin to see the new numbers replace older authentication protocols this fall.

Comments