By Daniel Holevoet
The caller knew her name, her address, her number and that she went to Yale. But this was no job interview or screw date.
The man who called Shannon Monaghan ’08 located her information through University-run Web sites, which publicly display telephone numbers and contact information of Yale students.
The most conscientious Yalies will password-protect their laptops, shred personally identifying documents and be wary of online phishing schemes in order to protect their identity. In a more perfect world, this would be enough. But the harsh reality is that much of the information students seek to keep private is open to prying eyes everywhere — on University Web sites and the popular thefacebook.com.
The Yale phonebook is only one of a number of public services Yale offers that disclose student data. YaleStation, the Yale College Council portal, gives profiles for students, including each student’s name, NetID, e-mail, phone, address and names of roommates. The YaleStation service is available to anyone online without verification of Yale affiliation.
The Association of Yale Alumni maintains a list of legacy students and their associated relatives. Likewise, this information is available to the public, without credentials.
Monaghan said she is concerned by the amount of Yale student data that can be gathered. While she appreciates the ability to use the online Yale phonebook to find phone and room numbers of fellow students, she dislikes the fact that students’ records are put online without their consent or the option to modify what is displayed.
“It’s a little disconcerting,” she said.
Federal law regulates the amount of student data that can be published. According to Yale Chief Information Officer Philip Long, the University is in full compliance with federal regulations. He said students can decide to withhold information from being published.
The biggest concern, however, is the readiness with which students give their data to third parties, such as the popular networking site, thefacebook.com. Many students list complete profiles, with class, contact and housing information, as well as lists of friends, activities and interests.
While thefacebook.com is not limited by the same federal regulations as Yale ITS, it still claims to limit the availability of users’ profiles to others.
However, thefacebook.com was recently criticized for a loophole that could potentially reveal the complete contact information of anyone with a profile, including the names and phone numbers of the user’s friends.
Aaron Greenspan of Think Computer, a computer and security-consulting firm, discovered the potential security breach. After realizing that his W-2 tax information was being exposed on another Web site, Greenspan decided to investigate the security of other sites that had his personal data. When he checked thefacebook.com, it failed to pass his security analysis. Greenspan said clients who had used the export feature on the site had a freely accessible list of contacts available to anyone with the desire to collect random data by guessing profile numbers or to target a specific user.
Greenspan, a Harvard graduate, wrote a short program to determine the extent of the problem, which he discovered was not limited to his alma mater’s section of the site.
This loophole has been partially corrected by the site’s administrators, but Greenspan said the modifications are only a “quick fix.” A student’s data is still available for several minutes after using the export feature, until the server purges it. During those minutes, Greenspan said anyone can access the contacts.
“There are many, many other problems,” he said, in reference to online portals. “[Security breaches] are not a unique phenomenon.”
He said it usually takes some type of disaster for these issues to be noted, and his warning to thefacebook.com was an attempt to avert such an occurrence.
Greenspan said Yale’s new computer identification system is better than using a student’s Social Security number, but not entirely foolproof. The real issue, he said, is making sure Yale’s web and administration applications are protected, since a system is “only as secure as the weakest link.”