Computer files not so secret

Like approximately 50 other Yalies every month, Rosa Ayala ’09 got busted.

The Record Industry Association of America spotted an illegal file on her computer and contacted ITS with her IP address in an attempt to curb the spread of illegally downloaded music. ITS then matched the song to Ayala’s computer, informed her of the copyright violation and instructed her to erase the forbidden file.

Although bemused by the ordeal, Ayala was neither surprised nor disconcerted by the availability of her information. She said that she, like many other students, does not expect the relatively mundane information stored on her computer to be private and has done little to ensure her data’s security, whether it be hiding her iTunes library or password protecting her personal data.

“I always assume that anything that I do on a network won’t be private,” she said. “The fact that you’re on a network or on the Internet, it’s not private. Someone can always see the information.”

But experts warn that such a relaxed approach could pose mounting dangers despite the best efforts of ITS and Information Security to protect students’ privacy.

College students’ desire to self-promote on sites such as Facebook and MySpace may put them at particular risk, Farber said. Ironically, the generation’s technological aptitude leads to both increased risks and relatively little anxiety about security. Like Ayala, most college students assume their information is available but seem unconcerned.

Farber said that once awareness of the dangers of such routine postings grows, users will monitor more closely what they make available. Just as it is nearly impossible to find resumes with Social Security numbers posted on the Internet, it will soon be increasingly rare to find birth dates, notes about siblings, and listings of marital status, he said.

Meanwhile, ITS’s management of students’ personal information files, which includes both securing it from intruders and making sure students abide by University rules and federal laws, will become increasingly important as students send more e-mails, save more searches and share more files. David Farber, professor emeritus of computer science and public policy at Carnegie Mellon University, said educational and industrial institutions are still catching up in terms of security, and students should become increasingly aware of how they disseminate and protect their data.

But the information available on University networks is uninteresting in most respects, Farber said. Grades and e-mails are not nearly as appealing as targets compared to Social Security numbers and credit card digits, so the risks for ITS are relatively small compared to those of major corporations such as T.J. Maxx, which accidentally gave away information on 47 million credit and debit cards in January.

Occasional security breaches, including impersonating e-mails such as the false Spring Fling announcement sent last week, reveal the potential holes in any security system. ITS continues to update institutional security, but much of the onus rests on individuals rather than network protections, which will always play catch-up to hackers, Farber said.

Last week, in a move illustrative of this shift to personal protection, ITS told students to change their personal passwords in the coming week and to continue to do so regularly.

But Ayala said ITS’s emphasis on self-protection and Farber’s insistence on reducing the amount of personal information online both conflict with the rising use of personal Internet pages that reveal rather than hide.

“My parents would never put their credit card number online but I pay my credit card online,” she said. “They’re always telling me that I shouldn’t be putting my information online like that, that people could see it. I do it because it’s more convenient. But the convenience is putting us more at risk as we push farther and become less protected.”

Contrary to ITS’s assertion that students should feel most threatened by hackers and other people aiming to steal individuals’ personal information, student concerns often center around how their information is managed within the University, not how vulnerable it is to those outside it.

“Your first gut reaction when you hear that people can look into your e-mails and your private life is that, this is my life, I don’t want anyone looking in there,” Colby Moore ’09 said. “I guess we expect it more in our day and age, we’re more accustomed to our lives being out in the open than 10 years ago, but it is still at times scary with technology increasing and what people can look at.”

Chief Information Officer and ITS Director Philip Long said in an e-mail that ITS does not track most student and faculty correspondence and downloads and will only access them if the information is requested by specific authorized personnel, including the court system and the University’s Executive Committee. University Security Systems collect further information.

“For undergraduates the Executive Committee has full authority to require access to all Yale information for students as specified in their approach, and that would include ITS-held information such as e-mail under proper request from the Executive Committee,” he said.

Only a small group of people — among them Information Security, ITS, the Executive Committee and student Computing Assistants — have access to the e-mails and personal files of Yale students, and then only in select circumstances, Long said.

Minh Vuong, the manager of student computing support, said students rarely express concern about their own privacy but should show a little more vigilance.

“I think computers can reveal almost everything about their owner since so many personal files are saved on their computer,” he wrote in an e-mail.

Comments