[Published originally in the May 2001 edition of Computing Research News, pp. 3, 4, 12.]
Protecting Personal Information in Academia
By Gene Spafford
Personnel actions in academia are often quite
sensitive in nature and require the exercise of great discretion. Promotion,
tenure, and hiring decisions all require careful deliberation and documentation.
They have a tendency to engender controversy-- and sometimes litigation-- when
decisions are contested or involve contradictory information. Thus, it is widely
recognized how important it is to treat such information with sensitivity and
With that in mind, consider the following
scenarios, derived from recent similar events. Could any of these occur in your
- A Ph.D. student nearing graduation and
interviewing for positions decided to use a WWW search engine to see which
pages referenced her thesis work. Upon searching for her name, she found a
link to the hiring pages at a university where she had interviewed. By
following links to unprotected pages, she was able to read some of the
e-mailed, confidential letters of reference written by her advisors, and
detailed comments made about her by members of the hiring committee.
- An assistant professor was being considered
for tenure and promotion. Because of a typo in the solicitation letter sent
out to potential references, replies sent electronically were undeliverable.
Not only were those letters returned to the sender, but they were also
copied to the staff member acting as "postmaster" at the college--
the spouse of the assistant professor, who was thus able to read
very sensitive comments about the candidate.
- A prominent research scientist in industry
was interviewing for a senior position at a university. For personal and
professional reasons, she wanted to interview in confidence, without
informing her current employer. However, when one of her current supervisors
browsed the WWW pages of the university to get details of her visit, he
found a seminar announcement on the main WWW page, very clearly labeling her
as a "job candidate."
- Disgruntled students of a senior professor
broke into the WWW servers at several universities where they suspected he
had applied for a position. At some sites, they completely deleted the
electronic records of the professor's application-- the only existing copy of
his application there. At other sites, they found online copies of reference
letters and altered the text to state false and uncomplimentary things about
the professor. Finally, at other sites with online application mechanisms,
they entered fake applications containing slanderous information.
- A recent Ph.D. was applying to a university
for a post-doc position. She was self-conscious about a medical condition
and wanted to keep it a secret from the hiring committee as it had no
bearing on her application. The personnel committee members at the site
where she applied went beyond her submitted application and letters, found
her WWW page at an ISP and its links to her role in a medical advocacy
group, and linked those into their internal hiring database. This was
disclosed when one of the committee members made a passing reference to her
activity during the interview.
- Three years after a contentious decision was
made on his tenure, a professor obtained a major grant including some
significant computing resources. These were located in the department
computing facility, to which he was given keys. One evening, while working
in the room with the machines, he found stored CD-ROMs containing archival
back-ups of files from faculty machines. Over the next few evenings, he
searched through these archives, reading correspondence, reference letters,
and other formal documents concerning his tenure case.
Do these sound dramatic? Perhaps, but they are
also all too possible, and they are based on real incidents. Some individuals
may knowingly violate privacy and confidentiality rules when confronted with
temptation; others may be exposed to privileged information via accident or
malice. Without proper backups and protection, critical information also may be
damaged or lost as a consequence of either chance or unauthorized activity.
Controls should be in place to prevent incidents involving critical data.
Often, the priority for expediency and economy
in our use of computing has replaced careful thought about privacy and security.
This becomes a particular concern in academic environments. Many universities
and colleges do not have sufficient resources to hire properly trained staff,
purchase up-to-date security resources, and keep information properly protected.
Worse, academic sites often function using outdated hardware and software,
running non-standard configurations, and in an environment where proper security
controls are seen as hindering scientific inquiry. However, as can be seen by
the examples given above-- and many other similar scenarios-- the lack of proper
controls can also lead to damaged reputations, lost opportunities, hurt
feelings, and even legal penalties.
It is beyond the scope of this article to give
a comprehensive tutorial in the issues surrounding the appropriate protection of
personnel information. However, the following are worth consideration, both in
the general case and specifically for personnel issues:
- Organizations should have a
defined set of policies governing any online forum, WWW pages, or database
of personnel-related information. This should include coverage of procedures
and restrictions on the transmission, collection, and use of the data. Users
of these systems should be regularly reminded of the policies and the
reasons for their existence.
- Caution should be exercised as to what to
put online instead of remaining paper-based. A software security flaw,
network break-in, or virus cannot damage or disclose paper contents. Although
it may seem more convenient to use online mechanisms, there is an increased
risk of loss-- and often that risk and loss are both dramatically more severe
than would be the case using well-understood physical mechanisms.
- Letters with confidential or sensitive
content should be encrypted if they must be sent or stored electronically
(e.g., using PGP). However, postal mail, courier services, and faxes are
still reliable methods of delivery that are far less prone to exposure of
material to an unintended audience.
- Administrative computing should be performed
on systems separate from those used for general use and research. These
machines should be configured with greater security constraints, and should
be placed behind their own firewalls.
- Access to sensitive data in WWW pages or
databases should require, at a minimum, a password. Use of SSL/TLS on WWW
servers, and Kerberos or SSH for interactive connections, should be
considered as minimum safeguards.
- University counsel should be consulted to
determine exposures and regulations concerning the placement and
dissemination of personnel information. In particular, careful consideration
should be given to issues regarding the various fair employment and ADA acts,
HIPAA (Health Insurance Portability and Accountability Act), and any state laws
governing public records ("sunshine laws"-- note that online
discussions in a list may constitute a "meeting" under some laws,
and thus be eligible to be made available to the press and public). Systems
with student information may also be covered by FERPA (Family Educational
Rights and Privacy Act).
- Management should ensure that the staff
maintaining the systems are competent and well trained. Security and
maintenance functions should be adequately funded, rather than covered as a
secondary issue-- if at all. It is almost always unwise to have students or
faculty charged with maintaining machines that may contain sensitive
information about them or their peers.
- All critical systems and files should be
backed up regularly. The backups should be tested periodically to ensure
that they work properly. Access to the backups should be regulated, now and
in the future (and possibly encrypted to prevent access if they fall into
the wrong hands). A defined procedure should be in place to govern safe
disposal of the backups when they are no longer used.
- A great deal of software currently in use
has not been designed with good security practices in mind. Furthermore,
much of the software in widespread use today has continued to evolve for
additional functionality, but with insufficient care given to meaningful
quality assurance. Thus, it is important to stay current with the latest
patches and advisories, and to design defense-in-depth strategies to protect
against flaws as yet unreported that may lead to compromises.
- Sending (or accepting) documents in formats
that readily support the spread of computer viruses is a bad idea, and
should be strongly discouraged. Microsoft Word is particularly notorious as
a vector of macro viruses; as a conservative practice, Word documents should
not be sent nor accepted as an attachment in email. Executables, including
files in Visual Basic, should also be discouraged.
- Anti-virus software should be installed on
critical computers, and the virus definitions kept up to date. This is
especially important for Windows-based systems, which are the target of
choice for most known viruses.
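As an added illustration that is not part of the original article, the following Apache httpd configuration contrasts the kind of setup behind the first scenario (a committee directory served over plain HTTP, with directory listings that let anyone following a link enumerate every reference letter) with one that applies the minimum safeguards recommended above: a password required for every file, SSL/TLS only, and no listings. The directory path, realm name and password-file location are hypothetical, and the two blocks are alternatives rather than a single configuration.

```apache
# Added example, not from the original article. Paths and names are hypothetical.

# --- Weak: the configuration implied by scenario 1 -----------------------
# Committee files live under the public document root, are served over plain
# HTTP with no authentication, and +Indexes lets a visitor (or a search-engine
# crawler) list and read every letter in the directory.
<Directory "/var/www/htdocs/hiring">
    Options +Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# --- Hardened: the "minimum safeguards" from the list above --------------
<Directory "/var/www/htdocs/hiring">
    # No automatic listings: one guessed or leaked link must not reveal
    # the rest of the directory.
    Options -Indexes -FollowSymLinks
    AllowOverride None

    # Refuse the request outright unless it arrived over SSL/TLS, so neither
    # the password nor the letter contents ever cross the network in clear text.
    SSLRequireSSL

    # A password for every file. Basic authentication is acceptable here only
    # because SSLRequireSSL above guarantees the credentials are encrypted.
    AuthType Basic
    AuthName "Faculty Search Committee (confidential)"
    # Password file kept outside the document root so it can never be served.
    AuthUserFile "/etc/httpd/private/hiring.htpasswd"
    Require valid-user

    # Tell well-behaved crawlers not to index or follow anything they reach
    # (requires mod_headers).
    Header set X-Robots-Tag "noindex, nofollow"
</Directory>
```

The same pattern (separate, authenticated, TLS-only, non-indexable) applies equally to a committee's online application database or mailing-list archive; the unprotected-directory case is simply the one a search engine finds first.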
No matter the cause of disclosure, the
responsibility for protecting sensitive data lies squarely with the people
charged with maintaining the data involved. If the data are poorly protected, or
handled carelessly, then it is a matter of negligence. A hacker or program fault
may be to blame, but the people maintaining the data bear the responsibility.
For that reason, it is vital that proper precautions be taken to protect the
data in our care. This includes data relating to our students and staff, as well
as our faculty and candidates.
It is almost always faster and cheaper in the
near term to do things in an insecure fashion. However, as a profession, we
should be setting good examples for others, even if this involves expending more
resources and devoting more time to management. Within the CS/CE context, these
issues are critical if we wish to maintain our peers' confidence in our ability
to execute our administrative functions correctly and fairly within our
institutions. Within the broader context of society, they reflect on fundamental
issues in the construction of tomorrow's societal infrastructure in a secure and
enduring form. As such, we should all be concerned that these systems be built--
and used-- correctly.
It is beyond the scope of this article to
provide detailed instructions on how to secure all web servers or other
computing platforms. There are many security measures that should be taken
depending on policy, platform, time, and personnel availability. As a start,
lists of security tools and practices can be found via the CERT/CC site <http://www.cert.org>
or the CERIAS hotlist <http://www.cerias.org/hotlist/>. SANS also offers
pointers to useful resources and patches <http://www.sans.org/>.
One good book on security of web servers is Web
Security & Commerce by Simson Garfinkel and Gene Spafford, published by
O'Reilly and Associates, June 1997.
Gene Spafford is Professor of Computer
Sciences at Purdue University and an ACM representative on CRA's Board of