Computer Privacy May Be Jeopardized on 'Net

In response to a Crimson investigation into computer privacy, the University closed a loophole in its computer system yesterday which had allowed students to view other users' transfers of pornographic and obscene material.

The Crimson learned that it was possible to identify users transferring pornography and to read the names of the files they transferred by looking at a public file.

This information was logged in a file that could be read by any user who knew its location.

According to a statement by Franklin Steen, director of Harvard Arts and Sciences Computer Services (HASCS), that log file was closed to student access yesterday.

But a week-long survey of the files, conducted last month on several computers, revealed the names of 21 undergraduates who had downloaded some 500 pornographic files.

Additionally, the electronic records show that seven graduate students--some of them University teaching fellows--downloaded pornographic images. One graduate student is a house tutor.

When contacted by The Crimson and told that their actions could be monitored by reading a publicly-available file, most of the students expressed shock and dismay.

"That bothers me a lot," said a sixth-year graduate student who has transferred many pornographic images, when he was told about the availability of the log file. "That's very embarrassing. I had no idea."

"Oh my god," said another graduate student who has copied images of sadomasochistic sex and bestiality and is a course head for a large Harvard class.

"You can never print my name," a sophomore said. "I had no clue you could ever find out I did that stuff."

"I see definite blackmail possibilities," the sixth-year graduate student said. He said he has taught several classes in the social sciences to under-graduates.

"I don't see any point in monitoring people and letting others see the information," the student said.

Steen said in an interview last week that he did not know the transmission of e-mail messages and transfers of files were recorded and publicly logged by Harvard's computers.

In what he called a "minor follow-up" to the interview at which he learned of the file's existence, Steen said he had checked with his technical assistants and found that access to the file could easily be restricted.

But Steen said that he had not ordered the filechanged because he had not received any complaintsabout the log file.

Student Reactions

One graduate student whose name is linked tothe transfers of pornographic images logged in thefile said he was "shocked" by Steen's response.

"This strikes me as reactive, not proactive,"the student said. "They know the file's aninvasion of privacy, but they're not doinganything about it. Why not?"

Of the students who were recorded downloadingporn, all seven graduate students interviewed saidthe log was an invasion of privacy.

Seven of the ten undergraduates said theirprivacy had been invaded; the other three saidthey were indifferent.

On Monday, one student contacted by the Crimsoncomplained to HASCS that the file should not bepublic, Steen said.

Another student who downloaded porn and wascontacted by the Crimson sought psychiatric helpat University Health Services (UHS) on Monday.

At that point, Steen ordered that public accessto the files be cut off. Yesterday HASCS engineerschanged the availability of the files on all 35HASCS computers, Steen said.

Steen said that as far as he knows, only theCrimson viewed the files.

But a survey of 15 students active in Harvard'scomputer community showed that some students havebeen aware of the file's existence for at least ayear. Students did not specify to what extent orwith what frequency they viewed the file.

"It is a grey area whether looking at the logfile breaks our rules," Steen said. "We say youcannot look at a user's files if they leave themopen by accident, but these files were [not] ownedby [any specific student]."

Steen acknowledged yesterday that theaccessibility of the log raised a question ofusers' rights to privacy.

"You pointed out a way in which our systems canbe used to violate privacy of individuals," hewrote in an e-mail message yesterday.

One student employed by HASCS said the filecould be changed in seconds, but that HASCS doesnot currently have time to be pro-active.

"They are so busy that unless someonecomplains, they just put it on a list and get toit when they can," the student said.

Last year Richard Steen, former acting directorof HASCS, complained that HASCS lacked theUniversity funding, staffing and space necessaryto meet the demands placed upon it.

Students close to HASCS said this week thatHASCS has only two Unix programmers and needs tohire more to adequately handle the work of serving10,000 users.

Other students agreed with Steen's decision notto change the file immediately.

"If there have been complaints and people areconcerned, then change the file," one Mathersophomore said. "But if people aren't concerned,then leave it alone."

Some students said that the recorded e-mailinformation--who e-mailed who and when they didit--is a greater invasion of privacy than the filetransfer information.

All of the students interviewed said they donot think that the e-mail information should havebeen public.

"It's a bad thing because I don't want peopleto know who I'm sending mail to or receiving itfrom," said Jefferson C. Tarr '96, co-founder ofthe student-run Digitas computer organization. "Itover steps privacy boundaries."

"It is a violation of privacy. That informationcould potentially be very bad. In the wrong handsthat information is very dangerous," Tarr said."It's sort of like Big Brother is watching, insome respects."

The log could be useful in containing illegalnet activity, however.

There are other illegal activities the filecould record, like the transfer of copyrightedsoftware or system password files, Tarr said.

"Of course, if you are stupid enough to try tocopy the password file that way, you probablydeserve to have it recorded," Tarr noted.

Issues of Privacy

The existence of the log file is the mostdramatic example of on-line activities beingpublic, but there at least six other ways in whichusers can monitor others' activities.

These include the "last," "finger," "ps,""mailq" and "w" commands and the viewing oftemporary directories which allow users to seewhat files other users are manipulating.

When combined, these commands allow a user topiece together some of the information in the logfile, as well providing users the means to observeothers' activities.

Steen said that the "last" and "finger"commands are currently of greatest concern to him.

The "last" command lists all the times usershave been logged into a Harvard computer, and alsoreports the name of the computer from which theylogged in.

Because many students now log in from thestudent network, the name of the machine fromwhich they are connecting is likely to be the nameof a machine in a student's dorm room.

So, it is possible to discover that a studentwas in their or another student's room at a giventime.

"Finger" is another Unix command that givessimilar information. It reports the name of thelast computer a student used and when they usedit.

Steen said this information should not be aseasily accessible as it is now.

"It's an invasion of privacy," he said. "We arediscussing them. There are technical issuesinvolved. You shouldn't know where people havebeen."

Many students involved with computers atHarvard said they know this information isavailable. One student even posted a message tothe "harvard.general" newsgroup last semesterwarning of the danger of the command.

Steen said he is discussing these issues withan ad hoc subdivision of the Standing Committee onInformation Technology (IT).

McKay Professor Harry R. Lewis '68, RegistrarGeorgene B. Herschbach, Steen, James S. Gwertzman'95 and Dean of the Division of Applied SciencesPaul C. Martin are on the ad hoc committee, whichmeets occasionally.

Steen said he is considering making the "last"command list the login times of only the user whois running it.

But it's unlikely that the "finger" commandwill be altered anytime soon.

"Some commands are so entrenched into Unix thatyou just can't remove them," Gwertzman said. "Inorder to verify some users, World Wide Web serversfinger the person accessing them and they won'twork if finger doesn't work."

The "mailq" command lists the usernames of thesender and recipient of e-mail messages that arecurrently being mailed.

"If you keep running mailq, you can get thesame information as what's in the syslog file,"said Richard B. Osterberg '96, the HarvardComputer Society's network director.

HASCS may eliminate the "w" command, whichlists the current activities of other users on acomputer, Steen said.

Eugene E. Kim '96 said yesterday thateliminating the "w" command would be an"overreaction."

"I am against that," said Kim, a formerpresident of HCS. He says that Steen is dealingresponsibly with privacy issues and called theavailability of the log file an "honest mistake."

Gwertzman said he was not opposed toeliminating the "w" command but said he wishedthere was another way of dealing with the issue.

Kim said that computer privacy is a "rising"issue at Harvard and in the outside world.

"We are in a transitional period," he said. "Asmore and more people get onto the Internet, theseare issues that need to be looked at."

Kim advocates mandatory first-year seminars onthe dangers of computer abuse.

"Just like peer counselors, I think thatfreshmen should be told early on about thecomputers," he said. "The rule is don't doanything on the Internet that you wouldn't bewilling to do in public."

Kim said he disagrees with Steen about the"last" command.

"It's not an invasion of privacy at all," Kimsaid. "It is a very useful command."

Other student leaders say they are unsure howmuch Harvard should restrict information.

"In today's world, I do think there should besome type of control over records of who logged inand where from," Tarr said.

"But there is some functionality with the lastand finger command--it's useful to see if someonelogged in since you sent them e-mail to see ifthey got it," Tarr added. "I don't know what todo."

Kim and others said the real solution to theseproblems is educating users and giving them priorknowledge of what is public and what is not.

"It is all a matter of what is advertised,"said one junior who is recorded as havingdownloaded sexual images. "The key is that Ididn't know that there was a file that recordedthat. If I had known, then it wouldn't be a bigdeal."

"It doesn't appear anywhere in the Harvardliterature," the sixth-year graduate student said."That's more of a concern. Now [that] I know, I'llchange my behavior."

Kim touted an HCS seminar on computer privacythat was offered last year and will occur againthis year as a way for students to learn moreabout what is public and what is not.

But only a handful of Harvard's 10,000 activeusers attend HCS's seminars. Likewise, HCSincludes information about privacy in its bookComputers at Harvard, which is distributed tofirst-years, but it is unclear how many studentsread the book.

Child Pornography

The issue of what activities can be observed isalso serious because some of the files studentsdownloaded are labeled as pictures of nakedchildren or teenagers.

John Russell, a spokesperson for the Departmentof Justice said Monday that the transport of childpornography is punishable by up to 10 years inprison and fines of up to $250,000.

Many students interviewed said they did notrealize the possession of child pornography isillegal.

"The trouble is, you don't know what's illegaland what's not," the graduate student course headsaid. "A lot of files aren't posted withdescriptions and sometimes you're not paying closeattention. You just don't know what you'redownloading."

Others said that downloading all the filesavailable and then viewing them at home is moreefficient then selecting which files to transfer.

"I end up with a lot of stuff on my machine," agraduate student said. "But I delete most of it,and everything that might be kiddie porn."

According to an FBI spokesperson in Washington,D.C. the agency could take legal action against aHarvard computer user if it had evidence that theuser transported obscene materials.

Currently the names of the files studentsdownloaded are still in the log file, though theycan only be read by someone with "super user"privileges.

Besides the legal criminality of possessingchild pornography, mental health clinicians saythere is a great deal of emotional stress involvedin obtaining and keeping porn.

Dr. Joseph Glennmullen, instructor ofpsychiatry, said copying hundreds of pornographicimages can be evidence of compulsive sexualbehavior.

"It historically involved things like buyingprinted pornography or visiting the Combat Zone inBoston, renting movies, prostitution," Glennmullensaid yesterday. "In recent years it has taken newforms."

"There's a tremendous amount of guiltassociated with it," Glennmullen added. "It is ashock to people to discover a [person] who doesthis, because they are not the sort of people youthink of as terrible people."

"People isually feel terrible, very embarrassedvery bad, feel like less than worth people feelpublicly humiliated, at risk..." Glennmullen said.

"They live in terror that someone in theirfamilies will discover it," Glennmullen said."There is a great deal of fear among men that ifthey died accidentally they wouldn't be able toremove the material before they died."

History of Unix

Steen said one reason that HASCS is dealingwith these issues on a case by case basis is thehistory of Unix, the operating system that runsmost of the HASCS machines.

"Unix was designed to share files andinformation," Kim said. "Not to make it secure."

"The point was just to make the computer work,"Tarr said. "The original designers never intendedUnix to be this operating system that governs theInternet. It was never supposed to be more thanthe system for two guys who wanted to program."

"All these mechanisms have been around sincethe early days of Unix," Tarr said. "And in thosedays the Internet was not used as commonly as itis today and issues of privacy were not asprevalent."

"So, although finger and last could be seen asan invasion of privacy, they were from days whenprivacy wasn't even an issue," Tarr says.

And it can be difficult to know how to modifythe commands so that less information is availablebut the rest of the Unix system still works.

"We're making the [log file] not readable,"Steen said this week. "But I don't know whatimpact that will have. It may affect somethingelse that needs it. We'll have to wait and see."

Gwertzman said that there is no way of dealingwith all the privacy issues in one comprehensiveaction.

"But we can only fix these problems as theycome up," Gwertzman said. "It would be hard todeal with these problems in any other way than acase-by-case basis."

Gwertzman points to Harvard's computerguidelines, available both on-line and in abooklet, as evidence that there is an overallprivacy policy.

"I think we have set up some guidelines, which,even though they are kind of vague, indicate whatwe are trying to do," Gwertzman said.

Steen says people have come to see Harvard'scomputer services differently now than in theirearly days.

"Instead of just maintaining the machines, wenow provide a utility, a service," Steen says. "Wehave to give advance notice of down-time. We'resubject to all sorts of scrutiny. People depend onus."DesignBenjamin I. LimaTracking Compute Usage Until yesterday, itwas possible for any student with a computeraccount to view the system's log file, whichrecords the names of files users transfer andpeople they email. This is a copy of a log filewith the specific details altered:

But Steen said that he had not ordered the filechanged because he had not received any complaintsabout the log file.

Student Reactions

One graduate student whose name is linked tothe transfers of pornographic images logged in thefile said he was "shocked" by Steen's response.

"This strikes me as reactive, not proactive,"the student said. "They know the file's aninvasion of privacy, but they're not doinganything about it. Why not?"

Of the students who were recorded downloadingporn, all seven graduate students interviewed saidthe log was an invasion of privacy.

Seven of the ten undergraduates said theirprivacy had been invaded; the other three saidthey were indifferent.

On Monday, one student contacted by the Crimsoncomplained to HASCS that the file should not bepublic, Steen said.

Another student who downloaded porn and wascontacted by the Crimson sought psychiatric helpat University Health Services (UHS) on Monday.

At that point, Steen ordered that public accessto the files be cut off. Yesterday HASCS engineerschanged the availability of the files on all 35HASCS computers, Steen said.

Steen said that as far as he knows, only theCrimson viewed the files.

But a survey of 15 students active in Harvard'scomputer community showed that some students havebeen aware of the file's existence for at least ayear. Students did not specify to what extent orwith what frequency they viewed the file.

"It is a grey area whether looking at the logfile breaks our rules," Steen said. "We say youcannot look at a user's files if they leave themopen by accident, but these files were [not] ownedby [any specific student]."

Steen acknowledged yesterday that theaccessibility of the log raised a question ofusers' rights to privacy.

"You pointed out a way in which our systems canbe used to violate privacy of individuals," hewrote in an e-mail message yesterday.

One student employed by HASCS said the filecould be changed in seconds, but that HASCS doesnot currently have time to be pro-active.

"They are so busy that unless someonecomplains, they just put it on a list and get toit when they can," the student said.

Last year Richard Steen, former acting directorof HASCS, complained that HASCS lacked theUniversity funding, staffing and space necessaryto meet the demands placed upon it.

Students close to HASCS said this week thatHASCS has only two Unix programmers and needs tohire more to adequately handle the work of serving10,000 users.

Other students agreed with Steen's decision notto change the file immediately.

"If there have been complaints and people areconcerned, then change the file," one Mathersophomore said. "But if people aren't concerned,then leave it alone."

Some students said that the recorded e-mailinformation--who e-mailed who and when they didit--is a greater invasion of privacy than the filetransfer information.

All of the students interviewed said they donot think that the e-mail information should havebeen public.

"It's a bad thing because I don't want peopleto know who I'm sending mail to or receiving itfrom," said Jefferson C. Tarr '96, co-founder ofthe student-run Digitas computer organization. "Itover steps privacy boundaries."

"It is a violation of privacy. That informationcould potentially be very bad. In the wrong handsthat information is very dangerous," Tarr said."It's sort of like Big Brother is watching, insome respects."

The log could be useful in containing illegalnet activity, however.

There are other illegal activities the filecould record, like the transfer of copyrightedsoftware or system password files, Tarr said.

"Of course, if you are stupid enough to try tocopy the password file that way, you probablydeserve to have it recorded," Tarr noted.

Issues of Privacy

The existence of the log file is the mostdramatic example of on-line activities beingpublic, but there at least six other ways in whichusers can monitor others' activities.

These include the "last," "finger," "ps,""mailq" and "w" commands and the viewing oftemporary directories which allow users to seewhat files other users are manipulating.

When combined, these commands allow a user topiece together some of the information in the logfile, as well providing users the means to observeothers' activities.

Steen said that the "last" and "finger"commands are currently of greatest concern to him.

The "last" command lists all the times usershave been logged into a Harvard computer, and alsoreports the name of the computer from which theylogged in.

Because many students now log in from thestudent network, the name of the machine fromwhich they are connecting is likely to be the nameof a machine in a student's dorm room.

So, it is possible to discover that a studentwas in their or another student's room at a giventime.

"Finger" is another Unix command that givessimilar information. It reports the name of thelast computer a student used and when they usedit.

Steen said this information should not be aseasily accessible as it is now.

"It's an invasion of privacy," he said. "We arediscussing them. There are technical issuesinvolved. You shouldn't know where people havebeen."

Many students involved with computers atHarvard said they know this information isavailable. One student even posted a message tothe "harvard.general" newsgroup last semesterwarning of the danger of the command.

Steen said he is discussing these issues withan ad hoc subdivision of the Standing Committee onInformation Technology (IT).

McKay Professor Harry R. Lewis '68, RegistrarGeorgene B. Herschbach, Steen, James S. Gwertzman'95 and Dean of the Division of Applied SciencesPaul C. Martin are on the ad hoc committee, whichmeets occasionally.

Steen said he is considering making the "last"command list the login times of only the user whois running it.

But it's unlikely that the "finger" commandwill be altered anytime soon.

"Some commands are so entrenched into Unix thatyou just can't remove them," Gwertzman said. "Inorder to verify some users, World Wide Web serversfinger the person accessing them and they won'twork if finger doesn't work."

The "mailq" command lists the usernames of thesender and recipient of e-mail messages that arecurrently being mailed.

"If you keep running mailq, you can get thesame information as what's in the syslog file,"said Richard B. Osterberg '96, the HarvardComputer Society's network director.

HASCS may eliminate the "w" command, whichlists the current activities of other users on acomputer, Steen said.

Eugene E. Kim '96 said yesterday thateliminating the "w" command would be an"overreaction."

"I am against that," said Kim, a formerpresident of HCS. He says that Steen is dealingresponsibly with privacy issues and called theavailability of the log file an "honest mistake."

Gwertzman said he was not opposed toeliminating the "w" command but said he wishedthere was another way of dealing with the issue.

Kim said that computer privacy is a "rising"issue at Harvard and in the outside world.

"We are in a transitional period," he said. "Asmore and more people get onto the Internet, theseare issues that need to be looked at."

Kim advocates mandatory first-year seminars onthe dangers of computer abuse.

"Just like peer counselors, I think thatfreshmen should be told early on about thecomputers," he said. "The rule is don't doanything on the Internet that you wouldn't bewilling to do in public."

Kim said he disagrees with Steen about the"last" command.

"It's not an invasion of privacy at all," Kimsaid. "It is a very useful command."

Other student leaders say they are unsure howmuch Harvard should restrict information.

"In today's world, I do think there should besome type of control over records of who logged inand where from," Tarr said.

"But there is some functionality with the lastand finger command--it's useful to see if someonelogged in since you sent them e-mail to see ifthey got it," Tarr added. "I don't know what todo."

Kim and others said the real solution to theseproblems is educating users and giving them priorknowledge of what is public and what is not.

"It is all a matter of what is advertised,"said one junior who is recorded as havingdownloaded sexual images. "The key is that Ididn't know that there was a file that recordedthat. If I had known, then it wouldn't be a bigdeal."

"It doesn't appear anywhere in the Harvardliterature," the sixth-year graduate student said."That's more of a concern. Now [that] I know, I'llchange my behavior."

Kim touted an HCS seminar on computer privacythat was offered last year and will occur againthis year as a way for students to learn moreabout what is public and what is not.

But only a handful of Harvard's 10,000 activeusers attend HCS's seminars. Likewise, HCSincludes information about privacy in its bookComputers at Harvard, which is distributed tofirst-years, but it is unclear how many studentsread the book.

Child Pornography

The issue of what activities can be observed isalso serious because some of the files studentsdownloaded are labeled as pictures of nakedchildren or teenagers.

John Russell, a spokesperson for the Departmentof Justice said Monday that the transport of childpornography is punishable by up to 10 years inprison and fines of up to $250,000.

Many students interviewed said they did notrealize the possession of child pornography isillegal.

"The trouble is, you don't know what's illegaland what's not," the graduate student course headsaid. "A lot of files aren't posted withdescriptions and sometimes you're not paying closeattention. You just don't know what you'redownloading."

Others said that downloading all the filesavailable and then viewing them at home is moreefficient then selecting which files to transfer.

"I end up with a lot of stuff on my machine," agraduate student said. "But I delete most of it,and everything that might be kiddie porn."

According to an FBI spokesperson in Washington,D.C. the agency could take legal action against aHarvard computer user if it had evidence that theuser transported obscene materials.

Currently the names of the files studentsdownloaded are still in the log file, though theycan only be read by someone with "super user"privileges.

Besides the legal criminality of possessingchild pornography, mental health clinicians saythere is a great deal of emotional stress involvedin obtaining and keeping porn.

Dr. Joseph Glennmullen, instructor ofpsychiatry, said copying hundreds of pornographicimages can be evidence of compulsive sexualbehavior.

"It historically involved things like buyingprinted pornography or visiting the Combat Zone inBoston, renting movies, prostitution," Glennmullensaid yesterday. "In recent years it has taken newforms."

"There's a tremendous amount of guiltassociated with it," Glennmullen added. "It is ashock to people to discover a [person] who doesthis, because they are not the sort of people youthink of as terrible people."

"People isually feel terrible, very embarrassedvery bad, feel like less than worth people feelpublicly humiliated, at risk..." Glennmullen said.

"They live in terror that someone in theirfamilies will discover it," Glennmullen said."There is a great deal of fear among men that ifthey died accidentally they wouldn't be able toremove the material before they died."

History of Unix

Steen said one reason that HASCS is dealingwith these issues on a case by case basis is thehistory of Unix, the operating system that runsmost of the HASCS machines.

"Unix was designed to share files andinformation," Kim said. "Not to make it secure."

"The point was just to make the computer work,"Tarr said. "The original designers never intendedUnix to be this operating system that governs theInternet. It was never supposed to be more thanthe system for two guys who wanted to program."

"All these mechanisms have been around sincethe early days of Unix," Tarr said. "And in thosedays the Internet was not used as commonly as itis today and issues of privacy were not asprevalent."

"So, although finger and last could be seen asan invasion of privacy, they were from days whenprivacy wasn't even an issue," Tarr says.

And it can be difficult to know how to modifythe commands so that less information is availablebut the rest of the Unix system still works.

"We're making the [log file] not readable,"Steen said this week. "But I don't know whatimpact that will have. It may affect somethingelse that needs it. We'll have to wait and see."

Gwertzman said that there is no way of dealingwith all the privacy issues in one comprehensiveaction.

"But we can only fix these problems as theycome up," Gwertzman said. "It would be hard todeal with these problems in any other way than acase-by-case basis."

Gwertzman points to Harvard's computerguidelines, available both on-line and in abooklet, as evidence that there is an overallprivacy policy.

"I think we have set up some guidelines, which,even though they are kind of vague, indicate whatwe are trying to do," Gwertzman said.

Steen says people have come to see Harvard'scomputer services differently now than in theirearly days.

"Instead of just maintaining the machines, wenow provide a utility, a service," Steen says. "Wehave to give advance notice of down-time. We'resubject to all sorts of scrutiny. People depend onus."DesignBenjamin I. LimaTracking Compute Usage Until yesterday, itwas possible for any student with a computeraccount to view the system's log file, whichrecords the names of files users transfer andpeople they email. This is a copy of a log filewith the specific details altered: