Virus Leaks Files From University Hall

Usually tight-lipped administrators seemed to loosen up this month, as their personal correspondence—including a memo concerning a case before the Administrative Board—found its way to mere acquaintances.

The administrative glasnost was not intentional, however, caused instead by a computer virus that swept across the Internet in early June and infected a number of University Hall machines.

When the Bugbear.b virus, which hit campus June 6, infects a machine, it sends messages to recipients on an individuals’ address book and past message history. In addition to a virus-laden attachment, such e-mails often contain text fragments from files on that machine, which may include documents and private correspondence.

Harvard students reported receiving a variety of seemingly misaddressed, unusual messages, mostly bearing harmless communications about scheduling.

But at least one message, sent from an infected machine on the second floor of University Hall and received by at least three Harvard undergraduates, contained a confidential memo from Secretary of the Faculty John B. Fox to Dean of the Faculty William C. Kirby.

In the letter, Fox advises Kirby on how to correspond with the father of Michael D. Wang, originally a member of the Class of 2005 who faced disciplinary action by the College following a series of thefts last spring.

“I gather that today he has sent you an intemperate message, so perhaps there is no need to correspond with the father further,” Fox wrote.

The letter continued to suggest that Kirby, a China scholar, might want to write to Wang’s father, a “brief handwritten note in Chinese.”

“Dr. Wang has clearly not fully absorbed American customs as yet,” Fox wrote, “so a message in his own idiom might reassure.”

Fox said he was aware of the leaked memo, but that he had not realized undergraduates had received it. He first heard about the accidental transmission from an individual outside Harvard.

“I have not known any of the recipients I had heard from,” he said.

Fox said he was concerned about the privacy issues, but that the e-mail had not leaked from his Macintosh computer, as Bugbear only affects Windows PCs.

“There’s an enormous amount of concern,” Fox said. “As I say this errant e-mail did not come from me…This is another machine, that picked up an e-mail of mine and forwarded it.”

Fox declined to comment on the content of the memo to Kirby, and said he hoped all students who received it would destroy the e-mail.

“I will have absolutely no comment on the content of that e-mail, and I will repeat to you that any recipient of that e-mail should destroy it immediately,” he said. “I would think that students at Harvard would adhere to the same guidelines [for educational privacy]...This is protection of student records; this is in their interest.”

Educational privacy law can penalize institutions who negligently or intentionally transmit their students’ records.

The student’s father, James C. Wang, said that he had not heard about the message that circulated and that Harvard had not contacted him to inform him of the accidental leak.

“I didn’t know anything about that,” he said.

After The Crimson sent him a copy of the e-mail, Wang, who has been a practicing doctor in California for almost two decades, wrote that he was concerned about the apparent lack of privacy and compared the situation to a breach of medical privacy.

“Technology is a double-edge sword. Most of physicians in this country don’t e-mail their patients because of concern of privacy leakage,” wrote Wang. “However, if indeed there is a violation of privacy, patients have the right to be informed by their service providers.”

Fox said he had not heard of any previous comparable instances of this at Harvard, and that there was not an inherent problem with using e-mail to correspond about confidential student data.

“The matter of computer security is not my responsibility, that’s [Director of Harvard Arts and Sciences Computer Services (HASCS)] Frank Steen’s responsibility,” he said. “I’ve never heard it suggested that we should not use e-mail to discuss student matters. It would be a major change if that were decided.”

Steen said that his department reacted quickly to the Bugbear virus, posting an announcement on their website and updating the virus definitions for the anti-virus software that all FAS affiliates are encouraged to install, and that the actual number of computers infected was minimal.

“The Bugbear virus, what I can gather from around campus, affected a minimum number of machines here; it was pretty small,” he said. “What was more disturbing, I would say, is that people were getting e-mails from others that looked like they were sort of private correspondence.”

But he said the number of e-mails was minimal. “I haven’t heard a lot of reports and I would have heard something if it was a lot,” he said.

In addition, most administrators in University Hall—including Kirby and Fox—use Macs and receive special security attention from HASCS.

“The University Hall machines have gone through a process of checking, they have a person over there who has worked through this with us on how they were used,” Steen said.

Steen said the Bugbear e-mails most likely came from machines belonging to deans’ assistants, many of whom use PCs.

He also said he would continue reviewing computer security policies.

“There’s going to be more discussion about what should and shouldn’t be sent over e-mail,” he said. “There’s common sense but there really ought to be some written comment to help guide people. There are guidelines in place and I think they need to be looked at in various offices that handle sensitive material.”

One other Bugbear-induced e-mail leak involving University Hall contained a note to Kirby from Harvard Magazine editor John Rosenberg. Rosenberg joked that Kirby had not done enough in a Lexington ballot initiative to raise property taxes for education. “I think you did not vote often enough; nor did I,” Rosenberg wrote. “We lost, 51.6%-48.4%…Layoffs are to begin almost immediately.”

In an e-mail, outgoing Dean of the College Harry R. Lewis ’68 offered his advice as a computer science professor: “Use a Mac. There are too few of them for people to bother writing viruses for!”

—Staff writer J. Hale Russell can be reached at jrussell@fas.harvard.edu.