Tracking the Digital Trail

In a given day, Harvard undergraduates might check e-mail a dozen times, swipe into doors all over campus, eat a meal in one of the House dining halls, or—if they’re splurging—go out to The Wrap using Crimson Cash.

Without thinking, they’ve left a rich digital trail on the University’s servers with information about their daily routine, ranging from meal times and purchases to whereabouts scores of times each day.

In the course of normal operations, Harvard also obtains and keeps sensitive information from the status of financial aid recipients to the job applications, transcripts, and medical records of its affiliates.

While the University has taken some steps to guard this information, much of it is still available to those with an internet connection and a little ingenuity.

Harvard ID numbers are issued to all students, faculty, administrators, and support staff and are supposed to be treated as confidential information, according to Franklin M. Steen, Director of Harvard Arts and Sciences Computer Services (HASCS).

But this approach has marked the crux of the problem for Harvard, which has made ID numbers easily available while continuing to use them as confidential identifiers.

By making a wealth of information—from grades in some classes to eRecruiting job applications to, until this January, medical records—accessible with just an ID and sometimes a publicly available password, the University has protected this data as if ID numbers were confidential.

But because the numbers are printed on every affiliate’s ID card and because they must be shared with others for a variety of mundane purposes, in practice, IDs fall far short of this bar.

A Crimson investigation in January found that anyone with an internet connection could obtain the University Health Services prescription drug histories of any Harvard affiliate. The Crimson also found that this loophole allowed anyone with an internet connection to find the ID number of any Harvard affiliate as well as contact information for students whose enrollment status the University is bound by law to keep secret.

The University is undertaking an audit in response to these issues that aims to implement secure passwords for all of its protected data.

Still, at a time when security lapses are becoming increasingly common both in higher education and more generally, these loopholes underscore the amount of sensitive data Harvard keeps on its affiliates and the risks inadequate security for this data might pose.

ID INSECURITY

The Crimson’s January investigation found that Harvard affiliates’ prescription records could be accessed with only a Harvard ID number and name, which are both widely available pieces of information.

While the now-deactivated iCommons polling tool made this possible by generating names and ID numbers for any University affiliate, a number of groups of students and staff are able to match up ID numbers and names anyway.

In addition, clubs regularly compile ID numbers from student members when planning barbecues or picnics in order to collect food and supplies from Harvard University Dining Services (HUDS) or when performing administrative tasks.

Students who work with HASCS as User Assistants (UAs) also have the ability to match ID numbers with student names in moments.

Recognizing the risk of this capability, HASCS requires UAs to sign an agreement with the General Counsel’s office promising not to share this information or use it improperly.

And the ID numbers of all residents of Mather House in the Class of 2007 were accidentally posted along with room and mailbox assignments to the House open list in August 2004.

A number of Harvard online applications continue to require no more than an ID number and a birthday or name to access.

For example, anyone with access to an ethernet jack or within a wireless network on campus can delete or register a Harvard network connection with only an individual’s ID and last name. This could permit someone to illegally share files which would be traceable to another person’s IP address.

Additionally, any user can download or post resumés, or accept or decline interviews, on another user’s eRecruiting account, provided one can obtain a Harvard ID and birthday.

The latter of which is listed for all undergraduates on the College’s online facebook at facebook.fas.harvard.edu, and is more widely accessible via websites like anybirthday.com.

Websites like Lexis-Nexis and Accurint also provide individuals’ social security numbers. Using a Harvard ID and the last four digits of a student’s social security number, it is possible to activate mail forwarding, which will send all campus mail to a different physical address.

Faculty and teaching fellows regularly post grades in spreadsheets listed by ID numbers, and this year all 311 students in Psychology 1, “Introduction to Psychology” had their ID numbers released during the fall semester.

And at least two pizza delivery services listed on the cash.harvard.edu website will allow students to order food using Crimson Cash by reading an ID number over the phone and did not ask for ID or name verification upon delivery when The Crimson placed an order.

With nothing more than a single ID number, anyone can spend others’ Crimson Cash.

Steen acknowledges that students with Crimson Cash balances are at much higher risk when their ID numbers are displayed.

“Originally you were supposed to use your card with the Crimson Cash and you needed to have it in your possession,” Steen says. “But you can lose your money and it’s of concern.”

According to Jami M. Snyder, communications coordinator for HUDS, vendors who accept Crimson Cash are supposed to physically swipe ID cards that are used for transactions.

“Those who fail to do so are liable for any fraudulent charges and would be charged accordingly,” Snyder writes in an e-mail. “Customers are urged to monitor their accounts closely, and to report any suspicious charges immediately.”

She adds that no complaints of fradulent charges have been filed.

But Steen said that the lax security surrounding students’ and staff’s ID numbers is not usually a serious risk.

“One of the key elements is that you need two pieces of information to do anything, including getting an e-mail account, which is something that we just changed for security reasons,” Steen says.

In response to The Crimson’s findings, University spokesman Joe Wrinn said in February that Harvard would conduct an audit of all websites that require ID numbers and other nonsecure items in order to grant access.

Gene Madden, associate director for information services at the Office of Risk Management and Audit Services, says that the audit is proceeding in priority order, addressing the most serious issues, such as noncompliance with Family Educational Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act regulations first. The audit also aims to stamp out the use of nonsecure items such as birthdays, social security numbers, and last names as passwords.

“I expect that we will be wrapping up the frontline systems by the end of the summer,” Madden says.

DAILY MOVEMENTS

The potential availability of some of the most widely used personal information—e-mail and swipe access—introduces an additional privacy concern.

Students enlisted as UAs are given access to a broad range of information to aid in their work helping with computer-related problems.

Steen confirmed that UAs can change Faculty of Arts and Sciences (FAS) account passwords, thereby gaining access to any e-mail inbox, where sensitive information is often stored, though he emphasized that while students have the power to do this, he knew of no instance when this had actually happened.

“That would lead to some serious disciplinary action,” Steen says.

But one does not need UA access in order to track people using their FAS e-mail accounts. Using scripts such as “friends” or commands such as “last” or “rwho,” intrepid computer stalkers can follow movements of anyone using telnet programs—like SecureCRT and Terminal—by matching the IP address at which the target is or was logged in with the physical location of that IP address on campus.

The “friends” script has a detailed listing of what Harvard IP addresses correspond to what buildings, allowing users to pull up with a few keystrokes where any user they have listed is logged into telnet on campus. Coordinator of Residential Computing Kevin S. Davis ’98 says that HASCS would not comment on the subject.

Harvard servers also hold another form of information used daily—swipe card data.

HUDS publicly discusses the data it receives from monitoring swipe action in the 14 residential dining halls across campus in order to allocate resources and staff. Snyder says, however, that the data is only ever distributed in aggregate—with no names or IDs attached.

While entry swipe data is not compiled centrally, according to Madden, each individual location has its own system for monitoring and storing the information, which could lead to variations in the amount of time that information is stored.

But Madden says that like the data, the information received from the central ID system is extremely minimal, containing only the necessities required by individual access points to verify identity.

“There is a central database of Harvard IDs that have been issued and that data is shared with at least some of the physical access systems,” Madden says. “But, they get a very stripped down access.”

CALL ON ME

A “serial whisperer” who harassed students over the telephone in 2001 may still be at large, but Harvard has no intention of increasing the protections for student contact information. Rather, at the conclusion of the 2004-2005 academic year, contact information for FAS students will be publicly available unless students opt out.

According to the FAS directory website, all student privacy levels will be reset “at the end of the 2004-2005 academic year” to the least restrictive security level, where it is displayed in “publicly accessible” Harvard directories including the harvard.edu phone book. Students must manually change the security level of their contact information to prevent it from becoming publicly available.

Previously, the directory default was set to level 4, “Display only within Harvard in print or online,” according to the website.

But Directory Services Product Manager Jane E. Hill writes in an e-mail that students have not yet raised any concerns about this issue.

The directory services on the harvard.edu website list students’ dorm rooms, mailing addresses, e-mail addresses, and room phone numbers.

According to Harvard University Police Department spokesman Steven G. Catalano, Harvard students report between 15 and 20 inappropriate phone calls each year.

In November 2001, HUPD located a man in Boca Raton, Fla. who had allegedly been making harassing phone calls for two years to Harvard female undergraduates. After the “serial whisperer” was identified, inappropriate calls to female students declined dramatically, but consistent reports of harassment continue.

And earlier this year, students were plagued by a wave of unsolicited calls from telemarketers hawking credit cards.

While students rarely use their room land-line phones, they are required for safety purposes to keep either the provided red phones connected, or to have a replacement phone connected at all times, according to University Information Systems Director of Telecommunications Nancy Kinchla.

And as the phone numbers for these telephones become publicly available on the Internet, these problems may become more prevalent.

THE VAULTS OF 20 GARDEN ST.

Directory information is but one facet of the reams of biographical data held by the University.

The Registrar’s Office houses the most personal of students’ data, including their social security numbers, grades, and family information.

According to Steen, this concentration of valuable data means that the Registrar’s Office has long been one of Harvard’s most secure locations.

“Long ago, the registrar’s system wasn’t connected to the network, it was a dial back system—you would call them and it would verify your phone number,” Steen says. “We’ve tried to simulate that same kind of protection and so before you can see anything it tries to verify who is seeking it.”

Executive Director of Information Services for the Registrar Pedro Moura also says that now, access to sensitive student data—including that of secure-flagged students protected under FERPA—is accessible only to people who have had long-standing professional relationships with the office.

“Sensitive student information is available only to a few full-time data professionals who built their careers on the integrity of their work,” Moura writes in an e-mail.

Both Steen and Moura say that to the best of their knowledge, no one has ever “hacked” into the registrar’s student data.

“The system is protected behind all kind of securities. It isn’t just hacking it, it’s finding it,” Steen says. “I don’t like to talk about it because you don’t want to give people a challenge.”

—Staff writer Joshua P. Rogers can be reached at jprogers@fas.harvard.edu.