Month After Email Revelations, HCS Confident About Security

A month after revelations that more than a million emails sent over Harvard Computer Society lists were public for years, HCS President Jason T. Goodman ’18 said he is confident there are no lingering security issues.

Goodman wrote in an emailed statement Wednesday that he believes HCS’ efforts to address the issue “successfully prompted list administrators to review their privacy settings and correct any prior misconfigurations.”

Of the over 1.4 million emails left public, some divulged students’ private information like grades, financial information, and at least one individual’s Social Security number. These emails remained publicly accessible until late February 2017, when The Crimson informed HCS of the public status of the emails.

HCS took several steps to address the issue, first restricting access to the archives of all existing lists whose membership is private. The group then sent “privacy check” emails to every list administrator reminding them of their list’s privacy setting, and temporarily took down the main list directory.

By Brandon A. Wright

At the time, over two dozen students and administrators contacted by The Crimson said they were unaware their email lists were public.

The list directory remained offline as of Wednesday evening, and several student- and staff-run lists—including lists for BGLTQ undergraduates and teaching fellows—have been made private.

Still, some individual email lists remain accessible through their web domain and public search engines. Goodman wrote that most, if not all, of these lists are intentionally public.

“Many lists legitimately want to be publicly discoverable,” Goodman wrote. “The option to make lists publicly accessible is still there, and we expect it is used appropriately.”

The College also worked to address students’ privacy concerns after The Crimson reported on the public status of the HCS email lists last month. At the time, Harvard sent messages to inform College affiliates who manage HCS email lists that their emails were public. The Freshman Dean’s Office as well as tutors from Adams, Pforzheimer, and Kirkland Houses all subsequently made their own email archives private.

Over the next few days, Assistant Dean of Student Life Alex Miller and Dean of Students Katherine G. O’Dair stepped forward to offer “assistance to any student organization who had questions or issues with their listserv in light of the HCS issue,” according to O’Dair.

“No student organizations have come forward to me about this being a problem or issue,” O’Dair wrote in an emailed statement Wednesday. “[Miller] has not heard from any student organization about this either.”

Though several legal experts said the dissemination of students’ academic information over the HCS email lists likely constitutes a violation of the Family Educational Rights and Privacy Act, neither the College nor the federal government has opened an investigation into the matter.

Robert Stasio, the former chief of operations for the National Security Agency Cyber Center, said he thinks the “biggest risk” posed by the once-public HCS email archives is that “hackers” could have used the emails to “gather really good information” about Harvard students. Then, hackers could have used that information to try and infect students’ laptops with malware in a technique known as “spearfishing,” Stasio said.

He said HCS list administrators should have encrypted their email archives from the beginning to ensure users’ privacy. Data encryption, a technique that scrambles information so it is unreadable unless the viewer possesses a key, is “very simple” to perform, Stasio said.

He added he did not think there was much HCS could further do to rectify the situation going forward, other than continue to notify email list users that they should take action to protect their identities.

“Once the cat’s out of the bag, the cat’s out of the bag,” Stasio said.

—Staff writer Hannah Natanson can be reached at hannah.natanson@thecrimson.com. Follow her on Twitter @hannah_natanson.

.