At least one member of Princeton’s admissions staff improperly accessed information about 11 students from Yale’s admissions notification website in early April, the university admitted in a press release last Friday.
The incident, first reported by the Yale Daily News last Thursday, raises concerns about the security of such web-based systems, which are used by many universities across the country to notify applicants of admissions decisions before they are notified by mail.
Harvard opted not to use such a system, deeming it too attractive to potential hackers.
“When we were thinking of switching [to computer-based notification programs], we were advised not to have a website by a number of technical experts on the faculty,” McGrath Lewis said.
Harvard will keep in place its optional e-mail-based notification system, which McGrath Lewis said worked “beautifully” for regular decision candidates this spring.
Princeton University President Shirley M. Tilghman wrote in an e-mail to the Princeton community, “I deeply regret the enormous strain that these events have caused, first and foremost, to the students whose rights were violated.”
Princeton Director of Admission Stephen LeMenager, who accessed Yale’s website from an admissions office computer, had been placed on administrative leave pending the outcome of an investigation. LeMenager told the Yale Daily News that he was testing the degree of security of Yale’s website.
Princeton admissions officials only had to know applicants’ names, birth dates and Social Security numbers in order to find out whether they had been accepted to Yale, as well as personal and academic profiles students had provided.
A common solution to hacking concerns is to have the school send its applicants a personal identification number by mail, which is the method used at schools such as the University of Pennsylvania.
Yale junior Alexander G. Clark, who developed the Yale admissions website, said he expects that personal identification numbers will be required to access Yale admissions information for the Class of 2007.
The Yale website was clearly labeled as containing information only intended for applicants. A disclaimer on the site read, “All information released on this site is intended for the personal use of the applicant. No one but the applicant should make use of this online facility.”
A Yale investigation found that confidential information on the website was accessed 18 times on the Princeton campus, though four of those times occurred at computers outside the admissions office.
Yale Deputy Director of Public Affairs Thomas P. Conroy said those four may not have been due to improper usage of the system.
“A student could certainly say to a sibling or parent that they could access their information for them,” Conroy said. “That’s fine—an applicant can give permission to anyone else to do it.”
According to a statement released by Princeton, at least one of the recorded incidents of accessing the website may have resulted from a Princeton student checking on the application of a sibling.
Conroy also said that it was possible that an applicant to Yale happened to be at Princeton when he or she decided to check the site.
The FBI will investigate whether Princeton violated the Family Educational Rights Privacy Act, known as the Buckley Amendment, which is supposed to safeguard student information. If Princeton is found guilty, the university could lose limited federal funding.
—Staff writer Eugenia B. Schraa can be reached at firstname.lastname@example.org.