Student Site Stirs Controversy

A sharp debate raged on Lowell House’s open e-mail list this week after security issues were raised concerning a new student-run web portal launched last Friday that promised a place to trade textbooks, read and give feedback on classes and plan a class schedule.

While its creator lauded it as a much-needed resource for students, critics said they were concerned that the site’s web-based e-mail function—which requires a user to provide their Faculty of Arts and Sciences (FAS) account password—poses a security risk.

Aaron J. Greenspan ’05, who helped create the site, said that Harvard-run portals such as my.harvard and the House websites failed to centralize information that could be helpful and convenient to students.

“That was my diagnosis of the problem,” Greenspan said. “There was nowhere to trade textbooks, the CUE [Committee on Undergraduate Education] Guide wasn’t always as complete as it could be and the House websites were lacking.”

So he and the Harvard Student Entrepreneurial Council created houseSYSTEM to combine different services that could be helpful to students, Greenspan said. Once registered, users can submit and view commentary on classes, buy and sell items like futons and check e-mail from their Faculty of Arts and Sciences (FAS) accounts.

The ability to check e-mail formed the crux of the back-and-forth over Lowell’s list. In order to access e-mail, houseSYSTEM must know a user’s Harvard password. The site asks for it on registration—and currently informs users supplying invalid passwords that the site will lack full functionality.

Several members of the Lowell e-mail list contended that supplying one’s FAS password to a third party raised concerns.

“I’m certainly not an expert in computer security or online security, but there are certain red flags that I recognize,” said Graham R. Stanton ’05. “They were asking for the password [to my e-mail account] which is just something that’s not done. It said, when I tried to log in, that I needed it, which to me probably tried to access my e-mail account or something similar.”

Daniel J. Ellard, a tutor in Lowell House, was the first to post to the list with such a warning, pointing out that the site asked for a substantial amount of personal information—including a Harvard ID number and e-mail login name and password.

Director of Residential Computing Kevin S. Davis ’98 said he could not comment on the site itself, but that once a password is given to a computer system—no matter how it is secured—the system is able to read it in the end.

“It’s possible to encrypt any piece of information such that it’s well secured,” said Davis, who is also a Crimson editor. “Even if they encrypt your password, they need to be able to decrypt it; otherwise you couldn’t get to your mail.”

But Green-span said his intent in creating houseSYSTEM was not to collect personal information but to provide an important service.

“The only guiding idea here is to improve student life,” he said. “It’s not to collect people’s passwords. It’s not to abuse information for some evil purpose. It’s for students to benefit, whatever those pieces of information might be, whether it’s getting a job or your e-mail or your packages. It’s all things we’re trying to centralize in a way that FAS should but does not.”

Greenspan defended the security of his site, saying that a student’s houseSYSTEM account is kept completely separate from his or her Harvard student account.

“We can’t access those and shouldn’t access those,” he said. “Our database is kept separate from that.”

He said he uses an encryption algorithm called MD5 to encode information that should be kept secure.