Email Lists Revealing Students’ Private Information Remained Public for Years

Grades, answer keys, and student group bank account numbers sent over HCS lists were available online until Monday

UPDATED: February 21, 2017 at 4:00 p.m.

More than 1.4 million emails—some divulging Harvard students’ grades, financial aid information, and at least one individual’s Social Security number—sent over Harvard Computer Society email lists were open to the public until Monday.

Teaching fellows, resident tutors, College administrators, and thousands of undergraduates have used the email list service—which the student group made private Monday—for years. Emails sent over HCS lists contained the membership of certain BGLTQ undergraduate groups, bank account numbers for some student organizations, advance copies of a final exam, and answer keys to problem sets.

At times, teaching fellows used the lists to discuss students’ grades—a move some legal experts say may violate the Family Educational Rights and Privacy Act, a federal law designed to protect students’ privacy.

While only Harvard affiliates could access the directory of the email lists, the emails themselves were open to the public.

Over two dozen students who manage HCS lists said they never realized their emails were public. All College administrators who used the lists—including Dean of the College Rakesh Khurana—were also unaware their messages were public, according to Harvard spokesperson Rachael Dane.

HCS made the lists private after The Crimson contacted the organization last week. Jason T. Goodman ’18, the co-president of HCS, said he knew some email lists were public but was unaware of the scope of the issue.

“We occasionally received requests to make lists private from alumni that had inadvertently created public—made information public, but I would say infrequently,” Goodman said. “We didn’t think it was likely to be a common issue.”

Anyone with a Harvard email address could set up an email list through HCS. The default setting for HCS list archives was public, meaning users’ emails remained publicly available unless list owners specified otherwise.

“We assumed that, in the majority of cases, people had configured their lists correctly,” Goodman said.

Of the roughly 7,000 email lists logged in HCS’s online index, the vast majority—more than 5,500—had publicly accessible archives, according to a Crimson analysis of the lists. In an effort to protect students’ privacy, The Crimson delayed publication of this story until HCS gave all list administrators the opportunity to make their archived emails private.

James H. Waldo, the Chief Technology Officer of the School of Engineering and Applied Sciences who serves as the HCS faculty adviser, also said he was unaware that the majority of HCS’s email lists were public. He said he tends to have “a pretty loose connection with the Harvard Computing Society,” and that he played no role in setting up the group’s email list services.

Waldo said the default archive setting should have been private.

“The responsibility for determining whether the default is appropriate goes both to the people who are setting up the service and the people who are using the service,” he said. “The groups that knew that they were going to have people signing up who would want to have their identities not made public should have been aware of the ability to make their email list private when they signed up.”

Many HCS list users said they were surprised and concerned to learn their emails were publicly available. In particular, former Queer Resource Center staffer Marshall Craig ’16 said he was alarmed that the internal correspondence and membership of campus BGLTQ groups, including the Resource Center, had been discoverable by anyone with Internet access.

“Because it was managed by HCS, our understanding was that this was private—we were never given any indication to the contrary, and were never aware of any security concerns,” he said. “We feel strongly that identifying as BGLTQ is a personal decision, and concerned essentially that people will be outed against their will.”

Berkeley Brown ’18, the former chair of the Undergraduate Council’s Student Life Committee who previously maintained an HCS list for the body, said she was shocked to hear the majority of archived HCS emails were publicly available.

“Oh my god, yeah, every organization on campus I feel like uses the HCS lists, so, wow,” she said. “I can definitely see how it would be concerning for some groups, for sure.”

HCS took steps over the weekend to secure private information on its email server, first restricting access to the archives of all existing lists whose membership is private. HCS also sent emails to every single list administrator Saturday evening reminding them of their list’s privacy setting.

The group is additionally working to update the list creation process to “emphasize” the fact that the default setting for HCS email archives is public, according to Goodman. He added that HCS will “reevaluate their default values” going forward. In the meantime, HCS temporarily disabled the email list directory Monday, Goodman wrote in an emailed statement.
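The failure the article describes is an insecure default (archives public unless the owner opts out) combined with an index of thousands of lists that nobody had audited. The following Python script, an added example that is neither the article's nor HCS's own code, shows the two checks a list operator would want: a secure-by-default list record, and an audit over an index that reports which archives are public and which of those belong to lists with private membership, the set HCS locked first. The line-oriented dump format, the list names and the settings are constructed for this example and do not correspond to any real list server or to HCS data.

```python
"""Audit mailing-list archive settings for the exposure the article describes.

Added example, not code from the article or from HCS. The dump format
below (one list per line: name followed by key=value settings) is an
assumption made for this example; the list names are invented.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class MailingList:
    name: str
    # Secure defaults: a new list gets a private archive and a private
    # roster unless the owner explicitly changes them. The article reports
    # the opposite archive default, which is the root cause of the exposure.
    archive_public: bool = False
    members_private: bool = True


# Constructed sample index (hypothetical names, not HCS lists).
SAMPLE_DUMP = """\
# name                      archive_public   members_private
cs-course-staff-example     archive_public=yes members_private=yes
club-treasurers-example     archive_public=yes members_private=no
public-announce-example     archive_public=yes members_private=no
resource-center-example     archive_public=yes members_private=yes
already-private-example     archive_public=no  members_private=yes
"""


def load_index(dump: str) -> List[MailingList]:
    """Parse the constructed dump format. A missing setting falls back to
    the secure default on MailingList rather than to 'public'."""
    index: List[MailingList] = []
    for raw in dump.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, *settings = line.split()
        kv = dict(s.split("=", 1) for s in settings)
        index.append(MailingList(
            name=name,
            archive_public=kv.get("archive_public", "no") == "yes",
            members_private=kv.get("members_private", "yes") == "yes",
        ))
    return index


def public_archives(index: List[MailingList]) -> List[str]:
    """Names of lists whose archived mail anyone on the Internet can read."""
    return [ml.name for ml in index if ml.archive_public]


def lists_to_lock_first(index: List[MailingList]) -> List[str]:
    """Highest-priority fixes: private-membership lists with a public archive.
    The archive exposes who writes to the list and everything sent over it,
    so a private roster is meaningless while the archive stays open. This is
    the first step the article says HCS took."""
    return [ml.name for ml in index if ml.archive_public and ml.members_private]


def lock_archives(index: List[MailingList], names: List[str]) -> int:
    """Make the named lists' archives private; returns how many changed."""
    wanted = set(names)
    changed = 0
    for ml in index:
        if ml.name in wanted and ml.archive_public:
            ml.archive_public = False
            changed += 1
    return changed


def exposure_ratio(index: List[MailingList]) -> float:
    """Fraction of lists with public archives (the article's analysis found
    roughly 5,500 of 7,000, about 0.79)."""
    if not index:
        return 0.0
    return len(public_archives(index)) / len(index)


if __name__ == "__main__":
    idx = load_index(SAMPLE_DUMP)
    print(f"{len(public_archives(idx))} of {len(idx)} lists have public archives "
          f"({exposure_ratio(idx):.0%})")
    urgent = lists_to_lock_first(idx)
    print("lock first (private membership, public archive):", urgent)
    print("archives made private:", lock_archives(idx, urgent))
    print("still public after first pass:", public_archives(idx))
```

Run as a script it prints the audit for the sample index; the same functions apply to any index loaded from a real configuration export once `load_index` is adapted to that export's format. Note that the remaining public archives after the first pass are not necessarily safe: the article's examples of exposed grades and bank account numbers came from content, not rosters, so the second pass is a per-list decision by the owner.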

Harvard sent its own messages to inform College affiliates who manage HCS email lists that their emails were public. Last week, the Freshman Dean’s Office and tutors from Adams, Pforzheimer, and Kirkland Houses made their archives private.

Dean of Students Katherine G. O’Dair wrote in an emailed statement Sunday that her office was working to ensure student privacy.

“OSL stands ready to assist any recognized student organization that has been impacted by this issue,” she wrote.

Current and former teaching fellows who relied on the lists for communication—including staff for Societies of the World 24: “Global Health Challenges: Complexities of Evidence-Based Policy,” a class offered this semester—also made their internal communications private last week.

In addition to SW 24 TFs, instructors for at least three other Harvard courses—Science of the Physical Universe 27: “Science and Cooking: From Haute Cuisine to Soft Matter Science,” Computer Science 51: “Introduction to Computer Science II,” and Economics 10a: “Principles of Economics”—left sensitive course information public.

Former CS 51 teaching fellow Randy J. Miller ’13 said he did not know he had inadvertently exposed private course information. He said he alone—and not other CS 51 affiliates or HCS staffers—was to blame.

“This was a long time ago, but I assume this is probably entirely my fault and not that of CS 51 because I was just doing this kind of thing on my own,” Miller said.

Jacob H. Rooksby, an associate dean at Duquesne University School of Law who specializes in intellectual property law as it relates to higher education, said the public dissemination of students’ academic information, though unintentional, “pretty clearly” constitutes a violation of FERPA.

Marc S. Rotenberg ’82, the president of the Electronic Privacy Information Center who has testified before Congress about online privacy issues, agreed with Rooksby.

“There are likely several privacy claims against the university if confidential student information was improperly disclosed,” Rotenberg wrote in an emailed statement.

Rooksby added that, if the Department of Education were to find Harvard in violation of FERPA, penalties resulting from either private claims or federal action would likely be insignificant.

“To me, there’s no private course of action,” he said. “The one and only possible penalty is that the Department of Education might remove federal funding, but that’s not going to happen—it has never happened in the history of FERPA.”

“At most, they would investigate and see if the practice had a pattern of repeatedly occurring. If so, they would write up a letter asking Harvard to rectify the situation, and give them time to do so,” Rooksby added.

Dane wrote in an emailed statement Monday that the University had “no comment” on the potential FERPA violation.

Waldo said teaching fellows should have “known better” than to send sensitive information over email lists run by students and thus not required to meet University information security standards.

Still, he said he thought the teaching fellows’ behavior, which he called “unwise,” did not merit a FERPA investigation.

“FERPA is really for systematic violations that are intentional of the right to privacy of the students. As far as I can tell, it does not outlaw being careless or stupid,” Waldo said.

—Brian P. Yu contributed reporting.

—Staff writer Hannah Natanson can be reached at hannah.natanson@thecrimson.com. Follow her on Twitter @hannah_natanson.

—Staff writer Derek G. Xiao can be reached at derek.xiao@thecrimson.com. Follow him on Twitter @derekgxiao.

This article has been revised to reflect the following corrections:

CORRECTION: February 20, 2017

A previous version of this article incorrectly indicated that Berkeley Brown ’18 is the chair of the Undergraduate Council’s Student Life Committee. In fact, she is the former chair.

CORRECTION: February 21, 2017

Due to incorrect information provided by the College, a previous version of this story incorrectly indicated that an email list managed by the Office of BGLTQ Student Life was public. In fact, the office did not manage the list.

CORRECTION: February 24, 2017

Due to incorrect information posted on two separate Harvard websites, a previous version of this story incorrectly indicated that James H. Waldo is the Chief Technology Officer of the University.
