UPDATED: Feb. 26, 2017, at 11:27 a.m.
Until this month, at least 1.4 million emails maintained by the Harvard Computer Society were publicly accessible. Many emails contained information that should not be, and most likely was not meant to be, public: student grades, bank account information, copies of exams, club membership lists, and at least one Social Security number. The possible consequences of such privacy breaches are concerning, especially given that Harvard administrators, faculty, and students alike have used these lists to circulate sensitive information. While this breach of privacy was inadvertent, it should serve as a stern reminder that internet security is a dangerous and serious issue that requires urgent preventative measures.
Most disconcerting about this situation is that none of the HCS students, managers, or even college administrators realized the potential security hazards of the default public setting for email lists maintained by HCS. Originally meant for use by students and student groups, HCS lists were also used by teaching staff and administrators, an unintentional but still careless use of a service run by undergraduates. The information that was circulated by teaching staff is especially alarming because it appears to have been a potential violation of the Family Educational Rights and Privacy Act.
Despite the questionable default settings, we do not solely fault HCS for this unfortunate situation. It is normal and acceptable for a student organization to create mailing lists for other student organizations. The lists, however, went beyond this scope: Teaching staff and students used these publicly accessible lists to share student grades, answer keys, and even Social Security numbers, and they should have reflected on potential security risks before disseminating such information. Security is the obligation of all Harvard community members, and Harvard needs to place a greater emphasis on ensuring the privacy of sensitive information by educating everyone who would potentially circulate it.
That said, HCS should use this as a learning opportunity, making serious efforts to ensure privacy and security from the earliest stages of list creation in the future. The most straightforward and beneficial change HCS could make would be to switch the default setting of email lists to private. Although groups have the responsibility for ensuring that the privacy settings match the demands of their group, a privacy-oriented default setting could help prevent accidents like these.
HCS could also stand to benefit from greater collaboration with Harvard University Information Technology. That group, Harvard's official IT arm, has recently focused on information security with measures like Harvard Key and two-step verification. Currently, HUIT has only a loose connection with HCS, even though Chief Technology Officer for the School of Engineering and Applied Sciences James H. Waldo is the organization’s faculty advisor. Although the students who run HCS may be well qualified, HCS is ultimately a student organization. The “pretty loose connection” that James H. Waldo says he has in advising HCS is unacceptable. Given popular demand for email list services and their importance to both informal and formal operations of the University, greater support from their faculty advisor and HUIT is well warranted.
It is ultimately the University’s responsibility to ensure the privacy and safety of students and their information. As a result, Harvard administrators, faculty, and students must all do their part to ensure that a privacy breach of this scale does not happen again. HCS should be proactive by better educating list administrators about list security settings. Students, teaching staff, and administrators can do their part by being sensible about the type of information they disseminate over publicly accessible lists. The fact that sensitive Harvard email lists remained public for years should serve as a learning experience for everyone involved, and we all should think more carefully about the security of our data to avoid such an incident in the future.
CORRECTION: Feb. 26, 2017
Due to incorrect information posted on two separate Harvard websites, a previous version of this story incorrectly indicated that James H. Waldo is the Chief Technology Officer of the University.