Stumbling Upon Secure Data

October 1, 2007


Journalists, student and otherwise, often find themselves walking the fine line separating personal privacy from their obligations to the public at large. So when a new hire at Western Oregon University’s student newspaper happened across a file containing former students’ Social Security numbers on the university’s public server in June, he and the student editor resolved to immediately inform the administration -- and also make a copy of the file for reporting purposes. The students subsequently published a special issue of the Journal, distributed during graduation week, detailing the security breach but devoid of any of the private information found in the file.

Still, as the Portland Oregonian reported, the student copy editor who initially found the file faced a disciplinary hearing Friday and penalties up to and including expulsion for allegedly violating the institution’s computer use policy. And while officials decided against expulsion Friday -- opting instead to require the student to complete a presentation on "acceptable computer use" and write a newspaper commentary on university policies, according to The Oregonian -- the adviser for the Journal got a letter in August indicating that her annual contract would not be renewed.

“I feel as an adviser, as many advisers do, that oftentimes we’re really forced between loyalty to the university and loyalty to an independent press,” Susan Wickstrom said Friday. “I feel like my job as an adviser is to be loyal to the student press. And in this case, it cost me my job.”

But the issue, said Mark Weiss, executive vice president of finance and administration at Western Oregon, was not the student newspaper's coverage of the security slip, but instead the making and keeping of copies of the data. “The fact that copies were made of confidential information contrary to our university policy ... that’s the only issue that I have.”

“From my perspective [the student] was given bad advice,” Weiss said. “And certainly a university employee, an adviser to the newspaper, should not have accepted any copies.”

In retelling the tale, Wickstrom said that she was “half-listening” and “in some proximity” while the student editors conferred about the newly found file, discovered during the Wednesday of “Dead Week” before finals. Within five minutes, the editor-in-chief left to inform administrators, and while Wickstrom said she could not remember the details of when students copied the file onto a disk, she said the editor did ask if she could keep it in her office. “I just said, 'OK,' I wasn’t even positive what was in the file. I just knew it was some evidence that they were using to work on a story.” She said she put the disk in an envelope and went home for the long weekend (she worked Monday through Wednesday).

On that Friday, June 8, she said she received a call from university computing telling her that security had let officials into the newsroom, where they searched the computers. “I was horrified,” Wickstrom said of the search.

“The one thing that I hope doesn’t get ignored by anybody is the fact that school officials searched a newsroom. That’s outrageous; we just don’t do that in this country,” said Mike Hiestand, a legal consultant and lawyer for the Student Press Law Center, who added that newsrooms, including college newsrooms, are protected from search by law. (Weiss confirmed that officials went to the college-owned newsroom to remove the copied files, but could not “confirm or deny” whether a search of the computers occurred when students and staff weren’t present).

Wickstrom said she talked to the editor-in-chief over the early June weekend and, learning that he’d already told the administration of the disk’s existence, advised that he return it to the administration. The student had in the meantime taken it from her office drawer without her knowing, Wickstrom said. Upon learning that, she volunteered to pick it up from his home and bring it to the administration -- which she said she did.

University officials deleted the file originally downloaded to the copy editor's personal laptop, the academic year ended, the four-page special edition of the Journal with the article -- which Weiss said he thought was balanced and which he had no problems with -- was distributed, and everyone went home.

In August, Wickstrom received a notice indicating that the university might not renew her contract because she “didn’t advise the students about the information that they had recovered adequately,” and for allowing students to take the disk off campus. Two days after a hearing, she received a letter via registered mail saying that her contract would not be renewed. Weiss declined to comment on Wickstrom’s case.

"What I did ask," Weiss said of the entire situation, "is that any copies of files that should not have been copied ... that we needed to erase them, destroy them. And that was the only goal we had and it was limited to those files that we were told were copied. It was our obligation to the privacy of those students to do that."

But Hiestand of the Student Press Law Center defended the right of the student journalists to keep the evidence while reporting the story. “Keeping that information so they can write a story was entirely appropriate. I trust that they took care of it and disposed it properly,” Hiestand said.

“It’s one of those things where I think the student newspaper covered the story exactly how a newspaper should cover a story. They found there was a problem with the security, as far as student files and things go, and they reported on that. They made a decision not to use names or anything like that.”

“To now target the adviser and, at least indirectly, the student newspaper -- that’s a poor choice.”


Comments on Stumbling Upon Secure Data

  • And who published it?
  • Posted by Rochelle, Librarian on October 1, 2007 at 7:00am EDT
  • This is ridiculous. Anyone who found the page and viewed it in their browser "kept a copy" of it in their browser history; did the university also dump the computers' caches? The fault lies with whoever it was who published the file on a live production server, not with the students' adviser.

  • Posted by John Lobell, Professor at Pratt Institute on October 1, 2007 at 7:40am EDT
  • I agree with Rochelle. Was the person in computing who made the information public fired? Too often it is the messenger who gets shafted. Making the disk was improper???? What if she and the students report it and it is no longer there, and they are asked “Exactly what did you see?”

    But worse is the student being required to “…and write a newspaper commentary on university policies…” What is this—Communism where they dictate to you the confession you have to present in public????

  • An Unconstitutional Attack on Freedom of the Press
  • Posted by John K. Wilson, Founder at collegefreedom.org on October 1, 2007 at 9:10am EDT
  • The retaliation against the student and the advisor is not only horrifying, it’s also unconstitutional. Once the administration foolishly made the file public via the web, it was no longer confidential information, and the administration could only punish people for fraudulent use of the data, not for having it. Arguably, the administration might have been able to secure the data if it was held on university-owned property. But they can’t punish anyone for having the data as part of a newspaper investigation. The University should be giving the student an award for finding a file that people with evil intent might have easily discovered.

  • Open Records to Learn Intent
  • Posted by Michael Bugeja, Professor at Iowa State University on October 1, 2007 at 9:10am EDT
  • Searching a newsroom in the name of computer security and then appearing to target the newspaper adviser may indicate poor administrative judgment--the same type that may have led to the computer breach in the first place. We don't know that as of yet, of course; but that may be the news story yet to be told.

    We're operating increasingly in a technological environment that creates controversy on a regular basis because its servers are not programmed for the range of human activities that others may find private or otherwise objectionable. However, blaming an autonomous computer system seems like a waste of energy; an easier route in incidents similar to this is to blame people.

    Again, however, we don't know that in this case.

    Perhaps the only way to learn the intent behind these actions is to file an avalanche of open records requests including email, memos and other documents in the hope that procedures at this institution can be improved via transparency, disclosure and due process--values computers routinely disregard.

  • guilty?
  • Posted by steve on October 1, 2007 at 9:10am EDT
  • It’s interesting that in today’s world it seems to be impossible to make an honest mistake where no one was harmed, learn from it and move on. Today we always seem to have to search for the guilty and punish someone.
    The search for perfection creates progress but the requirement of perfection guarantees mediocrity.

  • Posted by Raoul Ohio on October 1, 2007 at 11:50am EDT
  • Rochelle and John have good points, but there are other aspects:

    1. Huge amounts of data, such as SS numbers, have been used freely for decades and are everywhere. In addition to being used as student ID's, it was standard to have SS numbers on checks into the 1990's.

    So everyone's SS number is "out there" in 1000's of places, and suddenly this is a security risk. Meanwhile, the technology and protocols for securing huge amounts of data are evolving rapidly. So it is simplistic to blame "whoever left the data out".

    2. People in the media often state something to the effect that "how dare they think rules apply to us, we are THE PRESS!". I don't think it is quite that simple.

  • Secure Data...
  • Posted by Polly Webster on October 1, 2007 at 12:35pm EDT
  • I recently went to a lecture by Bud Krogh, one of the Nixon "plumbers," who has written a book about his years at the White House. In his remarks Krogh reminded the audience that people who join the White House staff are sworn in and promise to uphold the Constitution of the United States--not to have blind loyalty or, eyes-wide-open loyalty to the President. Fire the advisor--the university's rules were broken. But don't harm the press or the reporter. They were doing their job. Without the Washington Post we might never have known what was going on at the White House.

  • A "free" press?
  • Posted by Ariel on October 1, 2007 at 2:40pm EDT
  • So would this press exist apart from the school? No. It's a dependent press run for the purposes of training journalism students under the auspices of the university. As such, it should be subject to the policies of the university.

    They should have followed the procedures/policies of the university.
    Their concern should have been for securing the sensitive information that they discovered.

    But no, they were undoubtedly too busy salivating over what a juicy story they just stumbled upon that they were motivated by nothing but their own, back-side covering self-interest (there's no other reason to make a copy of data they were not authorized to access - regardless of whether it was exposed).

    Now they want to wrap themselves in some so-called privileges of the press and whine and complain about it.

    First priority should have been securing the system and data in question, performing the necessary forensics to see if the data had been accessed, and if necessary notifying those individuals whose SSNs were involved. After all that was done, go ahead and report on it, but NOT BEFORE!

    The paper was clearly motivated by unethical self-interest here.

    I've been in the security and policy business too long to feel sorry for these people.

    I don't have a lot of sympathy for journalists who obstruct justice by refusing to reveal sources either.

    Sorry guys, but no liberty is absolute. It all comes with something called responsibility.

  • don't ignore the facts given in the article
  • Posted by T on October 1, 2007 at 3:45pm EDT
  • Ariel, I think you need to actually READ the article before spouting nonsense.

    According to Ariel, “They should have followed the procedures/policies of the university. Their concern should have been for securing the sensitive information that they discovered.”

    Which they did…

    Ariel continues, “But no, they were undoubtedly too busy salivating over what a juicy story they just stumbled upon that they were motivated by nothing but their own, back-side covering self-interest (there’s no other reason to make a copy of data they were not authorized to access — regardless of whether it was exposed).”

    Um…actually, it *IS* a rather juicy story when an organization has private information open to the public, thus violating student rights. I think a press agency [even a student-based one] would be remiss to journalism’s function as “public watchdog” to ignore this finding.

    Ariel opines, “Now they want to wrap themselves in some so-called privileges of the press and whine and complain about it.”

    Why not? It’s not like they did anything wrong…I mean, we don’t know how the “new hire” stumbled on the information, but the fact remains it wasn’t secure.

    Ariel continues, “First priority should have been securing the system and data in question, performing the necessary forensics to see if the data had been accessed, and if necessary notifying those individuals whose SSNs were involved. After all that was done, go ahead and report on it, but NOT BEFORE!”

    From the original article, enumerated for the literacy impaired:

    1-“So when a new hire at Western Oregon University’s student newspaper happened across a file containing former students’ Social Security numbers on the university’s public server in June,”

    2- “[the new hire] and the student editor resolved to immediately inform (emphasis mine) the administration”

    3- “— and also make a copy of the file for reporting purposes.”

    4-“The students subsequently published a special issue of the Journal, distributed during graduation week, detailing the security breach but void of any of the private information found in the file.”

    Ariel, perhaps you missed this time-line before crafting your commentary? Or perhaps you’re already biased?

    Ariel goes on to say, “The paper was clearly motivated by unethical self-interest here.
    I’ve been in the security and policy business too long to feel sorry for these people.
    I don’t have a lot of sympathy for journalists who obstruct justice by refusing to reveal sources either.
    Sorry guys, but no liberty is absolute. It all comes with something called responsibility.”

    Gee, might you be the sort who occasionally makes these security “errors” and just wants to pass the buck when someone catches you with your pants down? That might explain your defensive tone and ignorance of the facts as reported in the article to which you wrote your response.

  • Posted by Andy on October 1, 2007 at 4:35pm EDT
  • What do the actions of the administration teach students of journalism? If an administration can't be trusted to let journalists perform their role, how are students supposed to be educated in what journalism is? This sounds like a ridiculous breach of press rights.
    As a student journalist, this infuriates me. There should be room for students to learn, not punishment (especially for the adviser) for finding a fault in the administration's computer system.

  • Posted by Shawn on October 1, 2007 at 6:20pm EDT
  • This adviser's dismissal is beyond silly. The press exists as a watchdog and this paper did that wonderfully here. Printing out the documents as an example of how the public trust was breached by the university was an absolutely reasonable (prudent, even) move just in case some pinhead middle manager would try to cover their rear ends and deny this happened.

    So let me get this straight ... the school doesn't trust the press with keeping the documents safe when they were the ones who put them at risk in the first place? Thank God the guardians of the public trust broke into that big, bad bully newspaper's office and made sure that those files were safe and could in no way be compromised or, you know, accessed on the Internet or something like that. That student newspaper sure is irresponsible.

  • Posted by Interested observer on October 1, 2007 at 8:15pm EDT
  • It is not the case that checks routinely used to have Social Security Numbers printed on them. I've had a checking account for 30 years and never had my SSN on my checks. Already back then, many of us understood that such data required protection.

    It is true that the SSN used to be printed on more i.d. cards than it is nowadays. And it does appear that not all publicly funded schools interpret their obligations under the Family Educational Rights and Privacy Act the same way. However, with the passage of the Intelligence Reform and Terrorism Prevention Act of 2004, states no longer may use SSNs on drivers' licenses.

    Best practices for handling data with Social Security numbers call for it to be kept in an approved, secure environment -- storage in properly secured containers; no downloading onto personal computers, etc. -- and not shared unnecessarily. There are restrictions on how you can electronically convey it, etc. Many but not all states have laws requiring people whose numbers have been compromised by a data breach to be informed that such occurred.

    Given all that, I disagree that copying the file was prudent. Making extra copies (on a disk or personal computer) placed the data at risk even more so than it already was. The university might have taken the info off the server but the disk could have been stolen from the desk or from the student's home. I haven’t studied the legal liability issues, but it seems to me that creating copies also increased the potential number of liable parties had actual identity thefts occurred.

    This would be a much better story if it played out this way: Students working on newspaper discover a file with SSNs on a university server. Advisor reminds them of stories in the press in the last few years about the theft and loss of notebook computers at the Veterans Administration and elsewhere. (Or maybe the students remember reading such news stories themselves, this only happened a couple of years ago, when the students already were of an age to follow the news.) They discuss how much anxiety such a loss creates (affected parties have to monitor their credit reports, etc.) and why for legal and ethical reasons, you wouldn’t want to risk becoming a party to such a breach.

    The advisor checks on the Internet to see what laws, regulations, policies cover such data and what the best practices are for handling it. She then immediately informs the university IT or security office of the breach, tells the students to go ahead and write their story but by no means to cite numbers or to print off, copy or download the file. The so-called watchdog function is fulfilled, the information is removed from the server, and the students and advisor look good, with no ensuing controversy.

  • Data or Evidence?
  • Posted by Prof Ed, Director, Faculty Development at California State University Channel Islands on October 3, 2007 at 4:15am EDT
  • The student reporters certainly documented that compromised data existed for a time. If they worried about perpetrators who would sweep the problem away and deny the event ever happened, they might retain evidence. Did those in positions of responsibility move to notify the individuals on the list to be alert for identity theft, or did they simply try to destroy evidence and intimidate those who found it? The act of firing a newspaper advisor could be a diversion to focus attention still farther away from those who allowed the files to be constructed and posted.

  • Balancing tests, learning to live with consequences of choices
  • Posted by Interested Observer on October 3, 2007 at 8:50am EDT
  • Interesting how many people assume the university would have attempted a cover up. Press reports suggest that a number of government agencies have dealt with data breaches over the last few years. In cases I’ve seen mentioned in the press, the agencies have owned up to them – admitting there is a problem is the first step to working to ensure it is less likely to recur. I know of no cases where the reporters writing the story faced flat out denials or smears for reporting a breach. Yet in the case of a student newspaper, several people commenting here assume the university might have engaged in a cover up. Is there something I don’t know about the academic environment that suggests this is more likely at a university than within the government?

    My hope is that if students face this sort of situation in the future, someone will use the opportunity to talk about the types of situations that can come up with information a journalist uncovers. Discuss the Valerie Plame case or the publicly documented situation in 1961 when the New York Times learned of the planned Bay of Pigs action but withheld some details from publication at the request of the government. Or the news stories about the ongoing case where private individuals face charges of accepting into their custody classified government documents that they were not cleared to see.

    What you do with data and how you handle a story can affect third parties (Valerie Plame, the students whose SSNs were in the file that was copied), you have to take that into account along with your desire to write a story. At times you have to apply balancing tests. In this case, preserving copies of the data placed the former students at greater risk of identity theft than not doing so.

    I would have written the story about the mistaken posting to the server but not downloaded or copied the data with the student SSNs. If the university tried a cover-up, I would have been brave enough to say yes, I saw the data on the server but I was mindful of my obligations to protect the students involved from identity theft. I did not want to increase that risk so I did not copy it. If there was a cover-up, as a student, I would have taken it as a lesson in learning to live with the consequences of my own actions in deciding to protect the students from identity theft. Learning to live with the consequences of one’s actions is part of preparing for life after college.

  • Posted by Shawn on October 3, 2007 at 3:20pm EDT
  • You suggest the students should have taken it as an opportunity to learn to live with consequences, but what about the university? Should they not deal with the consequences of their mistakes, such as posting private data where anybody could find it? The students just did what any other student -- or identity thief -- could have done and made a copy of the info. They did it to cover their asses, sure, but that's exactly what the university is doing now.

    You suggest retaining the data put the at-risk students at greater compromise than had they not. OK, how about had they not found it at all and had not identified this school's bumbling administration? The info would have been out there for all to see as opposed to one copy under lock and key. This is like a stable owner letting out 500 horses and then firing the ranch hand who successfully rounded up 499 of them while he was taking a nap.

  • Posted by Interested Observer on October 3, 2007 at 4:05pm EDT
  • Not every situation is suited to stark separation of the principals into only heroes or villains. Just because I argue against making the copy doesn't mean I believe the university didn't err in the initial breach. This isn't one of those "you're either for us or against us" situations where you have to pick a side to wholeheartedly support or condemn.
    I don't know why you assume WOU learned no lessons. News reports in The Oregonian and CHE suggest the university did learn some and reportedly was grateful to the student who reported the breach.