Monday, May 07, 2007

Let's Play Good Idea, Bad Idea

Recently, a Chemistry professor at OSU had their house broken into. Among the stolen items were two laptops. Typically, when someone has their laptop stolen, it sucks for them, but that's the end of the story.

But this is Ohio. They do things differently here.

You see, the laptops were ones on which said professor stored class rosters. And, among other things, these class rosters included the social security numbers of approximately 3,500 current and former students. Which is bad. And so the university has had to find and contact these 3,500 some odd individuals and let them know their identity security has been breached. Some of these students were from many many years ago, and as such, private investigators and the like had to be hired. Which costs money. Apparently this has cost the chemistry department and the university something like $80,000 so far.

That was in February. In early April, some other computers on campus were hacked into and something like 14,000 SSNs were "exposed." These SSNs are a subset of everyone who receives a paycheck from OSU ... including various faculty and staff, which (it seems like) was enough to make people go from saying "this is a problem that should be fixed" to actually trying to, you know, fix it.

There is much specialness abounding in this situation. The most obvious one to me is that there is no reason why a professor should ever have students' SSNs. So why do they? Well, it's because at this prestigious university, SSNs have long been used as student ID numbers. (Yes, I have complained about this before.) What this means is that they are routinely included on all class rosters, grade lists, etc etc. Which means that someone somewhere along the way had to think that was a good idea. Sure, it might have been back before the days of identity theft when everyone was all good and moral ... but a lot of software (e.g., for grade submission) has been written since then that didn't need to include that information. And once it became obvious that this practice could cause problems, someone somewhere had to make the decision to "phase" in a solution (apparently they've been saying this for years) instead of doing a rapid change maneuver.

Which is what they're trying to do now, but with a great deal more... panic. No one likes a lawsuit, so another brilliant decision that someone somewhere made was to hold individuals liable. Not just the poor sap who has SSNs stored in his mail from over a decade ago, but also the individual responsible for that computer, aka, your friendly local tech support guy who is really not enthused at the idea of policing a department's worth of computers for nine-digit strings, but is rather motivated at the idea of keeping their job.

Best part is, someone has realized that all of this goes against FERPA regulations ... pesky laws. We're assured that it'll all be fixed by the start of Autumn quarter in September, and the Astronomy department is definitely being all pro-active in purging computers of these data records. Besides, it's not every day you learn that Professor X has found Famous Astronomers Y and Z's social security numbers on their computer ...


Anonymous said...

When is the US going to get past this stupid notion that it is sensible to allocate a person a password at birth in a semi-guessable systematic manner, not allow that person to change the password and insist that it be used for authentication to a large number of disparate entities?

SSNs are not secret. They should not be treated as secret. They definitely should never be used for authentication, as opposed to identification. Anybody who uses them for authentication is acting entirely irresponsibly.

Yours sincerely,

Ed, from the UK where he is seriously worried that we might well wind up making the same sort of stupid mistakes over the next few years as the national identity register is introduced.

Stephen said...

There's always encryption.

As early as 1995, you could get an encrypting file system for Linux. Once set up, it just worked. If you left the laptop on, when the screensaver kicked in, you needed a password to unlock it. If you powered it down, you needed the password to mount the data file system. Setting it up was non-trivial, though. Really stupid export laws, etc. What a pain.

This Linux filesystem should be portable to OS/X Macs now. I think there's a Windows solution too.

Jacob said...

While MIT switched away from using SSN as ID number to using newly assigned ID numbers during my time there, the problem of faculty/staff having private info on their laptops (what the heck for?) and then said laptops being stolen is not special to Ohio. It has happened repeatedly (repeatedly?!) at MIT in recent years. There was a Boston Globe article (and probably also some in The Tech) not many months ago about this common occurrence at universities in the Boston area.

See, for example:

And I know that there are more recent articles than these from spring 2005:

mollishka said...

Ed: What would you suggest as an alternative to authentication?

Jacob: but wasn't this a leftover problem from Back When? They certainly didn't use SSNs as IDs when I went through ... the two independent problems seem to be (a) the mostly extinct problem of using SSNs as student IDs and people who shouldn't have had access to this information to begin with being sent it—sometimes unknowingly, and (b) poor (or a total lack of) encryption/people not realizing what is on their computers. The first problem can essentially be fixed at the flip of a few switches, but the second is clearly more difficult since it involves more people, and it's the one that since people can have really old information on their computers causes problems when laptops disappear.

Ed said...

What would you suggest as an alternative to authentication?

What I'm suggesting is that SSNs are fine for identification, that is as a number used to identify people. In this sense, it's like a name except that it doesn't vary (e.g., on marriage), doesn't have lots of different forms (middle name present/absent, just middle initial, short vs long form, etc) and is different for each person.

However, using it for authentication, like a password, is clearly broken. The odd thing is that the US seems to think that this is necessary. There's no equivalent in the UK, for example, and as far as I know in the rest of Europe either. While there's plenty of "identity theft" here I believe it's somewhat less of a problem than in the US so clearly the use of SSNs isn't helping to prevent it.

If some sort of general password is to be used for access to government facilities then it should be separate from a person's identification number and there should be a mechanism to allow it to be changed.

Michael said...

I just happen to be one of those 3,500 chemistry students whose SSN and DOB were on Prof. Coleman's laptop. In case anyone was wondering if someone was in fact using the information to try and fraudulently obtain credit cards...they are.