OIT creates proposal to protect confidentiality

Taylor Beck '07 went to the registrar's office to change his courses for the semester. Beck, who always relies on his driver's license to remember his social security number, had forgotten to bring it with him, and thus could not complete his course-change form. Embarrassed, he asked the officer if she could look the number up for him. He never showed her any identification, and provided only his birthday, but she quickly found his social security number and gave it to him.

Beck was who he said he was. Someone less honest, however, could have followed the same simple steps and discovered Beck's social security number, leaving the door wide open for identity theft.

As part of growing efforts nationwide to combat identity theft after an incident at New York University last month, the University's Office of Information Technology recently introduced a proposal to protect confidential information about faculty, staff and students from abuse. The proposal codifies the proper use of personal information, such as social security numbers, birth dates and driver's license numbers.

"Up to this point, people have generally done the right thing," said Anthony Scaturro, the Univeristy's OIT security officer and author of the proposal. "We just want to build it into a codified proposal. We need a central program to bring consistency, so that one weak link doesn't undo all the good everyone else is doing."

The proposal will designate individuals who must be consulted before such information is shared or published. For instance, Dean of Undergraduate Students Kathleen Deignan would monitor the use of undergraduate students' confidential information, while Dean of the Faculty David Dobkin would supervise the use of faculty information.

"Anything that's personally identifiable — like a social security number or a credit card number or your mother's maiden name — cannot be used without appropriate permission," Scaturro said. "We can't have all the individuals with access to this information making the decisions about how to use it, because convincing just one to share it would be all it takes."

The proposal covers information in many different forms. In addition to techniques for protecting information on computers, one of the proposal's sections covers the proper disposal of paper, microfiche and diskettes. "It doesn't matter if the information is overheard in a public square or stolen from a computer," Scaturro said. "Our job is to make sure information is not exposed wherever it might be."

Besides making the administration aware of the need to protect information, OIT is also working on protecting computer systems from outside intrusion. As of now, any University website in which students enter personal information is protected by state-of-the-art 128-bit encryption, Scaturro said. But he added that a more comprehensive intrusion prevention system will be recommended to the University on Feb. 13.

"We're making sure passwords can't be guessed, and that the system is patched so that it isn't exposed to worms and viruses," he said. "But it's all a matter of how much risk I can reduce at a cost that isn't overkill. There has to be a balance."

Outside of OIT, the University's Office of the general counsel also helps ensure the confidentiality of University members' personal information. "As a general matter, the Office of the General Counsel is available to consult with members of the University community as questions regarding the handling of confidential information arise," University Counsel Clayton Marsh '85 wrote in an email.

Marsh said that his office ensures compliance with three federal privacy laws: the Family Education Rights and Privacy Act, which deals with student educational records; the Gramm-Leach-Bliley Act, which applies to financial information; and the Health Insurance Portability and Accountability Act, which applies to health information.

The issue of information security and identity theft at colleges and universities came to national attention last month in an incident at NYU. The social security numbers and names of several NYU students interested in intramural sports were inadvertently listed on a publicly accessible website, leading computer technician Brian Ristuccia to copy the information and post it elsewhere on the internet.

Get the best of the ‘Prince’ delivered straight to your inbox. Subscribe now »

Ristuccia claims he posted the information to force NYU to remove its website and notify the affected students, according to the New York Times. Listing social security numbers, however, could enable criminals to impersonate the NYU students in loan or other applications.

The incident showed the dangers of using social security numbers as personal identifiers. Princeton moved away from these numbers a few years ago, and now primarily employs PUID numbers, Scaturro said. The PUID numbers are randomly generated by computer, regardless of the students' social security numbers, Data Management Support Officer Kasia Hertz said.

The use of social security numbers also came into question in 2002, when University admissions officers used these numbers to determine whether students accepted to Princeton had also been accepted to Yale. Consequently, Yale changed its internet admissions notification system so that names and social security numbers alone did not ensure access.

At the University, Dean of Admissions Janet Rapelye wrote in an email that the admissions office uses ID numbers separate from social security numbers to identify applicants.

"We ask for social security numbers for our applicants because we have many students applying with the same name, sometime from the same state or town," she wrote. "When students apply, we issue an ID number immediately which we then use throughout the process, not the social security number. Currently, the staff has had training about strict confidentiality."

Rapelye wrote that in 2005, the University will have the capability to notify applicants online of their acceptance to the university. "At that point, we will consider when to have online notification because we are open to the idea," she wrote. "Security will be our highest priority."

In response to incidents such as those at NYU and Princeton and the growing prevalence of identity theft nationwide, the Office of the Inspector General at the U.S. Department of Education created an internet resource last December alerting students to be protective of their personal identifying information. The site, www.ed.gov/misused, provides advice such as memorizing your social security number and shredding pre-approved credit applications and other financial documents before discarding them.

"Too many students don't know the basics of protecting their identity," a Dec. 11 Department of Education press release stated. "Fortunately, with the proper safeguards, students can secure their personal information and prevent criminals from abusing their good name and record."