Student info must be kept private

The Recording Industry Association of America filed lawsuits against 25 university community members last Wednesday, claiming these individuals were illegally sharing music online. For those involved, and for the community as a whole, the suits served as a reminder that our online actions are not undertaken anonymously.

While total anonymity online is neither possible nor likely desirable, the University is currently making too much personal information about each of its students available through the web. Specifically, the University should stop making student addresses and phone numbers available to those searching from off-campus locations and it should stop linking students' Internet Protocol addresses with names that include their netids.

In January 2001, the Office of the Registrar signed off on a new policy that would allow access to full directory entries from off-campus locations. The change came in response to requests received by OIT and others to make such information available, since previously only email addresses were availble to off-campus searchers. However, this policy makes it possible for telemarketers to bring up a list of 100 student names, addresses and telephone numbers simply by searching for "John."

The University is also currently linking every student's computer to his or her name in an unnecessarily public way. Every device on the Internet is identified by a unique Internet Protocol address, or IP. A service known as DNS associates names to these IP addresses, letting us type www.google.com into our web browsers rather than 64.233.161.99. Another service, known as reverse DNS, goes the other way, mapping IP addresses to names. The owner of any particular IP address gets to decide what name is associated with a particular number.

Currently, OIT is associating every student's IP address with their netid. A reverse DNS lookup performed on the IP address of any student computer plugged into the campus network will return an entry of the form netid.student.princeton.edu.

The results of such a reverse DNS lookup are available to the operator of each and every website a student visits. Once someone knows a student's netid, they can enter that information into the campus directory search and, as we noted before, obtain their full name, dormitory address and telephone number.

There are, of course, some situations in which a student would want their IP address associated with their netid. For example, a student running his own web server might find such an association useful. However, for the vast majority of students, the current system offers no benefit and creates the potential for significant harm.

The Internet should not be an anonymous place — for legal and regulatory purposes, service providers can and should keep some information about their users. However, whenever possible, the University should act to make as little of our personal information available to the world as possible. They should modify their current policy to reflect that philosophy.