Students lobby for Internet privacy

A trio of graduate students is alleging in a new web-based petition that students who surf websites, connect to peer-to-peer networks or access online services from their dorm rooms are unwittingly leaving behind a wealth of personal information.

The students' website, www.princetonprivacy.org, illustrates a property of Dormnet — the service that provides Internet access to dorm rooms — that allows website operators, both on and off campus, to uncover such personal information as email, dorm telephone and campus address.

The petition has been signed by 75 students since its inception last week.

One of the originators of the petition, computer science graduate student Alex Halderman '03, said he has known about this problem from when he was an undergraduate, three years ago. "It has been a well-known trick for years," he said, adding that students have been using IP addresses to find out who has been using their file shares or visiting their website from campus.

Halderman said he contacted OIT about the problem but was told that it wasn't at "the top of their priority list."

During a Council of the Princeton University Community meeting last May, OIT policy advisor Rita Saltz said that the University was considering changing how IP's are assigned.

"The decision to associate a name with an IP address is based on history and would take a good deal of reworking and redesign to move away from, but we are looking into that," Saltz said.

The graduate students — Halderman, Harlan Yu and Jeff Dwoskin — came across the problem in early September during their seminar, COS 597E: Privacy: Technology and Policy, taught by computer science professor Ed Felten. They were discussing systems that would allow a user to surf the web anonymously when one of the students mentioned that "Princeton was the polar opposite" of these systems, Halderman said.

Support nonprofit student journalism. Donate to the ‘Prince.’ Donate now »

Inspired by this idea, Halderman gave a demonstration to the class showing how easily the information, including a map of the person's dorm, could be derived from the Princeton IP address. The students decided to expand this demonstration and add an online petition to publicize the issue.

At many other universities and outside service providers, IP addresses are a random combination of numbers and letters that can identify only a computer's network name. Any computer accessing the Internet from the University's Dormnet, however, bears the owner's NetID in place of a pseudonym.

As a result, anyone can use the University's website directory, Google or facebook.com to find out that person's name, email address, dorm room or phone number.

This information could be used to harass or stalk students, putting them at serious risk, Yu said. The issue could also potentially restrict a student from exercising free speech. For example, Yu said, students who know their personal information could be easily discovered might shy away from engaging in heated debate on political or social issues.

Get the best of the ‘Prince’ delivered to your doorstep or inbox. Subscribe now »

The problem isn't a new one. Last April, when the Recording Industry Association of America (RIAA) sued a number of University students, The Daily Princetonian used the IP addresses provided in the RIAA's subpoena to compile a list of the students sued.

Yu said that since students have not complained extensively about the issue, it's hard to argue for a change in the status quo. The solution, however, should be relatively simple, he said.

Since creating the website this weekend, the graduate students have been spreading the news through word of mouth.

Aaron Schneider '09 first found out about the issue through Yu, his preceptor, and said he might not have known about it otherwise. After reading over the website, Schneider decided to sign the online petition. It was "worthwhile," he said, "since it affects all of our [Princetonians'] privacy."

Yu said he is "optimistic" that OIT will change its current policy. Either way, it will let OIT know that "students care about privacy," he said.