The e-mails included personal details about each student including their names, e-mail and mailing addresses, dorm room addresses and student identification numbers, which, he said, were publicly accessible through the University’s web-based directory.
Li said he sent the e-mails in an effort to raise awareness about a perceived security breach in the University’s Lightweight Directory Access Protocol server that could allow anyone outside the community to access the personal information about students that Li included in his e-mails.
By sending out the e-mails, Li wrote on his blog, he hoped “to illustrate (by way of exaggeration) the kinds of malicious things one can do with this data.”
The University’s LDAP server is an online directory containing personal information on students, faculty and staff that enables mail clients to automatically complete princeton.edu e-mail addresses. The Office of Information Technology’s public help website lists instructions for connecting to the LDAP server, which has no security restrictions.
The information on the LDAP can be accessed by people outside of the Princeton network, Li said.
Under the Family Educational Rights and Privacy Act, the University is permitted to make certain information publicly available.
Section II of “Rights, Rules and Responsibilities” states that “the University may disclose the following types of ‘directory information’ without restriction unless the student otherwise requests: name; address; telephone number; e-mail address; photograph; student identification number; dates of attendance; major field of study; participation in officially recognized activities, organizations and athletic teams; weight and height of members of athletic teams; degrees and awards; academic institution attended immediately prior to Princeton University.”
It is unclear whether the University is permitted to reveal the other e-mail addresses to which students forward their princeton.edu e-mail messages, though University spokeswoman Emily Aronson noted that these addresses are not available through the University directory and that students may opt out of including their personal information online at any time.
“I’m not sure where the law draws the line when it comes to these kinds of information, if there is a line at all,” Li said in an e-mail. “The point is that the University has some freedom in choosing what information to publish and what to restrict. In this case, the school has made some puzzling choices.”
“The current system makes it easier to look up who’s forwarding emails to Gmail accounts than to find everybody majoring in geosciences,” Li said.
The e-mails Li sent out included a link to a website he started to raise awareness about the issue among students.
On the website, Li explains what he believes to be the inadequacy in security measures for the LDAP and lists contact information for OIT.

Until Sunday evening, the website also enabled visitors to search for a University e-mail address in the LDAP server and pull up associated information.
According to Li, he was contacted by Public Safety and decided in conjunction with the department to disable the website’s search functionality on Sunday.
A statement posted on the website after the deactivation of the search feature read: “Since this site was never supposed to facilitate burglary, I’ve stopped the display of personal information. The information is still publicly accessible, however.” Li’s site is subtitled “punishing email forwarding, one burglary at a time.”
According to Aronson, however, Public Safety was not involved in the situation.
“The University notified an individual student of the concerns about compromising students’ privacy and the University’s IT policy,” she said. “It seems this individual may have taken such action on their own after receiving the notification.”
Aronson said that the University became aware of the situation only on Sunday evening when one of the students who received an e-mail from Li thought it was spam and forwarded it to a University official.
“The University takes seriously the privacy of students’ information and works to ensure that students’ private information is kept confidential,” Aronson explained. “As soon as the Office of Information Technology was made aware of this, it began to put additional security protections in place.”
However, while Li said that OIT had been made aware of the security issue by other students in the past and that “there’s a much better awareness of this issue now on campus,” the University may be taking disciplinary measures against him for spreading awareness of the issue without contacting OIT first.
“Let’s just say there is a disciplinary investigation going on,” Li said in an interview on Tuesday night.
“This involved an individual engaged in unauthorized access of students’ information,” Aronson said of the e-mails, though all the information Li utilized was accessible to the general public. “Such actions can be considered a violation of University IT policy … It is not appropriate for an individual who has inadvertently or inappropriately accessed sensitive data to disseminate that information.”
The University’s IT policy states: “If you encounter or observe a gap in system or network security, you must report the gap to the appropriate office or authority, which may be the OIT Help Desk, the Library Systems Office or the appropriate system authority, either within or outside the University. You must refrain from exploiting any such gaps in security.”
Li said that he had met with a dean on Tuesday afternoon and added that “there’s going to be an ongoing conversation” between them.
“There are going to be some e-mails exchanged and both of us are going to make decisions on what the appropriate disciplinary action should be,” he said. “This is all like new territory for me, so I don’t know [what will happen next in the disciplinary procedure].”
When asked about the possible disciplinary actions, Aronson declined to comment on the specifics.
“University meetings and potential actions involving an individual student are private, as all students’ academic and related records are private, so it is not possible to answer your specific questions related to any potential action,” she said.
However, Li noted that despite the potential disciplinary action the reaction has been a promising one and he still hopes to see some good come out of publicizing the potential security issue.
“It was encouraging to see so many strong reactions elicited by this, positive and negative, and there’s some hope that the University might do something about this,” he explained.
While Li said he thought the existence of the LDAP directory was common knowledge, several students who received his e-mails said they didn’t know about it or how Li had discovered their information.
“I don’t consider myself a ‘hacker,’ and nothing I did required super-sophisticated coding skills or intricate knowledge of Princeton servers,” Li said in his e-mail. “I just followed OIT’s instructions to connect to the LDAP server.”
Though Li said instructions for accessing the LDAP server will soon be removed from the public OIT help site, he said he was still concerned about the general ease of sharing personal information on the Internet.
“It’s a double-edged sword,” he explained. “In this case, the school controls access to students’ data, so it’s up to the school to strike a balance on behalf of students between convenience and privacy … I think it makes sense to publish a limited set of information while requiring netID authentication to access more detailed information.”
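The tiered approach described above, a limited anonymous-readable subset plus authentication for the rest, is what an LDAP administrator expresses through server access controls. The following is an added illustration, not the University's configuration and not code from the article: an OpenLDAP `olcAccess` configuration showing the unrestricted setting beside a restricted one. The database DN and the attribute names `mailForwardingAddress`, `roomNumber` and `employeeNumber` are assumptions standing in for the forwarding address, dorm room and student identification fields the article mentions.

```ldif
# Added example, not Princeton's configuration.
# Assumed names: olcDatabase={1}mdb, and the attributes mailForwardingAddress,
# roomNumber and employeeNumber as stand-ins for the article's fields.

# Weak setting: every attribute of every entry is readable by anyone,
# including anonymous binds from outside the campus network.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by * read

# Tiered setting: a small directory subset stays anonymous-readable so that
# mail-client address completion keeps working; everything else requires an
# authenticated bind ("users" matches any authenticated identity).
# Clauses are evaluated in order and the first matching "to" wins, so the
# catch-all must come last. "entry" must be granted for search results to
# be returned at all.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to attrs=entry,objectClass,cn,sn,givenName,mail
  by * read
olcAccess: {2}to attrs=mailForwardingAddress,roomNumber,employeeNumber,postalAddress,telephoneNumber
  by self read
  by users read
  by * none
olcAccess: {3}to *
  by users read
  by * none
```

Only one of the two records would be applied in practice (with `ldapmodify -Y EXTERNAL -H ldapi:///`). To confirm the restricted setting took effect, an anonymous query such as `ldapsearch -x -H ldap://directory.example.edu -b "ou=people,dc=example,dc=edu" "(mail=someone@example.edu)" mailForwardingAddress` should return the entry's `mail` but no forwarding or room attributes, while the same search after a bind with `-D` and `-W` should return them; the hostname and base DN here are placeholders.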
He said the creation of the website was inspired by PleaseRobMe.com, which was founded to raise awareness about the potential dangers of disseminating personal information on Twitter and similar location-aware social networking services by plotting people’s positions on a map based on location data from the sites.
While Harvard, Yale and Stanford all allow their directories to be searched through a website and an LDAP, Li explained, they do not make as much information publicly available as Princeton does. New York University has an opt-in directory in which only information voluntarily supplied by students is published and available for use by those outside the university.
“That seems like a more conservative approach,” said Kurt Buchbinder ’14, one of the students who received an e-mail from Li, in reference to the NYU directory system. “It makes more sense to opt-in, rather than to opt-out,” he added, so that students uncomfortable with the public display of their information could more easily exclude it from the directory.
Buchbinder was unaware of the LDAP directory until he was contacted by Li, but said he had assumed the University had something of the sort. Upon receiving Li’s e-mail, Buchbinder forwarded it to his friend, a computer science major, in an attempt to figure out what was going on.
Buchbinder said that he didn’t mind some of his University-related personal information being available through LDAP but was “a little sensitive regarding my Gmail account.”
Patricia Wu ’13 expressed a different view of the situation.
“Honestly, I really don’t care very much,” she said regarding the University’s disclosure of personal information. “I’ve never had any problems in the past that I know of, so I don’t see anything wrong with it.”