indiana university
Content
CASE STUDY:
INDIANA UNIVERSITY COMPUTER
NETWORK
On Wednesday, March 11, 2009, over 2,000
Indiana University (IU) faculties received the
following e-mail message: “Are you aware that
Indiana University put your privacy at risk? Have
they contacted you about it?”
The sender of this message was Glen
Roberts of Oil City, Pennsylvania, who describes
himself on his web homepage as a talk show host,
privacy advocate, and Internet entrepreneur.
Searching the Internet, Roberts located an IU file
containing the names of 2,760 IU faculty, along
with their Social Security numbers, addresses, and
phone numbers, which Roberts had downloaded and
posted on his Web Site. The file had been created by
the University Graduate School to provide
information on the research interests of the faculty
members so that they could be notified of funding
opportunities that might be of interest to them.
All IU information on the Web is supposed
to be protected by a “safeword card.” According to
Norma Holland, director of university computing
services: “We have what is called a ‘firewall, ‘an
internet term that essentially prevents access to data
which are not public. The safeword card allows only
authorized and authenticated users to get to those
data.” But this sensitive file apparently was not
protected. According to Jeffrey Albert, associate
dean, this was an obsolete file that escaped
unnoticed when the system was being upgraded to
make it more secure. The university immediately
removed the file and disabled the old gateway
service.
The situation was called “an eye-opener” by
IU Vice President for Public Affairs Christopher
Simpson: “it was fortunate that more sensitive data
was not compromised. Although we are very
sensitive to the release of information like this, this
is vastly different from having individual access to
the university’s most sensitive proprietary
information. This is good wake-up call. That is
exactly how we are viewing it.”
But Roberts posed a question of other
potential security problems. “You must remember
that even though my page may have brought this to
your attention in an unpleasant manner, the real
danger lies in those who may have silently obtained
the information from your site with no one the
wiser,” he wrote in a Web page dialogue with Mark
S. Bruhn, IU information security officer.
Roberts claims the Privacy Act of 1974
“forbids such agencies (as IU) from even asking for
Social Security numbers in other than specifically
enumerated situations. That the SSN is included in
any such faculty internet research database is out
rage us,” Roberts wrote on his Web conversation
with Bruhn. “Even if the files are not meant to be
available to the public, the wholesale collection of
such information in an ‘Internet data base’
demonstrates a clear failure to understand even the
most basic precepts of personal privacy.”
Roberts’ Justification
Roberts was described by people at two Pennsylvania
newspapers as “an interesting fellow and a computer
whiz-bang.” According to the Erie Times, which did
a profile on Roberts several months prior to this
incident, he came to Oil City from the Chicago area,
where he published a paper that dealt with privacy
issues. He has done a short-wave radio program and
now does a radio program on the internet. Also, he
has been a network television consultant and
appeared on local talk shows. Roberts also publishes
several Web pages and works as a computer
consultant.
Roberts said he came across the IU file
during a check of his own domain. By typing “SSN”
into the Infoseek search engine, Roberts said, he
called up a list of entries that showed a name and
Social Security number. By opening that file, he
found the IU research database.
Roberts said he has been involved in
publicizing privacy issues for about 15 years. His
interest began, he said, by using the Freedom of
Information Act and obtaining copies of government
documents. He said he was surprised at the amount
of information available of which people are not
usually aware. He has been particularly interested in
the seemingly wide spread availability of individuals’
Social Security numbers, which are pathways to
other information and whose disclosure raises the
potential of unauthorized use a person’s identity.
Roberts states that the issue is this: “Should
the university be collecting this information and
putting it in data bases, with maybe not the intent to
pass it out all over the world but with intent that a
fair number of people may be accessing that
information?”
Roberts said he published the IU list because
the privacy issue does not usually become tangible to
people until they experience an invasion themselves.
“The bottom line is privacy is an extremely important
issue but it is only important when you see it affect
yourself firsthand,” he said. “That’s what I have done
with other Web pages. People can experience it
firsthand, and with that experience can be more
public debate and action on the issues.”
Faculty Reaction
Many of the faculty members on the published list
disagree with Roberts’ tactics. They were primarily
concerned that their Social Security numbers were
made easily available for the obvious reasons and
over a hundred faculty e-mailed protests to Roberts.
“I go to Roberts and say ‘I like people who
are watchdogs, but do you need to post this
information in a convenient location to make your
point?” said Kurt Zorn, of the IU School of Public
and Environmental Affairs. “I think he might have
done more damage by doing this than the university
did in its oversight. There might have been more
effective ways of calling attention to the problem.”
Law professor Ed Greenebaum added that
he believes Roberts made a judgment about the
university without any information, which is unfair.
“The impact is to expose us to a danger he says he is
trying to prevent, and it’s much more than it
otherwise would have been,” Greenebaum said.
“My concern is not with the university’s intent but
why this individual feels the need, inconsistently in
my view, to facilitate the distribution of our Social
Security numbers.”
With IU threatening to take legal action and
the heavy volume of protests from IU faculty,
Roberts removed the IU file from his Web page and
said he has no intention of posting the names and
Social Security numbers again.
Boone’s wife said the issue is an settling. “It
feels like such a violation,” she said. “You feel like
someone knows you but you don’t know them. That
is very uncomfortable.”
The situations has been frustrating to
Ackerman, who said the credit card companies told
him they could not put a block on his Social Security
Number. He was told he could contact three credit
agencies, which many banks use to check a person’s
credit, and they could put a hold on his records.
Ackerman also contacted the office of IU’s
legal counsel, which was unable to offer much
assistance. “At this point, we don’t even know if his
experience relates in any way to Roberts’ Web page,”
said Michael Klein, associate university counsel.
“There are some timing coincidences, but you just
don’t know.” However, the university is exploring
whether there is any legal liability Roberts might
incur if faculty members are damaged, financially or
otherwise.
Klein added that the university is reviewing
the issue of using Social Security numbers in its
course of running the school. “As an institution, we
are taking a look inward to determine if there are
some alternatives,” he said.
Berdasarkan ilustrasi kasus yang terjadi pada
Indiana University Computer Network, anda
diminta:
The Consequences
1. Mengidentifikasi 3 (tiga) isu utama dalam kasus
tersebut!
On March 27, religious studies professor James
Ackerman said he recently has been billed for phone
lines, Internet access, and credit card accounts that
are not his own. Although it has not been verified,
he believes someone picked up his name and Social
Security number from Roberts’ Web page.
2. Jelaskan gambaran tentang sistem keamanan
jaringan komputer yang dijalankan oleh Indiana
University dan Bagaimana penilaian anda
terhadap kualitas sistem keamanan jaringan
tersebut?
Within two weeks of the posting, Ackerman
received a bill for a month’s Internet time, had a call
from AT&T saying it was ready with a conference
call he did not order, got an inquiry from Ameritech
asking if he made a call from Germany to Portland,
Oregon, and discovered there were calling card
accounts opened in his name.
William Boone, an education professor, said
his wife received an inquiry from MCI’s frauds
department about calls originating from Germany
using the Boones’ calling card number. Although
there has been no proof that Roberts’s Web page
was the source of the information used in the fraud,
Boone and others believe the incidents are more
than a coincidence. “What are the chances two IU
professor are getting unauthorized calls from
Germany? What are the chances this is not related to
the World Wide Web issue?” Boone said.
3.
“Roberts claims that the Privacy Act of 1974
forbids the university from even asking for
Social Security Numbers (SSN)”
Mengapa SSN digunakan oleh Indiana University
untuk manajemen database-nya?
Adakah alternatif selain SSN yg dapat digunakan
dalam database Indiana University? Jelaskan!
4. Apakah anda setuju jika Roberts diperlakukan
sebagai seorang Hacker? Jelaskan argumentasi
anda?
5. Siapa yang seharusnya bertanggung atas kasus
yang menimpa Prof.James Ackerman dan
William Boone? Apa tanggung jawab Indiana
University atas kasus tersebut?
INDIANA UNIVERSITY COMPUTER
NETWORK
On Wednesday, March 11, 2009, over 2,000
Indiana University (IU) faculties received the
following e-mail message: “Are you aware that
Indiana University put your privacy at risk? Have
they contacted you about it?”
The sender of this message was Glen
Roberts of Oil City, Pennsylvania, who describes
himself on his web homepage as a talk show host,
privacy advocate, and Internet entrepreneur.
Searching the Internet, Roberts located an IU file
containing the names of 2,760 IU faculty, along
with their Social Security numbers, addresses, and
phone numbers, which Roberts had downloaded and
posted on his Web Site. The file had been created by
the University Graduate School to provide
information on the research interests of the faculty
members so that they could be notified of funding
opportunities that might be of interest to them.
All IU information on the Web is supposed
to be protected by a “safeword card.” According to
Norma Holland, director of university computing
services: “We have what is called a ‘firewall, ‘an
internet term that essentially prevents access to data
which are not public. The safeword card allows only
authorized and authenticated users to get to those
data.” But this sensitive file apparently was not
protected. According to Jeffrey Albert, associate
dean, this was an obsolete file that escaped
unnoticed when the system was being upgraded to
make it more secure. The university immediately
removed the file and disabled the old gateway
service.
The situation was called “an eye-opener” by
IU Vice President for Public Affairs Christopher
Simpson: “it was fortunate that more sensitive data
was not compromised. Although we are very
sensitive to the release of information like this, this
is vastly different from having individual access to
the university’s most sensitive proprietary
information. This is good wake-up call. That is
exactly how we are viewing it.”
But Roberts posed a question of other
potential security problems. “You must remember
that even though my page may have brought this to
your attention in an unpleasant manner, the real
danger lies in those who may have silently obtained
the information from your site with no one the
wiser,” he wrote in a Web page dialogue with Mark
S. Bruhn, IU information security officer.
Roberts claims the Privacy Act of 1974
“forbids such agencies (as IU) from even asking for
Social Security numbers in other than specifically
enumerated situations. That the SSN is included in
any such faculty internet research database is out
rage us,” Roberts wrote on his Web conversation
with Bruhn. “Even if the files are not meant to be
available to the public, the wholesale collection of
such information in an ‘Internet data base’
demonstrates a clear failure to understand even the
most basic precepts of personal privacy.”
Roberts’ Justification
Roberts was described by people at two Pennsylvania
newspapers as “an interesting fellow and a computer
whiz-bang.” According to the Erie Times, which did
a profile on Roberts several months prior to this
incident, he came to Oil City from the Chicago area,
where he published a paper that dealt with privacy
issues. He has done a short-wave radio program and
now does a radio program on the internet. Also, he
has been a network television consultant and
appeared on local talk shows. Roberts also publishes
several Web pages and works as a computer
consultant.
Roberts said he came across the IU file
during a check of his own domain. By typing “SSN”
into the Infoseek search engine, Roberts said, he
called up a list of entries that showed a name and
Social Security number. By opening that file, he
found the IU research database.
Roberts said he has been involved in
publicizing privacy issues for about 15 years. His
interest began, he said, by using the Freedom of
Information Act and obtaining copies of government
documents. He said he was surprised at the amount
of information available of which people are not
usually aware. He has been particularly interested in
the seemingly wide spread availability of individuals’
Social Security numbers, which are pathways to
other information and whose disclosure raises the
potential of unauthorized use a person’s identity.
Roberts states that the issue is this: “Should
the university be collecting this information and
putting it in data bases, with maybe not the intent to
pass it out all over the world but with intent that a
fair number of people may be accessing that
information?”
Roberts said he published the IU list because
the privacy issue does not usually become tangible to
people until they experience an invasion themselves.
“The bottom line is privacy is an extremely important
issue but it is only important when you see it affect
yourself firsthand,” he said. “That’s what I have done
with other Web pages. People can experience it
firsthand, and with that experience can be more
public debate and action on the issues.”
Faculty Reaction
Many of the faculty members on the published list
disagree with Roberts’ tactics. They were primarily
concerned that their Social Security numbers were
made easily available for the obvious reasons and
over a hundred faculty e-mailed protests to Roberts.
“I go to Roberts and say ‘I like people who
are watchdogs, but do you need to post this
information in a convenient location to make your
point?” said Kurt Zorn, of the IU School of Public
and Environmental Affairs. “I think he might have
done more damage by doing this than the university
did in its oversight. There might have been more
effective ways of calling attention to the problem.”
Law professor Ed Greenebaum added that
he believes Roberts made a judgment about the
university without any information, which is unfair.
“The impact is to expose us to a danger he says he is
trying to prevent, and it’s much more than it
otherwise would have been,” Greenebaum said.
“My concern is not with the university’s intent but
why this individual feels the need, inconsistently in
my view, to facilitate the distribution of our Social
Security numbers.”
With IU threatening to take legal action and
the heavy volume of protests from IU faculty,
Roberts removed the IU file from his Web page and
said he has no intention of posting the names and
Social Security numbers again.
Boone’s wife said the issue is an settling. “It
feels like such a violation,” she said. “You feel like
someone knows you but you don’t know them. That
is very uncomfortable.”
The situations has been frustrating to
Ackerman, who said the credit card companies told
him they could not put a block on his Social Security
Number. He was told he could contact three credit
agencies, which many banks use to check a person’s
credit, and they could put a hold on his records.
Ackerman also contacted the office of IU’s
legal counsel, which was unable to offer much
assistance. “At this point, we don’t even know if his
experience relates in any way to Roberts’ Web page,”
said Michael Klein, associate university counsel.
“There are some timing coincidences, but you just
don’t know.” However, the university is exploring
whether there is any legal liability Roberts might
incur if faculty members are damaged, financially or
otherwise.
Klein added that the university is reviewing
the issue of using Social Security numbers in its
course of running the school. “As an institution, we
are taking a look inward to determine if there are
some alternatives,” he said.
Berdasarkan ilustrasi kasus yang terjadi pada
Indiana University Computer Network, anda
diminta:
The Consequences
1. Mengidentifikasi 3 (tiga) isu utama dalam kasus
tersebut!
On March 27, religious studies professor James
Ackerman said he recently has been billed for phone
lines, Internet access, and credit card accounts that
are not his own. Although it has not been verified,
he believes someone picked up his name and Social
Security number from Roberts’ Web page.
2. Jelaskan gambaran tentang sistem keamanan
jaringan komputer yang dijalankan oleh Indiana
University dan Bagaimana penilaian anda
terhadap kualitas sistem keamanan jaringan
tersebut?
Within two weeks of the posting, Ackerman
received a bill for a month’s Internet time, had a call
from AT&T saying it was ready with a conference
call he did not order, got an inquiry from Ameritech
asking if he made a call from Germany to Portland,
Oregon, and discovered there were calling card
accounts opened in his name.
William Boone, an education professor, said
his wife received an inquiry from MCI’s frauds
department about calls originating from Germany
using the Boones’ calling card number. Although
there has been no proof that Roberts’s Web page
was the source of the information used in the fraud,
Boone and others believe the incidents are more
than a coincidence. “What are the chances two IU
professor are getting unauthorized calls from
Germany? What are the chances this is not related to
the World Wide Web issue?” Boone said.
3.
“Roberts claims that the Privacy Act of 1974
forbids the university from even asking for
Social Security Numbers (SSN)”
Mengapa SSN digunakan oleh Indiana University
untuk manajemen database-nya?
Adakah alternatif selain SSN yg dapat digunakan
dalam database Indiana University? Jelaskan!
4. Apakah anda setuju jika Roberts diperlakukan
sebagai seorang Hacker? Jelaskan argumentasi
anda?
5. Siapa yang seharusnya bertanggung atas kasus
yang menimpa Prof.James Ackerman dan
William Boone? Apa tanggung jawab Indiana
University atas kasus tersebut?
