Protecting Confidential Online Information
by Gene Spafford (to appear in Computing Research News)
Introduction
Personnel actions in academia are often
quite sensitive in nature and require the exercise of great
discretion. Promotion, tenure, and hiring decisions all
require careful deliberation and documentation. They
have a tendency to engender controversy--and sometimes
litigation--when decisions are contested or involve
contradictory information. Thus, it is widely recognized how
important it is to treat such information with sensitivity and
care.
With that in mind, consider the following
scenarios, derived from recent, similar events. Could any
of these occur in your department?
- A PhD student nearing graduation and
interviewing for positions decided to use a WWW search engine to see
which pages referenced her thesis work. Upon searching for
her name, she found a link to the hiring pages at a university where
she had interviewed. By following links to unprotected pages,
she was able to read some of the emailed, confidential letters
of reference written by her advisors, and detailed comments made about
her by members of the hiring committee.
- An assistant professor was being considered for tenure and
promotion. Because of a typo in the solicitation letter
sent out to potential references, replies sent electronically
were undeliverable. Not only were those letters returned to the
sender, but they were also copied to the staff member acting as
"postmaster" at the college--the spouse of the assistant
professor, who was thus able to read very sensitive comments about the
candidate.
- A prominent research scientist in industry was interviewing for a
senior position at a university. For personal and
professional reasons, she wanted to interview in confidence, without
informing her current employer. However, when one of
her current supervisors browsed the WWW pages of the university to get
details of her visit, he found a seminar announcement on the main WWW
page, very clearly labeling her as a "job candidate."
- Disgruntled students of a senior professor broke into the
WWW servers at several universities where they suspected he had
applied for a position. At some sites, they completely
deleted the electronic records of the professor's application--the
only existing copy of his application there. At other
sites, they found on-line copies of reference letters and altered the
text to state false and uncomplimentary things about the professor.
Finally, at other sites with on-line application mechanisms, they
entered fake applications containing slanderous information.
- A recent PhD was applying to a university for a post-doc
position. She was self-conscious about a medical condition
and wanted to keep it a secret from the hiring committee as it had no
bearing on her application. The personnel committee
members at the site where she applied went beyond her submitted
application and letters, found her WWW page at an ISP and its links to
her role in a medical advocacy group, and linked those into their
internal hiring database. This was disclosed when one of
the committee made a passing reference to her activity during the
interview.
- Three years after a contentious decision was made on his tenure, a
professor obtained a major grant including some significant computing
resources. These were located in the department computing
facility, to which he was given keys. One evening,
while working in the room with the machines, he found stored CD-ROMs
containing archival back-ups of files from faculty machines.
Over the next few evenings, he searched through these archives,
reading correspondence, reference letters, and other formal documents
concerning his tenure case.
Do these sound dramatic?
Perhaps, but they are also all too possible, and they are based on
real incidents. Some individuals may knowingly violate privacy and
confidentiality rules when confronted with temptation; others may be
exposed to privileged information via accident or malice.
Without proper backups and protection, critical information also may
be damaged or lost as a consequence of either chance or unauthorized
activity. Controls should be in place to prevent incidents
involving critical data.
Often, the priority for expediency and
economy in our use of computing has replaced careful thought about
privacy and security. This becomes a particular concern in
academic environments. Many universities and colleges do
not have sufficient resources to hire properly-trained staff, purchase
up-to-date security resources, and keep information properly
protected. Worse, academic sites often function using
outdated hardware and software, running non-standard configurations,
and in an environment where proper security controls are seen as
hindering scientific inquiry. However, as can be seen by
the examples given above--and many other, similar scenarios--the
lack of proper controls can also lead to damaged reputations, lost
opportunities, hurt feelings, and even legal
penalties.
Advice
It is beyond the scope of this note to give
a comprehensive tutorial in the issues surrounding the appropriate
protection of personnel information. However, the
following are worth consideration, both in the general case and
specifically for personnel issues:
1) Organizations should have a defined set
of policies governing any on-line forum, WWW pages or database of
personnel-related information. This should include coverage of
procedures and restrictions on the transmission, collection, and use
of the data. Users of these systems should be regularly reminded
of the policies and the reasons for their existence.
2) Caution should be exercised as to what
to put on line instead of remaining paper-based. A
software security flaw, network break-in, or virus cannot damage or
disclose paper contents. Although it may seem more
convenient to use on-line mechanisms, there is an increased risk of
loss--and often, that risk and loss are both dramatically more
severe than would be the case using well-understood physical
mechanisms.
3) Letters with confidential or sensitive
content should be encrypted if they must be sent or stored
electronically (e.g., using PGP). Postal mail, courier
services and faxes are still reliable methods of delivery that are far
less prone to exposure of material to an unintended audience,
however.
4) Administrative computing should be
performed on systems separate from general use and research.
These machines should be configured with greater security constraints,
and should be placed behind their own firewalls.
5) Access to sensitive data in WWW pages or
databases should require, at a minimum, a password. Use of
SSL/TLS on WWW servers, and Kerberos or SSH for interactive
connections should be considered as minimum safeguards.
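Item 5 in working form, as an added example written for this edit (not code from the article or its author): a small Python standard-library web server that refuses anything under a hypothetical /personnel/ path unless the request carries valid HTTP Basic credentials. The account name, password, page contents and path are all constructed for the example. Passwords are stored only as salted PBKDF2 hashes and compared in constant time. The first scenario in the introduction, in which a search engine indexed unprotected hiring pages, is what a gate over the whole directory prevents.

```python
"""Password-gated access to confidential pages (added example, Python stdlib)."""
import base64
import hashlib
import hmac
import os
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.error import HTTPError
from urllib.request import Request, urlopen

PROTECTED_PREFIX = "/personnel/"   # hypothetical location of hiring material
REALM = "Hiring committee"
PBKDF2_ROUNDS = 200_000

# Constructed sample pages; a real server would read files from disk.
PAGES = {
    "/index.html": b"<p>Department home page</p>",
    "/personnel/letter-42.txt": b"CONFIDENTIAL reference letter (constructed sample)",
}


def make_password_record(password: str, salt: Optional[bytes] = None) -> tuple:
    """Store a salted PBKDF2-SHA256 hash, never the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Hypothetical committee account with a constructed password.
USERS = {"committee": make_password_record("correct horse battery staple")}


def check_credentials(header_value: Optional[str]) -> bool:
    """Validate an 'Authorization: Basic ...' header against USERS."""
    if not header_value or not header_value.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header_value[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    record = USERS.get(user)
    if record is None:
        make_password_record(password, b"\x00" * 16)  # spend the same time for unknown users
        return False
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)   # constant-time comparison


class GatedHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path.startswith(PROTECTED_PREFIX) and not check_credentials(
                self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
            self.end_headers()
            return
        body = PAGES.get(self.path)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # silence per-request logging in the demo
        pass


def start_server() -> HTTPServer:
    """Bind to a free loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), GatedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(server: HTTPServer, path: str, user: Optional[str] = None,
          password: str = "") -> int:
    """HTTP status the server returns for path, with optional Basic credentials."""
    req = Request(f"http://127.0.0.1:{server.server_port}{path}")
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urlopen(req) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


if __name__ == "__main__":
    srv = start_server()
    secret = "/personnel/letter-42.txt"
    print(fetch(srv, "/index.html"), fetch(srv, secret),
          fetch(srv, secret, "committee", "wrong"),
          fetch(srv, secret, "committee", "correct horse battery staple"))  # 200 401 401 200
    srv.shutdown()
```

Basic authentication sends the credentials on every request in a trivially decodable form, so a gate like this is only acceptable on a server that also uses SSL/TLS as the item above recommends. Apply it to the whole tree holding personnel material rather than to individual pages: one unprotected link is enough for an indexer to find the rest.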
6) University counsel should be consulted
to determine exposures and regulations concerning the placement and
dissemination of personnel information. In particular,
careful consideration should be given to issues regarding the various
fair employment and ADA acts, HIPPA (Health Information Privacy
Protection Act), and any state laws governing public records
("sunshine laws"--note that on-line discussions in a list
may constitute a "meeting" under some laws, and thus
eligible to be made available to the press and public). Systems
with student information may also be covered by FERPA (Family
Educational Right to Privacy Act).
7) Management should ensure that the staff
maintaining the systems are competent and well-trained.
Security and maintenance functions should be adequately funded, rather
than covered as a secondary issue--if at all. It is almost
always unwise to have students or faculty charged with maintaining
machines that may contain sensitive information about them or their
peers.
8) All critical systems and files should be
backed up regularly. The backups should be tested
periodically to ensure that they work properly. Access to the backups
should be regulated, now and in the future (and possibly encrypted to
prevent access if they fall into the wrong hands). A defined
procedure should be in place to govern safe disposal of the backups
when they are no longer used.
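Item 8 in working form, as an added example that is not the article's own code: a Python standard-library routine that archives a directory of sensitive files, records a SHA-256 manifest, creates both files owner-readable only, and then proves the backup is restorable by unpacking it into a scratch directory and re-hashing everything. The directory layout, file contents and function names are constructed for this example.

```python
"""Backup with an integrity manifest and a restore test (added example)."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path_for(archive: Path) -> Path:
    return Path(str(archive) + ".sha256")


def create_backup(source: Path, archive: Path) -> dict:
    """Write source into a gzip tar readable only by its owner, plus a manifest."""
    manifest = build_manifest(source)
    # Create the archive with mode 0600 before any content lands in it.
    fd = os.open(archive, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as raw, tarfile.open(fileobj=raw, mode="w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    mpath = manifest_path_for(archive)
    with open(mpath, "w") as mf:
        for rel, digest in manifest.items():
            mf.write(f"{digest}  {rel}\n")
    os.chmod(mpath, 0o600)
    return manifest


def load_manifest(mpath: Path) -> dict:
    manifest = {}
    with open(mpath) as mf:
        for line in mf:
            digest, _, rel = line.rstrip("\n").partition("  ")
            manifest[rel] = digest
    return manifest


def verify_backup(archive: Path) -> list:
    """Restore into a scratch directory and re-hash; return the paths that differ
    from the manifest or were never recorded in it. An empty list means the
    backup restores to exactly what was recorded."""
    manifest = load_manifest(manifest_path_for(archive))
    # Refuse path-traversal and device entries where the interpreter supports it.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **extract_opts)
        restored = build_manifest(Path(scratch))
    problems = [rel for rel, digest in manifest.items() if restored.get(rel) != digest]
    problems.extend(sorted(set(restored) - set(manifest)))
    return problems


def run_demo() -> tuple:
    """Constructed demo: back up a small tree and verify it, then show that an
    archive whose contents drifted from the recorded manifest is caught."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "faculty"
        (source / "letters").mkdir(parents=True)
        (source / "letters" / "ref-1.txt").write_text("constructed sample reference letter\n")
        (source / "notes.txt").write_text("constructed committee notes\n")
        archive = work / "faculty-backup.tar.gz"
        create_backup(source, archive)
        good = verify_backup(archive)

        # Alter a file, re-archive, but keep the manifest taken at backup time.
        original_manifest = manifest_path_for(archive).read_text()
        (source / "letters" / "ref-1.txt").write_text("altered text\n")
        create_backup(source, archive)
        manifest_path_for(archive).write_text(original_manifest)
        bad = verify_backup(archive)
    return good, bad


if __name__ == "__main__":
    print(run_demo())   # ([], ['letters/ref-1.txt'])
```

Encrypting the archive before it leaves the machine, which the item above suggests, is left to a tool such as PGP applied to the finished .tar.gz. Keep the manifest with the access-controlled copy rather than beside an off-site archive, so an altered backup cannot simply be paired with a freshly computed manifest, and run verify_backup on the copy you would actually restore from.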
9) A great deal of software currently in
use has not been designed with good security practices in mind.
Furthermore, much of the software in widespread use today has
continued to evolve for additional functionality but with insufficient
care given to meaningful quality assurance. Thus, it is
important to stay current with the latest patches and advisories, and
to design defense-in-depth strategies to protect against as-yet
unreported flaws that may lead to compromises.
10) Sending (or accepting) documents in
formats that readily support the spread of computer viruses is a bad
idea, and should be strongly discouraged. Microsoft Word is
particularly notorious as a vector of macro viruses; as a conservative
practice, Word documents should be neither sent nor accepted
as an attachment in email. Executables, including files in
Visual Basic, should also be discouraged.
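A mail-side check for item 10, written for this edit in Python and not taken from the article or its author: it parses a message, walks its attachments and rejects Word documents and executables on three independent signals: file extension, declared MIME type, and the first bytes of the content (the OLE2 compound-document signature used by Word 97-2003 files and the MZ header of Windows executables). The message, the example.edu addresses and the attachment contents are all constructed for the demonstration.

```python
"""Inbound attachment policy check for a committee mailbox (added example)."""
import email
import os
from email import policy
from email.message import EmailMessage

# File signatures: OLE2 compound documents (Word 97-2003 .doc and other
# macro-capable Office files) and the DOS/PE header of Windows executables.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
PE_MAGIC = b"MZ"
BLOCKED_EXTENSIONS = {".doc", ".dot", ".exe", ".com", ".scr", ".bat", ".vbs", ".vbe"}
BLOCKED_MIME = {"application/msword", "application/x-msdownload"}


def classify_attachment(filename, content_type, payload) -> list:
    """Return the reasons an attachment violates the policy (empty = allowed).
    The content check runs regardless of the declared name or type, so a
    renamed executable or document is still caught."""
    reasons = []
    ext = os.path.splitext((filename or "").lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"extension {ext}")
    if content_type in BLOCKED_MIME:
        reasons.append(f"MIME type {content_type}")
    if payload.startswith(OLE2_MAGIC):
        reasons.append("OLE2 compound document header")
    elif payload.startswith(PE_MAGIC):
        reasons.append("PE executable header")
    return reasons


def scan_message(raw: bytes) -> list:
    """Parse an RFC 5322 message and return [(filename, reasons)] for every
    attachment that should be rejected, in the order they appear."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(part.get_filename(), part.get_content_type(), payload)
        if reasons:
            findings.append((part.get_filename(), reasons))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message with hypothetical example.edu addresses."""
    msg = EmailMessage()
    msg["From"] = "chair@example.edu"
    msg["To"] = "search-committee@example.edu"
    msg["Subject"] = "Candidate materials"
    msg.set_content("Reference letters attached.")
    msg.add_attachment("Constructed plain-text reference letter.\n", filename="letter.txt")
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 24, maintype="application",
                       subtype="msword", filename="letter.doc")
    # A binary whose name suggests text: the signature check still flags it.
    msg.add_attachment(PE_MAGIC + b"\x90" * 30, maintype="application",
                       subtype="octet-stream", filename="cv.txt")
    msg.add_attachment("' constructed placeholder, not a real script\n", filename="macro.vbs")
    return bytes(msg)


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()):
        print(f"reject {name}: {', '.join(reasons)}")
```

The check rejects whole categories of content rather than looking for particular viruses, which remains the job of the anti-virus software in the next item; the value of the byte-level test is that it does not trust the filename or the sender's declared type.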
11) Anti-virus software should be installed
on critical computers, and the virus definitions kept
up-to-date. This is especially important for Windows-based
systems, which are the target of choice for most known
viruses.
Concluding Remarks
No matter the cause of disclosure, the
responsibility for protecting sensitive data lies squarely with the
people charged with maintaining the data involved. If the data
is poorly protected, or is handled carelessly, then it is a matter of
negligence. A hacker or program fault may be to blame, but
the people maintaining the data bear the responsibility.
For that reason, it is vital that proper precautions be taken to
protect the data in our care. This includes data
relating to our students and staff, as well as our faculty and
candidates.
It is almost always faster and cheaper in
the near term to do things in an insecure fashion.
However, as a profession, we should be setting good examples for
others, even if this involves expending more resources, and devoting
more time to management. Within the CS/CE context, these
issues are critical if we wish to maintain our peers' confidence in
our ability to correctly and fairly execute our administrative
functions within our institutions. Within the broader context of
society, they reflect on fundamental issues in the construction of
tomorrow's societal infrastructure in a secure and enduring
form. As such, we should all be concerned that
these systems be built--and used--correctly.
Sidebar:
It is beyond the scope of this article to
provide detailed instructions on how to secure all web servers or
other computing platforms. There are many security measures that
should be taken depending on policy, platform, time, and personnel
availability. As a start, lists of security tools and
practices can be found via the CERT/CC site <http://www.cert.org>
or the CERIAS hotlist <http://www.cerias.org/hotlist/>.
SANS also offers pointers to useful resources and patches
<http://www.sans.org/>.
One good book on security of web servers is
"Web Security & Commerce" by Simson Garfinkel and Gene
Spafford, published by O'Reilly and Associates.
Jeff Vitter / Duke University / jsv@cs.duke.edu
Last modified: Mon Sep 16 01:15:06 EDT 2002