The News - The Newspaper of Choate Rosemary Hall
Friday, February 9, 2007



Access Hole Found in CHIP
Documents Not Meant for Student Eyes Revealed; ITS Acts Fast

By Corey Sherman ’07


Editor-in-Chief
Late in January, a tipster who preferred to remain anonymous brought to the attention of The News a trove of surprisingly accessible information on CHIP, the student-faculty portal introduced with great fanfare earlier this year. Until it was removed by Mr. Speyer on January 26th, the breadth of the information provided on CHIP surprised several students who happened onto CHIP’s eContent tab. What is meant to provide students with just the Daily Notice, academic information such as grades, schedules and syllabi, meal menus and campus snapshots actually provided the school with much more information, some of it very sensitive.

Rarely do students explore the tabs at the top of the page, but the source showed a News editor that hidden in the eContent tab was some information that the school likely did not intend for public consumption.

For instance, the 2006 ITS budget, $866,290, was exactly 6 clicks away from the main CHIP page—the same number of clicks it would require a student to access grades through the “View Academic Information” link on the right side of the page.

Andrew Speyer, Director of ITS, said, “No [we were not aware of the problem]. It was either overlooked or something was changed in the permissions…The responsibility lies with ITS or Communications.”

eContent also contains the weekly “Faculty Notes” sent out to all faculty members before their weekly faculty meetings. Minutes of the Faculty Committee meeting are also available. The Faculty Committee is the body that discusses questions of concern to the faculty, including salaries, benefits and other professional issues. Faculty Notes contains mostly common knowledge that winds up being funneled from faculty to the students; Faculty Committee minutes include topics that most students, and even some faculty, would be very interested in knowing, such as sit-down lunches.

“I regret that it was there and that students had access to it,” said Trevor Peard, Faculty Committee Chair. “What’s confidential should remain confidential.” He continued, “Fault doesn’t need to be assigned, however.”

From a student perspective, the sensitive information accessible to the CHIP user was a set of documents, in the SAC’s portion of this page, that were used in the Prefect Selection processes from ’04-’05, ’05-’06 and ’06-’07. Among the documents in that area were the acceptance, alternate and rejection lists, adviser rankings and, most startling, the actual applications submitted by students. That information is supposed to be confidential to only the heads of the Prefect Program, Jim Yanelli and Emily Brenner, and a few select administrators.

“Over the past several years, I have come to realize that with increased access to technology comes a commensurate loss of privacy,” said Mr. Yanelli. “Sometimes the loss is calculated or deliberate and sometimes it’s accidental. When an individual or group’s privacy is compromised the results can be potentially harmful or embarrassing.”

Impact on the Community

In a January 26th email to the faculty, Speyer stated that most of this information was “benign.” He did not deny, however, that “It’s embarrassing, it’s an embarrassing situation. No one likes to be caught in a situation where information they thought was private is public.”

Even so, Speyer does not believe that this was caused by carelessness.

“Carelessness is a tough word. I would contribute it to a mistake. Carelessness would suggest that somebody wasn’t doing their job and they were sloppy or they were not paying attention. The people who were responsible for this are very dedicated people. I can’t answer what caused a mistake. The mistake is obviously a fairly serious one. I don’t think we’ll ever be able to trace who set that read permission or forgot to take that read permission off.”

Proper steps to prevent this from happening were clearly not taken, however. Speyer told The News, “Obviously we did not go through every single folder to check the permissions and the content. When we created folders we checked and double checked so we didn’t just do it blindly. Somewhere in between then and now, however, something changed or something got overlooked.”

According to Mr. Speyer, ITS has commenced a security audit of all of the students’ permissions as a security precaution.



 







© 2005-2006 The News, Choate Rosemary Hall, 333 Christian Street, Wallingford, CT 06492 | Site Designed and Maintained By News Staff | Powered by Coranto