Publication Date: Wednesday, June 25, 2003
Editorial: Breach of security needs special probe
Acutely sensitive student information on shared computer in open wireless network raises serious questions of Palo Alto school information safety
What started as a routine follow-up to a computer-security-policy story by a Weekly reporter erupted last week into the discovery of an alarming breach of privacy and security procedures.
Reporter Rachel Metz discovered a complete student psychological profile and other sensitive information in a shared computer accessible to anyone with a wireless-capacity laptop without even a password.
Other information included profiles of students with special health-risk conditions (such as hemophilia) -- complete with photos and full names. There were several class grade reports from teachers. The Weekly also confirmed that the same information was available through classroom computers.
Neither the computer on which they were stored (along with miscellaneous non-sensitive information) nor the files themselves had even the most rudimentary password protection.
Importantly, official student records and personnel information in district computers were apparently protected, and there is no evidence of any especial vulnerability of district computers to illegal access.
The district immediately shut down the system after being notified by the Weekly about the sensitive information: "That thing went down faster than you can say, 'Shut the door,'" Superintendent Mary Frances Callan said of the reaction after Metz revealed her findings to the district's technology director, Marie Scigliano, last Wednesday afternoon.
But what happened next is almost as disturbing as discovering the unprotected files: After slamming the system shut, the district announced in an e-mail to staff and teachers that a "security breach" had occurred. Word spread that a Weekly reporter had "hacked" into school computers and that she had gotten into a classroom (one report said "broken into" -- untrue) to get to a classroom computer.
This is a blatant and silly attempt to deflect responsibility for a serious failure by school district administrators to ensure that privacy laws and its own policies were followed.
Ironically, the Palo Alto school board just adopted a new computer-use/security policy on June 10, a project spearheaded by board member John Tuomy and Scigliano.
Instead of blaming the Weekly for investigating whether district computers were secure, district officials should be asking how an outrageous breach of student privacy could have occurred and gone undetected for some time.
Scigliano told the Weekly they had been aware of security concerns relating to wireless connections for months, although clearly they did not know of the precise documents sitting there. The open "General" file was used, she said, for teachers and staff to transfer documents between district computers and home computers -- as they are not allowed behind-the-firewall access from home, again ironically, for security reasons.
This incident at the very least demonstrates an alarming lack of security training and poor monitoring of shared-computer spaces. If the district wants to have wireless systems available to students, they should be password-protected, at a minimum. Sensitive documents should be individually protected and stored only in secure locations behind a firewall.
These are basics of computer security, not cutting-edge practices, and the district has no valid excuse for configuring its shared-file system the way it did. The district now insists that the system is secure and the public need not be concerned.
The security policies do in fact sound adequate, and the district is planning to install more sophisticated software this summer, Scigliano and Callan noted.
The policy, Scigliano said, specifies "multiple levels of security based upon the degree of the risk factor for network intrusion and compromise. We use industry-standard methods of providing data security such as, but not limited to, passwords, firewalls, intrusion detection, encryption or authentication to prevent unauthorized use, access or distribution of PAUSD data. Our policy requires strong authentication for access to district resources from outside the PAUSD network."
Yet something failed. It would be one thing if it were just a matter of some grade reports lying around. Finding a student's psychological evaluation (not read by the Weekly) and special health conditions with photos of other students is far more serious.
The doubts raised by discovering such documents -- essentially on a virtual table in open district offices, as Callan described it -- are alarming enough to warrant a full investigation, the core of which should be an independent computer-security expert.
Parents, students, teachers and administrators alike deserve to know their system is as secure, both technically and in terms of safeguards against human error, as it can possibly be made.