A security breach on a search engine at McGill University in late April made a number of former students’ marks public. It could happen anywhere, says Yolande Chan, a Management Information Systems professor at Queen’s School of Business.
Chan, who conducts privacy-related research for the Globalization of Personal Data Project, said she wasn’t surprised to hear about the incident at McGill.
“I think it could have happened at almost any university. I don’t think we should scapegoat McGill.” As technology advances, Chan said, it provides new opportunities for failure. But human error is a factor, too.
“It is [likely] that this was an example of a human oversight as it was a technology failure,” she said. “I do not believe, as long as humans are involved and as long as technology outpaces our understanding of these consequences, that they can be prevented.”
Chan said although Canadians don’t have an explicit right to privacy in the constitution, Canadian courts have recognized that an individual has the right to a reasonable expectation of privacy.
Devin Glowinski, a McGill University graduate who found his transcripts online through the search engine on the university’s website, said he wasn’t surprised the website’s search function was able to circumvent security measures.
“I was shocked to actually see my personal transcripts posted publicly, but I understand that these things happen in this day and age.” He said his brother typed their last name into the search engine on the university’s homepage and found Glowinski’s transcript online, along with transcripts for students in finance, art history and English. He said he notified the university the morning after discovering the breach.
“They said it was a technical error due to them changing search engines and, through that process, the search engine found a back door into files that are normally only accessed through a encryption,” he said.
McGill University issued a message on their website on April 27 to advise the community of the breach. The leaked files included names and partial academic records of students who had attended McGill a number of years ago, according to the message.
“A preliminary investigation indicates that on Thursday April 26 various modifications to the software code of McGill’s search engine were made and that one of these changes caused the problem,” wrote provost Anthony C. Masi, who offered “sincere apologies” for the incident.
Sean Reynolds, Queen’s Chief Information Officer, wasn’t surprised to hear about information security issues, either.
Queen’s students can access a Google search engine from the University’s homepage, but there’s no production search engine like McGill’s available. Information Technology Services hopes to install one at some point this summer because he said it will be more effective than the standard options available from companies such as Google or Yahoo.
Reynolds said the objective will be to allow optimized access to public information, but not personal information.
“There’s a wealth of personal information in the systems at all academic institutions, and we have a high responsibility for the protection and care around that information,” he said.
If there is an issue of compromised privacy at Queen’s, Reynolds said the first step would be to stop whatever the issue was by disconnecting the compromised system.
The remediation process would be dealt with by technical staff.
“We are reviewing that incident management handling process,” he said. “It’s a priority. We identified a number of policies and procedures that need to be upgraded over the coming year.” The review will be conducted by Information Systems Security Manager George Farah. The department created the position October 2006 to help assess the risk and vulnerability of University computer systems.
“From the initial implementation of the search engine on campus, we’re making sure that that information is not in any way compromised,” Farah said.
Reynolds stressed the importance of student involvement in the protection of computer systems at Queen’s. One of the sources hackers use to attack Queen’s computers is other computer workstations at the University.
“If we could help students in of educating them in of their responsibility, by following all of the recommendations[for safe computing], it would make this place that much more secure from an information perspective,” Reynolds said. “There is a lot of rigour here at Queen’s to safeguard information.”
Arthur Cockfield, associate dean at the Faculty of Law, said universities’ approach to privacy has to change with the times.
Cockfield, who studies the link between law and technology, said one of the reasons people are concerned about privacy is technology’s growing ability to store and cross-reference massive amounts of information.
“If you think about previous eras at Queen’s University … information about you would have been kept in a dusty file cabinet in the basement at Richardson,” he said. “But a digital record is stored in the database. It can be copied and transferred at no cost. It’s a permanent record; it will never decay over time.”
Cockfield said that unless someone’s career has been hurt or someone has been mentally distressed by McGill’s accidental leak of their personal information, it probably wouldn’t be appropriate to pursue legal action.
Researchers at Queen’s have been investigating the intersection between technology and privacy and its relevant social implications for years, Cockfield said.
“We’re worried about it and are trying to get our heads around what are the appropriate policies, legal or otherwise, that should be put in place,” he said.
Cockfield was the chair of the committee that put together a for the University three years ago.
“In that policy, we strengthened privacy protection for students to make it more consistent with this changing legal environment,” he said.
The university no longer has a of its own, but is instead governed by the Freedom of Information and Protection of Privacy Act (FIPPA) and must comply with that legislation.
Diane Kelly is the University’s legal counsel, Access and Privacy co-ordinator and FIPPA coordinator. She deals with requests for access to information, concerns about privacy breaches, and she also heads up a privacy committee.
“We use that as an opportunity to brainstorm about areas of risk that we see on the campus,” she said of the committee, adding that although she is not personally involved, one of her main concerns is the privacy implications of social networking websites such as Facebook.
Queen’s was one of the first universities to appoint an Access and Privacy Co-ordinator, to ensure the University complies with privacy laws.
Kelly said FIPPA governs everything the university does when it comes to collecting, using and disclosing personal information.
“The legislation says that an individual should have control over his or her personal information, and if the University has to collect personal information—and clearly the University has to collect a lot of personal information—that information should be kept secure,” she said.
It depends on the context, but Kelly said along with marks and student numbers, personal information such as that required to obtain a student loan or accommodation in a particular course from the disabilities office should not be available to anyone else.
Any form a student fills out which asks for personal information has a notice statement explaining why the information is being collected.
“The individual must be told about the purposes for the collection, for the use, and for the disclosure,” she said.
David Lyon, research chair in the sociology department, said Queen’s is committed to safeguarding personal data.
“Our attempt to pursue appropriate privacy policies and to comply with legislation is taken very seriously indeed,” he said.
Lyon said the University has also worked to minimize the amount of personal data that’s collected from students and retained in their personal records.
“Queen’s is really quite good at resisting the temptation to collect personal data just in case and also to keep it longer than is necessary,” he said.
In recent years, the registrar’s office has reduced the amount of information required of incoming students. At one point, he said, students were required to give information such as whether he or she had family who had attended Queen’s.
Lyon said it’s impossible to guarantee personal, private information is being kept private, however.
“What is needed … is a kind of culture of care with regards to personal data. You have to overcome the idea that data are just figures or just names.”
All final editorial decisions are made by the Editor(s) in Chief and/or the Managing Editor. Authors should not be ed, targeted, or harassed under any circumstances. If you have any grievances with this article, please direct your comments to [email protected].