Universities started it: use the ss number for ID--will it trickle down to everyone in all schools?
Timothy Ivy for The New York Times
Brian Frank learned that his Social Security number was on the Web.
Published: January 10, 2004
Three years ago, when Brian Frank entered New York University, he signed up for intramural basketball, providing his name and his university identification number, which was also his Social Security number.
Yesterday morning, Mr. Frank, who is now a senior, learned from N.Y.U. that these details had been posted on the Internet. He was among about 1,800 N.Y.U. students who received the same e-mail notification from the university. In some cases, students' phone numbers were posted, too.
"I'm furious," he said in a telephone interview from his home in Parsippany, N.J., where he is spending his winter break. "It is an egregious violation of student privacy."
Mr. Frank said that in an age of growing identity theft, he was concerned that unscrupulous people might have found his personal information and tried to use it.
N.Y.U. officials said the information was posted on an Internet page run by Brian Ristuccia, a computer technician in Massachusetts who found it on N.Y.U.'s Web site in a list of students interested in intramural sports. The university said it was considering taking legal action.
"We regret the concern that this may cause our students and former students who were on the list, and we apologize to them," John Beckman, an N.Y.U. spokesman, said yesterday.
He said that the university's own Web site is better protected now, and that the information has been removed from Mr. Ristuccia's Web site.
For his part, Mr. Ristuccia said he had removed the information on Thursday "mostly because N.Y.U. had notified the affected students, and that was the goal of my endeavor."
Computer privacy experts said that Mr. Frank had good reason to be concerned.
"The students are at risk for identity theft," said Beth Givens, director of the Privacy Rights Clearinghouse, a nonprofit consumer advocacy organization based in San Diego. "Who knows how many individuals got access to their names and Social Security numbers? Just by putting this information on a so-called protected page, N.Y.U. was exposing these students to risk."
She added, "This is not the first time I've heard about personal information being posted on an internal Web site that is then tapped into by someone who has no legitimate right of access."
Mari McQueen, associate editor of Consumer Reports, who led an eight-month investigation into identity theft that was published in the magazine's October 2003 issue, said that many universities used Social Security numbers for student identification, and that the practice opened the students to potential financial problems and fraud.
"It is a very common practice, and one that needs to be curtailed, given the abuses," she said.
She said that it was a particular problem for college students, because they have no control over the use of the information.
"If you want to attend the university," she said, "you don't have any choice."
Mr. Ristuccia, a 25-year-old computer system administrator for a private company that he declined to identify, said in an interview that he learned in late November about the information being available on N.Y.U.'s Web site. He said a friend told him about it after finding his sister on the list.
He said that he sent an e-mail message to N.Y.U.'s system administrators in early December to tell them about the problem, but that it was anonymous because "it is very common for an organization faced with a security problem to blame the person that discovers the problem."
He said that he also made a copy of the information - he called it a mirror - "so that it would be difficult for N.Y.U. to claim that the information never existed."
Mr. Beckman said the material had been accessible to people outside N.Y.U. because an athletic official failed to activate the appropriate security mechanisms. But he said the university had received no previous notification of the problem. He also questioned why Mr. Ristuccia had put the information on his own Web site. "That sounds like a self-serving excuse to me," he said. "If you were really concerned about the privacy of the students, you would not post their information on your Web site."
He said that Mr. Ristuccia had also not responded when the university first tried to reach him, but waited until the university followed up with letters from its legal office.
Mr. Ristuccia, who has posted a commentary of the episode at http://osiris.978.org/brianr/nyu-publication/, said yesterday that he did not think he had broken any laws.
"There is a class of people who make a hobby of breaking into other people's computer systems, but I don't advocate that type of thing," he said. "And that is not what I did. The information was available with a search engine."
He said that N.Y.U. had erred by putting such information where it was accessible.
Some computer advocacy experts said that problems like this are a clear illustration of why universities should not use Social Security numbers for student identification.
"A lot of universities have moved away from it," said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington. "It was probably a mistake to use Social Security numbers to identify students and to make the numbers accessible online. It is not quite like publishing the number. But if someone was able to access it without too much work, it is like publishing it online. But this other person doesn't have clean hands, either."
Mr. Beckman said that N.Y.U. has been studying the feasibility of using a different student identification system for more than a year, and would probably make that change in the next couple of years. He said the wide use of the numbers made changing the system a complex undertaking.
Mr. Beckham said he did not know if this episode would prompt N.Y.U. to speed up the conversion.
KAREN W. ARENSON
New York Times
Students' Data on Web, and N.Y.U. on Defensive