CASE STUDY: INDIANA UNIVERSITY
asking for
COMPUTER NETWORK
On Wednesday, March 11, 2015, over 2,000 Indiana
University (IU) faculties received the following e-mail
message: “Are you aware that Indiana University put
your privacy at risk? Have they contacted you about it?”
The sender of this message was Glen Roberts of Oil City,
Pennsylvania, who describes himself on his web
homepage as a talk show host, privacy advocate, and
Internet entrepreneur. Searching the Internet, Roberts
located an IU file containing the names of 2,760 IU
faculty, along with their Social Security numbers,
addresses, and phone numbers, which Roberts had
downloaded and posted on his Web Site. The file had
been created by the University Graduate School to
provide information on the research interests of the
faculty members so that they could be notified of
funding opportunities that might be of interest to them.
All IU information on the Web is supposed to be
protected by a “safeword card.” According to Norma
Holland, director of university computing services: “We
have what is called a ‘firewall, ‘an internet term that
essentially prevents access to data which are not public.
The safeword card allows only authorized and
authenticated users to get to those data.” But this
sensitive file apparently was not protected. According to
Jeffrey Albert, associate dean, this was an obsolete file
that escaped unnoticed when the system was being
upgraded to make it more secure. The university
immediately removed the file and disabled the old
gateway service. The situation was called “an eye-
opener” by IU Vice President for Public Affairs
Christopher Simpson: “it was fortunate that more
sensitive data was not compromised. Although we are
very sensitive to the release of information like this, this
is vastly different from having individual access to the
university’s most sensitive proprietary information. This
is good wake-up call. That is exactly how we are viewing
it.” But Roberts posed a question of other potential
security problems. “You must remember that even
though my page may have brought this to your
attention in an unpleasant manner, the real danger lies
in those who may have silently obtained the
information from your site with no one the wiser,” he
wrote in a Web page dialogue with Mark S. Bruhn, IU
information security officer. Roberts claims the Privacy
Act of 1974 “forbids such agencies (as IU) from even
Social Security numbers in other than specifically
enumerated situations. That the SSN is included in any
such faculty internet research database is out rage us,”
Roberts wrote on his Web conversation with Bruhn.
“Even if the files are not meant to be available to the
public, the wholesale collection of such information in
an ‘Internet data base’ demonstrates a clear failure to
understand even the most basic precepts of personal
privacy.”
Roberts’ Justification Roberts was described by people
at two Pennsylvania newspapers as “an interesting
fellow and a computer whiz-bang.” According to the Erie
Times, which did a profile on Roberts several months
prior to this incident, he came to Oil City from the
Chicago area, where he published a paper that dealt
with privacy issues. He has done a short-wave radio
program and now does a radio program on the internet.
Also, he has been a network television consultant and
appeared on local talk shows. Roberts also publishes
several Web pages and works as a computer consultant.
Roberts said he came across the IU file during a check of
his own domain. By typing “SSN” into the Infoseek
search engine, Roberts said, he called up a list of entries
that showed a name and Social Security number. By
opening that file, he found the IU research database.
Roberts said he has been involved in publicizing privacy
issues for about 15 years. His interest began, he said, by
using the Freedom of Information Act and obtaining
copies of government documents. He said he was
surprised at the amount of information available of
which people are not usually aware. He has been
particularly interested in the seemingly wide spread
availability of individuals’ Social Security numbers,
which are pathways to other information and whose
disclosure raises the potential of unauthorized use a
person’s identity. Roberts states that the issue is this:
“Should the university be collecting this information and
putting it in data bases, with maybe not the intent to
pass it out all over the world but with intent that a fair
number of people may be accessing that information?”
Roberts said he published the IU list because the privacy
issue does not usually become tangible to people until
they experience an invasion themselves. “The bottom
line is privacy is an extremely important issue but it is
only important when you see it affect yourself
firsthand,” he said. “That’s what I have done with other
Web pages. People can experience it firsthand, and with
that experience can be more public debate and action
on the issues.”
Faculty Reaction Many of the faculty members on the
published list disagree with Roberts’ tactics. They were
primarily concerned that their Social Security numbers
were made easily available for the obvious reasons and
over a hundred faculty e-mailed protests to Roberts. “I
go to Roberts and say ‘I like people who are watchdogs,
but do you need to post this information in a convenient
location to make your point?” said Kurt Zorn, of the IU
School of Public and Environmental Affairs. “I think he
might have done more damage by doing this than the
university did in its oversight. There might have been
more effective ways of calling attention to the
problem.” Law professor Ed Greenebaum added that he
believes Roberts made a judgment about the university
without any information, which is unfair. “The impact is
to expose us to a danger he says he is trying to prevent,
and it’s much more than it otherwise would have been,”
Greenebaum said. “My concern is not with the
university’s intent but why this individual feels the need,
inconsistently in my view, to facilitate the distribution of
our Social Security numbers.” With IU threatening to
take legal action and the heavy volume of protests from
IU faculty, Roberts removed the IU file from his Web
page and said he has no intention of posting the names
and Social Security numbers again.
The Consequences On March 27, religious studies
professor James Ackerman said he recently has been
billed for phone lines, Internet access, and credit card
accounts that are not his own. Although it has not been
verified, he believes someone picked up his name and
Social Security number from Roberts’ Web page. Within
two weeks of the posting, Ackerman received a bill for a
month’s Internet time, had a call from AT&T saying it
was ready with a conference call he did not order, got
an inquiry from Ameritech asking if he made a call from
Germany to Portland, Oregon, and discovered there
were calling card accounts opened in his name. William
Boone, an education professor, said his wife received an
inquiry from MCI’s frauds department about calls
originating from Germany using the Boones’ calling card
number. Although there has been no proof that
Roberts’s Web page was the source of the information
used in the fraud, Boone and others believe the
incidents are more than a coincidence. “What are the
chances two IU professor are getting unauthorized calls
from Germany? What are the chances this is not related
to the World Wide Web issue?” Boone said.
Boone’s wife said the issue is an settling. “It feels like
such a violation,” she said. “You feel like someone
knows you but you don’t know them. That is very
uncomfortable.” The situations has been frustrating to
Ackerman, who said the credit card companies told him
they could not put a block on his Social Security
Number. He was told he could contact three credit
agencies, which many banks use to check a person’s
credit, and they could put a hold on his records.
Ackerman also contacted the office of IU’s legal counsel,
which was unable to offer much assistance. “At this
point, we don’t even know if his experience relates in
any way to Roberts’ Web page,” said Michael Klein,
associate university counsel. “There are some timing
coincidences, but you just don’t know.” However, the
university is exploring whether there is any legal liability
Roberts might incur if faculty members are damaged,
financially or otherwise. Klein added that the university
is reviewing the issue of using Social Security numbers
in its course of running the school. “As an institution, we
are taking a look inward to determine if there are some
alternatives,” he said.
Berdasarkan ilustrasi kasus yang terjadi pada Indiana
University Computer Network, anda diminta:
1. Mengidentifikasi 3 (tiga) isu utama dalam kasus
tersebut!
2. Jelaskan gambaran tentang sistem keamanan
jaringan komputer yang dijalankan oleh Indiana
University dan Bagaimana penilaian anda terhadap
kualitas sistem keamanan jaringan tersebut?
3. “Roberts claims that the Privacy Act of 1974 forbids
the university from even asking for Social Security
Numbers (SSN)” Mengapa SSN digunakan oleh
Indiana University untuk manajemen database-nya?
Adakah alternatif selain SSN yg dapat digunakan
dalam database Indiana University? Jelaskan!
4. Apakah anda setuju jika Roberts diperlakukan
sebagai seorang Hacker? Jelaskan argumentasi
anda?
5. Siapa yang seharusnya bertanggung atas kasus yang
menimpa Prof.James Ackerman dan William Boone?
Apa tanggung jawab Indiana University atas kasus
tersebut?