From brian@ristuccia.com Thu Jan 8 13:49:20 2004
Date: Thu, 8 Jan 2004 13:49:20 -0500
From: Brian Ristuccia
To: NYU Network Security Group
Cc: Ada Meloy, Marilyn McMillan, jane.delfavero@nyu.edu
Subject: Re: NYU files on your web page
Message-ID: <20040108184920.GJ14062@osiris.978.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.28i

On Thu, Dec 25, 2003 at 11:56:03AM -0500, NYU Network Security Group wrote:
> Dear Brian,
>
> It has come to our attention that you are mirroring a page from NYU's
> website which contains personal information:
>
> http://osiris.978.org/~brianr/mirrors/nyu-are-morons/indidetails.txt
>
> Please take down this page immediately and confirm to us when you have done
> so.
>

Dear Ms. Jane DelFavero:

The URL in question is a mirror of the contents of the public website at
http://www.nyu.edu/classes/mia/public_html/cgi-bin/data/indidetails.txt as of
December 5, 2003. This public website was found by doing a search on Temoa.com
for one of the student names listed in that file.

Privacy of the affected students has already been reduced by NYU's publication,
and removing my mirror site will do little to restore it. In fact, removing my
mirror may prevent affected students from discovering that their personal
information was published by NYU, and will only serve to cover up and enable
NYU's poor privacy practices. If NYU were really concerned about student
privacy, it would have notified all of the affected students by now. Also, NYU
would have stored personal information only on access-controlled machines not
directly connected to the public Internet, and it would have avoided using
social security account numbers or taxpayer identification numbers except where
required by law for social security or tax purposes.

I know with certainty that NYU has not contacted at least one of the affected
students to tell them about NYU's posting of their personal information on a
public website. Considering the triviality of doing a preliminary notification
via email, I have my doubts whether NYU has made any notification effort at all.

Current and prospective students won't just take my word for it if I say that
NYU has poor privacy practices, but being able to review and corroborate the
evidence on my mirror site will help them reach their own conclusions and make
wise decisions about whether to trust NYU with their personal information. The
mirror site also provides hard facts about NYU for journalists who wish to
report on university privacy policies and practices.

I must be honest and say that I fear that your request has little or nothing to
do with protecting student privacy, and very much to do with limiting
embarrassment and responsibility for NYU. This fear is among the most
significant of those reasons leading to my decision to decline your request
that my mirror site be removed. While I can understand NYU's embarrassment over
being caught in such an egregious violation of student privacy and its desire
to avoid penalties for violating any privacy policy or other contract with
students, moral and ethical issues preclude me from doctoring or obscuring my
copy of the site just to help NYU avoid the consequences of its actions.

Despite my denial of NYU's request, I have acted today in response to a similar
request by a current or former NYU student who expressed sincere concern about
misuse of their personal information. As a result of their request, I have
removed the original mirror and replaced it with a new page arranged in a
manner which disassociates the names from the numbers and omits some of the
other fields. A student searching by name or number is still likely to discover
my documentation of NYU's publication, but an unscrupulous person seeking to
defraud, impersonate, or harass will have much difficulty correctly matching
the 2389 name entries with some 2300 different numbers.

Please accept my sincere regrets, and allow me to wish for you a much better
new year for network security and student privacy.

--
Brian Ristuccia
brian@ristuccia.com