Princeton Student Reveals Way to Access Students’ Personal Data
A Princeton University student whose Web site revealed the breadth of student information publicly available on Princeton servers has drawn criticism from the university and support from some students who say privacy safeguards should be tightened.
The student, Dan Li, said he discovered last summer that anyone sending a query to the university’s LDAP server could retrieve some students’ ID numbers, vacation away messages and dates, personal e-mail addresses, dorm addresses, and other information. Much of that data is not searchable through the student directory on Princeton’s Web site.
Mr. Li said he objected to the university’s making that information accessible to the public. Last week, he created a Web site, Do Not Forward @ Princeton, that allowed people to search for some of the additional information if they knew a student’s Princeton e-mail address. He also sent a message to hundreds of students’ Gmail addresses that he gleaned from the database asking students to voice their concerns to Princeton.
The information Mr. Li found does not appear to be protected by the Family Educational Rights and Privacy Act, or Ferpa, experts say. But the case offers a warning to institutions about the need to carefully manage student directory information at a time of heightened concerns about online privacy.
A Wednesday editorial in The Daily Princetonian, which initially reported the news, commended Mr. Li and said he raised important concerns about the university’s handling of private student data. “The university must do a better job of making sure that private information remains private.” It pointed to New York University, which publishes students’ information only after they give their permission.
A spokeswoman for Princeton, Emily R. Aronson, said the university has begun to remove from public view the information Mr. Li found. “Students are always, and I emphasize always, able to request that their information be removed from the published directory, or that some of their public information is not included in their published directory listing,” Ms. Aronson said.
Ms. Aronson said Mr. Li had engaged in unauthorized use of information that was supposed to be available only to university programmers who needed to access the information for official university business. She pointed to a Princeton policy that states that anybody who finds a gap in the university’s online security must report it to the university and refrain from exploiting it.
But Mr. Li pointed to a page on the university’s helpdesk Web site that gave step-by-step instructions on how to access the university’s e-mail server and use a Unix search command to access the student information he found. The instructions were replaced on Monday by a notice forbidding unauthorized use of such information.
Mr. Li said he had been interviewed by campus security and was in discussions with campus officials about “what they’re going to do to me about this.” Ms. Aronson said she could not comment on the specifics of the student’s case, citing privacy concerns.
Tracy Mitrano, director of information-technology policy at Cornell University, said it did not appear that Princeton had violated Ferpa. But she said of Mr. Li, “I think that in some sense he may have done the community a service, because we all need to be more aware of privacy.”
Student information that was harmless in paper form presents new risks when it is published online, she said. Directory information could be combined with other publicly available information—say, through a Google search—to form a student profile that could create a liability for individuals in terms of physical safety, identity theft, or reputation impairments, she said.
She asked, “Should Ferpa be reviewed on the question of directory information, in light of the digital realm and the power of information systems to mine and recombine data?”