The Chronicle: Daily news: 06/27/2000 -- 01

Search The Site

More options | Back issues

Day pass

Home

Opinion & Forums
The Chronicle Review Commentary Forums Live Discussions

Careers
News & Advice My Career homepage Search jobs by position type by discipline/field by state/region by institution Tools & Resources Employer Profiles

Multimedia

Resource Center

Services
Help Contact us About The Chronicle Subscribe Day pass Manage your account Advertise with us Rights & permissions Employment opportunities /r

Tuesday, June 27, 2000

Privacy Expert Advises Colleges to Bar 2 Popular Internet Tools
By FLORENCE OLSEN

Philadelphia

A computer-privacy expert warned colleges Sunday against continuing to use two popular Internet tools -- Telnet and File Transfer Protocol -- because they offer easy routes for unauthorized people to gain access to personal data on campus networks.
Simson L. Garfinkel, the author of Database Nation: The Death of Privacy in the 21st Century, offered the warning in a keynote address at ResNet 2000, a symposium for residential-network administrators that will continue through Wednesday here at the University of Pennsylvania. Mr. Garfinkel said the main lesson of his new book, published by O'Reilly & Associates, is that students and faculty members cannot rely on themselves or on technology to protect their privacy when they use computer networks.
Campus-network administrators and off-campus Internet-service providers, or I.S.P.'s, vary widely in their commitment to protecting personal information stored in network log files and other databases generated automatically when people use the network, Mr. Garfinkel said.
Most network services, he said, create log files that capture personal information, including user names, network addresses, and the time and date those services were used. But few colleges and I.S.P.'s have enforceable policies to protect students or others from the misuse of information in those databases, Mr. Garfinkel said.
Log files, for example, are created on Web servers whenever users click on the "search" button. Mr. Garfinkel asked, Who has access to those log files? What computers are capturing those log files? What policies do institutions have for automatically deleting those files on a regular basis?
Even institutions and I.S.P.'s that do have privacy policies usually provide no way for people to control how information about them is collected and used, he said.
The amount of data that is now automatically collected as people conduct network transactions is minuscule compared with the amount that will be collected in the future, Mr. Garfinkel said. "We're moving into a regime in which far, far more information is going to be collected -- and frequently, that's going to be done over some sort of campus network," he added.
Even a new privacy "preferences" technology that the World Wide Web Consortium announced last week could be meaningless, because it is not backed by federal law or regulation, Mr. Garfinkel said. The industry consortium, which develops new protocols for the Web, has worked for several years on the Platform for Privacy Preferences Project, or P3P, a privacy-labeling system for Web sites.
"P3P is a great technology, but it's a technology that [only] works hand-in-hand with regulation," he said. Sites that claim to be P3P-compliant generate an encoded document that tells users in a standard, plain-language format how each site uses the personal information it collects.
But P3P "doesn't go far enough," Mr. Garfinkel said. The system's flexibility permits site owners to leave unlabeled many of the elements that are the most invasive of users' privacy -- such as the Common Gateway Interface, or C.G.I., scripts that run on Web servers. C.G.I. programs are easily exploited by network attackers, who can use them to steal personal data, experts say.
Mr. Garfinkel also urged the more than 300 residential-network managers and student-coordinators attending the conference to stop the common practice of using unencrypted passwords to secure network-user accounts. "But you won't," he chided. "And so you're going to keep having accounts broken into."

Easy-to-print version

E-mail this article

The race to map the human genome is largely complete, competing teams announce

Education Dept. fines Mount St. Clare College for withholding crime data

M.I.T. professor says Pentagon sought to silence his criticism of antimissile program

Eckerd College president to retire after endowment is found to be short $19-million

Study says law schools favor white applicants over their minority peers with the same grades

Oxford, angry over criticism of admissions policies, rules out honorary degree for Tony Blair

Privacy expert advises colleges to bar 2 popular Internet tools

British government plans an online university for vocational students