The Chronicle: Daily news: 07/26/2002 -- 01

Search The Site

More options | Back issues

Day pass

Home

Opinion & Forums
The Chronicle Review Commentary Forums Live Discussions

Careers
News & Advice My Career homepage Search jobs by position type by discipline/field by state/region by institution Tools & Resources Employer Profiles

Multimedia

Resource Center

Services
Help Contact us About The Chronicle Subscribe Day pass Manage your account Advertise with us Rights & permissions Employment opportunities /r

Friday, July 26, 2002

Princeton Admissions Official Breaks Into Yale Admissions Site
By JEFFREY R. YOUNG

At least one admissions official at Princeton University broke into Yale University's Web site for notifying students about admissions decisions in early April and retrieved personal information about 11 applicants to Yale.
A Princeton official has said he entered the site only to gauge the security of such online admissions systems, but the official was roundly criticized for what the university acknowledged was a "lapse of judgment."
Stephen E. LeMenager, an associate dean of admissions, has acknowledged that he made unauthorized use of Yale's admissions site, and he has been placed on administrative leave pending an investigation, said Marilyn Marks, director of media relations for Princeton.
"We do recognize that a serious lapse of judgment has occurred," said Ms. Marks. "Right now, we're trying to determine exactly what has happened and who was involved. We have begun what will be a very aggressive investigation, which will include independent outside investigators, that is just getting off the ground."
Yale officials are not taking the matter lightly. They notified law-enforcement officials and told the applicants about the incident, said Tom Conroy, Yale's deputy director of public affairs.
"It was clearly wrongful conduct," said Mr. Conroy. "The privacy of our students and applicants is paramount."
Ms. Marks said Princeton "will cooperate fully with any external investigation that may be conducted," in addition to conducting its own. Princeton's dean of admissions, Fred Hargadon, did not return telephone and e-mail messages Thursday.
For two weeks in April, Yale made its admissions decisions available to this year's applicants using a secure Web site, to give students a speedier way to find out whether they had been accepted. A student had to enter his or her Social Security number and birth date to gain access to the site and find out about the decision.
During that time, one or more officials at Princeton's admissions office used the identifying information for 11 Yale applicants who had also applied to Princeton to log on to Yale's Web site as if they were those students. In some cases, a snooping Princeton official tapped into the Yale site before the students themselves had. Because Yale's system is designed to reveal a decision only the first time an applicant logs on to the site -- with a multimedia fireworks display for a positive result -- those students were frustrated when they entered the site themselves.
The incident was first reported Thursday on the Web site of the Yale Daily News, the university's student newspaper. Mr. LeMenager told the newspaper that "it was really an innocent way for us to check out the security. ... That was our main concern of having an online-notification system, that it would be susceptible to people who had that information -- parents, guidance counselors, and admissions officers at other schools." Mr. LeMenager did not return calls for comment Thursday.
An investigation of the incident by Yale officials found that computers at Princeton, most of them in the admissions office, had been used to log into the admissions-notification site 18 times, though some were repeated entries into the same student's records, according to the student newspaper. Mr. Conroy stressed that "there were no [improper] accesses aside from the ones from Princeton."
Yale's Web site contained only limited information about applicants, said Mr. Conroy, and it did not include full application data. The main piece of information on the site was whether a student had been admitted to Yale, though the service also had, in the case of those admitted, "a profile of their academic and extracurricular interests ... supplied by the College Board," said Mr. Conroy. The College Board is the nonprofit group that owns the SAT test.
Yale's admissions Web site included the following disclaimer to discourage misuse: "All information released on this site is intended for the personal use of the applicant. Friends, family and other interested parties are asked to contact the applicant directly. No one but the applicant should make use of this online facility. Yale considers this information to be confidential and will investigate and act on any violation of its intended use."
Jonathan Zittrain, co-director of Harvard University's Berkman Center for Internet & Society, said that he would have to know more details about the case before determining whether Princeton's officials had broken the law.
He noted, however, that "there are strict limits on the use of the explanation that one was just testing the integrity of someone else's system to account for obtaining patently unauthorized access to it."
Calling the situation "unbelievable," he said that "my guess is that this is the sort of issue that is handled between institutions."
This was the first year Yale had used a Web site to deliver admissions decisions. It mailed the usual batch of admissions letters as well.
Several other colleges' admissions offices have set up similar online-notification systems in the past few years. But some of those colleges have taken greater steps to ensure that only applicants can see the decisions.
"We give students a user name and password, so another institution could not go in if they had a Social Security number" or other identifying information, said David D. Cuttino, dean of admissions and external affairs at Tufts University. He said that he did not know of any misuse of Tufts's system, which has been in place for a couple of years, and that "the response from students has been very positive."
Cornell University is starting a similar notification Web site this year. It plans to issue a unique personal identification number to applicants, who will then use it to set up a password.
"Social Security numbers should never be used for identification purposes," said Barbara Skoblick, associate director of undergraduate admissions systems at Cornell. "Personal information isn't necessarily private."
Mr. Zittrain, of Harvard, said that it is possible for colleges to set up secure Web services for students and applicants. "This certainly shouldn't be thought of as damning of the idea of online notification," he said.

Background article from The Chronicle:

Frustrated With Snail Mail, College Admissions Offices Turn to the Internet (11/2/2001)

Easy-to-print version

E-mail this article

Princeton admissions official breaks into Yale admissions site

U.S. Senate committee approves spending boosts for AmeriCorps and NSF

3 freshmen sue U. of North Carolina over assigned reading about Koran

Florida Memorial College fires 2 workers and expels 3 students amid grade-changing inquiry

Congress increases funds for network-security scholarships by $19.3-million

Law student sues Web-filtering company in a challenge to Millennium Copyright Act

Senate bill would increase NSF's spending for technology research