[BreachExchange] Privacy breaches in University file system affect 200 people

[Destry Winant]

https://www.stanforddaily.com/2017/11/17/privacy-breaches-in-university-file-system-affect-200-people/

Stanford is in the process of notifying some 200 people — a mix of
employees and former students — that their privacy may have been
breached due to incorrect settings in one of the University’s
file-sharing systems.

Until this week, files including sexual violence records based on
counseling sessions, confidential University statistics and emails to
the Office of Judicial Affairs — some with names and email addresses
attached — were left broadly available on an internet server that
students, faculty and staff from over 50 institutions regularly use.
Any Stanford faculty, student or staff member with a SUNet ID was able
to access the sensitive files; The Daily also found that an MIT
student username and password were able to grant access.

The University was unaware of the data breach until it was notified by
The Daily last Thursday. The Daily withheld reporting on the leak
until the University secured all confidential information and notified
affected parties.

“This is absolutely unacceptable and the campus is working diligently
and urgently to assure that shared files are secure throughout the
university,” wrote Stanford spokesperson Lisa Lapin in an official
statement Thursday. “A thorough university investigation is under way
as to the extent and duration of the file exposure.”

“We extend the deepest apology to the employees and former Stanford
students who expected that their personal information would be treated
with the greatest care by campus offices,” she added.

Stanford has used the Andrew File System (AFS) directory, where the
sensitive information was until recently kept unlocked, since the
1990s. Every user with a SUNet ID is allotted 5 GB of data for
personal storage and may also use the file system to access course
materials and other resources.

But the sprawling server — home to over two decades of information
from a range of departments in the University — compromised, among
other data, 247 emails addressed to the Office of Judicial Affairs and
at least 38 files recording confidential information on crimes, mostly
sexual assaults, described to campus mental health counselors, the
Office of Community Standards and other groups. The latter information
on sexual violence was intended for tracking and reporting under the
1990 Clery Act, which mandates disclosure of campus crime.

Michael Duff, assistant vice president and chief information security
officer, said that while the University can track overall AFS
activity, it cannot track who has accessed specific files and folders.
He said University IT also can not yet determine exactly how long many
files intended for privacy were accessible for.

Compromised personal data

Within each directory, some folders and files were secured against
general user access, even as the Clery files and confidential emails
were left open to Stanford community members as well as people from
the many other organizations that use AFS.

In the Vice Provost of Student Affairs (VPSA) directory, a file
containing emails addressed to the Office of Judicial Affairs detailed
concerns ranging from spousal assault to Honor Code violations to a
discrimination complaint against a current faculty member. All
correspondence included contact information for the sender, revealing
names, email addresses and often phone numbers.

One of the Clery files also included the name and email address of the
reporting party.

Most of the other Clery documents omitted names, noting instead basic
demographic information such as gender, age, class year and ethnicity,
as well as the accused student’s group affiliation at Stanford, in
addition to a summary of what they reported.

But in a community the size of Stanford, data can be identifying even
without names. Some of the documents described victim and assailant as
narrowly defined as a pair of roommates of a certain class year living
in a specific dormitory, or a student of a specific age and ethnicity
assaulted by an upperclassman in a particular student group. Many of
the files were also accompanied by dates.

In some cases, the level of detail present might have identified a
reporting student to an acquaintance in the same social circles — or
potentially to the individual they accused of assault.

In files where the involved parties may be identifiable, the
University must notify the individuals. According to Duff, that’s
where the University Privacy Office needed to make judgments on just
how revealing the previously-accessible information was.

“If the population that fits given descriptions is large enough, no
one would be able to identify that person,” Duff said. “It’s a whole
field into itself — identification or re-identification of the data so
that we can determine who we need to notify.”

Files recording sexual violence cases in a Clery Act folder were
generated when an individual or a “Campus Security Authority” — for
example, a counselor at Counseling and Psychological Services (CAPS) —
filled out a web form created by the University’s Sexual Violence
Advisory Board.

While many of the files are based on information disclosed to CAPS,
James Jacobs, director of Vaden Health, emphasized that Vaden had no
role in managing the Clery report files and that CAPS counseling
records, which are separate from Clery data, have not been
compromised.

“Vaden clinical records … have been and continue to be completely
separate, completely protected and not shared,” he said.

According to Jacobs, CAPS and other entities on campus no longer file
Clery reports with the AFS-linked system. Further, he said, CAPS
therapists are no longer among the campus entities expected to make
Clery reports.

The Clery files, which span from 2012 to 2015, were located within a
folder owned by the Stanford University Department of Public Safety
(SUDPS). However, according to the University, the summaries of
individuals’ cases were not intended for police use or investigation;
they were meant solely for fulfilling the University’s duties under
the Clery Act, which a non-officer employee of SUDPS oversees.

CAPS’ website states that chart notes from a counseling session —
recorded electronically — are kept for 10 years by law but protected
with “strict security measures … including physical safeguards,
encryption, and password protection.”

The University emphasized that because the Clery reports were
generated from a separate process than in-session counseling notes,
“SUDPS did not and does not have access to counseling records
maintained by CAPS.”

But due to the mistake in the Clery folder’s privacy settings, the
text entries to the Clery forms were essentially public.

In some cases, the Clery files potentially shed light on University
decisions that confounded and angered many students when they were
first announced.

One file described a sexual assault involving two members of the
Stanford Band. Another file detailed a student’s account of being
sexually assaulted by another student after at a campus event on the
Quad.

A handful of files dealt with students who recalled experiences of
sexual assault or molestation before they ever came to Stanford.

According to the University, it generally “would have been challenging
if not impossible to conduct an investigation” given the high level
information recorded in most of the forms.

Confidential University information

Other directories previously left unlocked on AFS include the Office
of the President and Provost, the Vice Provost for Student Affairs and
Vaden Health Center. Within these folders, however, subfolders and
files had varying degrees of privacy.

Files that were accessible included 10-year compilations of University
statistics produced each academic year by the Office of Institutional
Research and Decision Support. Specific datasets marked as
confidential range from statistics on faculty ethnic and gender
diversity to detailed breakdowns of financial support for graduate
students and levels of government-sponsored activity by school and
laboratory.

Some documents include data from other institutions as well, such as a
report comparing Stanford with its peer schools on metrics such as
median student income, financial aid, research funding sources and
faculty diversity. Stanford has since reached out to these schools to
apologize for the breach.

Documents like these were not publicly available elsewhere — for
example, on the University website — but were unlocked in AFS.

Budget planning resources, as well as memos between then-Provost
Condoleezza Rice and the Faculty Senate, were likewise open to anyone
with AFS access, including users from other schools.

What is AFS?

Named after Andrew Carnegie and Andrew Mellon of Carnegie Mellon
University, the Andrew File System has been in use at Stanford for
close to three decades and is also used by a variety of universities
and research laboratories. AFS allows a large number of users, each
with their own computers, to access a centralized digital workspace
owned by their institution or workplace.

Whenever Stanford affiliates log into a desktop machine with their
SUNet ID and password, they are accessing the data stored in their
personal AFS workspace. For example, students can download useful
files into their workspace on a library computer and retrieve that
file again when they log in to a dorm cluster computer.

At the same time, AFS allows individuals to use all the
institution-owned resources that they are granted access to from their
home computers. For instance, computer science majors often use AFS to
download and submit homework assignments by entering the directory
corresponding to their course.

“Essentially all of my assignments for CS classes are stored there,”
said Jorge Ochoa ’18, a computer science major. “I keep my code there
for safekeeping and because we have to upload our homework to AFS
anyways to turn it in for most classes.”

One of the biggest concerns is that while the data is now secure, it
is hard to know who may have seen or even saved files during the time
that it was accessible.

“I don’t usually need to look for things outside of my personal
folders, but I have clicked around a bit either out of curiosity or
trying to find class resources which are in a different directory,”
Ochoa said.

When asked specifically about the SUDPS and Judicial Affairs files
found by The Daily, however, Ochoa said he hadn’t seen any of the
information in question.

Andrew Milich ’19, a computer science student who has used AFS for
coursework, said that most students doing their homework would
probably not stumble into places they shouldn’t be.

“The file system is a little hard to work with,” he said, although he
admitted there could be a temptation to browse around. “You kind of
have to know what you’re looking for to find something.”

Duff emphasized that any student who finds a security problem in a
Stanford system is required by the Honor Code and Fundamental Standard
to report the issue immediately to the Information Security Office,
the University Privacy Office or another relevant department.

Every institution that employs AFS groups the folders used by its
member departments into a single top-level directory. Since AFS was
also designed to help different organizations share files, top-level
directories are typically visible to users from other organizations
that use AFS — meaning that organizations have to take charge of
protecting their own information from non-members.

According to Duff, each department at Stanford is responsible for
setting its folders and files to the correct accessibility level. That
means that the University “relies heavily” on these subgroups to
manage their files well. Centralized oversight is difficult, he said,
not just for AFS but also for all file-sharing systems, from Dropbox
to Google Drive.

“The challenge is how to achieve a zero error rate in the permissions
across the hundreds of millions of files [and] folders stored at
Stanford,” Duff said.

He added that the sheer scale of the systems needed to store
information for an organization the size of Stanford means that each
department must take charge of its own security.

The very top-level directory for Stanford, ir.stanford.edu, is
overseen by University IT and has the correct settings, according to
Duff.

Asked about what support Stanford provides to departments on setting
AFS access, Duff pointed to online documentation, saying that “those
using AFS are expected to understand how it works.”

However, Duff did describe actions that University IT can take to
better ensure information privacy. For one, he said, it can improve
awareness about privacy setting issues; right after The Daily informed
the University of the incorrectly shared files, Duff emailed
Stanford’s over 1,300 IT professionals with a note about the situation
and extra tips for managing permissions.

“Inevitably, there are going to be some folks who maybe don’t
understand how the permissions work, and they’re not IT people, these
are just regular staff members and employees,” Duff said. “Because AFS
has been here for so long, I do think there’s an element of, someone
else set up the permissions a long time ago and over time just kind of
forgot they were open and then other people starting dumping stuff in
there.”

According to Duff, a push to move Stanford away from AFS toward other
systems such as Box and Google Drive is underway; he hopes the process
will prompt departments to review outdated files.

Still, he warned that the permissions errors are not “something
there’s a 100 percent solution for.”

“As much as we will try, and we have tried for many years, to do all
this stuff right, the scale makes it really tough,” he said.

Duff said that University IT adjusted settings on particular AFS
folders to protect the mistakenly public data within two hours of
being notified. But cleaning up after the leaks is a longer process.
For instance, the University had to request the deletion of cached
webpages on Google to prevent people from finding sensitive
information even after it was locked.

Potential ramifications

According to Chief Privacy Officer Wendi Wright, the University is
“informing individuals in accordance with FERPA and state privacy
notification requirements, as applicable.”

Legally, the Family Educational Rights and Privacy Act (FERPA)
protects “any information that protects the privacy of student
education records” from being shared without written permission.

There are also additional state privacy laws — both statutory and
constitutional — covering both students and employees.

According to Robert Rabin, Stanford’s A. Calder Mackay Professor of
Law, the University could also be liable to tort lawsuits based on
public disclosure of private fact if victims of the data breach can
prove that a harm occurred (for example, that their information was
accessed and used during the period that it was available).

“There could be two different pathways to responsibility,” Rabin said.
“Vicarious liability is where the University is responsible for any
branch of the university in violation. The other pathway is negligent
supervision, that would be a direct claim that the University should
have exercised greater oversight over the branches.”

However, Rabin also said that going into court is an expensive and
time consuming process, especially when harms might not be tangible.
He was not confident such cases would be pursued, but did stress the
significance of the blunder.

“If a vice provost or the department of public safety or whoever is
not exercising sufficient caution about protecting student privacy,
then the university should be concerned about that,” Rabin said.

In addition to the strictly legal ramifications, Stanford Law
Professor and sexual assault activist Michele Dauber worries that
there may be consequences for those considering reporting sexual
assault in the future.

“One concern that I have is that when survivors find out that Stanford
was not adequately safeguarding information that they thought was
confidential, they may be even more reluctant to report sexual
assault,” she said. “We don’t want students to feel reluctant to
report, but an incident like this could have a chilling effect on the
willingness of victims to come forward.”

Dauber emphasized that this is especially worrisome given that the
last campus climate survey indicated a very low percentage of victims
actually report their experiences with sexual assault to anyone at the
University.

“The mistake was obviously inadvertent, and I’m sure whoever did it
feels terrible about it,” Dauber said. “I’m sure that it wasn’t like
Stanford wanted to do this, but this is important, and it’s important
to get it right.”