A recent incident in which a Princeton University official broke into Yale University's admissions notification Web site has called into question Internet security measures and the privacy of students.
Last Thursday, the Yale Daily News reported that Stephen LeMenager, Princeton's associate dean of admissions, had repeatedly accessed Yale's admissions Web site by using applicants' personal information.
The site, which Yale officials had created in order to inform prospective students about their application status prior to the time that they received mail notifications, informed applicants as to whether they had been accepted or rejected from Yale, and also contained information about admitted students' academic and extracurricular activities.
Developed solely for the use of Yale applicants, the site required students' Social Security numbers and birth dates in order to enter, according to the Yale Daily News. Additionally, the Web site included a disclaimer clarifying its intended audience.
"All information released on this site is intended for the personal
use of the applicant," the statement read. "No one but the applicant should make use of this online facility."
Yet, a security review conducted by Yale's Information Technology Services traced eighteen log-ons to this Web site back to computers at Princeton, most of which were in the admissions office.
Further investigation revealed that LeMenager had been involved with this unwarranted access, although his motive for doing so has not yet been clearly established. Last week, LeMenager told the Yale Daily News that he was merely using the Web site to verify whether it was indeed secure, although he has since been asked to step down from his position.
"We deeply regret the actions reported on Thursday, July 25 by the Yale Daily News, which represent a serious lapse of judgment by at least one member of our admissions staff," Princeton director for Media Relations Marilyn Marks said in a press release. "We take this matter very seriously, and we are investigating it as quickly and as thoroughly as possible."
And according to reports, Yale officials have notified the Federal Bureau of Investigation regarding this breach of privacy and whether it has violated any federal laws.
"We are deeply concerned about the privacy of our students. We have therefore notified appropriate law enforcement authorities as well as the applicants whose web locations were accessed," Yale Vice President and General Counsel Dorothy Robinson said in a press release. "We have also notified Princeton and expect that they will follow up appropriately."
Regardless of the actions that Yale has taken thus far, this incident has raised concern among college administrators about the potential for the misuse of admissions notification Web sites.
"This was one of the many examples of why private institutions should be aware of their security measures as much as other corporations," University Chief Privacy Officer Lauren Steinfeld said. "We care about the trust of our constituents and hold safe and adopting measures that provide privacy and secure safeguards."
In recent years, websites have become popular among both universities and prospective students as a way of expediting the admissions notification process.
Due to the fact that they are still in their early stages of inception, the margin for error and security breaches -- as confirmed by what occurred at Yale -- has caused some people to second-guess the use of such systems.
"A lot of schools have Web sites, and we hear about mistakes from time to time where someone saw or inadvertently said something," National Association for College Admission Counseling Joyce Smith said. "Our colleges are still learning about the use of this tool, and in general, admissions people have to be careful with the technology that's available to us."
Nevertheless, there are security measures to avoid these hazards, according to Penn Information Systems Security officer David Millar.
"Using a social security number and date of birth is not a good way because unfortunately, too many people have that information," Millar said.
At Penn, for example, applicants are assigned a password to use when entering the site. Millar said that these personal identification numbers provide a much greater safeguard for privacy.
"There needs to be a stronger way to authenticate a person, like sending a personal identification number to applicants in the mail," Millar said. "There are a range of ways to authenticate people, but this is a fairly common method."
If anything, the lesson that LeMenager's actions has taught universities is that they can never be too careful when implementing technology safeguards in order to prevent potentially hazardous situations from arising.
"A lot of what happens in privacy protection is working to evaluate and mitigate your risk through assessment and awareness where there isn't as much as there should be," Steinfeld said. "We should take home the message that privacy is an issue for us."
The Daily Pennsylvanian is an independent, student-run newspaper. Please consider making a donation to support the coverage that shapes the University. Your generosity ensures a future of strong journalism at Penn.
DonatePlease note All comments are eligible for publication in The Daily Pennsylvanian.