The Post

Tuesday, March 4, 2008
25,000 student photos had no login protection

Published: Tuesday, March 4, 2008
Last Modified: Tuesday, March 4, 2008, 3:03:42am

Rick Rouan / Managing Editor / rr125405@ohiou.edu
Dave Hendricks / Campus Senior Writer / dh100006@ohiou.edu
Matt Zapotosky / Editor in Chief / mz152904@ohiou.edu

More than 25,000 pictures, apparently of Ohio University students, were inadvertently left without password protection on an otherwise secure OU Web site in what state and federal officials said might be a violation of federal privacy law.

OU restricted access to the pictures, which appeared to be headshots taken for OU identification cards, hours after a Post reporter called to inquire about them last Tuesday. Brice Bible, the university’s chief information officer, said in an interview yesterday that the only way someone could have located the Residence Life Web site containing the pictures was to abuse their access privileges.

The pictures, housed on a Web site used by OU resident assistants to file incident reports, were available to anyone who typed in the appropriate Web address. David M. Hendricks Jr., the Post reporter who discovered the pictures were publicly available, is a resident assistant, but he did not use his RA login and password to the Community Incident Report system to access the pictures.

Hendricks stumbled upon the pictures after adding different sets of words to the end of the Community Incident Report site's Web address. The site was not indexed by any search engine.

Bible said that only an RA or person with similar access to the system would know about the Web site in the first place to be able to find the pictures by guessing. But he acknowledged that the pictures lacked password protection.

“This is a perfect example of where there was one layer that was not as pat as we would want it to be,” he said. “To type in that site, you could not have just guessed what that site was, you would’ve had to (have) been in the CIR system … I think it’s a very minor issue.”

A network manager at the Massachusetts Institute of Technology, given specific information about how Hendricks discovered the pictures, wrote in an e-mail that adding or removing characters from a Web address is a common way to find hidden information.

“So the question is whether anyone bothered to go looking for the information. My guess would be that if they wanted the information, they would likely find it. There really is no excuse for leaving such information exposed on a Web site, even one that isn’t advertised anywhere, without requiring some level of login,” wrote Jeff Schiller, the network manager at MIT.

Jim Bradshaw, a spokesman for the federal Department of Education, said the public availability of the pictures might be a violation of Family Educational Rights and Privacy Act if OU does not consider student headshots directory information. Directory information typically includes a student’s name, address and telephone number.

A student complaint could trigger an investigation by the federal Department of Education, Bradshaw said.

OU does not consider pictures directory information, said Patrick Beatty, associate university registrar.

Posting a student’s picture on a Web site without a signed release is a violation of federal privacy law, according to guidelines posted by OU’s Office of Internal Audit in a university news release.

No names were listed on the site — only pictures with 10-character personal identification codes that also appear on student identification cards. Bible said none of that information could be used for identity theft.

Bible said officials in his department began investigating who might have accessed the pictures on Thursday, and they will notify those students whose pictures were exposed, even though the law does not require them to do so. He declined to provide any more details on the investigation because it is ongoing.

If the availability of the pictures violates Ohio or federal privacy law, OU must notify anyone whose picture was posted, said Sol Bermann, the state’s chief privacy officer. And even if the posting did not violate any laws, OU still has the option of sending out notifications, he said.

“OU doesn’t have to. Whether they want to is up to them,” Bermann said. “Even when it’s absent a law, you’ll often see notification.”

Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse, said OU should notify all people whose pictures were available.

“Oh, there’s no question the people should be notified, that’s without a doubt,” Stephens said.

Reader Comments

annexisthekey said on 2008-03-04 12:35:25: Quality: -1

A question we should probably be asking ourselves is: Why is Mr. Hendricks randomly adding anything to a URL of a Community Incident Report page? That sort of action usually implies that one is trying to find a hole and gain deeper access to the system.

It is somewhat troubling because the reports themselves hold a large amount of personal information including the students' addresses, social security numbers, and PID number. Although Mr. Hendricks may have mistakenly stumbled onto a large amount of pictures, it seems that the discovery of those pictures could have been accidental while trying to gain access to fairly unguarded personal information.

I'm not implying that Mr. Hendricks is guilty of anything (in fact, I believe it probably was not malicious) but I would like to hear the reasoning behind why he was "adding different sets of words to the end of the Community Incident Report site."

ME2010 said on 2008-03-04 14:03:43: Quality: +0

So he was curious how the site worked; it's not the end of the world. If you give me a URL that looks like that is how the site is processing my request, I'll always play with it. You used to be able to do all sorts of fun stuff on Facebook that way.

Outdoor83 said on 2008-03-04 19:09:46: Quality: -1

You can always access all sorts of information this way on all websites: this isn't anything that profound at all. If you know *exactly* how a website is put together (and the RAs had insider knowledge, clearly, as they had access to a system to which others did not know about), you can get at stuff that people didn't intend for you to see.

The trick, and this is very important, is that without that insider knowledge, you're guessing at needles in a haystack. This may seem obvious to someone who looks at URLs and thinks "Hey, maybe I can change the number on the end to do something else," but unless you have the URL to begin with, you're not going to think about it.

When asked if David Hendricks abused his RA power to get the photos, he actually did. The site wasn't publicly announced anywhere, and there's probably a terms of service on the site somewhere which states that only RAs may use it for intended purposes. He didn't use a username / password, but he certainly used insider info to get at the photos.

This is a very minor website bug, easily fixed. You don't report software bugs in the newspaper, you fix and move on unless something serious happens. This isn't serious, this is very commonplace.

irisha said on 2008-03-05 18:33:30: Quality: +0

To set the record straight, the relevant Federal law in this case is FERPA, and under this act, photographs are specifically named as "Directory Information" (see Section 99.3, http://www.ed.gov/legislation/FedRegister/finrule/2000-3/070600a.html).

It is certainly within the rights of OU to designate a subset of the items that FERPA lists as "Directory Information" at OU, but at that point, this becomes a violation of university policy, NOT federal law. I'm not familiar with Ohio state law, but I would be very surprised if there's anything there that designates a student's photograph as private.

However, most institutions do allow students to request "confidentiality", so if one or more of the 25,000 had done this, THAT could be considered a violation of FERPA.

silnan said on 2008-03-06 07:53:28: Quality: +0

No, Mr. Hendricks could have also used the search feature of the OU website and back-tracked the RA's information. If the pictures were not protected with an OAK login, then they were exposed. End of discussion.

poppys4sleep said on 2008-03-06 09:48:48: Quality: +0

I'd venture to guess that 25,000 OU students have plenty more provocative pictures plastered all over MySpace and Facebook. I really don't see the issue.

Outdoor83 said on 2008-03-06 10:12:29: Quality: +0

silnan: Either post exactly how you would do it without knowing inside features of the RA website (behind the access) or don't say that they were exposed. "Back-track" the RA information? Interesting, no one online refers to exactly what that means. So we head to OU search, "backtrack" something, and hit pictures? Mind being a bit more specific?
