There’s nothing more exciting than when an old institution learns new tricks. Georgetown has recently made a number of strides in integrating modern technology into University life—GUTS and SafeRides now have tracking features, Blackboard has finally been updated, UIS has instituted a password reset function, and the University recently paired with EmergenSee to allow DPS to locate students in trouble. However, with all of these technological changes, there is reason to believe Georgetown isn’t doing all that it can when it comes to safeguarding our privacy.
We entrust Georgetown with large amounts of personally identifiable information. In their databases, they have our full names, our birthdays, our Social Security numbers, our emails, and our financial information. The last is particularly true for those who receive financial aid, and thus have had to fill out forms with detailed financial information. With all of this data sitting in Georgetown’s servers, it’s safe to assume that the school has it under lock and key, right? Wrong.
In 2006 a University server containing the names, birth dates, and Social Security numbers of over 40,000 elderly residents who were being researched was attacked, exposing these individuals to the threat of identity theft. Then in 2008, a hard drive was stolen from the Office of Student Affairs that contained the Social Security numbers of nearly 40,000 students, alumni, faculty, and staff. While the office has certainly instituted more safety precautions, this breach not only evidenced the vulnerability of the data, but also how much data Georgetown has on both current and former students. The data that is given to the school doesn’t just disappear upon graduation—it is saved for later use by the alumni association. That’s not to say that this data remains in Georgetown’s servers in perpetuity, but it does demonstrate that the information given to Georgetown isn’t as safe as we think.
The sheer amount of data that the University has is also threatened by our one entry point: our NetIDs. Our NetIDs give us access to Student Accounts Services with our financial information, all of our academic information, our health insurance information, our immunization records, and our biographical information. On top of that, our NetIDs access our email, where many students store information related to online banking, social media sites, or online shopping. This means that if someone was able to gain access to a NetID and password, he or she would be essentially given the keys to the digital kingdom. Identity theft is just one of a number of ways in which a cunning hacker could use the data that Georgetown has on its servers.
The question, of course, is how would they get my password? Well, luckily, UIS has just recently instituted a password recovery program. While seemingly meant to safeguard your ability to access your email, the recovery program is predicated on the use of security questions, which are notoriously easy to crack. The answer to questions such as “What is your father’s middle name?” or “Where were you born?” are easily accessible through social media or a simple Google search. As stated before, once a malicious individual has access to your NetID, he or she can do a lot more than withdraw you from all of your classes.
Perhaps the most egregious breach of privacy is the new EmergenSee app, which uses geolocation services for students in trouble. The University’s desire for us to all have this on our phones is commendable, until you read the terms of use. After opening the app, it prompts you with a message stating that the app “records video, audio, and takes photos without indicating that… [they] are being recorded.” This data is then uploaded to their servers. Not only is it illegal to record someone without their knowledge, but it is also a massive invasion of privacy. The app gives no indication of when these recordings would take place, how secure their servers are, or for how long they store this data. Basically, this app turns your phone into the ultimate tracking device, and it’s University sanctioned.
Clearly, the University’s foray into modern technology has a number of flaws. However, many of these are easily rectifiable. First, students should be required to sign up for double authentication for their NetID. This means that they can either download an app that gives them a randomly generated number or be given a SecurID that does the same whenever they sign into their account. That makes it harder for outsiders to access a student’s information. Second, the school should consider separating a student’s financial information from their NetID, which again safeguards against abuse. Finally, the University needs to work with EmergenSee to rectify this huge oversight in their terms of use. If the University is going to continue to digitalize, then it needs to ensure that potential threats to privacy are reduced.
