8/1/2002 Boulder, CO
Last week, Yale University accused rival Princeton of seeing the confidential decisions of 11 candidates that applied to both schools. According to reports, undergraduate admissions officers at Princeton purportedly used applicants’ last names, birth dates and social security numbers to gain entry to the system this past April. Although no official reason for the supposed breach was given by Princeton or Yale, observers speculate that Princeton could exploit the inside information to woo students being accepted at both schools with additional solicitations and improved financial aid packages.
Your bank, credit card company, phone company, hospital, health insurer and yes, your university, has your social security number and date of birth in their records. So while Yale felt Princeton “hacked” into its system, it’s really a privacy and permission issue. Information was collected for purposes of evaluating students for college admission but not for additional use. The admissions department, for example, did not have permission to start conducting criminal background checks or examining applicants’ credit reports or medical histories.
Students sent their information to the admissions departments at Yale and Princeton as a requirement for their applications to be processed. Their social security numbers were used to tie their application to their standardized SAT and ACT test scores. Even though the Princeton admissions department had the keys that unlocked the door to the Yale admissions site (students’ social security numbers and dates of birth), they did not have permission to use the information to peer into private areas of an applicant’s life.
Laws in the health care and financial/banking industries help protect consumers from the unauthorized use of information that has been collected for one purpose and then used for another. In the online world, the Federal Trade Commission has imposed stiff penalties on companies that publicly say they will “never ever” sell their customer information, but then turn around and auction the “asset” off to the highest bidder. Toysmart, for example, tried to sell its customer database when it filed for bankruptcy, but was ultimately blocked from selling because doing so would have violated their customer’s privacy. In addition, there are long-standing rules at the IRS that prohibit its employees from browsing needlessly through the tax return records of celebrities.
Prior to the rules, the U.S. president’s tax return was one of the most frequently examined tax returns by curiosity seekers inside the IRS. The IRS implemented a “fingerprinting” technology that digitally stamps each record every time it is accessed, making sure that employees who may have access to records safeguard the privacy of American taxpayers. A similar audit trail ultimately caught the Princeton admissions department red handed. Whenever you visit a Web site and request a page, the server receives the request and sends it back to your computer. In the process, your IP address (a string of four numbers that are your computer’s location information when you’re on the Internet) is recorded and saved in the server’s records of what pages were requested and by what computer.
What the Princeton admissions department didn’t realize was that anyone at Yale was tracking their non-permissioned access to the Yale system. Criminals’ alibis are now corroborated or disproved by credit card transaction information and cell phone location information that records where they were when a crime took place. A couple months ago, I wrote about how a college in Indiana accidentally posted the social security numbers of past students on a public section of their Web site and the ramifications of how this sensitive information can be used by thieves to open up fraudulent bank accounts or run up costly credit card or cell phone bills.
If businesses and organizations continue to use social security numbers as universal identifiers (there is no current federal legislation that discourages this practice), expect such incidents to continue to increase. The irony of the Yale-Princeton admissions debacle is that the Princeton admissions department didn’t realize that their privacy-violating Web browsing activities weren’t exactly private.