[ISN] Student reporter who discovered university security breach punished but not expelled

From: InfoSec News (alerts@private)
Date: Mon Oct 08 2007 - 01:05:26 PDT


http://www.splc.org/newsflash.asp?id=1621

By Moriah Balingit
SPLC staff writer
Copyright 2007 Student Press Law Center
October 5, 2007

OREGON -- When Western Oregon University student journalist Blair Loving 
opened up a mysteriously placed file on the university's public server 
last June, he thought he would find information about the College of 
Education. Instead, he uncovered a file containing the names, Social 
Security numbers, grade point averages and other sensitive information 
of former students.

Loving's decision to download the file so that the campus newspaper, the 
Western Oregon Journal, could report on the security breach nearly ended 
his tenure as a student and led to the dismissal of the paper's adviser, 
Susan Wickstrom, for allegedly mishandling a copy of the file and for 
failing to advise the students about the university's computer policies.

Loving learned at a disciplinary hearing Sept. 28 that he would not be 
expelled, but the infraction will remain on his record. Wickstrom was 
informed in August that her contract would not be renewed.

"I worked there for seven years ... and I really feel like I had an 
excellent relationship with the students," Wickstrom said. "So I was 
really shocked and stunned to not have my contract renewed."

Additionally, during the course of the university's investigation into 
the breach, computer technicians conducted a nighttime search of 
newsroom computers without informing newsroom staff, a move that has 
angered Wickstrom and other press advocates.


Stumbling on a story

Loving said he discovered the file while in the library on June 6, the 
Wednesday before finals week. He took it to Editor in Chief Gerry 
Blakney, who copied the information onto a disc and gave it to 
Wickstrom. Blakney and Loving then reported the breach to the 
university, which launched an investigation.

Vice President for Student Affairs Gary Dukes said the students whose 
information was in the file were informed immediately. He added that the 
file got out onto the server as the result of a "mechanics issue."

Though the paper's final publication date had already passed, editors at 
the Journal decided that the story was too important to hold until the 
following school year. So the week after Loving discovered the file, the 
paper published a four-page special edition with an article that 
detailed Loving's discovery of the security breach. The article did not 
include any student's private information. The paper also reported that 
the university was pursuing disciplinary action against Loving for 
violating the university's computer policy.

During the course of the university's investigation, the director of 
University Computing informed Wickstrom that computer technicians had 
been let into the newsroom after hours to search newsroom computers.

She was outraged. Neither she nor anyone on staff had been consulted or 
informed that the search was going to occur, she said.

"Nobody knew about it," she said. "I feel like the newsroom should have 
been protected by federal and state law."


Legal protections

Duane Bosworth, a Portland, Ore.-based attorney who specializes in media 
law, said Oregon has the broadest shield law in the nation, which 
heavily restricts when law enforcement can perform searches of 
newsrooms. The federal Privacy Protection Act provides similar 
protection.

"It's protective of all unpublished information period ... and it goes 
without saying that it includes information on computers," he said. 
"People think they can just barge into any sort of student setting."

Professor Kyu Ho Youm, a communication law professor at the University 
of Oregon School of Journalism and Communication, said the physical 
intrusion of university administrators could create a "chilling effect."

"The university administrators should give the students the benefit of 
the doubt instead of sending someone to search the newsroom without any 
sort of warning," he said.


University reaction

Two months after the university's investigation into the breach, 
university officials informed Wickstrom that her contract would not be 
renewed. In a letter addressed to Wickstrom, Dukes cited her failure to 
remind students of computer policies and mishandling of the disc that 
contained the information as reasons for her dismissal. The letter said 
that she left the disc in her unlocked office and later allowed it to be 
taken off campus.

Loving was found in violation of the university's policy regarding 
computer use, which prohibits "accessing clearly confidential files that 
may be inadvertently publicly readable." After a disciplinary hearing on 
Sept. 28, Loving told The Oregonian that he would not be expelled, but 
he has to publish an article in the Journal about the importance of 
computer policies and create a proposal to help students understand the 
computer policy. Dukes said the newspaper would not be compelled to 
publish the article that Loving writes.

When Loving was contacted by the Student Press Law Center, he said his 
attorney asked him not to comment.

Wickstrom called the punishment "Soviet" and said she felt the 
university was overreacting, especially since Loving informed the 
university of the breach so promptly.

"I feel that the university was fortunate that the person who opened 
[the file] told them right away rather than using the identities to buy 
meth," she said.

But Dukes said that students are not supposed to download files 
containing confidential information, even if they accidentally make it 
onto the public server.

"It's a violation to download information that you're not supposed to 
have access to," he said. "That's the bottom line and that's the issue."

Although Dukes could not comment on Wickstrom's case directly, he said 
that if a newspaper adviser became aware that a student journalist 
possessed a file that contained confidential information, the adviser 
should "be informing those students of the policy ... and advise them to 
be getting rid of that file or turn it over."

Wickstrom said she had about an average knowledge of university policy. 
But knowing the policy better would not have changed her actions, she 
said.

"I thought my major responsibility was to protect the students' right to 
gather information and their responsibility to seek the truth even if it 
revealed a university weakness," she said. "I didn't think that the 
information was in danger of being leaked from our newsroom or anything 
like that."

College Media Advisers and the Society of Professional Journalists have 
launched investigations into Wickstrom's dismissal.

"It's just shocking," said Kathy Lawrence, the CMA's chairwoman of 
adviser advocacy. "As far as I can tell all she did was act like an 
adviser."




