CASE STUDY: INDIANA UNIVERSITY COMPUTER NETWORK On Wednesday, March 12, 1997, over 2,000 Indiana University (IU)

faculties received the following e-mail message: Are you aware that Indiana University put your privacy at risk? Have they contacted you about it? The sender of this message was Glen Roberts of Oil City, Pennsylvania, who describes himself on his web homepage as a talk show host, privacy advocate, and Internet entrepreneur. Searching the Internet, Roberts located an IU file containing the names of 2,760 IU faculty, along with their Social Security numbers, addresses, and phone numbers, which Roberts had downloaded and posted on his Web Site. The file had been created by the University Graduate School to provide information on the research interests of the faculty members so that they could be notified of funding opportunities that might be of interest to them. All IU information on the Web is supposed to be protected by a safeword card. According to Norma Holland, director of university computing services: We have what is called a firewall, an internet term that essentially prevents access to data which are not public. The safeword card allows only authorized and authenticated users to get to those data. But this sensitive file apparently was not protected. According to Jeffrey Albert, associate dean, this was an obsolete file that escaped unnoticed when the system was being upgraded to make it more secure. The university immediately removed the file and disabled the old gateway service. The situation was called an eye-opener by IU Vice President for Public Affairs Christopher Simpson: it was fortunate that more sensitive data was not compromised. Although we are very sensitive to the release of information like this, this is vastly different from having individual access to the universitys most sensitive proprietary information. This is good wake-up call. That is exactly how we are viewing it. But Roberts posed a question of other potential security problems. You must remember that even though my page may have brought this to your attention in an unpleasant manner, the real danger lies in those who may have silently obtained the information from your site with no one the wiser, he wrote in a Web page dialogue with Mark S. Bruhn, IU information security officer. Roberts claims the Privacy Act of 1974 forbids such agencies (as IU) from even asking for Social Security numbers in other than specifically enumerated situations. That the SSN is included in

any such faculty internet research database is out rage us, Roberts wrote on his Web conversation with Bruhn. Even if the files are not meant to be available to the public, the wholesale collection of such information in an Internet data base demonstrates a clear failure to understand even the most basic precepts of personal privacy.

Roberts Justification Roberts was described by people at two Pennsylvania newspapers as an interesting fellow and a computer whiz-bang. According to the Erie Times, which did a profile on Roberts several months prior to this incident, he came to Oil City from the Chicago area, where he published a paper that dealt with privacy issues. He has done a shortwave radio program and now does a radio program on the internet. Also, he has been a network television consultant and appeared on local talk shows. Roberts also publishes several Web pages and works as a computer consultant. Roberts said he came across the IU file during a check of his own domain. By typing SSN into the Infoseek search engine, Roberts said, he called up a list of entries that showed a name and Social Security number. By opening that file, he found the IU research database. Roberts said he has been involved in publicizing privacy issues for about 15 years. His interest began, he said, by using the Freedom of Information Act and obtaining copies of government documents. He said he was surprised at the amount of information available of which people are not usually aware. He has been particularly interested in the seemingly wide spread availability of individuals Social Security numbers, which are pathways to other information and whose disclosure raises the potential of unauthorized use a persons identity. Roberts states that the issue is this: Should the university be collecting this information and putting it in data bases, with maybe not the intent to pass it out all over the world but with intent that a fair number of people may be accessing that information? Roberts said he published the IU list because the privacy issue does not usually become tangible to people until they experience an invasion themselves. The bottom line is privacy is an extremely important issue but it is only important when you see it affect yourself firsthand, he said. Thats what I have done with other Web pages. People can experience it firsthand, and with that experience can be more public debate and action on the issues.

Faculty Reaction Many of the faculty members on the published list disagree with Roberts tactics. They were primarily concerned that their Social Security numbers were made easily available for the obvious reasons and over a hundred faculty e-mailed protests to Roberts. I go to Roberts and say I like people who are watchdogs, but do you need to post this information in a convenient location to make your point? said Kurt Zorn, of the IU School of Public and Environmental Affairs. I think he might have done more damage by doing this than the university did in its oversight. There might have been more effective ways of calling attention to the problem. Law professor Ed Greenebaum added that he believes Roberts made a judgment about the university without any information, which is unfair. The impact is to expose us to a danger he says he is trying to prevent, and its much more than it otherwise would have been, Greenebaum said. My concern is not with the universitys intent but why this individual feels the need, inconsistently in my view, to facilitate the distribution of our Social Security numbers. With IU threatening to take legal action and the heavy volume of protests from IU faculty, Roberts removed the IU file from his Web page and said he has no intention of posting the names and Social Security numbers again. The Consequences On March 27, religious studies professor James Ackerman said he recently has been billed for phone lines, Internet access, and credit card accounts that are not his own. Although it has not been verified, he believes someone picked up his name and Social Security number from Roberts Web page. Within two weeks of the posting, Ackerman received a bill for a months Internet time, had a call from AT&T saying it was ready with a conference call he did not order, got an inquiry from Ameritech asking if he made a call from Germany to Portland, Oregon, and discovered there were calling card accounts opened in his name. William Boone, an education professor, said his wife received an inquiry from MCIs frauds department about calls originating from Germany using the Boones calling card number. Although there has been no proof that Robertss Web page was the source of the information used in the fraud, Boone and others believe the incidents are more than a coincidence. What are the chances two IU professor are getting unauthorized calls from Germany? What are the chances this is not related to the World Wide Web issue? Boone said.

Boones wife said the issue is an settling. It feels like such a violation, she said. You feel like someone knows you but you dont know them. That is very uncomfortable. The situations has been frustrating to Ackerman, who said the credit card companies told him they could not put a block on his Social Security Number. He was told he could contact three credit agencies, which many banks use to check a persons credit, and they could put a hold on his records. Ackerman also contacted the office of IUs legal counsel, which was unable to offer much assistance. At this point, we dont even know if his experience relates in any way to Roberts Web page, said Michael Klein, associate university counsel. There are some timing coincidences, but you just dont know. However, the university is exploring whether there is any legal liability Roberts might incur if faculty members are damaged, financially or otherwise. Klein added that the university is reviewing the issue of using Social Security numbers in its course of running the school. As an institution, we are taking a look inward to determine if there are some alternatives, he said. Berdasarkan ilustrasi kasus yang terjadi pada INDIANA UNIVERSITY COMPUTER NETWORK, anda diminta: 1. Mengidentifikasi 3 (tiga) isu utama dalam kasus tersebut! 2. Jelaskan gambaran tentang sistem keamanan jaringan yang diimplementasikan oleh Indiana University dan Bagaimana penilaian anda terhadap sistem keamanan tersebut? 3.
Roberts claims that the Privacy Act of 1974 forbids the university from even asking for Social Security Numbers (SSN)

Mengapa SSN digunakan oleh Indiana University untuk manajemen database-nya? Adakah alternatif selain SSN yg dapat digunakan dalam database Indiana University? Jelaskan! 4. Apakah anda setuju jika Roberts diperlakukan sebagai seorang Hacker? Jelaskan argumentasi anda? 5. Siapa yang seharusnya bertanggung atas kasus yang menimpa Prof.James Ackerman dan William Boone? Apa tanggung jawab Indiana University atas kasus tersebut?