“I mean, everything’s here,” said Emily Terson* as she ran her fingers through the pages of the thick manila folder sitting before her on the desk.
“You’ve got their name and address and all that info — of course Social Security [number], also their transcripts all the way through the beginning of their undergraduate education,” Terson said. “Financial statements, financial aid, letters of recommendation, evaluations, test scores, their application, résumé, emails, copies of their passport … it’s all here.”
Terson works as a student advising office assistant, where she files and transcribes the information of thousands of current and former students at UC Santa Cruz.
Filing cabinets of these folders line the walls, and only some of them are locked. Currently, these students’ information security falls to Terson’s personal discretion.
“It’s very casual and open … anyone can just come in. I could leave this folder on my desk, go out to lunch or even the bathroom, and somebody could just walk by and pick it up,” Terson said. “And nobody would know.”
The University of California runs on information. While students stress over books to read, papers to write and exams to pass, administrators worry about records to find and projections to make. As students prepare themselves to join an increasingly mediated society, they find themselves already embedded in one.
This is necessary — personal information, like Social Security numbers, transcripts, financial status and contact information, verifies the credibility of diplomas and other school-issued documents.
But for hundreds of thousands of people, this adds up to a lot of information, all of which needs to be tracked and organized by the school’s administration.
Security breaches have occurred at multiple locations in the UC system over the past several years, ranging from massive computer database infiltrations to the thefts of files and laptops containing sensitive information.
In 2006, the National Nuclear Security Administration ordered the University of California to pay a $3 million fine for security negligence following a breach at UC-maintained Los Alamos National Laboratory.
In 2009, health and other personal records — dating back to 1999 and containing information on 160,000 students, alumni and others at UC Berkeley — were accessed in a hacking attack.
Just this past November, the credit card information of an estimated 5,000 persons was stolen from the cash register systems at UC Riverside.
Outside entities preying on student information are not the only concern.
During the 2009 occupation of Kerr Hall, concern arose about the security of the sensitive information contained within. While on official lockdown, protesters breached secured hallways and offices, leaving a reported $3,552 in damages to Information Technology Services (ITS).
A document containing confidential information is valuable, and therefore vulnerable, the moment it is created. The only protection for these documents is policy — and the information workers’ ethics.
Information workers are often students, ranging from volunteers to office assistants, ResNet employees and peer advisers. Sometimes, these student workers can be entrusted with as much information as full-time administrators — and occasionally, even more.
An information protection infrastructure at UCSC regulates everyday intelligence affairs, responds to suspected breaches in security and implements new safeguards.
Janine Roethe is the campus information security director, responsible for monitoring and instating security policies within the campus.
“At UCSC, most student information is digitally processed,” Roethe said in an email, in response to inquiries to the ITS department regarding student information security.
“[MyUCSC] is a big, tentacular monster,” said advisor to the Cowell provost and UCSC alumnus Tony Soottinanchai, who works in the Cowell advising office and manages the Cowell mailroom. “It’s a huge system that’s all linked by ID numbers … you give it parameters and it spits out a report [based on those parameters].”
UCSC has the rights to MyUCSC data, while IBM owns and operates the software. However, several other university information applications also exist, including those used for Student Housing Services, UCSC Dining, the Student Health Center and Career Services. These are handled in-house.
While the university continues to migrate onto a digital domain of student information, much is still maintained on paper, including student files in the advising, international education and housing offices.
Soottinanchai confirmed that there is an undisclosed archive located on campus, with student records dating back to the campus’s creation in 1965.
Terson has access to historical student records. While there are protections in place for this information, she said that in her experience, these policies don’t extend far enough.
“If somebody wanted to mishandle this information, it’s got a lot of holes to infiltrate,” Terson said.
A digital encyclopedia on the UC website outlines protocol to protect university information from foul play, naming those responsible at the institutional, administrative and individual levels.
Information security is “the responsibility of … every individual, every department,” according to UC’s information technology (IT) security website, which also stresses that all members of the UC community must “[exercise] sound judgement and [serve] the best interests of the University.”
Terson regularly reads through email, handles and shreds personal mail (including bank statements) and interprets TA evaluations. Although her tasks are clerical in nature, she said she is nonetheless surprised at how much information she has access to.
Terson’s concern for information security at UCSC began early in her employment. She said the grounds on which she was hired bypassed some necessary security procedures.
Prior to holding this position at the university, Terson handled confidential information at another job, where she had signed a contract binding her to strict policies governing her authority over information.
The UC also has an information security contract, called the Access to Information Statement, which limits university employees’ handling of information strictly to their job-related duties. It stipulates that employees “may not disclose that information to others, except to the extent such disclosure … is relevant and necessary to the performance of those others’ official duties.”
Recent UCSC graduate Jocelyn Robancho has worked for the Cowell Housing Office for the past three years, and explained the employee policies in place there.
“Student employees get background checks and live scans,” Robancho said. “It’s a blanket requirement that they’ll have signed the [Access to Information Statement] by the time they get hired.”
Yet for Terson, a brief half-hour job interview meant the difference between being a regular student and being an employee with a wide domain over student information.
“I don’t remember signing any contract … I may have but my attention was never called to it,” Terson said. She was neither fingerprinted nor notified of any background checks.
Fourth-year David Goodman was interviewed for a job by the school’s ITS office on Delaware Avenue because of his programming skills. After being hired, Goodman quickly went to work developing a new program for the campus administration, now known as the Judicial Survey System.
To complete the project, Goodman required “full access” to the server.
According to policy, he would have been granted access only to the domains which he needed for the project.
“Generally … student workers only have access to what they need access to. They can’t get into the grades or judicial [offenses] … the kind of access they get is predetermined based on their job,” said Cowell Housing Office assistant Robancho. “If [they] need additional information for some reason, [they] need to obtain permission to access it.”
Because Goodman’s project revolved around judicial offenses, he was granted a higher degree of access. But he quickly discovered this translated to virtually unlimited domain.
“They gave me full access … it seemed like a domino effect,” Goodman said. “Once I was given access to the system, I could pretty much get access to anything … except grades.”
He saw both current and older data, some dating back to the 1990s, none of which was anonymous. The current data unfolded in real time, including judicial information.
“I didn’t really know at first, but I was handed the database so much that occasionally I’d see people’s names I knew, and I’d see the description of what they were in trouble for … there was a list of categories, anything from cheating to drinking … alcohol, racism,” Goodman said. “It was funny because of the few people I knew — I was like, ‘Oh, really?’”
Goodman did not have access to grades or other information stored on MyUCSC because they are handled by IBM. He nonetheless felt wary of how much access he did have.
“I tried not to look at it and just be really trustworthy — which I was,” Goodman said. “I had a lot of access to everything, but I never used it or anything. I just did my job.”
The student advising office where Terson works holds virtually all the information students in the department release to the school during their careers. Terson is particularly concerned about older files, some dating back to the 1980s, which she says have minimal security.
“All the old files with sensitive information, such as personal identification, finances, transcripts and recorded communications, are kept in a non-secure location,” Terson said. “[First, they go] in a manila folder in a different cabinet that sits beyond the locked door of the office. After another couple of years, they get put in the archives in a different unlocked room. Most of the cabinets in that room are unlocked. There is virtually no security.”
Several student workers on campus say university policy works effectively in their particular department.
Second-year Lauren Kincaid-Filbey works in the International Education and Education Abroad Program office on campus. She said information in the office is handled appropriately and securely.
“I can guarantee it’s safe from what I understand,” Kincaid-Filbey said. “When we were trained, we were told to handle these documents with care and behave professionally and by the books. I think we’re a very cool office and everyone is very good about it.”
Krysta Polaski is a second-year student worker at ResNet, and is also confident in the safety of the school’s IT procedures.
“It’s so secure,” Polaski said. “We only have access to what they give us access to — everything else is [digitally] locked.”
Goodman noted that while ResNet is relatively secure, information security remains in the hands of the students who work there.
“If people brought their computer in overnight [for servicing], where [student workers] would have access to all your data, usually people were pretty good about it and didn’t mess with it,” Goodman said.
In the personal experience of Cowell provost advisor Soottinanchai, information access has been restricted.
“I certainly don’t have access to social security numbers, and I don’t know anybody that does,” Soottinanchai said. “As a mail room manager, it took me a long time to gain access to the housing information.”
Terson, on the other hand, was given the passcode to the student advising office and attached mailroom, which is valid for the full academic year regardless of her employment status. She also has the key to the locked filing cabinets.
Housing office assistant Robancho said information access is temporary for student employees.
“When students leave, we cancel their account,” Robancho said. “As soon as you don’t need the information, you can’t get access.”
However, Goodman, who continues to receive emails containing FixIt requests from the ResNet system and never received a notification his account there had been terminated, thinks he could log back in if he tried.
The UC’s information security effort is an ongoing one.
“Policies form the foundation of any security infrastructure,” the UCSC IT policies and guidelines website states. “New regulations, policies and procedures are constantly evolving.”
Improvements have been made in problem areas, such as the campus’s new WiFi system, EduRoam, which is offered alongside CruzNet, an unencrypted network.
“Anyone could just set up a laptop and leave it there for a couple of days, and collect everyone’s traffic and get everyone’s passwords [from CruzNet traffic],” Goodman said. “It’s pretty impossible to catch them over it. You’d need hi-tech radio equipment for it, and even then it’s still hard.”
Additionally, ID numbers were once directly linked to Social Security numbers. The two are now unrelated.
The UC’s security policy bulletin broadly stipulates, “When in doubt, maintain confidentiality.” In the meantime, the existing gaps are caulked exclusively by the integrity of student employees.
“It’s not that big a deal, but it’s a lot of information,” Terson said. “You can read anything you want to out of boredom.”
When students occupied Hahn Student Services in allegiance with UC Davis demonstrators last November, protesters and university personnel found themselves cooperating to solve an issue both parties acknowledged lay outside the bounds of civil disobedience.
At the height of the occupation, protesters escorted administrators into Hahn to lock filing cabinets and transfer the most sensitive files to more secure locations to ensure that the safety of student information would not be compromised.
In a time when our most sensitive data is thought to be churned through a faceless machine, UCSC’s student workers remind us that much of data maintenance and protection still weighs quite heavily on the shoulders of our peers.
*Names have been changed to protect identity.