Sunday, March 27, 2005

Swiping Away Security

Extra extra, hear all about it! The following is an article that The Diamondback, ostensibly a voice for the student body at Maryland, has refused to publish. Initially, they expressed great interest in publishing my story, and at least one high level editor remarked that it was going to be one of the "hottest" stories of the semester. However, due to the entrenched bureaucracy at the paper, the editors decided instead of letting an independent journalist contribute, it would be better to hand the story off to someone in-house.

The Diamondback has been stonewalling this story since February 7th. When a reporter finally came to meet with me, he did not even know that I was trying to get the story published for the rest of the student body to see. I successfully negotiated a byline with the reporter and his editor (actually, a double byline agreement where we would co-author a new version for the paper), but apparently the editor in chief of the paper did not want to give the impression "that just any student can come in and contribute." Heaven forbid!

I would have published this long ago on my own had I known the way the Diamondback would treat a concerned student trying to get his story published. Nevertheless, I am publishing it before they can claim breaking the story. We've had quite a bit of talk here about how blogging is different, and how it can affect change. Well, one of the greatest things about it is it is a truly independent publishing medium, and it is not hindered by the walls put up by established institutions. In this case, the only major student paper on campus is refusing to release critical information to the student body in order to further its own staff's resumes.

The Diamondback should be ashamed of itself.

While this piece is certainly specific to the University of Maryland, perhaps this will make other students research similar systems at their schools. Also, I defiantly press the "Publish Post" button to demonstrate that, at least on my campus, real, substantive journalism does take place outside of the Diamondback.



Swiping Away Security
By Christopher Conroy


Imagine this: as you head back to your dorm later today, you swipe your ID into one of those ubiquitous card readers that adorn practically every entryway on campus. The little light magically turns green, the door clicks, and you move on with your day, but in the time between your swipe and the green light, you just sent your Social Security number across an insecure network to a central database which the university uses to track student movement, purchases, and behaviors. Even worse, the university does not have any policy to determine who can access this Orwellian database nor does it have any kind of security policy or privacy policy in order to protect this sensitive student information. Sadly, this isn’t make-believe; this happens every single time you swipe your card.

As part of a class assignment for HONR239R (Privacy vs. In Your Face Big Government taught by Professor Jim Purtilo), I worked with Karen Scuderi to submit a series of Maryland Public Information Act requests to the university regarding records pertaining to the swipe card system. The responses we received were extremely surprising, and the student body should take careful note of the information we learned.

The first request submitted by Karen Scuderi inquired about the records kept when cards are swiped, any privacy policy relating to such records, and any records of third party purchase or knowledge of the records. David Robb, University Registrar, answered the request with a brief explanation of the inner workings of the card swipe system. According to Robb, “The ID card system neither collects nor stores any data about [card swipe] transactions.” However, we had very good reasons to believe the card system does actually store data about each swipe because another member of the class was subject to a university investigation into a theft because he had swiped into a building on the night of a theft.

I submitted the second request shortly after the first, but with a more detailed focus. I told the university why I had good reason to believe they keep such records, and I made eight specific requests for information regarding the system. Denise Andrews, University Counsel, responded to my inquiry. There exists no policy or set of guidelines that outline who is permitted to access the database with the swipe card data, and the university lacks any records of any methods used to protect the data. There is also no policy for how long the records are allowed to be kept, and therefore this data is most likely stored indefinitely by the university. According to the University Registrar, no data is stored when we swipe our cards. However, I also asked for and received a copy of my swipe access data for a two-month period last semester. Indeed, a central database keeps track of every single card swipe. When a card is swiped for building access, the exact time, date, location, and access granted or denied is recorded. Entering the Campus Recreation Facility causes a separate entry to be made in a database with the date and time. The card swipe is not only an access card but also a purchase card, and the university also tracks and stores time, location, and purchase information for every transaction at the dining facilities.

The vast amount of information that is stored for every imaginable type of use of the swipe card creates a lot of privacy concerns for our student body. Since the university has neither documented methods for protecting the data nor any list of authorized personnel who have access to the database, we have no way of knowing exactly who is looking at our personal swipe card data. An unscrupulous employee who can access this database could severely abuse this privilege, and there is absolutely no guarantee that this information has not leaked into the hands of a third party. Insurance companies would be particularly interested in the spending habits of students at the dining halls and their CRC attendance records. A determined stalker would dream of having the building access records of their target because after running the data through some simplistic statistical modeling, established patterns of movement embedded in the person’s daily routine would become clearly obvious. Or, a jealous person scared at the prospect of infidelity could keep tabs on their significant other and watch for inconsistencies of where he or she claims to be. Potential thieves could also use the building access data to easily determine when the majority of a hallway in a large residence hall is absent and thus the optimal time to execute a large scale theft. This is by no means an exhaustive list of the abusive possibilities of this data, but it’s extremely illustrative because every single one of these possibilities is not just some unlikely hypothetical. Rather, these are all very real examples that have strong motivations and would be easy to execute.

David Robb, the University Registrar, claims that no information is stored, but I have pages upon pages of my own swipe access data. Robb not only made false claims about the existence of the database, but also he neglected to fully enumerate all of the identifying information found on a student ID card. An acquaintance of mine was able to hook a standard card reader into a computer in order to read the data held on the magnetic strip. The magnetic data is stored in a standardized format, and he was able to write a small program to output this data. Every ID card actually contains the student’s Social Security number in a format that can be easily decoded by any magnetic card reader. This sequence of bits residing in the magnetic strip of our cards is perhaps the scariest part of the swipe card system. The Social Security number is sent—unencrypted— to the central database as a means of unique identification. Therefore, anyone with some basic engineering skills could rather easily set up an intercept on campus card readers. By linking stored Social Security numbers with visual identification or other cues, someone could easily amass a large set of students’ Social Security numbers. A quick Facebook search for many students reveals such information as their birthday and address. Thus, a moderately skilled and determined person could successfully defraud countless students, steal their identities, make purchases in their names, ruin their credit ratings, and even change their class registrations.

There is no excuse for having such a sensitive piece of data as our Social Security numbers residing on our ID cards. Identity theft is a growing problem, and its effects can be severely detrimental and lasting. The key piece of information needed to steal someone’s identity is his or her Social Security number, and the university’s swipe card system is practically begging identity thieves to defraud our campus. The university could just as easily use our university ID as a unique identifier on the magnetic strip in order to protect students. Even if someone doesn’t have the expertise to set up an intercept on the card reader, students frequently misplace or lose ID cards, and whoever finds a lost ID card has access to that student’s Social Security number.

This database is also certainly not being used in the interest of serving students. I misplaced my ID card early last semester, and I had to deactivate it before I had time to conduct a thorough search for it because I was worried someone would spend the money linked to my card. However, it would only take slight modifications to the system to allow a card to be flagged as lost and inform a cashier to retain the card for return to the proper owner if anyone attempts to use it fraudulently. Unfortunately, no such system is in place even though it would not require storing swipe transaction data. The university charges $20 to replace these small plastic cards, and I also inquired about the cost of doing this in my request. Apparently, the university has no records indicating what it costs to produce each additional card. The university needs to justify charging the exorbitant rate of $20 because without documentation of the cost of production, this simply appears to be price-gouging those unfortunate students who happen to lose their cards. Since we have no choice about using our ID Cards, the university has a moral responsibility to provide them to students at cost. I also asked about the initial investment made on the card production system, and the university also has no records indicating what they paid for it.

Ostensibly, the ID card system is an important security mechanism. However, the fact that the ID card presents such a vast array of privacy concerns with the Social Security number embedded in the magnetic strip and a central database tracking and storing detailed information about every swipe, the system is potentially serving to undermine student security concerns. The potential benefits of storing swipe data seem to outweigh the many negative possibilities of abuse of the system. Moreover, the access levels granted to cards in the system are known to contain some errors. For example, an alumnus who requested to not be named informed me that his card still grants him 24 hour access to a building on campus that houses thousands of dollars worth of expensive equipment.

The swipe card system has many severe flaws that raise a great deal of privacy concerns for the student body, and the university was not very forthcoming with this pertinent information. As any student who has been awakened in the morning by a telemarketer on a dorm phone knows, the university does not do enough to protect student privacy. However, the end result of abuse of this information doesn’t just mean that your slumber might be disturbed: Your identity could be stolen, you could be targeted by thieves or stalkers, and some third party like an insurance company might obtain your swipe data and use it against you in any number of ways. Certainly, our campus needs to be aware of these issues, and the administration needs to consider reform before one of these scary possibilities becomes a harsh reality.

5 Comments:

At 3:44 AM, Blogger Chris said...

I have now created a seperate blog, privacyumd.blogspot.com to focus on getting the swipe card story out to the UMCP campus. Currently, the exact same article is published there as well. In the future, I will probably provide updates to the progress of publishing the story in our student paper-- if any progress does in fact occur.

 
At 1:52 PM, Anonymous Anonymous said...

I wanted to say that the University does offer for you to request that your information be kept private, because every year I send in a form asking for all of my information to be kept private. However, that is more in regards to telemarketers, because they do pay the University for those contacts. And it really disgusts me how the Diamondback has chosen to give you such a hard time in publishing this story. However, I do want to thank you for putting in so much time and effort into finding out all of these facts, because this is definitely something students should be aware of.

 
At 12:15 AM, Anonymous Anonymous said...

This story is interesting, and assuming its all true, it's quite disturbing. Can you tell us how you got your swipe information, so I can request my own.

 
At 10:31 AM, Blogger Chris said...

I simply wrote a Maryland Public Information Act request inquiring about information pertaining to the swipe cards (I used a numbered list and all of my points were very specific). I then sent it to Mote, and eventually got a response from University Counsel.

 
At 10:37 PM, Anonymous sib said...

Well the University IS working on implementing a new ID instead of a SSN, but it takes time to implement. Also, your swipe is like a credit card. You swipe into your building, and it will log it. It keep track of when and where and what and for how much you buy things to keep your balance in tact, and to ensure no mistakes in your terp bucks and meal points. I mean, it's not ideal, but instead of attacking the University, maybe you should also be attacking the credit card companies, gym membership cards, giant and safeway saving cards, and so on, which all keep your identiy and purchases in a database as well. I am not saying what they are doing is right, but it's not like they invented the wheel here. There are arguments that justify these things, kind of like there are arguments for racial stereotyping etc, which are not 100% right or fair, but the world is not 100% right or fair, not even close.
Of course they can make it more secure. There is always room for improvement. However, Identity theft even happens to the most secure system. There is no way to *prevent* it. As long as there is crime there will be stalkers and identity theft.
The Diamondback not publishing your article is unfortunate, but it does also have a point. If you send an article to the New York Times it better be a really damn good article before they publish it. I am sure that if you were on staff they would publish it, but you have to think of it another way. If you publish this, some random unstable person *will* figure out how to crack it, since you described it in such wonderful detail, and that itself is a security risk. Just to let you know...

 

Post a Comment

<< Home