Monday, May 02, 2005

Computing Officials Worry That Proposed Federal Database Could Be Hacked

Computer experts are questioning whether a large central database being considered by the Education Department that would list information on individual students could possibly be kept secure, given the high number of hacking incidents that have occurred lately.

The department conducted a feasibility study last year on creating a new system to keep track of retention and graduation rates using a database that gathers information on individual students instead of aggregate data from institutions, as is collected now. (See article on Page A1.)

Such a "unit record" database would be difficult to protect from hackers, if not impossible, say technology experts. Eugene H. Spafford, a professor of computer sciences and electrical and computer engineering at Purdue University, says large databases make attractive targets.

"Centralizing all of this information in the databases is a threat, considering the technology," Mr. Spafford says. To obtain information from the existing, aggregate system a hacker "would have to compromise several databases," he said. "But when you have a large system it's possible to attack it from any point in the system."

Colleges and companies around the country have been suffering from security breakdowns lately, with hackers breaking into their servers. Names, Social Security numbers, and other confidential information were compromised in the incidents.

Grover J. Whitehurst, director of the Institute of Education Sciences at the Education Department, says the agency is in the early phases of developing a unit-record database. He says the department has not yet presented the idea to Congress, which would have to pass a measure creating it and financing it.

In the meantime, he says, the department is open to any ideas about how to keep confidential student information secure. For one thing, he says, the database would probably not be connected to the Internet. That means that no hacker would be able to break into the server via public computer networks.

Another security provision would be to not list any Social Security numbers, Mr. Whitehurst says. Students would be given identification numbers not tied to any other type of confidential information.

Barbara Simons, a former president of the Association for Computing Machinery, says she is uncomfortable with the federal government creating a huge database that tracks information about individual students. She questions how the Education Department would even be able to trust the people who have access to the data.

"I have significant concerns about it," she says. "Number one, what is it you want to accomplish? And number two, what is the least privacy-invasive way to accomplish it?"

But Mr. Whitehurst says it is doubtful that someone would bother to steal student information that would be kept on such a database. It would most likely just list the names of the students, where they are enrolled, how many classes they are taking, and what type of financial aid they are receiving.

On top of that, he says, it is a federal offense to steal such data; revealing information about how many courses a particular student was taking in one semester could result in a prison sentence.

"That's something that I think would give pause to somebody who wants to try to provide that information," Mr. Whitehurst says. "And, again, it's not information that would have any particular value."

Still, he says, the Education Department will confer with computer-security experts before going forward with any proposal: "I think people who raise issues of hacking and privacy are raising very important issues that can't be dismissed."

The Chronicle: 5/6/2005: Computing Officials Worry That Proposed Federal Database Could Be Hacked
Powered By Blogger