Blame game [Google posting student info]

JournalNow -- Nort Carolina ^ | Lauren Williamson

[WaterDragon]

Catawba County Schools took aim at Google Friday.

The system filed an injunction against the Internet search engine

The temporary injunction, granted by the Honorable Richard D. Boner, calls for Google to remove any information pertaining to Catawba County Schools Board of Education from its server and index and alleges conversion and trespass against the corporation.

In short, schools say Google grabbed information they shouldn’t have.

Google says they are wrong.

Either way, the names, Social Security numbers and test scores of 619 students were still bouncing around the Web for people with computers to find and read until late Friday, when the page was apparently removed.

Catawba County Schools chief technology officer Judith Ray said her department removed the file from its storage server Friday. They are also working to delete any other electronic files that may contain Social Security numbers or other secure student information.

The information was stored in the system’s DocuShare server, which required a username and password to access, Ray said.

“One of the students on the list had a presence on the Web,” she said. “In Google’s effort to get information on her, one of its spiders latched onto her name in this document. We were not aware that password-protected sites are set up like that. To our knowledge, Google could only cache unsecure information that did not require a password or username.”

[pillut48]

Catawba County Schools Superintendent Tim Markley discusses his frustrations with Google on Friday. The names and social security numbers of 620 students from Catawba County Schools are posted on the Internet search engine. ROBERT C. REED (RECORD PHOTOGRAPHER) -------------------------------------- If ever there was a "Caption this pic"...this guys is NOT happy with Google, no, not one little bit. "I'd like to get the guy in charge of Google and wrap my hands around his scrawny little neck and...!!" :-)

[glorgau]

If the school does not want Google searching their pages, they need to add code to the site to instruct the Google web spiders to skip the site.

Yeah, it's the school's fault. Google respects robot.txt files. Actually, it's a good thing that they found out through Google, there are LOTS of other spiders that are testing web sites for security holes. Heaven knows what else got out.

[Arthalion]

Yep, happens all the time. I frequently tell people that they SHOULD NOT put any information on the web that they don't want the whole world to see, and I'm constantly shocked at the number of people who will argue the point. Web servers are PUBLIC RESOURCES. When you publish information onto the Internet, you are putting it somewhere that the whole world can view. For non-programmers, effectively protecting sensitive data online is almost impossible.

Situations like the one you described are common...people will put the "protected" files in an otherwise public folder, and then limit access to it via a password protected page. Unless you're on a Unix box with a well crafted htaccess file, that just isn't going to work. All it takes is ONE person or ONE web page to link into your "protected" folder, and the security will be irreparably broken. It's the security equivalent of sticking a key under your doormat.

I once visited a webpage that had customer data hidden behind a "secure" login. The routine was written in Javascript, and was entirely client side. When I caught what they were doing, I was all set to get the password from the source code (hey, it's on my computer, it's perfectly legal for me to read it) and send the webmaster a flaming email, but when I looked at the code I found an even dumber mistake...the code contained the actual URL of the "protected" pages". I copied it into my browser, hit enter, and read this wonderful list of fairly sensitive client documents. That kind of stupidity was staggering.

[Redcloak]

Quoth the IT weenie Ms. Ray...

“One of the students on the list had a presence on the Web,”... “In Google’s effort to get information on her, one of its spiders latched onto her name in this document. We were not aware that password-protected sites are set up like that. To our knowledge, Google could only cache unsecure information that did not require a password or username.”

It sounds like Ms. Ray is unaware of the fact that a null password isn't really a password at all. St00pid n00b.

[Libertina]

Perhaps someone with your technical saavy could have contacted them with a warning and offered to help secure the site. A little moonlighting that would also earn you the gratitude of your fellow (less technical) human beings.

[af_vet_rr]

School Finds Out It's Not Google's Fault

More controversy was added to the situation after some sources reported that Google spiders had "hacked" the school system's server to index the information. But both the school's chief technology officer and Google (and a few others with the skinny on how this works) say that Google crawlers cannot bypass password protection to access and cache content.

In short, it's most likely the school's error and if lawsuits ensue from the parents of affected students, Catawba County Schools Superintendent Tim Markley will likely be making the same face he's making in this photo

[af_vet_rr]

Perhaps someone with your technical saavy could have contacted them with a warning and offered to help secure the site.

I've known people who tried to do this very thing and were accused of "hacking their computers".

Of course, accusing somebody who is pointing out your security problems is much cheaper than winding up with a bill from them.

The US Navy had a lot of information posted recently on service members and families, including SSNs and birthplace/dates, and the same thing happened.

Like others have said, if it's connected to the internet, unless you really secure it, it's fair game for Yahoo, Google, MSN, etc.