Safe and Secure

PUBLISHED MARCH 3, 2008

Although Columbia University Information Technology takes pains to back up and secure all student data that resides on CUIT servers—including stored e-mails—it has not made its logging and data-storage policies explicit. CUIT should clearly explain its data backup policies on its Web site so students can be comfortable that their data and e-mails are secure.

CUIT’s Web site explains that backed-up electronic information in its possession may stay in the University network until long after the information is deleted, but the full extent of CUIT’s backup and logging procedures has not been made sufficiently transparent. When asked in an e-mail about these policies, CUIT responded that “for disaster recovery purposes, this data is backed up nightly and securely stored in locations on and off site, with 24/7 restricted access.” However, CUIT was reluctant to provide additional detail, citing security risks associated with making backup locations public. Since the CUIT Web site already identifies Iron Mountain, Inc. as its “preferred records management vendor,” there is little sense in claiming that it is dangerous to divulge the locations of off-site backup facilities. Iron Mountain has recently experienced data breaches, including lost and destroyed backup tapes. It is in students’ interest to know about CUIT’s backup policy so that they know when they are affected by such breaches.

CUIT should explain to Columbia students what information is backed up, how long it is stored, and what measures are taken to ensure its security. To paraphrase Kerckhoffs’ principle—a well-known maxim of cryptography—computer security is better achieved through transparency than through secrecy. Likewise, security specialist Bruce Schneier has argued that openness, unlike secrecy, makes a system resistant to failure. Because open technology can be probed by all interested parties, security flaws are usually caught quickly enough to be fixed before damage is done. Transparency is also more consistent with privacy rights—students should know to what extent their privacy is being compromised in exchange for greater security. While CUIT neither engages in key-logging nor monitors network traffic for content on any machines on the Columbia network, it does record information about the usage of UNIs on columbia.edu Web sites. That such information is recorded is not problematic per se, but students should be informed of even incidental infringements on their privacy. Harvard Information Security and Privacy is more explicit about its backup system and also has a formal system for requesting recovery of accidentally deleted data. CUIT should be similarly forthright in the future.

A trade-off between data privacy and security is common to all e-mail and Internet-service providers. What information CUIT has provided suggests that it follows practices standard among IT departments. We are not criticizing the balance that CUIT has tried to achieve, but it should make that balance publicly known by articulating its procedures for backing up student data and logging activity on campus computers. Doing so is in the interest of both privacy and security.
