Last week officials at Yale University's Office of Undergraduate Admissions accused their rivals at Princeton University of hacking --- specifically, of hacking into a website that Yale had specially set up to tell high school seniors whether or not they had been admitted to the prestigious school.

 

Admittedly, the hacking was not too hard. The system, apparently developed by a Yale undergraduate, relied on just three pieces of information to safeguard student privacy: the student's name, date of birth, and social security number. Of course, this is precisely the same information that the students had supplied to Princeton and other universities as part of their college applications.

 

The story broke on Thursday, July 25th with an article in The Yale Daily News by Elise Jordan and Arielle Levin Becker. According to Jordan and Becker, the Princeton officials would have gotten away with their trolling through the Yale website had somebody from Princeton not inadvertently spilled the beans at a Dean's conference in June. Yale officials then examined the log files on their web servers and discovered numerous accesses from a few Internet addresses --- addresses that were eventually identified as belonging to the Princeton University Admissions Office.

 

When the Yale reporters called up Princeton for a comment, Senior Associate Dean of Admission Stephen E. LeMenager admitted that he and a few of his associates had accessed the Yale site. "It was really an innocent way for us to check out the security," he told the Daily News.

 

Princeton issued a formal apology to Yale on the following day and placed LeMenager on administrative leave.

 

Since then, most security professionals that I've had contact with have turned this story around and virtually held Yale responsible for the intrusion. Sure, they say, LeMenager and the others in his office never should have used the personal information from Princeton applications to access student files at Yale. But Yale never should have made them available in the first place. Instead of relying on an applicant's Social Security Number and date of birth, Yale should have assigned each student a PIN and sent it along with the notification when the applications are received.

 

While it's true that Yale should have known better, it would be a serious mistake to start blaming the victims of computer crime in this or similar cases. Many computer hackers justify their actions by saying that they are only "testing security" or trying to "teach a lesson" to companies and governments that have security holes.

 

In all likelihood, LeMenager was telling the truth to the Yale Daily News --- the administrators at Princeton were probably shocked by the lack of security at the Yale site. That's the only explanation that fits the fact that student files were downloaded on only 18 occasions, and that Presidential Niece Lauren Bush's acceptance notice was downloaded numerous times --- including four times on a single afternoon. LeMenager and his associates were probably having a good laugh down in New Jersey at Yale's expense.

 

And while it's easy to blame Yale for having insufficient security, most banks have security in place that's no better. This morning I telephoned three banks where I do business; each one of them told me my bank balance, asking nothing more than a social security number. One of them let me initiate a transfer for $60,000.

 

The security practices at Yale are symptomatic of a nation-wide problem. Another symptom of this problem is the growing number of identity theft cases that we are experiencing every year. That problem is that we treat the Social Security Number as if it were some kind of secret password, yet we are expected to share that password with every business, school, and government agency that we deal with.

 

The Princeton hacking incident is just another example of why we should retire the Social Security Number --- or at least restrict its use to employment and taxes. There really is no fundamental reason why Princeton and Yale need to use the SSN to link together all of the pieces of an undergraduate application. Certainly, when foreign students apply without SSNs, somehow these schools manage to correctly match up the student's application with their transcript, recommendations and standardized test results.

 

But the incident also illustrates another problem. Many businesses and schools have extensive policies that describe how personal information should be protected. But alas, many of these policies aren't backed up with training or a privacy-protecting culture. Something was seriously wrong at the Princeton Admissions Office if an employee with 19 years' experience thought that it was acceptable to use information on student applications for any purpose other than making an admissions decision.