If you’re standing in a public space in a state university building, and you look up and wonder what a door from what appears to be a mezzanine leads to, and you climb up to find out, open an unmarked door that has tape over the lock, and then take photographs of records containing personal information that are behind the door, and you leave the door lock as you found it, and then report your findings with redacted photos after first notifying the university so that they can secure the area, have you broken any laws? That’s what Binghamton University is investigating after student reporters from the campus radio station exposed what appears to be less than stellar security on the university’s part.
According to a report by WHRW News and statements made to me by the station’s news director, Rob Glass, on Friday, March 6, a reporter hoisted himself up to a platform area in a lecture hall and discovered that a door leading from that area had been taped over so that it could not be locked. On the other side of the door was what appeared to be a storage area for student records that included financial data, Social Security numbers, and much more. Pictures of what WHRW reporters found can be found in their original news story. The news station reported their findings to university officials on March 9, the first appointment they could get for a meeting. Earlier this week, I spoke with university spokesperson Gail Glover about the incident When asked when was the last time the New York State University Police had actually checked that door to see that it was locked, the spokesperson could not answer that question and said that was also under investigation.
According to the spokesperson, however, the area is a catwalk that is not “in” the lecture hall or public space and is not part of it. She described it as 10-15′ up from the floor and only accessible by doors that are locked. The news station does not dispute that doors leading to the area from hallways or stairs were locked. Its point was that it is relatively easy to access the area from within the public space without using the stairs.
Pictures of the area in question were provided to me by WHRW News. The records storage area is on the other side of the open door in the first picture, which was taken from within the lecture hall. Since I happened to have a New York State-registered architect lying around the house, I asked him to review the photos provided by the news station as to whether the space in question is part of the public space. He indicated his tentative agreement with the university spokesperson that the area in question is not part of the public space because direct access from within the lecture hall is not evident in the pictures. If the area turns out not to be “public space,” it could have implications for any charges against the reporters, but that does not diminish the seriousness of allegations that the news report made, namely that the door was not secured, that it was relatively easy to gain access to the area even without stairs, and that students and janitorial staff often access the storage area without any security supervision.
As is evident in another picture provided by the news station, there is nothing on the door that alerts people to keep out or that access is for authorized personnel only.
In response to my question as to whether the university intended to notify everyone whose records may have been accessed or viewed, the spokesperson replied that the university was “conducting a criminal investigation into all of the circumstances” and had consulted with the district attorney’s office as to possible criminal charges. When pressed as to whether the university intended to notify everyone and whether they might place a notice on their web site, she reiterated that at this time, they were focused on conducting a criminal investigation. As of this posting, there is still no announcement of the incident on the university’s web site, despite the fact that they know that at least some records were viewed by unauthorized personnel and despite the fact that they know that the room was inadequately secured for at least three days and might have been accessed by untold numbers of other people. There is no security camera in the lecture hall that would have captured images of anyone climbing up to the area.
Rather than seeking to divert attention by investigating the student reporters, the university should devote its resources to investigating and improving its security policies and practices. Reporters from WHRW suggest that this may be the largest university-related security breach ever. It’s not, as unfortunately, there are many even larger university breaches that have been reported over the past few years, but that does not diminish the seriousness of this one.
In the meantime, the student newspaper Pipe Dream reports that the student reporter(s) involved have received offers of pro bono legal representation should charges be filed against them.