Kill the messenger

["Dude VanWinkle" <dudevanwinkle () gmail com>]

Simply amazing. I would have like to see some admin's fired over firpa
violations, but not the people who reported it (even if they were dumb
enough to download the file, the simple fact they reported it via
printed media shows their intention:


from: http://www.splc.org/newsflash.asp?id=1621


Student reporter who discovered university security breach punished
but not expelled
Journalism advocacy groups probing firing of Western Oregon student
paper's adviser

� 2007 Student Press Law Center

October 5, 2007

OREGON � When Western Oregon University student journalist Blair
Loving opened up a mysteriously placed file on the university's public
server last June, he thought he would find information about the
College of Education. Instead, he uncovered a file containing the
names, Social Security numbers, grade point averages and other
sensitive information of former students.

Loving's decision to download the file so that the campus newspaper,
the Western Oregon Journal, could report on the security breach nearly
ended his tenure as a student and led to the dismissal of the paper's
adviser, Susan Wickstrom, for allegedly mishandling a copy of the file
and for failing to advise the students about the university's computer
policies.

Loving learned at a disciplinary hearing Sept. 28 that he would not be
expelled, but the infraction will remain on his record. Wickstrom was
informed in August that her contract would not be renewed.

"I worked there for seven years ...and I really feel like I had an
excellent relationship with the students," Wickstrom said. "So I was
really shocked and stunned to not have my contract renewed."

Additionally, during the course of the university's investigation into
the breach, computer technicians conducted a nighttime search of
newsroom computers without informing newsroom staff, a move that has
angered Wickstrom and other press advocates.

Stumbling on a story

Loving said he discovered the file while in the library on June 6, the
Wednesday before finals week. He took it to Editor in Chief Gerry
Blakney, who copied the information onto a disc and gave it to
Wickstrom. Blakney and Loving then reported the breach to the
university, which launched an investigation.

Vice President for Student Affairs Gary Dukes said the students whose
information was in the file were informed immediately. He added that
the file got out onto the server as the result of a "mechanics issue."

Though the paper's final publication date had already passed, editors
at the Journal decided that the story was too important to hold until
the following school year. So the week after Loving discovered the
file, the paper published a four-page special edition with an article
that detailed Loving's discovery of the security breach. The article
did not include any student's private information. The paper also
reported that the university was pursuing disciplinary action against
Loving for violating the university's computer policy.

During the course of the university's investigation, the director of
University Computing informed Wickstrom that computer technicians had
been let into the newsroom after hours to search newsroom computers.

She was outraged. Neither she nor anyone on staff had been consulted
or informed that the search was going to occur, she said.

"Nobody knew about it," she said. "I feel like the newsroom should
have been protected by federal and state law."

Legal protections

Duane Bosworth, a Portland, Ore.-based attorney who specializes in
media law, said Oregon has the broadest shield law in the nation,
which heavily restricts when law enforcement can perform searches of
newsrooms. The federal Privacy Protection Act provides similar
protection.

"It's protective of all unpublished information period ... and it goes
without saying that it includes information on computers," he said.
"People think they can just barge into any sort of student setting."

Professor Kyu Ho Youm, a communication law professor at the University
of Oregon School of Journalism and Communication, said the physical
intrusion of university administrators could create a "chilling
effect."

"The university administrators should give the students the benefit of
the doubt instead of sending someone to search the newsroom without
any sort of warning," he said.

University reaction

Two months after the university's investigation into the breach,
university officials informed Wickstrom that her contract would not be
renewed. In a letter addressed to Wickstrom, Dukes cited her failure
to remind students of computer policies and mishandling of the disc
that contained the information as reasons for her dismissal. The
letter said that she left the disc in her unlocked office and later
allowed it to be taken off campus.

Loving was found in violation of the university's policy regarding
computer use, which prohibits "accessing clearly confidential files
that may be inadvertently publicly readable." After a disciplinary
hearing on Sept. 28, Loving told The Oregonian that he would not be
expelled, but he has to publish an article in the Journal about the
importance of computer policies and create a proposal to help students
understand the computer policy. Dukes said the newspaper would not be
compelled to publish the article that Loving writes.

When Loving was contacted by the Student Press Law Center, he said his
attorney asked him not to comment.

Wickstrom called the punishment "Soviet" and said she felt the
university was overreacting, especially since Loving informed the
university of the breach so promptly.

"I feel that the university was fortunate that the person who opened
[the file] told them right away rather than using the identities to
buy meth," she said.

But Dukes said that students are not supposed to download files
containing confidential information, even if they accidentally make it
onto the public server.

"It's a violation to download information that you're not supposed to
have access to," he said. "That's the bottom line and that's the
issue."

Although Dukes could not comment on Wickstrom's case directly, he said
that if a newspaper adviser became aware that a student journalist
possessed a file that contained confidential information, the adviser
should "be informing those students of the policy ...and advise them
to be getting rid of that file or turn it over."

Wickstrom said she had about an average knowledge of university
policy. But knowing the policy better would not have changed her
actions, she said.

"I thought my major responsibility was to protect the students' right
to gather information and their responsibility to seek the truth even
if it revealed a university weakness," she said. "I didn't think that
the information was in danger of being leaked from our newsroom or
anything like that."

College Media Advisers and the Society of Professional Journalists
have launched investigations into Wickstrom's dismissal.

"It's just shocking," said Kathy Lawrence, the CMA's chairwoman of
adviser advocacy. "As far as I can tell all she did was act like an
adviser."

By Moriah Balingit, SPLC staff writer

For More Information:
SPLC guide to the Privacy Protection Act

< Return to Previous Page

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.