Issuu

HEIGHTS

THE

The Independent Student Newspaper of Boston College

EST. 1919 WWW.BCHEIGHTS.COM

MONDAY, APRIL 9, 2018

Mistake in Some Google Groups Permissions Left Sensitive Info Accessible to BC Students, Faculty, Staff In December, following notification by ‘The Heights,’ the University quickly secured the vulnerability. Google then made a systemwide change. BY STEVEN EVERETT Creative Director AND

CONNOR MURPHY

Editor-in-Chief Until December 2017, Google Groups containing hundre ds of University communications and associated documents with restricted, confidential, or otherwise sensitive information had misconfigured permission settings such that anyone who could access the Boston College G Suite—known formally as Google Apps—could view them, a Heights investigation found. The Heights notified the University on Dec. 18 of this vulnerability. BC Information Technology Services (ITS) immediately secured the vulnerability that day, but it was not until the week of March 19 that Google instituted a platform-wide modification. The Heights withheld publication of this article until a wider fix was implemented, as publishing this story before that change could have made other institutions that use G Suite more vulnerable in the event that they also had misconfigured privacy settings. Nora Field, BC’s deputy general counsel, said in an email that no other access to confidential information occurred outside of the Heights investigation. The Heights was using Google Groups for other purposes before discovering this vulnerability and notifying the University. The Heights never retained any information contained in any of these

groups. All of these records and communications were visible as a result of the email list feature of Google Groups, a web app available to anyone with access to BC’s G Suite. “Since transitioning to Google [Apps] in 2013-2014, all current BC faculty and staff are able to access Google Groups,” David Escalante, director of computer policy and security, said in an email. All currently enrolled students are also able to access G Suite services including Groups, Gmail, Drive, and others. Google Groups allows any BC user to create mailing lists that deliver emails to specific recipients, but also adds all the messages and attachments to the Google Group associated with the mailing list. Due to misconfigured privacy settings, some of these groups and the communications sent on such mailing lists—some of which contained confidential, restricted, or otherwise sensitive information—were accessible and searchable to those in the BC community. Google’s fix now allows all IT administrators who manage G Suite to modify the default privacy settings for all newly created Google Group mailing lists. Previously, there was not a way to modify the default access level from “public” across an organization. Now, the setting can be changed by administrators such that “private” is the default, meaning only those specified will be able to access it. Domain administrators could previously only set privacy levels on an individual,

group-by-group basis, and the creator of the mailing list had to specify “private” in place of the default setting when setting up their list. Prior to this change, group creators still had the ability to select a private option when creating a group, even though it was not the default. Some BC administrative groups, for example, had privacy settings that restricted access to only specific users. The Office of the Executive Vice President, Office of Residential Life, and Office of Un-

dergraduate Admission, for example, all had settings such that neither the content nor the list of group members was accessible except to those with proper credentials. Some of the communications and records accessible were what appeared to be thousands of internal emails retained in Google Groups for the Boston College Police Department. Some of these correspondences contained confidential, restricted, or otherwise sensitive information, including police

logs and incident reports. A query on Google Groups of a person’s name or event in which BCPD was involved, therefore, could have potentially returned correspondences and associated documents that BCPD would not consider “public.” “BCPD used Google Groups without realizing that access to their message archives was not properly restricted through Google,” Univer-

See Google Groups, A3

RESTRICTED Information that was previously defined as “confidential” and should not be stored on cloud-based services. This includes: social security numbers, financial account numbers, driver’s license or state ID numbers, health and Defined in the Data Security medical records (including HIPAA-proPolicy as information protected tected records), and other information under privacy laws (including, withdesignated by a sponsor or out limitation, the Family Educational responsible vice president, Rights and Privacy Act and the without written permission Gramm-Leach-Bliley Act), information concernfrom them. ing the pay and benefits of University employees, personal identification information or medical/health information pertaining to members of the University A “catchall” term community, and data collected in the course of used by The Heights research on human subjects. Institutional Confito describe any other dential information may include University personal information that financial and planning information, legally might not fall into any of privileged information, invention these categories, but indidisclosures and other information viduals would not reaconcerning pending patent sonably consider applications. “public.”

CONFIDENTIAL

SENSITIVE

MADISON MARIANI / HEIGHTS EDITOR

Two Students Face Sanctions for Chalking They expect to receive their disciplinary verdicts today. BY HEIDI DONG Investigative Editor Around midnight on March 16, two students—Matthew Barad, MCAS ’19, and a graduate student who requested anonymity—were found by Boston College Police Department officers while writing chalk messages on a sidewalk in front of Stokes Hall. They said they were then brought to BCPD headquarters in Maloney Hall, for “tagging.” The Gavel first reported on this incident on March 17. At press time, Chief of BCPD John King had not yet responded to a request for information about the incident. The students received official disciplinary summons from the Office of the Dean of Students for violating the “Property Damage” clause of the Code of Conduct. Barad said that he and the graduate student will receive their disciplinary verdicts Monday. In an email, Dean of Students Tom Mogan said that he was unable to discuss individual conduct cases due to federal privacy laws. The chalking by Barad and the

graduate student is part of a wider organized demonstration. During the week leading up to this incident, similar messages written in chalk could be found throughout campus beginning March 12. In the public police blotter, eight total incident reports were filed for “Damage to Property by Graffiti/Tag” between March 13 and March 16. According to the “Crimes Against Personal Property” chapter of Massachusetts G eneral L aw Section 126A, “tagging” is the act of spraying or applying paint or placing a sticker upon any object or thing on public or private property “with the intent to deface, mar, damage, mark or destroy such property.” “I was writing a number of messages,” Barad said. “I wrote ‘Black Lives Matter,’ ‘BC doesn’t have an LGBTQ Resource Center,’ ‘Our School, Our Sidewalk,’ and others.” The “Property Damage” section of the Code of Studnet Conduct, which the students were charged under, does not explicitly specify chalking as an act of vandalism. The only policy surrounding chalking can be found on the Office of Student Involvement (OSI) website under the posting policy for event planning, which states

See Chalk, A3

SAM ZHAI / HEIGHTS STAFF

The 2014 Dance Through the Decades was hosted at the popular Boston night club Royale. This year’s tickets cost $50 plus fees.

Students Feel Senior Week Costs Add Up The total cost of all Senior Week activities is over $250, plus fees. BY CHARLIE POWER Asst. News Editor For most, Senior Week is an occasion to celebrate, filled with family, friends, and activities. In the months and weeks leading up to commencement, the Senior Week Committee plans a variety of events designed to celebrate the end of four years at BC. While these events are open to all seniors, several of them entail a price tag that is beyond the means of some. The Senior Week website currently lists the prices for a number of, but not all, the

events, which students must pay for out of pocket. The 100 Days Dance, which occured on Feb. 23, was priced at $40, the Dance Through the Decades Event is $50 not including fees, the golf tournament held at Newton Commonwealth is $46.50, and the Commencement Ball is $107.50. “It is hard to imagine some people paying for these events when students are struggling to buy books,” said Lauren Kaufman, CSOM ’18. “People assume that BC students all come from a relatively homogenous financial background, but this isn’t the case as BC accepts people regardless of their financial situation.” “I think making Senior Week events more fiscally possible for students should be a major priority because we’ve all given both our tuition and our time to BC for the

past four years and all seniors deserve to have the chance to close out their BC experience celebrating with their class,” said Heidi Danckers MCAS ’18. The committee does offer several free events, including Battleship water games in the Plex, a Mods Relay, a Boston College Police Department Barbeque, and a Class of 2018 Senior Toast. “Senior week is not a University funded program, meaning the committee receives no funding from BC to put on the events,” said Julia Martelli, one of the chairs of the Senior Week Committee and CSOM ’18. “The committee works extremely hard to put on a variety of events, and the money brought in from any ticketed event goes

See Senior Week, A3

B0ST0N C0LLEGE MARATH0N RUNNERS, A4 INSIDE THIS ISSUE

METRO: Restaurant Mission

Zambrero has a mission to serve 1 billion people in need by 2025..................................A8

NEWS: BC GET Expands

The BC GET app has expanded its services from Hillside Cafe to Coro Cafe.....................................A3

INDEX

NEWS.........................A2 OPINIONS................... A6