
Monday, September 17, 2012

Cyber Threats & Vulnerability, Part 1:




“We owe you a big apology for the intermittent service outages we experienced… that may have impacted your website, your email and other services. We let you down and we know it. We take our responsibilities – and the trust you place in us – very seriously. I cannot express how sorry I am to those of you who were inconvenienced.”

The above statement was from a mass email sent out by Scott Wagner, CEO of GoDaddy.com. Beyond the risqué Super Bowl ads and high-profile sports marketing efforts lies a company that takes seriously the services it offers and the real implications of the vulnerable client information it stores. This company holds the security interests of the paying customer above any potential public criticism that accompanies announcing and rectifying a breach. Database security is a serious business.

Over the past few years, computer systems from the Department of Defense to the Social Security Administration and the Veterans Administration have been hacked into. These breaches have been conducted by individuals and foreign governments – their goals including the procurement and distribution of military secrets, or simply the acquisition of personal information of average citizens for purposes of sales and marketing. Just this past week, the reigning king of domain addresses, GoDaddy.com, was breached. Other large private companies have also suffered scrutiny for similar past events. The media's focus on the large databases that have been breached does not negate the many smaller databases that have equally experienced harm or data intrusion due to spamming, phishing or hacking. Are these known cases just the beginning of exposing our vulnerability, when everything we do when using the internet is wrapped around online data transactions? For the sake of convenience, many of us pay our bills online, transfer funds or stocks online, and order products or services via private websites we think we can trust. Many supermarkets and big-box stores request all sorts of personal information to track customer preferences and needs. Local, state and federal agencies also encourage us to pay our real estate or personal property tax online, renew our driver’s licenses online, and even offer a reduced rate for renewing certain registrations online.

The ease of the internet has encouraged an exponential increase in the use of database storage of personal information for public and private use. But the security responsibilities can be overlooked when they are not the primary reason for the stored information. Are these databases harvesting our information for use in compiling demographics, statistics and other data reporting for sales and marketing? Does the information always stay with the company that gathers it? Or is it shared with other databases that collaborate on financial deals with the original host? What about the private companies and banking institutions that harvest our personal and financial information – are there enough safeguards in place to ensure our information will not fall into the wrong hands? With all the identity theft that has been discovered over the years, it seems this collected information is no longer fully safe. And with the difficult economic times, concern must be given to whether these private companies will fail financially. In the face of bankruptcy and bailouts, will they sell our information to the highest bidder in order to remain solvent?

The use of the internet and the quick sharing of personal information are not going away anytime soon. Now, our children are doing their homework via the internet, and we encourage them to use anti-plagiarism software before submitting their homework. Aspiring college students must fill out online applications before acceptance into public and private colleges and universities. While parents safeguard their children at home, they equally believe school principals and teachers are effectively researching the software they utilize in their schools. But what if these school administrators are currently overstretched in their duties, and cannot fully scrutinize the programs and tools that are highly regarded or encouraged by their districts? Our investigation has proved that whatever the reason, they are not fully safeguarding our children. In fact, they are perpetuating their downfall by requiring software that leaves them vulnerable. Two such concerns are TurnItIn Anti-Plagiarism Software and TurnItIn Admissions Software.

TurnItIn Anti-Plagiarism Software is currently being used by over 3500 schools, colleges and universities worldwide. The goal of such software is to detect plagiarism among students from high school to doctoral studies, from class assignments to master’s theses. But does it really detect cheating without setting students up for false allegations? According to their own website, TurnItIn receives over 60 million papers a day. Each submitted work is placed into the TurnItIn database for future use, without the knowledge or consent of the student. The terms and conditions of iParadigm state: "we may only use the content of your paper for the purpose of performing our services for your educational provider and for future use as part of our database." This implies consent to reuse a person's paper within the greater database in its discovery of future plagiarized work. However, evidence proves that documents submitted to their database have been distributed to additional cheat-detection sites for profit. The TurnItIn website states they are a California-based company, but does that correctly imply where their database is held? Is it in California or in their new International Headquarters located in Newcastle, England? When students submit papers to TurnItIn’s system, they are included in the database of a privately held company known as iParadigm, LLC. While the company claims they do not retain the owner’s name or identity stamp, the unsuspecting creator of said paper has just been stripped of their personal copyright because they submitted willingly, albeit under requirement, through a school, college or university. Should it be a goal of schools at any level to assist students in shedding ownership of intellectual property?

TurnItIn Admissions Software is a whole other security risk. When a student submits an application to their ‘dream’ college or university they may be required to submit their application using this software. College applications gather many levels of sensitive information: name, address, phone number, email address, social security number, parents’ occupation and employers, even financial information. Where is this information stored? Does it remain solely with the university admissions? Or does it transfer with the student essay in order to report back to the school a flagged entry? And is this sensitive identifying information then properly withdrawn from the intellectual property used to detect future underhanded entries? Is the TurnItIn database secure from hacking before this supposed information swipe occurs? Are there private companies and social organizers who would do just about anything for the contact information of countless prospective clients and sympathizers? Just who is watching over your child’s personal information and keeping their identity safe?

“The service outage was due to a series of internal network events that corrupted router data tables. Once the issues were identified, we took corrective actions to restore services for our customers… We have implemented a series of immediate measures to fix the problem. At no time was any sensitive customer information, including credit card data, passwords or names and addresses, compromised.” GoDaddy.com

When database security is compromised, this is the response we expect from those we trust with our sensitive information: for a company to react, respond, and reply to those involved. GoDaddy.com offered its customer base a declaration of the importance of the incident, an explanation of what was and was not compromised, and a reassurance of personal security. An account credit was also offered as a sign of good faith and a continued pledge of service to the client. All such databases should be required to protect the identities they are privy to. This week, we will examine how iParadigm and other database creators are upholding this responsibility. We may not be as secure as we think we are.

Invited co-author of this article, Sean McGowan, is a published author, a teacher of Civics and American History, as well as a Chaplain.

Part 2:  Hiding behind Educational Institution Integrity and Credibility
