You have probably heard about the University’s interest in scanning all computers that are part of the Penn State network. There appears to be some confusion about what is involved, and I use my column this month to discuss the issues and how we will be responding as a College.
Many of us have personal identity information like social security numbers and credit card numbers on our computers. This information is of interest to unscrupulous parties who have become quite skilled at gaining access. While there are ways to protect data, as long as the information resides on a computer there is some vulnerability to discovery. Moreover, the consequences associated with a breach wherein personal identity information is stolen are quite severe and involve significant financial penalties. The University’s reasoning goes like this: People have more personal identity information on their Penn State computers than they realize. In many cases, this information is not needed, and in some cases (such as social security numbers of current or former students) it may even be illegal. Why not provide a scanning service and make it easy for Penn State users to identify and get rid of or otherwise protect the personal identity information that is discovered? This reasoning gave rise to the scanning initiative.
Last spring, the deans at Penn State were encouraged to try the scanning program on their computers. I was curious about what I would find on my hard drive, although my prediction was that I would have few if any social security numbers or credit card numbers. I was wrong and discovered I had something like 130 social security numbers on my laptop computer alone. Most of these were my own social security number, but there were quite a few others as well, many coming from CVs sent by persons who were seeking employment. Not too long ago, people were more relaxed about sharing personal identification information in public places.
My experience was instructive and reassuring. I received assistance from our Education Technology Center (ETC) and proceeded to get rid of the social security numbers. It was a straightforward process. I re-ran the scan and received a clean bill of health. As a consequence, the University’s vulnerability to a breach has gone down, and that is a good result. Information that does not exist cannot be stolen.
We are working with ETC and the University’s Information Technology Services (ITS) to make the scanning service available to our faculty and staff. At the moment, the scanning software is available only for PC products, and we will begin with these. Each faculty and staff member with a Windows-based computer registered on the network will have the opportunity to run the scan. ETC staff will be available to help interpret the results of the scan and to assist in removing the personal identity information or otherwise dealing with it. For those who wish to run their own scan, the Faculty Senate is working with ITS to develop a protocol that will certify the completion of the scan and the appropriate disposition of whatever personal identity information comes to light.
The approach we are pursuing is consistent with the relevant University Policy (AD-19) and provides flexibility. Penn State’s computing network is highly decentralized and only as safe as the weakest link (in a very long chain). We cannot afford to be complacent, but we also need to be mindful of privacy rights and the need for investigators to fulfill their promises of confidentiality. I believe there will soon be a message from the provost that will provide additional clarification.
As we go through the screening process, please be in touch with me, Kyle Peck, or Dave Cochrane if you have any questions, and thank you for helping to enhance the safety of Penn State’s computing network.
David H. Monk