EDITORIAL: Condemn oversights in Brandeis' online security
Students, faculty and staff have an email account through the University and, by extension, a Google calendar. For these calendars, the default settings allow anyone with a University email address to view other Brandeis calendars, unless users manually disable public access. This means that many students’ calendars have been publicly visible without their knowledge, and worse, the Justice found that select calendars within Academic Services and Student Financial Services were visible to Brandeis users until yesterday when reporters reached out for comment.
Academic Services and Student Financial Services have since changed their settings to make all of their calendars private. Even so, this board denounces these departments’ carelessness. Students’ sensitive information never should have been visible to the public in the first place, and the University must ensure that an error of this magnitude never happens again.
This oversight revealed individuals’ personal information that they may not have wanted announced to the greater University population. In particular, one advisor in Academic Services had a list of their upcoming appointments on their public calendar. The descriptions for these appointments included information such as what disabilities people received advising for and what sorts of accommodations they might need. The locations of meetings were also visible. In addition, personal information was listed, including the phone numbers of those who scheduled the meetings. Consequently, anyone with a University email address was able to see why an individual used either resource, what sort of help they might receive, where they had their appointment and how to contact them.
An individual’s personal calendar should be private. For many, meetings and appointments are personal, and it is not the entire University’s business as to what they are doing, where they are going and why. Beyond that, Brandeis employees must be more careful with their students’ information, especially within departments like Academic Services and SFS, where trust and confidentiality are vital. As such, the University’s negligence in this situation is appalling.
Moving forward, this board urges the University to better protect the privacy of individuals using University accounts, and we recommend that Brandeis make the default settings private for all students.
Additionally, we urge students to evaluate the privacy settings of their University email calendar. This board encourages students to think about whether they want the entire University community to be able to see their personal appointments and other commitments.