Blaming Google For Your Own Failure To Protect Info
from the blame-anyone! dept
Everybody loves to blame Google — but perhaps people should take the time to understand how Google works before flinging around baseless lawsuits. Recently it was the NY politician who falsely accused Google of profiting off of child porn (a suit he just dropped). Now, Digg points out that a school district that exposed the names, social security numbers and test scores of over 600 students is blaming Google for the leak, saying that Google somehow got behind their password protection — which is not how Google works. The school district tries to explain how Google got behind the password protection, but the statement doesn’t make much sense: “One of the students on the list had a presence on the Web. In Google’s effort to get information on her, one of its spiders latched onto her name in this document. We were not aware that password-protected sites are set up like that.” If someone can explain what that means, that would be great. However, it certainly sounds like the school district left the information open, and doesn’t want to admit it. In the meantime, though, they’ve convinced a judge to issue an injunction to get Google to remove all info from the school district from its index — and a trespassing suit will follow (unless someone explains to them how this lawsuit is bound to fail).
Comments on “Blaming Google For Your Own Failure To Protect Info”
Can Google Prevent it?
In the future, can Google have software that detects information like this and prevents it from being searchable in the first place?
why bother?
one step better, detect *any* information, and prevent it being searched, its bound to annoy someone so best not to really.
on a more realistic level *win* a few high profile cases (google that is) get *all* related costs back and maybe a few legal types will take the hint.
google works reasonably well as it is. at some point whoever admins the web server needs to be asked *why* this information was avalible anyway.
google could probably offer to remove *all* references to the organisation in question. i.e. do not index *anything* for them. they may go for it but i doubt it.
Re: why bother?
Claire, please use complete sentences and accurate spelling. Your statements gave me a headache! Really though, it seems you were just babbling about fragmented thoughts in your brain. Organize your mind first so I can better understand your logic. People like you should not post on the web.
Re: Re: why bother?
stfu grammar nazi
Re: Re: why bother?
I agree with the Anonymous Coward…my head hurts from reading your post Claire. You are FREE to make our heads hurt all you want, but I hope you can do that to other folks reading post on some other site.
Thanks
Re: Re: why bother?
People like you, Anonymous Coward, need not post on the web. What have you brought to this discussion? Absolutely nothing. So keep your complaints to yourself and attempt to contribute to this site. Thank you.
Now for my contribution. This is an all too common problem in school districts. They are victims to their own inability to educate their own students. That and it’s hard to find good help when they pay their employees (yes, not only teachers are paid badly) so poorly.
Peace out…
Re: why bother?
The way I see it Google did them a favor by exposing the weakness of their design. The information indexed by Google would have been readily accessable to anyone with half a brain that wanted to get it anyway. It is the webmaster’s responsibility to secure the site, the search engine simply indexes what is publicly available period.
Stupidity of the masses
You wanna know who to blame…
It’s not google…
it’s half-baked wanna-be comp technicians that get their A+ and people think it means something, when 90% of the people with the A+ have very little idea of what they are doing…
The school in particular, needs to beat the crap out of their admin for not securing their network, not harass a search engine…
This case is a clear cut, we want money and noteriety…
Frankly boys and girls it’s people with a clue need to rise to the occasion and put a stop to frivilous lawsuits, which are not the fault of the company and or person their are blaming…
Re: Stupidity of the masses
Raven D. has it right. More than likely, the administrators of the school were told about this from whoever is supposed to be securing this information (the half baked sys admins) as a ploy to keep his/her job. The amatuer technician wannabe probably never thought it would go this far.
Re: Stupidity of the masses
What does an A+ Certified Tech have to do with anything? Maybe a Network + tech or an MCSE tech could have caused the problem.
You make a good point in your statements.
But it sounds like you did not pass your A+ test?
why bother?
whats wrong with posting on the web when you…..
oooh! sparkly things!
But remember...
…”it’s for the children” that they are doing this
The word of the day is sarcasm
Obviously
Well, this is clearly the work of GHack (beta) — Google’s next generation, password hacking, “enhanced” spider. It’s actually part of their new Web 2.0 suite.
Shouldn’t the folks at Techdirt be aware of this?
Re: Obviously
XAXAXA. Funny.
SCHOOL IS PROBLEM
I have personally seen a school promote a science teacher to network admin because he “was good with computers”.
The guy had a couple of MAC’s in his classroom, and that was it.
The guy actually THOUGHT he knew the stuff, and was telling folks how stuff worked that, to a real IT person, sounded like made up gobblety-gook. The folks he was preaching to swallowed hook line and sinker. They would believe him over IT folks, and we ended up with a staff that was working with a total mis-conception of technology. Still am trying to fix it, but folks still say,”Tim said “Blah”, and he KNEW what HE was talking about!”
Bottom line? The admin in charge of the student data & district WWW are to blame, period. Obviously, their security was crap, and it looks like they still don’t know it.
Idiots (which means i'll probably wind up working
so they publish on a public web server, without setting their meta tags to deflect spiders and put no security in place. Did they just remove the link to the page and think it would be ok? Jacob Neilson once said ” a web site is a house where every window is a door”. I had no idea password protect sites worked that way… what? Idiots!!!!
Someone should have schooled their webdesigner on robots.txt . This would have stopped Google’s evil bots… but.. without an Educated network administrator I can see why the school is upset. Since the have no idea what went wrong, they have no choice to blame… sad really… so dumb, cant realize its simple and right in front of them.
I can see what happened...
The webmaster build a “password protected” page that was little more than a PHP or ASP page that asked for a password and then, based on that test redirects the user to the real page or an error page. The student with the website linked to the real page directly, bypassing the page that asked for the password and gave the illusion of security to the school district users who don’t ever look at the address bar. Google come along to the student’s webpage and finds the link to the district’s page and follows it.
I know of many examples of this. The Hays Daily News in Hays, Kansas has implimented this kind of “fake password” system on their PDF editions for years with Google finding the PDF documents for years as well. Just becuase it looks like security doens’t mean it is security.
It takes five minutes to stop a search such as google, msn or yahoo to index your site, even when you want the site to remain public but do not want search engines to index it.
This is a clear case of an admin who knew nothing about making site password protected and un searchable. Maybe he/she thought that if i can bury this under a lots of folders, then google might not be able to get to it.
school webmasters
The problem lies with the school district’s webmaster and/or the way the school posts information. He/she did not do adequate testing. There are a lot of products out there that people use for posting data to the web (tests included) that claim to be password protected. Many of them are just html pages with a javascript ‘entry’ page. They’re relatively safe from casual browsers but google (and other search engines) find the grade pages behind them quite easily.
Unfortunately, a lot of the gradebook programs with web publishing capabilities work this way. They simply create html files and slap an entry page on them. They don’t even check to make sure that someone coming into the grade pages for little Timmy actually came from the entry page. In many places the teachers are making decisions to post grades on the web and don’t go through the webmaster. Many schools have a district webmaster (often a former teacher) who, over the course of time, learns how to be a webmaster. The schools themselves tend to treat the webmaster position as something the librarian can do in their spare time. It’s unfortunate but that’s the way it is.
To keep things like this from happening schools need to be more active in deciding what grade book teachers should use across their district. They need to dedicate money to pay school webmasters rather than make it something a teacher does in their spare time. Finally they need to hire a full time district webmaster who has input into some of these decisions and is capable of learning to be a real webmaster. Until that happens data will be posted under the guise of being password protected.
I have the Answer!!!
I think that Google should create a spider that will go out and crawl the web, find all of the information that it can, and then delete it.
That way, No one can see anything harmful from Google’s search engine.
Or we could expect that whatever you put on the web is public?
Just my 2¢, YMMV
Re: I have the Answer!!!
And just to be extra safe, Google should then delete its self.
Then we can all go back to using Gopher!
On second thought, maybe this Internet thing is too dangerous. We should go back to stone tablets. Then I’d have something to hit this idiot sysadmin over the head with. 🙂
Ignorance is Bliss I guess
The Internet still represents a big huge black box of unknowns to most people, even those in the tech industry and especially among politicians and in the legal trade. It is ripe for such baseless attacks such as this.
It is starggering actually when you talk to many people that they don’t understand the concept of WORLD WIDE WEB, that anything you put online is subject to WORLD WIDE exposure. How many local businesses put up a website only expecting local coverage, and instead get international requests. In this case, the school POSTED something online so that only the students attending the school could see it, without realizing that without proper protection, this information is viewable by the world.
My recommendation to anybody making a website or using the Internet, if you don’t intend to make information global and public, DON’T PUT IT ONLINE. If it is important, DON’T PUT IT ONLINE. Period. Its the WORLD WIDE WEB and it means that even if you put a password on it, you are potentially exposing the information globally.
Sounds like the school wanted to save a few dimes and not print report cards and use the Internet for a cheap way to disseminate information. When will the legal system start implementing the “Slap upside the head” clause when people file lawsuits because of their own stupidity.
Why point the finger?
Why is it that the finger has to be pointed? The school has to blame Google for future hopes of actuially proving this B.S. and getting a lawsuit. Google is not responsible for the knowledge of your IT admins! BTW, why would Google want it? Why would a mega corperation risk everything for a person’s SSN? Try this fisrt, TAKE RESPONSIBILITY FOR YOUR IGNORANCE! I bet their password was something like, admin backwards, god, or password. hehe… To the school, get a life and I hate to know that someone that is this damn ignorant, caould actually teach my kid one day. Freakin’ morons.
The best part is that it will probably end up in the hands of a judge that is equally clueless. I can’t believe how dumb this makes the school look, SMRT!
Why is everyone so focused on Google?
Seriously… Why is everyone so focused on Google? Has everyone completely forgotten about the THOUSANDS of other search engines out there? Let’s take Yahoo for example…
About a year ago… I had a problem with their caching engine. I had a document posted on my own IIS server at home. I made it available to myself for the sake of my own benefit when I’m out and about. The IIS directory was NT protected…[supposedly]. There was a password applied.
This particular document contained a share of my own personal information – up to AND INCLUDING my Social Security Number.
Interesting how a password-protected directory was ACCESSED by one of Yahoo’s ‘spiders’… It managed to grab this personal, password-protected document AND CACHE IT in it’s own index! The only way I found out about it was through my significant other. She ran a Yahoo search for my name (for some reason… She does odd things like that sometimes when she’s bored. Like she’s checking to see if I am FAMOUS yet or something. LOL.) She found this very document that I had gone to the trouble of securing on Yahoo’s search results of my name. LISTED IN THE SEARCH SUMMARY WAS MY SOCIAL SECURITY NUMBER.
Needless to say…I was PISSED.
I contacted Yahoo about the issue and DEMANDED that they remove this cached document – IMMEDIATELY. They sent me a response giving me excuses, etc. They told me that it would take anywhere between 7-14 business days for the ‘caching cycle’ to ‘rotate’ the document out of it’s cache.
This was MOST DEFINITELY unacceptable.
I threatened them with legal action if they did not remove this personally sensitive information AND complete liability if my identity were to be compromised. I was VERY clear to them on that matter.
CRYSTAL…
The document was gone the NEXT DAY. (Thankfully for THEM…)
Now here is my question to the general populace…
WHY are we so focused on one particular search engine when they’re ALL guilty of creating some security issue or breach of privacy? I’m pretty sure that it’s only because they’re so noteworthy in the media of late. Everyone is picking on Google like we have an actual reason.
NO ONE is perfect. But I think that Google does stand above the rest considering the amount of effort they put into innovation and how much they really do give to the people. After all… I can’t overlook the fact that most people I see loading their browsers end up having Google as their homepage… *raises hand* Heh…
As for this school system… I’m pretty sure that they missed something in their security. My own personal web server at home didn’t stop Yahoo’s spider. Why should they be any different? I’m fairly familiar with system security. I never really bothered to research the issue. I simply deleted the directory from the WWW and put the document on my personal secured SCP server instead. I find it disgusting that we hear about these legal battles but NEVER even HALF of the details.
THINK, people. THINK!!
Regards,
Cyryl
Re: Why is everyone so focused on Google?
Problem #1 – I had a document posted on my own IIS server at home…
Problem #2 – I’m fairly familiar with system security. I never really bothered to research the issue…
Its your own fault, people like you working in IT and making ASSumptions is what makes the WWW interesting.
Leave IT to the professionals or better yet RTFM!
Re: Why is everyone so focused on Google?
You are just as much of an idiot as the school district. You put you SSN on a publicly accessable webpage. You did not protect that information.
The school district did not protect their information on their publicly accessable website.
It would take a couple of minutes to tell ALL search engines to not access a portion or even all of any web site.
Think idiots, think!
Re: Why is everyone so focused on Google?
Look man, I don’t want to jump on a “bash the idiot” bandwagon. I’m sure you’re a fairly smart guy and all…
But why would you need to document your SSN and have it accessible on the go? If you’re over 18 and you don’t have your SSN memorized by now, it’s time to catch up. Things like SSN & other “simple” data bits are easy to memorize.
And I don’t care how “reasonably secure” a server is… if anyone else can access it besides yourself, it isn?t safe. Don’t put personal info on there. It’s really that easy.
If you want to keep things secure and accessible “on the go”, type up a little business card (Avery makes some nice, cheap stock for that) and keep it in your wallet.
What if you wallet is stolen? Easy. Do what I do. Write the info up in code. A simple substitution code means that it’ll be unintelligible at a glance, and you can translate it back easy enough when you need the info. You’re not trying to thwart government super-spies or cryptology teams here. Anyone who is going to take the time to break a coded, unknown, peice of paper in your wallet is going to get that info no matter what you try to do.
Blame it on ignorance
Personally, I would blame the people who built the website. It is not Google’s responsibility to secure other people’s work.
Further, I am sure that a lot of you would agree that it would be quite impossible for google to go through every indexed page in their database to ensure that those pages do not violate the interest of that particular school or any institution for that matter.
If the school is not capable of securing thier website, perhaps it is best for them not to have a website at all.
If I was a judge, I will make sure that the IT manager, Web Master, and anyone involved in the development of the school’s website, should never be allowed to hold such positions until their have proven that they are capable of working for such institutions (e.i. Schools, hospitals, etc) where data protection is not an option, but a must have measure.
Boner.
The judge’s name is boner.
… Dick Boner…
Stupid School
This is another indication of just how little money actually gets used to educate kids and how much
goes to buying administrators. There was a time in this country when students had clubs for computer
lovers and that club would have set up the site with
teacher supervision and it would have been secure. Now they can’t afford to let the kids have a club but they can pay some numbnut to not even get it somewhat right. This is just the latest in a long line of symptoms that herald the fall of the education system in this country. It all started with the NEA
and it will only get better when the NEA is abolished
and teachers are hired for there educational skills and not their political skills.
If you are too naive or stupid to know how to use a computer without exposing yourself to security risks then you have no damn business owning a computer. I am so sick and tired of reading articles about people getting information stolen or falling for a phishing scheme replying to emails that are scams etc… Bottom line is if you dont know how to use a PC properly then DONT USE ONE. IF you do you deserve what you get!!
DocuShare?
Do a google on DocuShare, the secure? server software that the school used..interesting results
Not Google's Fault
I know a lot of people are not fans of Google, but as far as I know they behave when you ask them to. Using robots.txt would have stopped this, BUT the real problem here is that this information was not secure. If Google could get at it, so could others. School’s fault, no question about it!
As a matter of fact, there is no way to gaurantee 100% secrecy of any information on the web no matter how good the admin.
So why was this information online at all? Why was that necessary?
Robots.txt
If they don’t want to be listed in Google, they should have secured their areas properly, and used Robots.txt like it is supposed to be used.
Anyone who knows anything about webdesign should have put in Robots.txt with a Disallow on any areas supposed to be secure, and then those areas should have been properly secured.
Now they just have to put a Disallow:
Too bad they don’t know a thing about decent web design.
Robots.txt
Obviously these people just don’t know what they are doing. Even Basic authentication with apache would have prevented the information from being indexed – and it doesn’t take 5 minutes to set up.
Apart from that – robots.txt is a security risk – anyone with half a brain can browse to the address to see exactly what you don’t want them to see. Decent web design is calling an include file from your CGI/ASP/.NET scripts which has a IP whitelist or blacklist, and prevents search engines from accessing the page, merely redirecting them to the home page or something similar.
It isn’t hard to secure information – but using a Robots.txt makes you a googledork.
robots.txt
The robots file is supposed to be for preventing such pages as error pages or the like appearing in the search results for your site, just because the search terms were really specific and your site has a lot of links to that page. thus it would have the 404 page, the inauthenticated user page, and subsidiary pages of forms, for example, would all be on robots.txt. A secure page could be put there reasonably, since anyone who has the password would know about it anyway, so tey could find it using the internal links if they do not know the URL.