Stanford: Running a risk – Return security to lecture hall logins

Western’s Information Technology Services (ITS) has implemented a policy of requiring users to enter their Western login on classroom computers, in the name of enhanced computer security. The end result, however, is a situation in which student grade information and the financial information of teaching faculty are more vulnerable.

This situation is untenable, and must be changed.

The crux of the problem stems from ITS’s pursuit of a single-user ID policy, which it has stated will lead to enhanced security on campus. The thinking behind this policy is, if all staff have a unique identity on campus, Western will have a better handle on who is using its resources.



The nature of the problem is the change has merely transferred a large amount of risk to the instructor. This is because the user ID and password teaching faculty are now required to enter happen to be the same as the ones used to access Western’s financial and grade-management systems. Western employs a ‘single-lock’ system, in which the user ID and password are enough to gain access to this data.

If it had exercised due care for the security of its information systems overall, ITS would have implemented a ‘double lock’ on the student grade and financial information systems in advance of its pursuit of the single-user ID policy.

A burglar who now gains access to the user ID and password of an instructor has access to change grades and redirect pay, as well as change pension information. By implementing the change as it has, ITS has provided those intent on harm increased access to do so.

Instructors must work within a tight window of 10 minutes, during which the departing instructor must log off the system and gather up and answer questions, while the arriving instructor must log onto the system, load software, start response software and likewise answer  student enquiries. In many classrooms, it is virtually impossible to cover up what is entered.

A likely scenario is that a dedicated group of individuals manages to capture the information via cell phone video – one person distracting the instructor while the other captures the key strokes. In large classes, where all of these factors are at play, the likelihood the user ID and password will be captured by a party intent on getting it becomes very high.

As is well known in probability, if an event is repeated often enough, that which has a positive chance of happening will eventually happen.

Access to this secure information will be obtained by parties not entitled to it. It is only a matter of time.

At the Senate meeting on Sept. 21, in response to my question to the president on this matter, the provost responded that Western takes its responsibilities with regards to computer security seriously, but did not in any way address the issues raised here. It is commendable to defend the policies of those working for administration as best they see fit, but surely not at the expense of the increased vulnerability we now face.

At my department’s September meeting, not a single voice was raised in support of the change; the entire focus was on how best to mitigate a bad policy (my words). Either we are a department of malcontents, or the problem is being perceived in the trenches much more seriously than the administration would have us believe.

One of the solutions being considered seriously is to purchase a number of laptops for instructors to use in class. If replicated across campus, such a strategy would render the classroom computers effectively useless, not to mention a large waste of resources.

In light of this, I call on administration to reverse this login measure until they can provide an acceptable alternate method for teaching staff to establish their identity on classroom computers.

While it is bad enough that student privacy is put at risk in this way, the financial side is even worse. No one would think of asking us to enter our bank card information to access classroom computers; asking us to enter our Western Financials login places us at a similar risk.

If administration does not take action to protect us better, then teaching faculty will have to reflect on whether other legitimate avenues exist to restore the security of the personal information that is in administration’s care.

David Stanford, Senator for Science (2011-13), is a professor in Statistical and Actuarial Sciences.