Disclaimer: the opinions in this post are solely mine, except where I use the term “we”. This post was written of my own accord, and apart from knowing its creator, I am not affiliated with Stalkers in any way.
Photo credit: Stalkers.
Stalkers (http://stalker.fuzzie.sg/) was created in July 2013 without any malicious intent, in the hope that the information on it would be used in a productive manner, such as statistical analysis for the benefit of the students. The web app requires you to log in with your NUSNET account. Once logged in, you can search for modules and see which students are taking them, and also search for students and see which modules they are taking or have taken.
The only student details displayed are faculty, year, NUS email, full name, and matric number. These are details which most students are fine with sharing, since they help us find people to form project groups with, or fill in the matric number of a (MIA) group mate when we need to submit a group assignment.
The NUS Computer Centre (ComCen) recently asked the creator of Stalkers to take it down from the internet on the grounds that it has unfairly violated the privacy of the students. From the student who created Stalkers, referring to his conversation with the head of IT security in ComCen: “I have made multiple attempts to reaffirm that I am cooperative, present voluntarily and not here to start a fight but [her] aggression was absolutely relentless. It was more an interrogation than anything. She kept demanding the answer to the same question over and over again as though my answer did not satisfy her.”
Stalkers has now been taken down, but this is merely an illusion of privacy. All the information on Stalkers was taken from ComCen’s LDAP directory, which every single NUS student can access. Simply put, you can retrieve the same info by searching the address book in Microsoft Outlook when you’re logged in to your NUS email. Many people (and arguably most people in the School of Computing) have the know-how to query that directory directly.
Additionally, more sensitive information, like which NUS residence and block a student stays in and the personal email address their NUS mail is forwarded to, is available through that same address book. The latter has already been misused: a few unethical businesses have used it to reach private inboxes directly for marketing purposes (I myself have received one such email). Stalkers strips all of this more sensitive data and only displays the fields mentioned at the start of this post.
And it’s not just NUS students who are affected. The personal details of NUS staff, as well as staff from other organisations like NUS High and Tan Tock Seng Hospital, are readily retrievable too. If ComCen is really so concerned about privacy, why does it allow all students access to its LDAP directory, then call such access an invasion of privacy?
That being said, I’m actually fine with the LDAP service being available to all NUS students (surprise surprise!). Most companies make their LDAP servers available to all their employees anyway, and we can understand why this service is open to everyone. As one of my friends so nicely puts it, “Windows PCs require domain logon via the LDAP servers, and maintaining a whitelist of such PCs is going to be fairly painful”. I’ve known about this service since my freshie year in Computing, but never had any issues, since not many people know they can access data this way. Among those who do, few will bother to do anything with the data anyway.
Back to the point, I’m not sure why ComCen is kicking up such a huge fuss over Stalkers, when all it does is slap a nice UI over the public service which they provide. Honestly, it almost sounds like ComCen is judging Stalkers by its name – but the name “Stalkers” was chosen to make it sound as ridiculous as possible, according to its creator. I mean seriously, just look at its logo.
If ComCen is truly concerned about privacy, may we suggest that they restrict the service itself, rather than bullying students through verbal-only communication? From a discussion with a friend of mine, here are two things which ComCen can consider doing:
- Remove some LDAP attributes from being queried by non-privileged users.
If ComCen is running Active Directory, it is a matter of setting the confidentiality bit (0x80 in the searchFlags value of the attribute’s schema object), after which only accounts granted the corresponding control access right can read that attribute. One caveat: the bit cannot be set on attributes that ship in the base schema, so for those an access control list on the directory objects is the tool, showing each attribute only to the principals that should see it. Either way, the sensitive fields (residence, forwarding address) disappear from everyone’s Outlook address book, not just from Stalkers.
- Issue API keys to trusted student developers.
This is the same path taken by the IVLE LAPI. With an API key approach, ComCen can also rate-limit queries, attach each query to the key that made it, and revoke a key that is abused. The trade-off is that ComCen has to design and run a new API in front of the directory, rather than letting clients talk to the LDAP server directly.
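To make both suggestions concrete, here is a small added example of what a keyed gateway in front of the directory could look like. It is illustrative code written for this post, not ComCen’s, IVLE’s or Stalkers’ code, and the directory entries, attribute names, limits and key format are all assumptions. It combines the two ideas above: an attribute allow-list that gives ordinary callers only the fields Stalkers showed (the same effect a confidentiality bit or ACL has on the directory itself), and per-key rate limiting with an audit trail so the operator can see which key queried what, from where, including denied attempts.

```python
"""Hypothetical keyed gateway in front of a directory (added example).

Demonstrates two mitigations: an attribute allow-list for non-privileged
callers, and per-key rate limiting plus an audit trail. Entries, field names
and limits are constructed for illustration only.
"""
import hashlib
import secrets
import time
from collections import deque

# Constructed sample entries standing in for LDAP directory objects.
DIRECTORY = {
    "a0000001": {
        "cn": "Alice Example", "mail": "a0000001@u.nus.edu",
        "department": "School of Computing", "year": "3",
        "matric": "A0000001X",
        # the kind of fields the post calls sensitive
        "residence": "Hall X, Block 9", "forwardTo": "alice@example.com",
    },
    "a0000002": {
        "cn": "Bob Example", "mail": "a0000002@u.nus.edu",
        "department": "Faculty of Engineering", "year": "1",
        "matric": "A0000002Y",
        "residence": "Hall Y, Block 2", "forwardTo": "bob@example.org",
    },
}

# What an ordinary key may see versus what a privileged key may see.
PUBLIC_ATTRS = frozenset({"cn", "mail", "department", "year", "matric"})
PRIVILEGED_ATTRS = PUBLIC_ATTRS | {"residence", "forwardTo"}


class Unauthorized(Exception):
    pass


class RateLimitExceeded(Exception):
    pass


class DirectoryGateway:
    def __init__(self, limit_per_window=5, window_seconds=60, clock=time.monotonic):
        self.limit = limit_per_window
        self.window = window_seconds
        self.clock = clock                # injectable so behaviour can be tested
        self._keys = {}                   # sha256(key) -> {"owner", "privileged"}
        self._hits = {}                   # sha256(key) -> deque of request times
        self.audit_log = []               # one dict per attempt, allowed or not

    @staticmethod
    def _fingerprint(key):
        # Store a hash, not the key itself, so a leaked key table is useless.
        return hashlib.sha256(key.encode()).hexdigest()

    def issue_key(self, owner, privileged=False):
        key = secrets.token_urlsafe(32)   # 256 bits of entropy
        self._keys[self._fingerprint(key)] = {"owner": owner, "privileged": privileged}
        return key                        # shown to the developer once

    def _log(self, owner, source_ip, query, outcome, attrs=()):
        self.audit_log.append({
            "t": self.clock(), "owner": owner, "src": source_ip,
            "query": query, "outcome": outcome, "attrs": sorted(attrs),
        })

    def _check_rate(self, fp, now):
        # Sliding window: drop timestamps older than the window, then count.
        hits = self._hits.setdefault(fp, deque())
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True

    def lookup(self, api_key, user_id, source_ip):
        """Return the attributes of user_id the key is allowed to see, or None."""
        fp = self._fingerprint(api_key)
        principal = self._keys.get(fp)
        if principal is None:
            self._log(None, source_ip, user_id, "unknown-key")
            raise Unauthorized("unknown API key")
        now = self.clock()
        if not self._check_rate(fp, now):
            self._log(principal["owner"], source_ip, user_id, "rate-limited")
            raise RateLimitExceeded(f"more than {self.limit} queries per {self.window}s")
        allowed = PRIVILEGED_ATTRS if principal["privileged"] else PUBLIC_ATTRS
        entry = DIRECTORY.get(user_id)
        result = None if entry is None else {k: v for k, v in entry.items() if k in allowed}
        self._log(principal["owner"], source_ip, user_id, "ok", result or ())
        return result


if __name__ == "__main__":
    gw = DirectoryGateway(limit_per_window=2)
    key = gw.issue_key("student-dev")
    print(gw.lookup(key, "a0000001", "10.0.0.1"))   # public fields only
    print(gw.audit_log[-1])
```

The filtering happens on the gateway side of the directory, so a client never sees a field it is not entitled to, regardless of what it asks for; the audit entry is written even for rejected requests, which is what lets an operator trace abuse back to a key and revoke it instead of taking a whole site down.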
And one still wonders why Singapore will never be the next Silicon Valley, or NUS the next MIT, when innovative student projects are shot down like that.
Have something to say about this matter? Then head over to Stalkers to join in the discussion. A different opinion is especially welcomed.
Update 25/8 10:41pm:
While ComCen has yet to contact the creator of Stalkers (I just checked with him), I would really like to know their stand on this matter. There seems to be more to this than meets the eye, so let’s save our judgement for when more details are revealed (:
And for the record, my stand as of the time of the original post is NOT that ComCen is in the wrong; it’s more that I don’t understand why they’re calling Stalkers an invasion of privacy and closing it down (I can kinda guess why now). As of now, I still really don’t like how they’ve handled this matter so far, and that does not equate to me thinking ComCen is in the wrong.
Update 23/9 11am:
The matter has been escalated all the way up to the data protection office and the provost. Discussion is ongoing, and hopefully there will be some news within the next few weeks. I doubt this will be settled any time soon though, as organisations are notoriously slow with this sort of thing.