Google Blamed For Indexing Student Test Scores & Social Security Numbers

Google "hacked our website" from The Inquirer points to Blame game from the Hickory Record, a story about how the Catawba County Schools in North Carolina has gained a temporary injunction for "Google to remove any information pertaining to Catawba County Schools Board of Education from its server and index and alleges conversion and trespass against the corporation." The school blames Google for some how getting into a password protected area and indexing the content.

Let me make this clear, Google cannot submit forms or type in usernames and passwords. Someone at the school must of left an opening for Google. The security hole came from possibly someone publishing the content publicly, somehow, or by letting down the security or by posting a hyper-linked URL with an embedded password in the URL.

I agree, Google should remove this sensitive information, which they did on Friday after the judge issued the temporary injunction. But Google should not be blamed for this.

Postscript From Danny: As Barry notes, this isn't a case of Google deserving blame. It cannot guess at a protected server's usernames or passwords, nor is it configured to try and hack its way in. If this information got into Google, that's almost certainly because it was left unprotected somehow despite the school's "very secure site."

Since the school says all personal information has now been removed and is protected, I'll explain more at what I guess happened.

The story mentions that somehow, information from the site's supposedly protected DocuShare server got onto the web. OK, where is that server? The story doesn't say, but this search at over at Yahoo gives the likely location:

docushare catawba

Fifth down is this:

DocuShare Authorization Error
Not Authorized. You are currently listed as Guest, which means you are not logged in. ... Password: Domain: DocuShare Catawba County. Copyright © 1996-2003 Xerox Corporation ... - 6k - Cached - More from this site - Save

That shows you that Yahoo tried to access a protected page on the DocuShare server at Is this the secure server that Google somehow managed to penetrate? Probably, given that this search shows nothing at Google now:

That search comes up with no matches. That's probably because Google responded to the complaint last Friday to remove all pages from this domain. But since no one contacted Yahoo, there's a good chance pages from the domain still show over there. And in fact, that search at Yahoo currently shows 13,500 matches.

Are any of these the pages the ones with sensitive information? I did some searches that I felt should bring up whatever the page was that Google was finding and had no luck. This means:

  • Yahoo didn't have it, because it didn't crawl as deep
  • Yahoo didn't have it, because Google really did somehow manage to get pass a password barrier
  • Yahoo didn't have it, because I'm not guessing at the right words in the document

Yahoo clear has some information that the school district itself says:

This site was a DocuShare password-protected site that required all users to log-in

No, not all users had to log-in. If that was the case, you wouldn't see any cached documents at all, such as this one. Clearly, some content was accessible without being logged in -- which makes it possible that some content wasn't properly placed behind password protection.

Postscript 2: See our follow-up, Follow-Up: School Couldn't Reach Google Until Injunction Filed