Catawba County Schools in North
Carolina obtained an injunction to remove private material from Google because
it had no luck getting action from the search engine after trying other routes,
the district tells me. The school district also stressed that it didn’t claim
that Google had somehow hacked into its servers. Here’s what Catawba County
School’s chief technology officer Judith Ray emailed me about the situation:
We asserted that Google had somehow bypassed our login information, not
that they had hacked their way into the system. Hacking, to me assumes
malicious intent and we never intended to imply that Google was doing anything
other than spidering all the web sites available.
There is also miscommunication about "all users" being required to log in.
The DocuShare server is a repository for both public and private information
with logins being required for users who are authorized to view the restricted
information. There are hundreds of pages of information that we share from
DocuShare with users around the state. These are completely open and are not
supposed to [be] password protected.
We did troubleshoot this situation by searching for the students’
information at Yahoo, Dogpile, and AltaVista. We did not find any information
on these three search engine returns and we attempted the searches over a
We acted so aggressively with Google because, until the media got involved,
we could not get beyond an operator at Google. We could not get operators to
connect us with technical support, the legal department, or to anyone higher
up in the organization. We were only given an email address to which we could
submit a complain – which we did but got no response. Google has a link to
submit an emergency request [see
on both Thursday and Friday of last week, the link took you to a dead page.
Only when the news media submitted its own inquiry to Google did we get a call
regarding the situation. And [Google] has been most helpful in working through
this situation with us.
Of course, none of us who are employed with Catawba County Schools at the
current time were involved when Xerox set up this server. We are trying to
ascertain if the server was incorrectly setup/protected or if the appropriate
include meta tags or strings were not included.
For Indexing Student Test Scores & Social Security Numbers from us earlier
has more background on the injunction plus how I was finding pages from what the
district said was a password protected area to still be available through Yahoo.
As clarified above, some of these pages indeed didn’t require a login to view.
Our story originally was headlined "Google Blamed For Hacking & Indexing
Students Test Scores & Social Security Numbers" and said in one part, "the
school [district] blames Google for some how breaking into a password protected
area and indexing the content."
As stated above, the school district itself never appears to have said
anything about being hacked, only that Google somehow got into information it
believed was password protected, as it says on the home page of the district
We do not know how Google was able to access the secure, password-protected
site. Once Google does access a site, it places a copy of the data on its own
server. We immediately called and emailed Google, requesting the urgent
removal of the link and site data. We have eliminated the link from our end
and it appears that as of Friday night, June 23, 2006, Google eliminated the
site from their end.
The hacking reference seems to come from the "Google
‘hacked our website’" story at The Inquirer, which we linked to in our
original story. While the headline says "hacked" in quotes, the story itself
doesn’t have anyone from the school district saying this.
Digg also has a
School claimed google hacked it’s private servers and then posted that data
article. Again, the school district isn’t alleging hacking, only that Google
somehow got into information it believed was restricted. How that happened is
still being investigated.
As for the reference to Xerox in the school district’s explanation, in doing
some investigating in our original piece, I noted that the server seemed to be
managed by Xerox and shared by other companies as well, with material for those
companies appearing to be hosted on the school district’s domain. As noted, the
school district doesn’t know why this was happening, and it remains something
they are looking at.
Finally, Google’s had problems with the automated page removal tool before,
though not that it was down but instead allowing people to remove pages from
sites they didn’t own. More on that in our 2004 story,
Confirms Automated Page Removal Bug.