Google Blamed For Indexing Student Test Scores & Social Security Numbers

Google "hacked our
website"
from The Inquirer points to

Blame game
from the Hickory Record, a story about how the
Catawba County Schools in North
Carolina has gained a temporary injunction for "Google to remove any information
pertaining to Catawba County Schools Board of Education from its server and
index and alleges conversion and trespass against the corporation." The school
blames Google for some how getting into a password protected area and indexing
the content.

Let me make this clear, Google cannot submit forms or type in usernames and
passwords. Someone at the school must of left an opening for Google. The
security hole came from possibly someone publishing the content publicly,
somehow, or by letting down the security or by posting a hyper-linked URL with
an embedded password in the URL.

I agree, Google should remove this sensitive information, which they did on
Friday after the judge issued the temporary injunction. But Google should not be
blamed for this.

Postscript From Danny: As Barry notes, this isn’t a case of Google
deserving blame. It cannot guess at a protected server’s usernames or passwords,
nor is it configured to try and hack its way in. If this information got into
Google, that’s almost certainly because it was left unprotected somehow despite
the school’s "very secure site."

Since the school says all personal information has now been removed and is
protected, I’ll explain more at what I guess happened.

The story mentions that somehow, information from the site’s supposedly
protected DocuShare server got onto the web. OK, where is that server? The story
doesn’t say, but this search at over at Yahoo gives the likely location:


docushare catawba

Fifth down is this:


DocuShare Authorization Error

Not Authorized. You are currently listed as Guest, which means you are not
logged in. … Password: Domain: DocuShare Catawba County. Copyright ©
1996-2003 Xerox Corporation …
docucentre.catawba.k12.nc.us/docushare/dsweb/View/Collection-1546 – 6k –
Cached – More from this site – Save

That shows you that Yahoo tried to access a protected page on the DocuShare
server at docucentre.catawba.k12.nc.us. Is this the secure server that Google
somehow managed to penetrate? Probably, given that this search shows nothing at
Google now:


site:docucentre.catawba.k12.nc.us

That search comes up with no matches. That’s probably because Google
responded to the complaint last Friday to remove all pages from this domain. But
since no one contacted Yahoo, there’s a good chance pages from the domain still
show over there. And in fact, that search at Yahoo currently shows 13,500
matches.

Are any of these the pages the ones with sensitive information? I did some
searches that I felt should bring up whatever the page was that Google was
finding and had no luck. This means:

  • Yahoo didn’t have it, because it didn’t crawl as deep
  • Yahoo didn’t have it, because Google really did somehow manage to get pass
    a password barrier
  • Yahoo didn’t have it, because I’m not guessing at the right words in the
    document

Yahoo clear has some information that the school district itself
says:

This site was a DocuShare password-protected site that required all users to
log-in

No, not all users had to log-in. If that was the case, you wouldn’t see any
cached documents at all, such as

this one
. Clearly, some content was accessible without being logged in —
which makes it possible that some content wasn’t properly placed behind password
protection.

Postscript 2: See our follow-up, Follow-Up: School Couldn’t Reach Google Until Injunction Filed

Related reading

adblock-plus
email chart
gopro
south-park
Simple Share Buttons