Friday, April 11, 2008

Penny For Your Thoughts

A colleague recently had the hard drive from his desktop computer completely erased by an intruder who went to his locked office on a day when his university was closed for a holiday. There was nothing of obvious value on the hard drive -- just manuscripts, proposals, presentations, data, images and so on. That is, just his work.

Everything was backed up, so nothing was lost, but even so, it was an evil act. There's no way to know what the malicious person did before erasing all the files and installing a new (pirated) operating system, but the IT people were able to determine that the computer was accessed at least 4 times. I would not be surprised if files were copied.

Years ago, an intruder copied files from my desktop computer. The computer was in my locked office, and the intruder copied the files late at night on a weekend. The files were of the usual academic sorts -- papers, proposals, data and so on, as well as email files that were saved on my computer.

There are many possible motives for this type of malicious behavior: outright theft of intellectual property for personal gain, a desire to inflict severe inconvenience, or an attempt to find some confidential or embarrassing information. When my files were copied and I had a meeting with an associate dean about the situation, she told me that she had dealt with cases like this before. Furthermore, she also dealt with cases in which someone placed incriminating materials (e.g., child pornography) on someone else's computer. Who are these people?

When my files were stolen (copied), the chair and deans were sympathetic to my situation, but it was very difficult for me to convince them that this theft of intellectual property required them to take action against the thief to try to retrieve the stolen information. The type of research I do has no commercial value, and will not result in patents. The same is true for my colleague who more recently had his hard drive compromised.

In my case, the thief also took some research materials that had been purchased with a grant from a federal funding agency. I contacted the university legal office to see what my options were for trying to retrieve my tangible and intellectual property, although I didn't have a clear idea how to retrieve the latter. The thief had made copies of files, so I didn't lose any intellectual property, and the research materials that were taken had a value of about $1000. Small change for a university.

One of the lawyers in the university counsel's office wrote a strongly worded letter to the thief, who had been proven beyond a doubt to have possession of my files and other research materials and who had by that point been fired from the university. I saw a draft of the letter before it was to be sent, and did not find it particularly compelling, but at least it recognized that someone had done something wrong. But then the letter was never actually sent because the university counsel balked out of concern that it would appear that the university was harassing someone who had not actually stolen anything of value to the university. What if the thief got upset by the letter and sued? Then the university would have to spend more than the cost of a piece of letterhead and a postage stamp, and that would not be worth it.

Nothing of value was taken, just my work.

I have written before about people who borrow (steal) ideas from proposals or talks, but somehow it is worse when someone physically breaks into your office and takes stuff, even if the result is about the same.

How do you put a value on basic research? You can't. I bring in grants (+ indirect costs) and I support students and pay their tuition, so I could put a number on how much money I contribute to the university. My research materials, however -- my ideas, my proposals, my manuscripts, and my teaching files -- have no street value.

Does that mean anyone can break into my office in the dead of night and help themselves to whatever they want as long as they don't take anything of actual worth (e.g. computers, research equipment, my first edition of Flattened Fauna)? Sometimes it seems that way. Of course, anyone who does that will be fired and will have to move to the ends of the Earth, but at least they will have my old manuscript drafts to keep them company. Those, of course, are priceless.

16 comments:

PhysioProf said...

There are some angry bitter people in academia. A system that only allows ultimate success for a very few inevitably generates lots of disappointed people, and some people turn disappointment into rage.

For example, there is a totally demented fucking wackaloon commenter over at Zuska's right now who is ranting and raving about how "affirmative action means unqualified women are taking academic positions from qualified men". He is almost certainly someone who may have succeeded in an environment that excluded non-white, non-male academics, but now that he is competing on a playing field that is at least moving in the direction of becoming more level, he can't get what he wants.

http://scienceblogs.com/thusspakezuska/2008/04/explaining_women_geeks.php

These are the kind of people who channel their anger and hatred into academic vandalism and theft. And I have no doubt that the fact that you are a woman makes you a more appealing target.

Incidentally, this dude commenting at Zuska's really is a totally demented fucking wackaloon, and has threatened to "press charges" against us because we called him out on his demented fucking wackaloonery. It's funny stuff if you like that kind of car-crash Internet loonie rubbernecking.

Anyhoo.

newtronic said...

Hi,
Enjoy your blog...
Let me suggest you install TrueCrypt. It's free, open source, and has been vetted by numerous security pro's. Encrypt data that you care about and then you never have to worry.
http://www.truecrypt.org/ Don't trust me; do a little bit of research on how it works and why you can be sure it is really safe.
Good luck!

Anonymous said...

I realize you're trying to tell this story as anonymously as possible, but - I was shocked to read that you eventually found out the identity of your thief!

Can you tell us a little more about what you could glean from that, in terms of what role he held in the University, how he had access to your office, and why he stole did what he did? Had he done it before to others?

John Dennehy said...

How did they catch the thief? I'm mystified why criminal prosecution was not pursued i.e. for breaking and entering, even if nothing of "value" was taken. Was this because the thief was an employee and therefore was not considered "breaking and entering" although it was certainly unauthorized access?

Candid Engineer said...

I once had a miscreant (who I knew personally) hack onto my computer to search through my email files for personal and work-related information. Even though nothing "of value" was taken, like you, I was shocked that the situation was not taken seriously. Some people even placed blame on me, claiming that I should have been better at protecting my own files. I certainly felt violated, as I am sure you did. Not sure what an appropriate solution is to such a problem.

TW Andrews said...

I hope that you publicly named and shamed the thief. Were the motives for the theft obvious (i.e. to steal your research, a vengeful lab assistant)?

Emily said...

That seems like such a strange crime, and yes, evil. I'm glad your colleague had backups and did not lose any data. Losing a sense of security in one's office is bad enough.

I understand how disturbing the sense of invasion is and how frustrating the lack of response must be, but I also kind of understand why the university's response is so underwhelming. It's completely consistent with the response to other crimes in my experience.

I've had my house broken into, my car broken into, and had an intruder come into my bedroom in the middle of the night (fortunately nothing bad happened). In all these cases the police response was that they'd see what they could do, but that I shouldn't expect much. "Make sure all your doors are locked at night, and call us if you see anyone acting suspicious." The reality is that the police are too busy to spend much time on cases where the losses are small and there's no physical harm.

As citizens I think we're more or less used to the idea that we're on our own most of the time. I certainly wasn't surprised at the low-key police response to my various situations. I think being part of a university makes it seem like there should be a wealthy, lawyered-up entity on your side when things like this happen. Unfortunately, the university makes cost-benefit calculations much the way the police do.

I'm afraid this sounds unsympathetic, which is not my intent. I suppose I wanted to reassure you that they would have been just as dismissive of material losses. Small comfort.

On a side note, what would be an appropriate punishment for this kind of theft? Is it the theft of the work (such a huge component of one's identity in many cases) or the invasion or the malice? Does it matter which component bothers you when you think of the punishment?

I'm not sure how I answer these questions myself.

Anonymous said...

I didn't realize that someone would actually physically come into an office... I thought that they would break in remotely and hack the computer. China might do that actually. I don't know why a single individual with no ties to a governmental secret service would.

But definitely bad news on the 'breaking into the office' part. I regret telling some people that one of my hobbies is picking locks and I have a lock-picking kit. They immediately assume that I'm a thief and I'm always afraid now that I'll be blamed for some break-in where the door wasn't physically forced. Try telling the 'normals' that it's just a hobby and that you don't do any evil... That's why I really hate thieves. It all comes back to me now. I'm not giving up my hobby though. It calms you down and focuses you after a hard day in the lab.

Sara said...

The lab I'm in does research that involves giving technology (like computers, GPS cell phones, etc) to seniors. A research assistant's car was broken into, and she had some equipment in the trunk, including a couple of laptops, a computer monitor, and a GPS cell phone, which she was going to be using the next day or had just picked up from a subject's home.

The cell phone was turned on, and it reported to us where it was whenever it could get a signal. So we were able to trace the thief from the apartment building to Los Vegas and back again.

We filed a report with the police, but they told us they couldn't do anything more because the monetary value was too low. I couldn't believe that they turned down the opportunity to catch a thief who essentially stole from an 85-year old, and who we could track with GPS. It would have made such a brilliant news story!

steppen wolf said...

Sounds to me like a sad state of affairs when even the university who wants you to do research there does not give any real value to your work. It really just means "thanks for bringing in the grants, the rest doesn't matter".

How did you manage to identify the thief, by the way? Some..computer forensic of some time, or did he/she have precedents?

Dr. Cuba Libre said...

Out of curiousity, FSP, how did you find out that someone had broken into your office and copied files? I wouldn't begin to know what to look for (not that anyone wants my data, but whatever). To the other commenter, how did you realize that your email had been hacked?

Female Science Professor said...

The thief printed out some of my files and showed them to someone who, instead of thinking the thief was clever, was shocked and alerted me and others to the problem.

Anonymous said...

Only tangentially related, but two weeks ago in the New England Journal of Medicine, the author of a book review printed in a previous week apologized publicly for having relied upon a review written by some one else without giving them credit. I thought it was pretty shocking that some one would attempt to use another person's work in an international journal. As a sidelight, the original review was written by a woman and the correction by a man (at least judging from their names). Here is the letter, http://content.nejm.org/cgi/content/full/358/13/1407

(I guess this is more a something I thought you'd be interested in to FSP than a comment on this particular thread)

ps that is very lousy. what a sense of violation and then to have the university say it's not worth it to prosecute.

Stu Savory said...

One word: Encrypt!

Newtronic has suggested how :-)

BTW: You have implicitly told us you do not do classified work ;-)

Female Science Professor said...

My incident occurred a decade or so ago; security was different then.

Anonymous said...

My institution as I understand it receives matching funds from the NSF/NIH/etc for each large grant earned by a faculty member. If this is the case for your grants, it is absolutely in the University's material interest (to the tune of hundreds of thousands of dollars in some cases) to prevent loss of information that could prevent you from getting another such grant. I am confused as to why your University lawyers did not consider this factor in pursuing the thief (unless your university/grant does not participate in matching funds programs?)