Sunday, April 5
The Indiana Daily Student

'Phishing' experiment attracts national debate about ethics of study

After students discovered that graduate students Tom Jagatic and Johnson were behind a spoofed identity-theft attack sent out through e-mail last week, students expressed their anger and surprise by writing more than 200 entries in a blog set up by Jagatic and Johnson as a forum to discuss the experiment.

On the popular technology Web site www.slashdot.org, links to an article from Tuesday's edition of the Indiana Daily Student and to the blog were posted. This time "techies" from all over the country posted more than 200 comments on the matters of Internet ethics and privacy.

The spoof attack was part of a study of identity theft -- "phishing" -- sponsored by a Web-mining course in the Computer Science Department. The experiment aimed to test how people react to being "phished" by acquaintances or friends: each message appeared to come from a friend's e-mail account and included a link that prompted students to provide their IU usernames and passwords. Jagatic and Johnson, both graduate students in the Computer Science department, obtained students' information from public sites on the Internet, and immediately discarded the usernames and passwords of students who provided them.

The anonymous IU blog, which included complaints using explicit language as well as positive comments about the purpose of the study, has been closed to further posts because of the volume of comments and the lack of manpower needed to monitor it, Jagatic and Johnson said in a note posted Wednesday on www.indiana.edu/~phishing/blog/.

For information technology watchers around the country, the reaction of IU students to the misleading nature of the study has drawn a mix of disappointment and sympathy.

Fred Cate, director of IU's Center for Applied Cyber-Security Research, said he hopes students can look past the deception.

"I can completely understand why people would be upset about this," Cate said. "When I first heard about this I was like, you've got to be kidding ... but you can't do this type of research and tell people in advance."

Cate, who is also a professor of law, said phishing is the biggest and fastest-growing fraud in the United States and affects those who use the Internet the most, like students on highly wired campuses.

"It seems like (the study is) addressing a real problem," he said.

So it seems. Studies estimate that the normal success rate of phishing messages that impersonate commercial sites, such as the auction Web site eBay, is around 3 percent. But Filippo Menczer, one of the professors who advised Jagatic and Johnson's study, said preliminary results of the IU test show 70 percent of students clicked on the link provided in an e-mail that appeared to come from an acquaintance.

The Human Subjects Committee approved the study earlier this semester in the hope that students would learn from being duped by familiar e-mail addresses.

Peter Finn, professor of psychology and chair of the Human Subjects Committee, said the committee considered four criteria before approving the study: whether the risk to subjects of being spoof-attacked was greater than it would be on a day-to-day basis; whether the element of surprise was needed to obtain accurate results; how the lack of prior consent would affect subjects; and lastly, whether subjects would be properly debriefed after being attacked.

"We anticipated that some people may be upset, but there's an awful lot of learning that will go on for everybody," Finn said.

University Information Technology Services is one party that has been forced to take that lesson on board. Jagatic and Johnson did not inform UITS about the study before the attack, and some students were frustrated at the lack of help they found at UITS desks.

UITS has already responded to the controversy surrounding the study by addressing it in the UITS Monitor newsletter for April 27, but important questions remain about IU's ability to prevent phishing attacks by harmful parties.
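The study worked because of a property of Internet e-mail the article mentions only in passing: the sender shown in the From: line is whatever the person composing the message chose to write, and nothing on the receiving side verifies it against the account that actually sent it. The Python example below is added here and is not code from the article, from the IU study or from UITS. It composes a message of the kind the experiment used and then shows one check a support desk could run on a message a student reports: the Received: header that the university's own mail exchanger stamps on arrival records the host that really connected, and a message that claims an indiana.edu sender but arrived from an outside host deserves a closer look. All addresses, host names, timestamps and the landing URL are invented for the example.

```python
"""
Added example, not code from the article or the IU study.  The From: header is
text chosen by whoever composes the message; the receiving system does not check
it.  What the sender cannot control is the Received: header written by the
recipient's own mail exchanger, which records the host that actually connected.
Names, addresses, hosts and the landing URL are invented for this example.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr


def craft_spoofed_phish(target, acquaintance, landing_url):
    """Compose the kind of message the study describes: From: carries an
    acquaintance's address even though someone else is sending it."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = acquaintance      # nothing stops us writing any address here
    msg["To"] = target
    msg["Subject"] = "check this out"
    msg.set_content("Thought you would like this: " + landing_url + "\n")
    return msg


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def boundary_hop(msg, trusted_domain):
    """Return (from_host, by_host) from the Received: header written by the
    organisation's own mail exchanger, i.e. the first hop the sender could not
    forge.  Received: headers are prepended at each hop, so newest comes first;
    anything below our own MX's header could have been written by the sender."""
    for hdr in msg.get_all("Received", []):
        flat = " ".join(str(hdr).split())
        by = re.search(r"\bby\s+([\w.-]+)", flat)
        frm = re.search(r"\bfrom\s+([\w.-]+)", flat)
        if by and frm and in_domain(by.group(1).lower(), trusted_domain):
            return frm.group(1).lower(), by.group(1).lower()
    return None


def spoof_findings(raw, trusted_domain="indiana.edu"):
    """Flag a message whose From: claims trusted_domain but which reached the
    trusted mail exchanger from an outside host.  Returns a list of findings;
    an empty list means the check found nothing to report."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = []
    if from_domain != trusted_domain:
        return findings          # only internal-looking senders are checked
    hop = boundary_hop(msg, trusted_domain)
    if hop is None:
        findings.append("no Received: header written by a %s mail exchanger"
                        % trusted_domain)
        return findings
    from_host, by_host = hop
    if not in_domain(from_host, trusted_domain):
        findings.append("From: claims %s but %s received it from %s"
                        % (from_domain, by_host, from_host))
    return findings


# Constructed sample: what the study's message might look like on arrival.
SPOOFED = b"""Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx1.indiana.edu with ESMTP; Wed, 27 Apr 2005 10:02:11 -0500
From: friend@indiana.edu
To: student@indiana.edu
Subject: check this out

Thought you would like this: http://www.example.com/login
"""

# Constructed sample: a genuine on-campus message for comparison.
GENUINE = b"""Received: from webmail.indiana.edu (webmail.indiana.edu [198.51.100.7])
\tby mx1.indiana.edu with ESMTP; Wed, 27 Apr 2005 10:05:40 -0500
From: friend@indiana.edu
To: student@indiana.edu
Subject: lunch?

Noon at the union?
"""

if __name__ == "__main__":
    print(craft_spoofed_phish("student@indiana.edu", "friend@indiana.edu",
                              "http://www.example.com/login"))
    print("spoofed:", spoof_findings(SPOOFED))
    print("genuine:", spoof_findings(GENUINE))
```

The check inspects only the Received: header added by the organisation's own mail exchanger, because every header beneath it travelled with the message and could have been written by the sender along with the From: line. It is a prompt for suspicion rather than proof: a real friend mailing from an off-campus account will trip it too, so a help desk would treat a finding as a reason to ask where the link leads, not as a verdict.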
Chief Information Technology Security and Policy Officer Mark Bruhn said in an e-mail that Jagatic and Johnson probably did not inform UITS about the study because "they wanted the Support Center to react the way they would normally, should they get a call about such an e-mail received by an IU user."

-- Contact Staff Reporter Colleen Corley at ccorley@indiana.edu.
