mPrint Privacy Violations
Thursday, August 31, 2006
mPrint is a useful service provided by ITCS of the University of Michigan to allow web-uploaded documents to be printed on campus printers. Unfortunately, the designers of mPrint included several "features" that violate the privacy of its users without their knowledge.
Previously, mPrint consisted of a simple form to upload documents and select a printer to send the job to. This was an extremely useful service if a user had internet access but did not have any University printers locally configured on their computer.
Recently, mPrint was upgraded with a more extensive interface that provides individual printer queue statistics, including the status, time, size, uniqname, and filename of print jobs from all users of that printer. The queue details are available in real time for hundreds of printers across the University.
Filenames of documents can often be sensitive in nature, even if only in an implicit way. For example, if a supervisor noticed an employee printing out a document titled 'resume.pdf', they might fire the employee out of spite if they believed the employee was looking for a new job. If an incident of a similar nature occurred, the University could be considered legally liable for damages for publicly displaying the employee's private information.
In addition, by collecting the queue information over an extended period of time, it would be possible to track the movement of mPrint users across the campus based on printer locations and develop a profile of their daily activity.
mPrint's extended interface offers two useful features:
- showing printers with a high number of jobs so that users can avoid delays
- showing what printer a user's job was directed to
These features can be implemented without exposing the information of others:
- a simple count of active/pending/completed jobs can identify busy printers
- a user's jobs can be displayed only for that specific user instead of all users
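One way to implement the two replacements listed above, as an added example that is not mPrint's code: a public view that exposes only per-printer counts, and a private view that returns job details solely for the logged-in user. The record schema, function names and sample jobs are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample records. Field names follow the fields the post lists
# (status, time, size, uniqname, filename); the schema itself is an assumption.
QUEUE = [
    {"printer": "lib-2f", "status": "active", "time": "09:01", "size": 120,
     "uniqname": "alice", "filename": "resume.pdf"},
    {"printer": "lib-2f", "status": "pending", "time": "09:02", "size": 900,
     "uniqname": "bob", "filename": "thesis.pdf"},
    {"printer": "lib-2f", "status": "completed", "time": "08:40", "size": 15,
     "uniqname": "carol", "filename": "notes.txt"},
    {"printer": "union-1", "status": "pending", "time": "09:03", "size": 300,
     "uniqname": "alice", "filename": "slides.pdf"},
]
STATUSES = ("active", "pending", "completed")
OWNER_FIELDS = ("printer", "status", "time", "size", "filename")


def printer_load(jobs):
    """Public view: per-printer job counts by status, with no per-job fields."""
    counts = Counter((j["printer"], j["status"]) for j in jobs)
    printers = sorted({j["printer"] for j in jobs})
    return {p: {s: counts[(p, s)] for s in STATUSES} for p in printers}


def jobs_for(jobs, viewer):
    """Private view: job details only for the authenticated viewer's own jobs.

    `viewer` must come from the server-side login session, never from a
    request parameter; None means anonymous and yields no job details.
    """
    if viewer is None:
        return []
    return [{k: j[k] for k in OWNER_FIELDS} for j in jobs if j["uniqname"] == viewer]


if __name__ == "__main__":
    print(printer_load(QUEUE))
    print(jobs_for(QUEUE, "alice"))
```

Because the filtering happens before the response is built, other users' uniqnames and filenames never leave the server, so nothing remains to be scraped or logged over time.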
I have contacted the mPrint team and requested the removal of the violating data.
UPDATE: It appears that the mPrint team has honored my request and blanked out the Uniqname and Title fields in the printer queue output: