Sophos Cloud Optix
When parents send their kids (who at that point are legally adults) off to college, they expect not only that they will be educated, but that they will be living in a safe place with a reasonable measure of personal privacy.
Most higher-ed institutions provide at least a measure of that. But when it comes to the privacy of students’ personally identifiable information (PII), not so much. Besides dates of attendance, courses of study, honors and awards and any degrees earned, a lot more is there for the asking – name, home address, school address, email address, telephone number, date and place of birth, possibly even height and weight and some medical records – for just about anybody at a US higher education institution.
This is in spite of, or perhaps because of, the 1974 federal law that sounds like it would protect student PII – it’s titled “The Family Educational Rights and Privacy Act” (FERPA). That law requires “education records” to be kept private, but not “directory information”.
And, says Leah Figueroa, a data analyst who has worked in higher education for 13 years, directory information is being shared without the knowledge or consent of the students – unless they have the savvy to put a “privacy hold” on it, which as a practical reality is about as likely as people reading all the way through a “privacy policy” and “terms of use” statement before clicking “agree” to use an operating system, a social media site or their favorite mobile app.
At one level, this may sound low risk – the kind of information that, as Bret Cohen, an attorney at Hogan Lovells with a focus on student privacy and data collection, put it, “would be typically published in a student directory provided to other students, or in a program handed out at a school athletic event”.
It’s just that the days are long gone when that information was just on paper and pretty much stayed on campus, or was sought mainly by researchers or employers looking to verify a candidate resume. In a digital world, thousands of those records can go anywhere, instantly.
And they do, said Figueroa, who now works at a community college in Texas (that’s as specific as she wants to get). She estimates that the college provides an average of 90,000 student records per year. If the requests come under the Freedom of Information Act (FOIA), “we’re not even allowed to vet them,” she said.
According to FERPA, directory information, “would not generally be considered harmful or an invasion of privacy if disclosed”. But Figueroa said colleges can pretty much decide what to include, which could mean a student photo, student ID and parents’ names, address, and where they were born, in addition to the list above.
She said while many of the requests are legitimate – from researchers or other colleges seeking to recruit students – some are likely coming from predatory loan companies or other kinds of aggressive marketers. A stalker could even find out the dorm address of a student.
That directory information, along with any degrees earned and dates of attendance is enough to, “create fake identities, to dox people, to do just about anything,” she said.
Figueroa presented a talk on the topic in April at Infosec Southwest titled “FERPA: Only Your Grades Are Safe – OSINT in Higher Education,” and more recently in a Skytalk at Defcon in Las Vegas. Paul Roberts, editor-in-chief of the Security Ledger, also featured her in a recent podcast.
In that talk, she described doing her own small survey of colleges to see what they would turn over. In one case, she said for $50 the institution sent her directory information (emailed and unencrypted) on more than 22,000 students that included the names and addresses of the parents of international students.
Another privacy hole can be medical records, which generally fall under the Health Insurance Privacy and Accountability Act (HIPAA). But Figueroa said a student’s medical records can lose HIPAA protection if anyone but the designated provider requests them – even the student.
Then they suddenly become education records, and they lose all HIPAA protection.
Yes, students do have the right to put a so-called “privacy hold” on their directory information, but Figueroa says most educational institutions aren’t very proactive or consistent about letting them know about it or how to do it.
There’s no standardized way that you have to let students know. Some places it’s on the website, some in catalog, school fact book or some other esoteric place. Some schools let you just sign in with your ID to opt out, some you have to be physically present.
Cohen said the law does require that schools provide notice of the types of information considered “directory,” and the right to opt out. But he added that “there is probably room for privacy-conscious schools to make this information more readily available”.
Figueroa said she sometimes feels like she’s on a one-woman crusade. But she has company. The Electronic Privacy Information Center proposed a Student Privacy Bill of Rights in March 2014 that called for, among other things, making it easier for students to access and amend their records, to limit the collection and retention of records and to forbid using it “to serve generalized or targeted advertisements”.
EPIC also sued the US Department of Education in 2012 over what the group said were “unlawful” changes to privacy provisions in FERPA, but that went nowhere – it was dismissed in September 2013, with the court finding that neither EPIC nor co-plaintiffs had standing.
Still, Cohen said there has been progress. He cited the Data Quality Campaign, which reported that from 2013 through September 2016, “36 states passed 73 student data privacy bills into law. Congress has introduced a number of student privacy legislative proposals, and more than 300 education technology providers have taken the Student Privacy Pledge since it was introduced at the end of 2014.” He added that
… while there is room for FERPA to be modernized, I think that the most impactful way to protect student privacy right now is to better inform students and parents of their rights.
Theresa Payton, CEO of Fortalice and a former White House CIO, agreed.
I would love for students to be able to opt-in/opt-out of having their information shared and fully understand the implications of the state of their personal privacy. I’d also like to see more anonymization of student data for research purposes and trend forecasting.
Figueroa said the bottom line is that the risks from handing out that information to whoever asks is more of a threat than students, or even their parents, realize. “It’s a treasure trove of PII that you can use to do all kinds of things,” she said.
This is an oversimplified and misleading summary of FERPA. FERPA governs the release of “directory information” Directory information varies from institution to institution and does not contain the same data elements from one school to the other necessarily. Additionally FERPA states that institutions “may release” directory information, but does not require them to do so. Educational institutions do protect the privacy of student data.
Thanks for the comment – we welcome all views. But you don’t provide any specifics that prove the assertions presented aren’t true. It says right in the language of FERPA that “directory” information can be released without a student’s knowledge or consent. And in a digital world, that’s significant. Perhaps you work for an institution that does “protect student data.” That’s good. But there are plenty that don’t.
I would agree with Matt, this is oversimplified and misleading. You asked him to “prove the assertions presented aren’t true”, but haven’t done much in your article to prove that most of your points are true.
– It is a big leap from a small informal survey of schools to your primary point that all college student’s private information is publicly available for the asking.
– Making a list of data that COULD be available doesn’t mean that all of that information is available for most people.
– Directory information is clearly defined by most colleges, and the fact that it can be shared is clearly stated. Most colleges also have clear, simply procedures for opting out. A simple Google search will find the policy (based on my small, informal survey).
– If the college is a HIPAA covered entity, they are responsible for complying with HIPAA. If the student requests their medical records, the college is still required to comply with HIPAA. It doesn’t stop just because someone requested them.
You need to read the full legislation. FERPA requires annual notification to students for all institutions of those student’s FERPA rights. The rights include restriction of directory release information. To say FERPA allows for the release of student data generally, without a student’s knowledge or consent is patently false. FERPA authorizes disclosure without consent under a limited number of circumstances including law enforcement issues, health and safety issues, and to university officials within the institution that have a need to know. Your article implies institutions are sharing student data whenever they want without student knowledge which just isn’t true.
Thanks for the discussion. I’m sure it’s true that some institutions guard student data more aggressively than others. Neither the story here nor the sources for it said every school handles things the same way. Here is some of the relevant language in FERPA:
“Directory information includes, but is not limited to, the student’s name; address; telephone listing; electronic mail address; photograph; date and place of birth; major field of study; grade level; enrollment status (e.g., undergraduate or graduate, full-time or part-time); dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors, and awards received; and the most recent educational agency or institution attended.”
The law allows that info to be released without the student’s knowledge or consent.
The reality is that this is enough information there to create a fake identity. Perhaps not all schools provide all this to anyone who asks. But enough do that it is worth being concerned about it.
Most colleges do not have opt out information in an easy to find fashion nor do most students even know that they have a right to do so. While I requested data from only a handful of schools in my research, I spent time trying to find out opt notices and procedures for many schools across the US and it isn’t an easy find for many of them. I looked at over 40 different institutions ranging from community colleges to universities.
With regard to the HIPAA clause, the DOE has weighed in on the loss of HIPAA protections under specific conditions (An eligible student’s treatment records may be disclosed for purposes other than the student’s treatment, provided the records are disclosed under one of the exceptions to written consent under 34 CFR § 99.31(a) or with the student’s written consent under 34 CFR § 99.30). The DOE also holds that those records convert to only FERPA protected records. “Under Ferpa, if the institution discloses treatment records to anyone other than the treatment provider or another professional of the student’s choice, the records become education records, and all of the Ferpa provisions,” including the disclosure exemptions, “then apply to those records,” the statement says. “Thus, Ferpa would permit the treatment records to be disclosed in litigation between the student and the institution if the records are relevant for the institution to defend itself.”
FERPA rules require a posting of what constitutes student records in only one place. Many colleges post it in the course catalog, where students are not likely to look, and FERPA allows sharing of student directory information without notification as long as a student has not opted out.
This is not responsible handling of student data.
I hope this clarifies the issue for you.
Just why does it need to be exact date of birth? Wouldn’t year of birth provide enough information to help verify the individual. Identity theft is on the up and up and I personally am not at all surprised given the way our data is being managed by sections of society. When you dare to question it you just seemed to be viewed as a troublemaker.
To me the more alarming matters for student privacy involve universities’ increasing reliance on software companies to gather and manage data, for admissions, academic advising, and even electronic organizing of clubs and organizations. Students’ co-curricular activities can now easily be tracked and through software companies colleges contract. I don’t think many of us are very careful to see what the privacy policies of those software companies are. What are they doing with all the student data they gather? Some of that big data can be great for the campus– you can see whether or not attending campus events is correlated with GPA, or if being a first-generation student is correlated with attending events or with GPA, etc, etc. But that data is probably also useful to those with commercial and government interests. What are campuses doing to be sure that these software companies adhere to our privacy policies and how are students informed about what will happen with the data on their educational activities?