The Lack of Virtual Privacy

Report: ‘High Degree' of Security Is Needed to Combat Collectors of Student Information

A student majoring in math receives a credit card, but is turned down for a new card when he changes his major to rhetoric. The card distributor obtained the information off a college computer network.
A hacker "borrows" a student's Social Security number and uses it to retrieve even more personal information about his target. He then impersonates the student, running up large debts.
A student is distraught because her digitized photograph was transmitted on a departmental home page on the World Wide Web without her consent. Now, it will be easier for a man who has stalked her to track her down.
Fiction? Not any more. Gone are the days when student information was simply stored in rows of file cabinets in the basement of the student services building or input into simple databases housed in the central computer administration building.
The introduction of sophisticated new technology into admissions, registrar's, bursar's, financial aid, and student advising offices has cut down on paperwork, streamlined administrative functions, and made information access more efficient.
But along with those advantages, higher education information technology experts warn that virtual learning and administrative environments pose an even greater threat to student privacy protections, particularly beyond campus boundaries.
A recent report raises troubling questions about whether the federal Family Education Rights and Privacy Act, passed by Congress in 1974, still can guard against privacy issues unheard of 25 years ago when the  law  was enacted.
The report, Privacy and the Handling of Student Information in the Electronic Networked Environments of Colleges and Universities, recommends that colleges and universities press for that law to be brought up to speed for today's electronic landscape.
"As institutions embrace information technology to enhance teaching and learning, streamline business processes, and improve student services, they are finding information technology to be both a bane and a blessing with regard to privacy," it says.
"There is a delicate balance between the responsibility for maintaining student privacy rights and the responsibility for providing effective and efficient services to students," the report states.
The 53-page document urges institutions to convene special panels, with members from every campus constituency, to delve into the student records privacy issue and draft policies tailored for each individual college and university.
The report was produced by CAUSE, a national group that promotes information technology in higher education, but has since merged with EDUCOM to form a new higher education organization called EDUCAUSE.
The document "does not prescribe what policy should be for every campus with respect to privacy," writes former CAUSE President Jane Norman Ryland. "It identifies the primary privacy principles involved" and recommends campus-based solutions.
 "Students have an expectation of privacy," says Dr. Clare W. Goldsmith, deputy director of academic computing services at the University of Texas-Austin and a member of the task force that produced the report.
Colleges "ask for transcripts and demographic information for scholarships. The institution builds up this information about the students. It belongs to them," Goldsmith says. "Students would like to be able to control who knows this information."

File-Cabinet Past Put on Ice
The report notes that grades and transcripts were the most crucial student information of yesterday's students. When they wanted to access those records, a clerk had to search through file cabinets to find the information.
But technology has grown so ubiquitous today that students use computer-coded card keys to enter campus buildings, purchase meals and books, and access online library resources with barely a second thought.
"Most institutions are also exploring methods for giving their students electronic network access to their own grades, transcripts, course schedules, and other information," the CAUSE report states.
Yet computerized card keys, network access, and other technologies can make personal information more easily accessed outside of the college or university unless institutions maintain a high degree of security, the report warns.
In addition, the Internet, e-mail, the World Wide Web, digitized signatures and photographs, desktop video, electronic data interchange, and data warehouses all pose certain security risks for colleges and universities.
A number of high-tech tricks can be used to help maintain the sanctity of student records, including "firewalls" — electronic devices that restrict access between an internal computer network and a public one.
Many corporations use such devices to protect their computer networks. But Goldsmith says that because colleges often interact with the public, "it would be very difficult to have firewalls" for many aspects of a college's network.
He advocates the use of digital certificates or signatures, where an independent third party provides verification that computer users really are who they claim to be. The University of Texas will begin a pilot digital signature project later this year.
He also recommends encrypting sensitive information, which means scrambling the data and requiring the receiving party to decipher the text before it can be read. That helps safeguard against computer interlopers.
Other electronic safeguards, such as token cards and smart cards, operate not only on a user ID and password but by virtue of the cards themselves. One-time passwords are based on the concept that authenticity must be unique at each usage.