De-regulatory compliance?

[Image caption: Oh, so your school has a research program for violence against women? Tell me more about how they publish your home address and phone on the web.]

Over the course of any given week I typically receive several inquiries about compliance with Payment Card Industry Data Security Standard and several more about one of the non-card regulatory regimes such as the Health Insurance Portability and Accountability Act (HIPAA) or the EU Privacy Directive. Working so often with businesses in regulatory compliance environments, I had come to believe that we had made some progress on security and privacy. Since joining IBM in 2006, I have seen WebSphere MQ security practices go from almost nobody attempting any security to most people attempting it and a significant portion of those getting it right. Woo hoo! The Internet is almost safe for commerce and privacy.

Or is it?

Over the Thanksgiving holiday I discovered what must be the Wild Wild West of privacy at a state-run university, and I had a lot less to be thankful for.

First a little background. The university in question is a public state school. Among their other programs they have a center that researches violence against women. The center’s web site has a number of resources describing the problem of violence against women in excruciating detail. I literally wept reading some of these papers. The National Institute of Justice study The Sexual Victimization of College Women found that 2.8 percent of female students are victimized by rape or attempted rape each academic year. Extrapolating that risk over several years, the study found that:

Over the course of a college career—which now lasts an average of 5 years—the percentage of completed or attempted rape victimization among women in higher educational institutions might climb to between one-fifth and one-quarter.

As you sit in a lecture hall, cafeteria, student lounge, or just stroll across a college campus, look around you. Count the female students you see and consider that one in every four or five will be victims of rape or attempted rape before they graduate. Of those, the study found 22.8% were victims on multiple occasions. And this study only focused on rape. Add in numbers for stalking, battering and other types of abuse and you begin to grasp the magnitude of the problem.

I am absolutely thrilled that this university chose to take a stand on this issue and charter a center dedicated to researching the problem and finding solutions. But at the same time, I cannot help but wonder what the Director and Fellows of this research center think about their school’s policy to publish the home addresses and personal phone numbers of their students, and in particular their female students. They saw fit to link from their web site to the Stalking Resource Center which provides the following advice about protecting your personal information:

It is also important for victims of stalking to remain diligent about protecting their personal information that could be saved in databases. Businesses, for example, collect personal information about people, including addresses, phone numbers, last names, etc. This information can sometimes be accessed and exploited by stalkers. … Victims are encouraged to consider who might have their personal information. They should instruct businesses to not give out any personal information.

Seems reasonable, right? I contacted the president of the university by email explaining that their directory serves up student home address and phone numbers to anonymous web users. There is an option to hide these fields but the student must submit a request. I asked why the university would adopt a policy to list personal contact information as the default rather than to protect it by default, and pointed out that their home state’s policy is to require a court order to disclose this same personal information.

I had expected to receive a response stating that this was an oversight and that the web site would be updated immediately so as not to render home address and phone numbers. On previous occasions when I’ve made similar notifications about other web sites, this kind of remedial action has always been addressed with a very high priority and completed within a day or two at most.

Not this time.

Instead of a reply from the University president or someone from the IT department, today I received a response from their head counsel. Not only is the policy deliberate, but it turns out that there is a lot more information available than I realized. The response quoted Federal law which defines what elements are considered “directory information” and thus public record.

Under the terms of FERPA, 20 USC §1232g(a)(5)(A), “the term ‘directory information’ relating to a student includes the following: the student’s name, address, telephone listing, date and place of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, and the most recent previous educational agency or institution attended by the student.” The University takes student privacy very seriously. For security purposes and with concern about possible identity theft, the University recently revised its definition of directory information and no longer includes date of birth. University officials regularly research our benchmark institutions’ definition of directory information; the research shows that [our] definition of directory information is very similar to most of our benchmark institutions.

I don’t know which disturbs me more, that by removing date of birth the University seems to believe it has gone above and beyond the call of duty to protect its students, or that name, address, telephone listing, date and place of birth, and potentially your weight and height are considered public information under FERPA.

The reply continued on to explain that students can elect to have their directory data made private but that doing so might have unanticipated negative consequences.

Students have the right to withhold the release of Directory Information. To do so, a student must complete a [form], available from the Office of the University Registrar. It should be noted that if a student asks for Directory Information to be withheld, then the University cannot acknowledge the fact of the student’s enrollment to anyone who requests verification of enrollment. The information will be withheld from a variety of sources, including: the student, friends, relatives, prospective employers, honor societies, the news media, and lending agencies for deferring loan repayments. Each student is advised to carefully consider the consequences of a decision to withhold Directory Information.

Wow. Once you mark your directory entry as private, not even YOU can verify your enrollment and all your student loans come due. If I were a predator, I could not dare hope for stronger incentive than that to compel students to disclose their personal information online.

I was also informed that the state privacy laws I had found apply only to state agencies. One would think that a state university would be a state agency but apparently not.

[The state’s institutions of higher education] are created by separate statutes and are not a part of the legislative, judicial, or executive branches; thus, those laws and regulations are not applicable to the state’s institutions of higher education. Most institutions have their own privacy regulations.

Well, that explains it then. The closest thing to a governing law is FERPA and within that context, each university is permitted to formulate their own privacy policy. I wonder what the privacy policies of all the universities that DON’T have a center dedicated to researching violence against women look like. They are probably the ones listing your height, weight and date and place of birth. Frankly, I’m scared to go look.

Interestingly, your grades and class schedule are considered personal. Also interesting is that in all the contexts that I found for which there is explicit state law — health information, financial information, belonging to a class of people at elevated risk such as police, public officials and, yes, state employees — home address and phone numbers are protected. There’s another category of people at elevated risk not mentioned in the state’s laws and who the university does not recognize, despite running a center researching violence against that exact population and having the freedom to enact their own privacy policy. This is a pop quiz. Raise your hand if you know the population at elevated risk that I’m talking about.

Now when people complain to me about the burdens of regulatory compliance I have a new option for them. Move your business to one of the few states that still lack privacy protection for their citizens and you will enjoy a considerably lighter compliance burden. Be sure to bring your daughter.

[Update 29 Nov, 2011: Research Center Director responds.]

About T.Rob

Computer security nerd. WebSphere MQ expert. Autist. Advocate. Author. Humanist. Text-based life form. Find me on Facebook, Twitter, G+, or LinkedIn.