Research Center responds

My last post described my experience of discovering that a state-run University’s policy is to disclose the home address and phone numbers of all its students by default on its online directory. I was all the more surprised to discover that the same University is home to a research center dedicated to the study of violence against women. Since college women in particular are susceptible to violence, I wondered what the center’s leadership thought of the University’s policy. The good news is that they not only share my concern but have been working to change the policies.

The Center’s Director provided the following response:

I am aware of the University’s practice with respect to directory information – which I understand is based on the federal law. I have had concerns of my own with respect to protecting students’ identifying information and was involved with a student group and others in having the university narrow the list of what is available on line.  Additionally, and importantly, however, we work to advertise the University’s mechanism that allows any student to prevent that information from being released.

I’m quite relieved to hear that the Center is actively participating in the discussion with the students and University leadership.  Presumably, this involvement was at least partially influential in the school’s decision to remove birth date from the public directory.  Although this is a victory for privacy and safety of students, I cannot imagine how frustrating it must be for the leaders of the research center that their host organization takes a position which their own research proves places students at risk.

The Stalking Research Center (not affiliated with this University) advises victims to safeguard their address and phone information and has an entire section describing how perpetrators use technology to attack victims.  Many states operate address confidentiality programs which provide mail forwarding and other services to hide victim addresses.  If protecting your address and phone number are effective preventative measures for victims, surely they are good practice for those who wish to avoid becoming a victim.

I was unable to find any studies that differentiated rates of rape and other violence based on school privacy practices; however, the victim advice and state address confidentiality programs are good indicators that there must be a measurable difference. Even if it is only a fraction of a percent, the fact that it is measurable means that at least one person became a victim as a direct result of the school’s policy. Think about that for a minute. If my assumptions are correct — and they seem conservative to me — then there are women living in the aftermath of rape or attempted rape as a direct result of their University’s official privacy policy, which disclosed their home address over the Internet.

And if that is true, then there must also be some number of future victims who could be spared simply by changing the school’s privacy policy and removing their personal information from the public directory. The actions I proposed to the University’s President in my original email would be a good start:

  • If there is a valid use case for student home address and phone numbers to be publicly listed, then at the very least these fields should default to private and require the student to explicitly opt in to expose their personal data.
  • The opt-in selection should revert to “private” once a semester or at minimum once a year, requiring the student to periodically reaffirm their desire to expose their personal information.
  • Ideally, it should not be possible to obtain home address and phone number over an unauthenticated online directory.

As the Center Director noted in the reply, there is an option for students to hide their personal information or make the entire directory entry private and the Center works to make sure that this option is widely advertised.  If it is the case that there are many students who don’t know about this and would choose to hide their data if they did, then it is very likely that the cost of administering the opt-out program would exceed the cost of hiding the personal data from unauthenticated queries.  Indeed, I found dozens of home addresses in a matter of minutes just browsing around.  Unless the awareness campaign is extremely successful and there are very few who would choose to hide their data but still don’t know, then it actually costs more to expose the data and manage the opt-out process than it would to modify the directory application to hide it.

Think about that for a moment.  What if this University’s privacy policy contributes directly to campus violence — women raped because of it — and the program operates at a net loss?

One final thought.  Most states have enacted privacy laws that attach to the data and not to the context.  In other words, personally identifiable data is regulated regardless of whether it is attached to school records, health records, financial records or any other context.  A home address is a home address, wherever it lives.  A few states have no such legislation and within those states, schools are allowed to set their own policy.  In his response to my initial query, the University’s legal counsel stated that:

University officials regularly research our benchmark institutions’ definition of directory information; the research shows that [our] definition of directory information is very similar to most of our benchmark institutions.

So, yes, I’m writing about one school, but the situation is by no means limited to that school or even schools in general, and this school’s position is that it is on par with its peers. Depending on your state laws, you may face this same situation from schools, retail stores, mechanics, your gym or any other vendor. It seems to be the case that if the law allows custodians of your data to operate in an opt-out mode (forcing you to assert your option to privacy with every individual merchant or vendor) they will. As the University’s legal counsel so eloquently demonstrated, policy making tends often to be based on industry peer practices rather than principles of right and wrong. Until the laws catch up with the information age, this will continue to be the norm. If this concerns you, follow up with one or more of these web sites:

About T.Rob

Computer security nerd. WebSphere MQ expert. Autist. Advocate. Author. Humanist. Text-based life form. Find me on Facebook, Twitter, G+, or LinkedIn.