My last post described my experience of discovering that a state-run University’s policy is to disclose the home addresses and phone numbers of all its students by default on its online directory. I was all the more surprised to discover that the same University is home to a research center dedicated to the study of violence against women. Since college women in particular are susceptible to violence, I wondered what the center’s leadership thought of the University’s policy. The good news is that they not only share my concern but have been working to change the policies.
The Center’s Director provided the following response:
> I am aware of the University’s practice with respect to directory information – which I understand is based on the federal law. I have had concerns of my own with respect to protecting students’ identifying information and was involved with a student group and others in having the university narrow the list of what is available online. Additionally, and importantly, however, we work to advertise the University’s mechanism that allows any student to prevent that information from being released.
I’m quite relieved to hear that the Center is actively participating in the discussion with the students and University leadership. Presumably, this involvement was at least partially influential in the school’s decision to remove birth date from the public directory. Although this is a victory for privacy and safety of students, I cannot imagine how frustrating it must be for the leaders of the research center that their host organization takes a position which their own research proves places students at risk.
The Stalking Research Center (not affiliated with this University) advises victims to safeguard their address and phone information and has an entire section describing how perpetrators use technology to attack victims. Many states operate address confidentiality programs which provide mail forwarding and other services to hide victim addresses. If protecting your address and phone number is an effective preventative measure for victims, surely it is good practice for those who wish to avoid becoming a victim.
- If there is a valid use case for student home addresses and phone numbers to be publicly listed, then at the very least these fields should default to private and require the student to explicitly opt in to expose their personal data.
- The opt-in selection should revert to “private” once a semester or at minimum once a year, requiring the student to periodically reaffirm their desire to expose their personal information.
- Ideally, it should not be possible to obtain home address and phone number over an unauthenticated online directory.
As the Center Director noted in the reply, there is an option for students to hide their personal information or make the entire directory entry private, and the Center works to make sure that this option is widely advertised. If it is the case that there are many students who don’t know about this and would choose to hide their data if they did, then it is very likely that the cost of administering the opt-out program would exceed the cost of hiding the personal data from unauthenticated queries. Indeed, I found dozens of home addresses in a matter of minutes just browsing around. Unless the awareness campaign is extremely successful and there are very few who would choose to hide their data but still don’t know, it actually costs more to expose the data and manage the opt-out process than it would to modify the directory application to hide it.
One final thought. Most states have enacted privacy laws that attach to the data and not to the context. In other words, personally identifiable data is regulated regardless of whether it is attached to school records, health records, financial records or any other context. A home address is a home address, wherever it lives. A few states have no such legislation and within those states, schools are allowed to set their own policy. In his response to my initial query, the University’s legal counsel stated that:
> University officials regularly research our benchmark institutions’ definition of directory information; the research shows that [our] definition of directory information is very similar to most of our benchmark institutions.
So, yes, I’m writing about one school, but the situation is by no means limited to that school or even schools in general, and this school’s position is that it is on par with its peers. Depending on your state laws, you may face this same situation from schools, retail stores, mechanics, your gym or any other vendor. It seems to be the case that if the law allows custodians of your data to operate in an opt-out mode (forcing you to assert your option to privacy with every individual merchant or vendor), they will. As the University’s legal counsel so eloquently demonstrated, policy making tends often to be based on industry peer practices rather than principles of right and wrong. Until the laws catch up with the information age, this will continue to be the norm. If this concerns you, follow up with one or more of these web sites:
- State-by-state security breach laws and privacy laws