Archive for May, 2007

Securing My Academic Transcript

I just ordered several transcripts from my university, which I will need to distribute to several organizations, for different reasons. If the transcript seal is broken, the transcript is no longer official.
As you’re probably aware, transcripts come in sealed envelopes. If the envelope seal is broken, the transcript is no longer “official.”

Most organizations I send transcripts to have no need for my Social Security Number. I can easily give them my SSN if the require it for legitimate reasons, such as tax purposes. So, I decided to break the seal, and remove my SSN from all but one of my transcripts, with a razor blade. I’ve found that black marker just doesn’t do the trick. Besides, this really gets the point acrossI removed my SSN from the transcript with a razor blade..

I re-sealed the envelope, and enclosed the following letter:

To Whom It May Concern:

At the advice of state and federal officials and numerous experts, and because of the extreme risks associated with disseminating my Social Security Number, I have removed my SSN from this document. Though I recognize that breaking the envelope seal transformed this transcript from an “official” to “unofficial” transcript, I certify that I have made no other changes to the document.

George Washington University refused my request to remove my Social Security Number from the transcript. George Washington University is one of a small minority of nationally ranked universities that do not allow students the protection of withholding Social Security Numbers from transcripts or other official university documents. I am told they plan to change their policy in the near future.

Countless states Attorneys General have issued warnings similar to the Washington, D.C. Attorney General, “avoid providing your social security number or other personal information to prospective employers [or other organizations] until you have verified the legitimacy of the organization and their need to verify your background.” A few states have even outlawed placing the Social Security Number on transcripts and other academic documents altogether.

I regret that I must resort to these measures to ensure the protection of myself and my family.

If this organization requires my Social Security Number for legitimate tax or background check purposes, I will be pleased to provide the information in the future. However, as this date, I am not aware of any such requirement.

Do not hesitate to contact me if you have any questions or concerns.

Sincerely,

Aaron Titus

I’ll let you know how it goes.

No Comments

The Way Things Really Are

HOW DO YOU CHOOSE A MEDIUM DUTY TRUCK AND UPFIT?
Choosing your business’s next Isuzu commercial truck is no easy feat. One of the first things a business owner should do is assess the scope and scale of their business operations to determine their specific needs. From landscaping to moving/delivery, laundry service, party rental, refrigerator trucks and others, your vocation will help guide your must-haves when upfitting your next work truck. Check out the best kenworth truck auctions.

DO YOU PLAN TO BUY NEW OR USED?
Operating a new truck is a positive part of your brand image. If this is important to you, a new vehicle can help show the prestige of your business. One potential drawback to purchasing a new work truck is that trucks, like all vehicles, take on wear and tear that could cause the value to diminish quickly.

Buying a used commercial work truck is different than buying a used consumer vehicle. If a used model has been towing at or near the weight capacity frequently, it will wear down the engine quicker. Because of the wear and tear put on commercial vehicles, buying a used vehicle does come with a bit of risk. Considering how much risk you are willing to take is an important part of determining if a new or used vehicle is right for you and your business.

WHAT ARE YOU HAULING/TOWING?
Depending upon what type of work you do, you may need a lot of towing capacity. If you operate in a climate with a lot of snow and ice, towing capacity might be more crucial to your operations. Isuzu has GWVRs from 12,000 to 25,950 lbs. and payload allowances up to 15,690 lbs. Compare models.

Additionally, if you have a lot of tools and rideable machinery, it might be more important to have a bed that offers the ability to drive the mowers right up on to the bed of the truck. This adaptability is offered on most new Isuzu Models. A box truck or flatbed is a better option for businesses that operate in tight spaces like the urban environment of Detroit, MI, because of the maneuverability compared to a conventional truck with a trailer attached to it. Learn more about our upfitters.

Isuzu N-Series Class 5
DO YOU PLAN TO BUY OUTRIGHT, FINANCE OR LEASE?
Many business owners might think it is best to buy a vehicle if they have the cash on hand. While there are benefits to this thought process, it is not always the best option. Oftentimes, financing a vehicle with a loan or a lease option are better choices. Not only does it cost much less up-front to take possession of your new commercial truck, but there also are incentives/specials, the ability to upgrade, and with a lease option, you pay only for the use of the truck. Learn more about purchasing options.

No Comments

Wireless Medical ID Theft

Identity thieves use many tactics to gather sensitive personal information.  Some check your mailbox.  Others dumpster-dive.  But now a more sophisticated identity thief might be found slowly cruising medical park parking lots with a laptop.

Off work and out of school, I spent the week between Christmas and New Years, December 2006, taking care of a friend at Sibley Hospital.  During the long hours of sitting in the hospital and doctors’ offices, I tried to keep myself productive with my laptop, which proved surprisingly difficult without internet access. I scanned the 6th floor of the Hospital, and found 13 wireless networks, all of which were private and inaccessible.  That was understandable, but bad news for my productivity.

Many businesses have begun to recognize the increasing dependence their customers have on internet connectivity.  Consequently they, along with local governments and even hospitals and doctors offices now offer “Hot spots,” or areas of free internet access to patrons.  Complimentary internet access has even become an expectation in many places.

Down in the cafeteria, I began to wonder if all medical facilities were as careful as Sibley Hospital about securing their wireless networks.  After all, any time you mix open wireless networks with medical information, you run the risk of exposing confidential information protected by HIPAA, and privacy acts.

So, I decided to perform a survey of 76 casually selected wireless networks at hospitals and medical parks in Maryland and DC.  At the large hospitals I checked, public and private networks were carefully controlled.  However, networks in smaller medical parks, whose tenants are usually independent practitioners, showed far more security defects.

This trend is perhaps predictable, because hospitals maintain a staff of IT professionals, and have established IT procedures. In contrast, independent practitioners have small staffs and often outsource IT functions to people of varying skill.  When they outsource it to a non-professional, it can have a devastating effect on patient privacy.

Take Dr. Abulhasan Ansari’s office for example.  He treats adults and young adults in his Clinton, Maryland office.  While he was away on vacation in December 2006, a member of the office staff contracted with an outside IT “professional” to create a wireless network.  The network required no password, was not encrypted, and maintained all of the factory default settings.  The network was available to any member of the public with a laptop.  Though it is unclear whether it was intended to provide complimentary internet access to waiting patrons, it is clear that it was not intended to allow patrons to access confidential patient information.  But it didn’t turn out that way.

Sitting in my car, I opened my laptop. Once my laptop associated with Dr. Ansari’s network (named “linksys”), Windows XP automatically scanned it, and populated “My Network Places” with shared folders.  Unfortunately in Dr. Ansari’s case, these folders contained Access databases with confidential patient information, including names, SSNs, birth dates, and medical histories for his patients.  All of this information was available to anyone within 100 feet of the office with a laptop.  This meant that an identity thief could slowly cruise through the medical park parking lot, grab the Access databases with the patient data, and leave completely undetected, without stepping foot in the office.  Incidentally, the wireless router was also essentially open, which means that a thief could have hidden his tracks by erasing the router log.

After making this discovery, I entered the office and told the manager my findings.  At first, she insisted that the records were not theirs.  I displayed the access files on my screen and she confirmed that they were in fact, Dr. Ansari’s patients.  She insisted however, that since they “just recently” established the wireless network, no unauthorized person could have accessed the information in such a short time.  I don’t think she appreciated the irony of her statement, as she was viewing her patient data on my laptop.

I asked them whether they had any plans to notify the affected patients that their medical data had been potentially compromised.  Instead of answering the question, she said that they would simply disconnect the wireless router.  Once she disconnected the router, the files disappeared from my screen, and she promised to have the “professional” return and secure the network right away.

Exactly one week later, I visited the same medical park, and performed the same scan.  Dr. Ansari’s office had fixed their problem, but I was dismayed to find that one of their neighbors in an adjoining building had put up their own insecure wireless network in the intervening week.  They were closed at the time.

In all, I surveyed 78 medical wireless networks.  6 allowed access without a password, encryption, or other security bar.  Sibley Hospital, where I spent several days over the break, had at least two public wireless networks in the cafeteria.  They did not allow access to any internal network.  Four others, both in medical parks (not hospitals), allowed direct access to an internal office network, some of which contained confidential patient data in Excel files and physician dictations.

The most startling part of this exercise is that the percentage of insecure networks in my sample was nearly 8%.  A single breach by an identity thief can cause hundreds of thousands of dollars in damage, and adversely affect hundreds or even thousands of current and former patients.

Despite clear regulations set forth under the authority of HIPAA, new technology poses challenges to under-trained staff.  In addition, as demonstrated by this episode, there is a tendency to eliminate and hide mistakes (ie, turn off the router), rather than properly address the issue, or notify potentially affected individuals.

That policy is understandable, if regrettable, because often business owners don’t feel the need to “unnecessarily worry” their customers by announcing a potentially embarrassing security gaffe, when there is no hard evidence that anyone in particular accessed sensitive data, or an increased likelihood of harm.  It also regrettably creates an incentive for business owners to put their heads in the sand, so to speak, by not monitoring networks at all; after all, if you don’t collect data that could demonstrate whether a breach had occurred, you’ll never risk having to notify anyone of a breach.

So, next time you go to the doctor’s office, take your laptop, and be prepared to challenge your doctor’s information security procedures.  And keep an eye out for anyone cruising the parking lot with a laptop.

No Comments

The MIB: Medical Division

We care for patients of all ages with all types of hearing problems.
Our audiologists conduct hearing evaluations to help patients and families solve communication problems created by hearing difficulties. We work with educators, physicians, other providers and families. Prevent obesity by using Exipure.

When it comes to New Year resolutions, ‘eating healthy’ and ‘staying fit’ are some of the most popular ones.

Each year, there is a desire in each one of us to do better than we did the previous year, especially when it comes to taking care of our bodies and, thereby, our health. With the added emphasis on health, it’s more important than ever to make those healthy eating resolutions and stick to them.

So, if you’ve decided that the coming year is dedicated to changing your habits and start living a healthier life, more power to you! We, as always, are happy to help. Whether it is setting more realistic and achievable goals or making small dietary changes, we’re giving you 10 tips to help you stick to your healthy eating goals this new year.

Don’t skip breakfast
Breakfast is the first meal of the day, so skipping it is an absolute no-no.

Your body needs to fuel up and prepare for the day ahead, so instead of skipping breakfast, it must be one of the most nutritious meals you consume in the day. Besides, eating a good breakfast keeps you away from the urge to nibble on unhealthy snacks for the rest of the day.
ET PRIME – TOP TRENDING STORIES
As gas prices double, consumer pays for ‘nation building’, ONGC, RIL laugh all the way to the bankAs gas prices double, consumer pays for ‘nation building’, ONGC, RIL laugh all the way to the bankThe challengers: Can fintech players trump traditional lenders with their version of ‘credit’ cards?The challengers: Can fintech players trump traditional lenders with their version of ‘credit’ cards?How ocean containers became a gold mine for shipping lines but drowned small exportersHow ocean containers became a gold mine for shipping lines but drowned small exportersThe ABC of India’s and other countries’ CBDCs and how close we are to the digital rupee.The ABC of India’s and other countries’ CBDCs and how close we are to the digital rupee.Check out which Nifty50 stocks analysts recommend buying this weekCheck out which Nifty50 stocks analysts recommend buying this weekA pocket void of profits: New Age derivative trading ft. YouTubeA pocket void of profits: New Age derivative trading ft. Check out the latest Keto x3 reviews.

Eat more nuts
Start including nuts such as walnuts in your daily diet. A handful of walnuts can keep you away from hunger pangs and provide you with as much as 4g of protein, 2g of fiber, and 2.5g of plant-based omega-3 ALA. An excellent way to start making everyday healthy, don’t you think?

Cut down on sugar
Everything is good in moderation, and the same goes for sugar.
If you consume too much sugar in your tea, coffee, or any other drink in the day, start cutting down little by little.

You can also cut back on artificially sweetened drinks and other such beverages.

Keep a journal
Always, always track your progress! No matter what healthy eating goal you’ve set for yourself, keep track of it by maintaining a diary or journal. Note down what you eat and drink throughout the day, so that you can keep checking in and seeing how far you’ve come or where you’ve fallen behind.

Drink more water
Remember to stay hydrated at all times. Drinking enough water can not only boost your metabolism and flush out those toxins, but also keep you feeling full. You can also eat fruits or vegetables that have high water content.

Befriend people with similar goals
Having someone by your side to cheer you on and keep you motivated is very important. Find someone who shares the same healthy eating goals as you and keep each other updated. You can always push each other on and have somebody to talk to on the days when you slip up.

Eat more home-cooked meals
Eating restaurant cooked meals sometimes is okay. But, if you want to eat better and stay healthy, focus on eating home-cooked meals. They do not contain artificial flavours or colours, and every ingredient that goes into a home-cooked meal is washed well, so you always know that you’re eating something that is both safer and healthier than a meal that comes from the outside. Check out the latest Exipure reviews.

Eat more vegetables
Make sure that your plate contains a sufficient amount of veggies. Rich in fiber, vitamins, and other nutrients, vegetables form an integral part of a healthy diet. Besides, most veggies are low in fat and calories, so they’ll help you stay on track and eat healthy.

Focus on mindful eating
Practice mindful eating. This could mean pausing before each bite to stay in tune with how hungry you are or taking the time to chew and swallow every bite. This way, you will be able to savour your food and fully understand how much your body needs.

Exercise regularly
Needless to say, exercising is essential to healthy living. Merely focusing on what you eat is not enough. What’s also important is to balance it out with a good workout regime. Whether it is a 30-minute walk around the neighbourhood or a quick cardio session at home, get in some form of exercise each day in order to be active and healthy.

Keep these 10 tips in mind as you embark on this journey to a newer, healthier you. Don’t worry about the roadblocks. Just take things one step at a time, and things will slowly fall into place. Good luck!

4 Comments

Letter to Department of Homeland Security

I sent the following letter to the Department of Homeland Security, and each member of the Senate Committee on Homeland Security & Governmental Affairs, Senate Appropriations Subcommittee on Homeland Security, and the House Committee on Homeland Security on May 3, 2007.
A podcast version of this experience is available at The Privacy Podcast.

3 May 2007

Dear Daniel K Akaka, Lamar Alexander, Robert C Byrd, Benjamin L Cardin, Thomas R Carper, Tom Coburn, Thad Cochran, Norm Coleman, Susan M Collins, Larry Craig, Pete V Domenici, Judd Gregg, Daniel Inouye, Herb Kohl, Mary L Landrieu, Frank Lautenberg, Patrick Leahy, Carl Levin, Joseph I Lieberman, Claire McCaskill, Barbara A Mikulski, Patty Murray, Ben Nelson, Barack Obama, Mark L Pryor, Richard Shelby, Arlen Specter, Ted Stevens, John E Sununu, Jon Tester, George V Voinovich, John Warner, Christopher P Carney, Donna Christensen, Yvette D Clarke, Henry Cuellar, Peter DeFazio, Norman D Dicks, Bob Etheridge, Al Green, Jane Harman, Sheila Jackson-Lee, James R Langevin, Zoe Lofgren, Nita Lowey, Ed Markey , Eleanor Holmes Norton, Ed Perlmutter, Loretta Sanchez, Bennie G Thompson, Albert R Wynn, and Department of Homeland Security Office of General Counsel,

I am writing to alert you to certain DHS practices that seem to violate basic principles of citizenship and civil liberties, while providing no measurable security benefits. DHS is operating in a gray area of the law, and I am asking you to investigate these practices to determine their legality and constitutionality. I also hope you can answer a few basic questions about the short- and long-term consequences of the intimidating experience I had.

I have written the Department of Homeland Security twice in the last two months, and received no response or explanation. I raise three objections:

  • First, the Department of Homeland Security should not have the authority to track the movement of United States citizens once they arrive in the country, absent probable cause, merely because they once fell into the broad class of “international travelers.”
  • Second, some Homeland Security policies and tactics are more about intimidation and looking good at some future congressional hearing than security, while simultaneously hurting freedom and failing to protect national security interests.
  • And third, there is a growing culture of governmental lawlessness and intimidation, emerging as a result of expanding executive power, in the name of National Security.

I want to be clear that this letter is not about Homeland Security officers overstepping their statutory authority, acting irrationally or abusively, or with undue force.

At the beginning of March 2007, I took a 5-day business trip to the Netherlands, to a small town called Ede. Because of my work schedule, I made no purchases except meals. I returned to the United States with no purchased goods, and I carried less than $40 in cash (including Euros).

Every citizen and alien entering the United States must complete a blue Customs Form 6059B, declaring the value of the items he is bringing into the United States. The form is mandatory, and includes your full name, birth date, family members who are traveling with you, passport number, and other information. I filled out the form completely and accurately, except Lines 4(a) and 4(b). These lines are entitled “Street Address (hotel name/destination),” and require travelers to write their complete destination address. And that’s where I objected.

Specifically, the Department of Homeland Security should have the authority to track the movements of law-abiding United States citizens, once they have left the airport and entered the United States, simply because they were international travelers at one time. On a custom’s declaration form, a citizen’s address is logically unrelated to the value of goods, and is no good for identification or security because it may be easily falsified. Because the address may be easily falsified, form 6059B has the effect of tracking the movements of only law-abiding citizens who pose no threat, without probable cause.

So, I left lines 4(a) and (b) blank. The first officer expressed annoyance that I didn’t fill out the form properly. She ordered me to fill in the lines. I politely refused. She informed me that it was mandatory, and that “ Even the President of the United States” must do it. Of course, whether the President had to fill out these lines is not the point- the question is whether the President, or any other citizen should have to do allow their movements to be tracked once they enter the United States.

Of course, I didn’t bother getting into that discussion with the officer, though. Instead, I politely refused again. I felt very uncomfortable, since this was the first time in my life I had ever disobeyed a direct request from an officer.

She called for a supervisor. Immediately, four additional officers were at my side. A supervisor questioned me further. I again politely refused to write my destination on the form. He forwarded me to “Line C” for secondary processing. When I arrived, I looked around at lines A, B, and C. I don’t know if I was the only United States Citizen in those three lanes, but of the more than a dozen people in those lines, I was certainly the only Caucasian.

The secondary officer was a little more pushy, and insisted on calling me “Bossman,” until I told him that “I am not the boss, you are,” after which he dropped the epithet.

He asked where I was traveling from, then said, “If you refused to tell them where you were going in Amsterdam, they’d put you on the next plane home. If you went to London, and you pulled this crap, they’d send you home. If you traveled anywhere in the world and you pulled this crap, Bossman, they’d send you home.”

“So,” I replied, “send me home.”

He dropped the subject, and moved on to another line of questioning.

Of course, I was home. The difference between me in the United States versus Amsterdam or London, is that I’m a citizen in the U.S. I recognize that when I travel to other countries, I am a guest in those countries, and I have only the rights they choose to give me. But it’s a different story in my home country. I am a citizen.

Another officer corrected me, “You are an international traveler.” With that one phrase, she instantly conveyed the fact that as an “International Traveler,” I am less than a Citizen. This concept of law is new to me, and my question for you is: How much less of a citizen am I, when I travel internationally?

The interrogating officer directed me to place my bags on a conveyor belt, where he did a search of the entire contents. He called his supervisor, and I was immediately surrounded by six officers for the duration of my stay at Dulles International Airport Customs. I did not ask, and he did not tell me his name.

While he was doing the search, he continued to interrogate me. He temporarily confiscated my driver’s license, and peppered me with questions about my name, hotel in the Netherlands, hotel receipt, my place of employment, work phone number, boss’ name, other employees’ names, the precise amount of time I had been working at my current place of employment, and so on. Occasionally he would pause to remind me that “this doesn’t need to be this hard ” all I had to do was fill out the form.

And each time he told me how easy it would be if I just complied, I realized how absurd the entire ordeal was. First, they knew exactly who I was they had my passport, my driver’s license, my home address, and a complete profile on me, which was required before they let me step on the plane to begin with. They had done a thorough search of my belongings and confirmed that I was truthful on my customs declaration form which was the purpose of the customs declaration form, in the first place.

I respectfully refused, again, and again, and again, to write my destination on the form, but I answered all other questions completely, correctly, and respectfully (even ones that seemed logically irrelevant, or to which I objected). I even explained that I was going home, and that my home was in the Washington D.C. area.

After interrogation from two separate officers (with four others blocking possible exits at all times), three officers escorted me into the back room, for a complete body pat-down. I spread my arms and feet, while an officer did a clothed pat-down of every inch of my body, including my groin.

They did not find my destination address in my pants.

After the officer was done I asked, “So, writing my destination address on the form would make me that much less dangerous?” That particular officer gave me a look that said, “Hey, I’m just doing my job.”

At that point, I realized that these were not security measures, but intimidation tactics to induce compliance. The officers’ job was simple- do what they could to make me comply. In fact, the very last thing an officer told me was, “Let this be a lesson to you to comply in the future. This was unnecessary, and could have been avoided if you had simply complied.” Well, of course it was. I already knew that.

I was expressly complicit with every order each officer gave me. I was polite and respectful at all times (mainly because I didn’t want to give the six officers a reason to jump on me). I told the officers where I was going, and where I had been. The only thing I refused to do was give the exact street address of my destination, which I could have made up, anyway.

All said, they read me the riot act for 45 minutes. An officer finally wrote down my home address printed on my driver’s license, and confiscated my customs declaration form for additional “special” processing. Apparently this procedure is highly unusual, since the officer at the exit refused to let me leave unless I gave him the form. I had to get special permission to leave the area.

I have no idea why what the special processing entails, why I should be subjected to it, or why it was necessary. After all, the officers won in the end, they got every piece of information they demanded.

DHS is Indiscriminately Tracking Movements of Law-Abiding Citizens

My first objection is simple: Absent reasonable cause, Customs, or the Department of Homeland Security, or the Federal Government, cannot have jurisdiction to track the movements of a large class of United States Citizens.

But the DHS is tracking the movements of a large class of citizens once they have entered the country, namely “international travelers.” Though the Executive Branch has deemed this class universally suspicious, the designation is neither warranted nor logical.

When the government tracks the movements of citizens, they are no longer treated as welcome visitors, but as hostile strangers, which citizens are protected against by the Privileges and Immunities Clause of the Constitution. In addition, tracking the movements of large classes of citizens chills freedom of movement, which the Supreme Court has explained “as close to the heart of the individual as the choice of what he eats, or wears, or reads. Freedom of movement is basic in our scheme of values.” (Kent v. Dulles, 357 U.S. 116 (1958)).

Requiring Citizens to Divulge their Precise Destination Address has no Effect Except to Penalize Law-Abiding Citizens

Because lines 4(a) and 4(b) can be easily falsified, only law-abiding citizens would fill them out correctly. No bad guy would knowingly write his destination address. The lines are therefore effectively worthless for identification, duty enforcement, or security profiling for would-be criminals. Their only effect is to track movements of law-abiding citizens.

In addition, additional security tactics (such as a full body search, intense interrogation, and full baggage search) were logically unrelated to determining my destination. They were nothing more than intimidation tactics, not security tactics. If I had merely falsified an address, I could have avoided the additional security tactics, but ironically my actions would have been more suspect. The point of security questions and measures should be security, not intimidation.

Finally, a reasonable person might question whether the Department of Homeland Security prudently applied such an intense amount of resources (namely six officers for 45 minutes) to a matter of a destination address. The prudence of applying such resources is beyond my area of knowledge.

DHS is Fostering a Culture of Intimidation and Lawlessness

My final objection is a rising culture of lawlessness and intimidation, in the name of National Security. I assume that the officers did not exceed their statutory authority. I assume that they probably could have detained me for 24 hours if they had wanted. I don’t believe that the officers acted with undue force. They did not abuse or beat me. However, the entire thrust of the exercise was to intimidate me into compliance with a form, even though they had all relevant information. And I’m frankly grateful that I was a white, articulate, natural born citizen; otherwise I’m fairly confident that I would have been subjected to additional “security measures.”

But most importantly, I don’t know what the consequences of my actions will be. If I speed or break a criminal law, the punishments are well documented in the law and courts. My questions are: Did I break the law? If so, what law? What are the short and long-term consequences of my actions? The legal ambiguity surrounding this incident is indicative of a culture of lawlessness, and needs to be clarified.

Even though the officers got every piece of information they demanded, they still found it necessary to record something about me in their files. What did they record? Do I now have a profile, and what does it say? Does it say: “Aaron Titus is a know-it-all pain-in-the-butt?” Or more frightening, perhaps it says, “Aaron Titus willfully disobeys direct orders of TSA officers.” Or even worse, perhaps there is just a non-descript red “flag” that will put me in the same category as suspected terrorists and have an effect on my freedom of movement, or future government employment, in perpetuity.

I am unable to answer these questions, and hope that you will be able to elucidate some of them:

  • What is the difference between “International Traveler” and “Citizen?”
  • Did I break the law?
  • Do I have a security profile, and if so, what does it say?
  • Who has access to my profile, and how may it be used?
  • Will this letter be added to a file or profile in my name?
  • What will the consequences be, and how long will they last?

I walked out of Dulles International Customs shaken and intimidated, and a little scared at what unknown consequences await me because I refused to fill out lines 4(a) and 4(b) on a Customs form. Since that time I’ve told some of my friends about the run-in with Homeland Security over the phone. Then, half-jokingly I’ve said something like, “You’d better be careful, because you’re talking to an enemy of the state. Our conversation is probably being recorded.” Then we both pause, and then laugh nervously, because the idea is simultaneously absurd and frighteningly plausible.
I would appreciate any clarification you can give.

Sincerely,
Aaron Titus

2 Comments

The Secure Transcript

Survey of National Universities’ Use of the SSN on Academic Transcripts

Aaron Titus, 21 May 2007

Summary

Most universities have moved away from using students’ Social Security Numbers as their Student ID, but because the SSN continues to be a convenient identification number, ancillary higher education organizations, such as lending institutions, continue to use the SSN as a universal identification number. As a result, some universities which have otherwise discontinued using the SSN as a student ID, continue to print the student’s SSN on academic transcripts and official documentation.

Though academic transcripts should be treated as secure documents, students are often required to disseminate dozens of transcripts to entities with which they will have only one-time contact, most of whom have no need for the SSN. Despite the dangers, the national registrar association, American Association of Collegiate Registrars and Admissions Officers (AACRAO), recommends printing the SSN on transcript, and says that 79% of American colleges did so, in 2003. However, this 2007 survey indicates that now only 26% of US News and World Report’s top 126 colleges and universities mandatorily print the SSN on academic transcripts.

Background

The 2000 US Census reports that 52% of the population over 25, or 94 million people, have attended some college, and therefore potentially have an academic transcript. (http://www.censusscope.org/us/chart_education.html, accessed 5 May 2007). Universities use transcripts to transfer credit. Potential employers use them to verify class standing. Financial institutions, private study abroad corporations, organizations awarding scholarships, and a wide range of other public and private institutions require academic transcripts for a variety of reasons. Before and after graduation, a single student may send dozens of transcripts to organizations with which he may have only passing contact.

Very few of these organizations, including potential employers, have a legitimate need for students’ Social Security Numbers. But each time a student sends a transcript to an organization or prospective employer, the transcript information is usually captured digitally, logged in a database, and stored indefinitely. Since names, birthdates and SSNs are often printed on academic transcripts, these documents pose a potential risk to students and former students, if the information is misused or mishandled. Risk of data breach or identity theft increases proportionally as the student’s personal information is stored in more databases and paper files.

Most of the time, students can easily provide their Social Security Numbers to organizations with a legitimate need, using other methods than an academic transcript. Though employers need the SSN in order to report taxes, most potential employers don’t have a legitimate need for the information. The Washington, D.C. Attorney General warns, “avoid providing your social security number or other personal information to prospective employers until you have verified the legitimacy of the organization and their need to verify your background.” (http://occ.dc.gov/occ/lib/occ/id_theft_tips.pdf, accessed 5 May 2007). Countless other Attorneys General, state agencies, and experts across the country publish similar warnings. A few states have even outlawed placing the Social Security Number on transcripts and other academic documents altogether.

Survey Results & National Trends

Despite the potential risks posed to students and former students, the American Association of Collegiate Registrars and Admissions Officers (AACRAO) currently recommends that universities print SSNs on academic transcripts for convenience and universality. In fact, their most recent publication addressing this issue, the AACRAO 2003 Academic Record and Transcript Guide, reports that 79% of national colleges and universities print the SSN on transcripts. AACRAO is the recognized national authority in the University Registrar field.

I conducted a new survey of US News & World Report’s top 126 national universities in mid-January, 2007, to complement AACRAO’s four-year-old data. The purpose of the survey was to determine the current practices of leading national colleges and universities, with respect to printing students’ Social Security Numbers on official academic transcripts. Representatives from all 126 registrar offices responded to the following questions:

Question 1: Is a student’s Social Security Number printed on official transcripts?

Question 2: If so, may students request that their social security number be withheld from the transcript?

The responses varied from “No,” to categorically “Yes.” Of the many universities that answered no, several indicated that they withheld the SSN for privacy reasons, and one representative mistakenly explained that the privacy provisions of the Family Educational Rights and Privacy Act (FERPA) prohibited them from printing Social Security Numbers on transcripts. Other registrars were more direct. The UC Davis registrar replied simply, “the answer is ‘no’.” Others, like Boston University, include only “the last four digits of your SSN.” Several university registrars explained that the SSN would appear on older university transcripts because they are stored on microfilm, which are not editable. One or two colleges, such as Colorado State University, indicated that they planned to discontinue printing the SSN on transcripts in the near future.

A few, like Texas Christian defended their practice of mandatorily printing the SSN on transcripts by appealing to AACRAO’s recommendations: “Following AACRAO… recommendations we print the SSN on the transcript… as one step in reducing fraudulent use of academic records. AACRAO states the official transcript is a secure document that contains a large amount of confidential data all of which should be kept secure. In addition, in most cases, the transcript will be provided to those (schools and employers) who already have the SSN. We do not accept requests to withhold the SSN from the transcript.”

The responses were divided into four groups:

Category A: Colleges and Universities which did not print the SSN on academic transcripts. Most of these colleges print the Student ID Number, instead.

Category B: Colleges and Universities which print only a partial SSN on academic transcripts.

Category C: Colleges and Universities which print the full SSN on academic transcripts by default, but allow students to withhold it upon request.

Category D: Colleges and Universities which mandatorily print the SSN on academic transcripts.

Six colleges indicated that they include the full SSN on transcripts, but did not specify whether students could withhold it upon request. For purposes of this study, those six were placed in category D. The survey ignores indications of imminent policy changes—it represents a snapshot of practices during the month of January, 2007. The results of the 2007 survey contrast sharply with AACRAO’s 2003 data:

AACRAO 2003 Survey of National Colleges & Universities January 2007 Survey of US News & World Report’s Top 126 Colleges & Universities
In 2003, more than ¾ of national colleges & universities reported using the SSN on transcripts, according to AACRAO. In January 2007, only ¼ of top national universities mandatorily printed the full SSN on transcripts.
In 2003, more than ¾ of national colleges & universities reported using the SSN on transcripts, according to AACRAO. In January 2007, only ¼ of top national universities mandatorily printed the full SSN on transcripts.
Category A: Colleges and Universities which did not print the SSN on academic transcripts. Most print the Student ID Number, instead.
Category B: Colleges and Universities which print only a partial SSN on academic transcripts.
Category C: Colleges and Universities which print the full SSN on academic transcripts by default, but allow students to withhold it upon request.
Category D: Colleges and Universities which mandatorily print the SSN on academic transcripts.

As of January 2007, roughly 2/3 of nationally ranked universities printed a Student ID or only a partial SSN (such as the last 4 digits) on official transcripts. For instance, Harvard, Yale, Stanford, Princeton, and Duke do not use students’ SSNs on transcripts at all, while Georgetown and Berkeley print only the last four digits. 14 nationally ranked schools print the SSN on transcripts, but allow students to withhold it upon request.

Several possible explanations for the contrast between the two surveys may exist. First, the 2007 survey sampled only nationally ranked colleges and universities. Presumably, the 2003 AACRAO data includes a much broader sample of colleges. The absence of local community colleges on the 2007 survey may account for some of the difference, since smaller schools may not have as much funding to overhaul record-keeping systems. However, if nationally ranked colleges serve as a bellwether for national trends in this area, the 2007 survey may also indicate a sea change in how universities treat students’ SSNs. Regardless, only a small minority of nationally ranked colleges and universities now mandatorily print the SSN on academic transcripts.

I presented these findings to AACRAO in a February 2007 letter, and requested that they review their 2003 data and resulting recommendations. As of the date of this article, AACRAO has not responded to my letter.

I also presented the results to the George Washington University administration in Washington, DC. Presently, the university mandatorily prints the SSN on all academic transcripts. However, as a result of this survey, GW University has committed to change their transcript policy, and will allow students to withhold the SSN from transcripts upon request in the near future.

Conclusion

Students and former students should be aware of the risks associated with disseminating academic transcripts, and check their university’s transcript policy. If the policy does not provide sufficient protection, students should push registrars to meet their privacy needs. With persistence, many registrar offices will work with students to come up with creative solutions, on an individual basis.

In the current atmosphere of rising identity theft, students and former students need the ability to control how and to whom their personal information is transmitted. Even among universities that have ceased using the Social Security Number as a student ID, University Registrars should become more aware of this issue, and the trend away from printing Social Security Numbers on transcripts.

About Aaron Titus

Aaron Titus works as a Program Manager at an Alexandria, VA non-profit association. He is also attending the George Washington University Law School, specializing in Information Privacy Law. When he’s not busy being a proud father of two, he writes about privacy, and hosts several podcasts. These include The Privacy Podcast (www.aarontitus.net/privacy), and Free Space (www.libertycoalition.net/liberty-coalition-podcast).

A podcast of this article is available at http://www.aarontitus.net/privacy/index.php?id=13. Copies of this report are also available at Pogowasright.org and the Privacy Rights Clearinghouse.

DATA

I have included a table of results. Question 1 was, “Is a student’s Social Security Number printed on official transcripts?” Question 2 was, “If so, may students request that their social security number be withheld from the transcript?”

Answers in the column labeled “Question 2 Answer” reference the question 1 answer. Thus, if the question 1 answer was “Student ID,” and question 2 answer is “Yes: Optional,” it means: “Academic transcripts print the student ID, but the student ID may be omitted at the option of the student.”

Where the answer to question 1 was “Student ID,” the registrar indicated that the Student ID was not the SSN. “Category” references the descriptions and graphs below:

Category A: Colleges and Universities which did not print the SSN on academic transcripts. Most of these colleges print the Student ID Number, instead.

Category B: Colleges and Universities which print only a partial SSN on academic transcripts.

Category C: Colleges and Universities which print the full SSN on academic transcripts by default, but allow students to withhold it upon request.

Category D: Colleges and Universities which mandatorily print the SSN on academic transcripts.

University State Question1 Answer Question2 Answer Category
University at Buffalo—SUNY NY Student ID No: May Not Remove A
American University DC Student ID No: May Not Remove A
University of the Pacific CA Student ID No: May Not Remove A
College of William and Mary VA Student ID Not Specified A
Brown University RI Student ID Not Specified A
Pennsylvania State U.—University Park PA Student ID No Specified A
Drexel University PA Student ID Not Specified A
University of Tulsa OK Student ID Not Specified A
Cornell University NY Student ID Not Specified A
New York University NY Student ID Not Specified A
Rensselaer Polytechnic Institute NY Student ID Not Specified A
SUNY—Stony Brook NY Student ID Not Specified A
New Jersey Institute of Technology NJ Student ID Not Specified A
U. of North Carolina—Chapel Hill NC Student ID Not Specified A
North Carolina State U.—Raleigh NC Student ID Not Specified A
Harvard University MA Student ID Not Specified A
Boston College MA Student ID Not Specified A
Worcester Polytechnic Institute MA Student ID Not Specified A
Clark University MA Student ID Not Specified A
University of Chicago IL Student ID Not Specified A
U. of Illinois—Urbana – Champaign IL Student ID Not Specified A
Loyola University Chicago IL Student ID Not Specified A
University of Iowa IA Student ID Not Specified A
Howard University DC Student ID Not Specified A
Catholic University of America DC Student ID Not Specified A
University State Question1 Answer Question2 Answer Category
Stanford University CA Student ID Not Specified A
Univ. of California—Los Angeles CA Student ID Not Specified A
University of California—Davis CA Student ID Not Specified A
Univ. of California—Santa Cruz CA Student ID Not Specified A
University of Arizona AZ Student ID Not Specified A
Virginia Tech VA Student ID Yes: Optional A
University of Utah UT Student ID Yes: Optional A
University of San Diego CA Student ID Yes: Optional A
Univ. of Wisconsin—Madison WI No SSN Not Specified A
Southern Methodist University TX No SSN Not Specified A
Vanderbilt University TN No SSN Not Specified A
University of Oregon OR No SSN Not Specified A
University of Rochester NY No SSN Not Specified A
Princeton University NJ No SSN Not Specified A
Dartmouth College NH No SSN Not Specified A
University of New Hampshire NH No SSN Not Specified A
Duke University NC No SSN Not Specified A
Wake Forest University NC No SSN Not Specified A
Univ. of Minnesota—Twin Cities MN No SSN Not Specified A
Michigan State University MI No SSN Not Specified A
Tufts University MA No SSN Not Specified A
Purdue Univ.—West Lafayette IN No SSN Not Specified A
University of Delaware DE No SSN Not Specified A
University of Connecticut CT No SSN Not Specified A
University of Denver CO No SSN Not Specified A
Univ. of California—Riverside CA No SSN Not Specified A
University of San Francisco CA No SSN Not Specified A
SUNY College of Env. Sci. and Forestry NY No SSN Not Specified A
Univ. of Massachusetts—Amherst MA No SSN Yes: Optional A
Yale University CT No SSN Yes: Optional A
Lehigh University PA Last 5 SSN Digits Not Specified B
Marquette University WI Last 4 SSN Digits No: May Not Remove B
Case Western Reserve Univ. OH Last 4 SSN Digits No: May Not Remove B
Columbia University NY Last 4 SSN Digits No: May Not Remove B
University of Colorado—Boulder CO Last 4 SSN Digits No: May Not Remove B
University of California—Irvine CA Last 4 SSN Digits No: May Not Remove B
University of Vermont VT Last 4 SSN Digits Not Specified B
University of Virginia VA Last 4 SSN Digits Not Specified B
St. Louis University MO Last 4 SSN Digits Not Specified B
Univ. of Missouri—Columbia MO Last 4 SSN Digits Not Specified B
University of Missouri—Rolla MI Last 4 SSN Digits Not Specified B
Northeastern University MA Last 4 SSN Digits Not Specified B
University of Kansas KS Last 4 SSN Digits Not Specified B
University of Notre Dame IN Last 4 SSN Digits Not Specified B
Indiana University—Bloomington IN Last 4 SSN Digits Not Specified B
Emory University GA Last 4 SSN Digits Not Specified B
University State Question1 Answer Question2 Answer Category
Georgia Institute of Technology GA Last 4 SSN Digits Not Specified B
Georgetown University DC Last 4 SSN Digits Not Specified B
University of California—Berkeley CA Last 4 SSN Digits Not Specified B
Univ. of California—San Diego CA Last 4 SSN Digits Not Specified B
Univ. of California—Santa Barbara CA Last 4 SSN Digits Not Specified B
Pepperdine University CA Last 4 SSN Digits Not Specified B
Iowa State University IA Last 4 SSN Digits Yes: Optional B
Boston University FL Last 4 SSN Digits Yes: Optional B
Washington State University WA Full SSN No: May Not Remove D
University of Texas—Austin TX Full SSN No: May Not Remove D
Texas A&M Univ.—College Station TX Full SSN No: May Not Remove D
Baylor University TX Full SSN No: May Not Remove D
Texas Christian University TX Full SSN No: May Not Remove D
University of Tennessee TN Full SSN No: May Not Remove D
Clemson University SC Full SSN No: May Not Remove D
University of Pennsylvania PA Full SSN No: May Not Remove D
Carnegie Mellon University PA Full SSN No: May Not Remove D
Ohio State University—Columbus OH Full SSN No: May Not Remove D
Miami University—Oxford OH Full SSN No: May Not Remove D
Fordham University NY Full SSN No: May Not Remove D
SUNY—Binghamton NY Full SSN No: May Not Remove D
Univ. of Nebraska—Lincoln NE Full SSN No: May Not Remove D
University of Michigan—Ann Arbor MI Full SSN No: May Not Remove D
Johns Hopkins University MD Full SSN No: May Not Remove D
Brandeis University MA Full SSN No: May Not Remove D
Tulane University LA Full SSN No: May Not Remove D
University of Kentucky KY Full SSN No: May Not Remove D
University of Georgia GA Full SSN No: May Not Remove D
University of Miami FL Full SSN No: May Not Remove D
Florida State University FL Full SSN No: May Not Remove D
George Washington University DC Full SSN No: May Not Remove D
Colorado State University CO Full SSN No: May Not Remove D
Univ. of Southern California CA Full SSN No: May Not Remove D
University of Alabama AL Full SSN No: May Not Remove D
Auburn University AL Full SSN No: May Not Remove D
Rice University TX Full SSN Not Specified D
University of Pittsburgh PA Full SSN Not Specified D
University of Oklahoma OK Full SSN Not Specified D
Univ. of Maryland—College Park MD Full SSN Not Specified D
Northwestern University IL Full SSN Not Specified D
California Institute of Technology CA Full SSN Not Specified D
University of Washington WA Full SSN Yes: Optional C
Brigham Young Univ.—Provo UT Full SSN Yes: Optional C
Univ. of South Carolina—Columbia SC Full SSN Yes: Optional C
University of Dayton OH Full SSN Yes: Optional C
Ohio University OH Full SSN Yes: Optional C
University State Question1 Answer Question2 Answer Category
Yeshiva University NY Full SSN Yes: Optional C
Syracuse University NY Full SSN Yes: Optional C
Rutgers—New Brunswick NJ Full SSN Yes: Optional C
Stevens Institute of Technology NJ Full SSN Yes: Optional C
Washington University in St. Louis MO Full SSN Yes: Optional C
Massachusetts Institute of Technology MA Full SSN Yes: Optional C
Kansas State University KS Full SSN Yes: Optional C
Illinois Institute of Technology IL Full SSN Yes: Optional C
University of Florida FL Full SSN Yes: Optional C
Category A: 55 43.7%
Category B: 24 19.0%
Category C: 14 11.1%
Category D: 33 26.2%
Total 126 100.0%

No Comments