Archive for category Privacy at School

8 Problems and 9 Solutions to College Information Security

This article originally appeared on the Security Catalyst Blog.

Colleges and universities store employment data, financial records, transcripts, credit histories, medical histories, contact information, social security numbers and other types of personal information. Although higher-education institutions should be forums where information and knowledge are easily exchanged, “sometimes the free flow of information is unintentional.” Here are eight policies and behaviors that put personal information at risk:

  1. Administrative Decentralization
  2. Naive Office Culture
  3. Unprotected “Old” Data
  4. Shadow Systems
  5. Unregulated Servers
  6. Unsophisticated Privacy Policies
  7. Improper Use of the SSN
  8. Unsanitized Hard Drives

Administrative Decentralization

In a university setting each college, each department, and often each professor operates nearly autonomously. In an environment where knowledge must flow freely, decentralization is a must. However, it means that new centralized policies to address information security are difficult to implement.

Naive Office Culture

A closely related risk factor is office culture. Staff turnover makes training an ongoing struggle, despite strict policies governing information control. Accidental information leaks can occur, even in the most secure IT environment. In addition, all office cultures resist changing any process, no matter how inefficient. In one example, I called my law school to discuss financial aid. After identifying myself by only my last name, the staff member automatically read my social security number over the phone.

Unprotected “Old” Data

Colleges do a pretty good job of guarding current personal information, but fail to protect older information, which is especially risky if the old data includes social security numbers.

Almost every week a faculty member backs up an old hard drive to his personal web space, unaware that the hard drive contained legacy student grades and social security numbers. Occasionally the professor is aware of the information but mistakenly believes that his university-provided Web space is not available to the public. Often the data sit on the institutional server for up to five years undetected and forgotten—until the information turns up on Google.

Shadow Systems

“Shadow Systems” are copies of personal information from the core system which professors, colleges, departments, and even student organizations maintain independently. Shadow systems can be sophisticated databases under high security or simple Excel spreadsheets on personal laptops. They multiply at an alarming rate because faculty members with administrative access can create their own databases at any time.

Thus, even though a small army of information-technology professionals may guard a college’s core systems, the security perimeter extends much further. And despite strict policies governing information control, employee turnover makes training about privacy and security issues a continual struggle.

Unregulated Servers

Faculty members and third-party vendors also set up their own unregulated servers outside university firewalls, often for legitimate academic use. Those servers are particularly vulnerable to hackers and accidental online exposure. In one security audit, a private university uncovered 250 unauthorized servers connected to its public internet network, each containing sensitive student information.

Unsophisticated Privacy Policies

Colleges’ privacy policies often demonstrate a basic lack of understanding of the law and, more importantly, how the institution carries out the law through internal processes. Many policies basically say nothing more than “We follow the law,” without explaining what the law is or how they follow it. Even worse, some simply say, in essence, “Trust us, we’ll be good.”

Many institutions’ privacy policies also erroneously mimic commercial policies, which are narrowly tailored to cover only information collected online. Those policies are deficient in a college setting because just a small fraction of personal information that colleges maintain is collected online.

Further, a single institution may have dozens or hundreds of separate privacy policies, each dealing with a different, and incomplete, set of issues. For example, at some highly decentralized institutions, each college, department, and even some facilities like student unions have their own privacy policies. While privacy policies should reflect the practices of each group, inconsistent policies can create confusion among staff members who must explain or carry them out.

Improper Use of the SSN

Even though many colleges don’t now use social security numbers to identify students, they once did. Those old records sit like land mines on old servers. In addition, some universities print them on academic transcripts and official documents. Even though the American Association of Collegiate Registrars and Admissions Officers recommends printing the social security number on transcripts, my January 2007 study indicates that fortunately, most don’t.

Unsanitized Hard Drives

Deleted files remain almost unchanged on the hard drive until it is overwritten or physically destroyed. Once unsanitized hard drives are re-sold, sensitive personal and corporate information can be easily retrieved. Though most universities have a sanitization protocol when retiring old hard drives, enforcing the policy can be challenging.

Solutions

College administrators should consider the following:

  • Regularly scan institutional networks for sensitive information, such as social security numbers, grades, and financial information. Use a combination of public search engines, and internal text- and file-scanning software.
  • Automatically retire “old” data on institutional servers but allow faculty members to un-retire old data they still use. Forgotten information is dangerous information.
  • Establish a “radioactive date,” which is when your institution last used social security numbers as an identifier. Files last modified before this date should be presumed dangerous.
  • Create permissions-based access to core systems. Sensitive personal information should be available to faculty members and departments only on a need-to-know basis.
  • Establish a data-retention-and-access policy by balancing threat, benefits and risks of maintaining the data.
  • Coordinate interdepartmental privacy and security practices with a special committee of information security professionals.
  • Update your privacy policy to reflect all privacy issues arising in a university setting. Explain privacy rights and practices that protect offline employment information and sensitive student records. Also explain work-flow protections (for example, “only director-level employees have access to social security numbers”) and technical practices (for example, “employee data is stored on encrypted hard drives”). Privacy policies should deal with more than just cookies and Web forms.
  • Eliminate social security numbers from official records where possible, or establish a policy whereby students can opt to omit their numbers from transcripts or other records.
  • Physically destroy all old hard drives.
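
One way to implement the scanning and “radioactive date” recommendations above, as an added example that is not part of the original article. The date value, function names, action labels and sample files are assumptions constructed for illustration; the scan reports counts only and never records the matched numbers.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Assumed value: the last date this institution used SSNs as an identifier.
RADIOACTIVE_DATE = datetime(2005, 1, 1, tzinfo=timezone.utc)

# SSN layout AAA-GG-SSSS, consistent or no separators, not part of a longer number.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")


def plausible_ssn(area, group, serial):
    """Drop values that are never issued as SSNs, to reduce false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def count_ssn_candidates(text):
    """Count SSN-shaped values; the values themselves are never returned or logged."""
    return sum(
        1 for m in SSN_RE.finditer(text)
        if plausible_ssn(m.group(1), m.group(3), m.group(4))
    )


def scan_tree(root, radioactive_date=RADIOACTIVE_DATE, max_bytes=5_000_000):
    """Walk root and report files that are old, contain SSN candidates, or both."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                stamp = os.path.getmtime(path)
                with open(path, "rb") as fh:
                    # latin-1 maps every byte, so decoding cannot fail.
                    text = fh.read(max_bytes).decode("latin-1")
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            mtime = datetime.fromtimestamp(stamp, tz=timezone.utc)
            old = mtime < radioactive_date
            hits = count_ssn_candidates(text)
            if not old and hits == 0:
                continue
            # Old files are presumed dangerous even with no match, because
            # compressed or binary formats hide content from a text scan.
            if old and hits:
                action = "quarantine"
            elif old:
                action = "retire-or-review"
            else:
                action = "review"
            findings.append({
                "path": os.path.relpath(path, root),
                "modified": mtime.date().isoformat(),
                "pre_radioactive": old,
                "ssn_candidates": hits,
                "action": action,
            })
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Build a constructed sample tree (fake data only) and scan it."""
    utc = timezone.utc
    samples = {
        "grades_1999.csv": ("Doe,Jane,123-45-6789,B+\nRoe,Rick,123456780,A\n",
                            datetime(1999, 5, 20, 12, tzinfo=utc)),
        "syllabus_2001.txt": ("Office hours Tue 2-4pm, room 101\n",
                              datetime(2001, 8, 30, 12, tzinfo=utc)),
        "roster_2008.txt": ("test row 000-12-3456; student 123-45-6789 enrolled\n",
                            datetime(2008, 9, 1, 12, tzinfo=utc)),
        "notes_2009.txt": ("Order 1234567890 shipped, ref 987-65-4321\n",
                           datetime(2009, 1, 15, 12, tzinfo=utc)),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (content, when) in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(content)
            os.utime(path, (when.timestamp(), when.timestamp()))
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Copying or restoring a file can reset its modification time, so a recent date does not clear a file; the content scan still applies to everything.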

Institutions of higher education must promote the free exchange of ideas while protecting sensitive personal information. Although the academic environment can seem at odds with information security, appropriate practices and procedures can balance information freedom and personal privacy.

Aaron Titus is the Privacy Director for the Liberty Coalition, and runs National ID Watch. A version of this article originally appeared in the October 24, 2008 edition of the Chronicle of Higher Education, and is republished here by arrangement.


Securing My Academic Transcript

I just ordered several transcripts from my university, which I will need to distribute to several organizations, for different reasons.
As you’re probably aware, transcripts come in sealed envelopes. If the envelope seal is broken, the transcript is no longer “official.”

Most organizations I send transcripts to have no need for my Social Security Number. I can easily give them my SSN if they require it for legitimate reasons, such as tax purposes. So, I decided to break the seal, and remove my SSN from all but one of my transcripts, with a razor blade. I’ve found that black marker just doesn’t do the trick. Besides, this really gets the point across.

I re-sealed the envelope, and enclosed the following letter:

To Whom It May Concern:

At the advice of state and federal officials and numerous experts, and because of the extreme risks associated with disseminating my Social Security Number, I have removed my SSN from this document. Though I recognize that breaking the envelope seal transformed this transcript from an “official” to “unofficial” transcript, I certify that I have made no other changes to the document.

George Washington University refused my request to remove my Social Security Number from the transcript. George Washington University is one of a small minority of nationally ranked universities that do not allow students the protection of withholding Social Security Numbers from transcripts or other official university documents. I am told they plan to change their policy in the near future.

Countless state Attorneys General have issued warnings similar to the Washington, D.C. Attorney General, “avoid providing your social security number or other personal information to prospective employers [or other organizations] until you have verified the legitimacy of the organization and their need to verify your background.” A few states have even outlawed placing the Social Security Number on transcripts and other academic documents altogether.

I regret that I must resort to these measures to ensure the protection of myself and my family.

If this organization requires my Social Security Number for legitimate tax or background check purposes, I will be pleased to provide the information in the future. However, as of this date, I am not aware of any such requirement.

Do not hesitate to contact me if you have any questions or concerns.

Sincerely,

Aaron Titus

I’ll let you know how it goes.


The Secure Transcript

Survey of National Universities’ Use of the SSN on Academic Transcripts

Aaron Titus, 21 May 2007

Summary

Most universities have moved away from using students’ Social Security Numbers as their Student ID, but because the SSN continues to be a convenient identification number, ancillary higher education organizations, such as lending institutions, continue to use the SSN as a universal identification number. As a result, some universities which have otherwise discontinued using the SSN as a student ID, continue to print the student’s SSN on academic transcripts and official documentation.

Though academic transcripts should be treated as secure documents, students are often required to disseminate dozens of transcripts to entities with which they will have only one-time contact, most of whom have no need for the SSN. Despite the dangers, the national registrar association, American Association of Collegiate Registrars and Admissions Officers (AACRAO), recommends printing the SSN on transcripts, and says that 79% of American colleges did so in 2003. However, this 2007 survey indicates that now only 26% of US News and World Report’s top 126 colleges and universities mandatorily print the SSN on academic transcripts.

Background

The 2000 US Census reports that 52% of the population over 25, or 94 million people, have attended some college, and therefore potentially have an academic transcript. (http://www.censusscope.org/us/chart_education.html, accessed 5 May 2007). Universities use transcripts to transfer credit. Potential employers use them to verify class standing. Financial institutions, private study abroad corporations, organizations awarding scholarships, and a wide range of other public and private institutions require academic transcripts for a variety of reasons. Before and after graduation, a single student may send dozens of transcripts to organizations with which he may have only passing contact.

Very few of these organizations, including potential employers, have a legitimate need for students’ Social Security Numbers. But each time a student sends a transcript to an organization or prospective employer, the transcript information is usually captured digitally, logged in a database, and stored indefinitely. Since names, birthdates and SSNs are often printed on academic transcripts, these documents pose a potential risk to students and former students, if the information is misused or mishandled. Risk of data breach or identity theft increases proportionally as the student’s personal information is stored in more databases and paper files.

Most of the time, students can easily provide their Social Security Numbers to organizations with a legitimate need, using other methods than an academic transcript. Though employers need the SSN in order to report taxes, most potential employers don’t have a legitimate need for the information. The Washington, D.C. Attorney General warns, “avoid providing your social security number or other personal information to prospective employers until you have verified the legitimacy of the organization and their need to verify your background.” (http://occ.dc.gov/occ/lib/occ/id_theft_tips.pdf, accessed 5 May 2007). Countless other Attorneys General, state agencies, and experts across the country publish similar warnings. A few states have even outlawed placing the Social Security Number on transcripts and other academic documents altogether.

Survey Results & National Trends

Despite the potential risks posed to students and former students, the American Association of Collegiate Registrars and Admissions Officers (AACRAO) currently recommends that universities print SSNs on academic transcripts for convenience and universality. In fact, their most recent publication addressing this issue, the AACRAO 2003 Academic Record and Transcript Guide, reports that 79% of national colleges and universities print the SSN on transcripts. AACRAO is the recognized national authority in the University Registrar field.

I conducted a new survey of US News & World Report’s top 126 national universities in mid-January, 2007, to complement AACRAO’s four-year-old data. The purpose of the survey was to determine the current practices of leading national colleges and universities, with respect to printing students’ Social Security Numbers on official academic transcripts. Representatives from all 126 registrar offices responded to the following questions:

Question 1: Is a student’s Social Security Number printed on official transcripts?

Question 2: If so, may students request that their social security number be withheld from the transcript?

The responses varied from “No,” to categorically “Yes.” Of the many universities that answered no, several indicated that they withheld the SSN for privacy reasons, and one representative mistakenly explained that the privacy provisions of the Family Educational Rights and Privacy Act (FERPA) prohibited them from printing Social Security Numbers on transcripts. Other registrars were more direct. The UC Davis registrar replied simply, “the answer is ‘no’.” Others, like Boston University, include only “the last four digits of your SSN.” Several university registrars explained that the SSN would appear on older university transcripts because they are stored on microfilm, which is not editable. One or two colleges, such as Colorado State University, indicated that they planned to discontinue printing the SSN on transcripts in the near future.

A few, like Texas Christian, defended their practice of mandatorily printing the SSN on transcripts by appealing to AACRAO’s recommendations: “Following AACRAO… recommendations we print the SSN on the transcript… as one step in reducing fraudulent use of academic records. AACRAO states the official transcript is a secure document that contains a large amount of confidential data all of which should be kept secure. In addition, in most cases, the transcript will be provided to those (schools and employers) who already have the SSN. We do not accept requests to withhold the SSN from the transcript.”

The responses were divided into four groups:

Category A: Colleges and Universities which did not print the SSN on academic transcripts. Most of these colleges print the Student ID Number, instead.

Category B: Colleges and Universities which print only a partial SSN on academic transcripts.

Category C: Colleges and Universities which print the full SSN on academic transcripts by default, but allow students to withhold it upon request.

Category D: Colleges and Universities which mandatorily print the SSN on academic transcripts.

Six colleges indicated that they include the full SSN on transcripts, but did not specify whether students could withhold it upon request. For purposes of this study, those six were placed in category D. The survey ignores indications of imminent policy changes—it represents a snapshot of practices during the month of January, 2007. The results of the 2007 survey contrast sharply with AACRAO’s 2003 data:

[Charts: “AACRAO 2003 Survey of National Colleges & Universities” and “January 2007 Survey of US News & World Report’s Top 126 Colleges & Universities,” with Categories A–D as defined above.]
In 2003, more than ¾ of national colleges & universities reported using the SSN on transcripts, according to AACRAO. In January 2007, only ¼ of top national universities mandatorily printed the full SSN on transcripts.

As of January 2007, roughly 2/3 of nationally ranked universities printed a Student ID or only a partial SSN (such as the last 4 digits) on official transcripts. For instance, Harvard, Yale, Stanford, Princeton, and Duke do not use students’ SSNs on transcripts at all, while Georgetown and Berkeley print only the last four digits. 14 nationally ranked schools print the SSN on transcripts, but allow students to withhold it upon request.

Several possible explanations for the contrast between the two surveys may exist. First, the 2007 survey sampled only nationally ranked colleges and universities. Presumably, the 2003 AACRAO data includes a much broader sample of colleges. The absence of local community colleges on the 2007 survey may account for some of the difference, since smaller schools may not have as much funding to overhaul record-keeping systems. However, if nationally ranked colleges serve as a bellwether for national trends in this area, the 2007 survey may also indicate a sea change in how universities treat students’ SSNs. Regardless, only a small minority of nationally ranked colleges and universities now mandatorily print the SSN on academic transcripts.

I presented these findings to AACRAO in a February 2007 letter, and requested that they review their 2003 data and resulting recommendations. As of the date of this article, AACRAO has not responded to my letter.

I also presented the results to the George Washington University administration in Washington, DC. Presently, the university mandatorily prints the SSN on all academic transcripts. However, as a result of this survey, GW University has committed to change their transcript policy, and will allow students to withhold the SSN from transcripts upon request in the near future.

Conclusion

Students and former students should be aware of the risks associated with disseminating academic transcripts, and check their university’s transcript policy. If the policy does not provide sufficient protection, students should push registrars to meet their privacy needs. With persistence, many registrar offices will work with students to come up with creative solutions, on an individual basis.

In the current atmosphere of rising identity theft, students and former students need the ability to control how and to whom their personal information is transmitted. Even among universities that have ceased using the Social Security Number as a student ID, University Registrars should become more aware of this issue, and the trend away from printing Social Security Numbers on transcripts.

About Aaron Titus

Aaron Titus works as a Program Manager at an Alexandria, VA non-profit association. He is also attending the George Washington University Law School, specializing in Information Privacy Law. When he’s not busy being a proud father of two, he writes about privacy, and hosts several podcasts. These include The Privacy Podcast (www.aarontitus.net/privacy), and Free Space (www.libertycoalition.net/liberty-coalition-podcast).

A podcast of this article is available at http://www.aarontitus.net/privacy/index.php?id=13. Copies of this report are also available at Pogowasright.org and the Privacy Rights Clearinghouse.

DATA

I have included a table of results. Question 1 was, “Is a student’s Social Security Number printed on official transcripts?” Question 2 was, “If so, may students request that their social security number be withheld from the transcript?”

Answers in the column labeled “Question 2 Answer” reference the question 1 answer. Thus, if the question 1 answer was “Student ID,” and question 2 answer is “Yes: Optional,” it means: “Academic transcripts print the student ID, but the student ID may be omitted at the option of the student.”

Where the answer to question 1 was “Student ID,” the registrar indicated that the Student ID was not the SSN. “Category” references the descriptions and graphs below:

Category A: Colleges and Universities which did not print the SSN on academic transcripts. Most of these colleges print the Student ID Number, instead.

Category B: Colleges and Universities which print only a partial SSN on academic transcripts.

Category C: Colleges and Universities which print the full SSN on academic transcripts by default, but allow students to withhold it upon request.

Category D: Colleges and Universities which mandatorily print the SSN on academic transcripts.

University | State | Question 1 Answer | Question 2 Answer | Category
University at Buffalo—SUNY | NY | Student ID | No: May Not Remove | A
American University | DC | Student ID | No: May Not Remove | A
University of the Pacific | CA | Student ID | No: May Not Remove | A
College of William and Mary | VA | Student ID | Not Specified | A
Brown University | RI | Student ID | Not Specified | A
Pennsylvania State U.—University Park | PA | Student ID | Not Specified | A
Drexel University | PA | Student ID | Not Specified | A
University of Tulsa | OK | Student ID | Not Specified | A
Cornell University | NY | Student ID | Not Specified | A
New York University | NY | Student ID | Not Specified | A
Rensselaer Polytechnic Institute | NY | Student ID | Not Specified | A
SUNY—Stony Brook | NY | Student ID | Not Specified | A
New Jersey Institute of Technology | NJ | Student ID | Not Specified | A
U. of North Carolina—Chapel Hill | NC | Student ID | Not Specified | A
North Carolina State U.—Raleigh | NC | Student ID | Not Specified | A
Harvard University | MA | Student ID | Not Specified | A
Boston College | MA | Student ID | Not Specified | A
Worcester Polytechnic Institute | MA | Student ID | Not Specified | A
Clark University | MA | Student ID | Not Specified | A
University of Chicago | IL | Student ID | Not Specified | A
U. of Illinois—Urbana – Champaign | IL | Student ID | Not Specified | A
Loyola University Chicago | IL | Student ID | Not Specified | A
University of Iowa | IA | Student ID | Not Specified | A
Howard University | DC | Student ID | Not Specified | A
Catholic University of America | DC | Student ID | Not Specified | A
Stanford University | CA | Student ID | Not Specified | A
Univ. of California—Los Angeles | CA | Student ID | Not Specified | A
University of California—Davis | CA | Student ID | Not Specified | A
Univ. of California—Santa Cruz | CA | Student ID | Not Specified | A
University of Arizona | AZ | Student ID | Not Specified | A
Virginia Tech | VA | Student ID | Yes: Optional | A
University of Utah | UT | Student ID | Yes: Optional | A
University of San Diego | CA | Student ID | Yes: Optional | A
Univ. of Wisconsin—Madison | WI | No SSN | Not Specified | A
Southern Methodist University | TX | No SSN | Not Specified | A
Vanderbilt University | TN | No SSN | Not Specified | A
University of Oregon | OR | No SSN | Not Specified | A
University of Rochester | NY | No SSN | Not Specified | A
Princeton University | NJ | No SSN | Not Specified | A
Dartmouth College | NH | No SSN | Not Specified | A
University of New Hampshire | NH | No SSN | Not Specified | A
Duke University | NC | No SSN | Not Specified | A
Wake Forest University | NC | No SSN | Not Specified | A
Univ. of Minnesota—Twin Cities | MN | No SSN | Not Specified | A
Michigan State University | MI | No SSN | Not Specified | A
Tufts University | MA | No SSN | Not Specified | A
Purdue Univ.—West Lafayette | IN | No SSN | Not Specified | A
University of Delaware | DE | No SSN | Not Specified | A
University of Connecticut | CT | No SSN | Not Specified | A
University of Denver | CO | No SSN | Not Specified | A
Univ. of California—Riverside | CA | No SSN | Not Specified | A
University of San Francisco | CA | No SSN | Not Specified | A
SUNY College of Env. Sci. and Forestry | NY | No SSN | Not Specified | A
Univ. of Massachusetts—Amherst | MA | No SSN | Yes: Optional | A
Yale University | CT | No SSN | Yes: Optional | A
Lehigh University | PA | Last 5 SSN Digits | Not Specified | B
Marquette University | WI | Last 4 SSN Digits | No: May Not Remove | B
Case Western Reserve Univ. | OH | Last 4 SSN Digits | No: May Not Remove | B
Columbia University | NY | Last 4 SSN Digits | No: May Not Remove | B
University of Colorado—Boulder | CO | Last 4 SSN Digits | No: May Not Remove | B
University of California—Irvine | CA | Last 4 SSN Digits | No: May Not Remove | B
University of Vermont | VT | Last 4 SSN Digits | Not Specified | B
University of Virginia | VA | Last 4 SSN Digits | Not Specified | B
St. Louis University | MO | Last 4 SSN Digits | Not Specified | B
Univ. of Missouri—Columbia | MO | Last 4 SSN Digits | Not Specified | B
University of Missouri—Rolla | MI | Last 4 SSN Digits | Not Specified | B
Northeastern University | MA | Last 4 SSN Digits | Not Specified | B
University of Kansas | KS | Last 4 SSN Digits | Not Specified | B
University of Notre Dame | IN | Last 4 SSN Digits | Not Specified | B
Indiana University—Bloomington | IN | Last 4 SSN Digits | Not Specified | B
Emory University | GA | Last 4 SSN Digits | Not Specified | B
Georgia Institute of Technology | GA | Last 4 SSN Digits | Not Specified | B
Georgetown University | DC | Last 4 SSN Digits | Not Specified | B
University of California—Berkeley | CA | Last 4 SSN Digits | Not Specified | B
Univ. of California—San Diego | CA | Last 4 SSN Digits | Not Specified | B
Univ. of California—Santa Barbara | CA | Last 4 SSN Digits | Not Specified | B
Pepperdine University | CA | Last 4 SSN Digits | Not Specified | B
Iowa State University | IA | Last 4 SSN Digits | Yes: Optional | B
Boston University | FL | Last 4 SSN Digits | Yes: Optional | B
Washington State University | WA | Full SSN | No: May Not Remove | D
University of Texas—Austin | TX | Full SSN | No: May Not Remove | D
Texas A&M Univ.—College Station | TX | Full SSN | No: May Not Remove | D
Baylor University | TX | Full SSN | No: May Not Remove | D
Texas Christian University | TX | Full SSN | No: May Not Remove | D
University of Tennessee | TN | Full SSN | No: May Not Remove | D
Clemson University | SC | Full SSN | No: May Not Remove | D
University of Pennsylvania | PA | Full SSN | No: May Not Remove | D
Carnegie Mellon University | PA | Full SSN | No: May Not Remove | D
Ohio State University—Columbus | OH | Full SSN | No: May Not Remove | D
Miami University—Oxford | OH | Full SSN | No: May Not Remove | D
Fordham University | NY | Full SSN | No: May Not Remove | D
SUNY—Binghamton | NY | Full SSN | No: May Not Remove | D
Univ. of Nebraska—Lincoln | NE | Full SSN | No: May Not Remove | D
University of Michigan—Ann Arbor | MI | Full SSN | No: May Not Remove | D
Johns Hopkins University | MD | Full SSN | No: May Not Remove | D
Brandeis University | MA | Full SSN | No: May Not Remove | D
Tulane University | LA | Full SSN | No: May Not Remove | D
University of Kentucky | KY | Full SSN | No: May Not Remove | D
University of Georgia | GA | Full SSN | No: May Not Remove | D
University of Miami | FL | Full SSN | No: May Not Remove | D
Florida State University | FL | Full SSN | No: May Not Remove | D
George Washington University | DC | Full SSN | No: May Not Remove | D
Colorado State University | CO | Full SSN | No: May Not Remove | D
Univ. of Southern California | CA | Full SSN | No: May Not Remove | D
University of Alabama | AL | Full SSN | No: May Not Remove | D
Auburn University | AL | Full SSN | No: May Not Remove | D
Rice University | TX | Full SSN | Not Specified | D
University of Pittsburgh | PA | Full SSN | Not Specified | D
University of Oklahoma | OK | Full SSN | Not Specified | D
Univ. of Maryland—College Park | MD | Full SSN | Not Specified | D
Northwestern University | IL | Full SSN | Not Specified | D
California Institute of Technology | CA | Full SSN | Not Specified | D
University of Washington | WA | Full SSN | Yes: Optional | C
Brigham Young Univ.—Provo | UT | Full SSN | Yes: Optional | C
Univ. of South Carolina—Columbia | SC | Full SSN | Yes: Optional | C
University of Dayton | OH | Full SSN | Yes: Optional | C
Ohio University | OH | Full SSN | Yes: Optional | C
Yeshiva University | NY | Full SSN | Yes: Optional | C
Syracuse University | NY | Full SSN | Yes: Optional | C
Rutgers—New Brunswick | NJ | Full SSN | Yes: Optional | C
Stevens Institute of Technology | NJ | Full SSN | Yes: Optional | C
Washington University in St. Louis | MO | Full SSN | Yes: Optional | C
Massachusetts Institute of Technology | MA | Full SSN | Yes: Optional | C
Kansas State University | KS | Full SSN | Yes: Optional | C
Illinois Institute of Technology | IL | Full SSN | Yes: Optional | C
University of Florida | FL | Full SSN | Yes: Optional | C

Category | Count | Percent
Category A | 55 | 43.7%
Category B | 24 | 19.0%
Category C | 14 | 11.1%
Category D | 33 | 26.2%
Total | 126 | 100.0%
