Archive for category Privacy at School
8 Problems and 9 Solutions to College Information Security
Posted by Titus in Privacy, Privacy at School on February 14, 2009
This article originally appeared on the Security Catalyst Blog.
Colleges and universities store employment data, financial records, transcripts, credit histories, medical histories, contact information, social security numbers and other types of personal information. Although higher-education institutions should be forums where information and knowledge are easily exchanged, “sometimes the free flow of information is unintentional.” Here are eight policies and behaviors that put personal information at risk:
- Administrative Decentralization
- Naive Office Culture
- Unprotected “Old” Data
- Shadow Systems
- Unregulated Servers
- Unsophisticated Privacy Policies
- Improper Use of the SSN
- Unsanitized Hard Drives
Administrative Decentralization
In a university setting each college, each department, and often each professor operates nearly autonomously. In an environment where knowledge must flow freely, decentralization is a must. However, it means that new centralized policies to address information security are difficult to implement.
Naive Office Culture
A closely related risk factor is office culture. Staff turnover makes training an ongoing struggle, despite strict policies governing information control. Accidental information leaks can occur, even in the most secure IT environment. In addition, all office cultures resist changing any process, no matter how inefficient. In one example, I called my law school to discuss financial aid. After identifying myself by only my last name, the staff member automatically read my social security number over the phone.
Unprotected “Old” Data
Colleges do a pretty good job of guarding current personal information, but fail to protect older information, which is especially risky if the old data includes social security numbers.
Almost every week a faculty member backs up an old hard drive to his personal web space, unaware that the hard drive contained legacy student grades and social security numbers. Occasionally the professor is aware of the information but mistakenly believes that his university-provided Web space is not available to the public. Often the data sit on the institutional server for up to five years undetected and forgotten—until the information turns up on Google.
Shadow Systems
“Shadow Systems” are copies of personal information from the core system which professors, colleges, departments, and even student organizations maintain independently. Shadow systems can be sophisticated databases under high security or simple Excel spreadsheets on personal laptops. They multiply at an alarming rate because faculty members with administrative access can create their own databases at any time.
Thus, even though a small army of information-technology professionals may guard a college’s core systems, the security perimeter extends much further. And despite strict policies governing information control, employee turnover makes training about privacy and security issues a continual struggle.
Unregulated Servers
Often faculty members and third-party vendors also set up their own unregulated servers outside university firewalls, often for legitimate academic use. Those servers are particularly vulnerable to hackers and accidental online exposure. In one security audit, a private university uncovered 250 unauthorized servers connected to its public internet network, each containing sensitive student information.
Unsophisticated Privacy Policies
Colleges’ privacy policies often demonstrate a basic lack of understanding of the law and, more importantly, how the institution carries out the law through internal processes. Many policies basically say nothing more than “We follow the law,” without explaining what the law is or how they follow it. Even worse, some simply say, in essence, “Trust us, we’ll be good.”
Many institutions’ privacy policies also erroneously mimic commercial policies, which are narrowly tailored to cover only information collected online. Those policies are deficient in a college setting because just a small fraction of personal information that colleges maintain is collected online.
Further, a single institution may have dozens or hundreds of separate privacy policies, each dealing with a different, and incomplete, set of issues. For example, at some highly decentralized institutions, each college, department, and even some facilities like student unions have their own privacy policies. While privacy policies should reflect the practices of each group, inconsistent policies can create confusion among staff members who must explain or carry them out.
Improper Use of the SSN
Even though many colleges don’t now use social security numbers to identify students, they once did. Those old records sit like land mines on old servers. In addition, some universities print them on academic transcripts and official documents. Even though the American Association of Collegiate Registrars and Admissions Officers recommends printing the social security number on transcripts, my January 2007 study indicates that fortunately, most don’t.
Unsanitized Hard Drives
Deleted files remain almost unchanged on the hard drive until it is overwritten or physically destroyed. Once unsanitized hard drives are re-sold, sensitive personal and corporate information can be easily retrieved. Though most universities have a sanitization protocol when retiring old hard drives, enforcing the policy can be challenging.
Solutions
College administrators should consider the following:
- Regularly scan institutional networks for sensitive information, such as social security numbers, grades, and financial information. Use a combination of public search engines, and internal text- and file-scanning software.
- Automatically retire “old” data on institutional servers but allow faculty members to un-retire old data they still use. Forgotten information is dangerous information.
- Establish a “radioactive date,” which is when your institution last used social security numbers as an identifier. Files last modified before this date should be presumed dangerous.
- Create permissions-based access to core systems. Sensitive personal information should be available to faculty members and departments only on a need-to-know basis.
- Establish a data-retention-and-access policy by balancing threat, benefits and risks of maintaining the data.
- Coordinate interdepartmental privacy and security practices with a special committee of information security professionals.
- Update your privacy policy to reflect all privacy issues arising in a university setting. Explain privacy rights and practices that protect offline employment information and sensitive student records. Also explain work-flow protections (for example, “only director-level employees have access to social security numbers”) and technical practices (for example, “employee data is stored on encrypted hard drives”). Privacy policies should deal with more than just cookies and Web forms.
- Eliminate social security numbers from official records where possible, or establish a policy whereby students can opt to omit their numbers from transcripts or other records.
- Physically destroy all old hard drives.
Institutions of higher education must promote the free exchange of ideas while protecting sensitive personal information. Although the academic environment can seem at odds with information security, appropriate practices and procedures can balance information freedom and personal privacy.
Aaron Titus is the Privacy Director for the Liberty Coalition, and runs National ID Watch. A version of this article originally appeared in the October 24, 2008 edition of the Chronicle of Higher Education, and is republished here by arrangement.
Securing My Academic Transcript
Posted by Titus in Privacy at School on May 27, 2007
I just ordered several transcripts from my university, which I will need to distribute to several organizations, for different reasons. 
As you’re probably aware, transcripts come in sealed envelopes. If the envelope seal is broken, the transcript is no longer “official.”
Most organizations I send transcripts to have no need for my Social Security Number. I can easily give them my SSN if the require it for legitimate reasons, such as tax purposes. So, I decided to break the seal, and remove my SSN from all but one of my transcripts, with a razor blade. I’ve found that black marker just doesn’t do the trick. Besides, this really gets the point across
.
I re-sealed the envelope, and enclosed the following letter:
To Whom It May Concern:
At the advice of state and federal officials and numerous experts, and because of the extreme risks associated with disseminating my Social Security Number, I have removed my SSN from this document. Though I recognize that breaking the envelope seal transformed this transcript from an “official” to “unofficial” transcript, I certify that I have made no other changes to the document.
George Washington University refused my request to remove my Social Security Number from the transcript. George Washington University is one of a small minority of nationally ranked universities that do not allow students the protection of withholding Social Security Numbers from transcripts or other official university documents. I am told they plan to change their policy in the near future.
Countless states Attorneys General have issued warnings similar to the Washington, D.C. Attorney General, “avoid providing your social security number or other personal information to prospective employers [or other organizations] until you have verified the legitimacy of the organization and their need to verify your background.” A few states have even outlawed placing the Social Security Number on transcripts and other academic documents altogether.
I regret that I must resort to these measures to ensure the protection of myself and my family.
If this organization requires my Social Security Number for legitimate tax or background check purposes, I will be pleased to provide the information in the future. However, as this date, I am not aware of any such requirement.
Do not hesitate to contact me if you have any questions or concerns.
Sincerely,
Aaron Titus
I’ll let you know how it goes.
The Secure Transcript
Posted by Titus in Privacy at School on May 21, 2007
Survey of National Universities’ Use of the SSN on Academic Transcripts
Aaron Titus, 21 May 2007
Summary
Most universities have moved away from using students’ Social Security Numbers as their Student ID, but because the SSN continues to be a convenient identification number, ancillary higher education organizations, such as lending institutions, continue to use the SSN as a universal identification number. As a result, some universities which have otherwise discontinued using the SSN as a student ID, continue to print the student’s SSN on academic transcripts and official documentation.
Though academic transcripts should be treated as secure documents, students are often required to disseminate dozens of transcripts to entities with which they will have only one-time contact, most of whom have no need for the SSN. Despite the dangers, the national registrar association, American Association of Collegiate Registrars and Admissions Officers (AACRAO), recommends printing the SSN on transcript, and says that 79% of American colleges did so, in 2003. However, this 2007 survey indicates that now only 26% of US News and World Report’s top 126 colleges and universities mandatorily print the SSN on academic transcripts.
Background
The 2000 US Census reports that 52% of the population over 25, or 94 million people, have attended some college, and therefore potentially have an academic transcript. (http://www.censusscope.org/us/chart_education.html, accessed 5 May 2007). Universities use transcripts to transfer credit. Potential employers use them to verify class standing. Financial institutions, private study abroad corporations, organizations awarding scholarships, and a wide range of other public and private institutions require academic transcripts for a variety of reasons. Before and after graduation, a single student may send dozens of transcripts to organizations with which he may have only passing contact.
Very few of these organizations, including potential employers, have a legitimate need for students’ Social Security Numbers. But each time a student sends a transcript to an organization or prospective employer, the transcript information is usually captured digitally, logged in a database, and stored indefinitely. Since names, birthdates and SSNs are often printed on academic transcripts, these documents pose a potential risk to students and former students, if the information is misused or mishandled. Risk of data breach or identity theft increases proportionally as the student’s personal information is stored in more databases and paper files.
Most of the time, students can easily provide their Social Security Numbers to organizations with a legitimate need, using other methods than an academic transcript. Though employers need the SSN in order to report taxes, most potential employers don’t have a legitimate need for the information. The Washington, D.C. Attorney General warns, “avoid providing your social security number or other personal information to prospective employers until you have verified the legitimacy of the organization and their need to verify your background.” (http://occ.dc.gov/occ/lib/occ/id_theft_tips.pdf, accessed 5 May 2007). Countless other Attorneys General, state agencies, and experts across the country publish similar warnings. A few states have even outlawed placing the Social Security Number on transcripts and other academic documents altogether.
Survey Results & National Trends
Despite the potential risks posed to students and former students, the American Association of Collegiate Registrars and Admissions Officers (AACRAO) currently recommends that universities print SSNs on academic transcripts for convenience and universality. In fact, their most recent publication addressing this issue, the AACRAO 2003 Academic Record and Transcript Guide, reports that 79% of national colleges and universities print the SSN on transcripts. AACRAO is the recognized national authority in the University Registrar field.
I conducted a new survey of US News & World Report’s top 126 national universities in mid-January, 2007, to complement AACRAO’s four-year-old data. The purpose of the survey was to determine the current practices of leading national colleges and universities, with respect to printing students’ Social Security Numbers on official academic transcripts. Representatives from all 126 registrar offices responded to the following questions:
Question 1: Is a student’s Social Security Number printed on official transcripts?
Question 2: If so, may students request that their social security number be withheld from the transcript?
The responses varied from “No,” to categorically “Yes.” Of the many universities that answered no, several indicated that they withheld the SSN for privacy reasons, and one representative mistakenly explained that the privacy provisions of the Family Educational Rights and Privacy Act (FERPA) prohibited them from printing Social Security Numbers on transcripts. Other registrars were more direct. The UC Davis registrar replied simply, “the answer is ‘no’.” Others, like Boston University, include only “the last four digits of your SSN.” Several university registrars explained that the SSN would appear on older university transcripts because they are stored on microfilm, which are not editable. One or two colleges, such as Colorado State University, indicated that they planned to discontinue printing the SSN on transcripts in the near future.
A few, like Texas Christian defended their practice of mandatorily printing the SSN on transcripts by appealing to AACRAO’s recommendations: “Following AACRAO… recommendations we print the SSN on the transcript… as one step in reducing fraudulent use of academic records. AACRAO states the official transcript is a secure document that contains a large amount of confidential data all of which should be kept secure. In addition, in most cases, the transcript will be provided to those (schools and employers) who already have the SSN. We do not accept requests to withhold the SSN from the transcript.”
The responses were divided into four groups:
Category A: Colleges and Universities which did not print the SSN on academic transcripts. Most of these colleges print the Student ID Number, instead.
Category B: Colleges and Universities which print only a partial SSN on academic transcripts.
Category C: Colleges and Universities which print the full SSN on academic transcripts by default, but allow students to withhold it upon request.
Category D: Colleges and Universities which mandatorily print the SSN on academic transcripts.
Six colleges indicated that they include the full SSN on transcripts, but did not specify whether students could withhold it upon request. For purposes of this study, those six were placed in category D. The survey ignores indications of imminent policy changes—it represents a snapshot of practices during the month of January, 2007. The results of the 2007 survey contrast sharply with AACRAO’s 2003 data:
| AACRAO 2003 Survey of National Colleges & Universities | January 2007 Survey of US News & World Report’s Top 126 Colleges & Universities |
 |
 |
| In 2003, more than ¾ of national colleges & universities reported using the SSN on transcripts, according to AACRAO. | In January 2007, only ¼ of top national universities mandatorily printed the full SSN on transcripts. |
| Category A: Colleges and Universities which did not print the SSN on academic transcripts. Most print the Student ID Number, instead. Category B: Colleges and Universities which print only a partial SSN on academic transcripts. |
Category C: Colleges and Universities which print the full SSN on academic transcripts by default, but allow students to withhold it upon request. Category D: Colleges and Universities which mandatorily print the SSN on academic transcripts. |
As of January 2007, roughly 2/3 of nationally ranked universities printed a Student ID or only a partial SSN (such as the last 4 digits) on official transcripts. For instance, Harvard, Yale, Stanford, Princeton, and Duke do not use students’ SSNs on transcripts at all, while Georgetown and Berkeley print only the last four digits. 14 nationally ranked schools print the SSN on transcripts, but allow students to withhold it upon request.
Several possible explanations for the contrast between the two surveys may exist. First, the 2007 survey sampled only nationally ranked colleges and universities. Presumably, the 2003 AACRAO data includes a much broader sample of colleges. The absence of local community colleges on the 2007 survey may account for some of the difference, since smaller schools may not have as much funding to overhaul record-keeping systems. However, if nationally ranked colleges serve as a bellwether for national trends in this area, the 2007 survey may also indicate a sea change in how universities treat students’ SSNs. Regardless, only a small minority of nationally ranked colleges and universities now mandatorily print the SSN on academic transcripts.
I presented these findings to AACRAO in a February 2007 letter, and requested that they review their 2003 data and resulting recommendations. As of the date of this article, AACRAO has not responded to my letter.
I also presented the results to the George Washington University administration in Washington, DC. Presently, the university mandatorily prints the SSN on all academic transcripts. However, as a result of this survey, GW University has committed to change their transcript policy, and will allow students to withhold the SSN from transcripts upon request in the near future.
Conclusion
Students and former students should be aware of the risks associated with disseminating academic transcripts, and check their university’s transcript policy. If the policy does not provide sufficient protection, students should push registrars to meet their privacy needs. With persistence, many registrar offices will work with students to come up with creative solutions, on an individual basis.
In the current atmosphere of rising identity theft, students and former students need the ability to control how and to whom their personal information is transmitted. Even among universities that have ceased using the Social Security Number as a student ID, University Registrars should become more aware of this issue, and the trend away from printing Social Security Numbers on transcripts.
About Aaron Titus
Aaron Titus works as a Program Manager at an Alexandria, VA non-profit association. He is also attending the George Washington University Law School, specializing in Information Privacy Law. When he’s not busy being a proud father of two, he writes about privacy, and hosts several podcasts. These include The Privacy Podcast (www.aarontitus.net/privacy), and Free Space (www.libertycoalition.net/liberty-coalition-podcast).
A podcast of this article is available at http://www.aarontitus.net/privacy/index.php?id=13. Copies of this report are also available at Pogowasright.org and the Privacy Rights Clearinghouse.
DATA
I have included a table of results. Question 1 was, “Is a student’s Social Security Number printed on official transcripts?” Question 2 was, “If so, may students request that their social security number be withheld from the transcript?”
Answers in the column labeled “Question 2 Answer” reference the question 1 answer. Thus, if the question 1 answer was “Student ID,” and question 2 answer is “Yes: Optional,” it means: “Academic transcripts print the student ID, but the student ID may be omitted at the option of the student.”
Where the answer to question 1 was “Student ID,” the registrar indicated that the Student ID was not the SSN. “Category” references the descriptions and graphs below:
Category A: Colleges and Universities which did not print the SSN on academic transcripts. Most of these colleges print the Student ID Number, instead.
Category B: Colleges and Universities which print only a partial SSN on academic transcripts.
Category C: Colleges and Universities which print the full SSN on academic transcripts by default, but allow students to withhold it upon request.
Category D: Colleges and Universities which mandatorily print the SSN on academic transcripts.
| University | State | Question1 Answer | Question2 Answer | Category |
| University at Buffalo—SUNY | NY | Student ID | No: May Not Remove | A |
| American University | DC | Student ID | No: May Not Remove | A |
| University of the Pacific | CA | Student ID | No: May Not Remove | A |
| College of William and Mary | VA | Student ID | Not Specified | A |
| Brown University | RI | Student ID | Not Specified | A |
| Pennsylvania State U.—University Park | PA | Student ID | No Specified | A |
| Drexel University | PA | Student ID | Not Specified | A |
| University of Tulsa | OK | Student ID | Not Specified | A |
| Cornell University | NY | Student ID | Not Specified | A |
| New York University | NY | Student ID | Not Specified | A |
| Rensselaer Polytechnic Institute | NY | Student ID | Not Specified | A |
| SUNY—Stony Brook | NY | Student ID | Not Specified | A |
| New Jersey Institute of Technology | NJ | Student ID | Not Specified | A |
| U. of North Carolina—Chapel Hill | NC | Student ID | Not Specified | A |
| North Carolina State U.—Raleigh | NC | Student ID | Not Specified | A |
| Harvard University | MA | Student ID | Not Specified | A |
| Boston College | MA | Student ID | Not Specified | A |
| Worcester Polytechnic Institute | MA | Student ID | Not Specified | A |
| Clark University | MA | Student ID | Not Specified | A |
| University of Chicago | IL | Student ID | Not Specified | A |
| U. of Illinois—Urbana – Champaign | IL | Student ID | Not Specified | A |
| Loyola University Chicago | IL | Student ID | Not Specified | A |
| University of Iowa | IA | Student ID | Not Specified | A |
| Howard University | DC | Student ID | Not Specified | A |
| Catholic University of America | DC | Student ID | Not Specified | A |
| University | State | Question1 Answer | Question2 Answer | Category |
| Stanford University | CA | Student ID | Not Specified | A |
| Univ. of California—Los Angeles | CA | Student ID | Not Specified | A |
| University of California—Davis | CA | Student ID | Not Specified | A |
| Univ. of California—Santa Cruz | CA | Student ID | Not Specified | A |
| University of Arizona | AZ | Student ID | Not Specified | A |
| Virginia Tech | VA | Student ID | Yes: Optional | A |
| University of Utah | UT | Student ID | Yes: Optional | A |
| University of San Diego | CA | Student ID | Yes: Optional | A |
| Univ. of Wisconsin—Madison | WI | No SSN | Not Specified | A |
| Southern Methodist University | TX | No SSN | Not Specified | A |
| Vanderbilt University | TN | No SSN | Not Specified | A |
| University of Oregon | OR | No SSN | Not Specified | A |
| University of Rochester | NY | No SSN | Not Specified | A |
| Princeton University | NJ | No SSN | Not Specified | A |
| Dartmouth College | NH | No SSN | Not Specified | A |
| University of New Hampshire | NH | No SSN | Not Specified | A |
| Duke University | NC | No SSN | Not Specified | A |
| Wake Forest University | NC | No SSN | Not Specified | A |
| Univ. of Minnesota—Twin Cities | MN | No SSN | Not Specified | A |
| Michigan State University | MI | No SSN | Not Specified | A |
| Tufts University | MA | No SSN | Not Specified | A |
| Purdue Univ.—West Lafayette | IN | No SSN | Not Specified | A |
| University of Delaware | DE | No SSN | Not Specified | A |
| University of Connecticut | CT | No SSN | Not Specified | A |
| University of Denver | CO | No SSN | Not Specified | A |
| Univ. of California—Riverside | CA | No SSN | Not Specified | A |
| University of San Francisco | CA | No SSN | Not Specified | A |
| SUNY College of Env. Sci. and Forestry | NY | No SSN | Not Specified | A |
| Univ. of Massachusetts—Amherst | MA | No SSN | Yes: Optional | A |
| Yale University | CT | No SSN | Yes: Optional | A |
| Lehigh University | PA | Last 5 SSN Digits | Not Specified | B |
| Marquette University | WI | Last 4 SSN Digits | No: May Not Remove | B |
| Case Western Reserve Univ. | OH | Last 4 SSN Digits | No: May Not Remove | B |
| Columbia University | NY | Last 4 SSN Digits | No: May Not Remove | B |
| University of Colorado—Boulder | CO | Last 4 SSN Digits | No: May Not Remove | B |
| University of California—Irvine | CA | Last 4 SSN Digits | No: May Not Remove | B |
| University of Vermont | VT | Last 4 SSN Digits | Not Specified | B |
| University of Virginia | VA | Last 4 SSN Digits | Not Specified | B |
| St. Louis University | MO | Last 4 SSN Digits | Not Specified | B |
| Univ. of Missouri—Columbia | MO | Last 4 SSN Digits | Not Specified | B |
| University of Missouri—Rolla | MI | Last 4 SSN Digits | Not Specified | B |
| Northeastern University | MA | Last 4 SSN Digits | Not Specified | B |
| University of Kansas | KS | Last 4 SSN Digits | Not Specified | B |
| University of Notre Dame | IN | Last 4 SSN Digits | Not Specified | B |
| Indiana University—Bloomington | IN | Last 4 SSN Digits | Not Specified | B |
| Emory University | GA | Last 4 SSN Digits | Not Specified | B |
| University | State | Question1 Answer | Question2 Answer | Category |
| Georgia Institute of Technology | GA | Last 4 SSN Digits | Not Specified | B |
| Georgetown University | DC | Last 4 SSN Digits | Not Specified | B |
| University of California—Berkeley | CA | Last 4 SSN Digits | Not Specified | B |
| Univ. of California—San Diego | CA | Last 4 SSN Digits | Not Specified | B |
| Univ. of California—Santa Barbara | CA | Last 4 SSN Digits | Not Specified | B |
| Pepperdine University | CA | Last 4 SSN Digits | Not Specified | B |
| Iowa State University | IA | Last 4 SSN Digits | Yes: Optional | B |
| Boston University | FL | Last 4 SSN Digits | Yes: Optional | B |
| Washington State University | WA | Full SSN | No: May Not Remove | D |
| University of Texas—Austin | TX | Full SSN | No: May Not Remove | D |
| Texas A&M Univ.—College Station | TX | Full SSN | No: May Not Remove | D |
| Baylor University | TX | Full SSN | No: May Not Remove | D |
| Texas Christian University | TX | Full SSN | No: May Not Remove | D |
| University of Tennessee | TN | Full SSN | No: May Not Remove | D |
| Clemson University | SC | Full SSN | No: May Not Remove | D |
| University of Pennsylvania | PA | Full SSN | No: May Not Remove | D |
| Carnegie Mellon University | PA | Full SSN | No: May Not Remove | D |
| Ohio State University—Columbus | OH | Full SSN | No: May Not Remove | D |
| Miami University—Oxford | OH | Full SSN | No: May Not Remove | D |
| Fordham University | NY | Full SSN | No: May Not Remove | D |
| SUNY—Binghamton | NY | Full SSN | No: May Not Remove | D |
| Univ. of Nebraska—Lincoln | NE | Full SSN | No: May Not Remove | D |
| University of Michigan—Ann Arbor | MI | Full SSN | No: May Not Remove | D |
| Johns Hopkins University | MD | Full SSN | No: May Not Remove | D |
| Brandeis University | MA | Full SSN | No: May Not Remove | D |
| Tulane University | LA | Full SSN | No: May Not Remove | D |
| University of Kentucky | KY | Full SSN | No: May Not Remove | D |
| University of Georgia | GA | Full SSN | No: May Not Remove | D |
| University of Miami | FL | Full SSN | No: May Not Remove | D |
| Florida State University | FL | Full SSN | No: May Not Remove | D |
| George Washington University | DC | Full SSN | No: May Not Remove | D |
| Colorado State University | CO | Full SSN | No: May Not Remove | D |
| Univ. of Southern California | CA | Full SSN | No: May Not Remove | D |
| University of Alabama | AL | Full SSN | No: May Not Remove | D |
| Auburn University | AL | Full SSN | No: May Not Remove | D |
| Rice University | TX | Full SSN | Not Specified | D |
| University of Pittsburgh | PA | Full SSN | Not Specified | D |
| University of Oklahoma | OK | Full SSN | Not Specified | D |
| Univ. of Maryland—College Park | MD | Full SSN | Not Specified | D |
| Northwestern University | IL | Full SSN | Not Specified | D |
| California Institute of Technology | CA | Full SSN | Not Specified | D |
| University of Washington | WA | Full SSN | Yes: Optional | C |
| Brigham Young Univ.—Provo | UT | Full SSN | Yes: Optional | C |
| Univ. of South Carolina—Columbia | SC | Full SSN | Yes: Optional | C |
| University of Dayton | OH | Full SSN | Yes: Optional | C |
| Ohio University | OH | Full SSN | Yes: Optional | C |
| University | State | Question1 Answer | Question2 Answer | Category |
| Yeshiva University | NY | Full SSN | Yes: Optional | C |
| Syracuse University | NY | Full SSN | Yes: Optional | C |
| Rutgers—New Brunswick | NJ | Full SSN | Yes: Optional | C |
| Stevens Institute of Technology | NJ | Full SSN | Yes: Optional | C |
| Washington University in St. Louis | MO | Full SSN | Yes: Optional | C |
| Massachusetts Institute of Technology | MA | Full SSN | Yes: Optional | C |
| Kansas State University | KS | Full SSN | Yes: Optional | C |
| Illinois Institute of Technology | IL | Full SSN | Yes: Optional | C |
| University of Florida | FL | Full SSN | Yes: Optional | C |
| Category A: | 55 | 43.7% |
| Category B: | 24 | 19.0% |
| Category C: | 14 | 11.1% |
| Category D: | 33 | 26.2% |
| Total | 126 | 100.0% |