When the Stanford Student Computer and Network Privacy Project completed its recent study of computer and network-related student privacy issues, little did we know how timely our findings would become. This is a critical time to consider student privacy issues as well as to ensure student privacy protection. The events of recent months may have a direct impact on the current and future privacy of student records. The San Jose Mercury News recently reported: "Colleges across the country … are providing the FBI and other federal agencies with student records in connection with the investigation of the Sept. 11 terrorist attacks." We set out to examine the student privacy issues and concerns on the Stanford campus.
This study addresses critical issues that do not receive much attention, including the Family Educational Rights and Privacy Act’s vague definition of "student educational records" and the faulty presumption that subpoenas implicate judicial review. On the positive side, the study may have also uncovered privacy issues that either were unknown or not a high priority among Stanford officials.
Stanford is one of the better-prepared universities in the area of student privacy, and yet its policies and practices manifest troublesome aspects that require improvement. We hope these findings encourage other universities to examine the state of their own student privacy policies and practices. We suspect that doing so will uncover additional or similar weaknesses in student privacy protection.
We surveyed a small sample of the student body to consider their expectations and perceptions of student privacy rights on the Stanford network. We found that while most surveyed students knew little about their privacy protection rights and the degree to which these rights can be compromised, they do believe that privacy protection is important. Based on these findings, we suggest the university place greater emphasis on increasing awareness of student privacy issues through literature distribution and educational programs.
We then investigated the current state of computer and network privacy at Stanford and found that students, faculty, and staff can access personal student information via the campus network. Students can access each other’s home and school addresses, class schedules, and email activity logs. They can associate a particular student with a specific computer terminal and so determine his or her physical location in addition to what applications he or she is running. However, it is not clear at which point students would be willing to forgo convenience in favor of increased privacy protection (for example, disabling the command to physically locate another student at the cost of locating a teaching assistant during office hours).
We next considered a foursome of laws and policies in order to investigate privacy protections guaranteed to Stanford students: Electronic Communications Privacy Act (ECPA); Family Educational Rights and Privacy Act (FERPA); Stanford’s Principles of Privacy in the university; and Stanford’s Computer and Network Usage Policy.
ECPA is a crime bill that makes wiretapping legal under certain limitations. Due to an increase in electronic communications, legislators subsequently expanded ECPA in 1986 to address resultant privacy concerns. ECPA specifies that " … a provider of electronic communication service or remote computing service may disclose a record or other information pertaining to a subscriber or customer of such service … to any person other than a governmental entity." The university provides such services to its student subscribers. ECPA further specifies that when a governmental entity seeks "subscriber" information, the information may be disclosed only if the entity has obtained a warrant, court order, an authorized administrative or grand jury subpoena, or the consent of the subscriber.
Subpoenas, in particular, range from court orders to law enforcement subpoenas to attorney boilerplate. For example, if some arbitrary law firm were to provide Stanford with a subpoena attempting to compel the disclosure of a student subscriber’s identity or electronic communications records, Stanford security officers could legally provide the requested information. Or they could ask a court to settle the matter. Therefore, ECPA does not serve to protect student privacy. Since ECPA does not require judicial review, ECPA provides a convenient rationalization for questionable authorizing procedures (see www.digitalcentury.com/encyclo/update/ecpa.html for details) in matters of the university conducting email surveillance or turning over electronic communication records. We suggest Stanford officials limit what types of subpoenas can warrant disclosure of student information.
FERPA is a federal law that provides the following rights to adult students or to the parents of students under the age of 18: The right to inspect and review the information the university is keeping on the student; the right to seek amendment to those records and in certain cases append a statement to the record; the right to consent to disclosure of his or her records; and the right to file a complaint with the FERPA office in Washington. (See ferpa.sis.usmd.edu/ferpaweb for details.)
An accurate interpretation of FERPA hinges on the definition of a "student educational record." FERPA defines such a record as directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution (www.lrp.com/ed/freelib/ free_regs/c34_99_3.htm). Under this loose definition, a student’s email, data files, programs, and network account information may be interpreted as student educational records. However, FERPA’s definition of student educational records as well as its provisions as to what constitutes a violation of protecting the privacy of these records is neither clear nor well defined. We recommend Stanford officials establish a formal interpretation of FERPA, educate students, faculty, staff, and system administrators about it, and put it into practice in a timely fashion.
Stanford’s two-page Principles of Privacy in the university (last updated in March 1984 and available only in print) outlines privacy protections afforded to students by the university but does not explicitly address protections guaranteed to students from other Stanford students, faculty, and staff. For example, the policy states, "The University should obtain information only with the informed consent of the individual." Furthermore, if "information" can be interpreted as a student’s email, data files, programs, and network account information, then one might argue that Stanford is compromising students’ privacy rights since its security officers and/or system administrators are allowed to access such student information without the student’s consent. In sum, the university privacy policy needs to clearly define "information" as well as address network privacy issues to protect students from other students, faculty, and staff.
Stanford’s Computer and Network Usage Policy specifies that users of the Stanford network and computer resources are responsible for not abusing those resources and for respecting the rights of others. Specifically, the usage policy states, "users must be mindful of the rights of others to their privacy." It appears that Stanford’s policy attempts to provide students as much privacy protection as possible. However, it is problematic that no audit trails or logs are kept to monitor the actions of the university’s security staff (or of any administrator with extra network privileges), especially considering that Stanford security is authorized to access computer users’ files—without notification—to ensure proper computer and network usage. We suggest the Security Office keep an audit log to ensure proper use of access privileges.
None of the aforementioned laws and policies adequately protects student privacy. Stanford policies, for example, do not explicitly forbid users from running programs to view another student’s command-line contents during a login session. It may not be feasible to explicitly outline every action a user can and cannot perform on the Stanford network; perhaps a more practicable solution is to make users aware of how their privacy can be violated and what they can do to protect themselves. Since we contend that providing a document containing such information would be a significant improvement, we drafted and inserted this information in orientation packets for first-year students and provided the Web site URL for more information. We were very pleased with the university’s support; we hope it will continue to update and distribute such a document for all incoming students.
Other Perspectives
We also interviewed several university officials in an effort to analyze what Stanford has planned from both a policy and technological point of view. One official recognized the urgency to revise the university’s privacy policy. Another official stated the trend for the future was to avoid relying solely on the education of end users; that it is better to build higher levels of security into any service or system whenever practicable.
To help us better understand and gain perspective about Stanford’s privacy policy, we also considered the privacy policies of other universities, including Cornell, Dartmouth, MIT, the University of Texas-Austin, and the University of Washington.
MIT’s policy (web.mit.edu/policies/11.0.html) outlines in great detail the rights of students, faculty, and staff to obtain and review information stored about them. In addition, it states the right of an individual whose information is being gathered includes knowing the purpose of the collection and that the information may not be used for any other reason. MIT’s policy also details the situations in which consent is not needed to share information and discusses MIT’s compliance of FERPA. In general, MIT’s policy seems conservative, and the intended audience seems to be technologically savvy.
The most clear and concise privacy policy came from the University of Washington (www.washington.edu/computing/rules/privacy.html), which carefully lists the necessary legal conditions for legitimate compromising of university accounts by way of inspection or monitoring. Privacy policies from other schools included similar lists, but Washington’s policy is very easy to locate online and it is direct in describing the university’s privacy-related obligations.
In reading privacy policies from other universities, we discovered that Stanford is, for the most part, well informed and well prepared in the area of student privacy. However, we contend a revision of Stanford’s privacy policy is necessary and critical. It should also be easily accessible and available on the Web.
Conclusion
Based on our study, we suggest Stanford University should put greater emphasis on increasing awareness of student privacy issues through literature distribution and educational programs. Students should be partially responsible for their own protection by revealing less information on personal Web space; controlling what information is shared with the campus community and with the outside world; specifying access permissions are read-only when sharing files; and being mindful not to provide sensitive information when using cluster computers.
Regarding legal and policy issues, we recommend Stanford officials limit the types of subpoenas that warrant disclosure of student information; establish a formal interpretation of FERPA and educate all parties about it; and expand the university’s Principles of Privacy to address privacy issues that will protect students from other students, faculty, and staff. Furthermore, we suggest the Security Office keep an audit log to ensure proper use of access privileges. Finally, Stanford’s privacy policy should be revised and made easily accessible as soon as possible.
We hope other universities will conduct similar analyses of student computer and network privacy issues and make serious attempts to improve student privacy protection on their campuses.
The full study by the Stanford Student Computer and Network Privacy Project is available at www.stanford.edu/group/privacyproject/.
Join the Discussion (0)
Become a Member or Sign In to Post a Comment