In June 2006, the trustees of Ohio University (OU) voted unanimously to spend up to $4 million on enhanced information security. The decision came in the wake of the media coverage about OU's "lax, low-priority attitude toward security," resulting in five data breaches detected since April, the theft of 173,000 Social Security numbers, and an unsecured alumni database which was used by hackers for over a year to share music files and launch attacks on other systems.5 Fallout from the breaches included a lawsuit filed by alumni who sought class action status to represent any students, employees and other alumni affected by the breaches,6 and an 8% decline in the number of donations received when the breaches were disclosed compared with the same period in the previous year.7
Higher education faces significant privacy and security challenges, as the OU example illustrates.1 First, most colleges and universities engage in the same types of ecommerce activities that raise privacy concerns in the private sector and potentially pose privacy risks if not managed effectively. For example, schools typically process electronic applications, engage in relationship marketing, accept donations, and sell t-shirts, textbooks and athletic tickets online. However, their privacy policies have received little attention compared to the scrutiny the private sector has received.3
Universities also collect and maintain large online stores of sensitive personal information, putting them at risk for security breaches. Further, while most businesses have retention policies specifying when records should be discarded, many educational records containing sensitive personal information about students and their families may be retained indefinitely. Higher education has accounted for a disproportionate share of publicly reported security breaches.9 The majority of these breaches were attributed to hacking, but schools also reported lost laptops, or even posting of sensitive information on a Web site. Some schools reported multiple incidents.
Further, like the private sector, higher education faces privacy risks posed by decentralized computing environments. Many schools outsource common business functions such as online admissions, sale of athletic tickets, credit card processing or operation of their bookstores to third parties. However, the higher education information environment is also characterized by other attributes including norms of academic freedom that pose additional risks and challenges not found in the commercial world. Academic departments often operate their own servers and run their own Web sites. Individual faculty, students and student organizations also have personal Web sites that run on department servers or servers managed by the school.
This article presents the results of a benchmark study of online privacy practices in higher education.2 The study addresses the question, how well is higher education managing online privacy? The study is based on an audit of Web site privacy practices and a content analysis of the online privacy notices of America's leading colleges and universities to assess whether they observe fair information practices.
To manage privacy effectively, organizations need to implement policies based on fair information practices. Fair information practices (FIP) are global principles that provide individuals with control over the disclosure and subsequent use of their personal information, and describe organizational obligations for data protection. Because FIP balance the legitimate but competing business and individual interests around the use of the individual's personal information, they provide the basis for both privacy laws and self-regulatory programs. For example, federal privacy laws based on FIP that affect higher education include the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and the Children's Online Privacy Protection Act (COPPA).1
Currently, the most widely accepted U.S. version of fair information practices reflects a subset of the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and is based on five elements: notice, choice, access, security and accountability.3 Notice means that when individuals provide personal information, they have the right to know what, if any, information is being collected and how it will be used. Choice means individuals should have the right to object when personal information is collected for one purpose and will be used for other unrelated purposes or shared with third parties, unless this sharing is required by law. Access means individuals should have the right to see their information and correct errors. Security means organizations should ensure data integrity and protect data from unauthorized access during both transmission and storage. Accountability means organizations should put in place processes to ensure they comply with these principles.
As a result of the publicity about security breaches, privacy is often equated with security. However, privacy is more than security. While security is one important element of privacy, there are important differences between the two. Privacy is about how organizations use (and reuse) personal information, and whether or not they gain permission for these uses, while security is about protecting information. Failure by organizations to manage personal information along both of these dimensions can result in harm to the individual.11 While you cannot have privacy without security, you can have security without privacy, as organizations can secure personal information yet make legal but poor decisions about using this information which raise privacy concerns.
This study is based on an analysis of the Web sites of the top 236 schools from the US News and World Report 2004 list of best colleges. The sample consisted of 129 national doctoral universities and 107 national liberal arts colleges. We collected three types of data: data about actual practices based on an automated audit of common privacy risks; a content analysis to measure the extent to which the privacy notices posted by schools in our sample reflect fair information practices; and a readability assessment of these notices.
First, we conducted an automated audit of the Web sites for all 236 schools using Watchfire's WebXM Privacy Module.a WebXM was an automated tool that helped organizations identify risks related to their collection of personal information online. Watchfire ran five scans for each school. In addition to the home page, we scanned four other sections of the Web sites where schools are likely to collect personal information: undergraduate admissions, athletics, alumni, and employment/human resources. Each scan analyzed approximately 200 pages from each starting URL; we scanned a total of 174,291 pages across all schools. The scans looked for three types of privacy risks, related to privacy notice use, cookies, and data collection forms. Table 1 describes these risks and how they relate to fair information practices.
First, we scanned for pages without a link to a privacy notice. Nearly 100% had at least one data collection form on a page without a link to a privacy notice with an average of 177 such pages per school. Next, we scanned for third party cookies. Third-party cookies were found on the Web sites of only nine schools (4%) suggesting this is not a major risk factor in higher education. However, it is interesting to note that for these nine schools, five did not have a homepage privacy notice, and one of the four schools with a privacy notice did not address cookies in their notice. Finally, we scanned for privacy risks associated with data collection forms. All of the 236 schools had at least one non-secure page with a data collection form, with an average of 424 such pages per school. Nearly 100% had at least one data collection form that used the HTTP GET method to submit the data with an average of 209 instances per school. As described in Table 1, the GET method encodes data in the Request-URI which may then be stored in a server log, making it visible to unauthorized individuals.
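An added audit in the spirit of the scan described above (example code written for this page, not Watchfire's WebXM): it parses one page's HTML with Python's standard library and flags a data-collection form with no privacy-notice link, a form that submits via GET, and a form whose page or submission target is not HTTPS. The page URL, the sample HTML and the risk labels are assumptions.

```python
# Added example, not the study's WebXM tool: flags the form-related privacy
# risks described above on a single HTML page.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self.has_privacy_link = page_url, [], False
        self._in_form, self._in_a, self._a_text = False, False, ""

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._in_form = True
            self.forms.append({"method": (a.get("method") or "get").lower(),  # HTML default is GET
                               "action": urljoin(self.page_url, a.get("action") or ""),
                               "inputs": 0})
        elif tag == "input" and self._in_form:
            if (a.get("type") or "text").lower() not in ("hidden", "submit", "button"):
                self.forms[-1]["inputs"] += 1      # a field that carries user data
        elif tag == "a":
            self._in_a, self._a_text = True, (a.get("href") or "") + " "

    def handle_data(self, data):
        if self._in_a:
            self._a_text += data

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False
        elif tag == "a" and self._in_a:
            self._in_a = False
            self.has_privacy_link |= "privacy" in self._a_text.lower()

def audit_page(page_url, html):
    """Return the set of privacy-risk labels found on the page."""
    p = FormAuditor(page_url)
    p.feed(html)
    risks, data_forms = set(), [f for f in p.forms if f["inputs"] > 0]
    if data_forms and not p.has_privacy_link:
        risks.add("form_without_privacy_link")
    for f in data_forms:
        if f["method"] == "get":
            risks.add("form_uses_get")       # data goes into the Request-URI and server logs
        if urlsplit(page_url).scheme != "https" or urlsplit(f["action"]).scheme != "https":
            risks.add("form_not_secure")     # page or submission target is not TLS-protected
    return risks

# Constructed sample: an admissions page over plain HTTP with a GET form and no privacy link.
SAMPLE_HTML = '<html><body><form action="/apply"><input name="ssn"><input type="submit"></form></body></html>'
```

Forms containing only submit buttons or hidden fields are ignored, since they collect no user data; `audit_page` can be run over each fetched page of a crawl to reproduce per-school counts like those above.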
Next, we conducted a manual search for privacy notices in each of the five sections we analyzed during the automated audit (home page, undergraduate admissions, alumni, athletics, and employment/HR). Only 36% of the schools overall (40% doctoral universities and 21% liberal arts colleges) had a privacy notice that could be accessed from the home page either by a link on the page, by using a dropdown menu, or by doing a search.
Doctoral universities were statistically more likely to have a homepage privacy notice than liberal arts colleges. Overall, larger schools, based on number of undergraduate students, were statistically more likely to have a home page privacy notice than smaller schools; however, there were no significant differences for size when doctoral universities and liberal arts colleges were analyzed separately. Further, there were no significant differences for public versus private institutions.
Next, we did a content analysis of the 65 home page privacy notices linked from the home page. We analyzed each notice to determine to what extent the notice reflected four elements of fair information practices (notice, choice, access and security). Our survey form was adapted from the form used in the FTC's 2000 Online Privacy Survey.3
Table 2 contains the results for the content analysis of the 65 home page privacy notices. Less than half of the notices described the scope of the notice or provided contact information. While the results of the automated audit suggest that all schools collect personal information, only 51 schools provided a statement to that effect. For these 51 schools, we next analyzed the notice to see to what extent the notice reflected the basics of fair information practices and these results are also contained in Table 2. While 90% of these notices described how personal information is used, approximately half of the notices fell short on the remaining criteria.
For privacy notices to be useful, the notice must be readable. To assess readability, we collected three forms of data for all 65 notices. We measured overall readability using the Flesch-Kincaid grade level score, the length of the notice in words, and whether or not the notice contained any internal links to facilitate navigation.
We found overall that these notices scored well on readability given the audience for these sites. The average Flesch-Kincaid grade level score was 9.35, or first year of high school. The average length of the notices was 736 words (equivalent to approximately two pages of single-spaced text); 4% of the 65 notices contained at least one internal link to facilitate navigation.
The results suggest that if the U.S.'s leading institutions of higher education were graded on privacy based on the results of this study, they would likely receive a failing grade. Nearly all of the institutions in our study engaged in practices online that pose a potential privacy risk, yet less than one-third had a privacy notice accessible from their home page. Further, none of the notices included all of the core elements of fair information practices. The results also suggest that despite facing similar risks, higher education lags the private sector in addressing privacy issues.1,3
However, the issues raised by this study are likely the tip of the iceberg.1 The failure of the majority of schools in our sample to post any type of notice suggests that colleges and universities do not have comprehensive processes in place for managing privacy. While it can be a relatively simple matter to create a privacy notice, it is critical that the notice is backed up with an ongoing governance process to ensure that a school's practices are consistent with its privacy notice; that is, you "do what you say."
There is also a need for large-scale efforts to promote awareness in higher education of the need to make online privacy a strategic priority. Today, most commercial Web sites post some form of a privacy notice even if there is no legal requirement to do so. This resulted from a variety of activities by the federal government and the private sector.
Beginning in the late 1990s, the FTC conducted several Web surveys of the leading .com Web sites to assess the extent to which these sites posted privacy notices based on fair information practices.3 These surveys provided the catalyst for the private sector to launch a number of self-regulatory programs, motivated by a desire to avoid Federal legislation as well as recognition of the potential for privacy concerns to inhibit the growth of e-commerce. Further, the E-Government Act of 2002 required all federal agencies to develop privacy policies and to post privacy notices on their Web sites. There have not been any similar efforts targeting higher education, but there should be, given the widespread adoption of e-commerce, the high incidence of security breaches in higher education, and the results of this study. Higher education trade and professional associations, the media, state attorneys general, and other legislative and regulatory bodies all have a bully pulpit that could be used to focus attention on the problem.
A new Massachusetts security regulation issued in September 2008 (201 CMR 17.00) may now require many colleges and universities to implement a comprehensive formal security program.10 The rule applies to all organizations that maintain personal information about a Massachusetts resident and defines processes to be included in the security program. While the rule does not require organizations to address other privacy issues nor to develop a privacy notice, complying with the security requirements provides an opportunity to address these related issues, including developing policies related to how the organization uses personal information.
In conclusion, effective privacy notices have been shown to help create trust, particularly for companies that do not have a strong brand.8 Currently, higher education enjoys a high level of public confidence. A 2006 survey conducted for the American Association of University Professors (AAUP) found that higher education enjoyed a level of confidence second only to the military, with nearly 42% of the public reporting they have "a lot of confidence."4 Therefore, privacy concerns are unlikely to reduce the demand to attend America's leading institutions of higher education. However, failing to manage privacy strategically can significantly damage reputation, reducing the willingness of donors to contribute. Privacy concerns can also cause people to refuse to interact with schools online, thereby raising the school's administrative costs.
Personal information is a valuable resource in the information age. Every college and university needs to guard its information assets as carefully as it protects its money. Personal information touches many business processes and is accessible to administrators, faculty and even student employees. As a result, privacy is a strategic issue that deserves the attention of university presidents and trustees in order to protect their institution's reputation with its stakeholders. Absent top management support, it is unlikely that a school will successfully implement an effective, ongoing governance process, particularly if privacy and security are viewed purely as a technology issue.1
a. Watchfire was acquired by IBM in July 2007, and Watchfire's Privacy XM software was incorporated into the IBM Rational Software Delivery Platform. Both of these events took place after this paper was accepted for publication. See www.ibm.com/rational.
The authors acknowledge the helpful comments of Jane Fedorowicz, Charles Iacovou, and Lynne Markus on earlier versions of the article. We also acknowledge Traci Logan's contributions to the study design. Watchfire collected the data for the automated audit portion of the study.
©2009 ACM 0001-0782/09/0300 $5.00