Educause Security Discussion mailing list archives
Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT
From: Kevin Shalla <kshalla () UIC EDU>
Date: Mon, 31 Mar 2008 14:44:21 -0500
Brian,

The document recognizes that certain items may be in the directory, like user ID when other factors are required to access personal information, but it specifically prohibits student ID number: "...may not designate as directory information a student's SSN or other student ID number." And that prohibition demonstrates where I see them confusing identification with authentication. At our university, username isn't satisfactory to uniquely identify students - we need the student ID number, and the proposal prohibits that from being directory information.

Kevin

At 01:44 PM 3/31/2008, Basgen, Brian wrote:
Kevin,

While I agree that the government often confuses identification with authentication, I'm wondering where you see that in this document. For example, I found this section which seems to indicate a reasoned approach and question to the community (p. 24):

"As noted above, single-factor authentication of identity, such as a standard form user name combined with a secret password or PIN, may not provide reasonable protection for access to all types of education records or under all circumstances."

The meat of the issue is on page 3:

"Proposed Regulations: The proposed regulations would provide that an educational agency or institution may not designate as directory information a student's SSN or other student ID number. However, directory information may include a student's user ID or other unique identifier used by the student to access or communicate in electronic systems, but only if the electronic identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the student's identity, such as a personal identification number (PIN), password, or other factor known or possessed only by the student."

It seems to me like they are addressing the issue reasonably well, and taking head-on the problem of Student ID numbers, which has been a subject of some debate over the years.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
Sent: Monday, March 31, 2008 11:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking Addresses Changes in IT

Thanks Rodney,

It seems that the legislators here are confusing identification with authentication.
I hope that universities learned from the social security number problem (a number, stored in thousands if not millions of IT systems around the country, properly used for identification and improperly used (because it's convenient) as authentication) and are not allowing knowledge of a student ID number to gain access to anything. I'm pushing to define student ID as directory information so that it cannot ever be used for authentication, but some on campus are afraid of doing this. What do others think?

Kevin

At 12:58 PM 3/31/2008, Rodney Petersen wrote:

The U.S. Department of Education has issued a Notice of Proposed Rulemaking ( http://edocket.access.gpo.gov/2008/pdf/E8-5790.pdf ) with proposed regulations pertaining to the Family Education Rights and Privacy (FERPA). Among other things, "the proposed regulations respond to changes in information technology and address other issues identified through the Department's experience administering FERPA," according to the Notice. Additionally, the regulations are needed to implement amendments to FERPA contained in the USA Patriot Act and the Campus Sex Crimes Prevention Act, to implement two U.S. Supreme Court decisions interpreting FERPA, and to make other necessary changes.

Among the IT-related changes are:

* Clarification of what can be included as directory information, addressing Social Security Number (SSN), other student ID numbers, and email addresses
* Requiring the use of reasonable methods to identify and authenticate the identity of students, parents, school officials, and any other parties to whom personally identifiable information is disclosed
* Recommendations to assist institutions in safeguarding educational records (Note: this is covered on page 15598 of Federal Register Notice or page 26 of PDF document.)

The deadline for comments is May 8, 2008.
The EDUCAUSE Washington Office ( http://www.educause.edu/policy ) is reviewing the proposed changes and welcomes your comments or questions (send comments to rpetersen () educause edu). We will provide a more detailed analysis of the proposed rules and any further updates at a later date.

-Rodney

--------------------------------------------------
Rodney J. Petersen, J.D.
Government Relations Officer & Security Task Force Coordinator
EDUCAUSE
1150 18th Street, N.W., Suite 1010
Washington, D.C. 20036
(202) 331-5368 / (202) 872-4200
(202) 872-4318 (FAX)
EDUCAUSE/Internet2 Security Task Force
www.educause.edu/security
--------------------------------------------------