Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT

From: "Michael R. Gettes" <gettes () MIT EDU>
Date: Tue, 1 Apr 2008 17:57:21 -0400
Searching on student ID is not the same as returning the student ID
as public information.  I submit you don't want to give out student ID
but you might want to make it searchable.  If you give out student ID
like we have done with SSN then you will simply make the student ID
the new SSN for your community.  That is not a good thing to do and
is exactly what the proposed FERPA regs are trying to limit - smartly
so.  Just as using the last 4 digits of SSN has reduced the value
space of SSN, nationally, to only 4 digits for purposes of identity
verification.  While I agree in principle with the language you
have proposed - I have to say I am in agreement with what the proposed
FERPA changes are trying to achieve in practice.  There are better
ways of handling these types of problems and the time has come for
us all to do something better than what we have always done.  Now it
might be reasonable to pose questions back regarding searchability
versus making known and what restrictions one would have to place
on detecting trolling and such related attacks since I don't see
where the proposed changes give guidance on how to handle these
distinctions.

/mrg

On Apr 1, 2008, at 17:44, Kevin Shalla wrote:

I want to give everyone access to look up everyone's student ID, and
the only way to do that is to define student ID as directory
information.  I guess other schools don't want to do that, because
some professors want to distribute grades assuming that student IDs
are secret (although in reality, a large portion of the staff
already have access to student ID (most administrative offices),
because they need that access to do their jobs).

At 12:36 PM 4/1/2008, Michael R. Gettes wrote:

Kevin,

I have checked back on your posts of this topic and I think
I understand where the confusion exists.  Firstly, I think
the proposed regs have it right this time.  Where the confusion
exists, I believe, is your interpretation of Directory Information.
As 99.3 describes Directory Information it essentially catalogs
examples of Directory Information and does NOT define a directory
as any form of repository.  You keep referring to "student ID
number must not be in the directory".  You can store an SSN,
biometric or any other form of personally identifiable data
in a directory - where directory is some repository with defined
protocols for accessing it.  What you can't do is release
that information without following the rules of FERPA.  So, you
are free to store the student ID number in a directory or any
other database - just follow the rules on releasing that info
and you will be fine.  Am I correct in identifying the point
of confusion?

/mrg

On Apr 1, 2008, at 12:57, Kevin Shalla wrote:

Steve,

Because we're considering law, not just a guideline, the wording
that is proposed must be highly scrutinized.  At our institution the
student's user ID is NOT the student ID number, and the student ID
number is NOT used to access or communicate in electronic systems.
Because of this, I believe that the proposed regulations clearly
states that student ID number must not be in the directory - and
this is the problem.

This is what is proposed:
The proposed regulations would provide that an educational agency or
institution may not designate as directory information a student's
SSN or student ID number. However, directory information may include
a student's user ID or other unique identifier used by the student
to access or communicate in electronic systems, but only if the
electronic identifier cannot be used to gain access to education
records except when used in conjunction with one or more factors
that authenticate the student's identity, such as a personal
identification number (PIN), password, or other factor known or
possessed only by the student.

This is what I would propose:
The proposed regulations would provide that an educational agency or
institution may not designate as directory information a student's
SSN. Also prohibited from being designated as directory information
is any identifier that  would allow access to education records
without requiring one or more factors that authenticate the
student's identity, such as a personal identification number (PIN),
password, or other factor known or possessed only by the student.

Kevin

At 04:14 PM 3/31/2008, Basgen, Brian wrote:

Steve,

You raise an interesting point. Yet, student IDs as directory
information can be problematic, since faculty sometimes publicly
post
grades with student IDs attached. In this case the faculty member
is
confusing identification with authentication, but you know, good
luck
explaining that to faculty. :)

In this sense, prohibiting student IDs in association with grades
helps. Naturally, the flip side is possible, that the student ID
could
become another form of authentication. Yet, I think the rule gets
beyond
this limitation.

Reading the section right after your quote: "However, directory
information may include a student's user ID ... if [it] cannot be
used
to gain access to education records except when used ... [with] a
personal identification number (PIN), password, or other factor
known or
possessed only by the student."

This seems to resolve the issue?

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College




> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
> Sent: Monday, March 31, 2008 12:44 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking
> Addresses Changes in IT
>
> Brian,
>
> The document recognizes that certain items may be in the
> directory, like user ID when other factors are required to
> access personal information, but it specifically prohibits
> student ID number:
> "...may not designate as directory information a student's
> SSN or other student ID number."
>
> And that prohibition demonstrates where I see them confusing
> identification with authentication.
>
> At our university, username isn't satisfactory to uniquely
> identify students - we need the student ID number, and the
> proposal prohibits that from being directory information.
>
> Kevin
>
> At 01:44 PM 3/31/2008, Basgen, Brian wrote:
> >Kevin,
> >
> >  While I agree that the government often confuses
> identification with
> >authentication, I'm wondering where you see that in this
> document. For
> >example, I found this section which seems to indicate a reasoned
> >approach and question to the community (p. 24):
> >
> >"As noted above, single-factor
> >authentication of identity, such as a
> >standard form user name combined with
> >a secret password or PIN, may not
> >provide reasonable protection for access to all types of
education
> >records or under all circumstances."
> >
> >  The meat of the issue is on page 3:
> >
> >"Proposed Regulations: The proposed
> >regulations would provide that an
> >educational agency or institution may
> >not designate as directory information a student's SSN or
> other student
> >ID number. However, directory information may include a
> student's user
> >ID or other unique identifier used by the student to access or
> >communicate in electronic systems, but only if the electronic
> >identifier cannot be used to gain access to education records
except
> >when used in conjunction with one or more factors that
> authenticate the
> >student's identity, such as a personal identification number
(PIN),
> >password, or other factor known or possessed only by the
student."
> >
> >
> >  It seems to me like they are addressing the issue reasonably
well,
> >and taking head-on the problem of Student ID numbers, which
> has been a
> >subject of some debate over the years.
> >
> >
> >~~~~~~~~~~~~~~~~~~
> >Brian Basgen
> >Information Security
> >Pima Community College
> >
> >
> >
> >
> >
> >
> >
> >________________________________
> >
> >         From: The EDUCAUSE Security Constituent Group Listserv
> >[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin
Shalla
> >         Sent: Monday, March 31, 2008 11:37 AM
> >         To: SECURITY () LISTSERV EDUCAUSE EDU
> >         Subject: Re: [SECURITY] FERPA Notice of Proposed
Rulemaking
> >Addresses Changes in IT
> >
> >
> >         Thanks Rodney,
> >
> >         It seems that the legislators here are confusing
> >identification with authentication.  I hope that
> universities learned
> >from the social security number problem (a number, stored in
> thousands
> >if not millions of IT systems around the country, properly used
for
> >identification and improperly used (because it's convenient) as
> >authentication) and are not allowing knowledge of a student
> ID number to gain access to anything.
> >I'm pushing to define student ID as directory information so
that it
> >cannot ever be used for authentication, but some on campus
> are afraid
> >of doing this.
> >
> >         What do others think?
> >
> >         Kevin
> >
> >         At 12:58 PM 3/31/2008, Rodney Petersen wrote:
> >
> >
> >
> >                 The U.S. Department of Education has issued
> a Notice
> >of Proposed Rulemaking (
> >http://edocket.access.gpo.gov/2008/pdf/E8-5790.pdf
> ><http://edocket.access.gpo.gov/2008/pdf/E8-5790.pdf> ) with
proposed
> >regulations pertaining to the Family Education Rights and
Privacy
> >(FERPA).   Among other things, "the proposed regulations respond
to
> >changes in information technology and address other issues
> identified
> >through the Department's experience administering FERPA,"
> according to
> >the Notice. Additionally, the regulations are needed to
implement
> >amendments to FERPA contained in the USA Patriot Act and the
> Campus Sex
> >Crimes Prevention Act, to implement two U.S. Supreme Court
decisions
> >interpreting FERPA, and to make other necessary changes.
> >
> >                 Among the IT-related changes are:
> >
> >                 *       Clarification of what can be included
as
> >directory information, addressing Social Security Number
> (SSN), other
> >student ID numbers, and email addresses
> >                 *       Requiring the use of reasonable methods
to
> >identify and authenticate the identity of students, parents,
school
> >officials, and any other parties to whom personally identifiable
> >information is disclosed
> >                 *       Recommendations to assist
institutions in
> >safeguarding educational records (Note:  this is covered on
> page 15598
> >of Federal Register Notice or page 26 of PDF document.)
> >
> >
> >                 The deadline for comments is May 8, 2008.
> >
> >                 The EDUCAUSE Washington Office (
> >http://www.educause.edu/policy <http://www.educause.edu/
policy> ) is
> >reviewing the proposed changes and welcome your comments or
> questions
> >(send comments to rpetersen () educause edu). We will provide a
more
> >detailed analysis of the proposed rules and any further updates
at a
> >later date.
> >
> >                 -Rodney
> >
> >
--------------------------------------------------
> >                 Rodney J. Petersen, J.D.
> >                 Government Relations Officer & Security Task
Force
> >Coordinator
> >
> >                 EDUCAUSE
> >                 1150 18th Street, N.W., Suite 1010
> >                 Washington, D.C. 20036
> >                 (202) 331-5368 / (202) 872-4200
> >                 (202) 872-4318 (FAX)
> >                 EDUCAUSE/Internet2 Security Task Force
> >                 www.educause.edu/security
> >
--------------------------------------------------
>
Previous By Date Next
Previous By Thread Next

Current thread: