Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT

[Drexel Atkinson <datkins () UNM EDU>]

I've been following some of this and would like clarification on what is
meant by the term "directory".   Does this proposed change say we could
not store a student id number (ie. banner id number) in an ldap
directory or does the directory mean a public white/yellow pages?   We
use banner id's for student id numbers.   Would the student id number be
stored only in a database?  Can the number be printed on a student id
card?    If a student accesses a demographic self service page
containing the student id number, is  that a database access and
therefore not a directory?
-d

Basgen, Brian wrote:
> Kevin,
>
>  You have picked up an interesting point that is easy to miss due to the
> similarity "Student user ID" and "Student ID".
>
>  It is an interesting situation, but their logic is discernable. User
> IDs are, by definition, identifiers and not authenticators: thus they
> can be directory information. SSNs, unfortunately, are used as
> authenticators, so naturally they have to be excluded. The trouble is,
> as you point out, with Student IDs. Now, they explain in their reasoning
> why they have made this move: faculty posting grades.
>
>  In particular, they cite 5% of teachers engaging in this practice (a
> pure guess being called an "estimate", it seems), and this gives them a
> misleading so-called "exact" $8 million dollar amount in terms of extra
> labor to stop doing this. This is all based on the assumption that the
> SID is a knowable identifier that would thus reveal the grade. Instead
> of a prohibition on grade posting, they seem to accept it as a necessary
> practice, and as such, force a particular method to carry it out.
>
>  Perhaps an alternative would be language such that for institutions
> that have faculty who post grades, they are prohibited from SIDs as
> directory?
>
> ~~~~~~~~~~~~~~~~~~
> Brian Basgen
> Information Security
> Pima Community College
>
>
>
>
>
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
> > Sent: Tuesday, April 01, 2008 9:57 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking
> > Addresses Changes in IT
> >
> > Steve,
> >
> > Because we're considering law, not just a guideline, the
> > wording that is proposed must be highly scrutinized.  At our
> > institution the student's user ID is NOT the student ID
> > number, and the student ID number is NOT used to access or
> > communicate in electronic systems.  Because of this, I
> > believe that the proposed regulations clearly states that
> > student ID number must not be in the directory - and this is
> > the problem.
> >
> > This is what is proposed:
> > The proposed regulations would provide that an educational
> > agency or institution may not designate as directory
> > information a student's SSN or student ID number. However,
> > directory information may include a student's user ID or
> > other unique identifier used by the student to access or
> > communicate in electronic systems, but only if the electronic
> > identifier cannot be used to gain access to education records
> > except when used in conjunction with one or more factors that
> > authenticate the student's identity, such as a personal
> > identification number (PIN), password, or other factor known
> > or possessed only by the student.
> >
> > This is what I would propose:
> > The proposed regulations would provide that an educational
> > agency or institution may not designate as directory
> > information a student's SSN. Also prohibited from being
> > designated as directory information is any identifier that
> > would allow access to education records without requiring one
> > or more factors that authenticate the student's identity,
> > such as a personal identification number (PIN), password, or
> > other factor known or possessed only by the student.
> >
> > Kevin
> >
> > At 04:14 PM 3/31/2008, Basgen, Brian wrote:
> >
> > > Steve,
> > >
> > >  You raise an interesting point. Yet, student IDs as directory
> > > information can be problematic, since faculty sometimes publicly post
> > > grades with student IDs attached. In this case the faculty member is
> > > confusing identification with authentication, but you know, good luck
> > > explaining that to faculty. :)
> > >
> > >  In this sense, prohibiting student IDs in association with grades
> > > helps. Naturally, the flip side is possible, that the
> > student ID could
> >
> > > become another form of authentication. Yet, I think the rule
> > gets beyond
> >
> > > this limitation.
> > >
> > >  Reading the section right after your quote: "However, directory
> > > information may include a student's user ID ... if [it]
> > cannot be used
> >
> > > to gain access to education records except when used ... [with] a
> > > personal identification number (PIN), password, or other
> > factor known or
> >
> > > possessed only by the student."
> > >
> > >  This seems to resolve the issue?
> > >
> > > ~~~~~~~~~~~~~~~~~~
> > > Brian Basgen
> > > Information Security
> > > Pima Community College
> > >
> > >
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: The EDUCAUSE Security Constituent Group Listserv
> > > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
> > > > Sent: Monday, March 31, 2008 12:44 PM
> > > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > > Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking
> > > > Addresses Changes in IT
> > > >
> > > > Brian,
> > > >
> > > > The document recognizes that certain items may be in the
> > > > directory, like user ID when other factors are required to
> > > > access personal information, but it specifically prohibits
> > > > student ID number:
> > > > "...may not designate as directory information a student's
> > > > SSN or other student ID number."
> > > >
> > > > And that prohibition demonstrates where I see them confusing
> > > > identification with authentication.
> > > >
> > > > At our university, username isn't satisfactory to uniquely
> > > > identify students - we need the student ID number, and the
> > > > proposal prohibits that from being directory information.
> > > >
> > > > Kevin
> > > >
> > > > At 01:44 PM 3/31/2008, Basgen, Brian wrote:
> > > >
> > > > > Kevin,
> > > > >
> > > > >  While I agree that the government often confuses
> > > > identification with
> > > >
> > > > > authentication, I'm wondering where you see that in this
> > > > document. For
> > > >
> > > > > example, I found this section which seems to indicate a reasoned
> > > > > approach and question to the community (p. 24):
> > > > >
> > > > > "As noted above, single-factor
> > > > > authentication of identity, such as a
> > > > > standard form user name combined with
> > > > > a secret password or PIN, may not
> > > > > provide reasonable protection for access to all types of
> > education
> >
> > > > > records or under all circumstances."
> > > > >
> > > > >  The meat of the issue is on page 3:
> > > > >
> > > > > "Proposed Regulations: The proposed
> > > > > regulations would provide that an
> > > > > educational agency or institution may
> > > > > not designate as directory information a student's SSN or
> > > > other student
> > > >
> > > > > ID number. However, directory information may include a
> > > > student's user
> > > >
> > > > > ID or other unique identifier used by the student to access or
> > > > > communicate in electronic systems, but only if the electronic
> > > > > identifier cannot be used to gain access to education
> > records except
> >
> > > > > when used in conjunction with one or more factors that
> > > > authenticate the
> > > >
> > > > > student's identity, such as a personal identification
> > number (PIN),
> >
> > > > > password, or other factor known or possessed only by the
> > student."
> >
> > > > >  It seems to me like they are addressing the issue
> > reasonably well,
> >
> > > > > and taking head-on the problem of Student ID numbers, which
> > > > has been a
> > > >
> > > > > subject of some debate over the years.
> > > > >
> > > > >
> > > > > ~~~~~~~~~~~~~~~~~~
> > > > > Brian Basgen
> > > > > Information Security
> > > > > Pima Community College
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > ________________________________
> > > > >
> > > > >         From: The EDUCAUSE Security Constituent Group Listserv
> > > > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
> > > > >         Sent: Monday, March 31, 2008 11:37 AM
> > > > >         To: SECURITY () LISTSERV EDUCAUSE EDU
> > > > >         Subject: Re: [SECURITY] FERPA Notice of
> > Proposed Rulemaking
> >
> > > > > Addresses Changes in IT
> > > > >
> > > > >
> > > > >         Thanks Rodney,
> > > > >
> > > > >         It seems that the legislators here are confusing
> > > > > identification with authentication.  I hope that
> > > > universities learned
> > > > >from the social security number problem (a number, stored in
> > > > thousands
> > > >
> > > > > if not millions of IT systems around the country,
> > properly used for
> >
> > > > > identification and improperly used (because it's convenient) as
> > > > > authentication) and are not allowing knowledge of a student
> > > > ID number to gain access to anything.
> > > >
> > > > > I'm pushing to define student ID as directory
> > information so that it
> >
> > > > > cannot ever be used for authentication, but some on campus
> > > > are afraid
> > > >
> > > > > of doing this.
> > > > >
> > > > >         What do others think?
> > > > >
> > > > >         Kevin
> > > > >
> > > > >         At 12:58 PM 3/31/2008, Rodney Petersen wrote:
> > > > >
> > > > >
> > > > >
> > > > >                 The U.S. Department of Education has issued
> > > > a Notice
> > > >
> > > > > of Proposed Rulemaking (
> > > > > http://edocket.access.gpo.gov/2008/pdf/E8-5790.pdf
> > > > > <http://edocket.access.gpo.gov/2008/pdf/E8-5790.pdf> )
> > with proposed
> >
> > > > > regulations pertaining to the Family Education Rights and Privacy
> > > > > (FERPA).   Among other things, "the proposed regulations
> > respond to
> >
> > > > > changes in information technology and address other issues
> > > > identified
> > > >
> > > > > through the Department's experience administering FERPA,"
> > > > according to
> > > >
> > > > > the Notice. Additionally, the regulations are needed to implement
> > > > > amendments to FERPA contained in the USA Patriot Act and the
> > > > Campus Sex
> > > >
> > > > > Crimes Prevention Act, to implement two U.S. Supreme
> > Court decisions
> >
> > > > > interpreting FERPA, and to make other necessary changes.
> > > > >
> > > > >                 Among the IT-related changes are:
> > > > >
> > > > >                 *       Clarification of what can be included as
> > > > > directory information, addressing Social Security Number
> > > > (SSN), other
> > > >
> > > > > student ID numbers, and email addresses
> > > > >                 *       Requiring the use of reasonable
> > methods to
> >
> > > > > identify and authenticate the identity of students,
> > parents, school
> >
> > > > > officials, and any other parties to whom personally identifiable
> > > > > information is disclosed
> > > > >                 *       Recommendations to assist
> > institutions in
> >
> > > > > safeguarding educational records (Note:  this is covered on
> > > > page 15598
> > > >
> > > > > of Federal Register Notice or page 26 of PDF document.)
> > > > >
> > > > >
> > > > >                 The deadline for comments is May 8, 2008.
> > > > >
> > > > >                 The EDUCAUSE Washington Office (
> > > > > http://www.educause.edu/policy
> > <http://www.educause.edu/policy> ) is
> >
> > > > > reviewing the proposed changes and welcome your comments or
> > > > questions
> > > >
> > > > > (send comments to rpetersen () educause edu). We will provide a more
> > > > > detailed analysis of the proposed rules and any further
> > updates at a
> >
> > > > > later date.
> > > > >
> > > > >                 -Rodney
> > --------------------------------------------------
> >
> > > > >                 Rodney J. Petersen, J.D.
> > > > >                 Government Relations Officer & Security
> > Task Force
> >
> > > > > Coordinator
> > > > >
> > > > >                 EDUCAUSE
> > > > >                 1150 18th Street, N.W., Suite 1010
> > > > >                 Washington, D.C. 20036
> > > > >                 (202) 331-5368 / (202) 872-4200
> > > > >                 (202) 872-4318 (FAX)
> > > > >                 EDUCAUSE/Internet2 Security Task Force
> > > > >                 www.educause.edu/security
> > --------------------------------------------------


--

---------------
Drexel Atkinson (505) 277-8044
datkins () unm edu
Systems Specialist
UNM-ITS
-------------------------------