Educause Security Discussion mailing list archives
Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Tue, 1 Apr 2008 10:28:01 -0700
Kevin,

You have picked up an interesting point that is easy to miss due to the similarity between "Student user ID" and "Student ID". It is an interesting situation, but their logic is discernable. User IDs are, by definition, identifiers and not authenticators: thus they can be directory information. SSNs, unfortunately, are used as authenticators, so naturally they have to be excluded.

The trouble is, as you point out, with Student IDs. Now, they explain in their reasoning why they have made this move: faculty posting grades. In particular, they cite 5% of teachers engaging in this practice (a pure guess being called an "estimate", it seems), and this gives them a misleading so-called "exact" $8 million dollar amount in terms of extra labor to stop doing this. This is all based on the assumption that the SID is a knowable identifier that would thus reveal the grade.

Instead of a prohibition on grade posting, they seem to accept it as a necessary practice, and as such, force a particular method to carry it out. Perhaps an alternative would be language such that for institutions that have faculty who post grades, they are prohibited from SIDs as directory?

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
Sent: Tuesday, April 01, 2008 9:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking Addresses Changes in IT

Steve,

Because we're considering law, not just a guideline, the wording that is proposed must be highly scrutinized. At our institution the student's user ID is NOT the student ID number, and the student ID number is NOT used to access or communicate in electronic systems. Because of this, I believe that the proposed regulations clearly state that student ID number must not be in the directory - and this is the problem.

This is what is proposed:

The proposed regulations would provide that an educational agency or institution may not designate as directory information a student's SSN or student ID number. However, directory information may include a student's user ID or other unique identifier used by the student to access or communicate in electronic systems, but only if the electronic identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the student's identity, such as a personal identification number (PIN), password, or other factor known or possessed only by the student.

This is what I would propose:

The proposed regulations would provide that an educational agency or institution may not designate as directory information a student's SSN. Also prohibited from being designated as directory information is any identifier that would allow access to education records without requiring one or more factors that authenticate the student's identity, such as a personal identification number (PIN), password, or other factor known or possessed only by the student.

Kevin

At 04:14 PM 3/31/2008, Basgen, Brian wrote:

Steve,

You raise an interesting point.
Yet, student IDs as directory information can be problematic, since faculty sometimes publicly post grades with student IDs attached. In this case the faculty member is confusing identification with authentication, but you know, good luck explaining that to faculty. :) In this sense, prohibiting student IDs in association with grades helps.

Naturally, the flip side is possible, that the student ID could become another form of authentication. Yet, I think the rule gets beyond this limitation. Reading the section right after your quote:

"However, directory information may include a student's user ID ... if [it] cannot be used to gain access to education records except when used ... [with] a personal identification number (PIN), password, or other factor known or possessed only by the student."

This seems to resolve the issue?

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
Sent: Monday, March 31, 2008 12:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking Addresses Changes in IT

Brian,

The document recognizes that certain items may be in the directory, like user ID when other factors are required to access personal information, but it specifically prohibits student ID number:

"...may not designate as directory information a student's SSN or other student ID number."

And that prohibition demonstrates where I see them confusing identification with authentication. At our university, username isn't satisfactory to uniquely identify students - we need the student ID number, and the proposal prohibits that from being directory information.

Kevin

At 01:44 PM 3/31/2008, Basgen, Brian wrote:

Kevin,

While I agree that the government often confuses identification with authentication, I'm wondering where you see that in this document.
For example, I found this section which seems to indicate a reasoned approach and question to the community (p. 24):

"As noted above, single-factor authentication of identity, such as a standard form user name combined with a secret password or PIN, may not provide reasonable protection for access to all types of education records or under all circumstances."

The meat of the issue is on page 3:

"Proposed Regulations: The proposed regulations would provide that an educational agency or institution may not designate as directory information a student's SSN or other student ID number. However, directory information may include a student's user ID or other unique identifier used by the student to access or communicate in electronic systems, but only if the electronic identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the student's identity, such as a personal identification number (PIN), password, or other factor known or possessed only by the student."

It seems to me like they are addressing the issue reasonably well, and taking head-on the problem of Student ID numbers, which has been a subject of some debate over the years.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
Sent: Monday, March 31, 2008 11:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking Addresses Changes in IT

Thanks Rodney,

It seems that the legislators here are confusing identification with authentication.
I hope that universities learned from the social security number problem (a number, stored in thousands if not millions of IT systems around the country, properly used for identification and improperly used (because it's convenient) as authentication) and are not allowing knowledge of a student ID number to gain access to anything.

I'm pushing to define student ID as directory information so that it cannot ever be used for authentication, but some on campus are afraid of doing this. What do others think?

Kevin

At 12:58 PM 3/31/2008, Rodney Petersen wrote:

The U.S. Department of Education has issued a Notice of Proposed Rulemaking ( http://edocket.access.gpo.gov/2008/pdf/E8-5790.pdf ) with proposed regulations pertaining to the Family Education Rights and Privacy (FERPA). Among other things, "the proposed regulations respond to changes in information technology and address other issues identified through the Department's experience administering FERPA," according to the Notice. Additionally, the regulations are needed to implement amendments to FERPA contained in the USA Patriot Act and the Campus Sex Crimes Prevention Act, to implement two U.S. Supreme Court decisions interpreting FERPA, and to make other necessary changes.

Among the IT-related changes are:

* Clarification of what can be included as directory information, addressing Social Security Number (SSN), other student ID numbers, and email addresses
* Requiring the use of reasonable methods to identify and authenticate the identity of students, parents, school officials, and any other parties to whom personally identifiable information is disclosed
* Recommendations to assist institutions in safeguarding educational records (Note: this is covered on page 15598 of Federal Register Notice or page 26 of PDF document.)

The deadline for comments is May 8, 2008.
The EDUCAUSE Washington Office ( http://www.educause.edu/policy ) is reviewing the proposed changes and welcomes your comments or questions (send comments to rpetersen () educause edu). We will provide a more detailed analysis of the proposed rules and any further updates at a later date.

-Rodney

--------------------------------------------------
Rodney J. Petersen, J.D.
Government Relations Officer & Security Task Force Coordinator
EDUCAUSE
1150 18th Street, N.W., Suite 1010
Washington, D.C. 20036
(202) 331-5368 / (202) 872-4200
(202) 872-4318 (FAX)
EDUCAUSE/Internet2 Security Task Force
www.educause.edu/security
--------------------------------------------------