ID Cards & Campus Privacy [close to home]

[David Farber <farber () central cis upenn edu>]

Date:    Mon, 15 Nov 93 15:56:17 PST
From:    "Willis H. Ware" <willis () jake rand org>
Subject:  ID Cards & Campus Privacy


Dave Millar of the Univ of Pennsylvania wants to know:


> Can you help me find any information on the issues associated with
> information kept on security card scanner systems?  We have a large
> network of card readers scattered across campus tracking the comings
> and goings of several tens of thousands of people at several hundred
> points on campus - administrative buildings, dining halls, dorms,
> libraries, etc.  What, if anything, stops someone from collecting
> this data and using it in ways not known or intended by the people
> being monitored?


In a word, very little.  Stop looking; you will find nothing.


The University of Pennsylvania is a private institution and hence can
behave largely as any entity in the private sector does with personal
information, do as it pleases.  In the private sector there are very
few legal restrictions on what may done with personal information;
credit information on an individual is one of exceptions.  The only
thing going in favor of the individual is the morality and ethical
behavior of the institution and concerned well informed leadership and
administrators.


As a matter of proper behavior and sensible administration, the
University should have in place a policy stipulating how such
information will be protected and access to it controlled, how such
information will be stored, how long it will be retained, who may be
allowed access to it, with whom it will be shared, will law
enforcement have access to it, is it subject to subpoena, are audit
trails accumulated of any one individual, etc.  Additionally, the
campus population should also know what things are possible with the
system; e.g., what is the information used for, how might it be used if
some administrator has a bright idea for a new use, who makes policy on
the use, does or should the campus population have a voice in such
decisions.


In short there should be a privacy policy governing the operation of
such a system and the policy should be made known to all campus users.


If it does not, there is no law that will require it do so.  All you
can do is to demonstrate, cajole, pressure, embarrass, threaten,
publicize, persuade, etc. in an effort to get a proper response.  In
the end everyone on the Penn campus will depend on the ethics of the
University administration.


I suggest that you contact my colleague and friend, Professor David
Farber of the Computer Science Department.  He is alert to computer
security and privacy problems.  He may be well informed on this system
and can give you more detailed answers, or help you in rectifying any
shortfalls.


                                Willis H. Ware
                                Santa Monica, CA


                        [ Depressing, isn't it?  -- MODERATOR ]