Information Privacy Challenges Faced by Education
D. Shettler - Etiolated.org
2007-06-02
.EDU has a significant hurdle to address and subsequently overcome, and has, for the most part, already begun addressing the issue … slowly. Most educational institutions’ policy changes are dictated by various committees whose membership spans all levels of the stakeholder populace. A given policy committee is likely to have administrators, faculty, and students, but could well also include alumni, community representatives, and others. Public institutions can have even larger memberships. Making headway can, as a result, be a slow albeit methodical process.
Common arguments against any infosec-related change, including changes relating to sensitive data practices and procedures, are:
- The change will interfere with academic freedoms of faculty.
- We’re not a Fortune 500 financial company.
- It’s too expensive.
The reality is, protecting sensitive data should not obstruct faculty freedoms in any way, as most sensitive data storage falls within the administrative umbrella. Faculty should have no need in most cases for social security numbers, credit card data, or any other significant combination of data whose compromise would commonly be considered a ‘data loss’.
Most of those who handle such information are administrators, and in many cases that data is required in order for certain processes to be accomplished. Admissions departments and financial aid departments (which can sometimes be the same department) tend to require social security numbers for obvious reasons. Generally speaking, these subgroups tend to be well aware of the threat to that data, and protect it passionately. The major threat today is the other administrative departments that do not necessarily understand the significance of collecting social security numbers.
Take your local .EDU’s athletics department, for example. Most are utilizing software in their recruitment efforts, and those applications tend to have a field for “Social Security Number”. If the field exists, it is often filled out by the unknowing recruiter, and most teenaged, college-bound prospects are likely willing to ‘tell all’ to a recruiter. The big danger with .EDU athletics recruiters and like groups is that they tend to travel: they export the database onto a laptop, travel with it while adding new data, and re-upload it later.
The case of a traveling machine with sensitive records on it is particularly scary. Etiolated has, at this time, over 145 incidents of data loss involving a stolen laptop since 2000, 30 so far in 2007 alone – a whopping 33 percent of those in .EDU. Your .EDU may well have the world’s greatest network security implementation, stacked top to bottom with solutions from NAC with policies for checking AV and patch level, to network intrusion prevention devices and more firewalls than the Federal Reserve, yet once that machine leaves the confines of your network, it can be and often is subjected to any number of threats.
The prevalence of remote control robot worms (botnet worms) is a major threat to privacy data. Most worms presently are not scanning for such sensitive data, though doing so is well within the realm of possibility. The problem is compounded by the fact that most .EDUs are not heavy-handed when it comes to patching; typically it is the user’s responsibility, and let’s face it – athletics departments, generally speaking, are not the most computer-savvy users on a given campus. This isn’t a criticism either; their skills lie elsewhere. Yet they often carry with them the most sensitive of data.
Public safety departments are another example of a subgroup that utilizes sensitive data. A major problem is that while these groups tend to be cautious with their data, they often utilize small-scale applications to manage it, and these applications are often not designed with data security in mind. It is not uncommon for a client/server public safety application to communicate unencrypted, passing sensitive data back and forth.
Then of course there are paper issues. Many forms of yesteryear are still in use today, and often contain a line item for Social Security number (check your public safety parking permit forms, for example). While most will say the forms are shredded post data-entry, does every dispatcher know the implications of not shredding the documents? How often do corners get cut?
These situations are not unique to .EDU, though some are uncommon outside of it. What is unique is that there is often no oversight of who is doing what with confidential, highly sensitive data. While some larger schools have privacy officers charged with this, most schools do not feel such a position is justified, and as a result are completely unaware of what subgroups utilize sensitive data, how they utilize it, whether or not they need to be utilizing it, and what security is in place to mitigate an accident.
The culture of education often runs perpendicular to the needs of information security. It is countercultural to notify the infosec department when you are downloading sensitive data to a PC or laptop – “what business is it of theirs how I do my job/educate/etc?” Unfortunately, it is the organization’s business, culture or not, to ensure its public affairs office is not overrun with press phone calls over the hundred thousand lost social security numbers that resulted from asking the previous question. One hundred thousand letters is the US Post Office’s dream, but not necessarily good for Joe/Jane University.
Our statistics show that publicized .EDU data loss incidents have risen dramatically over the last several years, in part due to new legislation requiring notification, in part because of the increase in value of an identity to criminals, but also in part as a result of increased diligence by organizations in identifying potential ID theft situations. The latter is a good thing, but we’d still prefer to see the trend sloping downward as a result of increased prevention of these types of incidents.
Perhaps 2008 will show us some improvement in that direction.
UPDATE (2007-06-02):
Thanks to a reader, I've been introduced to an enlightening survey written and conducted by Aaron Titus (2007), which highlights in detail the use of Social Security Numbers on transcripts in higher ed. The results of the survey are overwhelming, showing that roughly 56 percent of schools surveyed still print at least partial Social Security Numbers on transcripts. The results are, however, an improvement over those of a similar survey conducted in 2003 by another organization. See the references for details.
References
Titus, A. (2007). The Secure Transcript: Survey of National Universities' Use of the SSN on Academic Transcripts. Retrieved online 6/02/2007 from http://www.pogowasright.org/files/SSNs_Transcripts.pdf