Challenges to Opt-Out Privacy Policies at Colleges?

jmaxlow asks: "It's that time of year again when my university sends out mailers informing students that their personal information will be compiled and released in a student directory unless students register objections in writing by the deadline. This info includes name, address, date of birth, and email address, among other items, and there is nothing to prevent them from selling the information to third parties without vested interests. The Buckley Amendment allows them to do this, so of course it isn't illegal. But my question is: has anyone ever petitioned their university to change to an opt-in policy? I'd like to know what responses schools have given, if any, when challenged, before I bring it up with my own registrar."

Don't get it.

[Captain_Stupendous]

Opt in? You mean, "Please, PLEASE sell my personal information to the highest bidder! Please make a profit at my expense, without any possible benefit to me!"

Generally, "Opt-in" services are where you pay someone to provide you a service. "Opt-out" is where you bitch at them to stop charging you, or raping and pillaging you, or whatever. I can't see any possible benefit to an "Opt-in" service of this type, unless you are a masochist.

Re:Don't get it.

[greenhide]

Hmmm...

I think what the original poster meant was that the current default *is* an opt-out version. In other words, you must make the effort to be left alone.

Some students are willing to give out their information in order to receive freebie samples from various corporations in their mailbox, or to get cute little letters about their favorite pop-stars, or free "magazines" targetting at college students. That is "opt-in". There do actually happen to be companies who I *want* to receive information from, because I find it useful to me. That is "opt-in" as well.

The question is whether the school could have a default of "we won't give away your information" and then have a form where a student can sign a statement that says, "I don't mind if you give my name to advertising corporations."

Re:Don't get it.

[Misch]

They still can't sell your information to the highest bidder. There's only certain information that they're allowed to actually publish, and that is essentially directory information. RIT finally got smart this year and started giving students the option of having their e-mail address publicly visible in the school's LDAP server. (Faculty and staff have the ability to login and see the e-mail addresses, because there is a legitimate need for them to do so, but the faculty and staff don't get to opt out of having their address listed in the LDAP server.)

Then again, students also get the ability to go in and edit most of their LDAP entry.

Re:Don't get it.

[oyenstikker]

Now if they'd just get smart and use SSL for IMAP and POP.

Levels of Information

[greenhide]

Obviously, there has to be a distinction made between the *kinds* of use of your information.

For instance, I would *want* all of my personal information to be in the student directory, so friends of mine at the school would be able to contact me easily. On the other hand, I would *not* want any of that information to fall into the hands of companies trying to target the student market.

I do recall that starting sophomore year or thereabouts, my school stopped listing the extension numbers of students living on campus. This mean that if you wanted to find out the phone number of a fellow student living on campus, you had to trudge over to the main office, show your student id, and then ask (no, they would not give the information over the phone!). This was very annoying, though it was clearly thought necessary to protect the privacy of the students, especially women.

Nevertheless, we still had a few obscene crank callers that got a hold of some of the numbers anyhow...

Re:Levels of Information

[DutchSter]

My school (Miami University) has an online phonebook accessable from anywhere in the world http://www.muohio.edu/ph You can opt out of being listed completely, or you can let your information be posted (the default). Depending on where you are running the query from (ie, within Miami or outside), certain bits of information may or may not be available. I can edit my record to include my telephone number if I want it visible to the outside world. Unless I specifically include that, only people within Miami can see my school phone. The official address you keep on file is always private, and can only be viewed from within the University.

This completely ignores that we get a fair number of solicitations from outside organizations who are more than happy to inform you that your name was obtained from 'Officially Authorized University Lists', AKA: what they sold.

On the one hand, Joe Shmoe outside the school has to work to find my address and telephone number, but if you have money, hey, here's our whole database! People who officially opt-out aren't available at all in the PH (as it's called), but I know of several people who did this but still get solications by name in their dorms. *Shrug*

What we have at my Uni...

[Papineau]

Here (Canada, so obviously different laws apply), my Uni does collect that info, if only to send us the necessary things to attend classes (registration, etc.). I don't recall anything about selling those informations to other entities though.

The students of my faculty do have a student directory. The old way of getting the info was by passing sheets in each class, where people could modify their current information at the beginning of the semester. So if you didn't want to be listed, you just didn't filled it (opt-in). Now, that has changed a bit: the info for the directory is channeled from the Uni's info to the paper directory. But again, sheets are passed at the beginning of each semester to get the approbation of students to be listed in the directory.

To get back closer to the subject, I recall that some insurance company was sponsoring an event for coop students, so they had to send a letter to each of them. The way it was handled was that the insurance company gave us what they wanted us (the student's association) to send, and we handled the "put it in an envelope, put the address sticker and repeat" part. They never had access to the list of students, or to their info.

Re:What we have at my Uni...

[hardave]

Here at the UofA (Alberta) we're governed under the Freedom of Information and Protection of Privacy Act passed by the provincial government. I believe most other provinces have something similar, but I'm not sure. Basically under this act we can't devulge ANY information about a student without prior permision. On their initial application form students have to indicate whether they want to be added to the student directory. And we can ONLY contact them on official school business, such registration. One of the main things to come out of the act is that we can no longer publicly post grades of students outside the profs office. Although it was listed with the student id number only, it was still pretty easy to figure out who got what grade.

The nice thing about the act is that it also gives access to information the previously would have been kept quite confidential. For example if I felt that I was turned down for a job under unfair conditions, I can ask to see the interview records to see if the interview process was done in a fair manner, ie was I asked to recite 25 lines of code verbatim from the eepro100 net driver from linux kernel 2.2.6, while the other guy was just asked to describe how he would send an email to someone.

It's too bad sometimes that this Act only applies to public insitutions. It'd be real nice if a applied to everyone.

Opt-out is valid

[Call+it+a+n1ght]

Perhaps you'd like for your school to be able to verify your full-time status to mom and dad's insurer, report your accession to the Dean's List to your local paper, or for your school to verify your degree for a potential employer someday. All of these are prohibited without the student's written release for those who choose to restrict their directory information.

Denying these customary information releases for a few privacy fanatics isn't in the interest of a college or its students. On the other hand, the process of restricting and unrestricting one's directory information should be made as frictionless as possible. And in an ideal world, schools wouldn't sell out their students to marketers for chump change.

College Student Apathy

[forsetti]

Unfortunately, changing this type of service to opt-in would render the service completely useless. Very few students would both registering for the service, unless it was absolutely necessary. Being a recently graduated student, now working in a University IT department, I have seen the student apathy levels from both sides. If purely voluntary opt-in, only a small percent would bother.
However, I agree with Opt-In policies for all identity information repositories. So the real question becomes -- should this service be offered at all? DO most students want their information shared? DO they understand the risks? Should they? Should such repositories allow only authenticated access, no public access?
Thoughts?

Opt-in practical?

[soegoe]

An opt-in policy will result in better privacy, but is it practical? The aim of the whole thing is to create a rather complete directory. If you consider how many student are too lazy to answer and don't care about whether they're included or not, an "opt-in directory" will probably only contain a very small percentage of the students. Opt-out, on the other hand, just removes the ones who are really concerned about their privacy, for the price of a little work on their side, resulting in a directory as complete as possible.

Decision

The best way is probably to release only the name under an opt-out policy and provide students with an automated interface to allow or disallow a choice of other information to be listed. Then offer enquirers an automated option to ask for more information: Student get's an email notification and can grant or deny permission through a webinterface. That should satisfy both the completely paranoid and the database fetishists.

Opt-Out is a Cop-Out

[ealar+dlanvuli]

Just a friendly public service reminder for those of you in the USA:
When your bank or brokerage sends you a copy of its privacy policy, full of ambiguous language, and saying "Since we protect your privacy, there's no need for you to opt out of our information sharing among our family of companies", do two things:

1) Opt-out. Yes, it means writing a letter and putting a stamp on it. Deal with it.

2) In your letter, mention that you're opting-out because it's your only option available under the law, but that you're doing so under protest - and that you consider anything less than opt-in a violation of your privacy rights. Congratulate the bank on coming up with a wording ("information sharing") that sounds so harmless that most consumers are unlikely to realize what it really means.

3) Print out a second copy and send it to your Representative and Senator. Use proper "Cc:" snail-mail etiquette -- you want your bank to know you're telling your Congresscritter, and you want your Congresscritter to know that your bank knows.

Thank the critter (especially if he or she voted for it) for the new privacy law that's forced banks to do this very small ("opt-out") notification. Tell them that you realize the bank (or more accurately, the DMA, on request of its members) to use a low response rate to this "you have an opportunity to opt-out" mailing campaign as "evidence" that the consumers really do like to eat their spam, "or they'd opt-out, but since 0.00001% actually bothered to opt-out, the other 99.99999% must like receiving special offers through the mail and telephone and email!".

Tell your congresscritters that silence does not imply assent.

You know the argument's bogus. But the DMA, with millions of dollars in lobby funds, is gonna try to make it. And they'll succeed, unless you - yes, you there, behind the keyboard - get off your ass and do something.

Silence does not imply assent. But the DMA is going to try very hard to convince your congresscritter that it does.

The logical response is to deny the DMA the silence it needs to pull off the scam.

Problem

[Permission+Denied]

If you believe, even for a moment, that your university would sell your data, you should look into transferring. Any place that would do that cannot be considered an academic institution on ethical grounds. I'm serious: if you think your university is capable of such a thing, look into transferring.

Secondly, your university is most likely a non-profit organization, which grants it certain tax benefits. I believe selling student data to marketing droids would challenge the university's non-profit status, which means big bucks. You should look into this because the university's non-profit status determines a lot of policy decisions.

Re:Problem

[Monkelectric]

Never have I heard someone talk out of their ass so badly.

Universities of all types are money grubbing bastards. Even when I opted out of the student directory, my name was sold to a slew of companies, I got special student credit card offers, and all sorts of adds for graduation stuff, rings, invitations etc...

And as a former university employee, let me tell you WHY they do this. Government money is regulated, it can only legally be spent on what it is earmarked for. Once in my employment, we had 250k for equiptment but our other accounts were nearly depleted, we could hardly pay our employees and bills and we couldn't cheat. I ordered 100k worth of sun servers (which we also needed badly), but when we got them we couldn't afford the 900$ to have the power receptacles installed (3 prong 210V dealies), because that money had to come from out general fund not our equiptment fund.

So here's why universities are money grubbing bastards (atleast in the US). Money they get from ripping off students is *FREE MONEY*. They can put it in "discretionary funds" and do whatever the fuck they want with it. At my university "the money runs uphill and the shit runs downhill" (to quote the Sopranos). The chancelor stole money from wherever he could to the tune of like 2 mill a year in his discretionary fund. With a student body of about 15,000 you can see thats about 134$/year in fees per student, easily accomplished.

Re:Problem

[Permission+Denied]

My University experience was quite different (I was also a full-time employee for the Uni after I graduated, doing programming and unix system administration). This was a private Ivy-caliber institution (you could probably find out which one if you looked hard enough).

When a server which housed our primary username/password database was comprimised, they went through a huge rigamarole, having all 20000+ students, staff, faculty, etc change passwords. They said they were "obliged by federal law" to protect student records, and they took it seriously (IANAL).

Of course, they ripped off students in various ways.

I'm fairly certain my information was never sold, and I would be enraged if they did such a thing. I never received any credit card offers after I opted out with the credit reporting agencies. I didn't get any advertisements for any graduation stuff (only official university stuff - even the offers for graduation pics and videos came through the University, not the company that did the photos). The only junk mail (postal) that I got was from people who got my address through other means (Dr. Dobbs subscription, ordering electronics equipment online, etc). I also received zero spam (electronic) as I took various precautions to ensure my primary email address was not available off-campus. The online student directory (which I had a part in writing) had various features to prevent spambot harvesting. Our telephone system blocked caller ID (PITA for those with "privacy manager").

Um, what?

[Levine]

Maybe you haven't been to a university, uh, ever? But colleges function as one hell of a money-making institution. As if state and federal grants, tuition, and student fees don't more than adequately cover costs, they then pull in sometimes insane amounts of alumni donations and other contributions.

Try some research.

Regards,
levine

Buckley amendment explained...

[lythander]

Buckley (Also know as FERPA) requires american educational institutions (all, not just post-secondary) to protect ALL student information from disclosure, with certain exceptions. The exceptions include inquiries from government agencies and other educational institutions (i.e. they can reply to another university when they call to check your transcript). This is OK mostly becasue these institutions have the same sorts of restrictions placed on them once they have the info.

The other big exception is for "directory" information. What comprises this information is up to the discretion of the university. You would think what sirectory info was would be obvious, or at least standard, but at least at the university I work at, a leading online university, does not count email address as directory information (because otherwise other online universities (read "for-profit") might be able to request, and we'd be required to provide, this information, and then PU spam is just a click away).

There was recently a story in the news of an elementary school in Texas somewhere who was publishing student info in this way. They were just following the letter and spirit of the law.

So opt out. Your school is following the law. If they put you in a student directory, then they have to give that info to anyone who asks.

Maybe they could publish a student directory with everyone assigned a code number, which you could then input to a student-restricted website to get the address of that hottie you've been wanting to stalk?

What about employee's?

[Chanc_Gorkon]

I work for a college and I asked why was a union allowed to have my address and was basically told that because I work for a state/public school, that my address is public information and they have to give it to anyone that asks. I was infuriated (plus I am against this union in representing ME!). I don't give a rats ass what kind of institution I work for the better limit acess to my info to only the institution.

That said, for the students, this kind of selling could be against the FERPA law. Family Education Rights and Privacy Act should prevent this kind of selling of student information. If it doesn't, why doesn't it? I remember when I was setting up a printer in the Records and Registration area and things are so tight with FERPA that they have to have to separate 75 page per minute printers (or ones similar to it). One prints schedules and the other is the only one they use for transcripts because the one for schedules anyone can get to including other students. The address could be considered different then say evidence that you took a certain course, but I don't think it should be that way.

Re:What about employee's?

[acceleriter]

I suspect the location of transcripts away from the schedule printers has more to do with the security of transcript paper than with FERPA compliance concerns.

leave it.

[capoccia]

when i was at ohio state, we had a similar database of email addresses, phone numbers and regular addresses. i found it to be very usefull for getting in contact with profs, ta's and other students about school projects. that use alone outweighs the slight inconvenience of a little more junk.

the list started out as a gopher and ph service, but now it is more accessible through a web form:
http://www.osu.edu/cgi-bin/Inquiry

I fought against a directory

We didn't have a name/phone number/address one, and the administration wanted to create one, and while I was in our Residence Hall Association, I worked strongly against it.

Student stalking by other students is really pretty frequent, and this is a major concern among lots of females. If you knew what building someone lived in, you could call the front desk 24/7 and get connected to their roo. This also allowed the front desk to screen potentially harmful callers (ie someone from the room could request no calls be connected.)

My own view is that if someone should have your number, you can give it to them. We also had a student accesible email directory, which I had a lot less of a problem with. It was a fairly safe way for someone to be contacted, and if someone you don't like is emailing you, it's very easy to filter out, or bring to the OIT.

FOOBAR

WALDO

maxlow asks: "It's that time of year again when my university sends out mailers informing students that their personal information
will be compiled and released in a student directory unless students register objections in writing by the deadline. This info
includes name, address, date of birth, and email address, among other items, and there is nothing to prevent them from selling
the information to third parties without vested interests. The Buckley Amendment allows them to do this, so of course it isn't illegal. But my question
is: has anyone ever petitioned their university to change to an opt-in policy? I'd like to know what responses schools have given, if any, when
challenged, before I bring it up with my own registrar."