Challenges to Opt-Out Privacy Policies at Colleges?

jmaxlow asks: "It's that time of year again when my university sends out mailers informing students that their personal information will be compiled and released in a student directory unless students register objections in writing by the deadline. This info includes name, address, date of birth, and email address, among other items, and there is nothing to prevent them from selling the information to third parties without vested interests. The Buckley Amendment allows them to do this, so of course it isn't illegal. But my question is: has anyone ever petitioned their university to change to an opt-in policy? I'd like to know what responses schools have given, if any, when challenged, before I bring it up with my own registrar."

Don't get it.

[Captain_Stupendous]

Opt in? You mean, "Please, PLEASE sell my personal information to the highest bidder! Please make a profit at my expense, without any possible benefit to me!"

Generally, "Opt-in" services are where you pay someone to provide you a service. "Opt-out" is where you bitch at them to stop charging you, or raping and pillaging you, or whatever. I can't see any possible benefit to an "Opt-in" service of this type, unless you are a masochist.

Re:Don't get it.

[Misch]

They still can't sell your information to the highest bidder. There's only certain information that they're allowed to actually publish, and that is essentially directory information. RIT finally got smart this year and started giving students the option of having their e-mail address publicly visible in the school's LDAP server. (Faculty and staff have the ability to login and see the e-mail addresses, because there is a legitimate need for them to do so, but the faculty and staff don't get to opt out of having their address listed in the LDAP server.)

Then again, students also get the ability to go in and edit most of their LDAP entry.

Re:Don't get it.

[oyenstikker]

Now if they'd just get smart and use SSL for IMAP and POP.

What we have at my Uni...

[Papineau]

Here (Canada, so obviously different laws apply), my Uni does collect that info, if only to send us the necessary things to attend classes (registration, etc.). I don't recall anything about selling those informations to other entities though.

The students of my faculty do have a student directory. The old way of getting the info was by passing sheets in each class, where people could modify their current information at the beginning of the semester. So if you didn't want to be listed, you just didn't filled it (opt-in). Now, that has changed a bit: the info for the directory is channeled from the Uni's info to the paper directory. But again, sheets are passed at the beginning of each semester to get the approbation of students to be listed in the directory.

To get back closer to the subject, I recall that some insurance company was sponsoring an event for coop students, so they had to send a letter to each of them. The way it was handled was that the insurance company gave us what they wanted us (the student's association) to send, and we handled the "put it in an envelope, put the address sticker and repeat" part. They never had access to the list of students, or to their info.

Opt-Out is a Cop-Out

[ealar+dlanvuli]

Just a friendly public service reminder for those of you in the USA:
When your bank or brokerage sends you a copy of its privacy policy, full of ambiguous language, and saying "Since we protect your privacy, there's no need for you to opt out of our information sharing among our family of companies", do two things:

1) Opt-out. Yes, it means writing a letter and putting a stamp on it. Deal with it.

2) In your letter, mention that you're opting-out because it's your only option available under the law, but that you're doing so under protest - and that you consider anything less than opt-in a violation of your privacy rights. Congratulate the bank on coming up with a wording ("information sharing") that sounds so harmless that most consumers are unlikely to realize what it really means.

3) Print out a second copy and send it to your Representative and Senator. Use proper "Cc:" snail-mail etiquette -- you want your bank to know you're telling your Congresscritter, and you want your Congresscritter to know that your bank knows.

Thank the critter (especially if he or she voted for it) for the new privacy law that's forced banks to do this very small ("opt-out") notification. Tell them that you realize the bank (or more accurately, the DMA, on request of its members) to use a low response rate to this "you have an opportunity to opt-out" mailing campaign as "evidence" that the consumers really do like to eat their spam, "or they'd opt-out, but since 0.00001% actually bothered to opt-out, the other 99.99999% must like receiving special offers through the mail and telephone and email!".

Tell your congresscritters that silence does not imply assent.

You know the argument's bogus. But the DMA, with millions of dollars in lobby funds, is gonna try to make it. And they'll succeed, unless you - yes, you there, behind the keyboard - get off your ass and do something.

Silence does not imply assent. But the DMA is going to try very hard to convince your congresscritter that it does.

The logical response is to deny the DMA the silence it needs to pull off the scam.

Problem

[Permission+Denied]

If you believe, even for a moment, that your university would sell your data, you should look into transferring. Any place that would do that cannot be considered an academic institution on ethical grounds. I'm serious: if you think your university is capable of such a thing, look into transferring.

Secondly, your university is most likely a non-profit organization, which grants it certain tax benefits. I believe selling student data to marketing droids would challenge the university's non-profit status, which means big bucks. You should look into this because the university's non-profit status determines a lot of policy decisions.

Re:Problem

[Monkelectric]

Never have I heard someone talk out of their ass so badly.

Universities of all types are money grubbing bastards. Even when I opted out of the student directory, my name was sold to a slew of companies, I got special student credit card offers, and all sorts of adds for graduation stuff, rings, invitations etc...

And as a former university employee, let me tell you WHY they do this. Government money is regulated, it can only legally be spent on what it is earmarked for. Once in my employment, we had 250k for equiptment but our other accounts were nearly depleted, we could hardly pay our employees and bills and we couldn't cheat. I ordered 100k worth of sun servers (which we also needed badly), but when we got them we couldn't afford the 900$ to have the power receptacles installed (3 prong 210V dealies), because that money had to come from out general fund not our equiptment fund.

So here's why universities are money grubbing bastards (atleast in the US). Money they get from ripping off students is *FREE MONEY*. They can put it in "discretionary funds" and do whatever the fuck they want with it. At my university "the money runs uphill and the shit runs downhill" (to quote the Sopranos). The chancelor stole money from wherever he could to the tune of like 2 mill a year in his discretionary fund. With a student body of about 15,000 you can see thats about 134$/year in fees per student, easily accomplished.

Re:Problem

[Permission+Denied]

My University experience was quite different (I was also a full-time employee for the Uni after I graduated, doing programming and unix system administration). This was a private Ivy-caliber institution (you could probably find out which one if you looked hard enough).

When a server which housed our primary username/password database was comprimised, they went through a huge rigamarole, having all 20000+ students, staff, faculty, etc change passwords. They said they were "obliged by federal law" to protect student records, and they took it seriously (IANAL).

Of course, they ripped off students in various ways.

I'm fairly certain my information was never sold, and I would be enraged if they did such a thing. I never received any credit card offers after I opted out with the credit reporting agencies. I didn't get any advertisements for any graduation stuff (only official university stuff - even the offers for graduation pics and videos came through the University, not the company that did the photos). The only junk mail (postal) that I got was from people who got my address through other means (Dr. Dobbs subscription, ordering electronics equipment online, etc). I also received zero spam (electronic) as I took various precautions to ensure my primary email address was not available off-campus. The online student directory (which I had a part in writing) had various features to prevent spambot harvesting. Our telephone system blocked caller ID (PITA for those with "privacy manager").

Um, what?

[Levine]

Maybe you haven't been to a university, uh, ever? But colleges function as one hell of a money-making institution. As if state and federal grants, tuition, and student fees don't more than adequately cover costs, they then pull in sometimes insane amounts of alumni donations and other contributions.

Try some research.

Regards,
levine

Buckley amendment explained...

[lythander]

Buckley (Also know as FERPA) requires american educational institutions (all, not just post-secondary) to protect ALL student information from disclosure, with certain exceptions. The exceptions include inquiries from government agencies and other educational institutions (i.e. they can reply to another university when they call to check your transcript). This is OK mostly becasue these institutions have the same sorts of restrictions placed on them once they have the info.

The other big exception is for "directory" information. What comprises this information is up to the discretion of the university. You would think what sirectory info was would be obvious, or at least standard, but at least at the university I work at, a leading online university, does not count email address as directory information (because otherwise other online universities (read "for-profit") might be able to request, and we'd be required to provide, this information, and then PU spam is just a click away).

There was recently a story in the news of an elementary school in Texas somewhere who was publishing student info in this way. They were just following the letter and spirit of the law.

So opt out. Your school is following the law. If they put you in a student directory, then they have to give that info to anyone who asks.

Maybe they could publish a student directory with everyone assigned a code number, which you could then input to a student-restricted website to get the address of that hottie you've been wanting to stalk?

Re:Levels of Information

[DutchSter]

My school (Miami University) has an online phonebook accessable from anywhere in the world http://www.muohio.edu/ph You can opt out of being listed completely, or you can let your information be posted (the default). Depending on where you are running the query from (ie, within Miami or outside), certain bits of information may or may not be available. I can edit my record to include my telephone number if I want it visible to the outside world. Unless I specifically include that, only people within Miami can see my school phone. The official address you keep on file is always private, and can only be viewed from within the University.

This completely ignores that we get a fair number of solicitations from outside organizations who are more than happy to inform you that your name was obtained from 'Officially Authorized University Lists', AKA: what they sold.

On the one hand, Joe Shmoe outside the school has to work to find my address and telephone number, but if you have money, hey, here's our whole database! People who officially opt-out aren't available at all in the PH (as it's called), but I know of several people who did this but still get solications by name in their dorms. *Shrug*

What about employee's?

[Chanc_Gorkon]

I work for a college and I asked why was a union allowed to have my address and was basically told that because I work for a state/public school, that my address is public information and they have to give it to anyone that asks. I was infuriated (plus I am against this union in representing ME!). I don't give a rats ass what kind of institution I work for the better limit acess to my info to only the institution.

That said, for the students, this kind of selling could be against the FERPA law. Family Education Rights and Privacy Act should prevent this kind of selling of student information. If it doesn't, why doesn't it? I remember when I was setting up a printer in the Records and Registration area and things are so tight with FERPA that they have to have to separate 75 page per minute printers (or ones similar to it). One prints schedules and the other is the only one they use for transcripts because the one for schedules anyone can get to including other students. The address could be considered different then say evidence that you took a certain course, but I don't think it should be that way.

leave it.

[capoccia]

when i was at ohio state, we had a similar database of email addresses, phone numbers and regular addresses. i found it to be very usefull for getting in contact with profs, ta's and other students about school projects. that use alone outweighs the slight inconvenience of a little more junk.

the list started out as a gopher and ph service, but now it is more accessible through a web form:
http://www.osu.edu/cgi-bin/Inquiry