Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/18/2006
06:37 PM
Patricia Keefe
Patricia Keefe
Commentary
50%
50%

Dude! Wanna Be In The National Student Database?

It's been a while since I've been in college or hung around with anyone who is, but I distinctly recall that no matter who was paying the freight, a student's grades were delivered only to the student. Even paying parents had no right to see the results. In the weird halfway house of adulthood that makes up the college experience, students are considered adults in some areas, children in others. Grades fell into the adult side of the class. And my guess is this goes for student health and other

It's been a while since I've been in college or hung around with anyone who is, but I distinctly recall that no matter who was paying the freight, a student's grades were delivered only to the student. Even paying parents had no right to see the results. In the weird halfway house of adulthood that makes up the college experience, students are considered adults in some areas, children in others. Grades fell into the adult side of the class. And my guess is this goes for student health and other records as well.For example, there was a case a few years ago involving one storied Cambridge institution of higher learning where a young woman killed herself. She apparently had been having problems and was receiving medical care from the school at the time of her death. Her parents were outraged that the school had never alerted them to their daughter's mental state. The school cited privacy issues, naturally.

That's because in answer to the question of whether students are adults or teenagers, from the standpoint of most colleges they're adults. This means that when universities aren't shrugging off responsibility for obnoxious, and sometimes illegal, student behavior, they're fiercely protecting their privacy.

This is why a draft proposal from the Bush administration's Commission of the Future of Higher Education to essentially create a national database of secondary-level student records caught my eye. The commission wants to compel colleges and universities to provide each student's academic, financial aid, and enrollment data--right down to attendance records--to an organization that would allegedly use the data to build a huge database capable of tracking, at least initially, about 17 million university students. Add into this soup a student's K-12 data and even their career path, and we'll be able to track students all right. Practically from cradle to retirement.

The Education Department claims the data can be used to better test educational theories and set spending priorities. Some proponents claim the data can be used to grade an individual college's performance, as well as track college transfer students and drop-out rates at specific schools. Or the data collected could be used to determine whether financial aid pays off.

It could also be used to violate student privacy. This year has produced one massive database breach or endangerment right after the other. If the government can't protect the data of veterans and active-duty soldiers, if stores can't protect customer data, and if health care organizations can't protect patient data, why should anyone think we can protect student data?

In essence, if this database comes to pass, each student would be assuming a very real risk that carries little to no benefit to them personally, as far as I can see.

And yet no one seems to be asking the students themselves whether they want to be tracked in this manner, whether they care about a particular school's drop-out rate, or whether they want follow-up contact or even for their data to be part of this project!

And it's not exactly a slam dunk amongst the higher education powers that be. There seems to be a split between public and private schools, with the private institutions mostly opposing the database. They even went so far as to commission a survey of 1,000 Americans, 62% of which (wait for it...) are opposed to the government's collecting of this data, citing privacy and cost issues. And yet those are very real issues. In fact, according to The Herald-Sun of Durham, N.C., the proposal has some wondering if it would violate the Family Educational Rights and Privacy Act of 1972, which requires schools to get written permission before releasing student records, except in a few specific instances. And the House voted earlier this year to prohibit the creation of a database that would track individual students over time. No word yet from the Senate.

Sure, sure, the data collected will be used in aggregate--students names etc. will be kept confidential. But their specific personal data will likely still be in this big tempting database. And eventually other well-meaning and maybe not so well-meaning programs will want to access it, for which they'd maybe have to pay a fee to the agency holding the database, but not necessarily adhere to the same security controls. (You know the data is going to get spread around. This is a prime demographic--it's just too tempting.) The bottom line here is that as we all know, no data is safe today--anywhere. Not from hackers, not from ordinary street crime, and least of all not from the stupidity of well-meaning people.

If students are adults, then shouldn't they have the right to opt in or out of this project? I'm thinking free books, lab fees, or, heck, an entire semester would be an attractive inducement to get that "God yes, have your way with my data" box checked off, but even so many might choose to pass. Whichever, it should be their choice. It's their data!

Do we need a national student tracking system? If parents can't breach the wall of student privacy without their offspring's permission, why the heck should some educational researcher or marketer be able to? Or should the need for better tracking of government funds and better accountability for universities take priority in this debate? Tell us what you think!

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Panopticon37
50%
50%
Panopticon37,
User Rank: Apprentice
4/20/2012 | 4:59:24 PM
re: Dude! Wanna Be In The National Student Database?
Excellent commentary, Patricia. For me, the highlight of this piece is the parallels (or is it perils)of health, consumer and military data to student data - and for that reason I quoted you in my blog last week: http://bit.ly/JUoBKY. Thanks for the great (and pragmatic) insights!
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-25382
PUBLISHED: 2021-04-23
An improper authorization of using debugging command in Secure Folder prior to SMR Oct-2020 Release 1 allows unauthorized access to contents in Secure Folder via debugging command.
CVE-2021-26291
PUBLISHED: 2021-04-23
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be t...
CVE-2021-31607
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...