January 31, 2007
Personal Information Abuse at Case
Identity theft is a serious concern and loss of personal information by "responsible" entities, including governments, schools, and corporations is occurring almost every day. For many years, students at Case Western Reserve University have been pleading the administration to crack down on what are perceived to be abuses of personal information and a severe threat to the security of their personal identity.
This past fall semester, the Undergraduate Student Government (USG) took aim at the issue for the third time in recent years. They invited the undergraduate student body to take an online survey regarding the issue. Nearly twenty-five percent of the student body-- about the same amount that respond to USG general elections-- responded. Their results were assembled into a ninety-two page report (Case ID required). The report called for an expedition of USG's requests in Resolution R.16-06, "a resolution calling upon the University to respect the federally protected student Right to Privacy by expediting a transition away
from Social Security-based Student Identification numbers." It was hoped that the requests of the student body would be hastened after the administration was alerted of an alarming level of insecurity surrounding personal information, which was confirmed from survey results.
Despite figures such as "41% of respondents indicat[ing] that they had been accidentally exposed to other students’ Social Security numbers on paper documents" and 12% on computer files, the administration still appears to be side-stepping the issue.
Today, the university uses your Social Security number as the primary means to identify you. If you are a student, your Student ID number is (usually) your Social Security number. If your are staff or faculty, your staff or faculty ID is your SSN. What does this mean? Well,
- Your Social Security number is embedded on the magnetic strip of your Case ID Card
- Entities that have no need to know your Social Security number (such as the Office of Undergraduate Studies, your professors, etc) have access to it because it is your Student ID number
- Whenever you need to be uniquely identified in a database environment, chances are your Social Security number is the identifier
- Many more
Obviously, the university must possess your Social Security number for some uses. However, with recent trends in computer and personal privacy and more restrictive state and federal laws dictating its use, the university's continued reliance upon this "private" number taunts a fine line with gross negligence. How is it that with the recent higher ed mass exodus from using it as a primary identifier, the university's reliance remains nearly the same as it was four years ago?
Fortunately, it appears that USG's efforts last semester did not go unnoticed. The University Provost, John Anderson, addressed the USG General Assembly on the issue this past month. The university has also assembled a committee to address the concerns. However, it appears they have also taken a step backward.
Concerned students used to be able to go to the Registrar and have their Student ID number changed, with few questions asked. Sure, there were hiccups as systems all over campus got confused when things changed, but it was possible to do, and your personal information security was a little better. Now, it appears things have changed as a result of the new attention the administration is giving to the issue. The following was posted on the Case Forum earlier today:
Friday of the first week of classes I went to the registrar's office and filled out a form requesting to have my Student ID changed. For the reason, I simply said "privacy." They said I'd receive an email in about four days, and could then go to Access Services to have my card re-programmed.Last Friday, I went in to check the status of my request. The lady at the desk went into one of the side offices to talk to (I think, at least) the Registrar's assistant. She came back out and told me I had to put a better reason than "privacy." I figured I wouldn't get anywhere with her, so I went to the assistant's office to talk.
The assistant told me that as a result of the concern over SSNs being used to identify people, a committee was formed that has to approve student ID changes, and that "privacy" wouldn't be a good enough reason. I started bringing up FERPA, and she said that the registrar's office was not in violation of FERPA. I started telling her reasons why I don't want to use my SSN as my student ID (EMAE 172 card access sign-up sheet, I don't want my adviser to know my SSN, student ID encoded in plain-text on Case ID card) and she was just like... "oh they can't do that." Well, they do, and that's why I want it changed. At the end of the discussion, my request can still be denied to have my student ID changed.
If this student's encounter is indicative of new university policy, then, well, I'm just flabbergasted. The university used to allow you to change ID's without asking questions, now they refuse on grounds that your personal information privacy is not good enough!?
At this point, I have lost lots of faith in the university. On the whole, they are guilty of either gross negligence or gross incompetence. Unfortunately, given the closed-to-the-outside-world mindset of upper administration, it is impossible to know which is true. I would hope neither, but as circumstances have it...
As long as the current mindset prevails, it seems the only thing I, and others concerned about our privacy, can do is set back and hope that when-- not if-- there is a serious breach of personal information at Case, we are fortunate our information wasn't included.
Trackback
You can ping this entry by using http://blog.case.edu/gps10/mt-tb.cgi/12525 .
Comments
Even years later, the concept of identity theft has not been realised by a greater percentage of the University community.
When I looked back at my years at Case, I had to be concerned when we had to write down our SSN if we forgot our Case ID when entering Leutner. There were several pieces of paper on the cashier counter, and list of student names and their SSN's. At certain times, there was no one manning the station, so anyone could have taken that list and walked out with it.
Another time were the credit card solicitors that were hanging out at Leutner and Fribley Commons. They had a portable copy machine and students were filling their personal info so they can get that free gift or t-shirt.
In almost all of my classes, we had to write down the whole or a part of our SSN to identify ourselves and this was used to look up our exam scores afterwards.
When filling out university requests forms, USG disbursement forms, and others, a SSN is used. Back then, it was on paper, and there was no secured method to ensuring that your most prized identification number is not lost.
Then there was one time when a computer on the network had shared a copy of the whole undergraduate list with their birth date and SSN's. It took several emails and phone calls to the appropriate dept to get that computer removed from the network.
Why do people think that identity theft won't happen to them? Even at home, I bet that most people would throw out their bills and credit card statements without shredding them or ripping them apart. A person can just look through a person's rubbish and be able to find enough private info to steal someone's identity.