A Princeton student who tried to raise awareness about how much information the university makes available about students online may have bought himself some trouble with the university.
Anastasya Lloyd-Damnjanovic reports:
“Congrats on using Gmail for your Princeton email,” Dan Li ’11 wrote in the hundreds of e-mails he sent out over the last few days to students who forward e-mails from their Princeton accounts to their Gmail e-mail addresses. “If you’re creeped out because I know your Gmail address, read on.”
The e-mails included personal details about each student including their names, e-mail and mailing addresses, dorm room addresses and student identification numbers, which, he said, were publicly accessible through the University’s web-based directory.
Li said he sent the e-mails in an effort to raise awareness about a perceived security breach in the University’s Lightweight Directory Access Protocol server that could allow anyone outside the community to access the personal information about students that Li included in his e-mails.
Read more on The Daily Princetonian.
The problem, of course, is that the federal education rights privacy law (FERPA) allows schools to publish way too much information:
Section II of “Rights, Rules and Responsibilities” states that “the University may disclose the following types of ‘directory information’ without restriction unless the student otherwise requests: name; address; telephone number; e-mail address; photograph; student identification number; dates of attendance; major field of study; participation in officially recognized activities, organizations and athletic teams; weight and height of members of athletic teams; degrees and awards; academic institution attended immediately prior to Princeton University.”
One could argue, “Well, just because you can doesn’t mean you should.” One could also wonder why, in this day and age, more universities haven’t voluntarily decided to be more privacy protective or to make publication of such information opt-in. But then I’d remind you all of how universities are often selling this information and make huge amounts of money selling this information to banks or others who offer students credit cards, etc.
It is way past the time for Congress to have realized that what worked reasonably well in a brick and mortar world does not work well in a digital world. The default amount of information needs to be revisited and reduced.
If schools are serious about trying to teach students to be careful online and to protect their privacy, then they should start by modeling what they want the students to learn – be more protective of the students’ privacy.