Computer Privacy Digest Sat, 18 Sep 93 Volume 3 : Issue: 036 Today's Topics: Moderator: Dennis G. Rears Family Educational Rights and Privacy Act John misses the point Re: About Selling Phone Numbers Re: Something to Consider The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- From: merlin Newsgroups: comp.society.privacy,alt.privacy Subject: Family Educational Rights and Privacy Act Date: 17 Sep 1993 09:52:22 -0700 Organization: University of Southern California, Los Angeles, CA My campus housing office disclosed my name, address, social security number, and other non-directory information to a private third party commercial long distance telephone carrier in order to help this 3rd party long distance carrier replace Pacific Telephone as the carrier for all students in campus dorms/apartments. When I complained that such disclosure violated the FERP our general counsel replied that (1) the 3rd party long distance carrier signed a confidentiality agreement and (2) the 3rd party long distance carrier was acting as an 'agent' of the university. It seems to me this disclosure is forbidden by the FERP -- the campus knows it violated the FERP -- and is trying to get out of it by using the claim that the 3rd party carrier is an 'agent' of the campus. Does anyone on the network know the FERP well -- maybe to the point of representing usc dorm students in administrative complaint and/or some followon lawsuit for willfully continuing to disclose this information to an inappropriate 3rd party long distance telephone carrier? >>My campus housing office disclosed my name, address, >This is definitely directory information. I specifically requested nondisclosure of even directory information -- so the disclosure of this information is against the act. >>social security number The campus identifies SSAN as nondirectory information. Moreover, neither the statute or the implementing regulations in the CFR's identify SSAN as potential directory information. I believe everyone would agree SSAN is not in the category of directory information. >Incidentally, how do you know that they have this information? Did they send >you a form with your SS # on it or something? I called Sunbelt Computer Systems home office in Phonenix AZ before they opened an office under the pseudonym Student Telephone Services on campus -- and they identified me by social security number and told me they were provided my SSAN by the USC Housing & Residence Halls office. Also, on the back of the telephone authorization code/credit card sent to me by Student Telephone Services (a.k.a. Sunbelt Computer Systems) is the statement: "REMEMBER: Your student identification number serves as your account number." Clearly SCS/STS/HTS (whatever else this third party long distance carrier wants to be called) acquired, used, and intended to continue using student ID numbers (which on our campus are almost exclusively social security account numbers) as their own internal account number for student long distance telephone accounts. >What other information did they disclose? I could hardly imagine any other >non-directory information that would be of interest to long distance carrier. Other minutia -- financial records and the like. >>When I complained that such disclosure violated the FERP our general >>counsel replied that (1) the 3rd party long distance carrier signed a >>confidentiality agreement and (2) the 3rd party long distance carrier >>was acting as an 'agent' of the university. > >Well, (2) sounds like garbage, but neither sounds like the counsel was >necessarily admitting a violation of FERPA. Schools do have lattitude >in decidening whether or not to disclose directory information. He may >have been explaining their reasons for disclosing directory information. >(And in any case, he likely just figured that he was calming some crazy >student, rather than framing a legal position. Don't assume that they >respect you enough at the outset to pay serious attention to you...) > >It would certainly be very stupid for an attorney to admit such a >violation--not to mention that school's are usually pretty careful about >FERPA, in the first place. > >I'd like to hear just what information was disclosed, and find out about >any relevant interpretations of "directory information" before drawing >a conclusion as to whether or not the school actually violated FERPA. > >By the way, how did you manage to talk with the school's attorney? It seems >awfully strange for you to be dealing with the school's attorney, rather >than with an administrator. Quote from 7/23/93 letter from Mr. Jeffrey Urdahl (USC Director Housing and Residence Halls) to A. J. Annala (Student in USC Graduate Student Apartments): "I share your concerns regarding disclosure of student information to non-University entities. In discussion with the General Counsel's office, it was determined that the release of information for telephone services to Sunbelt Computer Systems would in fact be legal as they are acting as an agent of the University. In addition, they signed a confidentiality agreement that we maintain in our files. Therefore, release of this information was seen as within the requirements of the Student Educational Rights and Privacy Act." So, I dealt with an administrator who relayed counsel's opinion. Another administrator (Associate Registrar) wrote: "The release of SSN is, of course, prohibited." All in all, I'll confine my complaint to disclosure of SSAN, which admittedly occurred, continues to occur because the campus insists SCS is an agent of the campus, and appears to be a clean cut violation of the FERP. So, I wrote to the housing director. I also wrote back to the registrar. I don't know what else I should do. -------------------------------------------------------------------------- Mr. Urdahl, Here is a copy of the portion of federal law (United States Code) which spells out the only individuals, agencies, or organizations to which you may disclose student records without a written request from the student [or the parents of the student] subject of the record to be disclosed. It is my understanding that Sunbelt Computer Systems (a.k.a. USC Student Telephone Services) is solely concerned with the sale of long distance telephone service. SCS is not involved in the maintenance of telephone equipment at the USC campus. SCS has no purpose for accessing student records other than to facilitate their attempt to replace Pacific Bell and AT&T as the long distance carriers for the students identified in the student records transmitted to SCS by Mr. Jeffrey Urdahl's office. Would you please indicate, among the categories identified below, which category includes SCS -- and therefore would authorize the disclosure of student records (including social security number) to SCS? It would seem to me, given the very restricted nature of this list, that SCS is not authorized to receive student records under any circumstances. If it is claimed that SCS falls under subsection (1)(A) would you please state the "legitimate educational interests" served by the disclosures. Also, under section (4)(A) below, you are required to "maintain a record, kept with the education records of each student, which will indicate all individuals (other than those specified in paragraph (1)(A) of this subsection), agencies, or organizations which have requested or obtained access to a student's education records maintained by such educational agency or institution, and which will indicate specifically the legitimate interest that each such person, agency, or organization has in obtaining this information." I hereby request a copy of this record for release of all information from my student records [particularly records maintained under Mr. Jeffrey Urdahl's jurisdiction] to any third party not identified in subsection (1)(A) of the Family Educational Rights and Privacy Act. Thanks, AJ Annala cc: Mr. Morley n.b. I am not interested in filing a complaint with the US Department of Education. I do, however, believe the campus made a mistake in the disclosure of student records to SCS -- and -- that it is incumbent on the campus to retrieve those records to rectify this situation. If it is not possible to do this then it would seem the campus is supporting a policy of permitting the release of student records against the Act. The potential penalty could be the removal of Department of Education funding from the campus -- an undesirable outcome for all concerned. -------------------------------------------------------------------------- 20 USC 1232g. Family educational and privacy rights [Buckley Amendment] (1) No funds shall be made available under any applicable program to any educational agency or institution which has a policy or practice of permitting the release of educational records (or personally identifiable information contained therein other than directory information, as defined in paragraph (5) of subsection (a)) of students without the written consent of their parents [or students] to any individual, agency, or organization, other than to the following-- (A) other school officials, including teachers within the educational institution or local educational agency, who have been determined by such agency or institution to have legitimate educational interests; (B) officials of other schools or school systems in which the student seeks or intends to enroll, upon condition that the student's parents be notified of the transfer, receive a copy of the record if desired, and have an opportunity for a hearing to challenge the content of the record; (C) authorized representatives of (i) the Comptroller General of the United States, (ii) the Secretary, (iii) an administrative head of an educational agency (as defined in section 408(c) , or (iv) State educational authorities, under the conditions set forth in paragraph (3) of this subsection; (D) in connection with a student's application for, or receipt of, financial aid; (E) State and local officials or authorities to whom such information is specifically required to be reported or disclosed pursuant to State statute adopted prior to November 19, 1974; (F) organizations conducting studies for, or on behalf of, educational agencies or institutions for the purpose of developing, validating, or administering predictive tests, administering student aid programs, and improving instruction, if such studies are conducted in such a manner as will not permit the personal identification of students and their parents by persons other than representatives of such organizations and such information will be destroyed when no longer needed for the purpose for which it is conducted; (G) accrediting organizations in order to carry out their accrediting functions; (H) parents of a dependent student of such parents, as defined in section 152 of the Internal Revenue Code of 1954; and (I) subject to regulations of the Secretary, in connection with an emergency, appropriate persons if the knowledge of such information is necessary to protect the health or safety of the student or other persons. -------------------------------------------------------------------------- (4) (A) Each educational agency or institution shall maintain a record, kept with the education records of each student, which will indicate all individuals (other than those specified in paragraph (1)(A) of this subsection), agencies, or organizations which have requested or obtained access to a student's education records maintained by such educational agency or institution, and which will indicate specifically the legitimate interest that each such person, agency, or organization has in obtaining this information. Such record of access shall be available only to parents, to the school official and his assistants who are responsible for the custody of such records, and to persons or organizations authorized in, and under the conditions of, clauses (A) and (C) of paragraph (1) as a means of auditing the operation of the system. -------------------------------------------------------------------------- ------------------------------ Date: Fri, 17 Sep 1993 10:15:08 -0700 (PDT) From: Dave Ptasnik Subject: John misses the point > From: John Higdon > Organization: Green Hills and Cows > Subject: Re: ANI > > All the verbage aside, this is what seems to bother you a great deal. > Tell me, why is it that you seem to feel it so threatened that an entity > that you call who pays for that call know who you are? > I am interested in YOUR reasons for having an abhorrance for > letting a business that YOU elect to contact know anything at all about > the person doing the contacting. It should be enough that many people feel that it is an invasion of privacy for it to be considered just that. While I am not the person of whom John asked this question I will give my answer. My mother-in-law has cancer. If I call a medical information information service at a hospital, and that service is paid for by a health insurance company, I am concerned that the health insurance company will keep track of all phone numbers that access cancer information. Once the insurance company has a database of callers to a cancer hotline, it is very easy to compare that list to the phone numbers of new applicants for coverage. Even though I don't have cancer, and am not genetically related to anyone who does, now I have a problem because I made the call. The insurance company isn't selling the list, they aren't calling for new customers, it is unlikely that anyone will ever know why their application for insurance was denied, or why they were asked to take lots of tests before being accepted. Granted this method of screening is not perfect. The data ages very rapidly. There are lots of ways around this if you suspect it is happening. Still, I think it is a legitimate reason for me to resist giving out my phone number when I call that kind of info serivce. I feel like I am paying for the service by having to listen to the inevitable commercials you hear with that sort of thing. If the service chooses to reject calls from blocked numbers, that is their privilege. > The custom and usage of caller anonymity, a legacy of the limited > technology of the past, will die hard. John, you are the one who wants to limit technology. The technology exists to send Caller ID and/or ANI. The technology exists to prevent the sending of both or either. The technology exists to reject blocked calls. I suggest we put all of these technologies into the marketplace, there are customers for all of them. I'm sorry that you feel that the technologies that I like decrease the value of the technologies that you like, but I resent your telling me that I should not have blocking, just because you want my phone number. John, I'm truly sorry that PacBell decided not to give you access to this latest technological terror. I have often heard you support divestiture (as do I). When we get competition at the local level, you will get your Caller ID, maybe even true ANI. Some of us will probably block our numbers when we call you. But just because PacBell did not give you what you wanted, citing the reason of required blocking for their refusal to offer Caller-ID, does not mean that blocking is a bad idea, or that it is the fault of privacy advocates that you did not get what you wanted. I think you can more squarely place the blame on PacBell for their desire to be controlling and manipulative, interested in their own pocketbooks to the exclusion of the deisres of thier customers. An inexcusable attitude from a regulated monopoly. For all of you out there with door and peephole analogies, I retain my privilege of putting my thumb over the hole when I knock. You retain the privilege of not opening the door. Should I become obnoxious on your front porch, you can always call the cops. > As the knee-jerk reactions to > anything that threatens the status quo subside, we may all eventually > look back on this era with great amusement. I agree with that, but I do wonder who will be getting laughed at. Get the point John. When you get the features you want, don't attempt to deny me the features I want. I want the freedom to call without identifying myself. I do not want you to force me to send my number. If you don't like the way I call you, I would never dream of forcing you to answer. ------------------------------ From: Ed Ravin Subject: Re: About Selling Phone Numbers Date: 17 Sep 1993 13:10:56 -0400 Organization: Not Just Another Pretty Face In article , Carl Oppedahl wrote: >>Two days after getting a new phone line here in Tucson, the local paper >>was calling to "FIRST, welcome me to my new neighborhood, and SECOND..." >>of course they wanted me to buy their paper. > >Yes, most telcos peddle lists of people who have just gotten new >service, and you can be sure they are very popular among many service >industries including newspaper delivery. But let's not forget the biggest offender in this department: the US Postal Service. When you file a change-of-address, it immediately gets delivered to a whole bunch of junk mail lists. The junk mail at your new address often gets there before you do. -- Ed Ravin | eravin@panix.com | "The cockroach is very advanced politically -- not elr@trintex.uucp | one cockroach in America voted for Ronald Reagan." +1 914 993 4737 | ---- Professor Louie ------------------------------ Date: Fri, 17 Sep 93 10:18:00 EDT From: Brinton Cooper Subject: Re: Something to Consider Organization: The US Army Research Laboratory Kirsi M. Vivolin discussed the well-known risks (see Risks-Digest archives for complete discussions on the topic) of pooled databases by phone companies, credit organizations, etc. She says, in part: | On the other hand, if data from many different points starts converging |into one database, privacy becomes impacted. Not only can we expect |this to happen(it is happening now), but we can expect little guidance |from the existing body of law, simply because there has never been any |precedent to this. | Notice how she slipped in "(it is happening now)" near the end of the posting. A key point in the ANI debate on this forum is whether "it" is happening or not. If corporations are collecting ANI data and using it for nefarious reasons, let's have at least one concrete example, rather than a litany of what "could" happen. Let's not suggest legislating as illegal acts which haven't yet been observed. _Brint ------------------------------ End of Computer Privacy Digest V3 #036 ******************************