People concerned with the privacy of student and employee data urge changes to the openness policies in place on university computer network, while academics encourage the openness as being a necessary way of doing business in a world that depends on collaboration and the sharing of data on research projects, an enterprising report by Scott Dance in the Baltimore Sun describes.
The Sun shows that, based on data from the California-based Privacy Rights Clearinghouse, several breaches have occurred in the last few months, attacks by criminals that have exposed personally identifying information for hundreds of thousands of people, including recent breaches at the University of Maryland and Johns Hopkins University.
Officials say they are striving for a balance. At the University of Maryland, Ann Wylie [of the cyber task force] said sensitive student data might be sequestered without affecting research activity, though the university’s task force could determine that research data on human subjects, survey responses or valuable intellectual property could afford stricter controls. “There is a tension here, but I think we can work with that tension,” she said. “We do not want to do anything that would put barriers for our faculty and grad students and researchers to do their work.”
Huge differences in the K-12 world
At universities, the sharing of data has a legitimate purpose: it advances the research, which advances learning, which is the main goal of the universities.
In the K-12 world, experts find that personally identifying information about students, such as test scores, specific areas where they are struggling, and so on, advances mainly a for-profit corporate mission of developing and selling lessons in those specific areas. A side effect is that parents can learn how their sons or daughters are doing in school, but putting information online doesn’t actually address any school-related issue that can’t be solved—or that hasn’t been solved for years and years—in other, off-line ways.
For example, an article in the March 2013 issue of Educational Leadership, published by ASCD, says, “Putting technology first—simply adding a layer of expensive tools on top of the traditional curriculum—does nothing to address the new needs of modern learners.” In other words, the writer, Will Richardson, does not believe the justifications for putting student data online have any connection whatsoever to the mission of the schools.
Plus, the permanence of the data is the big issue. The Internet really has no “DEL” key to erase some piece of data. And Google scans things right away so they live forever, no matter how quickly they can be taken off-line.
There are steps that can be taken on computer networks that would keep the data out of Google’s hands, but that just shifts the burden of protecting data from our laws to I/T experts in schools, who are often strapped for time and not up to speed on the latest cybersecurity research.
But even those who are keeping up with the cybersecurity literature can miss a trick when it comes to safeguarding critical and sensitive information.
An example of how difficult it can be to safeguard data comes from the corporate world, as the New York Times reported Saturday that “Target acknowledged on Thursday that its computer security system had alerted it to suspicious activity after hackers infiltrated its network last year, but the company ultimately decided to ignore it, allowing what would become one of the largest data breaches ever recorded to proceed without a hitch.”
Until we find a way to keep data secure—not likely to happen, but we can show a shade of optimism here—the obvious path for cybersecurity is just not to put some information online. We must ask the question, Who needs to know this information? If the answer is not “everybody,” then it should be kept off-line.
Sorry, parents: the risks outweigh the benefits of K-12 schools publishing sensitive and personally identifying information about our youngest citizens. In a world where bad people have free access to data, we can’t risk privacy in order to sell a product or give you a 24/7 report card on what your kids talked about in class.
University breaches reported in the Sun
- Sept 28: Va. Tech reveals 144,963 online applications to the university may have been accessed (17,000 driver’s license numbers, but No SSNs or financial data)
- Nov 27: Names, SSNs, bank account info, DOBs for 2.5 million people associated with the Maricopa County Community College district in Phoenix, Ariz.
- Dec 13: Names, SSNs, tax ID numbers for 6,500 individuals associated with the Univ of N.C., Chapel Hill, were mistakenly posted online
- Feb 19: The Univ of Md., College Park, says SSNs and DOBs for 309,079 (later revised downward) students, alumni, faculty and staff were exposed in a breach.
- Feb 26: Indiana Univ, Bloomington, says data including SSNs of 146,000 students and alumni breached
- March 6: N.D. Univ System notifies students, staff and faculty that 290,780 personal records, including SSNs, were exposed in a breach
- March 6: The Johns Hopkins University says the names and contact information of 1,307 (later revised downward) students and faculty were exposed when a hacker attempted to extort the university