Good morning and welcome to my talk, Only Your Grades Are Safe: OSINT in Higher Education. Before I start, I'll tell you a little bit about myself. I'm a data analyst who's involved in higher education. I have a big interest in data privacy and security. You can contact me on Twitter or at one of those emails. Also, I've gotten a lot of questions when people have seen this talk about why I'm doing it: you're just giving people resources to pull data for free. I'm not; there's a big issue, which I will talk about. People are already taking advantage of this, and most people don't know that they are and they don't know how to protect themselves. So that's pretty much the reasoning behind this talk.

So have any of you ever thought about your education records? Do any of you know what education records are? Can you tell me what it is? I have a nice little book I can give you. Education records go farther than that. It's everything that the college has collected on you that is tied to a student. Every single thing. So everything. This can even include things like your height and weight, eye color, your student ID picture. All of this. And it's maintained by an educational agency. Would you like that? So these records are maintained by an educational agency, an institution, or parties acting for them. And I'd like to point out that there are no federal rules that tell you what parties the educational institution can say are working for them. So if they suddenly decide that they want to partner with Antelios and they're being deemed as an educational party or a third party that they can work with, there's nothing you can do about it. And they do not have to disclose it. So, like I said, it's anything the educational institution has collected on you for the entirety of your stay at said institution.
Some institutions, like community colleges that have people that drop in and out, tend to keep records in perpetuity and don't technically follow your graduation-plus-three-years, seven-year data collection cycle, because students drop in and out and you may have a student who's been going off and on for 15 years. So they just keep everything. So if you've been going since you were 20 and now you're 45, they have all 25 years of those records of anything that you've done at that college.

So this is the big fancy rule that's supposed to protect the privacy of student education records, but there's a big loophole with this one. And it applies to all schools. I didn't even touch K through 12, because I have an issue with looking at non-adult records. So that's just a boundary I won't touch, but this applies to all of them. So any place that's received any type of funding from the Department of Education, even a dollar, is subject to this law. So a lot of people I've heard, you know, when I started talking about it, they're like, oh, well, that federal law protects us, right? They don't have to worry about anything. You know, no one can just ask for this. Yeah, that's totally wrong.

So FERPA protects everything but directory information. And you know who decides what directory information is? The college. So anything that falls under directory information by the educational agency or the institution or their third party can be disclosed without prior consent. And basically this is information contained in an education record that is not generally considered harmful or an invasion of privacy if disclosed. The PII that they can disclose without telling you is your name, your address, telephone number, date and place of birth, honors and awards, dates of attendance, height and weight. Sometimes they include parents' names.
They include international students' addresses and their parents' names and their international contacts, in addition to their local contacts. I've come across some of them that have student ID photos that you can pull, very high quality JPEGs, to make your own ID. Height and weight, hair color, everything but your grades. And in many cases the colleges also consider your email address at the college protected. But everything else is fine. And the biggest caveat is it's released without consent unless a student has requested a privacy hold, and it means you can just go ask for it.

And so I decided to do a proof of concept. I work at a college, but I do all of this research in my own time. The reason I did a proof of concept was because I was hoping that maybe just my institution was the only one that was giving away this data when people would ask for it. And it's not. So I contacted 10 colleges and universities, just a standard email. I didn't proceed with FOIA requests because they're a pain in the butt for the people involved, and I've been on the back end of FOIA requests. I'm not going to do that to anyone unless I really need to. But three of them basically told me, go fill out a FOIA. Two said, go help yourself to our directory. Here's a special link that you can't get on the main page, but go right ahead. You can look up whoever you want. One of them said, give us 50 bucks and we'll give you whatever you want. So five schools did not respond. I figure a 50% return on my time. And if I went with the FOIA requests I would have probably gotten all of them. I was going to do a live demo until I realized how much of this information would just go out, and I didn't feel like doxing people. But this is all of the information, down to some of them telling me which dorm room they were in and which dorm building they were in. And their home address as well. So I knew where they lived when they were on vacation and where they lived during the school year.
They also did not like providing email. But for some reason they provided it here. So it was explicitly stated that they didn't provide email, but the email is listed if you look them up. This is UT Austin. Big school. A lot of students. Same thing. Some of the people I looked up included their work numbers as well. They worked on campus, so I had where they would work on campus. And all you have to do with that is call to see when they're working if you're trying to find somebody.

So, a FOIA request: a lot of people think it's this big complicated thing. This is basically an example of regular FOIA requests I receive. You just write it out. The federal government doesn't have any specifics. You just have to request it. And you can make up whatever you want for why you need it. And this is what it'll get you. So this is the information that was provided in response to that email: hey, I'm marketing to these students and I want to help them decide where they're going to school. We're not allowed to verify who's requesting this information. So all of this information was given, though we are not allowed to tell people when the degree was awarded. But one of the things you can do is, they provide dates of attendance and the degrees and awards they received. If someone went to school for four years and they got a bachelor's degree, I can figure out when they got that bachelor's degree. And some of them are very helpful and they will provide you all previous educational institutions those people have attended as well. Because you might need that for helping them at the fake school you're providing.

Now this one is my favorite: what 50 bucks can get you. So as per my previous emails, I sent out this standard email. It's at a domain that we purchased using a pseudonym. There is nothing on it except for a little tagline under my email signature that said "data for tough decisions." Looks official. But basically I'm writing a request for a listing of student directory information.
What steps do I need to take in order to obtain this information? Additionally, is there a cost involved? Thank you for your help. I didn't tell them why I wanted it. I didn't tell them what I was going to do with it. I just said I wanted it. They were very helpful. And they said, hey, give us $50 for programming and we can get you anything on the directory that you want. So I requested every single thing that they could give me. They said they would provide all the data as soon as they got the money. I sent off a $50 Western Union money order from a P.O. box. I got a nice helpful email receipt. And within 10 business days I got an email that said, your data is ready. Where do you want me to send this Excel file to? I have issues with that. So I said, hey, I've got a secure upload. Go ahead and securely upload this. But if I didn't have it, I would have gotten it directly into my fake email. And on March 10th I received 22,000 student records containing all of the information I had requested, including international student information. I had international student parent names, because that's part of the directory information. I had international student addresses. I had their local addresses. I had ages. I even had law students listed on there. This is all completely legal. I didn't break any laws. And the federal government is completely aware of this.

So what's the big deal? Most colleges and universities, I won't say all because I haven't seen every single one of them, but most, and all that I've seen, automatically opt in students. It's much easier to not let a student opt out very easily. The paperwork is often hard to find. It can require multiple steps. And if you're an alum and you find out about this stuff, it sometimes requires extra steps. Personally, I went to a university in a city that I don't live in now. In order to get my data opted out, I'm going to have to take a full day off and travel there.
And hopefully the alumni officer will be present that day, because I've already gone twice and they haven't been there, in order for me to get my data opted out. I can't mail anything in. I can't opt out over the phone. And it's not well protected, and anyone can use it for a variety of purposes. I would hope that when you got a random email from someone who just had a tagline of "data for tough decisions," they might ask a few questions instead of, can I have $50?

So a lot of people don't think about it, but you can use this to construct a false identity. Just to see what I could do, we took a friend's name to see how many fake identities we could come up with that matched his current name. So you can get people, oh, I got all these degrees. I went here and here and here. Just doing recursive research using directory information, I was able to find six or seven degrees that we could put on his resume. Because when you call a college to verify a degree, you just have to tell them what year the degree was earned. Since degrees and attendances are posted, you can use that and falsify any of the information you want. You can use it to mess with international students. You can use it if you decide that you want to be a stalker. So this is scary stuff, but there's a whole lot more.

So your directory information can be provided, but treatment records can become education records when you receive treatment at a college or university. So how many of you know what HIPAA is? How many of you have ever had a HIPAA violation? Two of you, okay. It's pretty hard to do though, right? So HIPAA is supposed to protect treatment records. And student medical records are usually protected by HIPAA. Usually. FERPA provides another gaping loophole. Records that should be protected by HIPAA can lose all HIPAA protection and become only protected by FERPA. So there are several ways that medical records and psychological treatment records can become education records.
And when they convert, these records can lose all protection. So in education, here we go. This is the scary part. An eligible student's treatment records may be disclosed for purposes other than the student's treatment, provided the records are disclosed under one of the exceptions to written consent. And one of those exceptions includes when the medical records convert to FERPA-protected education records. And that occurs sometimes when anyone but the doctor that the student is seeing or a designated outside provider looks at the records. So if you go in and look at your medical records, you've converted your records from HIPAA-protected to FERPA-protected. How many of you went to school not in your hometown? A few of you. A lot of people sometimes get treatment on campus because it's easier than trying to fit a doctor into your schedule, or you may not have health care outside of what's provided at school. Or you may have a doctor back home who has not yet made it to the 21st century and still uses paper-only records. If you walk into that medical office and say, hey, while I was in college I discovered I had a thyroid issue, can I have my medical record so over the summer, while I'm not here for three months, I can continue my care? Those records lose all protection except for FERPA. And to top it off, if they disclose it in any way, they also lose protection. And it's totally legal for the university to decide that your medical records can be disclosed.

So the DOE should be on this because, you know, it's not a good thing. But the DOE says that, well, yeah, tough luck. It's totally legal. I don't really care. So the DOE has not moved forward with it. There was a call to action in August 2015 as a result of something I'll be talking about in a minute. They asked for feedback that was due October 2, 2015. Nothing has been changed. This is where you can actually find the press release for it. But there are no comments. There have been no updates to the law.
It's never even gone in front of the legislature. They just quietly waited for the next big thing to move forward and it kind of got pushed under the rug. And before people say, no, this is not something that can actually happen, it's not really a big deal: well, this loophole has been exploited publicly.

So FERPA and the rape of Jane Doe was where this loophole first came to light for a lot of people. And during the course of this, I may actually slip from saying allegedly raped to raped. They did not move forward with the conviction of the alleged rapists, but there's enough proof in all of the court documentation that you can decide for yourself. But Jane Doe was allegedly gang raped by three members of the university's basketball team over a 12-hour period in March 2014. She reported it to both the local authorities and the campus authorities. The university decided not to investigate and put the investigation off until after the NCAA basketball tournaments had started. After the tournaments were completed and they had done all of the things they needed to do, they formally began the investigation without disclosure. Again, that's not really illegal. They can do that if they want to. It's just not very ethical. The local district attorney decided not to move forward due to the low possibility of a guilty verdict. Part of the issue is the rape kit had degraded because of the long gap in the formal investigation, and some other issues with documentation, because it was almost six weeks after the rape before the investigation began on campus. Eventually the college decided, well, we should probably suspend them because they weren't good. After the suspension, they decided they were guilty of sexual misconduct and banned them from campus for up to 10 years.
Then the university administrators, seeing and hearing that there was going to be a lawsuit, compelled the university counseling center to hand over all of her medical records from her psychological treatment for the trauma associated with the rape. She filed her lawsuit in January and it came to light that they'd pulled her records and they were no longer protected. They defended their rights, saying, well, you know, FERPA said we can use them for whatever we want. She was going to sue us, so we had to protect ourselves. The case moved to the court, and during that time period her rapist was able to get hold of all of her medical records dealing with the trauma of the rape, and he was able to see what kind of therapy she had gone through. This is still in court, and I guess the university decided to stop because they were starting to get people a little bit angry at them, and they settled. They paid her $800,000 and said, hey, we'll pay for you to go to school for four more years here where you were raped. You really want to come back, don't you? And they changed the policy for admitting students with a history of sexual assault and misconduct, but they didn't do anything about their misuse of records because, as they put it, it was completely legal under FERPA, and they were not hit with any DOE fines for doing so.

So why does this all matter? The university accessed her medical records, including her mental health records. They also accessed her sexual health records from the student center. Women are encouraged to go every year to get an annual exam, because an STI test is part of that annual exam for most women. It's just part and parcel of the whole thing. They used that as part of their defense. Look, she's been tested for STIs. Never mind that it's considered standard of care. They pulled the records in anticipation of the lawsuit without consent. She never knew those records were breached.
I mean, not necessarily breached, but she never knew those records were pulled, and she continued to go for therapy. Then they converted them to education records, which meant that the lawyer for the student who was considered the alleged head rapist could pull all these records and review them with his client. And then they were once again used against her in court.

So what does it mean for you? Well, your confidential medical records could become records anyone can look at. They could be used against you. They could potentially be used to negatively affect you in the future. During college, a lot of people go through trying times. People who may not necessarily have issues at other times in their life may suffer from depression, suicidal ideation. Your brain is still developing, or you may get involved with a sorority or fraternity, or you may start binge drinking just because that's a cool thing to do. If it appears on your records that you sought treatment for that, that can be used against you at some point to deny you medical coverage. It can be used to deny you a job. It can be used to say that you're a bad fit for a position that has nothing to do with what you did when you were in college.

Yeah. No, you can go ahead. Nope. In the case of educational institutions, if you've received care at an educational institution and anyone at that educational institution looks at those records, as long as it falls within certain parameters, which it did because it's the educational institution looking at its own records, it doesn't constitute a HIPAA violation. Yes. You can opt out. There are some certain caveats which I'll talk about, but the next one is this is what you can do about it.

So you can opt out of data sharing at any institution of higher education that you've ever attended. So this is what you can do about it. But there are some caveats to the opting out.
When you opt out, that means that someone like me can request the data and I'll be told no; these people, you know, I'm not going to get those records. I won't know that they've ever existed, because they're a blank slate. However, if your college or university is involved in any type of evaluation program, your data can be shared with the outside evaluator even if you've opted out, because it's part of a grant program and it supersedes your opting out. Yeah. Yep. Yeah. So I want you to think about that. Unless you've gone to a completely private college that received no funding from the Department of Education, even when you opt out, your data can still be accessible to some people. Opting out provides you a lot, a big safety net, so someone can't just go request it like I did, but other people can still see your data. Anytime there are grant funds or anything like that, opt-outs aren't considered at all. They make a note of it: 2% of the students opted out. But it's not a guarantee that your data is completely safe. Neither the Department of Education nor the grant fundees nor anyone else is interested in protecting those students who don't want their data shared. We recently had a data agreement, or we recently had a request come across, where we were providing data to an outside entity for the current students, about 44,000 students. Of those 44,000 students, only about 400 of them had opted out.

And previously, when I talked about it, it's sometimes hard to see or hard to find. The law only stipulates that it has to be put up in one place. Colleges sometimes put it at the very front of the course catalog for the semester in little tiny print, on one of the first two pages. How many of you ever read that front part of the course catalog when you were planning your schedule? I never did. I was just trying to get my classes before they filled up with everybody else, you know?
Some places will put it up where you can see it, but it requires jumping through hoops. One college I looked at had an opt out, and in order to opt out, even if you're a current student, you have to go to their office with an ID. 25% of their students are military members serving overseas. So how are you supposed to opt out when you can't physically be present?

So currently, the only thing I can do is tell people to opt out. Tell everyone you know to do the same thing. Contact your higher education group. Right now it's just a few of us saying, hey, this is a problem, but maybe at some point if enough people start talking about this, they'll stop screwing people over and just giving their data away. Contact your congress critters. They're not people, I'm sorry. They're not. But if you contact them and bug them enough and tell them you should start talking about this or we're going to vote for the other critter, maybe they'll listen. Colleges have gone from a bastion of higher education, a bastion of learning, to a place where student data is commoditized and just given out.

Another issue is, I anticipate we're going to see more requests for things like DACA students and student religion. I already had to tell people we don't collect data on students' sexual identity or sexual preference, because they wanted to use that to do a study, and how dare I not let them have their sexual preference? I was like, that has nothing to do with education. We had another person who asked for a list of all Muslim students on campus. No, this is not a question we ever asked. We've received multiple requests for a list of all DACA students. I don't care about your immigration status when you come to school. I look at how you're doing and report data on that.
DACA status shouldn't ever be held, but the issue is, even with opt-out, I can be compelled to give lists, and with the current political climate I'm not going to create a list of DACA students, because if it exists, someone can ask me for it even if they've all opted out, and someone with enough authority behind their name can make me give it to them.

So this is kind of my what's next. I kind of wanted to see what other personal information I can gather, but I'm also transitioning jobs, because I'm hoping to set up kind of a resource center to help students start taking back control of their data. People don't know how to opt out, and every college has a different opt-out procedure, and sometimes they're impossibly obstinate about letting you control what's about you. For people in college now, my recommendation is don't use the student medical resources, which is a shame, because sometimes that's the only medical care you can get. But the fact that this sort of stuff can happen is a warning to everybody, especially because opt-out won't necessarily protect that from some people who are asking. Any questions?

I am hopeful that they will do the right thing, but I don't know that they will, because the loopholes still continue to exist despite uproar from colleges themselves. For instance, at the college where the student was raped, the only reason that information came to light is because two people from the counseling center filed a formal complaint against the university, lost their jobs as a result because they said that they were prohibiting due process, and raised enough of a stink that a journalist found out what was going on. So I hope that colleges will comply, but I have a feeling that it will be a battle, and I have a feeling that there will probably be a lot of lawsuits, especially from international and foreign students, regarding their data protection.
Yeah, there are often FERPA violations within some of the data that's presented, but as someone who works with the data I can only advise. I can never tell; the decision of what to do with it comes from above. And I know consistently, across the board, colleges across the U.S. often violate FERPA in order to provide data to consortiums and things like that. So none of these would be a HIPAA violation because of the way it is worded, but FERPA violations are up to $1,000 per student per incident. It's nothing, but a lot of times with the sum of data that they're passing out, it's 500,000 students, it's 15 years of data, and that does add up. But it's just a slap on the wrist and it doesn't really... the college will find some other way to pay that fine and continue to do what they're doing. No, it doesn't effect change.

Yeah, and I believe that is a scare tactic, because you can contact your college or university and ask them to send a certified transcript, which most employers who are looking for students are all too happy to receive, because that's a better indicator than just calling some random person in a registrar's office. They also use it in some places as a scare tactic. Well, you know, you can't just log into everything easily; you're gonna have to use different passwords for all your logins, you know, because they use one login for every single thing. Honestly, that's poor security. You should be using different passwords for all the things you log into anyway, but they use it as, we're gonna cut off your convenience, we're gonna make it so no one will hire you, as a way to prevent students from opting out, because it's extra paperwork. That's an extra thing. When I get a data request from an outside entity, personally I would love to be like, I'm sorry, here's four students who didn't opt out, but you've got an enrollment of 44,000.
Yeah, but these are the only ones who didn't opt out, so I can't provide you the rest of the data. That would be a dream for me, because that would cut down some of the data sharing that we have. You can still supersede it. I sent an email to one of the UC colleges saying that I was interested in receiving some directory information so I could send students a scholarship application, and I was told I would just need to provide some funding for programming but that I would be able to... They actually violated it. Yeah, so there are... They actually violated it. Yeah, there are so many, because sometimes it's a mix of they don't care, a mix of negligence, and a mix of, I work with really poor students, here's an opportunity.

Yeah, and people don't understand FERPA. When you start talking about it, a lot of people think it protects everything. Well, it's educational rights, you know? No. And one of the things is, I'm not accessing K-12 records, but you can request K-12 records and see all of this information. It doesn't apply to private schools per se, but charter schools and public schools who receive federal and state funding are subject to FOIA requests, so you can send a FOIA request for all sorts of data on students under the age of 18.

Yeah, and I think part of that is colleges a lot of times are trying to find money wherever they can, and sometimes complying with these grants, with all of these stipulations to give over everything, is a way to fund further programming, and some schools don't really care; it's basically cattle in, cattle out. Other schools, especially smaller schools, are trying to help their students, but some of the smaller private schools have 75% of students who have high need, and you're gonna take money wherever you can and make sure the students go through the classes and complete, and so it's kind of a cycle.
I mean, people have to start opting out, and then when they find out that their data's been shared when they've opted out, start making a fuss, because it's not a lot of money, but if you have enough people yelling, hey, my data's been violated, can you look into this, and they find enough things, at some point if you have enough violations it will hurt. Any other questions?

If you follow me on Twitter... so I'm kind of in a tenuous situation, since I work for a college, providing this kind of stuff could violate my job, so I'm looking for a private sector job, but I will be setting up kind of a resource page eventually. It'll be under Cat Bear Intelligence, but if you follow me, let me put it back up. So either follow me on Twitter or send me an email. My husband in blue here is a DevOps engineer, so he's helping me set up a lot of the backbone. All of my programming is in SAS and R, so it's not quite as useful outside of the statistical area, but I'm going to be setting something up to try and explain FERPA in plain language to people who may not understand what it means for their rights, as well as explaining how to opt out and how to make sure your data's not being shared, in plain language. And then I'm hoping to have a community effort and have people who've opted out, and the procedure that they followed at their particular school, so others can look up and see, because they are different across the board.

You can opt out as soon as you start college. No, they have to keep them as part of the DOE because of DOE funding and receiving financial aid and stuff, so they require... you can't just have your data purged. Well, let me take that back. You could potentially do something that would put you in the witness protection program that would allow you to clean that record up, but I don't recommend that as a way to get that record removed. And not all schools follow.
Where I work, we basically have records from what we call the beginning of time, from when we started, because we have so many students who do the "I go for a little bit and then life happens" thing, and so you'll see that more in community colleges. Universities still hold on to some of the data because they have verification and they need the transcripts and things like that, so some data might be destroyed, but your transcripts and things like that stay around. Any other questions? Anyway, like I said, just follow me on Twitter, just drop me an email. I have some business cards as well if you didn't get a snapshot of that. I'm hoping to set up a public-facing page to have kind of a crowd-sourced "tell me how you opted out of your college" so we can help other people and move forward with that. Thank you.