July 22, 1997 2:05 PM PDT
Colleges criticized for posting student data
From the State University of New York to the University of New Mexico, students' full or partial Social Security numbers are popping up on the Net. The practice is drawing fire from privacy advocates who say the schools are carelessly breaking the law and putting their students in danger of fraud and other harmful activity.
Despite a federal statute that protects citizens' right to refuse disclosure of their Social Security numbers to public institutions, schools of higher education often use the number to personally identify students in an array of records. Students hand out the numbers to enroll in classes, collect grades, and check out books. The numbers are supposed to be kept private but often aren't.
Unlike documents stored away in locked file cabinets at physical locations, information in insecure electronic documents can be broadcast to the world via the Net. Social Security numbers can be used to obtain a person's address, employment information, and birth date using a look-up service such as Lexis Nexis's P-TRAK or any number of for-pay sites on the Net.
The Federal Trade Commission's high-profile privacy workshops and threats of federal legislation haven't curbed the occurrence of private data and numbers making their way online. In the latest example, a University of New Mexico computer science professor posted students' Social Security numbers, without the two middle digits, alongside a series of test scores.
Even with some information missing, privacy experts say the numbers can still be used for shady activity. "The first three digits stand for the region where the number was given. So it's really the last four digits that identify a particular individual," said Dave Banisar, staff counsel for the Electronic Privacy Information Center.
The two middle digits of a number "have no special significance but merely serve to break the numbers into blocks of convenient size," according to Social Security Administration information.
In addition, banks and credit card companies often use the last four digits of a Social Security number to let customers access account information over the phone.
Just today, the University of New Mexico professor was asked to take the numbers down, but at press time they were still available. The posted numbers are a concern. "We're taking action," said David Grisham, the computer security administrator for the university. "The university is reviewing this and looking into a policy."
The State University of New York responded in kind when it learned that 101 student Social Security numbers were accessible online from April to June as part of a beta site for an internal business administration resource. The document with the numbers also included students' names and school health fee payments.
The page was retrievable by sifting through the university's Net site directories, according to Glen Roberts, a privacy advocate who published the findings on his Web site.
SUNY pulled the document and has since notified the students involved that they have a right to file a complaint with the U.S. Department of Education.
"Our information services people believed those documents were secure," said Robert Baber, director of public relations for SUNY. "We agree with Roberts. We don't want these records to be accessed by any outside source and most internal sources. I've been in touch with the students, and none have reported anything unusual going on with their personal records."
The New York university now limits online access to private information. "All internal electronic documents will continue to be located in restricted directories," Baber said.
Even if the numbers aren't put on the Net, computers with sensitive data that are hooked to the public network are vulnerable to global hackers, not just the cat burglars seeking paper archives.
"Many of the universities have Web pages where students and faculty can enter their Social Security number to gain access to internal information," Roberts said.
"This is dangerous because this number is being transmitted over the Net to a server. It also means there is a database of all these numbers on a server, which could be accessible online," he added. "Students or faculty should refuse to give out their Social Security number unless it's for employment at the university or for a grant."
But some wonder why Roberts, a self-proclaimed privacy protector, is republishing the sensitive online data he discovers. When Indiana University put almost 3,000 Social Security numbers online, Roberts duplicated the data in its entirety on his site. After being criticized by Netizens, he currently puts the federal identification numbers up without the two middle digits.
"The evidence being presented is probably important because seeing is believing, but these people's privacy shouldn't be violated a second time around," Banisar said. "He should probably get rid of the last four digits."