I have, saved on my desktop, a beautifully organized spreadsheet with the personal information of over 25,000 UCSD students.
The spreadsheet — which covers all undergraduates and graduates enrolled as of Winter Quarter 2012 — includes names, emails, phone numbers and addresses, and could have covered more if I had so requested. The only people not included are those who have specifically restricted their information; according to University Registrar Bill Haid, less than 10 percent of students have done so, meaning that my document provides access to 90 percent of our campus population.
There’s a short answer to the question of how I got the spreadsheet: I paid for the information in a completely legal transaction, one that any UCSD student can go through. After that, it’s just a question of uploading the spreadsheet to the appropriate mail server and clicking “send.” But the transaction itself is part of a larger discussion about student privacy rights, access and online communication.
For me, the process of obtaining the spreadsheet started with the all-campus email Utsav Gupta — former A.S. President and current Alumni Office employee — sent on Feb. 29 encouraging students to vote in favor of the Division I referendum. Since there was no anti-Division I email, members of the con campaign accused the administration of bias, assuming that they approved Gupta’s email. As I started interviewing, I heard allegations from professors suggesting that Gupta had improperly accessed an all-campus listserv without the approval of the appropriate vice chancellor. But when I spoke to Gupta, he maintained that he had sent the email without accessing any listserv or using university resources.
I set out to learn more about student privacy rights and how this was possible. As evidenced by the process I went through in late March and the email I sent out last night to a random sampling, it is entirely possible to have an independent list and send unsolicited mail to the majority of our campus population. And Gupta and I aren’t the only ones who can do so.
***
The names, emails, numbers and addresses I have fall under the category of public directory information, and were previously available through the online student directory on TritonLink. Before September 2011 — when administration shut down the directory due to student privacy concerns — anyone could search for students and pull up any information not explicitly restricted. From September on, those who wanted the information would either need to ask the Registrar informally or go through the same process I did, which Registrar staff say has been in place for at least 19 years.
According to David Loy of the American Civil Liberties Union, the Family Educational Rights and Privacy Act (FERPA) of 1974 stipulates that this official directory information can be released without consent — again, unless a student has explicitly restricted this information. (See our front-page infographic for information on how to do so.)
Directory information includes, in addition to the data mentioned above, most recent educational institution attended, major, units enrolled, dates of attendance, grade level, enrollment status, degrees and honors.
Transcripts, personal identification numbers, high school test scores and photos are deemed confidential and cannot be released without a student’s consent once she turns 18 or attends university. Though this confidential information is available to all faculty due to “legitimate educational interest” — for instance, faculty would need access to full transcripts to write a recommendation letter — it cannot be released to third parties without explicit consent.
***
I first tried to obtain the information via the California Public Records Act, which generally mandates release of public information that should have included directory data. I sent an email requesting the names, emails, numbers and addresses of all graduates and undergraduates, but was denied access.
According to Paula Johnson of the UCSD Policy and Records Administration, FERPA legally allows for the release of such information, but does not require the university to release said information to third parties. Though I had emailed my request using a UCSD email, I did not explicitly state my current status as a student.
“The university withholds this information to protect student privacy,” Johnson said. “We do not release this information to third parties.”
She explained that while students can access this information — and it was therefore possible for me to obtain the spreadsheet internally through the Registrar — the university avoids releasing it to protect student privacy. Johnson cited specific provisions of the CPRA — Govt. Code § 6254(c) and 6255) and the California Information Practices Act (Civil Code § 1798 et seq; e.g., 1798.24 and 1798.60) — which showed that there was no legal ground for third parties to obtain this information. She referred me to the Registrar.
***
Although denied by Johnson and the CPRA, I received a response from Melissa Ciandro at the Registrar.
She first asked me if I had business with the university, since the Registrar tries to confirm the reason for the data request to best tailor the information provided.
I explained that my data request was out of personal curiosity, and identified myself as a member of the Guardian staff. The UCSD Policy and Procedure Manual provides a form that needs to be filled out for each request; I did this electronically, providing my name, address and phone number. I did not need to provide my PID, student ID card or photo identification. Throughout this exchange, I never saw Ciandro face to face.
She then explained that the charge for the information is $75 per hour, with a one-hour minimum to set up the file I requested. I was required to provide my personal information so the Registrar could set up an account to record the charge. Usually, Ciandro will create an invoice, send it to the requestor and the request sends back a check made out to the UC Regents — this ensures that she does not release the information without receiving payment. After the file is released and the check deposited, Ciandro sends the receipt back to the requestor. In my particular case, I did not write a check and instead charged the document to the Guardian’s account. I also had the option of renewing the list each quarter with new enrollments, for a recurring charge. I declined.
After 14 emails and a $75 charge, I had t
he document.
Any student can access this information, Haid said.
“Students can walk up to the Registrar’s office and informally ask for information about another student,” he said. “If we have it on file, and the student has not opted to restrict it, we will provide this public information. We don’t often get requests. The $75 fee is meant to be a deterrent, and it is a one-time fee, as we ask that the information is provided solely to the person who paid for it and cannot be re-released.”
Ciandro also emphasized that tthe document she provided was for personal use and could not be re-released or shared. She specified that the information was for personal use, and the document should not be duplicated or shared.
It’s been nearly a month since I first requested the information and, as far as I know, there is no way for the Registrar to keep me accountable to my promise of keeping the information private. I can think of no way for them to know if I have forwarded the contact information to anyone, made copies for a different student organization, or sold it illegally to pesky credit card companies that live to prey on college students’ debt. Although I have not done any of the above, the release of this information seems to operate on an honor system without a way to ensure that the information is not widely released once one person has a copy.
I did not receive a briefing on the legal limitations of how this information could be used — or the consequences if I leaked the document or decided to use my new knowledge of personal addresses to harm someone.
There is a UC Policy on Safeguarding Resources and Investigating Misuse of Resources, last amended in 1981, but the version online does not specify consequences for said misuse.
***
There’s two pieces of good news. First, both Haid and Ciandro said that although any UCSD student can go through this process, the Registrar does not provide directory information to third parties.
Second, relatively few people have accessed this information in the past three years. I requested a second spreadsheet detailing everyone who has requested data since 2009. The list included 60 names, mine included, all of them affiliated with an organization. The people included had requested various combinations of information (seniors only, 18+, all incoming male freshmen, all students with 3.0+ GPAs, etc).
Those who requested the information included the military (as required by the Solomon Amendment, which allows the Secretary of Defense to deny funding to universities if they block recruitment activity), various UC campuses, the UCSD Bookstore, the Associated Students, UCSD Extension and the Phi Sigma Pi honor fraternity.
“All of these customers agree to this data being used by them only and a one-time use,” Ciandro wrote in an email. “All students with FERPA holds are excluded from the data files. All data requests are routed to me and I investigate as I did with you to find out who you are and what you need the data for.”
But after all this, I still don’t have exact confirmation that Gupta requested information from the Registrar to send his all-campus email. He was not directly included in the list of students who had requested access to such data, although there is an October 2009 request for all student data from Associated Students under then-Director Lauren Weiner’s name. This request occurred during Gupta’s 2009-10 tenure as A.S. President, showing that the Associated Students then, at least, had access to the information during that time. Weiner requested the same information in October 2010; in 2011, the Associated Students requested data for all seniors and transfer students.
Personally, I restricted my information as a freshman in Fall Quarter 2009. I still received Gupta’s email, although this could easily be because we have been communicating via my UCSD email for years.
***
With each week bringing another story about employers asking applicants for their Facebook passwords or a trend piece on varied uses of email, online communication is clearly changing.
Haid, of the University Registrar, sat on the Student Messaging Committee charged by Vice Chancellor of Student Affairs Penny Rue to revise campus communication guidelines. The group, which concluded its work in February 2012, has made two main recommendations to Rue.
In September, the group successfully took down the aforementioned student online directory.
“Even though an online directory and its info is legal and public, students don’t realize that it is easily available and there’s a trend among UCs to have more restriction on this type of info,” Haid said.
Currently, the student directories of UC Berkeley, UCLA, UC Irvine UC Davis and UCSC are open to the public, though most provide only the student’s email. UC Santa Barbara’s student directory can only be accessed by those who sign into the campus email server.
Haid said that the change was spurred by occasional complaints from students concerned about their information and worried about identity theft and safety, especially in regard to ex-boyfriends or girlfriends. The group realized that since the university has no legal obligation to make the information publicly available, it would be in the best interest of student privacy to take down the directory.
“The directory started as a paper book, back when technology was different and people needed more access,” he said. “Now, with technology changed, there are so many other avenues in which one can find this information. We provide class lists and rosters, and people can use Facebook.”
Haid said that the group chose not to make directory information an opt-in process (in which students would have their information restricted unless they acted to un-restrict it) because there was not enough demand.
“We rarely ever receive complaints about the directory, and we addressed the issue by taking down the directory,” he said. “Creating an opt-out system would require redesigning the entire system, which we felt wasn’t necessary.”
Student Messaging Committee Undergraduate Representative Alex Greco applauded the group’s efforts.
“They pushed [the closing of the online directory] through in fall, and it really addressed a lot of issues,” he said. “The opt-out idea didn’t really come up; the purpose of the group was to analyze these issues and see what was lacking
, not necessarily tackle anything as a problem.”
The second recommendation of the Student Messaging Committee was to divide university communication into mandatory and non-mandatory emails. If this recommendation is implemented, students will still be responsible for reading mandatory emails — about grades, admissions, enrollment — which will be labeled with a special banner. Non-mandatory emails — for instance, parking, construction and event notices — will be labeled differently and students will have the ability to opt out.
“I personally think that this is a very important process that will potentially impact students for some time to come,” Greco said.
The Student Messaging Committee presented its recommendations to Vice Chancellor Rue in April.
***
How to Restrict Your Information:
1. Sign into TritonLink using Single Sign-on
2. Click the “Personal Tools” tab, then select “Addresses”
3. Click the tab labeled “Public Information Restriction”
4. Restrict relevant information