Why Colleges Fail the Privacy Test

Most college Web sites lack online privacy policies. What does that say about their ability to secure people’s private information and to avoid data breaches?

How well do educational sites handle people’s private information?

To find out, researchers from Bentley College and security vendor Watchfire Inc., both based in Waltham, Mass., assessed the privacy practices of the top 236 U.S. colleges, per the US News and World Report 2004 list of best colleges.

Taking a cue from the Federal Trade Commission’s ongoing surveys of e-commerce sites’ privacy practices, the Bentley researchers studied the privacy notices posted on colleges’ Web sites, as well as how the sites linked to them internally. Meanwhile, researchers at Watchfire ran automated scanning to assess the Web sites for common security problems, including insecure cookie or data-collection practices.

The findings: most colleges’ privacy practices don’t get a passing grade. Researchers found only 36 percent of schools studied “had a privacy notice that could be accessed from the homepage either by a link on the page, by using a dropdown menu, or by doing a search.” Furthermore, while 65 schools technically linked to the privacy policy from the homepage, only 53 included the word “privacy” in the link.

Of the 65 schools with privacy policies, 85 percent did note whether their site collected personal information. Roughly two-thirds of the privacy notices also defined the scope of the privacy notice, and an equal number offered contact information for any privacy-related concerns. Yet only one in five sites detailed how changes to the privacy notice were handled. Interestingly, none contained a privacy seal.

What’s the big deal with privacy policies? While the presence of a privacy policy doesn’t ensure sensitive or confidential information is secured, it is a window into an organization’s overall security practices. In other words, if a university—or any organization that gathers and stores people’s information, for that matter—doesn’t link to a detailed privacy policy from its home page, or perhaps at least from somewhere on the site, or if it has inconsistent privacy policies, that telegraphs behind-the-scenes disarray.

Decentralized IT vs. Privacy Practices

Some institutions also post multiple privacy policies, begging the question of which one rules. For example, according to the report, “50 schools posted a privacy notice for the undergraduate admissions section of their website, but only 41 of these policies were the same as the privacy policy posted on the homepage.” Furthermore “an additional 39 schools, or 17 percent of the sample, had privacy notices on other sections of the site, but no homepage privacy notice.”

Perhaps this isn’t surprising, given the decentralized nature of many colleges, not to mention their related IT and information security practices. As the report notes, “one of the particular challenges of managing privacy in higher education is the fact that most schools operate in a decentralized information environment with norms of academic freedom that do not exist in the private sector.” Translation: the average IT staffer has no power to regulate the actions of faculty or staff, who may run their own departmental servers, buy and use servers or wireless routers on a whim, and gather and store information however they choose.

To help deal with this decentralized reality, organizations can use a scope statement in their privacy policy. Simply put, it specifies exactly “which URLs or domains are covered by the privacy notice, and what types of pages are not covered such as personal websites, surveys or blogs and chat rooms,” writes Mary Culnan, the management and information technology professor at Bentley who conducted the research in conjunction with a Bentley MBA candidate.

Of course, the university needs to enforce what its privacy policy says. Here, automated Web-site assessment tools can help, by auditing data-collection practices, security settings, and so on.

An Educational Data-Breach Epidemic

Beyond setting privacy policies, universities must also foster an organizational information-security proficiency, and culturally make security a requirement for anyone collecting and storing sensitive information. Yet “while most CIOs in higher education identify information privacy and security as a critical challenge, too often this view doesn’t permeate organizational culture and spending,” notes Traci Logan, the vice provost and vice president for information technology at Bentley, who helped design the study.

Indeed, almost every educational Web site the Bentley researchers studied had at least one data-collection form that didn’t link to a privacy notice, and at least one page for collecting data that wasn’t secure. For example, many data-collection forms relied on the GET method for collecting data, which isn’t optimal since it leaves a copy of any submitted information in the Web server log files, which typically aren’t as well-secured as more high-value assets.
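The form problems described above can be checked mechanically. The following Python sketch is an added example, not part of the original article or the study's tooling: it flags forms that collect personal data over GET, submit over plain HTTP, or sit on a page with no privacy-notice link. The field-name hints, the sample page, the example.edu URL and the reading of "wasn't secure" as non-HTTPS submission are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
# Assumed substrings that mark a field as personal data; tune for your own site.
PII_HINTS = ("name", "email", "phone", "ssn", "address", "birth")
# Constructed sample page: a search box and a sign-up form, no privacy link.
SAMPLE = ('<form action="/search"><input name="q"></form>'
          '<form action="/signup"><input name="email"><input type="submit"></form>')

class FormAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self.privacy_link = [], False
        self._form, self._in_a = None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # a missing method attribute means GET
            self._form = {"method": (a.get("method") or "get").lower(),
                          "action": a.get("action") or "", "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form and a.get("name"):
            self._form["fields"].append(a["name"].lower())
        elif tag == "a":
            self._in_a = True
            self.privacy_link |= "privacy" in (a.get("href") or "").lower()

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        self._in_a = self._in_a and tag != "a"

    def handle_data(self, data):
        if self._in_a and "privacy" in data.lower():
            self.privacy_link = True

def audit(page_url, html):
    """Return (form target URL, issue) pairs for forms that collect personal data."""
    page = FormAudit()
    page.feed(html)
    findings = []
    for f in page.forms:
        if not any(hint in name for name in f["fields"] for hint in PII_HINTS):
            continue  # e.g. a site-search box, where GET is fine
        target = urljoin(page_url, f["action"])
        issues = [("GET: values land in URLs and server logs", f["method"] == "get"),
                  ("submitted over plain HTTP", urlparse(target).scheme != "https"),
                  ("page has no privacy-notice link", not page.privacy_link)]
        findings += [(target, msg) for msg, bad in issues if bad]
    return findings
```

Calling `audit("http://www.example.edu/apply", SAMPLE)` reports all three issues for the sign-up form and nothing for the search box.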

Beyond collecting data, many colleges have problems storing it securely. For example, since California passed SB 1386, numerous data breaches involving educational institutions have been reported. Just last month, Ohio University reported an alumni database hack could have compromised information on 300,000 people, including 137,800 Social Security numbers. In April, the University of Texas McCombs School of Business in Austin reported a data breach that may have affected 200,000 people. Those follow other collegiate data breaches reported this year and last, many of which individually affected the personal information of more than 100,000 people.

In short, “higher education is not immune from concerns about online privacy,” says Bentley’s Culnan. Poor privacy practices also have institutional repercussions. For starters, “privacy breaches potentially undermine consumer trust and confidence, and make people less willing to disclose personal information online.” Also, don’t discount fallout from alumni donors.

Improving Privacy Practices

How can colleges do better? Culnan recommends studying the California Online Privacy Protection Act of 2003. “The California law requires any entity that collects personally identifiable information from California residents through an Internet Web site for commercial purposes to conspicuously post a privacy notice on its Web site, and to comply with its privacy policy as described in the privacy notice.” Conspicuously, by the way, means linking to a privacy notice from the home page, as well as any other page that solicits personal information.

The law details what the privacy notice should disclose, which includes the categories of information being collected, the third parties who will have access to it, and how individuals can access or change information they’ve submitted.

Again, writing a privacy policy doesn’t magically secure sensitive information, but such a policy tells users and staff how their organization addresses information privacy. Thus it helps organizations—and especially IT departments—assess, then implement and promote the cultural changes and technological safeguards they’ll need to realize the policy, and thus ultimately better secure the private information they collect and store.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.