Every day, colleges in the U.S. give away or sell all manner of personal information on students under the guise of student “directory information.” The first job of students and parents when arriving on campus should be to opt out of the sharing and protect their data.

I arrived on campus to start my Freshman year at Vassar College 29 years ago this month. My brother and sister dropped me off on campus and helped me carry up an ungodly amount of stuff to my room including, if I remember, three or four weighty cardboard boxes of treasured vinyl albums. God forbid I should have to listen to cassettes for 10 months.

I don’t remember much about my first day on campus. But I believe one of my first responsibilities was to go to the Main building at Vassar where most of the college’s administrative offices are and obtain my student photo ID that would serve as my library and meal card, etc. etc. This was 1988 and the Internet, such as it was, hadn’t reached Vassar students yet. Data privacy wasn’t a top concern. My student ID was, conveniently, my Social Security Number, and it was printed on the front of my ID card for everyone to see.

We live in a very different world today. Identity data like Social Security Numbers are widely recognized as valuable both to individuals and companies, and also to cyber-criminal groups interested in identity theft and other schemes. No more SSN doing double duty as student ID, employee ID, driver’s license number, and so on.

Moreover, private and public-sector organizations these days – from retailers to doctor’s offices and banks – are at least cognizant that they are stewards of a wide range of personal data on their customers. In some cases, as with healthcare and financial organizations, specific laws exist (like HIPAA) that govern and protect that data from casual disclosure or resale.

But you will be surprised to learn that, in the case of student data, that is mostly not the case, and that much of the data on you (or, if you’re a parent) you son and daughter that is collected by schools – the so-called student “directory data” -- is free for the taking by, essentially, anyone who asks.

I learned this after speaking, in a recent podcast, with Leah Figueroa, a data analyst at a community college in Texas who has researched the issue. Figueroa was witness to and concerned by the many, wide-ranging requests for student data that her school was receiving. While many of these were for seemingly legitimate causes (such as research by other institutions), others were clearly commercial, and several lacked any context for or explanation of the purpose of the request whatsoever. In every case, however, her school turned over the goods: thousands, tens of thousands – even hundreds of thousands of records containing “directory data” on current and former students, no questions asked.

What kind of information are we talking about here? It really varies from school to school, but you can generally figure it out by Googling “FERPA” and limiting the search to the college you’re interested in. So, for me, that search was FERPA site:vassar.edu.
The term “FERPA” stands for the Family Educational Rights and Privacy Act of 1974, a federal law that ostensibly protects student data like grades, but that exempts so-called “directory information” that may have seemed extraneous in 1974, but is now a gold mine for everyone from credit card companies to sub-prime lenders.

What’s in that “directory data”? It is what, in most every other context, would be considered “personally identifiable information” or PII. For Vassar, it includes the student’s name, their student ID number, their address, telephone listing, electronic mail address, photograph, date and place of birth, their major, dates of attendance, class level, enrollment status, participation in officially recognized activities or sports, weight and height of members of athletic teams, degree received and honors awarded, and the most recent educational institution attended.

That’s pretty standard. MIT’s directory information includes an almost identical list of data. Both schools noted that they don’t need a student’s consent to release the information and provide instructions on suppressing the sharing of student directory information. MIT provides a link to the site to do it, Vassar just provides text instructions of how to adjust the sharing of directory information on the Student Directory page of the colleges website, leaving the student to figure out which page to navigate to on their own.

Very few students do so. “In any given data request, let’s say someone is asking for 40,000 records, we might have had 400 students opting out,” Figueroa told me in our conversation.

But Figueroa says there is little consistency between colleges about informing students about the sharing of directory information. Some put a disclaimer in their course catalog, others on their web site, some on both, and so on. That makes it impossible to say – for a given school – where the information on the college’s policy on sharing directory information can be found or what information is shared. Some colleges also warn students about protecting their data, linking its availability to other, on-campus services. 

Beyond that, and as freshmen flood campuses for Freshmen orientation, few colleges actually promote the idea that students should protect this data, even though colleges and universities typically don’t profit from sharing it. Rather, they leave it to students to be aware of the omnibus sharing of personally identifiable information and to figure out on their own how to protect it. That should change – at the level of practice and, even more important, at the federal level, where FERPA is in sore need of an update.

In the meantime, if you’re reading this and you’re a parent or a student: do some research on your school’s FERPA policy using the guidelines above and take a moment to tell your school that you would like to have your student data protected.

Paul Roberts is the Editor in Chief of The Security Ledger and the Founder of The Security of Things Forum.