2. Who Am I?
● Data Analyst involved in higher education for over 13
years with an interest in data privacy and security
● Twitter - @Sweet_Grrl
● Email - leahfigueroa22@gmail.com or
sweetgrrl1222@protonmail.com
3. Have You Ever Thought About Your Education Records?
● There are education records?
● What are education records?
○ Basically any records that are
■ Related to a student and
■ Maintained by an educational agency or institution or parties
acting for them
4. Have You Ever Thought About Your Education Records?
● What does that all mean?
○ Means ANYTHING the educational institution has collected on you for
the ENTIRETY of your stay at said institution.
5. What is FERPA?
● The law applies to ALL schools (in our
case, higher education institutions) that
receive funds under an applicable program
of the U.S. Department of Education.
6. But Aren’t Those Education Records Safe?
● There’s a federal law that protects it, right?
● That FERPA thing protects everything, right?
● Not just anyone can see my student data, right?
● They don’t just hand over stuff for the asking, right?
WRONG!
7. So what does FERPA do?
● FERPA protects EVERYTHING but directory information.
8. What the Hell is Directory Info?
● Education records that have been appropriately
designated as "directory information" by the educational
agency or institution may be disclosed without prior
consent. See 34 CFR §§ 99.31(a)(11) and 99.37.
9. What the Hell is Directory Info?
● FERPA defines directory information as information
contained in an education record of a student that would
not generally be considered harmful or an invasion of
privacy if disclosed. 34 CFR § 99.3.
● This includes Personally Identifiable Information (PII)
such as
○ Student's name
○ Address
○ Telephone number
○ Date and place of birth
○ Honors and awards
○ Dates of attendance
○ Etc.
10. How do I get Directory Info?
● Directory information is a student’s information that
may be released without the consent of the student,
unless the student has requested a privacy hold
● So this means you just go ASK FOR IT.
11. Proof of Concept
● Contacted 10 colleges and universities
● 3 said “Fill out a FOIA (Freedom of Information Act)
request”
● 2 said “Go help yourself to our directory”
● 1 said “Give us $50 and we will give you whatever you
want”
● 5 schools did not respond
● 50% return on a few minutes of time
12. Directory Example
Kansas State Demo - http://search.k-state.edu/
BEGIN:VCARD
VERSION:2.1
TZ:-06:00
REV:2017-03-12T00:15:57-0600
N:REDACTED;
FN:REDACTED
EMAIL;INTERNET:REDACTED@k-state.edu
TITLE:Senior-Bakery Science And Mgmt-B,Minor - Business
TEL;VOICE;HOME;PREF:(913) XXX-XXXX
ADR;HOME:;REDACTED;Manhattan;KS;66506;USA
LABEL;HOME;ENCODING=QUOTED-PRINTABLE:REDACTED=0D=0AManhattan, KS 66506=0D=0AUSA
ADR;HOME:;REDACTED;Overland Park;KS;66210-1304;USA
LABEL;HOME;ENCODING=QUOTED-PRINTABLE:REDACTED=0D=0AOverland Park,KS 66210-1304=0D=0AUSA
NOTE;ENCODING=QUOTED-PRINTABLE:This information was retrieved from=0D=0A=
the Kansas State University People Directory on March 12, 2017.=0D=0A=
Refer to http://search.k-state.edu/ for current information.
END:VCARD
13. Directory Example
UT Austin - https://directory.utexas.edu/
BEGIN:vCard
VERSION:2.1
N:REDACTED;;
FN:REDACTED
TITLE:REDACTED
ORG:The University of Texas at Austin;Department of Geological Sciences, Jackson School of Geosciences
ADR;TYPE=WORK;ENCODING=QUOTED-PRINTABLE:;JSG ;The University of Texas at Austin =0D=0ADepartment of Geological Sciences, Jackson School of Geosciences =0D=0A1 University Station C1100 =0D=0AAustin, TX 78712
ADR;TYPE=HOME;ENCODING=QUOTED-PRINTABLE:;;REDACTED =0D=0AAUSTIN, TX 78705-4014
TEL;VOICE;HOME:REDACTED
TEL;VOICE;WORK:
TEL;FAX;WORK:
EMAIL;TYPE=INTERNET:REDACTED@utexas.edu
LABEL;TYPE=DOM,WORK,POSTAL;ENCODING=QUOTED-PRINTABLE:The University of Texas at Austin =0D=0ADepartment of Geological Sciences, Jackson School of Geosciences =0D=0A1 University Station C1100 =0D=0AAustin, TX 78712
LABEL;TYPE=DOM,HOME,POSTAL;ENCODING=QUOTED-PRINTABLE:REDACTED =0D=0AAUSTIN, TX 78705-4014
PRODID:UTdirectory
END:vCard
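As an added example (not part of the original slides), a small Python parser for the vCard 2.1 exports shown in the two directory examples above: it handles folded continuation lines and quoted-printable soft line breaks (the trailing "=" seen in the K-State NOTE field), decodes QUOTED-PRINTABLE values, and groups the non-empty properties under the directory-information categories listed on slide 9, which is a quick way for a privacy office to audit what a directory export actually hands out. The sample card and every value in it are constructed placeholders.

```python
import quopri

# Constructed sample in the shape of the K-State / UT Austin exports above;
# every value here is a placeholder, not real student data.
SAMPLE_VCARD = "\r\n".join([
    "BEGIN:VCARD",
    "VERSION:2.1",
    "N:Doe;Jane",
    "FN:Jane Doe",
    "EMAIL;INTERNET:jdoe@example.edu",
    "TITLE:Senior-Bakery Science And Mgmt-B,Minor - Business",
    "TEL;VOICE;HOME;PREF:(555) 010-0000",
    "TEL;VOICE;WORK:",                       # empty property, as in the UT export
    "ADR;HOME:;123 Example Hall;Manhattan;KS;66506;USA",
    "LABEL;HOME;ENCODING=QUOTED-PRINTABLE:123 Example Hall=0D=0AManhattan, KS 66506=0D=0AUSA",
    "NOTE;ENCODING=QUOTED-PRINTABLE:This information was retrieved from=0D=0A=",
    "the People Directory on March 12, 2017.",   # quoted-printable soft line break continuation
    "END:VCARD",
])

# vCard property -> directory-information category from slide 9
PII_CATEGORIES = {
    "N": "name", "FN": "name", "EMAIL": "email", "TEL": "telephone",
    "ADR": "address", "LABEL": "address", "TITLE": "title / field of study",
    "ORG": "organization",
}

def unfold(text):
    """Join physical lines into logical vCard lines: a line starting with
    whitespace continues the previous one (folding), and a line ending in
    '=' is a quoted-printable soft break whose '=' is dropped."""
    logical = []
    for raw in text.splitlines():
        if not raw:
            continue
        if logical and raw[0] in " \t":
            logical[-1] += raw[1:]
        elif logical and logical[-1].endswith("="):
            logical[-1] = logical[-1][:-1] + raw
        else:
            logical.append(raw)
    return logical

def parse_property(line):
    """Split 'NAME;PARAM;PARAM:value' and decode QUOTED-PRINTABLE values."""
    head, _, value = line.partition(":")
    name, *params = head.upper().split(";")
    if any(p.endswith("QUOTED-PRINTABLE") for p in params):
        value = quopri.decodestring(value.encode()).decode("utf-8", "replace")
    return name, params, value

def exposed_fields(vcard_text):
    """Return {category: [values]} for every non-empty PII-bearing property."""
    found = {}
    for line in unfold(vcard_text):
        name, _, value = parse_property(line)
        category = PII_CATEGORIES.get(name)
        if category is None or not value.strip():
            continue
        found.setdefault(category, []).append(" ".join(value.split()))
    return found
```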
14. What does a Freedom of Information Act (FOIA) Request look like and what does it get you?
A FOIA is simply a written request that describes the
records you seek.
I am seeking to contact your students who might be interested in programs and
degrees at SCHOOL. In order for us to reach them, I kindly request your
student directory information that is available under the Texas Public
Information Act.
15. What Does the FOIA Get You?
● Anything listed as directory information
● In the previous example, this information was provided:
○ Name
○ Address
○ Telephone number
○ Place of birth
○ Major field of study
○ Dates of attendance
○ Most recent previous educational institution(s) attended
○ Classification
○ Degrees and awards received.
16. What $50 can get you
● As per the previous examples, I sent out my standard email:
○ I am writing to request a listing of student directory information.
What steps do I need to take in order to obtain this information?
Additionally, is there a cost involved? Thank you for your help.
● School responded and stated that there was a $50 programming fee and to
contact the office again if I were interested.
● I requested all data that could be classified as student directory
information
17. What $50 can get you
● Contact stated that they could provide all data I requested, with the
exception of email
● Sent off $50
● Within 10 business days, data was ready
● I provided a secure link to upload data
18. What $50 can get you
On March 10, 2017, student data was uploaded to my account
● 22,006 student records containing all the information I
had requested, including international student
information
● And this is COMPLETELY LEGAL
19. What’s the big deal?
● Colleges and universities automatically opt in students
● Opt-out paperwork is often hard to find and can require
multiple steps
● This data is not very well protected
● Anyone can use it for a variety of purposes
20. Using Higher Education OSINT
● Can use it to construct a false identity
● Can use it to get further credentials
● Can use it to mess with international students
● Can use it for...
21. Scary Stuff ...But Wait, There’s More!
● Not only can your directory information (aka education
records) be provided, treatment (medical and mental
care) records can become education records.
22. HIPAA and Student Medical Records
The Standards for Privacy of Individually Identifiable
Health Information, known as the HIPAA Privacy Rule,
establishes the standards to protect patients' personal
health information (PHI).
Student medical records (treatment records) are usually
protected by HIPAA.
23. FERPA Loopholes
Due to wording of FERPA, records that SHOULD be protected
by HIPAA can lose HIPAA protection and become records
protected ONLY by FERPA
24. When “Treatment” Records Become “Education” Records
At postsecondary institutions, medical and psychological
treatment records of eligible students are excluded from
the definition of “education records” if they are made,
maintained, and used only in connection with treatment of
the student and disclosed only to individuals providing the
treatment. See 34 CFR § 99.3 “Education records.” These
records are commonly called “treatment records.”
25. When “Treatment” Records Become “Education” Records
An eligible student’s treatment records may be disclosed
for purposes other than the student’s treatment, provided
the records are disclosed under one of the exceptions to
written consent under 34 CFR § 99.31(a) or with the
student’s written consent under 34 CFR § 99.30.
26. When “Treatment” Records Become “Education” Records
If a school discloses an eligible student’s treatment
records for purposes other than treatment, the records are
no longer excluded from the definition of “education
records” and are subject to all other FERPA
requirements.
27. What the DOE Says about it!
"Under Ferpa, if the institution discloses treatment
records to anyone other than the treatment provider or
another professional of the student’s choice, the records
become education records, and all of the Ferpa provisions,"
including the disclosure exemptions, "then apply to those
records," the statement says. "Thus, Ferpa would permit the
treatment records to be disclosed in litigation between the
student and the institution if the records are relevant for
the institution to defend itself."
The Education Department’s email to The Chronicle (of Higher Education) in response to a request for
clarification. http://www.chronicle.com/article/Just-How-Private-Are-College/228229/
28. DOE and Lack of action
Despite a “call to action” by DOE in August 2015 requesting
feedback by October 2, 2015, NOTHING has been changed.
https://www.ed.gov/news/press-releases/department-education-seeks-public-input-guidance-protecting-privacy-student-medical-records
30. FERPA and the Rape of Jane Doe
● March 2014
○ Jane Doe is allegedly gang raped by three members of the
university’s basketball team over a 12 hour period in multiple
locations
○ Jane Doe reports sexual assault to both local police and campus
authorities
● March 2014
○ After reports of rape, university does not begin investigation and
approves the three students named to play in NCAA tournaments
31. FERPA and the Rape of Jane Doe
● April 2014
○ University formally begins investigation without disclosure
● May 2014
○ Local district attorney did not move forward due to low possibility
of a guilty verdict/insufficient evidence
● May 2014
○ The three students named are suspended indefinitely from the
basketball team
32. FERPA and the Rape of Jane Doe
● May 2014
○ Following suspension, the university found the three students guilty
of sexual misconduct and banned them from campus for up to 10 years
● December 2014
○ University administrators required university counseling center to
hand over medical records in preparation of lawsuit
● January 2015
○ Jane Doe files lawsuit against university
33. FERPA and the Rape of Jane Doe
● January 2015
○ University defends using medical records and cites legality of use
under FERPA
● January - August 2015
○ Case is moved to court
● August 2015
○ University reaches settlement - $800,000 and four years of paid
tuition and housing along with a change in policy for admitting
students with a history of sexual assault/misconduct
34. FERPA and the Rape of Jane Doe
● But why does this all matter?
35. FERPA and the Rape of Jane Doe
● The university accessed her medical records, including
her mental health records
● The university pulled the records in anticipation of the
lawsuit, without consent
● The university converted them to “education” records,
making their use COMPLETELY LEGAL UNDER FERPA
● The records were then used against Jane Doe in court
36. So What Does That Mean For Me?
● Your confidential medical records could become records
anyone can look at
● Your confidential medical records could be used against
you
● Your confidential medical records could potentially be
used negatively in the future
37. What Can I Do About It?
● Opt out of data sharing at ANY institution of higher
education you ever attended
● Tell everyone you know to do the same thing
● Contact your state’s higher education group
○ https://www2.ed.gov/about/contacts/state/index.html?src=ov
● Contact your congress critters
40. Appendix - FERPA, Jane Doe, and Other Articles of Interest
http://www.documentcloud.org/documents/1677748-jane-doe-v-university-of-oregon-dana-dean-altman.html
https://www.plainsite.org/dockets/2jilqax1z/oregon-district-court/doe-v-university-of-oregon-et-al/
https://www.scribd.com/document/273536278/Jane-Doe-v-University-of-Oregon-Settlement-Agreement
https://katieroseguestpryal.com/wp-content/uploads/2017/01/Pryal_When_Ferpa_Doesnt_Protect_Students.pdf
http://www.chronicle.com/article/Education-Dept-Seeks-to/232463/
http://chronicle.texterity.com/chronicle/20150313a?pg=18#pg18
https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html