A new national survey of top-ranked universities and colleges shows these schools' online privacy policies aren't...
nearly as stellar as their scholastics. Many fail to properly secure sensitive data and to adequately explain just what happens to information provided during online transactions.
"Privacy is a lot more than just data breaches," explained Mary J. Culnan, a management and IT professor at Bentley College in Waltham, Mass., who lead the study done with MBA candidate Thomas J. Carlin. "Another element is letting people know how their information is being used."
The survey involved examinations of some 175,000 Web pages from schools listed in the 2004 issue of U.S. News and World Report listing America's best colleges. Automated probes of Web pages by technology partner Watchfire Corp., which specializes in online risk management software, crawled pages originating from each school's home page and undergraduate admissions, human resource and athletics sections.
That content analysis and a subsequent manual examination of flagged pages revealed that almost every school lacked adequate privacy notice links, used faulty collection practices and had at least one page with an unsecured data collection form.
"Web site privacy and security has started to come on the radar in a big way only in the last 12 to 18 months," said David Grant, director of product management for Waltham, Mass.-based Watchfire. He added that college campuses have unique, open and decentralized computing environments and transitory users that make policy awareness and enforcement a thorny problem.
"Generally speaking," Grant said, "they are large environments with hundreds of millions of Web pages to manage and students and professors who have full permissions and autonomy to publish on a site what they want. That can be tough to manage and control."
During the past year, many major universities nationwide have reported major data breaches. The latest is this week's admission by the University of Texas' business school that 200,000 records were illegally accessed. The same school was forced to come clean on a similar network compromise in 2003, in which a former student eventually admitted accessing some 40,000 Social Security numbers.
Culnan said almost all of the 236 institutions in her study in at least one instance failed to follow best practices: to link to a privacy notice from a Web page gathering data. The schools also at least once used a particular method to submit data to a server that left the sensitive information vulnerable to thieves able to tap into Web server log files.
Drilling down manually, the authors discovered only 65 privacy notices linked from a school's home page. Of those notices:
Within that subset, 51 schools the following offered these disclosures:
Culnan conducted a similar manual study for the Federal Trade Commission in 1999, to check dot-com sites' information security practices regarding posting privacy notices. She, too, wasn't surprised by higher education's lax practices.
"The FTC set up guidelines for the private sector and put everyone on notice. In the dot-edu world, there's been no such pressure to do anything," Culnan said. "Schools are well-intentioned, but given no one said 'you need to do this,' it hadn't happened.
"It's not that they are trying to hide anything; they just aren't aware they needed a privacy notice," the professor said. "Basically, colleges and universities still enjoy a high level of trust among the public."
But that may change soon, just as universities are expanding online services for everything from tuition payments, alumni contributions and faculty searches to posting courses and grades online and selling athletics tickets and school paraphernalia.
In the meantime, consumers are becoming more leery of providing necessary financial information due to the litany of network and server compromises during the past year.
Grant advises companies, whether working in education or elsewhere, to get a good inventory of everywhere they collect personally identifiable information online. Make sure each page links to a solid, understandable privacy notice that clearly explains why you need certain information and what you do with it.
Culnan advocates doing three things: say what you do in a privacy notice (full disclosure); do what you say (govern processes to ensure you follow the policy); and then prove it (so if there's a breach, you can demonstrate you had processes in place to prevent it).
"We are now in the Information Age," she said. "Personal information is a resource and companies should treat personal information as they treat money."