LIBRARIES AND SCHOOLS

Beware Public Net Terminals

The Annoyance:

I use the computers at my local library to access my email and do a little word processing. Can the people who use the machine after me see what I've done?

The Fix:

They might be able to do that and a lot more. The security of such public Internet terminals varies wildly from library to library. Some lock down everything on the system, leaving you nothing but access to a browser and a few basic commands. Other libraries think they've protected their systems from snoops when they really haven't.

As an experiment, I visited the public library down the street from my office. In less than 15 minutes, on a system the library thought was secure, I found Word documents containing résumés with complete street address information (including phone numbers and addresses of their references), letters someone had written to their insurance company (complete with their Social Security Number), and an account of someone's first pregnancy. I was able to view the browser history, which produced not only a record of recent site visits (including some truly nasty ones) but also AOL chat handles and Yahoo email addresses. I could also look at the cookies folder to see what sites the people before me had visited, and so on. Had I been a stalker, an identity thief, or just your average psychopath, this data would have been a goldmine. Meanwhile, the librarian in charge of the terminals had no clue you could save files to the hard drive; he believed the system was completely wiped of data every time someone new logged on.

The lesson: be particularly careful when using a public Internet terminal, especially if the terminal prevents you from deleting files, clearing the browser's cache and history, and so on. Be careful where you surf, and never save anything to the hard drive on a public terminal. If you use one to edit your résumé or write letters, you can usually save your files to a floppy. Delete temp files, cookies, and your browser history, if you can. (For instructions on how, see Chapter 2.) Don't take the librarian's word that your privacy is protected it may not be.

An easy way for a snoop to steal your passwords or other personal information at a public Net terminal is to sneak a peek at what's on your screen a practice known as "shoulder surfing." Some libraries put terminals in carrels or recessed cabinets that are hard to spy on. If you're planning to view sensitive information on a public terminal, pick one that's in a corner or another less open area. If possible, push the monitor back into the wall or at an angle that makes it hard for anyone else to get a good look. And always be aware of those who might be loitering nearby with nothing better to do than stick their nose in your business.

Your Reading Habits Are Private ...

The Annoyance:

I like to check out books on radical topics, but I'm worried this could affect my reputation if word got out. Can anyone just walk in and demand to see my library records?

The Fix:

In most cases, no. At last count 48 states have laws on the books protecting library confidentiality, but the particulars vary. To find out the rules in your neck of the woods, visit the American Library Association's home page (http://www.ala.org) and type "state privacy laws" into the site's search engine. A page listing relevant codes in each state should be the first page on the list.

...Except When the Feds Step In

The Annoyance:

Wait can't the FBI find out what books I've checked out?

The Fix:

It certainly can try. All library records are subject to court order, which must be approved by a judge and can be challenged by the subject of the investigation (i.e., you). The 2001 USA Patriot Act makes this much more invasive by allowing the FBI to request "business records" from libraries and bookstores for anyone they deem "relevant" to an investigation. The requirements for judicial approval are much lower, and libraries are also prohibited from notifying the subject of the investigation, so you'd have no chance to challenge such an order. Records could include the titles of books and other media you checked out or purchased, as well as any data relating to your use of public computers and even the questions you ask reference librarians, assuming the library maintains that information.

The American Library Association and the American Booksellers Association strongly objected to these provisions of the Act, and many libraries made it a policy not to retain this information so that such requests can't be fulfilled. Your first step toward protecting your privacy is to find out what kind of records your library keeps and how long it keeps them. Some key questions to ask:

• Does the library have a written policy about patron confidentiality? If so, ask for a copy.

• Does the library keep a record of all the material you've ever checked out, all activity for a certain period, or just the items you have out right now?

• Does the library keep patron information in offsite backups or data archives? Even if they delete your information when you return a book, this data could be backed up somewhere and available to the Feds.

• Are individual books linked to records of everyone who's ever taken them home, squirreled away in some computer database? That's important for rare books, in case librarians discover that parts are missing and need to hunt them down, but otherwise there's no practical use for this information.

• What kind of identification does your library require for access to Internet terminals? How long does it save sign-up sheets? The ALA advises libraries to delete and/or shred this information when it's no longer needed.

• How much information does the library keep about your Internet activity? Is computer use or browsing history linked to personally identifiable information? Who manages this information? Many libraries use outside companies to provide Internet access; such firms could be approached directly for information without the library (or its patrons) ever knowing.

The ALA offers guidelines for implementing library privacy policies and procedures at http://www.ala.org/ala/oif/iftoolkits/toolkitsprivacy/Default4517.htm. If your library is clueless when it comes to privacy, print out a copy and give it to them.

Hate the thought of the FBI peeking over your shoulder as you read? You could curse and gnash your teeth, or you could ask Congress to do something about it using the petition from the Campaign for Reader Privacy (http://www.readerprivacy.org), shown in Figure 5-2.

annoyances 5-2. The Campaign for Reader Privacy petition.

So What's Your Major?

The Annoyance:

I'm planning to major in Islamic studies when I go to college. Am I going to end up on somebody's watch list? Exactly how private are my college records?

The Fix:

It depends on which records and who's asking. The Family Educational Rights and Privacy Act (FERPA) of 1974 prevents any schools that receive Federal funds from releasing "non-directory" information such as your transcripts or financial aid records without your consent. (Unless, once again, the school is presented with a court order; more on that in a moment.)

But colleges can publish student directories, which may contain all kinds of information about you, including addresses, phone numbers, photographs, your major, and your date of birth (see Table 5-1). A recent survey by the American Association of Collegiate Registrars and Admissions Officers (http://www.aacrao.org) found that about half of all directories contained information such as student names, campus and home contact information, and email addresses. A third of universities shared directory information with other parties, from individuals simply checking on your student status to banks looking to sign you up for a credit card. FERPA allows students to request their information be removed from such directories, though the procedure varies by school. Contact your school's office of public records or registrar for the nitty gritty.

Be aware that opting out could have some unintended negative consequences, says Barmack Nissarian, an associate executive director at AACRAO. For example, employers trying to verify your degree may get an unhelpful response from the university, because you haven't given permission. Or you may not be able to collect your diploma along with your classmates at commencement, because printing your name and major in the graduation booklet could reveal information you've deemed private.

Here's the scary part. According to the same survey, nearly 70 percent of the schools surveyed reported they'd received subpoenas or court orders requesting non-directory information about students, and nearly all complied with these requests. Another 31 percent received improper requests unaccompanied by a subpoena or court order and about 20 percent of those schools went ahead and handed over the information anyway.

If that makes you mad enough to feel like suing the Feds, I've got some bad news. Though FERPA forbids such disclosures, it does not allow for private rights of action. In fact, there's little recourse for punishment save withholding Federal funds from the school. That would be a death sentence for most universities, so no government agency is ever likely to pursue it.

Apply With Care

The Annoyance:

I used an online service to send my college application to a bunch of schools. Is my data safe?

The Fix:

Not necessarily. Here's a nasty little catch I bet you didn't know about: FERPA only applies to enrolled students. So if you've applied for college but didn't get accepted, the information on your application is completely unprotected. In fact, some states require publicly funded institutions to share such information.

For example, the Texas Public Information Act requires state agencies to provide certain information to any member of the public who asks for it. So a bank could request a list of anyone who applied to the University of Texas and get a nice little cache of potential credit card customers. UT is required by law to share only the name and address of each prospective or enrolled student, says Shelby Stanfield, director of student information systems for the Austin campus. But he adds the university doesn't ask who is asking or what they want the data for.

You certainly leave yourself open if you use an online service to apply to multiple schools. Most online services offer no privacy protections at all indeed, most of their revenue derives from selling your information to marketers. There are a few exceptions, however. One of the largest processing services, CollegeNet, claims to be "one of the rare commercially sponsored college-oriented Websites that DOES NOT collect student data for sale or brokering to third parties," according to a notice posted on its web site. Another popular third-party service, Princeton Review, allows students to opt out of its marketing efforts.

Unfortunately, most applicants will reveal anything if they think it will help them get accepted, says AACRO's Nassirian. "They spill their guts to colleges and universities they give away tons of financial information, that their grandfather died last year, that they're depressed, all kinds of personal problems," he says. "Even my doctor doesn't have access to the kind of information people routinely fess up to on college applications."

The lesson: before you include that tear-stained confessional essay in your college packet, think twice about who might be reading it. Stanfield advises students to avoid putting their Social Security numbers on applications, since it's not legally required. (Students attempting to qualify for financial aid, scholarships, or campus jobs, however, will likely have to give up their SSN at some point). If you use an online service to process your application, read the site's privacy policy carefully; don't use any service that shares your personal information with third parties. Most important, says Stanfield, don't share your log-on or password information with friends, roommates, or other significant others the information they find may prove too juicy to resist.

According to an April 2002 survey by AACRAO, half of all universities use a student's Social Security Number as the primary student identification number. As schools become savvier about identity theft, they're becoming more flexible about letting you request a different student ID. Procedures vary by school, so check with the campus registrar about what you have to do. While you're there, ask whether you can have your SSN removed from or partially obscured on copies of your transcript. Four out of five schools still put students' SSNs on their transcripts.

High School Confidential

The Annoyance:

I had a checkered past in school some truancy issues, and more than a few run-ins with my high school detention officer. Does this record really stay with me for life, as my teachers were so fond of saying?

The Fix:

Your school disciplinary records are considered part of the information protected by FERPA, which applies to students of any age. So the fact you got caught smoking in the boy's room a few times probably won't come back to haunt you. But there are a few exceptions. Records kept by campus police aren't covered by FERPA (though this is more likely to affect college students). If you've been disciplined for a violent crime or sex-related offense, that information can be made public in some circumstances. And when students transfer to a new school, their disciplinary records must transfer along with them.

Other bits of controversial legislation have punched holes in FERPA. A little-known provision of the No Child Left Behind Act compels schools to turn over student contact information to military recruiters, unless parents or students explicitly tell them not to. (So if you don't want the ROTC to come knocking on your door, be sure to ask your school administrator for the form that lets you opt out.) Under the Patriot Act, schools must share information about immigrant students such as disciplinary problems or changes in their field of study with the U.S. Citizenship and Immigration Services (formerly called the Immigration and Naturalization Service). Forget about opting out of that one.

And if you apply for Federal aid, you might as well just open your door and invite the G-men in for tea. Among other things, your name will be run through Department of Justice records to determine if you've been convicted of a drug-related offense (if so, kiss that scholarship goodbye). If you're a male, you'll be checked against Selective Service records to make sure you've registered for the draft. Fallen behind on student loans? Your data could be shared with a private collection agency.

If you believe a school has violated your or your child's FERPA rights, you can file a complaint with the Department of Education's Family Policy Compliance Office (http://www.ed.gov/policy/gen/guid/fpco/ferpa/students.html). You'll need to send a letter to the following address:

Family Policy Compliance Office

U.S. Department of Education

400 Maryland Ave., SW

Washington, DC 20202-5901

Be sure to include all pertinent details, and don't expect a prompt response. You can also call the DOE at (202) 260-3887. For more information on FERPA and other student privacy issues, see http://www.epic.org/privacy/student.

So you've been nominated to appear in a national directory of exceptional high school students, despite the fact that you've been pulling straight C's for three years? Don't get all puffed up it's really just a ploy to make you fill out a marketing survey. The No Child Left Behind Act lets parents and students opt out of school surveys that are really just marketing tools, but it makes exceptions for fundraisers, magazine and book clubs, and "student recognition" programs like those bogus national directories. Do yourself a favor: when you see a survey that asks questions about your habits, attitudes, religious or political affiliations, or other non-educational topics, put down your number two pencil, close the survey booklet, and read a book instead.