Another reminder that student privacy matters: Student doxing through FERPA loopholes

Today Inside Higher Ed wrote an excellent article about the relationship of the Family Educational Rights and Privacy Act (FERPA) and the recent doxing of Harvard students. In short, it was easy to dox the students based on information the college published — legally — about them. FERPA was supposed to be the US federal law that protects students’ privacy. But there is a serious exception in the law that allows for unconsented publication of some student information, unless a student or their parent pro-actively opts out of that publication. How many students and parents know about this? Very, very few.

In  2020, World Privacy Forum published the results of a 4-year study of more than 5,000 educational institutions from K-University regarding how the institutions implemented FERPA, which as stated earlier is the federal student privacy law in the US. 

The results of our FERPA research were stark  — so much so that we ran the research a second time to ensure our results were accurate. The research unambiguously found that the exemption built into FERPA for the publication of student directory information substantially undermined the regulation. The information designated as directory information by many schools can, in our modern world, be invasive of privacy and cause harm. Exact date of birth, home address, gender, and photographs of students released as public information without parental or student consent is no longer acceptable and poses demonstrable risk to students. You can see our research, findings, and recommendations here: 

Meanwhile, the “Failure of FERPA” article from Inside Higher Ed is excellent, and makes a case for doing more to close the directory information loophole. The author summed up the problem well: 

“While colleges are required to give students the right to opt out of disclosure of this directory information, a 2020 investigation by the World Privacy Forum found that FERPA notification and opt-out procedures vary from institution to institution, and that many make it unduly confusing or burdensome for students to exercise this fundamental right to privacy.” 

There is much that can and must be done to improve student privacy outcomes. Some solutions are simple, such as updated guidance requiring schools to post annual FERPA notices, and ideally, opt out forms, on school websites. As of 2020, only 39 percent of studied primary and secondary schools made FERPA opt-out forms online and available to the public. This level of compliance is unacceptably low. It would be possible to improve baseline FERPA opt-out-related practices with training, awareness, and institutional will. 

Other solutions require legislative and regulatory attention, such as ensuring students’ directory information does not get passed to data brokers. Ensuring students’ photographs or digital images are not available on school websites to be scraped for use in test and training databases for biometric or other systems also requires attention. And ensuring that all students, from all walks of life, including those who are homeless or living in poverty, have the ability to learn about their privacy rights and take advantage of those rights is of utmost importance.

The days of schools designating and releasing broad swaths of directory information publicly as a “deault setting” of FERPA privacy rights needs to be behind us. Advances in modern privacy thought and laws demonstrate that directory information is no longer just a dusty right consigned to dense legal notices few understand the full significance of. There is an urgent need to ensure that FERPA notices and opt outs are online, available all year, and can utilized without resorting to paper handouts or in-person office visits.

You can find the Inside Higher Ed article here:

You can find our FERPA research, Without Consent: An analysis of student information practices in US schools, and impacts on privacy here: