Continuing my reminiscing and updating, this piece originally appeared 17 October 2007 in The Cord Weekly. Please click the article title to see the original PDF.
Student Privacy at Laurier
17 October 2007
Special Projects Editor
Luckily for the majority of Laurier students, issues relating to privacy and personal information are of little concern. Having never lived in a repressive police state or been victim to identity theft, most students walk around campus unaware that their personal information is being collected and stored.
While this information is not being used for malicious reasons, it may come as a surprise that the lives of students may not be as private as they believe they are. Although many students are not overly concerned with their privacy, many members of the Laurier community are. Currently, Dr. Martin Dowding, an assistant professor in the communication studies department,
is looking into privacy issues relating to students.
“[At Laurier] people don’t seem all that excited about [privacy] or interested in it,” Dowding says, talking about students in particular. “There’s a kind of carelessness that we’ve had on campus. There’s been a kind of trust. We’ve been isolated for so long but as the university becomes bigger here at Laurier we need to be more careful.”
But while Dowding is concerned with how information is tracked, he points out that there’s a delicate balance
between privacy and security that must be maintained. “There’s a real tension,” says Dowding. “We want to feel free and yet at the same time we want to be secure.”
With the majority of the Waterloo campus contained within one city block, many students feel secure in the knowledge that their campus is safe. Adding to this sense of security is the fact that campus security has over 130 digital security cameras at its disposal. This coverage amounts to “about 80% of the exterior of campus” says director of Campus Safety & Security
(CS&S) Rod Curran, and various interior places around campus including the Concourse, library, the Peters Building, the Bookstore and in and around the Dr. Alvin Woods Building.
But Curran is quick to point out that CS&S respects the privacy of the school’s students. “We’re not intruding on anybody’s rights here, we’re just doing the outside of campus,” says Curran. “We’re not in the residences.”
For Curran, the cameras are merely a means for ensuring that the campus
remains safe. “It’s part of our security plan; we only have 12 special constables on campus,” says Curran of the need for the camera coverage, “so the security cameras assist us in monitoring emergency situations and also if we see suspicious characters
coming on campus.”
With the irregular hours that many students keep, CS&S works to ensure that the campus remains under the watchful eye of the cameras long after most people have gone to sleep. “The [cameras] are monitored here 24/7 by our student dispatch,” says Curran. “The cameras assist us greatly,” he continues, providing an example of how the cameras are utilized. “Earlier
in the spring, it was really busy one Saturday night. Some people were stealing furniture out of a residence;
they were followed on camera over to Albert Street. Two days later, the police were called and we got our furniture back.”
However, while CS&S preach the virtues of cameras on-campus, Dr. Dowding is wary of the use of these sorts of surveillance techniques. “We could very well be in trouble if we watch each other too much, ” he says.
“In the event that we have this entire surveillance infrastructure set up and we have a reasonable government,
that’s all well and fine,” he continues and explains his hesitations regarding surveillance, “but what happens if things slip a little bit and we have a very different kind of government? That’s what worries me.”
The use of video cameras as a surveillance technique is not the only way that the personal information and privacy of students is monitored on campus. Information relating to the use of things as innocuous as our OneCards, Emails and computer use, and school records are maintained in extensive databases.
“Your complete financial history is kept,” explains OneCard Manager Nick Tomljenovic. “For a lot of locations, your complete access history is kept, just for example, for sensitive doors in the science building.”
“As soon as you swipe your card we have a record of where you’ve been,” Tomljenovic continues.
This information is then stored in a mass database for an indefinite period of time and can be accessed by the individual student at any time. “It’s like banking information,” explains Tomljenovic. “It’s kept indefinitely just in case you should ever need to pull it up, or if you should come back years later and decide you want to look at it.”
While this information is readily available to the individual student, by accessing it online or at the OneCard
office, it is not available to any other student or to faculty or staff. And the information that is stored within the database is not used for targeted marketing purposes by campus businesses or the Student’s Union.
“We use it for things like Food Services to see how they’re doing in terms of sales. The Students’ Union uses the OneCard system to see their sales breakdowns by units, but that’s all sort of internal breakdowns done by themselves,” he explains. “We don’t really bother to see who’s eating
Despite the fact that such targeted marketing or the tracing of particular students has not occurred,
Tomljenovic admits that the use of the digital database makes such actions possible. “The only people that could actually call on it would be security,” he says. “If there’s an incident at a particular location and they wanted to know the last person to swipe in, then we could tell them who that is.”
With the amount of information that is relayed by the OneCard and contained in the digital database, it becomes imperative that this information is protected from hackers or other breaches to the system. While the firewalls that protect the OneCard servers are “state of the art” and “very secure”, Tomljenovic admits that they are not perfect. “There’s no such thing as a 10, but I would say we’re as close to it as we could possibly be,” he says.
Such imperfections are the sorts of things that worry Dr. Dowding and like-minded individuals. “Every time a new technology is developed, somebody’s going to figure out how to do an end-run,” says Dowding, which “all has to do with who can break a firewall.”
As the amount of spam that regularly fills the email inboxes of Laurier students’ school accounts demonstrates,
there is no shortage of people willing to try and circumvent the system and maliciously use personal information.
While this spam is a nuisance that is potentially dangerous, Carl Langford ,manager of network
operations for Information Technology Services, assures us that ITS is doing its best to keep Laurier Email account information
Since the Ontario government implemented the Freedom of Information and Protection of Privacy Act (FIPPA) last year, the ways in which students’ Email account information has been distributed had to be changed.
Until that time Laurier had an online database where the Email addresses for students, faculty and staff could be accessed. “We were notified by the Privacy Officer that that was no longer acceptable, so within a few minutes that was turned off,” explains John Kearney, director of Information Technology Services. This move was done to ensure that students’ account information could not easily be discovered on the school’s website. Another aspect of the Email system that ITS seeks to keep private are the actual Email accounts themselves.
As Langford explains, “We cannot see the actual message, and in fact we cannot see who it is from. Basically
the message is a black box; we can tell it’s there but we don’t know who sent it, when they sent it, we just know that something’s there.”
The Email systems are not the only account information that falls underneath of the ITS umbrella. Each time a student logs into a computer on campus, that information is stored in a protected database for a short period of time.
“We keep limited logs so that we can tell the last couple of times that you may have logged in,” says Langford, “It does not tell us where you have logged in, it tells us when.”
This information that is collected through the use of the OneCard and ITS is protected by an elaborate system of firewalls. At the same time these firewalls also serve to protect the information that is held at the Registrar’s Office. “Most of the information we gather from students starts at the admissions stage,” explains Ray Darling, Laurier’s Registrar. “Right away you’ve got all of your wallet information, you’ve got all of the institutions that you’ve attended, you’ve got your grades, the programs that you’ve applied to here, your date of birth.”
This information is then sorted into individual files and stored in an extensive database for an indefinite period of time. “It’s stored in Banner. You would know it as LORIS, that’s kind of the front end of it. But the database underneath it is called Banner,” explains Darling. The information contained in Banner is used for administrative purposes and to determine whether or not students have met the progression requirements. “We have to have a good reason to ask for private information,”
Darling says. Determining what is and is not a “good reason” comes down to what is laid out in the recently enacted Privacy
Act. The job of dealing with the changes brought on by the act and how the school goes about maintaining
the privacy of its students falls on Dr. John Metcalfe, director of the universityinformation and privacy office, and ombudsperson.
“Each piece of information has a different access class around it,” explains Metcalfe. “For example, the names of people in courses would likely be highly accessible across the campus to employees of the university who need that for their work. But something like your grades would be much less accessible.”
In terms of total access to university information, Metcalfe explains that only the school’s president, Dr. Max Blouw, has the ability to see everything, as “he has the exclusive right, as the guy who runs the show.” By limiting who has the ability to view certain kinds of student information, Metcalfe hopes that he is protecting the privacy of the school’s students and upholding a moral responsibility to each student as an individual.
“Our moral and our legal responsibility is to restrict our asking for information to just that information that is necessary to run the university,” says Metcalfe. “Because your freedom as a citizen in this country, and anywhere in the world, is based on your privacy. It’s your ability to control what other people know about you that really gives you some sort of control over your liberty.”
Although students themselves may take their privacy for granted, Metcalfe believes that “in ten years some students will kick themselves for what they did. Lots of it’s very innocuous and benign, but there are three corner stones of identity theft: name, date of birth and social insurance number.”
With two of these three things being placed in electronic files by various institutions at the school, and oftentimes being willingly placed online on sites such as Facebook it makes it possible for, “you to compile lots of little bits of information on people and create a dossier,” says Metcalfe.
With identity theft becoming increasingly prevalent in our society, and the possibility for credit fraud and other malicious actions being particularly damaging to a student’s future, the need to better protect one’s personal information should begin to be taken more seriously.
Metcalfe’s advice on how and where you use your personal information is that “you just have to be cautious. Don’t be crazy about it.”