The Chronicle: Colloquy Live Transcript

Social Security Numbers and Student Privacy

Thursday, August 1, at 1 p.m. U.S. Eastern time

What do colleges need to do to protect students from having their Social Security numbers used for fraudulent purposes?

Students on a growing number of campuses are demanding that their colleges stop identifying them by their Social Security numbers, which are in numerous databases. The students fear that the widespread use of the Social Security numbers has made them easy targets for people who seek to obtain credit cards, cash, or various benefits to which they are not entitled. The issue is a tricky one for colleges because many of them have come to rely on Social Security numbers. One of the institutions that has done the most to avoid using Social Security numbers is the University of Illinois system.

» ID Theft Turns Students Into Privacy Activists (8/2/2002)

» U. of Illinois May Be a Model in Protecting Privacy (8/2/2002)

Michael A. Corn is an associate director in the University of Illinois system's Office for Planning and Budgeting. In that role, he helped the university carry out its plan to change how it used Social Security numbers. He has also led many projects on how the university system gathers, uses, and analyzes various types of information. Mr. Corn will respond to questions and comments about those issues on Thursday, August 1, at 1 p.m., U.S. Eastern time. Advance questions are encouraged and may be posted now.

A transcript of the chat follows.

Andrea L. Foster (Moderator):
Good Day. I'm Andrea Foster of The Chronicle. I'll be moderating today's chat on colleges' use of Social Security numbers. Students on a growing number of campuses are demanding that their colleges stop identifying them by the numbers because they're concerned about identity theft. Our guest today is Mike Corn, who is overseeing the University of Illinois system's efforts to move away from using Social Security numbers.

Welcome, Mike. We'll start with a few questions that were submitted in advance.

Michael A. Corn:
Before getting started I�d like to thank The Chronicle for bringing attention to the issue of identity theft and SSN usage. It�s also worth pointing out that there are plenty of issues related to the SSN that aren�t black and white. I�d encourage anyone working on reducing the use of SSN at their institution to work closely with their campus Legal Counsel and other policy makers. Issues will arise that require changes in how individuals do their jobs and thus a true consensus on policy is required for success. Additionally I�d be happy to speak with anyone about SSN remediation at their school and point out that we have a fair amount of information about our SSN policy and its implementation at http://www.ssn.uillinois.edu.

Question from Louie, private four year college:
Should colleges and universities who currently use Social Security numbers as student identifiers start moving away from that practice immediately or should they wait until Federal and/or State laws and regulations mandate it?

Michael A. Corn:
I would encourage anyone still using SSNs as their student or employee ID to move to an alternative as soon as possible. Note that the Privacy Act requires public institutions to provide a requested service even when the individual withholds their SSN. If however you generate your own internal identification number it is our understanding that you can insist on the individual providing their ID number before servicing them. Thus in many ways a generated student/employee ID is more useful to you and since it is meaningless outside of the institution, is an unattractive target for theft. It's worth pointing out that transitioning away from the SSN can take quite sometime, particularly at large schools, and there's no guarantee that federal mandates will grant institutions a comfortably long period to move away from the SSN.

Question from Kathryn Voigt:
Our university openly asks for and displays employees' SS numbers at sign-in for training classes, etc. What do you suggest as alternative practices?

Michael A. Corn:
The key is use something that'll uniquely identify a person to you, but still provide some element of privacy - if you have an employee ID number, use it. If not, perhaps you could generate a one time random number you assign to people when they register for classes. I used to do this when I was teaching before there was a University Identification Number - I'd assign a random number to each student, sort them by number, not alphabetically, and use this this to post grades.

Question from Hayley, Princeton graduate:
Can you describe unique identifier systems and explain whether such systems would provide good options for colleges to protect students' confidential information?

Michael A. Corn:
There's been quite a bit of discussion of this issue (take a look at http://middleware.internet2.edu/core/identifiers.shtml for a technical sample) - a couple of thoughts, mostly personal opinions: avoid identifiers that include meaningful data - data changes. The first 2 digits of our IDs currently identify the campus the ID card was first generated at. But many of our students start at one campus and then move to finish at another - so what's the value now of those 2 digits? Consider how identifiers resemble other data - our IDs are random 9 digit numbers, but unfortunately this means you can't tell them apart from valid SSNs - this can lead to confusion and errors. Also be careful not to assume that having such an identifier authorizes anyone to anything. Having an ID card or ID number by itself shouldn't grant access to computers, the gym, or any other facility or service. Doing so instantly increases the necessary security you've got to apply to the identifier. Smaller schools may want to explore using smartcards possibly combined with digital certificates or biometric authentication (this can be very expensive, thus the 'smaller' caveat). It may also be tempting to use your local 'network ID' used for computer access and email. However these are usually recycled after some period of time and thus not ideal. Generally speaking, it's hard to beat a nice random alpha-numeric string as an identifier. This coupled with any good two part authentication process should be adequate to protect any confidential information.

Question from Silla Brush, new jersey college:
How culpable do you feel Yale is in the current incident? How long should it have taken Yale to inform Princeton (was a month too long)?

Michael A. Corn:
I don't know enough details to discuss how culpable Yale is in this case - however I can say that we are wrestling with the problem of how you allow individuals to login to a secure web site prior to their arrival on campus (or perhaps even their admission to the University) and thus they don't yet have a network ID. Note that 'wrestling' is not past tense - as yet we don't have an ideal solution of the type that might have prevented Princeton from so easily getting into Yale's system.

Question from Mark. Siena College:
My concern has to do with accuracy of records. If we move away from using the SSN as the identifyer, how does the institution verify that information is applied to the correct record, especially if there are multiple people with the same name? As an example, if a student named Michael Smith takes a class at another institution and has a transcript sent to us, either with an ID number assigned by the other institution or no ID number at all, how do we make sure the correct Michael Smith (since we have thirty records with that name in our system) gets the transfer credit at our institution? Thanks.

Michael A. Corn:
Until the Federal government comes up with some acceptable alternative to the SSN, admissions offices will continue to face this problem. Most schools and testing services use SSN to link up supporting materials. We do ask for the SSN on our application for admission, but the applicant is requested to voluntarily provide it. While I'm sure there are some horror stories out there, our research, when we were drafting our SSN policy, found that most schools report a very very small number of people withhold their SSN (at the U of I, I don't believe it's more than a dozen or so). The key here is to use a disclosure statement that underscores the benefit to the student of providing an SSN and that you take its confidentiality seriously. One small subsidiary issue I'd like to mention, when we started this process it became clear that many units were assuming a 'correct' SSN meant they'd authenticated the individual. At a minimum releasing confidential information should require a photo ID to qualify as 'authenticated.'

Question from Betty Stevens, Kansas State University:
Can a student maintain the same ID number at all the public higher education institutions in the state? If so, how is that coordinated?

Michael A. Corn:
One of the biggest issues I have with enforcing a rigorous SSN policy is that State and Federal laws are often in conflict. State agencies generally assume they've full legal rights to SSNs, yet, personally I'm not convinced how far that right really goes. There's nothing to prevent all the public institutions from coordinating on a non-SSN 'common' ID, but as you indicate, coordinating this would be tricky. Organizations such as CREN and eduCause are involved in a number of initiatives that are examining digital certificates as a possible portable authentication document. We're also working with the State of Illinois' digital signature initiative to see how their use of digital certificates might help with these cross-institutional identification problems. But as I'm sure you're aware, in-state students only comprise a subset of your student population, and any meaningful solution would really have to address the full student population. So the short answer to your question is that it probably couldn't be coordinated without a really collaborative effort involving all the public educational institutions in your state.

Question from Todd Nelson, California State University:
Our university uses SS #'s for a lot of student, faculty, and staff records. How can I convince administrators to change that?

Michael A. Corn:
I wish there was a magic "here's what you do" answer available for this question - lots of people are facing it. Your best bet is to 1. Educate them about the growing problem of identity theft; 2. Encourage them to spend sometime at least examining the problem and how to solve it - it really does require broad consensus to move forward on this; 3. Point out to the administration that it would be easier and cheaper to start now than to wait until a Federal mandate comes along and gives you a very short period of time to work with; 4. Point out how other schools (particularly peer institutions) are moving forward with this, and it is a manageable problem. There was considerable concern here when this started that it would have a major impact on how staff do their job, but now that we're pretty far down the road many of the previously concerned are seeing that the reality of changing isn't any where near as problematic as was feared.

Question from Anthony Starace, University of Nebraska-Lincoln:
How should universities deal with benefit providers, such as Blue Cross and Blue Shield, who use insured clients' social security numbers as the insurance ID? These identity cards must be carried in one's wallet, which opens one to ID theft if the wallet is lost or stolen.

Michael A. Corn:
Our policy permits us to share SSNs with 'agents' of the University, and our newest SSN disclosure (that we'll use during the hiring practice) tells new hires that the SSN will be used for benefits purposes. Having said that there's only so much you can do about these third parties and their practices - I suppose the best approach would be to raise the issue with them forcefully during negotiations. We have had some luck with third parties in getting them to be more careful with SSNs when communicating with faculty and staff (to ensure they're not visible in an envelope window for example).

Question from Kevin Garganta, Bristol Community College (Fall River, MA):
As a faculty member, I am very concerned about the misuse of SSN's at many schools, including my own. I now recommend to all my students that they request a "unique identifier" from our school...but few, if any of them, listen to me. (What else is new!) As a faculty member, what else can I do besides "complain" to the college administration and cajole my students into taking some action?

Michael A. Corn:
The problem is that you're dealing with the wrong end of the issue - true, it would be nice if students took responsibility for this and requested the unique identifier themselves, but until the institutional policy of using SSNs by default changes, it'll continue to be an uphill battle. Cajoling and complaining to administration may be your best avenue - you may want to point out to them that since FERPA defines the SSN as part of the educational record, using the SSN as the primary identifier is akin to asking individuals to use their grade point average as a primary identifier. They may also be assuming that the SSN, once recited, constitutes a kind of authentication - you can point out that every divorced person probably knows their ex's SSN and thus using the SSN in this fashion opens the door to a host of problems.

Question from Mark Davenport, UNC Greensboro:
Our concern is about using alternatives to SSN is that students are notoriously poor at remembering things like computer-generated PIN numbers (freshmen, in particular). What have others done to address the problem?

Michael A. Corn:
This issue was quite a concern here as well - our University Identification Number (UIN) is printed on every University ID card (our "i-card") and highlighted in blue. This helps since most students (and faculty) do seem to carry their card. However we're finding that as more and more services are keyed to someone providing their UIN students are getting used to reciting it - and thus memorizing it or displaying their i-card. Some services even use card-readers so that individuals simply swipe their card to, say, enter the gym. But ultimately there's no answer to the problem other than to say it turns out not to be a serious issue in practice.

Question from Barbara, large public university:
How will U of Illinois collect and maintain student SSNs for compliance with the IRS 6050S reporting regulations (TRA reporting)?

Michael A. Corn:
There are 2 answers to this - when this issue first came up we spoke with the IRS and as I recall (I'm working from memory on this one - our Legal Counsel handled this communication) they indicated they were aware of a conflict between what they were asking and the Privacy Act. My suspicion is that before too long they'll get the law changed so as to require us to collect all student SSNs - so philosophically the answer is that we're not required to collect all student SSNs and are reporting only those SSNs we do collect. The practical answer is that given the growing # of students that get financial aid, or a part time job, and that we broadly educate students as to the advantage of providing the university with their SSN, we have a negligable number of students withhold their SSN and so we can report a full population to the IRS.

Question from Mark Jordano, Gannon University:
What steps should be taken if a member of your community is a victim of identify theft? Do you have written procedures you would be willing to share? Thanks

Michael A. Corn:
Excellent question - but I guess we're fortunate that we haven't had it arise yet. One difficulty is that like many schools we have a highly decentralized set of administrative systems - which would make it difficult to have a controlled response. However, again, like may other schools, we're in the process of centralizing and replacing many legacy systems, and so while I don't have anything to share with you, clearly an opportunity exists to develop a single institutional approach. I'd imagine we'd have to involve not only the administrative systems but campus academic administration as well.

Question from Peter Bachman c=US Directory:
Using SSN's is a dangerous idea and leads to identity theft. The only reason for using a SSN is that it provides a unique id, and sometimes it is not even that. It's a lazy programming technique for system integration.

Identity theft can be prevented by providing ways for students to manage their own personal identity information and linking in college data systems to that student published identity data instead of the college capturing, storing, and ultimately being liable for the misuseof that data. Would the speaker support the role of the student as a publisher of her/his identity data?

Michael A. Corn:
We have created guidelines for developers of electronic systems on how to use (or not use) the SSN - our SSN policy calls for the use of the University Identification Number (UIN) w/in systems in place of the SSN as a linking element. In theory allowing the individual to fully control all personal data is intriguing, particularly from a privacy standpoint, but at first thought I would imagine it requiring a rather rigorous and established infrastructure with unassailable controls concerning, for example, changes to data. One additional thought - regardless of the ease w/which individuals are seemingly 'erased' in movies, I would imagine there is a kind of security that comes from widely distributed data. With a single source for all my personal information, a simple typo could instantly bar me from also sorts of services (typing an 'F' instead of an 'M'). Perhaps in a world with dirty data, multiple unreliable sources can converge more accurately than a single point source for any given piece of data. I'd probably deny every having uttered that last sentence however.

Question from Jim Miller, University of Texas at Austin:
Do most universities that have implemented SSN solutions encrypt SSNs for storage? Do you think that encryption of SSNs would be cost-effective?

Michael A. Corn:
Doubtful - and truthfully I'm not sure worth pursuing. First, not all DBMS' have encrypted data types and the overhead of encrypting and decrypting every read/write to the database might be problematic. But what we've been trying to impress on people is not that the SSN requires 'extra-special' protection, but rather protecting the SSN should be seen as part of a general review of and effort to raise the bar on data security. Students would like to know that *all* their data is rigorously protected.

Question from Mark Ehlert, U of Missouri:
Should student SSNs be used for research projects? There is a body of research that is based on sweeping administrative data sets to compile a relatively large number of data points for individuals, e.g., college performance, labor market status and earnings, financial aid received, etc. Matching records across different databases requires a common ID, i.e., SSNs. Credible researchers take measures to protect the anonymity and confidentiality of these "electronic" human subjects. Are you opposed to this use of SSNs? If so, what research methodologies might you propose as alternatives?

Michael A. Corn:
As long as individual privacy is maintained, I don't see any ethical problems with this practice (just my personal opinion), however note that the privacy act of 1974 requires an institution to inform the individual, when the SSN is collected, what use is to be made of it. Thus, while a University may use a collected SSN for internal purposes (and I suppose you could argue that research falls into this category) your SSN disclosure statement should state this use. I'd hate to propose a methodology off the cuff, but this is precisely the kind of situation that calls for a formal institutional protocol - rather than leaving this up to the discretion of the individual researcher.

Question from Andy Corn, Indiana State University:
Using an alternative to social security numbers for students who are new to the system seem to be a logical step. However, how did your institution adapt to students who were already in the system using social security numbers. Did the University continue to use social security numbers until those students matriculated out of the system, or did you change their existing ID numbers?

Michael A. Corn:
It's worth pointing out that we haven't eliminated SSNs from our systems - we still hope to collect SSNs from students and we obviously have to have it for employees. What we've done though is stopped using it as *the* key for record linkage. The SSN is (as systems are replaced) used as merely another data attribute. For example our new suite of administrative applications uses the University Identification Number (UIN) as the lookup key for students. However, many staff members at Admissions and Records, dealing with applicants, may have to use the SSN (if available) to link supporting material with applications. With regard to legacy data we're looking at retrofitting some select subsets of data with UINs - but not globally. We do have a bulk SSN2UIN utility available to assist units with small internal databases with the conversion from SSN to UINs.

Question from Jack McGrath, William Tyndale College:
What do thieves typically try to when they steal Social Security, driver licenses and college identifications?

Michael A. Corn:
Most of the articles I've read reference attempts to take out large loans, transfer cash from bank accounts or obtain credit card numbers and use them to make purchases. One could easily imagine someone at a college or university using a stolen identity to corrupt academic records.

Andrea L. Foster (Moderator):
Well, we're about half-way through our chat. If you'd like to submit a question, now's the time.

Question from Clark:
What should students do to protect themselves from improper use of their social security numbers and other confidential data that they provide to colleges during the application process?

Michael A. Corn:
If I were a savvy student apply to schools today, I'd first check to see what the disclosure statement on the application says - it should list the uses the school will make of the SSN. If it were a private school (and not beholden to the privacy act) or if there were no disclosure included, I'd contact the school and press them on the issue. This kind of feed back does have an impact (being one of the people that receives these kinds of queries for the U of I, I can vouch for that!)

Question from Stephanie Kot, Siena College:
Mr. Corn, our Registrar is especially concerned about discontinuing the use of SSNs as student IDs because he feels that the students will not remember a randomly generated number, causing confusion when the student requests information on or changes to his/her record. Have you found this to be the case in your instituion, and if so, how did you deal with it?

Michael A. Corn:
Our policy permits a staff member to request (though not demand) an SSN as an alternative form of identification. So if "Joe Smith" walks in and doesn't know their ID number, they can ask for the SSN, explaining why they're asking and what they'll use it for. But as I pointed out in another question - just because Joe Smith recites their SSN doesn't mean you've authenticated that the individual is Joe Smith. Our ID office (the i-card office) can provide select units with access to a query screen (web based) that allows the clerk to look up the individual based on name, ID, or SSN and have their digital photo displayed - thus the person can be confidently identified. But as I said earlier, the issue of individuals forgetting their ID # simply hasn't proven to be a problem.

Question from Tariq Mahmood UNC Greensboro:
What are your thoughts about the ramifications of using a portion of the SSN, say, the last four numbers?

Michael A. Corn:
Truthfully it's side-stepping the problem. Technically FERPA does allow student grades to be posted using a portion of the SSN - however this ignores the problems that arise due to SSNs changing (they do!) and foreign students who may not have or know their SSN.

Question from Phil, community college:
2 points : The trend or desire to get away from the use of social secrurity numbers conflicts with the trend in many states and with many accrediting agencies towards greater tracking for outcomes assessment purposes. Only with social security numbers can a person's progress from one school or institution to the next be checked with any validity. I'd urge institutions considering getting away from social security numbers to consider some of these implications.

Second point: You state that the Privacy Act requires "public institutions" to make use of social security numbers voluntary. In fact, that law applies to "federal, state and local agencies" - some (admittedly a small number) of public schools will not be considered to be subject to the law. See, e.g., Krebs v. Rutgers (concluding that the public institution Rutgers is not a "state agency").

Michael A. Corn:
First point: absolutely right. We as a society have a strangely bifurcated approach to this. On one hand we want more efficient government and the kind of service that a national ID could provide - on the other hand we're loath to support a national ID on the grounds that it is seen as too invasive. The need to track individuals across institutions is really unworkable w/out SSNs at this point in time. This is why it's critical that everyone understand that we're not talking about the total elimination of the SSN - but rather its casual use as an ID or similar uses such as a computer logon. Since the SSN has become such a valued commodity for theft, it does behoove any institution that collects SSNs to be very careful in how it maintains them and how and to whom it releases them. There are many circumstances that we find it is totally appropriate and may even be in the individuals interest to disclose their SSN. However we now review these centrally ensuring the disclosure is both appropriate and legal. Second point: Correct - this is why I strongly encourage anyone approaching this problem to work closely with their Legal Counsel on this issue.

Question from vivian calderon, Univ CA Office of the President:
SSNs are currently used to track students from one institution to another--this serves accountability purposes--we need to track enrollments of high school students from outreach programs to colleges and universities and we need to track community college transfers to senior colleges and universities. What alternative(s) do you suggest if the SSN can no longer be used?

Michael A. Corn:
I think you'll see I've addressed this to some degree elsewhere. This isn't a question that any one school or system can tackle alone. It can only be addressed collaboratively with all the parties that would be involved in any solution. Digital certificates or some sort of state higher ed ID might be workable.

Comment from Lucinda Patten, Fielding Graduate Institute:
The UC system requires written requests for records, signed by each student with a photo ID and their SSN, to obtain an academic record, unless the govt requires information regarding that particular student ~ then, the record is made available. And, although information is made public, the UC system also assigns a PIN to further protect the ID and SSN of each student.

The maintenance of school records are not the problem nor the solution for 'safeguarding SSNs'. I believe SSNs are the best and most accurate way to identify work completed (or not) by students, because supposedly, there is only one SSN assigned to each individual.

I am much more concerned with identity theft occurring through the use of credit cards and payments of debt - online or land-based - when copies (or old, out of date and no longer needed) records of payments made, aren't shredded and/or credit histories can be obtained through phone calls or other ways and means that aren't verified and/or thoroughly validated using measures that require tight security measures.

I had my identity borrowed/stolen by someone who worked for either a credit company or a student loan processing company in Illinois... s/he bought a home and defaulted on payments which negatively affected my ability to obtain credit and which I had to spend time correcting with TRW and other reporting agencies. Credit card companies and lending institutions need to be more circumspect with regard to research before accepting applications for credit and/or changing existing data.

However, I am MUCH more concerned with the Islamic/Muslim/Arab/Egyptian/Palestinian terrorist acts against citizens of Israel and the US than the safeguarding of SSNs.

We are soon to have the bio-chip and/or the product stamp (currently used on all marketed products) lasered into our hands or foreheads to supposedly 'safeguard' our identities, due to all the credit card fraud (check out the latest news re:the Islamic Egyptian who just got caught for making fraudulent IDs for the 911 terrorists, here on American soil!) and identity stealing that has created not only soaring interest rates on credit cards that have left no other option for many except to file for bankruptcy, but has greatly added to the spiraling downfall of our economy!

Let us spend our time, energy and resources being creative in other directions, asking other questions, that have greater significance and will create deeper meaning and more positively affect the future of America and our citizens... thanks for listening.

Question from S. Hilton, large research university:
Everyone at my university pretty much agrees that access to ssn information should be limited to those offices with a "need to know". However, all the offices believe *they* have that need to know to conduct their own day to day business. How do you address those arguments? Which offices really need the information?

Michael A. Corn:
By moving away from using the SSN as the primary person identifier w/in your systems you can largely eliminate the need for these offices to use the SSN. And if they do have a legitimate need, then by all means provide it but take whatever steps are necessary to ensure they're collecting, maintaining and disclosing SSNs appropriately and in accordance with your institutions policies.

Question from Jay DiFrank @ Gannon University:
We have had 5 incidents of identity theft in the past 6 months. We have 2800 students and 600 non-student employees. Are our incidents high enough to conclude that there is a problem here at our school?

Michael A. Corn:
It typically takes an individual whose identity is stolen 3-5 years to recover completely. I'd take that many incidents as a serious wakeup call.

Question from Sheila Ochner, University of Texas at Austin:
Were you asked for a cost of implementations for the removal of the SSN from the business processes of your university and how did you validate those estimates. Can you share the approximate costs for a school of your size? Did you break down costs based on the basis of "largest good for least effort"? Did you also include the cost of increased staffing for support of a unique university identifier?

Michael A. Corn:
I'd have to admit, we didn't do a formal cost analysis: we realized that this was something we simply had to do. If you contact me off line (my # is on the website) I'd be happy to discuss the costs (I'm told we're running out of time) that are quantifiable.

Comment from DJ, a medium size university:
Students seem to be uneasy with the common display of SSNs to other students. Our library system displays the SSN with the student name and the referenced material. Students working in the library see many social security numbers of other students (and faculty for that matter) each day.

Question from Suzanne Dmytrenko, Registrar San Francisco State University:
The web is helping us to keep data secure. However, the issue of identifying students for faculty - say on a web class list - without their ssn as a secondary identifier has raised some questions...How do you deal with two students with the same name in the same class without putting their ssn? (we thought of birthdate...)

Michael A. Corn:
Clearly there are some internal reports where an SSN is appropriate - however in the case you mention a student ID number (as might be printed on their ID card) would work.

Comment from Former Student:
I have to agree with Mr. Corn on the "what if students forget" questions. I can stll remember my Student ID # from UMass...and I graduated in 1975!! Now, unfortunately, that particular school has gone back to using the SSN as the Student Number. (I have two children as students there now.)

Question from Jim, university:
What did you mean by "If it were a private school (and not beholden to the privacy act)" ? Which Privacy act are you talking about? What responsibilities do private schools have ?

Michael A. Corn:
I'm not sure about private schools, my guess is that they're limited by their state laws - by the Privacy Act I mean the Privacy Act of 1974. The DOJ has a text of it available at http://www.usdoj.gov/04foia/privstat.htm.

Question from Ronald, midwestern state u:
I can envision real complications in maintaining accurate academic records for the many transfer students we enroll who have attended multiple other institutions if each of the other institutions have their own unique ID numbers and do not also provide SSN somewhere on the transcript. How doe the U of I plan to handle that problem? Should AACRAO or some other try to establish some guidelines for that? (P.S. your comments today have been very helpful!)

Michael A. Corn:
Thanks. I wish we had a perfect solution to this issue of cross-institutional identification. I suspect a long term solution will come out of organizations like CREN, Internet2, or eduCause - surely AACRAO would be an appropriate body to address the question. For today, we're simply examining each data exchange as we become aware of them and tactically dealing with them as best we can (most organizations seem willing to put protections in place to ensure confidentiality). But for the time being I think that's the best we can do.

Question from Paul Pagliarulo:
Can students use their assigned identifier to access all student services i.e. email, web registration IVR etc.?

Michael A. Corn:
No - we've traditionally been highly decentralized. Most services rely on a campus assigned 'netid' or network ID - though our ID office does provide a number of services which use the University ID Number as the login. We've looked at unifying authentication for electronic services and in principle made a goal of reaching this, however it'll take some time to reach this.

Question from Maurya, National Science Foundation:
Mr. Corn, What is you opinion on how Federal agencies collect data using SSN #'s on students in US higher learning institutions? Do you feel students are protected when they fill out a survey form that asks for SSN #'s?

Michael A. Corn:
I'm really not informed enough to venture a guess. But the real issue (as I mentioned elsewhere) is to think of the SSN not so much as 'special' but one of a host of pieces of confidential data. Needing to sleep soundly at night, I'm going to believe they secure such data and SSNs as securely as possible. :->

Question from Rick, Public 4 year:
Do you have a sample of a good disclosure statement?

Michael A. Corn:
Sure - we've some samples at http://www.ssn.uillinois.edu/html/ssn_disclosure.html with more upto date models to be added soon.

Andrea L. Foster (Moderator):
That's all the time we have today. Thanks for participating, Mr. Corn. And thanks to our listeners for their thoughtful questions.

A transcript of this chat will be available shortly at this URL.

Michael A. Corn:
Again I'd like to thank The Chronicle and to thank everyone who has participated. Feel free to visit our web site http://www.ssn.uillinois.edu and to contact me directly if you've other questions I can help with. It's also important to note that we do have an individual on all 3 University of Illinois campuses that is responsible for policy implementation on that campus (I'm responsible for University Administration) and their contact info is also on our web site.