From the issue dated August 2, 2002
|
|
|
ID Theft Turns Students Into Privacy ActivistsColleges respond by reducing reliance on Social Security numbers in databasesBy ANDREA L. FOSTER Benjamin M. Brummett, an incoming senior at the University of Texas at Austin,
He doesn't fill in the space on exams that is reserved for a Social Security number. When he gets credit-card receipts, he tears them in half so the credit-card number is divided. Then he throws each half in separate trash bins. "I don't want the wrong person stumbling across my credit-card number and making Internet purchases," he says. Mr. Brummett's concern about his privacy burgeoned a year and a half ago, when an impostor requested a credit card in his name, using his Social Security number. Capital One, with which Mr. Brummett already had an account, sent the card out before realizing that the impostor had cited the wrong maiden name for Mr. Brummett's mother. The company then prevented the impostor from activating the card. Since that scare, Mr. Brummett has become an activist, appearing in the local news media to decry the university's use of Social Security numbers. Like many institutions, Austin uses the number as a key identifier for individuals in computer databases throughout the campus. During the last academic year, he headed the Student Bill of Rights Committee, a group that in large part promotes privacy rights for students at Austin. Ferment Beyond Austin Political ferment surrounding the use of Social Security numbers is not limited to Austin. Students at several other colleges are demanding that administrators and faculty members wean themselves from attaching Social Security numbers to vast amounts of personal student information. Students say the shift would reduce the risk of "identity theft" -- the use of personal information such as a Social Security, credit-card, or bank-account number to gain access to someone's money or credit. As many as 700,000 people are victims of the crime each year, and it was the top consumer complaint last year, according to the Federal Trade Commission. Identity thieves see students as enticing prey because they often have a clean credit history and are cavalier about guarding their privacy. The student pressure is prompting some institutions to act. The University of Florida and Northern Illinois University are restricting the visibility of the Social Security number as a result of student concerns, and student needling is prompting Austin to more quickly reexamine the use of the number. Revisions to state laws that limit colleges' display of the numbers to government documents like payroll and financial-aid records are forcing other colleges to make changes. But progress is slow. Hobbled by tight budgets, many colleges are reluctant to buck tradition and make costly changes to computer systems used in many departments, including housing, academic-records, and admissions offices. To revamp such systems could cost at least half a million dollars, estimates Jay E. Foley, director of consumer and victims services at the Identity Theft Resource Center, a nonprofit group in San Diego that educates the public about identity theft. Nearly half of colleges nationwide still use Social Security numbers as the primary means to track students in academic databases, according to a March survey by the American Association of Collegiate Registrars and Admissions Officers. The survey also shows that 79 percent of colleges display students' Social Security number on official transcripts. Privacy gaps abound at colleges. Since May, Austin and at least three other colleges have discovered that some of their publicly accessible computers were infected with software that secretly records computer users' keystrokes. At Texas, the finding prompted administrators to advise 180 students to change their university passwords. The Secret Service is investigating whether a Russian crime ring is responsible for installing the software, and is advising colleges to check their computers for the program, which could allow criminals to find out computer users' credit-card numbers. In July, Resicom, a Doylestown, Pa., company that provides telephone services to colleges, confirmed that a glitch in its programming had enabled Web surfers to view the names, addresses, and Social Security numbers of as many as 2,000 students. Leidy Smith, the president of Resicom, says his company serves between 50 and 100 colleges, but he doesn't know how many different colleges the students were from. Such mishaps show how easy it is for impostors to steal students' identities. "As more and more of our administrative systems are on computers attached to the Internet, any database that is left insecure could lead to the exposure of Social Security numbers," says Daniel J. Updegrove, vice president for information technology at Texas' Austin campus and co-chairman of an Educause committee on network security. Mounting Concern Concerns over identity theft are mounting at the Austin campus. In addition to the discovery of the keystroke software and Mr. Brummett's scare, Naufil M. Mulla, then a university senior and honors student, was arrested in March for credit-card fraud after he allegedly purchased food with other students' debit cards without their knowledge. The charge was dismissed in May after he received counseling. Austin students were so concerned about the issue that The Daily Texan, the student newspaper, did a four-part series on identity theft in March 2001 that touched on the plight of Mr. Brummett. It also mentioned how Social Security numbers are widely used on the campus and how easy it is to receive a credit card in someone's name using their Social Security number. The president of the Student Government Association at Texas, Katie A. King, made the privacy of Social Security numbers a major part of her election platform. She and another incoming senior, Elliott W. Kruppa, head of the Cabinet of College Councils, a group representing the student councils of the University of Texas System, met with administrators in July about plans to curtail the use of the number on the campus. A Never-Ending Struggle Unlike Mr. Brummett, victims usually don't discover that someone has tried to assume their identity until years after the crime occurs, experts say. An impostor can run up a whopping credit-card debt, and arrange for the bill to be sent to an address other than the victim's. In this way, the victim could remain in the dark while charges are accumulating. Only when the victim's credit history is reviewed, for instance when the victim seeks to purchase a home, does the scam come to light. For many victims, trying to erase the debt and reclaim a good credit history is a never-ending struggle. They are shuffled from one government agency to another as they try to report and resolve the crime. And just when they think the nightmare is over, another charge pops up in their name to indicate that the impostor is on the prowl again. "Once you're a victim, you need to be in for a long, long journey," says Stanton S. Gatewood, chief privacy officer and chief information assurance officer at the University of Southern California. He says some victims of identity theft at the university have battled for six years to resolve their cases. Los Angeles, where the university is located, has one of the highest reported incidences of identity theft among American cities, according to the Federal Trade Commission. Mr. Gatewood declines to say how often this type of theft occurs at USC, but says he receives at least one call every two days from someone inquiring about the issue. He says the university, in some cases, still uses Social Security numbers to identify students but hopes to end its reliance on the numbers in about a year. "It's a long, slow process," he says. Within the last six months the institution started issuing new campus identification cards to replace the old ones that had Social Security numbers on them, Mr. Gatewood says. The new card has another nine-digit number on it. Northern Illinois decided to curtail publishing students' Social Security numbers after the Student Senate asked the university last December to stop using the number to identify students. "I had noticed through taking part in my classes that many times attendance was taken by Social Security number," says Kevin J. Miller, who led the petition drive and is now president of the university's Student Association. "Many times, grades were publicly posted by Social Security number, which was sometimes accompanied by a person's name." Administrators partly heeded the petition but told Mr. Miller that the university had budget constraints. Beginning in September, the university will use a new identification number on forms and documents that are widely visible, such as on class lists and grade rolls, says Anne C. Kaplan, the vice president for administration. She acknowledges that the change is a "stopgap" solution, and that overhauling the campus network would cost millions of dollars and take years to complete. Administrators at other colleges who are in the midst of converting their systems away from identifying individuals by their Social Security numbers can understand the university's predicament. The University of Michigan system began replacing the Social Security number with another identifier in 1995 and still hasn't completed the process, says Virginia E. Rezmierski, an expert on privacy issues who is an adjunct associate professor at Michigan's School of Information and the Gerald R. Ford School of Public Policy. Once colleges plug the number into one database, it tends to crop up everywhere as the key identifier for an individual, she says. Colleges that decide to make the investment sometimes find it cost-efficient to do other network upgrades at the same time. The University of Florida, for example, is moving to substantially reduce its use of Social Security numbers, while at the same time working to provide a complete and up-to-date directory of every member of the university community, says Michael Conlon, director of data infrastructure there. The university will move to a new eight-digit identifier for students and faculty and staff members in January. That number, he says, not Social Security numbers, will appear on university identification cards. He says he doesn't know how much the project will cost. Mr. Conlon credits Cory B. Kravit, who graduated from Florida last year, with goading the administration into action. Mr. Kravit was chairman of a Student Senate committee on Social Security privacy, and persuaded the Senate to pass a resolution that asked the administration to stop using Social Security numbers. He joined other student organizations to lobby the Florida Legislature to support a bill that would limit the ability of state agencies, including public colleges, to display the number. The legislation is pending. Also, Mr. Kravit testified before the Ways and Means Committee of the U.S. House of Representatives in May 2001 on the widespread use of Social Security numbers at Florida. Students are outspoken about the issue at the University of Texas at Arlington, too. A measure was introduced into the Student Congress in March that would give prospective students the option of omitting their Social Security numbers from application forms. The measure was not adopted during the last academic year but it will still be considered during the upcoming year, says Christopher H. Featherstone, a junior who is president of the Congress. Students at some colleges are pushing their institutions to stop providing information about them to outside vendors, partly because of fears over identity theft. At Louisiana State University at Baton Rouge, the Student Senate adopted a resolution in March that asks the administration to prohibit the marketing of credit cards on the campus, and to stop the alumni association from providing data about graduates to credit-card companies. Disturbed by Marketing Donald Hodge Jr., a member of the Student Senate and a second-year law student, says he decided to help write the resolution because he was disturbed by what he viewed as aggressive marketing practices by credit-card companies on the campus. The alumni association also was providing graduates' personal information to credit-card companies and other marketing firms, he says. Clifford A. Vannoy, senior vice president of the LSU alumni association, acknowledges that his group has given graduates' names and addresses to a credit-card company. Of the student petition, he says, "I don't have a copy of it, so it's difficult for me to comment on it." Mr. Hodge notes that the university had been displaying students' Social Security numbers on their university identification card, known as the Tiger Card. That practice will stop this fall, says Toni C. Frey, manager of the Tiger Card office. At Brigham Young University, some student journalists went undercover to show how easy it is for someone to assume a student's identity. The journalists went into the campus bookstore and reported purchasing items using other students' credit cards and campus debit cards. The bookstore cashiers didn't check to see whether the photograph on the debit card, known as a Signature Card, matched the student who made the purchases, says Jesse M. Coleman, a senior who co-wrote the article that resulted from the investigation. After the article ran in February in the student newspaper, The Daily Universe, Mr. Coleman says the bookstore started cracking down and checking the photographs on Signature Cards. But they still were not regularly asking for photographic identification when students made credit-card purchases, he says. Students are not the only ones pressing colleges on the Social Security issue. Arizona, California, Maryland, New York, and Wisconsin all have passed laws that restrict colleges' ability to use or display the number. New York's law, which took effect last July, prohibits colleges from displaying an individual's name next to his or her Social Security number. At New York University, the law prompted the university to stop printing Social Security numbers on receipts from on-campus purchases, says John H. Beckman, a university spokesman. Erasing Hard Disks Even more sweeping changes are possible. Austin's Mr. Updegrove says that public colleges may want to reconsider whether they continue to make Internet access freely available to the public in libraries and other computer centers. One way to reduce the risk of identity theft, Mr. Updegrove says, would be to require any user of publicly available computers to show some identification before receiving a password to the network. Colleges could even program their public computers to erase their hard disks and reinstall their software after each user logs off, which Austin has done on some of its computers. "Even if someone put rogue software on [the computer], it would be gone by the time the next person logs in," says Mr. Updegrove. Such a task is not particularly time-consuming or expensive, but it takes skill, he adds. It is easy to pick up a student's Social Security number at Austin, says Mr. Brummett. He recalls walking inside the economics building there last year and finding boxes of exams that included students' names and Social Security numbers. Sheldon Ekland-Olson, the provost, says that administrators are in the middle of figuring out precisely what changes to make in the use of Social Security numbers, and when. "The students are expressing some serious interest in making sure that it gets done, and that has helped motivate us to get it done quicker," he says. http://chronicle.com Section: Information Technology Page: A27
|
Copyright © 2002 by The Chronicle of Higher Education