Princeton stores student ID data without policy

And starting next year, the dorm room information will not only be recorded but will be securely streamed real-time over the campus Wi-Fi network.

The recent installation of the keyless lock system over the summer, and the planned expansion of its capabilities, is just the latest addition to data-gathering practices that have expanded over the years since the introduction of the TigerCard in 2004. The PUID data are stored in separate databases with separate restrictions on which administrators can view them. However, the University retains the capability to draw on data from different sources to create a composite image of a student’s daily whereabouts on campus.

Policies governing the access and storage of this data have not been updated in conjunction with the data-gathering expansion.

The University currently has no explicit policy that regulates data gathered from students, such as when they use their PUIDs, nor a policy that specifies the length of time this data will be stored for, according to University Spokesperson Martin Mbugua.

Data recorded from student cards currently goes back to June 2010, when a new system was installed. Mbugua declined to discuss the technical details of this new system.

“That seems like a long time,” said computer science professor Ed Felten, the former chief technologist for the Federal Trade Commission and the director of the Center for Information Technology Policy, referring to the two-and-a-half years back to 2010. He said the University should only retain the data for as long as it can be useful, especially for crime investigations. Data stored beyond a certain length of time is unlikely to reveal new crimes, he said.

A possible value for retaining historical data, he said, is to compare when crimes are discovered on campus and when they actually happened. He said that in his judgment, data should only be stored for the period of time when it is reasonable that a crime will be discovered.

But Mbugua said the University does not actively mine its data looking for crimes.

“The University does not search data to see if it reveals an incident,” he said.

‘We know where everybody went’

The new keyless locks, made by Spain-based security company SALTO, register every attempt to open a room door, a feat impossible with the previous brass key locks. SALTO itself advertises its system highlighting this feature.

“Without having to go to the doors we know where everybody went at any point in time,” Marc Handels, SALTO vice president of marketing and sales, said in a company video. According to Mbugua, the University currently stores the identity and specific location of every attempt to open a dorm room.

Get the best of the ‘Prince’ delivered straight to your inbox. Subscribe now »

The advertisement shows that doors are not connected to Wi-Fi, and that door entry information is stored in every card and periodically added to a database through a Wi-Fi connected hotspot.

In a recent interview with a campus security website, however, Michael Mahon, SALTO senior vice president and the official responsible for working the keyless lock deal with the University, told a campus security website that the Princeton system did actually allow for real-time door tracking. “Princeton opted to connect the interior XSR locks via Wi-Fi to enable real-time audit tracking for access transactions, instantaneous lock down and remote door scheduling,” Mahon said. He declined to comment to The Daily Princetonian.

According to Mbugua, the Wi-Fi system will only be available on campus locks in 2013.

In the meantime, dorm room access data is only updated four times a year, the number of times students have to present their cards to a SALTO hotspot to have the card revalidated.

But data gathered from accessing campus buildings is already gathered live by the Department of Public Safety. Warnings are received live by DPS whenever an exterior door is left open for too long, according to Mbugua. A University database also records the identity of every student that enters a building using his PUID.

In any case, the University would not face legal barriers if it sought to record information from students.

“American law doesn’t require a specific authorization for information to be gathered by an institution like the University,” University Counsel Hannah Ross said. The recorded data can be disclosed to third parties in the case of a subpoena or court order but according to Ross this has never been requested.

However, internal offices including Housing, Life Safety and Security Systems, Dining Services, the Office of the Dean of Undergraduate Students and the Department of Public Safety do have access, under different circumstances, to all or parts of this data that can track the location of students throughout the day.

Data access limited to specific officials

There is no uniform access policy for all the PUID-related information. Only “system administrators and authorized staff” have routine access to PUID data, Mbugua said, as part of their work duties.

Most notably, the Office of the Dean of Undergraduate Students has access to all data recorded from the PUIDs. Besides Dean of Undergraduate Students Kathleen Deignan, there is one other ODUS administrator who has access to this data: secretary to the Committee of Discipline, Associate Dean Victoria Jueds.

Data from PUIDs can be used for internal disciplinary and criminal investigations, Mbugua confirmed. The Department of Public Safety, however, only has routine access to building entry data. Any other data that may prove useful in an investigation must be requested from ODUS.

“The request must be with a specific purpose and within a specific time frame,” Mbugua said.

Administrators within the Facilities Life Safety and Security Systems office have routine access only to building and room entrance information. Mbugua said that the official responsible for administering the keyless locks system, Life Safety and Security Administrator Keith Tuccillo, has access to this data.

Housing, Dining Services, and Library administrators only have access to data relevant to their offices. Housing and Dining Services said they did not monitor this information. Library administrators can only match a student with a particular book as long as the book is checked out by the student, Mbugua said.

Mbugua and Information Technology Security Officer Anthony Scaturro declined to identify the specific identity or number of individuals who have access to data recorded from PUIDs, citing concern for the security of the data.

While the University does not have explicit policies regulating the conditions under which authorized administrators have access to student data, the access is restricted to as few people as possible, according to Scaturro.

“The University uses a concept called the principle of least privilege,” Scaturro said. “If a person doesn’t need the data to do his or her job, no access is granted.” He added he did not have access to most University databases.

None of the PUID-associated data are specifically listed in the University’s Information Security policy, but Scaturro said that data not specifically mentioned are considered “confidential,” which is the fourth-highest level in the University’s five-level information sensitivity hierarchy.

Policies provide little specifics

Two departments do have guidelines governing data use — Life Safety and Security Systems Office and the Library. Both acknowledge that data may be disclosed to third parties if a court order or subpoena is issued.

The most specific policy to discuss PUID-related records is the Campus Access Control System privacypolicy, which regulates records associated with door entry. The policy was last updated in October 2010, before the introduction of the keyless lock system, but, according to Mbugua, it regulates both entry to buildings and entry to dorm rooms.

The policy says authorized personnel “shall not use CACS data to investigate the whereabouts of a specific individual.” However, data can be monitored “as required for internal control, governmental regulations or other legitimate business purposes.”

But, the University does not have an overarching policy regulating PUID-associated data as a whole, and policies governing access to certain types of data do not provide specifics on how data can be stored or for what length of time. It is not clear whether federal law that governs University handling of student data applies to PUID data.

Mbugua said data retention policies are governed by the overall University guidelines on data retention, which outline rules for the handling of University records, including student academic information. There are no specifics related to the PUID. The University records retention website also has a section on records held by Public Safety, but that section is currently under construction.

In addition, the University Information Security policy does not address the length that data gathered from students will be stored for.

“The policy is designed to be a framework and not a data classification library,” Scaturro said.

In addition, there is one federal act that protects the confidentially of students’ educational records. The Family Educational Rights and Privacy Act, however, does not detail how long records should be kept for and leaves this decision to the discretion of every school.

The University defines educational records as “those records, files, documents and other materials that contain information directly related to a student and that are maintained by the University.”

These records can also be disclosed to school officials for educational reasons. Students serving on University committees, such as the Committee on Discipline, are considered school officials, in addition to employees “fulfilling their professional responsibilities,” according to Ross, the University counsel.

But the University is unsure whether card data can be considered an education record under FERPA law in the first place.

Ross said she believes it is “likely” that the data is covered under the act. However, due to the uncertainty, Princeton protects this data as if it fell under FERPA.

Frank LoMonte, a specialist in FERPA law and executive director of the Student Press Law Center said, however, that the data probably does not fall under the act. A record only becomes regulated by FERPA when an individual record is put together, he said.

In that case, though, “that doesn’t mean [the data] is not legally confidential,” LoMonte said.

FERPA also allows any student to ask for his or her personal information kept under the act to be disclosed. In general, Mbugua says there is good reason to keep records of student data.

“In every area you look at there is a reason why the data is being noted or recorded. The primary reason is to provide services to students,” he said.

For Scaturro, who said he had attended some of the meetings between the University and SALTO before the installation of the keyless locks system, there are safety reasons why the University would monitor the data.

“If there is an emergency or a kind of situation that involves violence ... it would be nice to know who is in the building,” he said. “I can vouch for the fact that invasion of people’s privacy is definitely not something that was even suspected [in these meetings].”