Student and employee location data will be kept by the university for up to 30 days to aid in contact tracing efforts, according to Oklahoma State University’s reopening plan.
The reopening plan was announced on June 4, 2020, and is publicly available online.
“Leveraging existing campus technology, OSU has developed analytics to identify employee and student movement across the OSU campus via WiFi access points,” the website reads.
In addition to using data from WiFi access points, the plan also specifies class schedules, ID card transactions, and housing and office assignments as data that will be leveraged to aid in contact tracing.
Also of importance is the data that will not be stored. According to the university’s website, no content data is, or will be collected from individual devices. The plan limits the distribution of this location data to University Health Services.
“This location data will be held in extreme confidence and shared only with leadership of University Health Services (UHS) when cases arise for which location information is useful,” the website reads.
The O’Colly reached out to the university and privacy experts to find answers to several questions surrounding implementation of this policy. University officials responded in a collection of written statements through email. Below is an overview of what they had to say, in addition to expert opinions regarding the privacy aspect of this new policy.
1. How specifically is this data being stored, and how is it being secured?
Dr. Christie Hawkins, associate vice president and director of institutional research and analytics, said in a written statement that the location data would be stored on servers that are physically located on campus. The servers are owned by OSU, and not leased through a third-party.
Hawkins said server security would be maintained by university OSU’s information technology department.
2. The Cowboys Coming Back plan reads "Leveraging existing campus technology, OSU has developed analytics to identify employee and student movement across the OSU campus via WiFi access points.” What “existing technology” is being leveraged, and has it been used on campus previously? Basically, is the location tracking technology new, or is it just the analytics that are new this semester?
Hawkins goes on to explain the nature of OSU’s previous use of WiFi access point data. She said while the WiFi access data has been collected by the university for some time, it has never been used by Institutional Research and Analytics.
“Location data is tied to the access point, not the user,” Hawkins said in her statement. “While this data is stored for 30 days by IT, normally it’s only used for things like connection counts and network analysis.”
3. In the age of targeted advertising, near real-time location data on so many individuals is incredibly valuable. What kind of enforceable assurances are in place that the university will not share this data with any third party marketing partners, or use the data for the university’s own marketing decisions? Furthermore, what prevents the university from using this location data to maximize revenues from student spending, even without sharing it with any third parties?
Shanon Rigsby, the university’s public information officer, provided the answer to this question in the same written statement, using information given to her by Hawkins.
“OSU takes the personal privacy of students and employees very seriously,” the statement reads. “Beyond the protection granted to students through the Family Educational Rights and Privacy Act, OSU places the utmost importance on the ethics of how data may be used.”
Rigsby said the OSU Orange Key Account Services agreement gives the university the right to share information from its computing system with the relevant authorities during a health or public safety emergency. She said the data would only be shared with University Health Sciences leadership, and only in relation to necessary contact tracing efforts.
Additionally, she emphasized the limited nature of the data being collected in this manner.
“It is also important to note that WIFI access point data is strictly location data and does not include any device content data,” her statement reads.
Rigsby said this information would only be used by institutional research and analytics in the event of a positive COVID-19 test. She said the data could be used to determine who was in close contact with a COVID-19 positive individual, as well as identifying buildings with multiple positive COVID-19 tests.
“We have never used WIFI data for analytic purposes,” Rigsby said. “It’s solely being used for this health crisis.”
4. Has OSUPD ever previously used student location data collected by the university, and will they have access to this location data? What would prevent them from doing so?
Capt. Colt Chandler of the OSUPD provided a written statement in response to this question. He said OSUPD has previously used device location data for the purpose of recovering stolen property.
“OSUPD has used student location data collected by Rave Guardian/ IT for emergency phone call location and pinging to expedite services,” Chandler said in his statement. “I estimate the practices were put in place after the installation of WIFI access points and with the invention of Reverse 911 technology.”
Rigsby added to this information, saying in her statement that although OSUPD has and continues to use location data to track devices, they will only ever track the devices, and not the students themselves.
5. Would this location data not be considered a record, and what exemptions exist within the Oklahoma Open Records Act that the university could cite to keep this data sealed?
This, more than any of The O’Colly’s other inquiries, seemed to cause disagreement between university officials, and outside education rights and transparency advocates.
In a written statement provided to The O’Colly, Associate General Counsel Brandee Hancock said the location data could legally be kept on a need-to-know basis by the university.
Hancock claims in her statement that employee location data is protected by an exemption within the Oklahoma Open Records Act, while student data is protected by the Family Educational Rights and Privacy Act (FERPA).
After receiving this statement, The O’Colly requested university counsel cite the specific exemptions in both FERPA and the Oklahoma Open Records Act which allowed this data to remained sealed.
In a follow up email, Senior Staff Attorney Gaylan Towle II cited 51 O.S. § 24A.7(A)(2) of the Open Records Act. According to the text of the act, this emption allows personnel records be kept confidential “where disclosure would constitute a clearly unwarranted invasion of personal privacy.”
The protections against disclosure of student location data, however, seem to be less clear-cut.
Towle re-asserted Hancock’s claim that FERPA protects student location data in his follow up email.
“Because of the protection afforded to education records under FERPA, this student location data would not be disclosed pursuant to an Open Records Request,” the email reads.
However, a representative of the Foundation for Individual Rights in Education (FIRE) indicated his disagreement with that assertion. FIRE Senior Research Counsel Adam Goldstein said interpreting FERPA in this manner was a misreading of the law.
“I’m skeptical of that explanation,” Goldstein said. “The core reason I’m skeptical is, this isn’t what FERPA is supposed to do.”
He said there may be privacy laws on the books that the university could use to shield student location data, but FERPA wasn’t it.
“FERPA is just not a general privacy law, it’s just not meant to protect everything that might be private,” Goldstein said. “I think if you carry out the logic that this information is protected by FERPA, you run into a bunch of illogical outcomes, and a bunch of obstacles.”
For example, he said, if this information is covered by FERPA, students have a right to inspect their personal location data.
“So, what provisions have they made for students to be able to inspect their location data?” Goldstein asked.
He said another aspect of FERPA is that it doesn’t just limit the public’s access to information, but institutional access to information.
“FERPA doesn’t just limit access under Open Records Law, it limits access within the institution to people who have a legitimate educational need to see it,” Goldstein said. “Well, this information is not educational, so the list of people who have an educational need to this information is: nobody.”
Goldstein said he also took issue with labeling location data as an educational record.
“There’s things on campus you may be doing that are education related,” Goldstein said. “But there’s things on campus you may be doing that aren’t education related. Like, how does it relate to your education, if you go have a taco?”
“If this information is of you not engaging in any educational activity, then it’s even less educational than it would otherwise be,” Goldstein said. “And I think it’s not particularly educational to begin with.”
However, a transparency advocate who spoke to The O’Colly for this story had a more optimistic assessment of the University’s ability to withhold the location data under FERPA. The Director of the Brechner Center for Freedom of Information, Frank LoMonte, seemed more confident in the university’s ability to claim a FERPA exemption, but emphasized that the specifics of this matter have not yet been litigated. He said it’s difficult to say for certain how courts would rule on this issue, but said the data could be protected by FERPA if it could be used to identify an individual student.
“The threshold question with FERPA, is ‘is this information about a particular, identifiable student, that is stored as part of that student’s permanent record?’ If data is stored with a student’s permanent record, and it identifiably points to a particular student, than it can be covered by FERPA even if it is not educational in nature,” LoMonte said.
He said individual student’s location data would likely be protected by the law. However, if you ask for broad, aggregate data, that information would likely need to be released.
“If somebody just wanted data on, ‘how many students are you tracking,’ or something of that nature, that’s absolutely not protected by FERPA, and that should be readily given out,” LoMonte said.
Despite disagreeing about the strength of the FERPA exemption for student location data, both LoMonte and Goldstein said students should be given access to their own location data if the university intends to attempt to use a FERPA exemption.