
Rv defcon25 ferpa only your grades are safe - leah


  1. FERPA: Only Your Grades Are Safe
     OSINT in Higher Education
  2. Who Am I?
     ● Data Analyst involved in higher education for over 13 years with an interest in data privacy and security
     ● Twitter - @Sweet_Grrl
     ● Email - or
  3. Have You Ever Thought About Your Education Records?
     ● There are education records?
     ● What are education records?
       ○ Basically any records that are
         ■ Related to a student and
         ■ Maintained by an educational agency or institution or parties acting for them
  4. Have You Ever Thought About Your Education Records?
     ● What does that all mean?
       ○ It means ANYTHING the educational institution has collected on you for the ENTIRETY of your stay at said institution.
  5. What is FERPA?
     ● The law applies to ALL schools (in our case, higher education institutions) that receive funds under an applicable program of the U.S. Department of Education.
  6. But Aren’t Those Education Records Safe?
     ● There’s a federal law that protects it, right?
     ● That FERPA thing protects everything, right?
     ● Not just anyone can see my student data, right?
     ● They don’t just hand over stuff for the asking, right?
     WRONG!
  7. So What Does FERPA Do?
     ● FERPA protects EVERYTHING but directory information.
  8. What the Hell is Directory Info?
     ● Education records that have been appropriately designated as "directory information" by the educational agency or institution may be disclosed without prior consent. See 34 CFR §§ 99.31(a)(11) and 99.37.
  9. What the Hell is Directory Info?
     ● FERPA defines directory information as information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed. 34 CFR § 99.3.
     ● This includes Personally Identifiable Information (PII) such as
       ○ Student's name
       ○ Address
       ○ Telephone number
       ○ Date and place of birth
       ○ Honors and awards
       ○ Dates of attendance
       ○ Etc.
  10. How Do I Get Directory Info?
      ● Directory information is a student’s information that may be released without the consent of the student, unless the student has requested a privacy hold
      ● So this means you just go ASK FOR IT.
  11. Proof of Concept
      ● Contacted 10 colleges and universities
      ● 3 said “Fill out a FOIA (Freedom of Information Act) request”
      ● 2 said “Go help yourself to our directory”
      ● 1 said “Give us $50 and we will give you whatever you want”
      ● 5 schools did not respond
      ● 50% return on a few minutes of time
  12. Directory Example: Kansas State Demo
      BEGIN:VCARD
      VERSION:2.1
      TZ:-06:00
      REV:2017-03-12T00:15:57-0600
      N:REDACTED;
      FN:REDACTED
      EMAIL;
      TITLE:Senior-Bakery Science And Mgmt-B,Minor - Business
      TEL;VOICE;HOME;PREF:(913) XXX-XXXX
      ADR;HOME:;REDACTED;Manhattan;KS;66506;USA
      LABEL;HOME;ENCODING=QUOTED-PRINTABLE:REDACTED=0D=0AManhattan, KS 66506=0D=0AUSA
      ADR;HOME:;REDACTED;Overland Park;KS;66210-1304;USA
      LABEL;HOME;ENCODING=QUOTED-PRINTABLE:REDACTED=0D=0AOverland Park, KS 66210-1304=0D=0AUSA
      NOTE;ENCODING=QUOTED-PRINTABLE:This information was retrieved from=0D=0A=
       the Kansas State University People Directory on March 12, 2017.=0D=0A=
       Refer to for current information.
      END:VCARD
  13. Directory Example: UT Austin
      BEGIN:vCard
      VERSION:2.1
      N:REDACTED;;
      FN:REDACTED
      TITLE:REDACTED
      ORG:The University of Texas at Austin;Department of Geological Sciences, Jackson School of Geosciences
      ADR;TYPE=WORK;ENCODING=QUOTED-PRINTABLE:;JSG ;The University of Texas at Austin =0D=0ADepartment of Geological Sciences, Jackson School of Geosciences =0D=0A1 University Station C1100 =0D=0AAustin, TX 78712
      ADR;TYPE=HOME;ENCODING=QUOTED-PRINTABLE:;;REDACTED =0D=0AAUSTIN, TX 78705-4014
      TEL;VOICE;HOME:REDACTED
      TEL;VOICE;WORK:
      TEL;FAX;WORK:
      EMAIL;
      LABEL;TYPE=DOM,WORK,POSTAL;ENCODING=QUOTED-PRINTABLE:The University of Texas at Austin =0D=0ADepartment of Geological Sciences, Jackson School of Geosciences =0D=0A1 University Station C1100 =0D=0AAustin, TX 78712
      LABEL;TYPE=DOM,HOME,POSTAL;ENCODING=QUOTED-PRINTABLE:REDACTED =0D=0AAUSTIN, TX 78705-4014
      PRODID:UTdirectory
      END:vCard
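To see what a directory vCard export like the two above actually exposes, here is an added example (not from the talk or either university) that parses the format, decodes the QUOTED-PRINTABLE values including their soft line breaks, and counts how many non-empty values fall into each directory-information category named on the slides, the check a registrar or data steward could run on an export before releasing it. The vCard text is constructed with placeholder values and the category-to-property mapping is an assumption for the demo.

```python
import quopri
from typing import Dict, List, Tuple

# Constructed sample in the layout of the vCard exports on the slides; placeholder values, not a real record.
SAMPLE_VCARD = """BEGIN:VCARD
N:Student;Example
FN:Example Student
EMAIL;INTERNET:student@example.edu
TITLE:Senior-Bakery Science And Mgmt-B,Minor - Business
TEL;VOICE;HOME;PREF:(913) 555-0100
ADR;HOME:;123 Example Hall;Manhattan;KS;66506;USA
LABEL;HOME;ENCODING=QUOTED-PRINTABLE:123 Example Hall=0D=0AManhattan, KS 66506=0D=0AUSA
ADR;TYPE=WORK;ENCODING=QUOTED-PRINTABLE:;;Example University =0D=0AAustin, TX 78712
TEL;VOICE;WORK:
NOTE;ENCODING=QUOTED-PRINTABLE:This information was retrieved from=0D=0A=
 the People Directory on March 12, 2017.
END:VCARD
"""
Props = Dict[str, List[Tuple[List[str], str]]]  # property name -> [(parameters, decoded value), ...]


def parse_vcard(raw: str) -> Props:
    """Split each property into name, parameters and value; decode QUOTED-PRINTABLE values."""
    props: Props = {}
    # A trailing '=' is a quoted-printable soft line break: the value continues on the next line.
    for line in raw.replace("=\n", "").splitlines():
        if ":" not in line or line.upper() in ("BEGIN:VCARD", "END:VCARD"):
            continue
        head, value = line.split(":", 1)
        name, *params = head.upper().split(";")
        if "ENCODING=QUOTED-PRINTABLE" in params:
            value = quopri.decodestring(value.encode("latin-1")).decode("latin-1")
        props.setdefault(name, []).append((params, value))
    return props


# Directory-information categories named on the slides and the vCard properties that carry them (assumed mapping).
DIRECTORY_FIELDS = {"name": ("N", "FN"), "address": ("ADR", "LABEL"), "telephone": ("TEL",),
                    "email": ("EMAIL",), "major/classification": ("TITLE",), "organization": ("ORG",)}


def exposed_fields(props: Props) -> Dict[str, int]:
    """Count non-empty values per category; a bare 'TEL;VOICE;WORK:' exposes nothing and is skipped."""
    counts: Dict[str, int] = {}
    for category, names in DIRECTORY_FIELDS.items():
        n = sum(1 for name in names for _, value in props.get(name, []) if value.strip(" ;"))
        if n:
            counts[category] = n
    return counts
```

Run against a real export, the per-category counts show which designated fields a student's record actually leaks, which is the list to compare with the opt-out paperwork discussed later in the talk.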
  14. What does a Freedom of Information Act (FOIA) Request look like and what does it get you?
      A FOIA request is simply a written request that describes the records you seek:
        I am seeking to contact your students who might be interested in programs and degrees at SCHOOL. In order for us to reach them, I kindly request your student directory information that is available under the Texas Public Information Act.
  15. What Does the FOIA Get You?
      ● Anything listed as directory information
      ● In the previous example, this information was provided:
        ○ Name
        ○ Address
        ○ Telephone number
        ○ Place of birth
        ○ Major field of study
        ○ Dates of attendance
        ○ Most recent previous educational institution(s) attended
        ○ Classification
        ○ Degrees and awards received
  16. What $50 Can Get You
      ● As per the previous examples, I sent out my standard email:
        ○ I am writing to request a listing of student directory information. What steps do I need to take in order to obtain this information? Additionally, is there a cost involved? Thank you for your help.
      ● School responded and stated that there was a $50 programming fee and to contact the office again if I were interested.
      ● I requested all data that could be classified as student directory information
  17. What $50 Can Get You
      ● Contact stated that they could provide all data I requested, with the exception of email
      ● Sent off $50
      ● Within 10 business days, data was ready
      ● I provided a secure link to upload data
  18. What $50 Can Get You
      On March 10, 2017, student data was uploaded to my account
      ● 22,006 student records containing all the information I had requested, including international student information
      ● And this is COMPLETELY LEGAL
  19. What’s the Big Deal?
      ● Colleges and universities automatically opt in students
      ● Opt-out paperwork is often hard to find and can require multiple steps
      ● This data is not very well protected
      ● Anyone can use it for a variety of purposes
  20. Using Higher Education OSINT
      ● Can use it to construct a false identity
      ● Can use it to get further credentials
      ● Can use it to mess with international students
      ● Can use it for...
  21. Scary Stuff...But Wait, There’s More!
      ● Not only can your directory information (aka education records) be provided, treatment (medical and mental care) records can become education records.
  22. HIPAA and Student Medical Records
      The Standards for Privacy of Individually Identifiable Health Information, known as the HIPAA Privacy Rule, establishes the standards to protect patients' personal health information (PHI). Student medical records (treatment records) are usually protected by HIPAA.
  23. FERPA Loopholes
      Due to the wording of FERPA, records that SHOULD be protected by HIPAA can lose HIPAA protection and become records protected ONLY by FERPA.
  24. When “Treatment” Records Become “Education” Records
      At postsecondary institutions, medical and psychological treatment records of eligible students are excluded from the definition of “education records” if they are made, maintained, and used only in connection with treatment of the student and disclosed only to individuals providing the treatment. See 34 CFR § 99.3 “Education records.” These records are commonly called “treatment records.”
  25. When “Treatment” Records Become “Education” Records
      An eligible student’s treatment records may be disclosed for purposes other than the student’s treatment, provided the records are disclosed under one of the exceptions to written consent under 34 CFR § 99.31(a) or with the student’s written consent under 34 CFR § 99.30.
  26. When “Treatment” Records Become “Education” Records
      If a school discloses an eligible student’s treatment records for purposes other than treatment, the records are no longer excluded from the definition of “education records” and are subject to all other FERPA requirements.
  27. What the DOE Says About It!
      "Under Ferpa, if the institution discloses treatment records to anyone other than the treatment provider or another professional of the student’s choice, the records become education records, and all of the Ferpa provisions," including the disclosure exemptions, "then apply to those records," the statement says. "Thus, Ferpa would permit the treatment records to be disclosed in litigation between the student and the institution if the records are relevant for the institution to defend itself."
      The Education Department’s email to The Chronicle (of Higher Education) in response to a request for clarification.
  28. DOE and Lack of Action
      Despite a “call to action” by DOE in August 2015 requesting feedback by October 2, 2015, NOTHING has been changed.
      seeks-public-input-guidance-protecting-privacy-student-medical-records
  29. Real Life Repercussions of the FERPA Loophole
      This loophole has been exploited publicly.
  30. FERPA and the Rape of Jane Doe
      ● March 2014
        ○ Jane Doe is allegedly gang raped by three members of the university’s basketball team over a 12 hour period in multiple locations
        ○ Jane Doe reports sexual assault to both local police and campus authorities
      ● March 2014
        ○ After reports of rape, university does not begin investigation and approves the three students named to play in NCAA tournaments
  31. FERPA and the Rape of Jane Doe
      ● April 2014
        ○ University formally begins investigation without disclosure
      ● May 2014
        ○ Local district attorney did not move forward due to low possibility of a guilty verdict/insufficient evidence
      ● May 2014
        ○ The three students named are suspended indefinitely from the basketball team
  32. FERPA and the Rape of Jane Doe
      ● May 2014
        ○ Following suspension, the university found the three students guilty of sexual misconduct and banned them from campus for up to 10 years
      ● December 2014
        ○ University administrators required the university counseling center to hand over medical records in preparation for a lawsuit
      ● January 2015
        ○ Jane Doe files lawsuit against university
  33. FERPA and the Rape of Jane Doe
      ● January 2015
        ○ University defends using medical records and cites legality of use under FERPA
      ● January - August 2015
        ○ Case is moved to court
      ● August 2015
        ○ University reaches settlement - $800,000 and four years of paid tuition and housing along with a change in policy for admitting students with a history of sexual assault/misconduct
  34. FERPA and the Rape of Jane Doe
      ● But why does this all matter?
  35. FERPA and the Rape of Jane Doe
      ● The university accessed her medical records, including her mental health records
      ● The university pulled the records in anticipation of the lawsuit, without consent
      ● The university converted them to “education” records, making their use COMPLETELY LEGAL UNDER FERPA
      ● The records were then used against Jane Doe in court
  36. So What Does That Mean For Me?
      ● Your confidential medical records could become records anyone can look at
      ● Your confidential medical records could be used against you
      ● Your confidential medical records could potentially be used negatively in the future
  37. What Can I Do About It?
      ● Opt out of data sharing at ANY institution of higher education you ever attended
      ● Tell everyone you know to do the same thing
      ● Contact your state’s higher education group
        ○
      ● Contact your congress critters
  38. What’s Next?
      ● Explore how to use student data as a pivot to other personal information
  39. Thank You
      Questions? Comments?
  40. Appendix - FERPA, Jane Doe, and Other Articles of Interest