To rectify the situation, the department merely required the University to provide written assurance that its administrators understand the requirements of FERPA concerning the release of student information. That was done in a memo dated January 14, and the case was essentially closed.
But a sour aftertaste from the whole experience lingers with some people. Even though they knew it was prohibited, university officials in the spring of 1998 provided the Social Security numbers of 35,000 students, faculty and staff to two private companies as part of its CatCard program. These companies, MCI and Saguaro Credit Union, were attempting to sell people their services, and the University would profit from each person enrolled by the companies.
After intense public outcry, University President Peter Likins admitted the mistake, acknowledged the law had been broken and the Social Security numbers were retrieved. At the same time, U.S. Congressman Jim Kolbe said he would seek a "legislative solution ... to ensure it doesn't happen again."
A few weeks later, William Carpenter filed a complaint with the Department of Education alleging the University had violated FERPA. Carpenter, a pseudonym for a student who prefers to remain anonymous, pointed out the identity theft, privacy invasion and other problems that could result from the release of the information. "The social dangers exemplified by the University's conduct are evident," he told the federal agency.
Carpenter was also outraged at the University motives, writing, "I am very disturbed ... about the ramifications of what appears to have been a quietly-orchestrated, deliberate plan to violate, for a profit, our rights under FERPA...."
A spokesman for the department originally said a finding in the case should be reached within a few months, but the reasons for the delay were several.
After being notified of the complaint in December 1998, and then given two time extensions, UA Attorney Michael Proctor replied on April 1, 1999. He argued in part that under some circumstances the release of the information could have been permissible. Plus, he added, "A single release of a secure, eligibility-validation database ... which release was immediately corrected by the university, does not constitute a pattern or practice of release in violation of FERPA."
Calling that a nonsense argument, Carpenter points out numerous other possible violations by the university of FERPA and says, "they're really not policing this stuff very well. There are still leaks galore." Included among the instances he cites are some university departments until recently making available what he labels "confidential student records" on the Internet.
Carpenter, who requested anonymity because of a series of events concerning his grades and campus activities he believes are retribution for his filing the complaint, also wonders why the University just didn't tell the Department of Education, "We screwed up." He assumes that campus officials wanted to diminish the chance of a class-action lawsuit over the release of the information so they intentionally tried to lengthen the investigation process. "Obviously they tried to delay it," he says, "hoping the statute of limitations for a lawsuit would run out. A lot of people wanted to sue."
But he also admits that much of the delay in resolving the case was caused by the education department. When he visited their offices in Washington, D.C. in 1999, he found only two investigators for the entire country and a three-foot-high stack of complaints that had yet to be investigated.
University spokeswoman Sharon Kha disputes that the UA tried to stretch the process out. "That opinion assumes facts and conduct which are just not true," she says. "Rather than foot dragging, the university responded very quickly. We were extremely aggressive in retrieving the information."
Kha also says she doesn't have any information on the student's allegations of intimidation, and even if she did she couldn't comment on them because of FERPA. But, she points out, retribution on campus is subject to disciplinary procedures.
Local consumer advocate Willy Bils, who helped Carpenter prepare his complaint, believes this case illustrates a severe problem with the use of Social Security numbers as personal identifiers. "We need to prohibit the use of SSNs by all state-funded institutions and activities," he says, "to illegitimize any form of universal identification by an SSN or date of birth. Their use should be limited only to those cases mandated by federal legislation."
Bils also blasts Kolbe for his lack of follow-through. A spokeswoman for the congressman, however, said he did co-sponsor legislation which would have addressed the problem, but the proposed bill has gone nowhere.
One outcome of the CatCard brouhaha that was achieved, though, was the enactment of an Arizona law requiring the university by June 30 of this year to assign identification numbers to all faculty, staff and students that is different from their Social Security number unless otherwise requested. Kha indicates this deadline was met for employees last August, and in late-December the university stopped using Social Security numbers to identify newly-enrolled students.
For the time being, however, that still leaves most students on campus with identification that contains their Social Security numbers. "Current students may change their number anytime," the university spokeswoman says. While the university has not yet made an effort to notify them of that possibility, it does intend to do so, according to Kha.
The lengthy CatCard case has frustrated Carpenter. But, he says, "I had an obligation to show others that if you stand up for what is right, you can't be run off."