Personally Identifiable Information
Personally Identifiable Information, or PII is a hot topic these days. Google “Personally Identifiable Information” and you will get nearly 17 million matches — mostly government and business policies on protecting it. Generally, these policies dictate that an entity will collect no more information than it needs to perform a specific function, will share that information with only those who need the information to perform the function, and will protect that information from unauthorized access.
Policy is not always enforced and from time to time we learn that some entity has inappropriately shared our PII. Sometimes this breach of confidentiality results in harm to an individual’s finances, reputation, or physical well being.
TRSD Policy JRA-R describes the acceptable use and protection requirements for student information. Unfortunately, the policy is routinely violated — if it is ever enforced at all. Earlier this year, my TRSD student was marketed to by a private company that employs some Timberlane employees. The Timberlane employees illegally obtained directory information and provided it to their other employer who used that information to sell to a minor. I alerted the Superintendent of Schools to this ethical lapse and possible criminal behavior on 5/14/2013 and was assured on 5/14/2013 that “This is being addressed system wide this week.” I have heard nothing since.
Despite not having an effective program of PII protection, Timberlane this week asked us to provide a LOT of information that they do not need to educate our kids to an untrusted third party through an insecure database. I encourage all parents to contact the SAU and ask that this database be taken offline and purged of all PII data. Here’s why…
I do not know much about InfoSnap, but I noticed two things about this database that disturb me. First, I was allowed to access my child’s personal information after entering a fifteen digit code that was mailed to me. Anyone could have taken this document out of my mail box and accessed and modified information about my minor child. Since parents were not alerted to the mailing, stolen letters would not likely have been noticed or reported. An attacker would not even need the letter. While the fifteen digit code may look secure, it is only really secure if you are trying to access a specific account. Because infoSnap is infiltrating a LOT of schools and issuing a LOT of snapcodes, a person or program would be able to access some record by entering similar codes.
Timberlane could have made this system infinitely more secure by distributing the letter and code separately and not associating the code with the application. Even better, InfoSnap could have prefixed all TRSD snapcodes with a PIN that could have been distributed via the Alert Now phone notification system. Even better, before providing access to the database, a user could be presented with a challenge (the child’s date of birth and homeroom are pre-populated and would be a suitable challenge).
The second thing that bothers me is that autologon is enabled and lastlogon is preserved. Autologon allows a web page to remember the last user. If this is enabled, the next person to use the system is presented with the username of the previous user and only needs to guess a password to gain access. Even if you do not check ‘Remember me’, simply clicking on the Email Address field will reveal a list of entries that includes the username of the last user. It’s a poor practice to use an email address as the userid. Chances are the the email and Infosnap accounts share the same password, so a breach of one is a breach of both. In other words, both accounts are protected by the lowest level of security. The password requirement is for six characters. 123456 and password are both valid passwords.
Assuming we want to put our children’s PII on the internet, a better registration process would have looked like this…
- automated call to parents alerting them to the mailing of the InfoSnap letter
- including a four digit PIN which combined with a mailed snapcode would provide first access to the system
- warning them to contact the school if the letter was not received by a certain date
- registration process challenging parents for evidence of eligibility for access (dob of child, homeroom of child)
- userid which is not an email address
- no option to save userid on computer
- no caching of userid values
- strong password requirement
We should protect our kids at least as well as we protect out debit cards.
Let’s talk about the data TRSD is putting at risk. As far as I am concerned, none of the following are required to educate a child. Putting this information at risk is unnecessary and therefore not allowed…
- Child’s Place of Birth
- Primary Language
- Student’s Mailing Address (if different from parent)
- Does father reside at address of student
- Does mother reside at address of student
- Parents’ Employer/Occupation
- Employer Address
- Parent/Guardian’s Primary Language
- Unenrolled Children Living at Address of Student (with their PII)
- Student’s Physician
- Student’s Dentist
- Medicaid Coverage
- Private Insurance Coverage
- List of Prescription Medications
- Medical Conditions
- Physician for ‘Special Medical Conditions’
- Special Medical Conditions
- Contact Information for ‘At Least’ Two Neighbors or Relatives (with their PII)
What should you permit the school to store on InfoSnap? Nothing. What little information is required to facilitate the education of a child should be stored in a locked room accessed only by trained and trusted custodians.
The last page of the registration process is an electronic signature with no specific purpose…
The electronic signature below and its related fields are treated by Timberlane Regional School District like a handwritten signature on a paper form.
I assume this somehow acknowledges that acceptance of risk, but that is not stated and I would not sign a blank form for anyone.
Finally, the database was pre-populated, so too much information was put at risk without parental oversight.