(Webmaster's note: This message has been left intact. Spelling, etc, has not been changed.)
The New Catcard and Privacy Concerns
For those of you who don't know me, my name is Terry Bressi and I have worked at the University in one capacity or another for the past 5 years and am currently an engineer at the Lunar and Planetary Lab. The other day I learned that the University of Arizona has released at a minimum the name, address, and social security number of practically every faculty, staff, and student associated with the campus without their consent to two commercial vendors - MCI and Saguaro Credit Union in their attempt to expedite the new Catcard program in violation of multiple internal University policies and state and federal Privacy laws. If interested please read on, otherwise disregard the rest of this email.
Yesterday in the course of obtaining our new Catcard's, Andrew Tubbiolo and I came across some disturbing facts concerning the implementation of this new program. I was checking out a web page at "http://www.catcard.arizona.edu/telecomm.html" that dealt with the long distance services offered by the new card and was surprised to read that accounts are generated and setup automatically for all card holders. I then read down further to the section that explained how to use the calling card and was even more surprised to learn that to use the service all you need to do is enter your social security number and an LD Pin number. This tweaked our curiosity enough to walk over to the temporary Catcard center and get additional information. After arriving, we were presented with a legally binding contract that they wanted signed before the Catcard would be issued and being an individual who almost always reads the fine print, I turned the document over and was amazed to learn that by signing the document, I was subjecting myself to legally binding terms with the long distance commercial carrier MCI and Saguaro Credit Union.
We wanted to find out more about these programs through the vendors so Andrew called MCI at the contact number listed on the contract (1-888-520-8632). He got hold of an individual named Kelly and asked her if he was a current member of the Campus long distance program through the New Catcard program at the UofA. She verified this fact and proceeded to give him a pregenerated LD pin number and his social security number with very little prompting from Andrew and no verification of who he was. Mind you, she already had his social security number (SSN), name, address, and pin number before he had ever visited the Catcard center. Myself and another indivudual decided to test out the system and also called MCI. This time they asked us to verify our identity and then proceeded to verify our social security number and address. Since I don't do business with MCI and I didn't release my SSN, I asked her how she got the information and she replied it was released by the University.
After some more checking around, we walked back over to the Student Rec Center and talked to Liz Taylor who is currently managing the implementation of the Catcard program and she verified with us that they had indeed released this information without prior consent for everyone associated with the University and admitted that they may have made a mistake but that University lawyers were looking for an interpretation of existing laws that would make the information exchange legal. To her credit, Liz Taylor was very forthright with answers to all my questions and was genuinely concerned with this problem.
Next, we did some more digging and found that the release of the SSN was in direct violation of policy #416.0 - Arizona Board of Regents 6-912 dealing with the access and release of employee information and with the Family Educational Rights and Privacy Act of 1974 which only allows the release of predefined "directory information" without prior consent. The SSN is not considered 'directory information'. In addition, special circumstances are outlined where non-public information can be released of which none were met in this instance. The special circumstances outlined included public health and safety, subpoened records, and specific government agents of the institution. Commercial vendors who offer services unrelated to the academic performance hardly fit these criteria. In addition there is a special ruling for social security numbers which state that any institution that asks for the SSN must inform the indivdual being asked whether or not the release is mandatory and to what purpose the release will be used. Needless to say, the University has failed these criteria on all accounts.
I plan to pursue this matter through the Staff Advisory Comittee, the Board of Regents, the state Dept. of Education, and the Federal Policy Compliance Office through the U.S. Dept. of Education whose purpose is to monitor compliance with the Privacy Act of 1974 and has authority to cut Federal Education Funds to any institution that does not comply. The following proposal numbers have been generated through the FRS system and directly pertain to this case:
L909338 - CyberMark LLC (Company contracted to issue the Catcard)
Although I haven't checked, I believe these numbers can be used to reference UofA contracts generated for these companies through the Purchasing Dept.
There was no reason for the Univesity to use this tactic to meet their Catcard goals. With only marginal extra effort, the University could have met the spirit and the letter of all laws and policies by simply having a form where all persons who received the new card could choose whether or not they wanted their personal information to be released to third party commercial vendors instead of forcing it down everyone's throat and compromising everyone's privacy in the process. I pass this information on to you so that you can decided for yourself what actions if any are warranted because the University has shown by example that they are unwilling to let you decide for yourself. I have included all the information that I can think of that's needed to validate my findings. MCI and the Catcard folks will say that the account isn't actually opened until the service is used for the first time but Andrew showed that it's not all that hard for someone to call up with or without a SSN, activate the service which sets up a $150.00 credit line, and start charging long distance phone calls to someone else's account with information provided by the University and made legal when you signed that document to get your new card. Thanks for your time.