Arizona Daily Wildcat April 3, 1998
Privacy issues still surround CatCard
UA officials originally envisioned a universal identification card that would conveniently connect many on- and off-campus functions, but some cardholders are concerned that the university may have gone too far in its quest for seamless services.
According to the University of Arizona's contract with card provider CyberMark, the UA's CatCard goals include establishing a unified identification and transaction card system that would provide access to a variety of on-campus services and off-campus businesses and ensure that current information systems could be expanded in the 21st century.
The CyberMark contract, obtained yesterday by the Arizona Daily Wildcat after a 10-day wait for information requested under the Arizona Public Records Law, states the university plans to eventually have an "affiliate database," which would consolidate information now scattered among various university departments, CatCard Director Elizabeth Taylor said.
"An example of what the database could do is enable students to change their address once, instead of having to go to every department on campus and change it there," she said. "It would be much more convenient."
The initial focus of the database is "locator information" like Social Security numbers, bank accounts and graduation dates. Future plans include adding additional biographical and demographic data to the system, the contract states.
But Terrence Bressi, a Lunar and Planetary Lab engineer who first raised questions of CatCard invasion of privacy last month, said in an e-mail Wednesday that such a stockpile of information is adding insult to injury.
"The University, through existing policy, is blatantly disregarding the privacy rights of everyone associated with the University. I have NOT been asked if I wish to participate in the University's 'Affiliate Database Project,' nor have I been asked if it is all right if a private entity has access to my information," Bressi wrote.
Bressi began researching the privacy issue when he called MCI regarding the calling card feature of the new CatCards and was asked to verify his Social Security number.
Since his initial discovery, Bressi has sent numerous e-mails regarding his findings to various campus listservs.
University attorneys then realized that CatCard officials had released student, staff and faculty Social Security numbers to Saguaro Credit Union and MCI Telecommunications Corp.
University Attorney Michael Proctor said it is likely the university violated state and federal law by releasing the information. The Family Education Rights and Privacy Act prohibits universities from releasing "personally identifiable information" without students' consent.
Taylor said CatCard officials, in their zeal to streamline services, released the Social Security numbers to MCI only to be used as authorization codes.
"I am embarrassed by this oversight," Taylor said. "In hindsight, it was wrong."
MCI has since purged the Social Security numbers from its computers and has agreed not to solicit to students, faculty or staff, Taylor said.
People who want to activate the MCI calling card feature of their CatCards must now call MCI customer service to set up an account. Before the privacy issue arose, cardholders could simply call MCI and activate a pre-existing account by verifying their Social Security numbers.
Bressi, who obtained portions of CyberMark's proposal from UA Procurement and Contracting Services, also questioned in his message how much information is stored on the CatCard.
Documents CyberMark sent to the UA show that the smart chip has the ability to store information including name, home and campus addresses, date of birth, race, graduation date, university affiliation and residence hall name and number. It also has room for other unspecified bits of information.
Taylor, however, said the UA decided to include only basic information on the cards.
The information on the magnetic strip includes name, student or employee identification number, ISO number, and bank PIN number if the cardholder has a Saguaro account. The Smart Chip contains the student or employee number, name, ISO number, date of birth and university affiliation, CatCard application forms state.
"The only information stored on the card is what is on the form students signed when they received their CatCards," Taylor said.
Part of the university's switch to the new CatCards included removing Social Security numbers from the face of the cards and replacing them with ISO numbers. ISO numbers are 16-digit codes that work with the Saguaro Credit Union debit system and are similar to credit card numbers.