Does Information Contained in Systems Logs at Colleges and Universities Constitute Education Records?

Article excerpt

Abstract

In 2001, researchers at the University of Michigan studied the logging and monitoring activities of college and university system administrators. This paper provides a discussion of the study and its recommendations for the handling of log data. To frame the discussion, the authors review the key issues and original intent of the Family Educational Rights and Privacy Act (FERPA). They discuss the results of the current study and explore whether these results are consistent with practices and protections intended under FERPA legislation. Finally, they briefly discuss the potential impact of the USA Patriot Act relative to college and university collection, sharing, and retention of log data containing student transactional information.

Introduction

GROWING TECHNOLOGY DEPENDENCY

Information technology has become an integral part of college and university environments, critical to libraries, institutional business practices, instructional methods, and most noticeably student and faculty communications. As institutions of higher education carry out more of their business and mission over networked information infrastructures, it is increasingly important to provide a secure environment for individual and corporate data. Three basic aspects of security must be ensured: confidentiality, validity, and integrity. Confidentiality is important because academic environments are places of exploration and inquiry. Individuals in these environments must be free to create new ideas and products, protected from the chilling effect of a premature disclosure of not yet fully formed ideas and inventions. The validity of data within systems must be ensured because modified or false data can drastically affect the lives and reputations of individuals, alter the results of research, and disrupt the business functions of the institutions. Systems dependent on network infrastructure must also have integrity. They must be protected from unauthorized intrusion or tampering that can result in damage to resources and denial of services to the community that depends on them.

OPEN ENVIRONMENTS OF INFORMATION SHARING

Campus information technology systems are vulnerable to abuse and misuse because of their complexity. By their nature, colleges and universities maintain diverse, multiple-platform, networked, open environments. These are places where the rapid exchange and sharing of information can occur without unnecessary barriers. Access to information from many different locations by students, faculty, or staff is necessary to maintain this level of information sharing. Censorship and surveillance of work and communication in these communities are incongruous with the mission of the institutions. System administrators often find the campus community's desire for an open environment is in conflict with actions they must take to secure and manage these information technology resources. How can they maintain the openness of these electronic environments while protecting the confidentiality, validity and integrity of the networks?

INCREASED LOGGING AND MONITORING OF SYSTEMS

To solve this discrepancy and fulfill their duties, system administrators have increased logging and monitoring activity. Logging is the collection of machine and network transaction information. Logs can show how many people were using particular machines at a given date and time. They can show how many attempts to access particular data files, applications, or hardware were unsuccessful, and from what machine, location, and time such attempts were made. Logs can also show which resources individual users accessed, how long they used the resource, what the address was of the machine they were using, and even the user's ID and/or account number. System administrators have increased such logging activity primarily to better manage the systems and be aware of potential abuses of systems and individuals. …