During the past few weeks, CMU administrators have held meetings, made policy decisions, and taken action to try to protect students’ privacy. These efforts follow an article published in The Tartan eight weeks ago about the vulnerabilities of using Social Security numbers (SSNs) as student identification numbers. Threats to student privacy and safety at CMU include publishing SSNs on the Web, printing them on cash register receipts, and asking students to state them aloud to make purchases. The easy accessibility of student SSNs is a concern because it increases the likelihood that students may become victims of the increasingly common crime of identity theft.
Business Services has addressed the problems of students verbally stating their SSN to make purchases at Entropy by requiring additional photo identification and student signatures.
“If a purchase is made at Entropy and the card does not scan, for whatever reason, the cashier asks for another photo ID or a social security card,” said Assistant Vice President for Business Services Neal Binstock. “The cashier also asks the customer to provide us with the student ID number, to be entered by hand. The cashiers have been instructed to be as discreet as possible when the need arises to request the student ID number.”
In addition, students using Campus Xpress are now asked to sign their receipts, an action which was not previously required.
“[This is] very similar to when you sign a receipt if you have used a MasterCard or Visa at some other merchant. The practice is also used to provide protection for the student, primarily in the event of a disputed charge on their campus account,” said Binstock.
Binstock said that these changes are in response to ongoing privacy issues related to the use of the student ID number. He added that like any process, it is not 100 percent secure and he encourages students to take responsibility to protect their privacy.
At Entropy, as well as the Computer Store and four off-campus vendors, SSNs are still printed on receipts. According to Binstock, this practice is a standard part of the proprietary software used at those locations, and removing the SSNs from receipts requires a programming change from the software’s supplier. Binstock said that CMU has asked the software vendors to make the necessary programming changes. The vendors, who told Business Services that other universities have already made similar requests, could not, however, commit to a time frame for making the changes.
While Binstock’s staff has worked to find solutions to the risks inherent in CMU’s current practice of using SSNs, it is the responsibility of Enrollment Services to make decisions regarding how students are identified within the University.
“Meetings have been held within the Enrollment Group to discuss this issue and to formulate strategies to reduce student risk,” said John Papinchak, Director of Enrollment Services. He added that changing to a randomly generated student ID number is an integral part of an upcoming redesign of the Student Information System. There is currently no time estimate for that project, according to Papinchak.
Some strategies to reduce risk include efforts to disseminate information about the risks associated with CMU’s widespread use of SSNs.
“Enrollment Services is working on the development of an informational piece to provide students regarding the use of their SSN as their student ID numbers, personally identifiable information, and their ability to request an alternative ID number,” said Papinchak.
Faculty and staff have also been reminded of the importance of maintaining student privacy and exercising care when using SSNs.
“Enrollment Services has had repeated contact with teaching instructors and department staff to inform and to remind them to not post student ID numbers on the Web,” said Papinchak.
He said his department has contacted instructors who posted full or partial SSNs on the Web and told them to stop the practice. In addition, an error on the policy’s Web site has been corrected so that it now indicates that “partial ID numbers should not be posted or used in courses, either in paper or via the Web,” said Papinchak.