FERPA: Only Your Grades Are Safe
OSINT in Higher Education
Who Am I?
● Data Analyst involved in higher education for over 13
years with an interest in data privacy and security
● Twitter - @Sweet_Grrl
● Email - leahfigueroa22@gmail.com or
sweetgrrl1222@protonmail.com
Have You Ever Thought About Your Education Records?
● There are education records?
● What are education records?
○ Basically any records that are
■ Related to a student and
■ Maintained by an educational agency or institution or parties
acting for them
Have You Ever Thought About Your Education Records?
● What does that all mean?
○ Means ANYTHING the educational institution has collected on you for
the ENTIRETY of your stay at said institution.
What is FERPA?
● The law applies to ALL schools (in our
case, higher education institutions) that
receive funds under an applicable program
of the U.S. Department of Education.
But Aren’t Those Education Records Safe?
● There’s a federal law that protects it, right?
● That FERPA thing protects everything, right?
● Not just anyone can see my student data, right?
● They don’t just hand over stuff for the asking, right?
WRONG!
So what does FERPA do?
● FERPA protects EVERYTHING but directory information.
What the Hell is Directory Info?
● Education records that have been appropriately
designated as "directory information" by the educational
agency or institution may be disclosed without prior
consent. See 34 CFR §§ 99.31(a)(11) and 99.37.
What the Hell is Directory Info?
● FERPA defines directory information as information
contained in an education record of a student that would
not generally be considered harmful or an invasion of
privacy if disclosed. 34 CFR § 99.3.
● This includes Personally Identifiable Information (PII)
such as
○ Student's name
○ Address
○ Telephone number
○ Date and place of birth
○ Honors and awards
○ Dates of attendance
○ Etc.
How do I get Directory Info?
● Directory information is a student’s information that
may be released without the consent of the student,
unless the student has requested a privacy hold
● So this means you just go ASK FOR IT.
Proof of Concept
● Contacted 10 colleges and universities
● 3 said “Fill out a FOIA (Freedom of Information Act)
request”
● 2 said “Go help yourself to our directory”
● 1 said “Give us $50 and we will give you whatever you
want”
● 5 schools did not respond
● 50% return on a few minutes of time
Directory Example
Kansas State Demo - http://search.k-state.edu/
BEGIN:VCARD
VERSION:2.1
TZ:-06:00
REV:2017-03-12T00:15:57-0600
N:REDACTED;
FN:REDACTED
EMAIL;INTERNET:REDACTED@k-state.edu
TITLE:Senior-Bakery Science And Mgmt-B,Minor - Business
TEL;VOICE;HOME;PREF:(913) XXX-XXXX
ADR;HOME:;REDACTED;Manhattan;KS;66506;USA
LABEL;HOME;ENCODING=QUOTED-PRINTABLE:REDACTED=0D=0AManhattan, KS 66506=0D=0AUSA
ADR;HOME:;REDACTED;Overland Park;KS;66210-1304;USA
LABEL;HOME;ENCODING=QUOTED-PRINTABLE:REDACTED=0D=0AOverland Park,KS 66210-1304=0D=0AUSA
NOTE;ENCODING=QUOTED-PRINTABLE:This information was retrieved from=0D=0A=
the Kansas State University People Directory on March 12, 2017.=0D=0A=
Refer to http://search.k-state.edu/ for current information.
END:VCARD
Directory Example
UT Austin - https://directory.utexas.edu/
BEGIN:vCard
VERSION:2.1
N:REDACTED;;
FN:REDACTED
TITLE:REDACTED
ORG:The University of Texas at Austin;Department of Geological Sciences, Jackson School of Geosciences
ADR;TYPE=WORK;ENCODING=QUOTED-PRINTABLE:;JSG ;The University of Texas at Austin =0D=0ADepartment of Geological Sciences, Jackson School of Geosciences =0D=0A1 University Station C1100 =0D=0AAustin, TX 78712
ADR;TYPE=HOME;ENCODING=QUOTED-PRINTABLE:;;REDACTED =0D=0AAUSTIN, TX 78705-4014
TEL;VOICE;HOME:REDACTED
TEL;VOICE;WORK:
TEL;FAX;WORK:
EMAIL;TYPE=INTERNET:REDACTED@utexas.edu
LABEL;TYPE=DOM,WORK,POSTAL;ENCODING=QUOTED-PRINTABLE:The University of Texas at Austin =0D=0ADepartment of Geological Sciences, Jackson School of Geosciences =0D=0A1 University Station C1100 =0D=0AAustin, TX 78712
LABEL;TYPE=DOM,HOME,POSTAL;ENCODING=QUOTED-PRINTABLE:REDACTED =0D=0AAUSTIN, TX 78705-4014
PRODID:UTdirectory
END:vCard
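The two directory exports above share the vCard 2.1 quirks that trip up naive parsers: bare type words (ADR;HOME), quoted-printable values carrying =0D=0A line breaks, and '=' soft breaks that continue a value on the next line. The parser and exposure audit below are an added example, not code from the talk or from either university's directory; they decode such an export and list which personal-contact fields it publishes, and the sample card is constructed.

```python
"""Audit a vCard 2.1 directory export for personal-contact fields.

Added example for this write-up, not code from the talk or from either
university's directory. The property layout mirrors the two redacted exports
above; every sample value below is constructed.
"""
import quopri
from dataclasses import dataclass, field


@dataclass
class Property:
    name: str                                   # "ADR", "TEL", ...
    params: dict = field(default_factory=dict)  # {"TYPE": ["HOME"], "ENCODING": [...]}
    value: str = ""                             # value after quoted-printable decoding


def _unfold(text: str) -> list[str]:
    """Join continuation lines: RFC 2425 folding (leading whitespace) and
    quoted-printable soft breaks (a QP-encoded line ending in '=')."""
    lines: list[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if lines and raw[0] in " \t":
            lines[-1] += raw[1:]
        elif lines and lines[-1].endswith("=") and "QUOTED-PRINTABLE" in lines[-1].upper():
            lines[-1] = lines[-1][:-1] + raw
        else:
            lines.append(raw)
    return lines


def parse_vcard(text: str) -> list[Property]:
    """Parse one vCard 2.1 body into properties; unknown properties are kept."""
    props: list[Property] = []
    for line in _unfold(text):
        head, sep, value = line.partition(":")
        if not sep:
            continue
        name, *raw_params = head.split(";")
        params: dict[str, list[str]] = {}
        for p in raw_params:
            if not p:
                continue
            key, eq, val = p.partition("=")
            if not eq:                 # vCard 2.1 bare type word, e.g. ADR;HOME
                key, val = "TYPE", key
            params.setdefault(key.upper(), []).extend(v.upper() for v in val.split(","))
        if "QUOTED-PRINTABLE" in params.get("ENCODING", []):
            value = quopri.decodestring(value.encode("latin-1")).decode("latin-1")
        props.append(Property(name.upper(), params, value))
    return props


# RFC 2426 ADR component order; the K-State export above drops one slot, so
# real exports should be spot-checked against this layout before trusting it.
ADR_FIELDS = ("po_box", "extended", "street", "locality", "region", "postal_code", "country")


def home_addresses(text: str) -> list[dict[str, str]]:
    """Structured view of every ADR flagged HOME."""
    out = []
    for p in parse_vcard(text):
        if p.name == "ADR" and "HOME" in p.params.get("TYPE", []):
            parts = (p.value.split(";") + [""] * 7)[:7]
            out.append(dict(zip(ADR_FIELDS, (s.strip() for s in parts))))
    return out


HOME_CONTACT = {"ADR", "TEL", "LABEL"}


def audit_exposure(text: str) -> list[tuple[str, str]]:
    """Return (property, finding) pairs for personal-contact fields this export
    publishes with a non-empty value; empty WORK slots are ignored."""
    findings = []
    for p in parse_vcard(text):
        if not p.value.strip("; \r\n"):
            continue
        types = p.params.get("TYPE", [])
        if p.name in HOME_CONTACT and "HOME" in types:
            findings.append((p.name, "home contact detail published"))
        elif p.name == "BDAY":
            findings.append((p.name, "date of birth published"))
        elif p.name == "EMAIL":
            findings.append((p.name, "e-mail address published"))
        elif p.name == "TITLE":
            findings.append((p.name, "major / classification published"))
    return findings


# Constructed sample shaped like the two directory exports (no real person).
SAMPLE = """BEGIN:VCARD
VERSION:2.1
N:Student;Sample;
FN:Sample Student
EMAIL;INTERNET:sstudent@example.edu
TITLE:Senior-Bakery Science And Mgmt-B,Minor - Business
TEL;VOICE;HOME;PREF:(913) 555-0100
ADR;HOME:;;100 Example St;Manhattan;KS;66506;USA
LABEL;HOME;ENCODING=QUOTED-PRINTABLE:100 Example St=0D=0AManhattan, KS 66506=0D=0AUSA
ADR;TYPE=WORK;ENCODING=QUOTED-PRINTABLE:;;Dept Office =0D=0A1 University Station;Austin;TX;78712
TEL;VOICE;WORK:
NOTE;ENCODING=QUOTED-PRINTABLE:This information was retrieved from=0D=0A=
the People Directory on March 12, 2017.
END:VCARD
"""

if __name__ == "__main__":
    for prop, why in audit_exposure(SAMPLE):
        print(f"{prop:6} {why}")
```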
What does a Freedom of Information Act (FOIA) Request look like and what does it get you?
A FOIA is simply a written request that describes the
records you seek.
I am seeking to contact your students who might be interested in programs and
degrees at SCHOOL. In order for us to reach them, I kindly request your
student directory information that is available under the Texas Public
Information Act.
What Does the FOIA Get You?
● Anything listed as directory information
● In the previous example, this information was provided:
○ Name
○ Address
○ Telephone number
○ Place of birth
○ Major field of study
○ Dates of attendance
○ Most recent previous educational institution(s) attended
○ Classification
○ Degrees and awards received.
What $50 can get you
● As per the previous examples, I sent out my standard email:
○ I am writing to request a listing of student directory information.
What steps do I need to take in order to obtain this information?
Additionally, is there a cost involved? Thank you for your help.
● School responded and stated that there was a $50 programming fee and to
contact the office again if I were interested.
● I requested all data that could be classified as student directory
information
What $50 can get you
● Contact stated that they could provide all data I requested, with the
exception of email
● Sent off $50
● Within 10 business days, data was ready
● I provided a secure link to upload data
What $50 can get you
On March 10, 2017, student data was uploaded to my account
● 22,006 student records containing all the information I
had requested, including international student
information
● And this is COMPLETELY LEGAL
What’s the big deal?
● Colleges and universities automatically opt in students
● Opt-out paperwork is often hard to find and can require
multiple steps
● This data is not very well protected
● Anyone can use it for a variety of purposes
Using Higher Education OSINT
● Can use it to construct a false identity
● Can use it to get further credentials
● Can use it to mess with international students
● Can use it for...
Scary Stuff... But Wait, There’s More!
● Not only can your directory information (aka education
records) be provided, treatment (medical and mental
care) records can become education records.
HIPAA and Student Medical Records
The Standards for Privacy of Individually Identifiable
Health Information, known as the HIPAA Privacy Rule,
establishes the standards to protect patients' personal
health information (PHI).
Student medical records (treatment records) are usually
protected by HIPAA.
FERPA Loopholes
Due to wording of FERPA, records that SHOULD be protected
by HIPAA can lose HIPAA protection and become records
protected ONLY by FERPA
When “Treatment” Records Become “Education” Records
At postsecondary institutions, medical and psychological
treatment records of eligible students are excluded from
the definition of “education records” if they are made,
maintained, and used only in connection with treatment of
the student and disclosed only to individuals providing the
treatment. See 34 CFR § 99.3 “Education records.” These
records are commonly called “treatment records.”
When “Treatment” Records Become “Education” Records
An eligible student’s treatment records may be disclosed
for purposes other than the student’s treatment, provided
the records are disclosed under one of the exceptions to
written consent under 34 CFR § 99.31(a) or with the
student’s written consent under 34 CFR § 99.30.
When “Treatment” Records Become “Education” Records
If a school discloses an eligible student’s treatment
records for purposes other than treatment, the records are
no longer excluded from the definition of “education
records” and are subject to all other FERPA
requirements.
What the DOE Says about it!
"Under Ferpa, if the institution discloses treatment
records to anyone other than the treatment provider or
another professional of the student’s choice, the records
become education records, and all of the Ferpa provisions,"
including the disclosure exemptions, "then apply to those
records," the statement says. "Thus, Ferpa would permit the
treatment records to be disclosed in litigation between the
student and the institution if the records are relevant for
the institution to defend itself."
The Education Department’s email to The Chronicle (of Higher Education) in response to a request for
clarification. http://www.chronicle.com/article/Just-How-Private-Are-College/228229/
DOE and Lack of action
Despite a “call to action” by DOE in August 2015 requesting
feedback by October 2, 2015, NOTHING has been changed.
https://www.ed.gov/news/press-releases/department-education-seeks-public-input-guidance-protecting-privacy-student-medical-records
Real Life Repercussions of FERPA Loophole
This loophole has been exploited publicly.
FERPA and the Rape of Jane Doe
● March 2014
○ Jane Doe is allegedly gang raped by three members of the
university’s basketball team over a 12 hour period in multiple
locations
○ Jane Doe reports sexual assault to both local police and campus
authorities
● March 2014
○ After reports of rape, university does not begin investigation and
approves the three students named to play in NCAA tournaments
FERPA and the Rape of Jane Doe
● April 2014
○ University formally begins investigation without disclosure
● May 2014
○ Local district attorney did not move forward due to low possibility
of a guilty verdict/insufficient evidence
● May 2014
○ The three students named are suspended indefinitely from the
basketball team
FERPA and the Rape of Jane Doe
● May 2014
○ Following suspension, the university found the three students guilty
of sexual misconduct and banned them from campus for up to 10 years
● December 2014
○ University administrators required university counseling center to
hand over medical records in preparation of lawsuit
● January 2015
○ Jane Doe files lawsuit against university
FERPA and the Rape of Jane Doe
● January 2015
○ University defends using medical records and cites legality of use
under FERPA
● January - August 2015
○ Case is moved to court
● August 2015
○ University reaches settlement - $800,000 and four years of paid
tuition and housing along with a change in policy for admitting
students with a history of sexual assault/misconduct
FERPA and the Rape of Jane Doe
● But why does this all matter?
FERPA and the Rape of Jane Doe
● The university accessed her medical records, including
her mental health records
● The university pulled the records in anticipation of the
lawsuit, without consent
● The university converted them to “education” records,
making their use COMPLETELY LEGAL UNDER FERPA
● The records were then used against Jane Doe in court
So What Does That Mean For Me?
● Your confidential medical records could become records
anyone can look at
● Your confidential medical records could be used against
you
● Your confidential medical records could potentially be
used negatively in the future
What Can I Do About It?
● Opt out of data sharing at ANY institution of higher
education you ever attended
● Tell everyone you know to do the same thing
● Contact your state’s higher education group
○ https://www2.ed.gov/about/contacts/state/index.html?src=ov
● Contact your congress critters
What’s Next?
● Explore how to use student data as a pivot to other
personal information
Thank You
Questions? Comments?
Appendix - FERPA, Jane Doe, and Other Articles of Interest
http://www.documentcloud.org/documents/1677748-jane-doe-v-university-of-oregon-dana-dean-altman.html
https://www.plainsite.org/dockets/2jilqax1z/oregon-district-court/doe-v-university-of-oregon-et-al/
https://www.scribd.com/document/273536278/Jane-Doe-v-University-of-Oregon-Settlement-Agreement
https://katieroseguestpryal.com/wp-content/uploads/2017/01/Pryal_When_Ferpa_Doesnt_Protect_Students.pdf
http://www.chronicle.com/article/Education-Dept-Seeks-to/232463/
http://chronicle.texterity.com/chronicle/20150313a?pg=18#pg18
https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html

Slide deck: "Rv defcon25 ferpa only your grades are safe - leah" (SlideShare upload by reconvillage)
