A billboard truck trolled public streets around Harvard University, broadcasting the names and faces of students who signed an open letter blaming Israel for the terrorist attack perpetrated by Hamas. As reported by The Harvard Crimson and other outlets, students associated with organizations that signed on to the letter composed by the Harvard Undergraduate Palestine Solidarity Committee have since faced doxing attacks and threats of professional blacklisting. According to the Crimson, four of the blacklisting sites published students’ full names, class years, photos, hometowns and club memberships—all of which is directory information eligible to be published without student consent under the Family Educational Rights and Privacy Act, or FERPA. The very legal framework intended to safeguard student privacy actually enables violating it.
Freedom of speech is not freedom from consequence, as these students are learning. At least nine of the original 34 student organizations that signed the statement later withdrew their support for it. One student leader admitted that she had not read the full statement prior to her organization’s endorsement, and she subsequently resigned from her leadership role. Students who endorsed the letter without careful due diligence will likely be more circumspect in the future, while those who endorsed it in earnest have ample opportunity to learn why many found it so abhorrent.
But the doxing-truck debacle offers another stark lesson—that of FERPA’s obsolescence.
The Family Educational Rights and Privacy Act of 1974 was signed into law as the Buckley Amendment in response to what its principal sponsor characterized as “the growing evidence of the abuse of student records across the nation.” In its original form, FERPA permitted colleges and universities to release directory information without students’ consent, including full names, class years, home addresses and participation in officially recognized activities (like student organizations). Regulations following a 1998 amendment added student photographs, along with email addresses, to the types of directory information that could be made public without consent. (While colleges are required to give students the right to opt out of disclosure of this directory information, a 2020 investigation by the World Privacy Forum found that FERPA notification and opt-out procedures vary from institution to institution, and that many make it unduly confusing or burdensome for students to exercise this fundamental right to privacy.)
The very category of “directory information” belies the utility in publicizing these data: in the days of phone books, sharing printed directories of personal contact information was generally limited to the community of students enrolled in a school and facilitated useful activities like phone trees to announce closures during inclement weather. But in the age of big data, online publication of directory information makes students vulnerable to doxing and other forms of online and real-world harassment. What’s more, educational directory information can be cross-referenced, manually or algorithmically, against social media and other digital identifiers to profile, categorize, sort and target students, exposing them to various forms of exploitation and surveillance.
FERPA itself has always harbored this internal contradiction. It defines personally identifiable information (PII) as any direct or indirect identifier, or “other information that, alone or in combination, is linked or linkable to a specific student.” While it’s easy to assume that FERPA protects personally identifiable information, six types of PII—including student name and date and place of birth—are explicitly considered directory information and therefore eligible for disclosure without consent. Student photographs, for example, convey facial characteristics contained in the FERPA PII definition for biometric records. An additional seven types of directory information—including email address, phone number, student organization membership, even heights and weights for athletes—likely satisfy the PII “linked or linkable” standard.
Notably, the Harvard doxing truck displayed students’ names and photographs, while the other online doxing attacks and professional blacklists documented students’ class years and hometowns—all directory information. Details about student club membership, another piece of directory information, enabled doxers to out students and uncover their social media handles and employment history.
Scholars and educational privacy advocates have long recognized FERPA’s insufficiency for the digital era. In fact, FERPA protections were weakened just as the digitization of education increased the scale, scope and significance of students’ educational records. The school officials provision, added in 2008 to enable third-party access to students’ educational records at a time when colleges were increasingly adopting online learning services and outsourcing other aspects of the student experience, is like a FERPA magic wand: when waved over contractors, consultants, volunteers and others, it transforms them into school officials eligible to access FERPA-protected educational records. And the data flows do not stop there—redisclosure of student data is permitted, and educational records can be passed downstream to other parties that satisfy the generous “school official with legitimate educational interest” standard. Digital transformation in higher education could not occur without the FERPA magic wand that transforms ad-tech companies like Google and Facebook into school officials with legitimate educational interests.
Furthermore, any FERPA protections that survived digital transformation may ultimately be moot, as the 2002 Gonzaga University v. Doe case established that students have no private right of action with respect to potential FERPA violations. Only the U.S. Department of Education can bring action against an institution by threatening its federal funding, a penalty considered so severe it has never been issued. Perhaps this is just as well, as the datafication of education makes it impractical, if not impossible, for students to meaningfully exercise their rights under FERPA to review and correct or otherwise amend their educational records.
Given these provisions—the directory information loophole, the school officials loophole, the redisclosure loophole and the wrist-slap loophole—it is time to acknowledge that FERPA no longer meaningfully functions to protect student privacy. FERPA has fallen.
The systemic failure of FERPA matters because privacy matters to learning. Intellectual privacy enables students—and all of us—to explore ideas, ask questions, discuss preliminary conclusions with close confidants, develop creative works, make mistakes and, perhaps most importantly, change our minds. Neil Richards describes intellectual privacy as a “zone of protection that guards our ability to make up our minds freely” and “protection from surveillance or interference when we are engaged in the processes of generating ideas.” It is intellectual privacy that guards against the chilling effect predicated on fear of social sanction or official punishment—particularly at the fuzzy margin between acceptable and controversial speech.
The chilling effect is palpable in today’s college classrooms. The Knight Foundation reports that 65 percent of students agree that the climate on their campus prevents some people from saying what they believe because others might find it offensive. Fifty-nine percent of students report self-censoring in class; of those, 62 percent do so out of fear of negative reactions or retribution from classmates, according to Heterodox Academy’s 2022 Campus Expression Survey. A Universities of Wisconsin system report suggests that these fears are not unfounded, as 58 percent of students agree that a classmate should be reported to university administrators for saying something in class that others feel causes harm to certain groups of people. Furthermore, while 71 percent of students say privacy is important to develop intellectual ideas, many students do not trust their institutions’ stewardship of their personally identifiable information, including a disproportionate number of students of color and from low socioeconomic backgrounds. This lack of intellectual privacy impairs learning.
Yet students also understand and value this zone of intellectual privacy—even on behalf of those with whom they profoundly disagree. Harvard Hillel, the university’s home for Jewish identity, culture and fellowship, issued a principled call for student privacy:
“Harvard Hillel strongly condemns any attempts to threaten and intimidate co-signatories of the Palestine Solidarity Committee’s statement, including the bus on campus displaying the names and faces of students affiliated with the groups who have signed it. We will continue to reject the PSC’s statement in the strongest terms—and demand accountability for those who signed it. But under no circumstances should that accountability extend to public intimidation of individuals. Such intimidation is counterproductive to the education that needs to take place on our campus at this difficult time.”
FERPA may be obsolete, but intellectual privacy isn’t. Checking the FERPA compliance box is no longer sufficient to protect learner privacy, whether from the relatively harmless intrusions of redisclosure between campus administrative offices or from the larger threats of malicious doxing attacks or profiling by data brokers. It is incumbent on us as educators to determine how to incorporate intellectual privacy into our curricula and the student experience.