Miami University student I.D. cards may be used for more than just swiping into buildings or buying lunch. In fact, student I.D. cards also store students’ personal identification numbers and chronicle the cardholder’s activities.
Student I.D. cards have the student’s plus number encoded in the magnetic strip and also have a PIK number on the chip on the card, which is a unique number to identify the I.D.
According to Joseph Bazeley, information security officer for IT Services, when the magnetic strip is swiped, the reader is able to pull out the plus number, which is then recorded in the system.
“While there is little information actually stored on the card, it is important to remember that the vast majority of student information is stored in BannerWeb, and we have the ability to link other systems to Banner to either access or store information,” Bazeley said. “The badge access system does contain some information about students, which is accessible to a Miami employee accessing the badge access system through a workstation.”
According to Miami University Police Department (MUPD) Lt. Benjamin Spilman, the ability to track student activity based on card swipes is not new or exclusive to the “smart cards,” which were first issued to students living in dorms this fall.
“With the old I.D. cards, whether you used it at a point of sale, at Shriver Center or at a dining hall or anywhere else with a magnetic swipe reader, there’s always been that ability to find that information after the fact,” Spilman said.
Logged and loaded
Whether a student has the new or old-style I.D. card, a transaction log within the swipe access software tracks card activity. For the new cards, this log also records when a student uses their card to open a door or if they have attempted to access a room they don’t have access to. Those records, however, are FERPA protected, meaning the university isn’t actively monitoring them.
“We would only go looking through these records when a Miami employee had a legitimate need to see that information, and when we did that we would only be looking for the specific information that was requested,” Bazeley said.
One such request would be to aid in a police investigation, during which Bazeley said law enforcement would need a subpoena to access the records. However, unlike other law enforcement agencies, Spilman said MUPD does not need such an order to access the information because it is stored on Miami’s servers.
“To my knowledge, there’s not a subpoena issued for that information,” Spilman said. “[Issuing a subpoena] is not something that typically has to be done.”
Spilman added that MUPD rarely uses the information collected from Miami I.D. cards in investigations, instead opting for other techniques.
“Like so many other things, it’s a resource,” Spilman said. “Having the resource available doesn’t mean that it’s used every single investigation. I think [student I.D. card records] are probably very rarely used.”
‘It takes more than a phone call’
Another example of a records request that would be approved includes releasing the data for use in a disciplinary hearing with the Office of Ethics and Student Conflict Resolution (OESCR), Miami’s student court, to confirm whether or not a student had swiped into his/her room around the time he/she said.
Susan Vaughn, director of OESCR, said the records are rarely accessed and are mainly used for safety purposes.
“The records are accessed by our office maybe once or twice a year,” Vaughn said. “I could see other offices might need them to verify whether or not a person has actually been on campus.”
Although data can be accessed if necessary, Vaughn said it is not necessarily being collected, but it is being stored. Therefore, students should expect a lot of privacy because there has to be a really good reason to access the records.
“It’s kind of like how much money is in your account. Well, who has the right to know that? Not a lot of people. So I would say laws would govern that, and students should expect a high level of privacy because that’s what we tell students,” Vaughn said.
During a hearing with OESCR, students have the right to see everything in their file and can verify the information, including when they used their I.D. cards, Vaughn said.
According to Bazeley, removing identifying information from an I.D. card would prevent students from being able to use a meal plan, the Recreational Sports Center, checking out at the library, paying for printouts, vending machines and numerous other things, so it’s necessary to keep that information on the cards.
Still, in an effort to protect student privacy, Vaughn said it takes more than a phone call to access the records and the school also documents any record requests.
“It’s probably going to take more than a phone call saying ‘hey, give me some records,'” Vaughn said. “They’re going to want to know why you want them.”
Despite the safety benefits and technical necessities of storing data generated from the use of student I.D. cards, the collection of personal information does not sit well with every Miami student.
Sophomore J.D. Armor, who uses the new I.D. card to access his dorm room in Scott Hall, was unaware that select Miami faculty has the ability to view his whereabouts based on his swipe activity.
“It almost feels like Big Brother, being tracked like that,” Armor said. “It’s not that I didn’t realize they could probably collect it, but to use (my swipe data) in ethics hearings or something like that seems invasive.”
According to Bazeley, the university is committed to maintaining student
records safely and securely. The records are housed within the secure data center, which is regularly patched with anti-virus and firewall measures.
Bazeley also said any information collected from I.D. card activity is stored on Miami’s servers for one year before being deleted, per the school’s record retention policy.
“The records will be stored for one year and then they are destroyed,” Bazeley said. “Pretty much every record that Miami creates in the course of doing business falls into some form of a records retention schedule, and the time frame for the door logs was confirmed by the university secretary who maintains that records schedule.”
Still, Armor said many of his friends were surprised to learn about just how much the school could know about her schedule.
“I don’t really think it’s something people think about,” Armor said. “Most of my friends probably never considered the possibility of someone knowing when they went in and out of their room. It’s not a normal thing to worry about.”
While Vaughn acknowledged that the system is not perfect, she still believes the security benefits of the new system outweigh the privacy concerns.
“I think it’s a really, really good idea to have the swipe access,” Vaughn said. “I guess a side note is that it does allow you to see if a student has entered in or out of (their rooms), but I think it has more safety value, like if your swipe is stolen you can actually shut it off.”