InCommon Federation Discussions About Online Student Services

Title: FERPA, and Shibboleth, and the uApprove extension

Recently I sent a query to the ICPL email list, asking for opinions as to whether the Shibboleth uApprove mechanism is "FERPA compliant". I've pasted my original query in at the bottom of this note.

I got two responses -- both from lawyers who are familiar with FERPA and its interpretations (the responses came from Tracy Mitrano and Peg O'Donnell). I've pasted their responses in at the bottom of this note. They said that if we authenticated the user, and interpreted their clicking "Approve" as signed and dated consent, then yes, this mechanism would be FERPA compliant.

I know this list includes some Registrars... I would be curious to hear your thoughts on the FERPA compliance question.

Thanks!

> > At 11:33 AM -0400 4/17/09,  wrote:
> > > : 
> > From: 
> Subject: FERPA and Shibboleth
> I work with the Shibboleth project, and
> I'm looking for opinions about how FERPA relates to a Shibboleth
> extension developed by our Swiss partners.
>
> Shibboleth (http://shibboleth.internet2.edu) is a Web Single SignON
> system (SSO). It can be used both within a campus and cross-domain --
> providing SSO capability with external services. Shibboleth also
> provides for the filtered release to a Service provider (SP) of
> ldap-directory attributes describing the browser user. The filters can
> be specific to each SP. For the library use case, the only released
> attribute may be a persistent opaque identifier, allowing
> personalization at the SP site without releasing any PII. For software
> from Microsoft ( https://downloads.channel8.msdn.com/ ), the
> attributes MUST include Affiliation=student. For discount airline
> tickets, the attributes may include affiliation, name, and email
> address.
>
> In some of these cases, for students who have opt-ed out under FERPA,
> this attribute information could include attribute information that
> the institution may not be allowed to release to external SPs. I'd
> note that many external SPs are providing services related to
> instruction (eg WebAssign, iTunes, etc), and thus should qualify for
> the FERPA "loophole".  There are, however, SPs that are
> not so closely tied to instruction -- eg discount air tickets. In
> these  situations, I believe that FERPA would prohibit release of
> the attribute information. In addition, an institution's privacy
> policy (if there is one) might prohibit release.
> SWITCH, the Swiss Higher Education and
> Research Network, has developed uApprove
> (http://www.switch.ch/aai/support/tools/uApprove.html ), an extension
> to the Shibboleth Identity Provider component. It allows a browser
> user to approve or block the release of attribute information the
> first time they access each SP. (The user's decision is logged.) If
> you'd like, go to the uApprove site and try it yourself, using their
> demo accounts. (Scroll down to "There is a demonstration site,
> where you can see the ArpViewer in action."). (Note --ArpViewer
> was an earlier name for uApprove.)
> A campus could configure Shibboleth such that releasing attributes X,
> Y, and Z to any SP in InCommon (the US Higher Ed Federation) would
> require user approval.. (eg for attributes  Name,
> eduPersonPrincipalName, email, etc).
>
> My question is -- if a site deploys Shibboleth in this manner, and a
> student clicks "Approve" to release attributes to a specific
> eternal SP, does that action constitute Approval under FERPA
> ?

Tracy Mitrano replied:

At 11:51 AM -0400 4/17/09, Tracy Mitrano wrote:

> My first thought is that if the student
> approves, there is no problem.  FERPA constrains institutions
> that maintain education records, but the student may release
> attributes (which, whether covered under FERPA or not, as directory
> information, is another question entirely) or even their entire
> transcript if they so choose.  
> The law does not prohibit a student's release of an education record
> related to the student him or herself.

Peg O'Donnell replied:

At 1:25 PM -0400 4/17/09, O'Donnell, Margaret wrote:

> From your description it sounds like the
> student gives their approval
> for the school to release the necessary data by clicking on the
> approval
> button. If that is the case, I would apply the electronic
> signature
> analysis which is as follows:
>
> Sec.  99.30     (d) ``Signed and dated
> written consent'' under this part
> may include a record and signature in electronic form that--
>     (1) Identifies and authenticates a particular
> person as the source
> of the electronic consent; and
>     (2) Indicates such person's approval of the
> information contained in
> the electronic consent.
>
> So you would need to be comfortable saying there was identification
> and
> authentication as well as approval.