inc-student - Re: [InC-Student] FERPA, and Shibboleth, and the uApprove extension

Subject: InCommon Federation Discussions About Online Student Services

  • From: Brendan Bellina <>
  • To: Karen Schultz <>
  • Cc: "" <>, inc-student <>
  • Subject: Re: [InC-Student] FERPA, and Shibboleth, and the uApprove extension
  • Date: Mon, 11 May 2009 15:00:44 -0700

What is required for an authentication event to be sufficient to be used as an electronic signature?

Brendan

On May 11, 2009, at 2:27 PM, Karen Schultz <> wrote:

Steve –

Under FERPA, student consent trumps everything.  If the student is appropriately authenticated and that authentication is sufficient to qualify as an electronic signature, then the institution is considered to have collected the student’s consent and is permitted to release the specified information.

Karen

Karen Schultz
University Registrar
Penn State University
114 Shields Building
University Park, PA 16802
(814) 863-3681


From: []
Sent: Monday, May 11, 2009 12:32 PM
To: inc-student
Subject: [InC-Student] FERPA, and Shibboleth, and the uApprove extension

 

Recently I sent a query to the ICPL email list, asking for opinions as to whether the Shibboleth uApprove mechanism is "FERPA compliant". I've pasted my original query in at the bottom of this note.

 

I got two responses -- both from lawyers who are familiar with FERPA and its interpretations (the responses came from Tracy Mitrano and Peg O'Donnell). I've pasted their responses in at the bottom of this note. They said that if we authenticated the user, and interpreted their clicking "Approve" as signed and dated consent, then yes, this mechanism would be FERPA compliant.

 

I know this list includes some Registrars... I would be curious to hear your thoughts on the FERPA compliance question.

 

Thanks!


At 11:33 AM -0400 4/17/09, wrote:

From:

Subject: FERPA and Shibboleth

I work with the Shibboleth project, and I'm looking for opinions about how FERPA relates to a Shibboleth extension developed by our Swiss partners.

Shibboleth (http://shibboleth.internet2.edu) is a Web Single Sign-On system (SSO). It can be used both within a campus and cross-domain -- providing SSO capability with external services. Shibboleth also provides for the filtered release to a Service Provider (SP) of LDAP directory attributes describing the browser user. The filters can be specific to each SP. For the library use case, the only released attribute may be a persistent opaque identifier, allowing personalization at the SP site without releasing any PII. For software from Microsoft (https://downloads.channel8.msdn.com/), the attributes MUST include Affiliation=student. For discount airline tickets, the attributes may include affiliation, name, and email address.

In some of these cases, for students who have opted out under FERPA, this attribute information could include attribute information that the institution may not be allowed to release to external SPs. I'd note that many external SPs are providing services related to instruction (e.g. WebAssign, iTunes, etc.), and thus should qualify for the FERPA "loophole". There are, however, SPs that are not so closely tied to instruction -- e.g. discount air tickets. In these situations, I believe that FERPA would prohibit release of the attribute information. In addition, an institution's privacy policy (if there is one) might prohibit release.

SWITCH, the Swiss Higher Education and Research Network, has developed uApprove (http://www.switch.ch/aai/support/tools/uApprove.html), an extension to the Shibboleth Identity Provider component. It allows a browser user to approve or block the release of attribute information the first time they access each SP. (The user's decision is logged.) If you'd like, go to the uApprove site and try it yourself, using their demo accounts. (Scroll down to "There is a demonstration site, where you can see the ArpViewer in action.") (Note -- ArpViewer was an earlier name for uApprove.)


A campus could configure Shibboleth such that releasing attributes X, Y, and Z to any SP in InCommon (the US Higher Ed Federation) would require user approval (e.g. for attributes Name, eduPersonPrincipalName, email, etc.).

My question is -- if a site deploys Shibboleth in this manner, and a student clicks "Approve" to release attributes to a specific external SP, does that action constitute Approval under FERPA?

 

Tracy Mitrano replied:

 

At 11:51 AM -0400 4/17/09, Tracy Mitrano wrote:

My first thought is that if the student approves, there is no problem.  FERPA constrains institutions that maintain education records, but the student may release attributes (which, whether covered under FERPA or not, as directory information, is another question entirely) or even their entire transcript if they so choose.  
The law does not prohibit a student's release of an education record related to the student him or herself.

 

Peg O'Donnell replied:

 

At 1:25 PM -0400 4/17/09, O'Donnell, Margaret wrote:

From your description it sounds like the student gives their approval
for the school to release the necessary data by clicking on the approval
button. If that is the case, I would apply the electronic signature
analysis which is as follows:

Sec.  99.30     (d) ``Signed and dated written consent'' under this part
may include a record and signature in electronic form that--
    (1) Identifies and authenticates a particular person as the source
of the electronic consent; and
    (2) Indicates such person's approval of the information contained in
the electronic consent.

So you would need to be comfortable saying there was identification and
authentication as well as approval.
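
The mechanism described in the original query (per-SP attribute filters plus a uApprove-style approve/block decision that is logged), modelled as an added example that is not part of any message in this thread and is not Shibboleth or uApprove code. The policy table, attribute values and every class and function name are constructed; reusing a logged decision on later visits and storing the authenticated principal and timestamps in the record are assumptions, chosen to line up with the two elements of Sec. 99.30(d) quoted above.

```python
"""Model of per-SP attribute release behind a consent gate (hypothetical names)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed per-SP release policy: the attributes each SP may receive.
RELEASE_POLICY = {
    "https://library.example.org/sp": {"persistent-id"},
    "https://tickets.example.com/sp": {"affiliation", "name", "mail"},
}
# Attributes the campus has chosen to release only with user approval (assumed).
CONSENT_REQUIRED = {"name", "eduPersonPrincipalName", "mail"}

@dataclass(frozen=True)
class ConsentRecord:
    principal: str       # authenticated person: the source of the consent
    authn_instant: str   # when the IdP authenticated that person
    sp: str              # the one SP this decision applies to
    attributes: tuple    # exactly the attributes shown on the approval page
    decided_at: str      # date of the decision
    approved: bool

class ConsentGate:
    def __init__(self):
        self.log = []    # append-only decision log

    def _prior(self, principal, sp, needed):
        for rec in reversed(self.log):
            if rec.principal == principal and rec.sp == sp:
                # An earlier decision only covers the attributes it listed.
                return rec if needed <= set(rec.attributes) else None
        return None

    def release(self, principal, authn_instant, sp, user_attrs, decision=None):
        """Return the attributes to send to sp, or None if pending or blocked."""
        allowed = RELEASE_POLICY.get(sp, set())   # unknown SP receives nothing
        candidate = {k: v for k, v in user_attrs.items() if k in allowed}
        needed = set(candidate) & CONSENT_REQUIRED
        if not needed:
            return candidate                      # e.g. opaque identifier only
        rec = self._prior(principal, sp, needed)
        if rec is None:
            if decision is None:
                return None                       # approval page must be shown
            rec = ConsentRecord(principal, authn_instant, sp,
                                tuple(sorted(needed)),
                                datetime.now(timezone.utc).isoformat(), decision)
            self.log.append(rec)
        return candidate if rec.approved else None
```
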

 



