Students’ Expectation of Privacy: Legal and Ethical Considerations


Chula G. King
The University of West Florida


The Internet is having a profound impact on the growing availability of substantive information. Nowhere is this more evident than in academic institutions where the use of electronic resources is becoming increasingly vital for education and training. Much of the information that is needed by students for completion of assignments and research papers is proprietary. The information is available from online services that provide numerous databases containing journal articles, statistics and other information. More and more colleges and universities subscribe to these online services and make them available to their students via the Internet. When students access online services that utilize privacy invasion techniques such as cookies, web bugs and port scans, their expectation of privacy may be unknowingly compromised. This can have legal consequences for colleges and universities making the online services available to students. In addition, it can have ethical ramifications for professors who require Internet based assignments, and by doing so place their students in privacy compromising environments.

In the United States, the legal consequences relate to the Family Educational Rights and Privacy Act (FERPA). Enacted in 1974, FERPA seeks to ensure the confidentiality of student records and personally identifying information by preventing their disclosure to unauthorized persons without express written consent. Educational institutions that fail to abide by the provisions of FERPA are denied federal funding.

The ethical ramifications revolve around the trust relationship that must be established between the professor and student. That trust relationship requires the professor to not only respect the student per se, but also ensure confidentiality of student information. When that confidentiality may be compromised, the professor has a responsibility to inform the student of the potential compromise. To do this, the professor must be knowledgeable of the environment to which his or her students are exposed.

This study and examines the degree to which personally identifiable information may be unknowingly released when students use the Internet to complete class assignments and conduct research. The data source consists of 31 online services that provide access to numerous journal articles and other information. With each service, online click through behavior is mimicked to determine the students’ exposure to privacy invasion techniques, including cookies, web bugs and port scans.

Cookies are small text files that are placed on a visitor’s hard drive by a web page server. They act as a type of identification card that enables a company to recognize repeat visitors to its web site. Cookies allow companies to store not only the information provided by a URL submission, but also any additional information that a user may provide during a visit. In addition, they allow companies to track the click through behavior of visitors to their web site.

Web bugs are either visible or invisible graphics that are placed on a web page by a company that is not affiliated with the web site. The company that supplies the graphic also places its cookie on the computer of the visitor to the web site. This allows the non-affiliated company to capture information about visitors to the web site containing web bug.

A port scan is a series of messages sent by one computer to another computer. Port scans are often used by hackers attempting to break into a computer to learn which computer network services, each associated with a “well known” port number, the computer provides. More recently, port scans are being used by online companies and service providers to gather information about visitors to their web sites.

Online services that use or allow others to use any of these techniques produce an environment in which personally identifiable information such as e-mail address and name may be captured as students search for journal articles, et cetera. If the student uses a university dial- in account, he or she could be associated with the specific university. That information may be coupled with specific articles that are accessed to produce a detailed profile of the student.

The analysis reveals that 22 of the online services examined deposit cookies on the computers of visitors to their sites. Two employ web bugs and five utilize port scans. Seventeen of the sites allow or require the submission of personally identifiable information. However, only nine of the sites include privacy policies that disclose what information is collected and how it is used.