A Bill to Warn Students About Predatory Colleges Without Violating Their Privacy

For many Americans, the opportunities provided by a college education can also be a gateway to a more lucrative career and better life, but it can also be a gateway to insurmountable debt. Too many institutions of higher learning in this country could be better described as tuition collection machines whose graduates stand little chance of earning above the minimum wage.

The targets of these predatory institutions are overwhelmingly persons of color or low-income, which is very much by design. The ACLU, student advocates, and a growing number of members of Congress have been seeking to address this problem by providing prospective students with better information about these predatory institutions.

Multiple bills currently pending in Congress are focused on providing information about the rate of return students receive on their investment at various U.S. colleges and universities. Initially, their sponsors’ arguments are quite compelling. Imagine, they say, how great it would be if the federal government could gather data from all of America’s post-secondary schools, compare student outcomes across relevant measurable groups, and use that data to provide student consumers with rate-of-return and other valuable information before they enroll? Of course, that sounds pretty good.

But now imagine that same data could be repurposed by the federal government to target a wide variety of vulnerable students, like undocumented students, Muslim students, or students with certain combined attributes, like those who were not born in the United States and are majoring in chemistry? Imagine further that this new, massive collection of private student data becomes an irresistible target for ill-intentioned hackers. Suddenly a national database of sensitive, highly personal student data doesn’t sound so good. In fact, it sounds quite problematic. That is certainly one of the reasons why, since 2008, federal law has prohibited the creation of one.

Bills that propose to limit the use of a new federal student database to benevolent purposes offer only a temporary and false sense of security. Such protections can be swiftly stripped from a law any time Congress believes there is a justification for doing so.

So what then do we do? Do we choose to protect the consumer interests or privacy interests of vulnerable students, knowing full well that the failure to do either could lead to devastating consequences? Fortunately, thanks to a new, creative congressional bill, we may just be able to do both.

In late November, U.S. Sens. Ronald Wyden (D-Ore.), Marco Rubio (R-Fl.), and Mark Warner (D-Va.) introduced the ‘‘Student Right to Know Before You Go Act of 2017.” The goal of the act is to provide prospective students with better information to guide what college they decide to attend. To that end, the bill also aims to expose predatory educational institutions that charge students tens of thousands of dollars to enroll in programs that offer them little chance of graduating or finding a well-paying job.

The intriguing part about the bill is that it employs a relatively new technological approach that would enable the federal government to make the calculations it needs and provide the resulting data to student consumers without creating a massive federal repository of highly sensitive, personal student data. This approach is called secure multi-party computation.

Here is how it works.

Ordinarily, to run the computations sought by the Student Right to Know Before You Go Act — such as determining the student dropout rate for first generation students at various colleges — the federal government would need to create a new database that collects, combines, and stores massive amounts of student data from every postsecondary educational institution in the nation. Once collected, that data would remain in the hands of the federal government. The institutions that provide the data would no longer have control over whether and how long it is stored, or whether it is used for purposes beyond the calculations for which it was provided. And that massive, sensitive database would also be vulnerable to data breaches, like the large-scale hacks of the Office of Personnel Management and Equifax.

On the other hand, with secure multi-party computation, the postsecondary institutions’ student data never leaves the educational institutions’ possession in an accessible form. Instead, the only thing they are asked to share is encrypted data, on which only limited, pre-approved calculations can be performed. The underlying sensitive data is inaccessible to the federal government and the other participating educational institutions. Perhaps most importantly, no massive database of student information is ever created that can later be repurposed or hacked.

Of course, a secure multi-party computation system, in and of itself, is not enough to guarantee student privacy. If the system’s computations produce data that identifies specific students — which is to say it’s not de-identified and aggregated — that would violate student privacy. Likewise, if too many data points — like a student’s state of residence, gender, race, course of study, expected graduation year, and Pell Grant status — can be combined in producing a single computation, the results may produce a small enough cohort to allow individual students to be identified. Fortunately, because the Student Right to Know Before You Go Act strictly limits the number of calculations the secure multi-party computation system can perform, prohibits combining too many datasets, and does not allow additional computations to be added without an act of Congress, the bill appears well focused on protecting both students’ consumer interest and privacy.

Without question, certain administrative oversight processes — like independent system audits — will need to be put in place to give all stakeholders confidence the secure multi-party computation system is designed and functions precisely as mandated by the act. In addition, Congress must consider whether there are additional protections needed to ensure that individuals have sufficient control over their data, how it is used, and whether analytics are performed on it. At first blush, however, it certainly appears the bill may be offering a safer, more prudent alternative to mass government data collection for this and, perhaps, future applications.

Whether adopting the Student Right to Know Before You Go Act is in the best interest of America’s students certainly requires further debate and discussion — the ACLU has not yet reached such a conclusion — but insofar as Congress is concerned about protecting vulnerable students’ consumer interest and privacy, this innovative piece of legislation certainly seems like the right place to start the conversation.

Stay Informed