Security Infrastructure Enhances Student Privacy, Data Protection, and Can Make Life Easier

Simon Krauss
Deputy General Counsel

Jan 31, 2017

In the days of typewriters and post offices, students knew that their educational data, everything in that mysterious file ominously referred to as “your permanent record,” could only be read if someone went into a school’s file room or someone made a copy and mailed it to someone else. For a long time, there were no state and federal laws that read directly on student academic privacy. Eventually, both state and federal laws were enacted which provided increased and detailed protections. While these laws protect each student’s data, complying with the details of each federal and state privacy law can result in a legal minefield for those that need to access a student’s data. As student privacy rules and regulations become more complex, there is an increasing need to leverage a more modern approach to privacy controls and data security.  Such an approach would enable automation of regulatory compliance as well as increased protections for student records.

The Legal Landscape

Student privacy laws began with the federal Family Education Rights and Privacy Act (FERPA) in 1974. Additional state and federal laws have added restrictions and complexity to the safeguarding of student records.  These laws have followed the arc of the internet and now often include provisions that arise out of schools using online services such as a focus on parental notification and consent when student data is released to third parties.  In the U.S., issues such as how data is collected and how it will be used have become hotly debated topics among parent advocates, school administrators, online service providers, and legislatures.

Digital Tools to Manage Academic Privacy Requirements

While the intention of each federal and state student privacy law is good, it is easy to see how all of the laws, taken together, can lead to confusion as to who is to be allowed access to what student data, when is access allowed, and when parental consent is necessary. There is the additional demand that the schools provide sufficient data security.  This regulatory complexity paired with the need for sufficient data security can stretch resources for school officials. In addition, the fragmented nature of regulation may stifle any company or institutional innovation due to uncertainty as to what may be legally permissible.

A possible solution lies in automating compliance with privacy requirements through the adoption of modern cryptography techniques that inherently limit access.  This approach provides more refined access control beyond ensuring that only the educational institution’s faculty and staff have access to student records. Additionally, cryptography will make school records much more difficult to hack, thereby protecting the integrity of the records and the privacy of the student (such as: grade tampering at the University of Iowa reported on 1/23/17 and extortion hacking at Michigan State).

For example, with the appropriate digital security in place, a high school senior may electronically authorize a school to permit certain universities to receive the student’s academic record. Using security such as a Public Key Infrastructure (PKI), the high school may transmit an encrypted student’s academic transcript to the universities that the student has authorized to receive those records and only those universities would have the necessary key to decrypt the record. PKI also authenticates the student and the transcript.  Because the student’s electronic record is encoded with the appropriate legal access controls, only the student’s academic transcript is sent. Other records, such as household income or medical records, are not transmitted. Similarly, in the event a health care provider needs a student’s medical records, the appropriate digital security would ensure that only the student’s medical records are sent. More granular security controls also mean that student data can be de-identified and aggregated to enable researchers and third parties working with educators to improve the educational process.

CableLabs and Kyrio’s research and experience managing digital security for cable, wireless, and the electrical grid have demonstrated the value in using cryptographic access control. Using cryptography to automate privacy controls through a digital security infrastructure means less legal confusion for administrators, enhanced privacy and data security for students, and room for greater educational innovation.  Additional benefits can occur by adding blockchain technology in addition to cryptography, topics addressed in these previously published blogs.

Blockchains and the Cable Industry
Hello Blockchain . . . Goodbye Lawyers?

By Simon Krauss, Deputy General Counsel, CableLabs


  Hello Blockchain . . . Goodbye Lawyers?

Simon Krauss
Deputy General Counsel

Apr 19, 2016

As the blockchain technology star begins to eclipse Bitcoin and the other cryptocurrencies that rely upon it, there has been an increase in research and development into using blockchain for “smart contracts.” Smart contracts are computer programs that facilitate, verify, execute, and enforce a contract. While smart contracts have existed to a limited extent for years in the commodities markets, vending machine, or adjustable rate mortgage industries, blockchain technology enables smart contracts to expand to cover new uses and, ultimately, become mainstream because contracts in blockchains are attestable, immutable, and visible.

What is a Contract? What is Blockchain?

A contract, in its simplest terms, is an agreement between people to do or refrain from doing something in exchange for something else. The agreement, generally, can be formed through a mutually signed document, a series of emails, verbal communication, clicking “I Agree” or any action showing agreement. A contract may be formed by the simple nodding of the head. A “person” can be a human being or an entity created in law with the ability to contract, like a corporation or a limited liability company. In order for an agreement to be upheld legally, the agreement cannot be against the law. Yet another reason why you don’t see drug dealers in court -- criminal court excepted.

Blockchain is a cryptographic technology that is used to create distributed, verifiable electronic ledgers to record events. For more elaboration refer to Steve Goeringer’s post. Smart contracts leverage blockchain technology to not only record the individuals and the amounts in the transaction but can also set up a self-executing “if this than that” structure using scripts.

A Smart Contract in Action

For example, if you and I were to agree upon a price for you to buy my car, we would both be worried about certain risks. I would be afraid whether or not your check will clear. You would be concerned if I actually hold a clear title to the car, whether the car is mechanically sound, if there are any liens on the car, and would want to confirm the odometer reading is accurately stated on the title. Addressing these concerns may take a week or more. With a blockchain, all the concerns are addressed simultaneously.

For this example, let’s assume we are living in the near future and the title (VIN number, ownership and odometer reading – the latter due to my car phoning in to update its secured record), and any liens are encoded on the blockchain, the payment will be in Bitcoin (or some other cryptocurrency), and my contract with the mechanic can also be on the blockchain. I would load the coded representation of our agreement onto the blockchain. The blockchain would immediately determine if you had the funds, I had the proper title, check for the “this car is okay” approval from the mechanic, check (and pay off) any liens and then, if all the conditions are present, transfer your payment to me, and transfer and record the title on the blockchain. We receive the mutual “okay” on our smart phones and I give you the car key. The sale of the car becomes spontaneous. So long as the cryptography is sound, there is no longer the need for trust. That is, I would not have to trust you to have the funds to purchase the car and you would not have to trust that I actually had title to the car, the car was mechanically sound, there were no liens on the car, and the odometer reading is correct.

Smart Contracts in the Cable Industry

Smart contracts can remove friction and provide transparency in the cable supply chain. For example, smart contracts could ensure that every time a cable operator shows a movie, appropriate payments are instantaneously made all the way down the programming supply chain. There is no need for audit as the transaction history is readily secured and apparent in the blockchain. Smart contracts could also reduce costs by streamlining content purchasing based upon industry standards. Smart contracts could also be readily applied to advertising insertion with payment made in real time.

So We Don’t Need Lawyers Anymore?

For certain simple transactions, for which you probably wouldn’t hire a lawyer, you still wouldn’t need a lawyer. However, the use of blockchain may reduce the need for a using a lawyer to resolve post-contract issues like lack of payment or, in the previous example, bad title. Smart contracts may reduce the need for litigators but become an additional tool for the transactional lawyer to master. The question may be better phrased as, “do lawyers need to learn coding along with Latin?” or “do coders need law degrees?” or even, “is coding a new role for paralegals?” Written contracts are legal documents and while you are free to draft your own, drafting for others constitutes practicing law without a license – which is against the law. While smart contracts will undoubtedly impact lawyers and the practice of law, smart contracts will not eliminate the need for lawyers right away. Smart contracts may, however, be one of several technologies that will bring us one step closer to eliminating or reducing the need for lawyers in the future.