Case Study: Arkansas State University Privacy Policy and Web Trackers

This is a case study of the Arkansas State University privacy policy and the prevalence of web trackers on ASU websites. Although this case study is specific to Arkansas State University, the approach and tools used along with the findings presented here are quite typical of many colleges and universities.

As such, this privacy policy case study should serve as a blueprint for any institution looking to develop a more mature understanding of the tools and gadgets they have chosen to use on their websites and the institution’s online privacy practices and privacy policies.

For those CMOs and CIOs already too busy to do their own assessment, check out the Online Privacy Policy Assessment Service for information on an assessment of your institution.

Case Study Summary

The selection of Arkansas State University for this case study was made out of a desire to use a public college or university in Arkansas because Arkansas has a clear and unambiguous privacy law for public entities. Because this law has been in place for several years, privacy policy maturity and compliance were expected to be high.

Within the population of public colleges and universities, Arkansas State University was selected because the institution is believed to have sufficient resources to properly implement a privacy policy under the law, and because the institution acknowledges the law directly in its own privacy policy. Arkansas State University was also chosen because the initial scans showed it offers a strong case study of the disconnect between the privacy policy and the operational use of web trackers.

Case Study Focus

The case study will focus on 2 areas of interest.

First, the Arkansas State University Privacy Policy of the university websites will be assessed for consistency and sufficiency within the statutory and policy framework of the Arkansas Privacy laws for public entities and the institution’s other privacy policies.

Second, the privacy practices will be assessed operationally, as actually practiced on the websites. This assessment relies on various tools designed to identify the presence of electronic ‘trackers’ based on pre-defined fingerprints of hosted tracking technologies, including those that fall under the category of cookies, flash cookies, web beacons, local shared objects (LSO), and social widgets used for collecting site analytics, behavioral analytics, content filtering, ad programs, and user tracking.

Case Study Findings

Based on the assessments of the Arkansas State University Privacy Policy found throughout the ASU operated or maintained websites, it appears ASU is not in compliance with the Arkansas Privacy Policy law. This conclusion includes the opinion that ASU is not even close to being in compliance and would have considerable work to do to become compliant.

Furthermore, it appears ASU may not have an active control system in place to ensure ASU privacy practices are in compliance with applicable law or that they are functioning as advertised. This includes a conclusion the online privacy policy exists outside the formal institutional policy governance framework and specifically other privacy related policy.

Although some compliance issues were expected, the extent of the perceived compliance gaps was so significant that spot checks of other public institutions in Arkansas were also performed. Sadly, these spot checks revealed that compliance with the 2004 deadline appears to be a major failure amongst colleges and universities.

Arkansas Privacy Policy Law

Effective July 1, 2004, Arkansas Act 1713 of 2003 established requirements for state and local governments and agencies to incorporate machine readable privacy policies into their websites.

Arkansas Act 1713 of 2003

AN ACT TO REQUIRE STATE AND LOCAL GOVERNMENTS AND STATE AGENCIES TO INCORPORATE MACHINE READABLE PRIVACY POLICIES INTO THEIR WEBSITES.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF ARKANSAS:

(a) Each unit of state and local government and each state agency that operates or maintains a website shall incorporate a machine readable privacy policy into each of its websites no later than July 1, 2004.

(b) The privacy policy statement shall be published on the state or local government’s or state agency’s website and for each statement, shall include:

(1)(A) A description of the data the unit of government or agency collects on its website and how the data will be used by the unit of government or agency;

(B) The type of data and the purposes for which data is shared with other entities;

(C) Whether the unit of government’s or agency’s data collecting and sharing practices are mandatory, or allow a browser to opt in or opt out of those practices; and

(D) An explanation that certain information collected by the governmental unit or agency is subject to disclosure under the Arkansas Freedom of Information Act of 1967, § 25-19-105 et seq.; and

(2) A link to, or instructions for, locating the website’s policy reference file, which shall identify the uniform resource locator for the website’s policy statements and shall indicate those portions of the website and the website’s cookies that are covered by each statement; and

(3) A link to the website’s human-readable privacy policy.

Arkansas Privacy Policy Law Assessment

Compared to the privacy laws enacted in other states, the Arkansas Privacy Policy law is very straightforward and focuses solely on the requirements for publishing a privacy policy and disclosing the entity’s data collection and sharing practices without placing any limits on those practices.

Accordingly, the Arkansas Privacy Policy law is not a privacy law per se, in that it does not define standards or restrictions for privacy rights other than the disclosure requirements to be included in a public entity's website privacy policy.

The narrow focus and clarity of the Arkansas Privacy Policy Law make it extremely easy to create a simple checklist for a compliance audit of any Arkansas public college or university privacy policy.

As an additional aid to the privacy policy compliance audit, every institution could look at the State’s website Arkansas.gov Privacy Policy and its 3 supporting policies, used by almost all other agencies. This suggestion is based solely on the State’s Privacy Policy appearing to contain all the elements required by the law with sufficient descriptive information. However, what is contained in the policies does not appear to be technically or operationally accurate on many of the State’s websites.

Arkansas Colleges and Universities

The University of Arkansas does not appear to have a privacy policy accessible on its many websites by link, by instruction, or by searching; a search yields only a small selection of departmental privacy policies.

NorthWest Arkansas Community College was also checked and does not appear to have a privacy policy for its websites and seems to be relying primarily on FERPA and Acceptable Use to govern privacy. Of particular concern on the NWACC site is the Google Custom Search which displays the search results on a page with social widgets for Facebook and Twitter.

To illustrate the privacy concern with this practice, a search on “venereal disease” was executed and the Facebook widget traffic examined (below). The traffic reveals the search terms and my personal Facebook profile ID being passed to Facebook.com, showing that I have searched for “venereal disease”.

Figure: NWACC Online Privacy

A very similar process of personally identifiable data collection and sharing occurs when using the library catalog search function with Google and Google Books cookies.

To further evaluate the prevalence of web trackers in use by Arkansas colleges and universities an examination was performed on public and private colleges and universities in Arkansas using a seed list of each institution’s main website. This examination was performed using a web crawler designed specifically to crawl sites looking for the fingerprints of trackers using a database of 900+ trackers.

In this context, trackers refer to first-party cookies, third-party cookies, scripts, web beacons and widget technologies used in conjunction with web and user analytics, advertising, tracking, social sharing, and social login.

The scan results shown here (below) reflect only each site's homepage (link level 0) and the known trackers found there. The results are color coded to show the institutions in yellow, all Google trackers in green, Facebook in dark blue and all other trackers in red.
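As an added illustration of what such a tracker crawl does at link level 0 (this is example code written for this article, not the crawler or the 900-entry tracker database the case study used), the script below parses a constructed homepage, lists every host the page makes the browser contact, separates first-party from third-party hosts, and matches the third-party hosts against a small illustrative fingerprint table. The page URL, HTML and fingerprint table are all constructed; the registrable-domain logic is a deliberate simplification (last two host labels) that a production tool would replace with the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed fingerprint table (host suffix -> category). Illustrative only; it is
# not the 900-entry tracker database used in the case study.
TRACKER_FINGERPRINTS = {
    "google-analytics.com": "analytics",
    "googletagmanager.com": "analytics",
    "facebook.net": "social",
    "facebook.com": "social",
    "doubleclick.net": "advertising",
    "scorecardresearch.com": "market research",
}


class ResourceCollector(HTMLParser):
    """Collect the URLs a page instructs the browser to fetch (scripts, images,
    frames, stylesheets): each one is a request that tells a host which page
    the visitor is on."""

    RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                      "embed": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.RESOURCE_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def registrable_domain(host):
    """Last two labels of a host name. Simplification: a production crawler
    would use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def classify_host(host):
    """Return the fingerprint category for a host, or None if not fingerprinted."""
    for suffix, category in TRACKER_FINGERPRINTS.items():
        if host == suffix or host.endswith("." + suffix):
            return category
    return None


def inventory(page_url, html):
    """Map each third-party host contacted by the page to its tracker category
    (None = third party that is not in the fingerprint table)."""
    collector = ResourceCollector()
    collector.feed(html)
    first_party = registrable_domain(urlparse(page_url).hostname)
    found = {}
    for raw in collector.urls:
        host = urlparse(urljoin(page_url, raw)).hostname
        if not host or registrable_domain(host) == first_party:
            continue
        found[host] = classify_host(host)
    return found


# Constructed homepage standing in for a crawled link-level-0 page.
SAMPLE_PAGE_URL = "https://www.example-university.edu/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="//www.google-analytics.com/ga.js"></script>
<script src="https://connect.facebook.net/en_US/all.js"></script>
</head><body>
<img src="https://cdn.example-university.edu/logo.png">
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fwww.example-university.edu%2F"></iframe>
<img src="https://b.scorecardresearch.com/p?c1=2">
<script src="https://widgets.example-vendor.com/chat.js"></script>
<a href="/privacy">Privacy Policy</a>
</body></html>
"""


def scan_homepage():
    """Run the inventory over the constructed homepage."""
    return inventory(SAMPLE_PAGE_URL, SAMPLE_HTML)


if __name__ == "__main__":
    for host, category in sorted(scan_homepage().items()):
        print(f"{host:35} {category or 'third party, not fingerprinted'}")
```

Note that the Facebook iframe carries the visited page URL in its query string, which is the mechanism behind the Facebook widget finding described above: the host receives the page being viewed along with whatever cookies the browser already holds for it. Hosts the fingerprint table does not know are still reported, since an unrecognised third party is exactly what a privacy policy audit needs to investigate.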

Figure: Trackers on Arkansas College and University Websites

Arkansas State University Privacy Policy

The Arkansas State University website Privacy Policy is a fairly short privacy policy. At only 274 words it is a fraction of the State of Arkansas Privacy Policy. The Privacy Policy does acknowledge Arkansas Act 1713 of 2003 including a link to the Act. Because it is so short it is provided here in its entirety.

“Thank you for visiting the websites of Arkansas State University (ASU). Your privacy is very important to us. We have created this statement to demonstrate our commitment to online privacy and to comply with Arkansas Act 1713 of 2003.

We collect no personal information about you when you visit our sites, unless you choose to make such information available to us. When you visit any site hosted by ASU, our server automatically recognizes the Internet domain and IP address from which you accessed our site. This information does not result in the identification of your personal e-mail address or any other personal information.

In addition, we monitor the volume and timing of access to the site by collecting information on the date, time, and pages accessed by visitors. The information we collect is used to better understand general site usage patterns, improve site usability, and improve the content of the site. None of this information is shared with other organizations or tied to any individual user.

If you choose to share personal information with us — by sending us an email message or filling out an electronic form with personal information — we will use the information only for the purposes you authorized. Some of the information may be saved for a designated period to comply with Arkansas’ archiving policies, but we will not disclose the information to third parties or other government agencies, unless required to do so by state or federal law.

ASU sites contain links to other sites, not hosted by ASU. Neither ASU, nor any ASU employee, are responsible for the privacy practices or the content of those sites.”

Arkansas State University Privacy Policy Framework

To fully and properly assess the online privacy practices at ASU the assessment must look beyond mere compliance with the Arkansas Privacy Policy law and assess the ASU privacy policy within the broader ASU policy framework that deals with privacy concerns.

These additional assessment steps yield two main conclusions:

  1. The ASU website privacy policy does not appear to have been formalized as an institutional policy under the policy framework of the university. As a result, the website privacy policy does not appear to be an actual policy under the institutional policy governance model, either directly or indirectly.
  2. The ASU websites' data collection and sharing practices are not consistent with several formal institutional policies related to privacy, advertising, and data collection.

The following examples illustrate these findings.

Protection of Privacy Policy

Protection of Privacy Policy (Number 06-19) is a short and concise declaration of the institution’s obligations to protect the privacy rights of faculty, staff and students. However, it only speaks to the release of transcripts, photographs and donor information.

The Protection of Privacy Policy is silent on Arkansas Act 1713 of 2003 and offers no affirmation of a statutory or moral obligation to safeguard the privacy rights and interests of visitors to the institution’s websites be they faculty, students, or the public. Of particular note are the more sensitive websites dealing with financial aid, library and research, and health services.

Human Research Policy

Human Research Policy (Number 02-03) affirms the ethical requirements for conducting research on human subjects at the university. The Policy establishes the Belmont Report principles as the governing standard, which includes among other things informed consent of subjects and confidentiality in reporting research data.

The Policy sets forth the following definition:

“Under the terms of this policy, any systematic activity involving the collection and/or analysis of data on human subjects for the purpose of advancing generalizable knowledge qualifies as human research, unless this activity is specifically exempted by current Federal regulations.”

The Policy is silent on the specific collection of data on human subjects by ASU and third parties via the institution’s websites which in several cases would fall under the definition provided in the Policy.

Moreover, it is assumed that a researcher interested in obtaining social media data on students or employees would be required to seek approval under this policy, whereas the collection, aggregation and analysis of the same data by others is not.

Taping/Filming of Movies, Commercials and Documentaries Policy

Taping/Filming of Movies, Commercials and Documentaries Policy (Number 06-20) defines the requirements for filming on campus. The particular provision of this policy relevant to online privacy is that the Taping/Filming Policy requires the producer to be “obtaining permission for taping/filming of occupants of all university housing facilities”.

However, the online browsing histories of university housing residents are collected by ASU websites which many would argue is far more invasive and potentially detrimental than capturing their images.

The real question for concern is the institutional use of surveillance and security video on campus, where the images and footage would almost certainly be viewed via a web based application, thereby placing it under the Arkansas Privacy Policy law for application website users.

This then begs the question of the privacy rights of those persons whose images are being captured, potentially tracked or analyzed by behavioral analytics software using these systems, systems which almost certainly contain analytics or other web tracking elements.

Privacy Policy Assessment Method

The ASU Privacy Policy assessment for compliance used the Arkansas Privacy Policy law which was deconstructed into an assessment checklist of questions provided here.

  1. What are all of the ASU operated or maintained website(s)?
  2. Has ASU incorporated a machine readable privacy policy into each of its websites?
  3. For each ASU Privacy Policy statement does it include:
    1. A description of the data the unit of government or agency collects on its website and how the data will be used by the unit of government or agency;
    2. The type of data and the purposes for which data is shared with other entities;
    3. Whether the data collection and sharing is mandatory, or allows a browser to opt in or opt out.
    4. An explanation that certain information collected is subject to disclosure under the Arkansas Freedom of Information Act of 1967, § 25-19-105 et seq.
  4. Does each ASU Privacy Policy statement include a link to, or instructions for, locating the website’s policy reference file with the URL for the website’s policy statements?
  5. Does each ASU Privacy Policy indicate those portions of the website and the website’s cookies that are covered by each statement?
  6. Does each of the ASU Privacy Policy statements include a link to the website’s human-readable privacy policy?
  7. Determine what data are being collected by each of the websites operated or maintained by ASU.
  8. Determine what data is being shared by ASU with other entities.
  9. Is each type of data being collected and/or shared described, including how it is used?
  10. Does the description of any data being shared include the purpose for sharing the data?
  11. For the data being collected and/or shared, does the description indicate whether it is mandatory or whether opt-in or opt-out is allowed?
  12. For the data being collected or shared does the description indicate if the data are subject to FOIA?
  13. For each portion of any ASU website issuing cookies are they covered by the Privacy Policy statement?
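Several of the checklist items above (2, 4, 5 and 6) can be spot-checked automatically on each crawled page. The script below is an added example written for this article, not a tool the case study used. It assumes that the Act's "machine readable privacy policy" and "policy reference file" refer to the W3C P3P mechanism, in which a page advertises its policy reference file either through a `<link rel="P3Pv1" href="...">` element or a `P3P: policyref="..."` response header; that reading of the law is this example's assumption, not something the page states. The three site records (URLs, HTML and headers) are constructed to mirror the three situations the case study describes: a main site with both a human-readable policy link and a policy reference file, a portal whose privacy link points at a vendor's site, and a third-party-hosted ticketing site with no policy at all.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class PolicyLinkFinder(HTMLParser):
    """Collect anchors that look like a human-readable privacy policy link and
    <link rel="P3Pv1"> references to a machine-readable policy reference file."""

    def __init__(self):
        super().__init__()
        self.privacy_links = []
        self.policy_refs = []
        self._anchor = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._anchor = {"href": a["href"], "text": ""}
        elif tag == "link" and (a.get("rel") or "").lower() == "p3pv1" and a.get("href"):
            self.policy_refs.append(a["href"])

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            blob = (self._anchor["text"] + " " + self._anchor["href"]).lower()
            if "privacy" in blob:
                self.privacy_links.append(self._anchor["href"])
            self._anchor = None


def policyref_from_header(headers):
    """Extract policyref="..." from a P3P response header, if one is present."""
    for name, value in headers.items():
        if name.lower() == "p3p":
            match = re.search(r'policyref\s*=\s*"([^"]+)"', value)
            if match:
                return match.group(1)
    return None


def same_site(site_url, href):
    """True when href is relative or on the same registrable domain as the site.
    Simplification: last two host labels; a real tool would use the Public Suffix List."""
    host = urlparse(href).hostname
    if host is None:
        return True
    site_host = urlparse(site_url).hostname
    return host.lower().split(".")[-2:] == site_host.lower().split(".")[-2:]


def compliance_gaps(site):
    """Return the checklist gaps found on one site record {url, html, headers}."""
    finder = PolicyLinkFinder()
    finder.feed(site["html"])
    header_ref = policyref_from_header(site["headers"])
    gaps = []
    if not finder.privacy_links:
        gaps.append("no link to a human-readable privacy policy")
    if not finder.policy_refs and header_ref is None:
        gaps.append("no machine-readable policy reference file (P3P link or header)")
    for href in finder.privacy_links:
        if not same_site(site["url"], href):
            gaps.append(f"privacy policy link points off-site ({href}); "
                        "confirm it is the institution's policy, not a vendor's")
    return gaps


# Constructed site records standing in for crawl results (not real responses).
SAMPLE_SITES = [
    {"url": "https://www.example-university.edu/",
     "html": '<html><head><link rel="P3Pv1" href="/w3c/p3p.xml"></head>'
             '<body><a href="/privacy">Privacy Policy</a></body></html>',
     "headers": {}},
    {"url": "https://portal.example-university.edu/",
     "html": '<html><body><a href="https://www.example-vendor.com/privacy">'
             'Privacy Policy</a></body></html>',
     "headers": {"P3P": 'policyref="/w3c/p3p.xml", CP="NOI DSP"'}},
    {"url": "https://tickets.example-vendor.com/university/",
     "html": "<html><body><a href='/events'>Buy tickets</a></body></html>",
     "headers": {}},
]


def assess_all(sites=SAMPLE_SITES):
    """Map each site URL to its checklist gaps (an empty list passes these checks)."""
    return {site["url"]: compliance_gaps(site) for site in sites}


if __name__ == "__main__":
    for url, gaps in assess_all().items():
        print(url, "-> no gaps found" if not gaps else "")
        for gap in gaps:
            print("   -", gap)
```

An empty gap list only means the page links to something; items 1, 7 through 13 of the checklist still require building the site inventory, reading the policy text and comparing it with the trackers and cookies actually observed, which no link check can do. The off-site flag is deliberately a prompt to a human reviewer rather than a verdict, because a policy hosted by a vendor may or may not be the institution's own.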

ASU Privacy Policy Assessment Results

The result of applying this assessment for Arkansas State University was the conclusion Arkansas State University does not appear to be in compliance with the Arkansas Privacy Policy law. In fact, one might conclude ASU is not even close to being in compliance with the law.

That opinion reflects the fact that, as later sections of the case study show, ASU does not include a university privacy policy statement on many of the ASU websites it operates or maintains.

Equally important, the Arkansas State University Privacy Policy asserts that it collects no data other than what the user chooses to provide through forms or emails. The Policy does acknowledge it captures the domain and IP address information in the server logs along with page statistics for site administration, including the following declaration:

“None of this information is shared with other organizations or tied to any individual user.”

This declaration appears to be wholly inaccurate technically and operationally.

Figure: Collusion Graph Arkansas State University

The evidence for this conclusion comes from examining the ASU websites for evidence of known web trackers which collect and share site user data. Shown here is the Collusion graph for just three ASU websites.

This particular output shows the results from visiting only 5 university website pages. The 3 sites actually visited, astate.edu, mycampus.astate.edu, and asbtdc-asu.com, are highlighted by the blue halo.

Also shown are the 32 other sites that were not visited but were informed of the page visits. 5 of these sites, shown with a red halo, are advertisers, market researchers and data aggregators.

For each of these sites Ghostery (not shown) was also used to verify the presence of known trackers. The use of Ghostery allowed for an easy review of the trackers' own privacy policies, where published. This process would easily support the creation of an accurate ASU privacy policy specific to each website and the trackers employed within the site.

Additional insights were developed by running the Track the Tracker crawler on select university sites to link level 1. It shows similar results in a simpler visual, with a variety of analytics, social sharing, trackers, and widgets in use on just these sites at a very shallow link level.

Figure: Web Trackers on Arkansas State University Websites (link level 1)

To gain a truer picture, a URL harvester was used to obtain the primary subdomains, the internal link level 2 and 3 URLs, and the university sites operated outside of the .edu domain. This list of URLs was refined to create a seed list for a deeper crawl at link levels 2 and 3 and below, revealing an even greater number of trackers.

Figure: Web Trackers on Arkansas State University Websites (link levels 2 and 3)

For a regular user of Arkansas State University websites, this more detailed examination reveals the reality of the data collection and sharing of user browsing history across all properties. This detail also offers a perspective that is likely going unrealized by the ASU privacy or compliance officer or the CIO and other members of the university leadership.

Additionally, it would seem reasonable to also conclude the users of ASU websites, the students and employees and public, are also not aware of the extent their online history is being tracked and shared with third party commercial entities.

To better understand the implications of this degree of user tracking, some specific ASU websites were examined in more detail.

Arkansas State University MyCampus Portal

The university provides a portal under the university domain referred to as MyCampus. The MyCampus portal is operated “in partnership with Campus EAI” as part of the CampusEAI Consortium. As such, it would seem the MyCampus website is an official ASU website and would fall under the scope of the Arkansas Privacy Policy law as a site operated or maintained by ASU.

The publicly visible MyCampus website pages were found to contain a link to a Privacy Policy. An examination of this privacy policy revealed it was the privacy policy of CampusEAI, not the privacy policy of ASU or the university website privacy policy cited earlier.

Although this policy acknowledges the use of Google tracking tools it fails to address the other tools collecting and sharing the user’s browsing history data.

Because ASU is relying on the CampusEAI Consortium privacy policy, and because the CampusEAI privacy policy fails to satisfy many of the elements of the State’s Privacy Policy law and is technically incomplete, a conclusion was reached that the ASU MyCampus website appears not to be in compliance.

Arkansas State University Library

The Dean B Ellis Library home page uses Google Analytics and sets a cookie from EBSCO (epnet.com). The page includes a link to the ASU Privacy Policy. EBSCO powers the One Search feature on the home page with search results redirecting to an EBSCO Industries page which shares information with 4 additional sites. The EBSCO site does not contain the ASU privacy policy and the privacy policy that is provided does not appear to comply with Arkansas Privacy Policy laws.

In practical terms this means that anyone submitting a search on the library page using OneSearch has that search captured by Google Analytics then is redirected to a vendor hosted site that sets additional cookies for the search. This redirection is not disclosed and the ASU Library website Privacy Policy does not describe this data collection and sharing practice.

The ASU Catalog searches are submitted on the ASU Library website under the subdomain structure of http://dbellis.library.astate.edu using the Web Voyager application. The catalogue websites do not appear to contain a privacy policy statement by link or by instructions on how to locate them.

An examination of the ASU catalog website in operation reveals that the search page and search results pages set a series of cookies under the ASU library domain for syndetics.com (a third party), google.com and books.google.com. Some of the Google cookies will not expire for 10 years.
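To make the cookie observations above concrete, the following added example (written for this article, not taken from the case study) parses a set of constructed Set-Cookie headers as a browser would receive them while loading a catalog page, and reports for each cookie who set it, whether that host is third-party relative to the page, its scope, and its lifetime, flagging any cookie that persists for a year or more. The Google and Syndetics host names follow the case study; the page host (catalog.library.example-university.edu), the cookie names, values and lifetimes are constructed, and the 10-year expiry is chosen to mirror the cookie lifetime the case study mentions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie


def registrable_domain(host):
    """Last two labels of a host name. Simplification: a real tool would use
    the Public Suffix List."""
    return ".".join(host.lower().lstrip(".").split(".")[-2:])


def describe_cookie(page_host, setting_host, set_cookie, observed_at):
    """Parse one Set-Cookie header received while loading page_host and report
    who set it, how long it lives and which hosts it will be sent back to."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    name, morsel = next(iter(jar.items()))  # one cookie per Set-Cookie header
    lifetime_days = None  # None means a session cookie (dies with the browser)
    if morsel["max-age"]:
        lifetime_days = int(morsel["max-age"]) / 86400
    elif morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime_days = (expires - observed_at).days
    return {
        "name": name,
        "set_by": setting_host,
        "scope": (morsel["domain"] or setting_host).lstrip("."),
        "third_party": registrable_domain(setting_host) != registrable_domain(page_host),
        "lifetime_days": lifetime_days,
        "long_lived": lifetime_days is not None and lifetime_days >= 365,
    }


# Constructed observations: (host that sent the Set-Cookie, header value).
PAGE_HOST = "catalog.library.example-university.edu"
OBSERVED_AT = datetime(2013, 5, 1, tzinfo=timezone.utc)
OBSERVATIONS = [
    (PAGE_HOST, "JSESSIONID=constructed1; Path=/; HttpOnly"),
    ("www.google.com",
     "PREF=constructed2; Expires=Mon, 01-May-2023 00:00:00 GMT; Path=/; Domain=.google.com"),
    ("books.google.com", "NID=constructed3; Max-Age=15552000; Path=/; Domain=.google.com"),
    ("www.syndetics.com", "SESSION=constructed4; Path=/"),
]


def audit_cookies(page_host=PAGE_HOST, observations=OBSERVATIONS, observed_at=OBSERVED_AT):
    """Describe every cookie observed during one page load."""
    return [describe_cookie(page_host, host, header, observed_at)
            for host, header in observations]


def summarize(records):
    """Counts an auditor can compare against the policy's claims."""
    return {
        "total": len(records),
        "third_party": sum(r["third_party"] for r in records),
        "session": sum(r["lifetime_days"] is None for r in records),
        "long_lived": sum(r["long_lived"] for r in records),
    }


if __name__ == "__main__":
    records = audit_cookies()
    for r in records:
        life = "session" if r["lifetime_days"] is None else f"{r['lifetime_days'] / 365.25:.1f} years"
        party = "third-party" if r["third_party"] else "first-party"
        print(f"{r['name']:12} set by {r['set_by']:25} scope={r['scope']:25} {party:12} {life}")
    print(summarize(records))
```

The lifetime is computed against a fixed observation time so the result is reproducible; a live audit would use the time of the crawl. A long-lived third-party cookie with a broad Domain scope is the combination an auditor should weigh against a policy statement that nothing is "tied to any individual user", because it is exactly what lets a third party recognise the same browser across visits and across unrelated sites.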

An attempt to examine the Syndetics privacy policy on their website (Bowker.com) via the Privacy Policy link returned a page unavailable error.

Similar issues exist with the searchable databases some of which include ezproxy authentication.

Arkansas State University Event Tickets

Arkansas State University uses Choice Ticketing Systems (ChoiceTicketing.com), a third party, for private-labeled event ticket sales. The Arkansas State University Event Tickets website does not appear to have a Privacy Policy anywhere visible on the website, including the main landing page or any subsequent pages through the sales checkout page.

In addition to not being able to locate a Privacy Policy on the university ticket sales website, Choice Ticketing Systems does not provide a privacy policy on its corporate website. Incidentally, Arkansas State University is a featured client case study of their cloud services solution.

Choice Ticketing does use its own cookies and Google Analytics.

Arkansas State University Google Sites

There exist several other sites operated under the ASU Google Sites account for academic and select administrative purposes. The examination of these sites (Example 1, Example 2) was unsuccessful in locating any privacy policy, despite the fact that these sites are operated and maintained by ASU for university administrative and academic business under the university Google Sites account, and despite the fact that these sites do set Google cookies.

NOTE: The examination of the ASU Google sites also revealed a likely configuration error which allows navigation to the ASU Google Sites from ASU links, including site search results, to pages which are not accessible directly. Additionally, the URLs of ASU Google sites can be explored, allowing authentication to be bypassed.

Arkansas State University Athletics

Arkansas State University Athletics Department website (astateredwolves.com) is hosted by College Sports Direct who provides comprehensive web services to over 1500 colleges and universities.

Astateredwolves.com is an official Arkansas State University website, even though it is hosted by a third party, and so would seem to be covered by Arkansas Act 1713 of 2003.

However, the Arkansas State University Athletics Privacy Policy on the site is the privacy policy of the site operator, JumpTV USA Holdco., Inc., not the Arkansas State University Privacy Policy cited above. As with other such occurrences at ASU, the privacy policy reflects the laws of Florida for commercial entities and does not appear to be compliant with Arkansas Privacy laws for government entities or even with the ASU privacy policy found on its main website.

Similarly, if you follow the links on the site to the “Arkansas State’s Official Online Store” you are directed to RedWolvesGear.com, hosted and operated by another third party, Advanced-Online, and covered by the privacy policy of that company, not the university. Unlike the Athletics website, it could reasonably be argued the Red Wolves Gear site is not a university website, much like any retail store that might sell college apparel.

Figure: Collusion Graph Arkansas State University Athletics

If the site is operated directly under contract by the university as an outsourced service, then the site might be considered an official site under the Arkansas Privacy law.

One method commonly used to establish clarity on what is or is not an official site is a notice to the user that they are leaving an official site or a site covered by the Arkansas Privacy laws. That method of notifying users has not been employed on any third party site regardless of its status as an official university site or not.

Together, the 2 athletics sites depicted here share data with 9 other third-party sites of which 4 are considered trackers.

Figure: Web Trackers on Arkansas State University Athletics Websites

ASU Small Business and Technology Development Center

The Small Business and Technology Development Center (SBTDC) is operated by the College of Business in partnership with or as a funded activity of the Small Business Administration. The main website for SBTDC operates under the main university website and links to the same Privacy Policy.

SBTDC also operates a separate site under the http://asbtdc-asu.com/ domain name using a blog format which nearly mimics the main site. This second ASBTDC site is a branded institutional site of the university and SBTDC, and every indication suggests it would fall under the umbrella of an ASU operated or maintained site and the Arkansas Privacy Policy law.

Unfortunately there is no evidence of a Privacy Policy for this site or a link to the main university privacy policy.

NOTE: The footer of this site’s pages carries a copyright attribution for a third party, reserving all rights to the third party and not to the university.

Figure: Collusion Graph ASU SBTDC Websites

More than any other university website examined in this assessment, the SBTDC sites employ a significant number of widgets, analytics, and social sharing tools. This is especially the case with the second SBTDC blog site, which shares site user information with 20 other sites, 7 of which are common to the main university website pages and 3 of which are known tracker sites.

An assessment of departmental sites and special function sites within the ASU web properties would produce a number of additional examples of sites not having a privacy policy, or having a privacy policy which does not meet the elements required by the state law or does not reflect the data collection and sharing practices detected on the sites.

Figure: Web Trackers on ASU SBTDC Websites

In other words, the weaknesses and gaps in the ASU privacy policy model appear to be chronic and pervasive. Given how easy it is to perform this assessment and detect the weaknesses described here, it would seem reasonable to conclude Arkansas State University is not auditing its privacy controls for compliance and that its web governance practices are not focused on online privacy.


Follow the link for more information on using the Online Privacy Policy Assessment Service for your institution.

This entry was posted in Case Studies, Privacy.

3 Responses to Case Study: Arkansas State University Privacy Policy and Web Trackers

  1. T Wrights says:

    I am now not positive where you are getting your information, but great topic.

  2. The Higher Ed CIO says:

    Hopefully you can follow the links I provided and check out the university web pages yourself and confirm my findings.

  3. Troy Stephen Augustine slc says:

    These are really good tips, particularly for those new to web privacy. Short but very precise info… Appreciate your sharing this one.

Comments are closed.