To: The Faculty Committee on Privacy and The Graduate Student Council
From: Amy Bruckman
Date: September 19th, 1993
Subject: Privacy implications of the MIT Card

As you may know, MIT is moving towards a new identification card with magnetic strips. This card can be used for a variety of purposes such as opening laboratory and dormitory doors, getting in and out of parking lots, buying food on meal plans, making other purchases on campus, scheduling medical appointments, and borrowing books from the library. I will discuss each of these in turn. The new system is being evaluated on a trial basis by a number of departments at MIT. What it will eventually be used for and when this will occur is still being determined.

This report reviews the privacy implications of this technology. It is based on conversations with Larry Maguire at Housing and Food Services/The MIT Card Office, Anne Glavin at Campus Police, Registrar David Wiley, Gerry Hornik at the Media Lab, Robert Dankese of Financial Planning and Management, and Jonathan Kutchins of the Exeter Group, the consulting firm handling this project.

THE MIT CARD

Larry Maguire of Housing and Food Services is in charge of the new MIT Card. The cards have three magnetic strips on them - one for most functions, one for the library, and one reserved for future use. Reader devices for doors, parking lot gates, and food services will be hardwired into a central Vax computer running VMS. This Vax will not be on any network. A dispatcher at Campus Police will have a terminal hardwired into the system. Some other administrators will be given dialup access. Dialups will be accepted only from pre-approved extension numbers and of course will require a password for access.

No data about the individual is stored on the magnetic strip. The strip merely contains a person's MIT ID number and a number unique to that card so that it can be canceled if necessary. All other information is stored on the Vax.
The software running on the Vax is a commercial product in use at a number of universities.

Asked how many people already have the new cards, Maguire says that "we are currently distributing about 10,000 MIT Cards to the whole student body. There are about 1300 employee cards out to date but eventually all employees should have them so that's another 10,000."

DORMITORY DOORS

The new cards will be used to open dormitory doors. The software can record all entries, but Maguire has elected to record only unsuccessful entries. Maguire said he would consider recording successful entries in the future only if a serious campus security problem developed.

LABORATORY DOORS

The Media Lab requested to be the first lab to use the new cards for laboratory door locks. I spoke with Gerry Hornik, and he said doing the whole building would cost $80,000, so it seems likely that only the lobby doors will be done, if any at all.

Mr. Hornik and I talked about the social implications of the new locks. With the current combination locks, graduate students in one group can tell those in another group their lab door combination. If students have to ask official permission to be allowed in another lab, they might decide not to bother to ask (or might even be turned down if they did ask). This would decrease communication within the lab. Hornik suggested that perhaps faculty and graduate students should be given access to all lab doors, but UROPs only to the door of the group they are working in. In any case, the Media Lab faculty should consider the social implications of the change in lock technology. The locks' cost makes this moot for the time being.

MEALS

Student meal plans will be on the new card. Meal plans are no longer mandatory. Bills for meal plans will contain only the total amount. However, an itemized list of what was eaten will be kept for the purpose of resolving billing disputes.
It is thus possible for a parent to request an itemized list of what was eaten to check the total sum when their real motivation was to find out what junior is eating. This data is stored for one year.

LIBRARY

One of the three magnetic strips on the new card will be identical to that on the current library card. The library card and ID card will be unified. The way the library system works will be otherwise unchanged.

MEDICAL

The pharmacy may use the new card for charges via an extension of the billing system used for meals. This possibility is just being explored. According to Mr. Maguire, the Medical Department currently has no other plans to use the card. (I have not been in direct contact with the Medical Department.)

PARKING

The parking software needs to keep track of who comes and goes to prevent people from using their card to park two cars. These are called "pass back violations" - one person passes his or her ID card back to a friend. Chief Anne Glavin has opted for a "soft" passback system. If the system believes that someone has entered twice, it will note the violation, but will still open the gate. It is possible to implement a "hard" pass back system which would refuse to open the gate in such instances.

A hard system has two problems. First, traffic may back up behind the person who finds they now have to back out because it won't let them in the lot. Second, it is possible to throw the system off in certain circumstances - for example, by loaning your car to a friend. Suppose that Jerry's car is in the shop, but he has an important errand to run after a Privacy Committee Meeting. Fred loans Jerry his car. After Jerry returns, the system now thinks that Jerry mysteriously went out without ever going in and that Fred never left. When Fred arrives at work the next morning, a hard pass back system would lock him out, since he's technically still in the lot and trying to enter a second time.
A soft system would simply record the violation, and a human looking at the data would be able to determine that nothing drastic has gone on. What the Campus Police will be checking the data for is not little inconsistencies like that, but someone who appears to be regularly parking multiple cars on one ID. Chief Glavin hopes this soft system will work, but reserves the right to change to the hard system if necessary.

The software has the ability to list more than one person as the user of a car. This will permit car pooling (for example, in the case of couples where both people are MIT affiliates). If only one member of a couple is at MIT and the other member wants to remove the car from the lot, that person will have to borrow the other person's ID card. There will be a phone at the gate to call the dispatcher to get in and out of the lot in the event of a lost card.

Many people have assigned parking places far from their offices. This is particularly true of graduate students who park in the commuter lot. Those who work late often move their car to a nearer lot in the late afternoon for reasons of safety as well as convenience. Chief Glavin plans to implement a central lot which permits after hours parking for this purpose. This offers some flexibility, but not as much flexibility as the current system.

Asked whether this after hours lot would accommodate students who live too close to get commuter lot stickers, Chief Glavin replied that "I can't say for sure what the criteria would be for operating an after hours lot - it is at this point merely a thought for the future. However, my own opinion is that as long as you hold an MIT ID card, you should be able to park in the lot after hours - obviously this would be the case regardless of where you live. We would probably require parkers to be out of the lot by 7:00 am unless they were assigned to that garage anyway."

All that is planned for now is one test system at Westgate.
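
The soft and hard pass back behaviour described in this section, replayed on the loaned-car scenario and followed by the kind of review the Campus Police would run over the recorded violations. This is an added example, not part of the original memo or of the commercial software it describes; the class and function names are hypothetical, and it assumes the gate enforces only double entries and never blocks an exit.

```python
from collections import Counter

class PassbackGate:
    """Tracks which cards the system believes are inside one gated lot."""

    def __init__(self, hard):
        self.hard = hard          # True: refuse a double entry; False: log it only
        self.inside = set()       # card IDs believed to be in the lot
        self.log = []             # (card, direction, note) for every anomaly

    def swipe(self, card, direction):
        """Process one swipe and return True if the gate opens."""
        if direction == "in" and card in self.inside:
            self.log.append((card, "in", "double entry"))
            if self.hard:
                return False      # hard mode: gate stays shut, state unchanged
        elif direction == "out" and card not in self.inside:
            # Assumption: exits are never blocked, only noted.
            self.log.append((card, "out", "exit without entry"))
        if direction == "in":
            self.inside.add(card)
        else:
            self.inside.discard(card)
        return True


def replay(events, hard):
    """Run a list of (card, direction) swipes; return gate decisions and the log."""
    gate = PassbackGate(hard)
    return [gate.swipe(c, d) for c, d in events], gate.log


def repeat_offenders(log, threshold):
    """Cards with at least `threshold` double entries: the pattern worth review."""
    counts = Counter(card for card, _, note in log if note == "double entry")
    return sorted(card for card, n in counts.items() if n >= threshold)


# Constructed events following the memo's scenario: Fred parks, Jerry drives
# Fred's car out on Jerry's card, Fred drives in again the next morning.
LOANED_CAR = [("fred", "in"), ("jerry", "out"), ("fred", "in")]

if __name__ == "__main__":
    for mode in (False, True):
        decisions, log = replay(LOANED_CAR, hard=mode)
        print("hard" if mode else "soft", decisions, log)
```

Both modes record the same two anomalies; only the hard mode turns the second one into a refused entry, and a single double entry stays below any sensible review threshold.
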
Chief Glavin emphasizes that all lots will not have gates right away and in fact gates may never be put on many lots.

Chief Glavin reserves the right to use parking lot data in police investigations. This data will not be released to anyone else inside the Institute or out without a court order. The kinds of reports Chief Glavin wishes to produce to help in the management of MIT's parking lots are purely statistical in nature and don't require information about individuals. However, Chief Glavin plans to keep the complete data for a period of approximately two years.

SOCIAL SECURITY NUMBERS

One piece of very good news for privacy on campus: MIT plans to stop using social security numbers as MIT ID numbers. Registrar David Wiley writes, "Yes, we will be changing to a nonSocSec ID when we cut over to the new computer system. It is likely to be next summer (though of course could be delayed). All students will get a new MIT ID at that time and a new ID card. The system will recognize students under their old ID, of course, but only the new ID will be used on grade sheets, etc. We are doing it because of student privacy issues, and the new system allowed us to design the functionality so that it could work. Thanks for your interest and support."

At Maguire's suggestion, I spoke with Bob Dankese of Financial Planning and Management about staff ID cards. Mr. Dankese is on the Board of Directors of the MIT Credit Union, and is interested in and knowledgeable about privacy issues. He has been assigned by his boss, Vice President for Financial Operations James Culliton, to remove social security numbers from staff ID cards. Mr. Dankese has been investigating the feasibility of this change with all of the Institute's various administrative systems. He believes that the change will be surprisingly easy and probably can be accomplished within the next few months. (He hasn't yet spoken with Executive Director of the Medical Department Linda Rounds.)

MY RECOMMENDATIONS

Here are my recommendations, based on the research I've done:

To both the Privacy Committee and the GSC:

It might be nice to write a letter to appropriate members of the administration thanking them for making the decision to make MIT ID numbers no longer Social Security Numbers. I'd send the letter to Larry Maguire, Bob Dankese, Jim Culliton, Constantine Simonides, David Wiley, and President Vest. It would be nice to let them know that there are people who care about these issues, and their decision is appreciated.

To the Privacy Committee:

* Speak with Chief Glavin further about the data she intends to record
* Speak with Linda Rounds of the Medical Department about her plans
* Follow up on all these issues again in January to see how the actual implementation of the MIT Card is progressing

To the Graduate Student Council:

* Follow up with Chief Glavin in three to six months to see how evolving changes will impact graduate student parking regulations
* Check with Larry Maguire regularly to see if card locks are planned for any laboratories. When they are, speak with the department concerned about the social impact of the new locks.