UB can track your location every time you swipe your UB Card.
Card readers across campus track when you eat dinner, go home and ride the bus. The card registers when you get Moe’s and if you are a loyal Bulls fan. All your swipes are recorded and some departments share your habits with people outside of UB. For example, if you go to football games and swipe into your dorm, Athletics might advertise future events in your building.
UB insists the UB Card is not a system for gathering, packaging and selling personal data.
But, a two-month investigation by The Spectrum shows reams of student data is collected, researched and kept throughout UB and that students have little idea who has their data and when it gets collected.
Many students The Spectrum spoke to are concerned about this lack of transparency with their data. Their concerns come three months after Facebook admitted to selling the personal data of 87 million users and one month after Amazon’s Alexa — a device widely used by students — recorded and sent out the private conversation of a Portland couple.
“Overall, I would say I’m concerned with what happens when we use our cards and who could see it,” said Sana Syed, a sophomore political science major. “If I heard more clarity and a logical explanation from the school as to why they need [to use] this information, I would feel a lot better.”
Finding out about UB data collection is not easy. The Spectrum filed Freedom of Information requests to get data on one of our editors, but only got some answers about what UB collects. We asked dozens of staff and only some have shared how they use student data.
Part of the problem is that UB does not have a centralized office that manages all data on students. This means one student’s data can not be seen by one department or UB employee. But it also makes tracking who is collecting what tricky.
At least 25 departments and UB offices collect student data, but only select administrators, including President Satish Tripathi and Provost Charles Zukoski, have access to all the data. Campus Living has 24/7 access to dorm and apartment swipes and its administrators share these swipes with University Police, who use the information to search for missing persons. A few third parties — including the CBORD Group’s GET and Ticketmaster — have access to student data, but UB insists third parties don’t share or sell that data.
UB does not give students the names of the dozens of people in over 25 departments who can see their data, nor would UB provide those names to The Spectrum. The departments include academic departments like social work, engineering and psychology, and broader departments like Campus Living and Parking and Transportation.
“Personally, I don’t think departments are doing a good job of informing people who has their information, because no student really has a solid answer,” Syed said.
Who’s looking at your data?
Each of the over 25 departments set “their own regulations” for the UB Card, according to the UB Card policy statement. The Spectrum asked four different departments for their policies, but got no answers. Departments were either unable or unwilling to tell us their policies.
Kate McKenna, director of issues management and stakeholder communication, said UB has policies to protect student data and that most data stays within the university. McKenna said there are “only a few instances” where data is shared outside UB but “sensitive information is never shared” or “sold.” Third parties like GET collect student card transactions, according to McKenna, but data remains “completely confidential” and GET “does not sell” or “use it for any other purpose.”
UB, she said, primarily collects data like your person number, card number and name. Some departments, however, can access more information. Parking and Transportation Services, for instance, can see class standings based on collective data. Campus Dining & Shops can see student sporting event attendance and recreation center use, 24/7.
Adam Levin, a consumer advocate, former director of the New Jersey Division of Consumer Affairs and founder of CyberScout said it’s important for students, faculty and staff at UB to know who is collecting their data and what the purpose is.
“Some people would say, ‘Well look at the benefit we give you [by collecting data], because we make you aware of all these terrific opportunities in terms of food or upcoming athletic events.’ That’s fine, but I think people need to know,” Levin said.
UB owns all card access data, information gathered from your card usage. A number of academic departments get rid of card access data after a year but others, like CDS, maintain all data from a student’s time at UB.
Over 25 departments can view your card access data yet it isn’t collected into one place, meaning one student’s card use history can’t be seen by a single department.
Jason Kelley is a STANLEY regional technician. STANLEY Security installs and provides services for UB’s card access system, but the university hasn’t explicitly said STANLEY is the school’s official vendor of swipe card services, according to Kelley.
Some schools take a centralized approach to their card system, Kelley said, leaving one department responsible for all card access decisions.
“The idea of an integrated system is that it can be used to accomplish the tasks that the customer requires or wants it to be used for, from the mundane to the extraordinarily complex,” Kelley said. “UB falls somewhere in the middle of that range.”
Levin said the issue with a non-integrated system is some departments may not be as competent or qualified at data management as other departments. A centralized system, he said, can be properly managed with secure protocols and provide university-wide data education to staff and students.
The opacity of the UB Card policy may upset incoming European international students even more than domestic students as they are particularly sensitive to data collection. In the past year, various European countries and the European Union have passed laws allowing consumers more access to information on how and why their data is collected. Specifically, on May 25, the EU passed the General Data Protection Regulation. The GDPR gives EU citizens more rights over their data and requires organizations to explain why they collect data.
Levin said there should be a clearly understood, opt-in policy for any place data is being collected.
“An interesting question to ask is if there are students from the EU at UB and is there an instance where they could have an issue with GDPR,” Levin said.
“I don’t see the EU coming after a university and hitting them with a €20 million fine. But in light of Facebook and the Cambridge Analytica situation, and Facebook’s commitment to bring their policies more into light, I think this is where we’re going. It’s going to create a paradigm shift and the question is how quickly.”
In March, The Guardian revealed how Cambridge Analytica, a firm that collected social media data, used information from close to 87 million Facebook users and then sold it for profit.
“It would be fine, personally, if departments explain to me where exactly my data is going instead of saying it’s just going to third parties,” said Andy Cruz, an undecided freshman.
“They may know what that third party is doing with my data but I don’t know what they’re doing with my data. It would be [good] if UB could break it down more for me, so I’m more aware of where it’s going and who has access.”
Other students shared Cruz’s concerns. Even if UB is not sharing much of their data now, students wonder how UB might, in coming years, use their data.
Both McKenna and UB spokesman John DellaContrada insist UB will not sell student data for profit or use it to do anything but enhance student services.
For instance, McKenna said CDS uses data to research how students purchase food. CDS can then offer what students want and make changes to UB dining experiences.
But some data is shared outside the university. Third parties, like GET, Ticketmaster and First Transit, have access to your data and some can use it to summarize how you use your UB Card. McKenna said most data collected stays within UB and is not shared.
“That data is used for providing a better experience for students within those departments,” McKenna said. “There are only a few instances where transactional data is shared outside of the university, and when it is only necessary information. Sensitive information is never shared and information is never sold.”
Mark Bartholomew, a UB law professor with a focus of intellectual property and cyberlaw, said it’s good practice to let consumers, like students, know as much as they can about how their data is being used.
“These things should be as understandable as possible for students,” Bartholomew said. “To the extent that different rules that departments make it harder for students to realize how their data is being used, it should be incumbent upon the departments to let them know.”
Protecting your data
UB Card data is classified as both internal-use and public data, according to McKenna.
Each of the 25 departments has people who can access the department’s data. These people are data custodians, trustees and administrative data users. Data custodians and trustees are able to grant access to UB data.
McKenna did not provide names of data custodians, trustees and administrative data users and said the list is “not public information.”
UB’s Data Access and Security Policy says "senior management,” including President Satish Tripathi and Provost Charles Zukoski, are “eligible for access to enterprise-wide university summary/aggregate data.” Under the policy, senior management can give office staff access to data “as deemed appropriate.”
The policy does not name data custodians, trustees and administrative data users but does say administrators like the “executive vice president for finance and operations” and the “vice president for student affairs” — now the vice president for student life — are data custodians. Currently, that would be Laura Hubbard and A. Scott Weber.
“Those who have access to card system data must agree to university and department policies regarding data security and must acknowledge that the data they have access to will remain confidential –– that it will not be used unethically or for purposes beyond the scope of what it is intended for,” McKenna said.
Cruz said people should have the right to know who has access to their information.
“It’s what you’re up to and there’s no reason for [departments] not to give you your data, even if it’s owned by UB,” Cruz said.
Card systems, like the one used by CDS, don’t register date of birth, credit card numbers or social security numbers. Some departments, like Athletics, are able to see where students live, though.
“Athletics works in partnership with Campus Living and has made a business case to link Campus Living address data to Athletics’ card system data,” McKenna said. “In this case, only building names for students are linked from Campus Living to Athletics because there was no business need for Athletics to have students’ full address information.”
Only departments that make a “business case” to use students’ addresses can access that data, according to McKenna.
Levin said departments should “absolutely” inform students when the information they gather goes beyond basic information.
“The truth is [departments] lose nothing by telling you they’re doing this and, in fact, might gain more respect from students from what they’re doing,” Levin said.
“Students may even pay more attention, understanding that advertising doesn’t show up because there was an epiphany and [UB] decided they were there. When it comes to privacy and security, the only way people are going to be more focused on privacy is the more aware they are of where their data is going.”
There are some third parties, however, which can receive student data.
GET, an app for the UB Card, receives card users’ identifier information, but does not sell UB data, McKenna said.
There are policies and laws that protect UB’s non-public information against unauthorized access, disclosure or misuse, McKenna said. Policies and laws include UB’s Data Access and Security Policy, the Personal Privacy Protection Law and the Family Educational Rights and Privacy Act that limit sharing data without individual consent. The data access and security policy says state agencies, including UB, must “notify individuals if there is a security breach involving their restricted confidential data.”
If students want their card access data, they have to make a request.
The Spectrum requested an editor’s card access data from CDS and CSE IT. Both CDS and CSE IT emailed The Spectrum card access data following our request. The requests showed meal credit uses, sporting event attendance and a door access history. Campus Living did not respond to our request and referred us to Student-Wide Judiciary or UPD. UPD provided The Spectrum with data on our editor, following our request. The Spectrum attempted to get the same editor’s data from Campus Life multiple times and did not receive the department’s policy on obtaining card records.
The UB Card policy allows departments to create and enforce their own policies for how they give data to students, faculty and staff.
The Spectrum reached out to multiple departments about their card usage policies, including Campus Life, the School of Pharmacy and Pharmaceutical Sciences and the School of Social Work. All these departments said they either did not have policies, were not aware of policies or did not respond to our questions.
“When an individual inquires about their own data, it is up to the discretion of the department to decide how the request is filled,” McKenna said.
On April 20, The Spectrum requested all of an editor’s card access data from UB under the Freedom of Information Law. The Spectrum received records kept by CDS on June 15 but received no other department’s records at UB.
Chris Austin, director of parking and transportation services, said the card system provides his department with passenger counts by bus stop and route. Austin said his department is also aware of class standing and a “general sense of transit use” by on-campus students versus off-campus students. The data, Austin said, is truncated and encrypted to maximize integrity and security.
Stampede buses are equipped with card readers — a total of 26 swipe card stations across all buses, according to Austin. The card system is part of a contract with First Transit, another third party.
UB and First Transit management can login to a secured software system and server to run reports on passengers based on time, date, semester and bus stop.
Both use aggregate information, according to Austin, and can research any additional support like individualized data reports.
“As for research, it provides useful institutional information on passenger counts, locations and trends that is invaluable to our transportation management efforts,” Austin said. “It has not been used for marketing, or monetized in any way.”
Parking and Transportation Services uses Passio Technologies, a third party software, to count passengers on Stampede buses. The Spectrum could not get an editor’s card access data from Austin because of a “dollar cost affiliated with the additional technical support” but with the support, Parking and Transportation could research individual student data.
The basics of BASIS
The Department of Computer Science and Engineering Information Technology manages the card access system, BASIS. The system is composed of a card access security server and a separate database server that stores card access data.
Each card reader connects to a panel in a nearby closet or space. The panels can access the BASIS servers. From there, BASIS keeps track of card access data, and departments can generate reports based on a person’s card usage.
Christian Miller, CSE IT director, is the system administrator. Miller oversees administrator accounts, UB cardholder accounts and access rules for physical spaces.
Matt Stock, a former CSE IT director, started the BASIS system in 2001 when CSE began rehabilitating the department’s office spaces.
Stock said CSE had an older card access system for student lab access but other common spaces, like the mailroom and TA offices, used keys. The older system, according to Stock, required CSE to program each door using a laptop.
“Each semester, the administrative staff in the department needed to collect and hand out hundreds of keys,” Stock said in an email. “As IT director in CSE, I decided that using the BASIS card access system to replace the locks for most of the common spaces made sense.”
There are hundreds of UB spaces that use card readers. The university doesn’t provide card readers for the system, and departments must pay for their own readers. BASIS users pay a software licensing fee and a service fee based on how many readers they have. Each reader costs $100, according to CSE’s website.
“It’s a grassroots solution to a problem because it was something the campus needed. CSE makes absolutely no money on the system,” Miller said.
Stock said BASIS was originally only for CSE and individual card data was manually entered into a database. He said he built a tool that would integrate databases throughout UB to make things like physical space access more efficient.
“This allowed us to create rules to automatically add people to doors if they were registered for a specific class, if they were faculty in a particular department, etc.,” Stock said.
Stock said the school of medicine and the nursing school began using the system after CSE created it. CSE contributed software and hardware maintenance as schools shared the system’s infrastructure.
“UB now has much better security, an improved audit trail on who accessed spaces and when and UB spends a fraction of the time as it did when everyone handled keys,” Stock said.
Some places at UB have their own stand-alone systems, separate from BASIS.
In 2016, the Student Association introduced a separate card system for event management. The system is operated through Computer SOS, a third party, and uses an updated student database, according to SA Entertainment Coordinator Marc Rosenblitt.
SA pro-staff have access to the system, as do a limited number of university administrators,like University Events Director William Regan.
Rosenblitt said SA built the system for crowd management rather than as a marketing tool.
“We’ve never used it as a marketing tool, but there’s been some discussion about it to be able to reach out to those individuals that have registered [for SA events] in the past,” Rosenblitt said.
The card of the future
In October 2017, CDS introduced MiFare chip cards to medical school faculty, staff and students. CDS has issued over 12,000 chip cards to the medical school community, and all freshmen will receive the card starting in June, according to Ray Kohl, CDS marketing manager.
Kohl said CDS will be able to offer new technology, like wearable IDs with new UB card readers. The UB Card agreement informs users their card contains a magnetic stripe, a computer chip and/or a radio with an antenna.
Joshua Sticht, deputy chief of UPD, oversees UPD dispatchers, who are officers that can constantly see Campus Living door usage. Sticht said the new card readers at the Jacobs School of Medicine and Biomedical Sciences have caused issues for his officers at the downtown campus.
“The issue we bumped into is they put all these new card readers in the medical school and now, those don’t [communicate] with the other card readers in other buildings that are already existing there,” Sticht said. “As much as we might like to look at the technological capabilities of the system, our biggest hurdles is for my officers not to have four different IDs to get into all the different buildings down there.”
Sticht said UBIT is in the process of updating or replacing existing card readers at several downtown buildings, and he’s confident things will be in place by August, when officers will be stationed downtown.
A single card system isn’t used throughout UB. For instance, UPD has immediate access to the Campus Living system for missing persons reports. UPD has to submit requests to CDS for any card access data, but Sticht said there has never been a situation where someone didn’t cooperate in an emergency.
“If you could imagine a missing persons incident where someone could be a danger to themselves and we’re talking about a weekend, at 2 a.m., it would streamline our process when we’re looking to see all that in real time,” Sticht said. “But we have access to the Campus Living one which really, of all of them, is the one that is most important for us.”
Jamie Kang, an industrial and systems engineering professor, researched the UB Card’s potential to track students and their campus activity in December 2017. Kang said her research proves the card is a good data source for mining activity-mobility information, or tracking people in real-time based on card usage.
Miller said an integrated system throughout the university would probably be more intrusive than what CSE IT would want to manage.
“We really don’t use the system as a surveillance tool to track where people are going,” Miller said. “There’s no ulterior motive. We just put the minimal amount of information we need to make sure various users are authorized to get into certain spaces they can enter.”
Benjamin Blanchet is the senior features editor and can be reached at benjamin.blanchet@ubspectrum.com and @BenjaminUBSpec on Twitter.
Benjamin Blanchet is the senior engagement editor for The Spectrum. His words have been seen in The Buffalo News (Gusto) and The Sun newspapers of Western New York. Loves cryptoquip and double-doubles.
