Betsy DeVos
U.S. Secretary of Education
400 Maryland Avenue, SW
Washington, DC 20202-8520
June 16th, 2019

Re: Email providers violate FERPA

Dear Secretary DeVos:

Thank you for your work on our education systems, and the environment within our colleges. They are where a lot of our future citizens learn practical ways to deal with challenges to our basic values. In particular, I think our Constitution can be regarded as a succinct description of those basic values, and should be taught to all students before they are let loose on society.

I would like to alert you to a potential situation and an opportunity to set an example of how one such challenge should be dealt with.

We expect our citizens to believe they have the right to be "secure in their persons, houses, papers, and effects" (the 4th Amendment). Federal law supports this at the post office by making the unauthorized opening of mail a crime. For educational records and communications we have FERPA. But, while the post office is very diligent about implementing the law, our educational institutions (that work with more modern methods of communication and set an example for students) are quite careless. Instead of setting the expectation that communication (e.g. via email) can be private and secure, today we set the opposite expectation - that it is not!

Many email service providers scan email to extract information. For example, we have this about Google:-

The expectation is that information so extracted is passed on to third parties (advertisers and marketeers).

By enforcing existing law (FERPA) properly we can set the correct expectation. To do this, the following needs to happen:-

  • 1) Educational institutions are notified that they may be in violation of FERPA if they allow staff to use an email provider suspected of "reading" the content of email, or if they provide a default email service to students via an email provider suspected of "reading" the content of email.
  • 2) Students are allowed to choose an email provider not supported by the institution for their email, in which case they are presumed to have given "FERPA" consent to send information to their email provider.
  • 3) The minimum acceptable standard for an email provider supported by an educational institution is a contractual obligation to not "read" the content, or a contractual obligation to not distribute the extracted information to "non-exempt" parties, with adequate policing and penalties.
  • 4) The target standard is encryption/decryption of the content on end devices controlled by the sender or receiver of the email, with all intermediate devices carrying/storing only encrypted content. Decryption keys will be generated and stored only on devices controlled by the receiver of email.
  • 5) The sender's device is able to tell the difference between an encryption key for a receiver obtained via a distribution system, and one that is directly obtained from a receiver's device, and warn the sender if the former is true.

    If this became Department of Education policy, we would have a system that sets a good example of what privacy is achievable, and what will be demanded of any email system by all citizens outside the educational system. I think it would also help President Trump in his quest to contain technology companies supporting "fake media". It may also be a warning shot across the bow to any company offering new technology that they at least consider the effect of their specific implementation on the rights of citizens guaranteed by our Constitution.