Single use website privacy in academia

It’s grad’ school admissions time again (yay!) which means I’m knee-deep in requests for letters of recommendation. Just as an example, one student has requested letters for 7 different institutions. Writing the actual letters is not a big deal (hey Nick you owe me a beer!) but the websites some Universities use for admissions are a royal P.I.T.A.

One such website (used by a mid-size college in that big metropolis near Cape Cod MA) is “LiaisonCAS”. The premise seems rather innocent and simple at first – the University uses such a site to coordinate the upload of application materials, so nothing gets lost along the way, and presumably this saves a lot of collating work that would have previously been done by a grad’ school administrator. The problem is, there are hundreds of these sites, all commercially operated, and all requiring their own User ID / Password combination. This creates 2 problems…

Problem 1 – too many passwords

I’m a strong believer in never using the same password twice, hence my reliance on the open source KeePass application, which stores passwords (typically random strings of 20+ characters) in an encrypted file. All told, I have 200+ unique login IDs. Just to emphasize the size of the problem here, I recently consolidated my logins for Elsevier journals into a single user ID, and it broke the portal set up to do this. It turns out I had reviewed for 37 separate Elsevier journals over the years, and some extensive ’phone tech support was required to give me a single account to manage them all.

So the problem here is: do I really want to register for yet another website, create a unique user ID, and have all my contact info’ out there in the cloud? Am I ever going to use this website again? Probably not, which means it’ll just sit there waiting to be hacked a decade from now, resulting in a bunch of spam and junk-mail or nuisance phone calls. Over the years, on top of the 200+ login UN/PW combos mentioned above, I would guess I’ve accumulated at least that number again in single-use website visits. This is not good for security. And no, it’s not as simple as me going to the trouble of making another 200+ unique UN/PW combos for all these sites. I don’t want a KeePass database filled with junk.

Problem 2 – Draconian privacy policies

Like most admissions portals, the one mentioned above requires that you agree to their privacy policy as a condition of signing up for the privilege of submitting materials.  Most people breeze through these things when signing up for a site, which is no big deal if you’re going to use it regularly and it’s a necessity for your job. Apple’s iTunes EULA is notoriously squirrely about privacy issues, but if you wanna use an iPhone, deal with it.

However, in the case of a single-use site, these policies need a bit more scrutiny. What exactly are you agreeing to, for this one-time use? Here’s the section from LiaisonCAS’ policy on what they (the site owner and the University by extension) can do with your information. There’s a bunch of guff about using your contact info’ for contests, surveys and promotions, which is worrying in itself. But then there’s this:

3.10. Other Uses. In addition to the uses specifically identified in this Section 3 (Our Uses of Your Personal Information), we may use Personal Information you submit in any other manner we reasonably deem necessary in order to provide you with the information, products and services you request from us….

Essentially, what they’re saying here is that they can do what the hell they like with your data, so long as they can write it off as “necessary” for the service you request. What you’re requesting, of course, is the privilege of uploading stuff for admissions. And the price you pay is them having the freedom to shill your data out to their spammy partners under the guise of necessity.

This is not cool.

So what to do instead? In this case I found the email address of the Dean for the graduate school in question, and emailed them the letter directly. Sure, it took another 5 minutes but at least all my personal contact info isn’t sitting out there on some nondescript company’s website waiting to be sold.

New Year’s Resolution for academics – fight the requirement to create a new User ID / Password for any website that you know you’ll probably never use again.