Colorado State University’s Directory: A Nightmare Waiting to Happen

Like many universities and colleges, Colorado State University has a directory. Unlike those of many universities, the CSU directory also contains the full legal name, college, department, major, mailing address, and phone number of every student enrolled on campus who hasn’t opted out via RAMweb, the university’s student dashboard.

From a privacy and a security standpoint, this is a distressing concern. Anyone from potential stalkers and attackers to web spammers is able to find identifying personal information about a potential target with as little as a student’s name. The search does fuzzy matching on any input, making it possible to instantaneously locate not only a specific enrolled person, but a collection of individuals with matching names.

Their directory clearly appears to be developed for the purpose of locating students, indicating that this was surely not a case of “inclusion by accident”. The page provides (albeit vague) information for students to remove their information from the directory. The fact that the directory is opt-out in the first place is a direct indicator that it was designed and tested for this purpose. CSU’s privacy concerns page (pre-writing a defense about this behavior is always a good sign, right, Facebook?) analogizes this service to a phonebook, but what phonebook has ever been delivered to every person in the world?

Even if it were restricted to only those within the university, it still presents a wide open door for any prying student to learn more about someone they barely know. The statistics on violent crime, especially of a sexual nature, on campuses are harrowing enough without universities providing information on students this brazenly in public.

That’s scary.
