School ICT Policies Thread, Usernames - Should they identify a pupil? in School Administration; Bit of an odd title, but I couldn't think of anything more appropriate.
I was discussing with John last night ...
13th November 2009, 12:16 PM #1
Usernames - Should they identify a pupil?
Bit of an odd title, but I couldn't think of anything more appropriate.
I was discussing with John last night network usernames and he told me that according to BECTA you should not use usernames for pupils that identify them by age or name, such as 09jbloggs.
Has anyone got any links to this information? Anyone do it?
13th November 2009, 12:24 PM #2
I think I read this on the Becta site once. My reading of it would be...
- no year identifier
- no gender identifier
- no full names
- no firstnames
So JBloggs is fine but 09JBloggs, JohnBloggs, JohnB, 09BloggsJohn - would all be bad as they all contain quiet a bit of info that makes it easier for an outsider to identify the exact student?
Personally I can't see any other way of creating 800 unique usernames that the students will remember other than use their surname in some way.
13th November 2009, 12:26 PM #3
I suppose you could use a unique ID if they have one in SIMS/SERCO MIS etc.
13th November 2009, 12:26 PM #4
I can't see an issue with usernames which are local to your school lan.
It's more things such as email where the address should identify their, age, gender, location esafety guidelines really.
13th November 2009, 12:29 PM #5
That I can understand.
It's more things such as email where the address should identify their, age, gender, location esafety guidelines really.
13th November 2009, 12:29 PM #6
Sounds like a typical piece of advice given by people who haven't quite followed things through. A couple of points though:
1. Does the username and password get used in a public place or outside the school?
2. Will teachers only ever use their childrens pupils number to adress them when outside of the school on trips etc?
3. Will pupils ever be able to identify themsleves by a random series of numbers\letters given to them and remember it and will the school pay for someone to man the 'I've forgotten my username' desk?
Nice when you're given advice without a few examples of solutions!
13th November 2009, 02:25 PM #7
For the very reasons Dos_Box touches on, this is why Becta struggles to gain respect from a lot of school technical staff, myself included. So much of their advice is half-baked I rarely even bother to read it these days.
All my logon usernames include the person's real name, and always have. I'd actually like to hear an example of why it would be bad to use this even for email addresses, because I'm having a hard time imagining a scenario where a student would be using their school email address publicly with a requirement of anonymity.
13th November 2009, 02:27 PM #8
A school I know uses roll numbers (I think I mean roll numbers) from SIMS.
Pupil knows this number well as it is used for other things.
Thanks to SC-UK from:
GrumbleDook (13th November 2009)
13th November 2009, 02:28 PM #9
12bloggsf would be year 5 here!
13th November 2009, 04:25 PM #10
With all respect to DB and AT ... B*11*cks
Becta put out the recommendation based on data protection guidance and esafety guidance from a heap of places and just collate it. Having a go at them for doing this is pretty pointless and hiding your head in the sands about wider issues.
1 - a kid emails a mate about something, who then replies but includes a mate outside of the school. The person outside of the school is an adult, and then now might have name, approx age (cause they understand that 09 at the beginning of the userid in the email means they started at the school in 2009) the surname or forename (so many schools have it as jbloggs or janetb) and they are also likely to get the forename from the email too. It is not about a single piece of data that makes it dangerous but when you string it together.
2 - People hate giving real, flesh and blood people a number as their identity. "I'm not a number, I am a free man!" I hear you cry ... well, how many of use know our NI number off the top of our head. I am pretty sure that ex-forces / police / etc can remember their numbers too! There is nothing wrong with introducing this to the kids as long as it is done in a timely, professional and sensible fashion. Roll numbers from MIS are fine ... if your school uses ID cards then get this number onto the ID card. If someone wants a password reseting then just ask for their card. Job done ... simples!
3 - When Becta (and others) give guidance or a framework too many people say "this is the way we have now been told to do it!" so they don't give too many examples anymore because people don't think for themselves and just point the finger if it is not right for their school. They just can't win. Before you have a go at the lack of examples about it why not say ... "hey, let's think of some ways to improve this!"
I bet that if I was to suggest we do this though we will get a slack handful that say something, but people are more than happy to jump on the bandwagon about BSF, job applications, salary scales ... I guess we all have different priorities.
Thanks to GrumbleDook from:
leco (13th November 2009)
13th November 2009, 05:11 PM #11
I have to agree with GrumbleDook on this one. The important word in all of this is GUIDANCE. They offer advice for solutions and better ways forward of doing things for us in schools, this doesn't mean we have to jump at it and obey their every offering, but simply look at the procedures and form our own best practice that will work for the school.
As GD pointed out, it's not the one piece of information, but the string of it together. It's a sad state of affairs that we live in a world where we have to be so aware of potential abuse scenarios.
In one of my schools, we're looking at ways of stopping pupils using the current e-mail systems at home, as they don't have any need in this particular school to do that. This will probably end up being a internally hosted solution (we have Exchange, so will probably look to introduce students onto this as well as staff) but its for that very reason, abuse. We firstly don't want them to go accessing all the e-mails for the other pupils as they have the same password to make it easier for our ICT Coordinator, but for cyber-bullying as well as the other even less savoury versions of abuse.
Anyone who gives out advice, unless it comes with a law backing it that we should adhere to x y and z we should look at with our sensible heads on and see if there is even a glimmer of something that we can use to make our networks and system more secure and less open to any form of abuse for/by/to the pupils.
That said, using a roll number doesn't remove that personal touch unless they're going to send an e-mail from email@example.com to pupil firstname.lastname@example.org saying:
then it's a bit pointless. Ok, from logistical points of view, using their roll number is great as you're not going to get duplicates (well, you shouldn't do).
Blah blah .. yatta yatta ..
Anyway, I think I've said enough for now! lol.
13th November 2009, 06:06 PM #12
My point exactly. The email address is used in isolation so incredibly rarely that any message including their email address is almost certainly going to include their real name as part of the message. So, no disrespect GrumbleDook, but the example you gave is one I had already considered and I don't think it holds much water. You are quite right in saying that "it is not about a single piece of data", which is precisely why I would argue against using a roll number from MIS, since that's a second piece of data the 3rd party now has in addition to the name that was in the message.
Originally Posted by aptproductions
My criticism of Becta was a general one, not just to do with the DP guidance the OP mentioned. They do also put out recommendations that aren't simply based on collations of other people's guidance; last time I checked they were still insisting that Schools Agreement was bad value for money (which I disagree with) and their report 2 years ago that concluded Office 2007 was not worth upgrading to used a frankly laughable methodology.
Last edited by AngryTechnician; 13th November 2009 at 06:11 PM.
13th November 2009, 06:37 PM #13
The example was from several real ones, where one child who had been groomed / molested was forced to help groom another child and from where someone used family members and friends to unwittingly get access to kids that could be susceptible to grooming. That is the reason I raise it.
I know it is about managing the risk and some schools will choose to educate pupils and staff to try and protect that way, others will choose solutions such as anonymising userids. I just don't want people to think that the things put forward have not been thought about carefully.
It is also worth saying that the roll number is a school specific piece of information that is only used for set reasons, and should it be used by someone you would not expect it from then alarm bells ring. An example would be spammers randomly sending to email@example.com and not having a first name to say "dear 21435" instead ... so Roll Number is not a sensitive piece of information and unlikely to contribute to adding significant data to identify someone (paraphrasing comments from the company who looked at DP for Becta).
Last edited by GrumbleDook; 13th November 2009 at 06:42 PM.
13th November 2009, 07:24 PM #14
I appreciate the example is both real and horrifying, but I maintain that having a pseudonymous email address would probably not have helped in such a case, so I just don't think it was a great example of why we shouldn't use names in email addresses. That said, I did find an example (below) which I think does make a good case for an email address that isn't simply their name.
On re-reading the thread it occurred to me no-one has yet posted where this guidance on usernames/email addresses actually came from. I couldn't find anything from Becta about usernames specifically, but I found two references on email addresses:
- The first, here, talks about the requirements to become an accredited ISP, and says:
As per my above argument, I don't believe that obfuscating/omitting the students name in their email address does protect their anonymity in the vast majority of cases.
The provider will enable the institution to reduce the risk to pupils by having email addresses that protect pupils' anonymity.
- The second piece of advice I could find is this page which says:
This is certainly a different way of looking at it; one I hadn't considered, and that I agree with. It's not anonymity that is compromised, but their protection from exposure to unknown 3rd parties. This is mitigated somewhat by the fact that the 3rd party must either already know the name of the pupil, or is planning to simply guess some common names.
Careful consideration should be given to the format of email addresses to reduce the risk of unsolicited attention directed towards individual pupils from people outside the school. For example, if individual pupil addresses were created in a format such as firstname.lastname@example.org...ation .sch.uk
, there is a risk of people from outside the school being able to guess a valid email address and hence contact pupils direct
. This is reduced if a non-specific convention is used, such as a combination of letters and numbers.
This is sound advice, but I stand by my criticism of some of Becta's other work, which can tend towards 'ideal world' examples rather than pragmatism, something I think is often desperately needed by schools suffering from a lack of experienced or skilled IT staff. Something can be thought through carefully and still be in need of having common sense applied. In addition, there is a difference between not reading Becta's guidance religiously and sticking my head in the sand. Other methods of policymaking do exist.
Last edited by AngryTechnician; 13th November 2009 at 07:29 PM.
13th November 2009, 08:00 PM #15
To be honest, it has been guidance for so long that that reasonable measures to anonymise students from the outside world (paraphrased of course) that the exact references are forgotten.
Good points raised and I would also introduce another option on why anonymity can be important. 3rd parties which may attempt to contact a student may also include parents who are no longer allowed access to the child. They already have some information (ie names and age) and should they understand the process used for generation of emails then they can make a stab at it. Using things like roll number seriously reduce the chances here too. Unfortunately some elements of social services don't always talk to those working with schools on technology so ideas like this only come to the fore when there is cross-over. CEOP training is an eye opener and so are conversations with the Local Safeguarding Children Board ... I wish that more examples are given but as I said, my frustration is that if Becta give examples (or, as you rightly mentioned, their infrequent instructions!) then they told they are telling people what to do.
An area where I disagree with folk like RBCs and NEN is the use of email@example.com ... it is a dead giveaway that it is a school and whilst it does not take a lot to work out a school domain the insistence that you should use it seems to just contradict some of their other guidance.
I wish that there was a large bank of examples of how people do what and enough examination of whether it made a difference, but it tends to be small, and my frustration is that this thread smacked of "Becta know nothing" instead of being helpful ... hey, what will we do if Becta goes? Who will people blame then?
By Dodgex1 in forum General Chat
Last Post: 23rd April 2009, 02:58 PM
By jamesmay in forum AV and Multimedia Related
Last Post: 31st March 2009, 01:20 PM
By mark in forum Jokes/Interweb Things
Last Post: 18th October 2008, 07:04 PM
By KWestos in forum Wireless Networks
Last Post: 18th September 2008, 05:27 PM
By DaveP in forum Hardware
Last Post: 11th May 2007, 03:00 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)