+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 16
School ICT Policies Thread, Usernames - Should they identify a pupil? in School Administration; Bit of an odd title, but I couldn't think of anything more appropriate. I was discussing with John last night ...
  1. #1

    Edu-IT's Avatar
    Join Date
    Nov 2007
    Posts
    7,140
    Thank Post
    403
    Thanked 622 Times in 568 Posts
    Rep Power
    181

    Usernames - Should they identify a pupil?

    Bit of an odd title, but I couldn't think of anything more appropriate.

    I was discussing with John last night network usernames and he told me that according to BECTA you should not use usernames for pupils that identify them by age or name, such as 09jbloggs.

    Has anyone got any links to this information? Anyone do it?

  2. #2

    tmcd35's Avatar
    Join Date
    Jul 2005
    Location
    Norfolk
    Posts
    5,665
    Thank Post
    850
    Thanked 893 Times in 738 Posts
    Blog Entries
    9
    Rep Power
    328
    I think I read this on the Becta site once. My reading of it would be...

    • no year identifier
    • no gender identifier
    • no full names
    • no firstnames


    So JBloggs is fine but 09JBloggs, JohnBloggs, JohnB, 09BloggsJohn - would all be bad as they all contain quiet a bit of info that makes it easier for an outsider to identify the exact student?

    Personally I can't see any other way of creating 800 unique usernames that the students will remember other than use their surname in some way.

  3. #3

    Edu-IT's Avatar
    Join Date
    Nov 2007
    Posts
    7,140
    Thank Post
    403
    Thanked 622 Times in 568 Posts
    Rep Power
    181
    I suppose you could use a unique ID if they have one in SIMS/SERCO MIS etc.

  4. #4

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    13,609
    Thank Post
    647
    Thanked 1,615 Times in 1,445 Posts
    Rep Power
    421
    I can't see an issue with usernames which are local to your school lan.

    It's more things such as email where the address should identify their, age, gender, location esafety guidelines really.

    Ben

  5. #5

    Edu-IT's Avatar
    Join Date
    Nov 2007
    Posts
    7,140
    Thank Post
    403
    Thanked 622 Times in 568 Posts
    Rep Power
    181
    It's more things such as email where the address should identify their, age, gender, location esafety guidelines really.
    That I can understand.

  6. #6

    Dos_Box's Avatar
    Join Date
    Jun 2005
    Location
    Preston, Lancashire
    Posts
    10,384
    Thank Post
    597
    Thanked 2,168 Times in 992 Posts
    Blog Entries
    23
    Rep Power
    629
    Sounds like a typical piece of advice given by people who haven't quite followed things through. A couple of points though:

    1. Does the username and password get used in a public place or outside the school?
    2. Will teachers only ever use their childrens pupils number to adress them when outside of the school on trips etc?
    3. Will pupils ever be able to identify themsleves by a random series of numbers\letters given to them and remember it and will the school pay for someone to man the 'I've forgotten my username' desk?


    Nice when you're given advice without a few examples of solutions!

  7. #7

    AngryTechnician's Avatar
    Join Date
    Oct 2008
    Posts
    3,730
    Thank Post
    698
    Thanked 1,212 Times in 761 Posts
    Rep Power
    394
    For the very reasons Dos_Box touches on, this is why Becta struggles to gain respect from a lot of school technical staff, myself included. So much of their advice is half-baked I rarely even bother to read it these days.

    All my logon usernames include the person's real name, and always have. I'd actually like to hear an example of why it would be bad to use this even for email addresses, because I'm having a hard time imagining a scenario where a student would be using their school email address publicly with a requirement of anonymity.

  8. #8
    SC-UK's Avatar
    Join Date
    Feb 2009
    Location
    London
    Posts
    569
    Thank Post
    36
    Thanked 85 Times in 71 Posts
    Rep Power
    30
    A school I know uses roll numbers (I think I mean roll numbers) from SIMS.

    Pupil knows this number well as it is used for other things.

  9. Thanks to SC-UK from:

    GrumbleDook (13th November 2009)

  10. #9


    Join Date
    Sep 2007
    Location
    UK
    Posts
    5,417
    Thank Post
    1,436
    Thanked 876 Times in 562 Posts
    Rep Power
    645
    12bloggsf would be year 5 here!

  11. #10

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Posts
    9,935
    Thank Post
    1,341
    Thanked 1,783 Times in 1,106 Posts
    Blog Entries
    19
    Rep Power
    594
    With all respect to DB and AT ... B*11*cks

    Becta put out the recommendation based on data protection guidance and esafety guidance from a heap of places and just collate it. Having a go at them for doing this is pretty pointless and hiding your head in the sands about wider issues.

    1 - a kid emails a mate about something, who then replies but includes a mate outside of the school. The person outside of the school is an adult, and then now might have name, approx age (cause they understand that 09 at the beginning of the userid in the email means they started at the school in 2009) the surname or forename (so many schools have it as jbloggs or janetb) and they are also likely to get the forename from the email too. It is not about a single piece of data that makes it dangerous but when you string it together.

    2 - People hate giving real, flesh and blood people a number as their identity. "I'm not a number, I am a free man!" I hear you cry ... well, how many of use know our NI number off the top of our head. I am pretty sure that ex-forces / police / etc can remember their numbers too! There is nothing wrong with introducing this to the kids as long as it is done in a timely, professional and sensible fashion. Roll numbers from MIS are fine ... if your school uses ID cards then get this number onto the ID card. If someone wants a password reseting then just ask for their card. Job done ... simples!

    3 - When Becta (and others) give guidance or a framework too many people say "this is the way we have now been told to do it!" so they don't give too many examples anymore because people don't think for themselves and just point the finger if it is not right for their school. They just can't win. Before you have a go at the lack of examples about it why not say ... "hey, let's think of some ways to improve this!"

    I bet that if I was to suggest we do this though we will get a slack handful that say something, but people are more than happy to jump on the bandwagon about BSF, job applications, salary scales ... I guess we all have different priorities.

  12. Thanks to GrumbleDook from:

    leco (13th November 2009)

  13. #11
    soveryapt's Avatar
    Join Date
    Jan 2009
    Location
    Lancashire
    Posts
    2,402
    Thank Post
    648
    Thanked 277 Times in 244 Posts
    Rep Power
    78
    I have to agree with GrumbleDook on this one. The important word in all of this is GUIDANCE. They offer advice for solutions and better ways forward of doing things for us in schools, this doesn't mean we have to jump at it and obey their every offering, but simply look at the procedures and form our own best practice that will work for the school.

    As GD pointed out, it's not the one piece of information, but the string of it together. It's a sad state of affairs that we live in a world where we have to be so aware of potential abuse scenarios.

    In one of my schools, we're looking at ways of stopping pupils using the current e-mail systems at home, as they don't have any need in this particular school to do that. This will probably end up being a internally hosted solution (we have Exchange, so will probably look to introduce students onto this as well as staff) but its for that very reason, abuse. We firstly don't want them to go accessing all the e-mails for the other pupils as they have the same password to make it easier for our ICT Coordinator, but for cyber-bullying as well as the other even less savoury versions of abuse.

    Anyone who gives out advice, unless it comes with a law backing it that we should adhere to x y and z we should look at with our sensible heads on and see if there is even a glimmer of something that we can use to make our networks and system more secure and less open to any form of abuse for/by/to the pupils.

    That said, using a roll number doesn't remove that personal touch unless they're going to send an e-mail from 12345@school.com to pupil 67890@school.com saying:

    Dear 67890

    Blah blah .. yatta yatta ..

    Regards
    12345
    then it's a bit pointless. Ok, from logistical points of view, using their roll number is great as you're not going to get duplicates (well, you shouldn't do).

    Anyway, I think I've said enough for now! lol.

  14. #12

    AngryTechnician's Avatar
    Join Date
    Oct 2008
    Posts
    3,730
    Thank Post
    698
    Thanked 1,212 Times in 761 Posts
    Rep Power
    394
    Quote Originally Posted by aptproductions View Post
    That said, using a roll number doesn't remove that personal touch unless they're going to send an e-mail from 12345@school.com to pupil 67890@school.com saying:

    Dear 67890

    Blah blah .. yatta yatta ..

    Regards
    12345


    then it's a bit pointless. Ok, from logistical points of view, using their roll number is great as you're not going to get duplicates (well, you shouldn't do).
    My point exactly. The email address is used in isolation so incredibly rarely that any message including their email address is almost certainly going to include their real name as part of the message. So, no disrespect GrumbleDook, but the example you gave is one I had already considered and I don't think it holds much water. You are quite right in saying that "it is not about a single piece of data", which is precisely why I would argue against using a roll number from MIS, since that's a second piece of data the 3rd party now has in addition to the name that was in the message.

    My criticism of Becta was a general one, not just to do with the DP guidance the OP mentioned. They do also put out recommendations that aren't simply based on collations of other people's guidance; last time I checked they were still insisting that Schools Agreement was bad value for money (which I disagree with) and their report 2 years ago that concluded Office 2007 was not worth upgrading to used a frankly laughable methodology.
    Last edited by AngryTechnician; 13th November 2009 at 05:11 PM.

  15. #13

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Posts
    9,935
    Thank Post
    1,341
    Thanked 1,783 Times in 1,106 Posts
    Blog Entries
    19
    Rep Power
    594
    @The AngryTechnician
    The example was from several real ones, where one child who had been groomed / molested was forced to help groom another child and from where someone used family members and friends to unwittingly get access to kids that could be susceptible to grooming. That is the reason I raise it.

    I know it is about managing the risk and some schools will choose to educate pupils and staff to try and protect that way, others will choose solutions such as anonymising userids. I just don't want people to think that the things put forward have not been thought about carefully.

    It is also worth saying that the roll number is a school specific piece of information that is only used for set reasons, and should it be used by someone you would not expect it from then alarm bells ring. An example would be spammers randomly sending to number@school.com and not having a first name to say "dear 21435" instead ... so Roll Number is not a sensitive piece of information and unlikely to contribute to adding significant data to identify someone (paraphrasing comments from the company who looked at DP for Becta).
    Last edited by GrumbleDook; 13th November 2009 at 05:42 PM.

  16. #14

    AngryTechnician's Avatar
    Join Date
    Oct 2008
    Posts
    3,730
    Thank Post
    698
    Thanked 1,212 Times in 761 Posts
    Rep Power
    394
    I appreciate the example is both real and horrifying, but I maintain that having a pseudonymous email address would probably not have helped in such a case, so I just don't think it was a great example of why we shouldn't use names in email addresses. That said, I did find an example (below) which I think does make a good case for an email address that isn't simply their name.

    On re-reading the thread it occurred to me no-one has yet posted where this guidance on usernames/email addresses actually came from. I couldn't find anything from Becta about usernames specifically, but I found two references on email addresses:

    1. The first, here, talks about the requirements to become an accredited ISP, and says:

      The provider will enable the institution to reduce the risk to pupils by having email addresses that protect pupils' anonymity.
      As per my above argument, I don't believe that obfuscating/omitting the students name in their email address does protect their anonymity in the vast majority of cases.


    2. The second piece of advice I could find is this page which says:

      Careful consideration should be given to the format of email addresses to reduce the risk of unsolicited attention directed towards individual pupils from people outside the school. For example, if individual pupil addresses were created in a format such as firstname.lastname@schoolname.geogra...ation .sch.uk, there is a risk of people from outside the school being able to guess a valid email address and hence contact pupils direct. This is reduced if a non-specific convention is used, such as a combination of letters and numbers.
      This is certainly a different way of looking at it; one I hadn't considered, and that I agree with. It's not anonymity that is compromised, but their protection from exposure to unknown 3rd parties. This is mitigated somewhat by the fact that the 3rd party must either already know the name of the pupil, or is planning to simply guess some common names.


    This is sound advice, but I stand by my criticism of some of Becta's other work, which can tend towards 'ideal world' examples rather than pragmatism, something I think is often desperately needed by schools suffering from a lack of experienced or skilled IT staff. Something can be thought through carefully and still be in need of having common sense applied. In addition, there is a difference between not reading Becta's guidance religiously and sticking my head in the sand. Other methods of policymaking do exist.
    Last edited by AngryTechnician; 13th November 2009 at 06:29 PM.

  17. #15

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Posts
    9,935
    Thank Post
    1,341
    Thanked 1,783 Times in 1,106 Posts
    Blog Entries
    19
    Rep Power
    594
    To be honest, it has been guidance for so long that that reasonable measures to anonymise students from the outside world (paraphrased of course) that the exact references are forgotten.

    Good points raised and I would also introduce another option on why anonymity can be important. 3rd parties which may attempt to contact a student may also include parents who are no longer allowed access to the child. They already have some information (ie names and age) and should they understand the process used for generation of emails then they can make a stab at it. Using things like roll number seriously reduce the chances here too. Unfortunately some elements of social services don't always talk to those working with schools on technology so ideas like this only come to the fore when there is cross-over. CEOP training is an eye opener and so are conversations with the Local Safeguarding Children Board ... I wish that more examples are given but as I said, my frustration is that if Becta give examples (or, as you rightly mentioned, their infrequent instructions!) then they told they are telling people what to do.

    An area where I disagree with folk like RBCs and NEN is the use of user@school.location.sch.uk ... it is a dead giveaway that it is a school and whilst it does not take a lot to work out a school domain the insistence that you should use it seems to just contradict some of their other guidance.

    I wish that there was a large bank of examples of how people do what and enough examination of whether it made a difference, but it tends to be small, and my frustration is that this thread smacked of "Becta know nothing" instead of being helpful ... hey, what will we do if Becta goes? Who will people blame then?

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Anyone identify this font?
    By Dodgex1 in forum General Chat
    Replies: 9
    Last Post: 23rd April 2009, 01:58 PM
  2. Identify this Projector mounts
    By jamesmay in forum AV and Multimedia Related
    Replies: 15
    Last Post: 31st March 2009, 12:20 PM
  3. [Website] Identify these old Computers - quiz
    By mark in forum Jokes/Interweb Things
    Replies: 16
    Last Post: 18th October 2008, 06:04 PM
  4. How to identify an IP address
    By KWestos in forum Wireless Networks
    Replies: 7
    Last Post: 18th September 2008, 04:27 PM
  5. Can Anybody Identify This Cable?
    By DaveP in forum Hardware
    Replies: 9
    Last Post: 11th May 2007, 02:00 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •