Topics Map > University of Chicago > IT Services > Phones & Internet Connections > Directories & Information
Topics Map > University of Chicago > IT Services > Accounts, Identity, & Security > Identity Management

Online Directory - Data Protection FAQs

This article provides answers to a number of frequently asked questions regarding the privacy of directory data. IT Services and the Directory Office take the privacy of the members of the University community seriously.

Who may see my Directory data?

How may I set my Directory profile to private?

I am a student, but I am also a staff member. Does this mean my information automatically becomes visible to the general public, i.e., it is no longer hidden?

What is a "logged in user" versus a "non-logged in user"?

What can the "general public," that is, "non-logged in user" see?

Why is there a mailable link in the Directory for email addresses?

Does the inclusion of mailable links mean that my account can be compromised?

Would adding an image or some other intermediary step remove the possibility of receiving spam?

Can anyone query UChicago's LDAP server and download Directory user data?

Why can’t I hide or entirely remove my email address as faculty or staff?

May I contact the Directory Office regarding this FAQ or with my privacy concerns?


Who may see my Directory data?

Students: Because FERPA is enabled by default for students, your information is automatically hidden from anyone other than logged in faculty or staff - including other students - unless you choose to have it made visible.

Per the federal guidelines dictated by FERPA (the Family Educational Rights and Privacy Act), the University withholds the public release of your Directory information, which causes your Directory information to be suppressed. You may enable or disable FERPA at any time and as many times as you choose. Additional information about FERPA may be found here: Student Records and FERPA.

Faculty or Staff: Your information is available to the general public unless you opt to make it private. Note, however, that while you may remove or hide most of your information, you cannot remove or hide basic information like your email address and your name.

For more information on what constitutes the general public, and why you should take them into consideration in deciding on the visibility of your Directory profile, please see the questions, contained in this FAQ: "What is a "logged in user" versus a "non-logged in user"?' and 'What can the "general public" or a "non-logged in user" see?'

For more information on the why you are unable to hide basic information such as your email or name, please see the question, contained in this FAQ, "Why can't I hide or entirely remove my email address as faculty or staff?

How may I set my Directory profile to private?

Students:

To elect to have your information re-hidden (or to have it made public), log in to myUChicago at my.uchicago.edu with your CNetID and password. From the home page, click on the "Welcome, <your name>" button in the top right corner of the page and select My Profile from the drop-down menu. On your profile page, your current FERPA status is listed next to "FERPA Directory Information". If you wish to edit your FERPA status, select Edit next to your current status, then select Edit FERPA/Directory Restrictions on the next page.

On the option page, select the button Restrict All Fields to enable FERPA and or Release All Restrictions to disable FERPA if you have previously enabled it.

Faculty or Staff: To elect to set your Directory entry to private, visit the online Directory, and select the Sign In button on the upper left-hand corner of the screen to sign in, if you have not signed in already. After you have logged in, select this same button, which will now read, "Welcome, [Your Name]." This will take you to the page "Modify Your Directory Entry:," where you will be able to edit your privacy settings.

If you already have additional contact information (designated as "Office," "Lab," "Home," or "Miscellaneous"), select the respective contact you wish to make private, and then select the box next to Hide this information from non-UChicago Viewers. This will set your profile to private, making non-basic information (i.e., information other than your name and email) invisible to the general public.

Note: As stated, if you do not currently have contact information of the types designated above - "Office," "Lab," "Home," or "Miscellaneous," - there is no information the privacy settings of which you may change, because you cannot hide your default or basic information (name, email, affiliation, etc.). The privacy setting to make information visible or invisible is for additional information contained in the above-mentioned designated contact types, and not for your basic information like your name and email.

I am a student, but I am also a staff member. Does this mean my information automatically becomes visible to the general public, i.e., it is no longer hidden?

No. If you are a student but also a staff member, your student status ensures that FERPA protection will remain enabled for your information, including basic information, unless you opt to remove it. Your information will remain hidden.

What is a "logged in user" versus a "non-logged in user"?

A "logged in user" is an individual with an active status who uses a valid CNetID or UCHADID and password who has authenticated to (logged in to) the online Directory website; this includes current students, faculty, and staff. A "non-logged in user" may refer to either an individual who is not faculty, staff, or a student and has no formal ties to the University or to an individual who is faculty, staff, or student, but who is not currently logged in to the Directory. Thus, "non-logged in users" are not necessarily users who should not have full (logged in) access to the Directory, although they may be.

A non-logged in user is considered part of the "general public."

What can the "general public," that is, a "non-logged in user" see?

Non-logged in users, who may include people who have full access to the Directory but have simply not logged in, can see up to 25 entries maximum for any given search and those entries are for individuals who have elected to have their non-basic Directory contact information visible to the general public and for students who have elected to remove FERPA protection. Only logged in users have the ability to search for and find the non-basic or non-default or additional information of individuals listed in the Directory whose profiles have been set to "Private" - including students, faculty, and staff.

Note that non-logged in users can still view the basic information (name and email) of faculty and staff because the people relying on anonymous access (i.e., access to the Directory without logging in first) vary from current University faculty, staff, and students who may log in but have not, to former colleagues, alumni, retired faculty and staff, spouses of faculty members, and members of University affiliate organizations, etc. For this reason, we encourage you to carefully consider making your Directory information invisible to the general public.

Why is there a mailable link in the Directory for email addresses?

The reason there is a mailable link in the Directory rather than an image (like a CAPTCHA) or some other intermediary step is because there was extremely high demand across campus for mailable email links to facilitate the process of sending email.

The Directory Office has responded to the demand for both privacy and mailable links by limiting the maximum number of search results a non-logged in user can receive for any one search to 25.

Does the inclusion of mailable links mean that my account can be compromised?

No. The inclusion of mailable links is not a security concern; the only concern--and it is not a security one--is the possibility that an individual could receive spam. However, as stated above, the maximum number of search results a non-logged in user can receive for any one search is 25 – a provision put in place to protect users' privacy and to prevent a large number of emails from being accessible for the purposes of spamming through an automated program. Access to a person's deliverable email address does not give an individual either access to services they are not entitled to (e.g., access to email, wireless, Directory authentication, etc.), and neither does it give them the ability to elevate privileges beyond what they are able to otherwise receive.

Instances of individuals receiving spam in such numbers as to be significant are extremely rare. If you find that you are receiving an inordinate amount of spam through your UChicago email address, you may contact the ITS Service Desk.

Would adding an image or some other intermediary step remove the possibility of receiving spam?

No. Spam, unfortunately, has become a constant of the virtual world. Both the online Directory and LDAP are regularly trawled for email addresses automatically and manually. Even if IT Services were to remove mailable links and were to include some type of CAPTCHA-like provision, spammers would (and do) still perform scraping attacks.

Can anyone query UChicago's LDAP server and download Directory user data?

Not quite. While LDAP is publicly query-able for those who know how to query it, there are limits, as explained above, in the amount of results a search will produce. This means searching for all accounts starting with the letter "A," for example, will cause a limited number of results to be returned.

Someone's ability to publicly query LDAP and obtain Directory user data is equivalent to the ability of someone who is not logged in to the Directory (a "non-logged in user") to search for and find information. That is, it is intentionally very limited. Querying LDAP to obtain Directory data will not allow an individual to view any information that he would not otherwise be able to view.

To learn more about LDAP and how this technology is employed by the University, please see Using LDAP Affiliations for Authorization and LDAP Authentication.

Why can’t I hide or entirely remove my email address as faculty or staff?

The purpose of the online Directory is to facilitate communication among members of the University community. While you may choose to hide or delete details like your office phone number, office location, title, and department, and even your preferred email address, the inclusion of your email address represents the minimum needed to ensure that others are able to reach out to you if necessary.

Recall, as stated earlier in the FAQs, that "others" includes a wide variety of people who may not - or may no longer - have the ability to log in to the Directory. It may often be the case that the individuals reaching out to you are former colleagues or students, retired staff or faculty, individuals in your field interested in your research, or other individuals with some tie to you who may not be formal members of the University of Chicago.

May I contact the Directory Office regarding this FAQs or with my privacy concerns?

Of course! IT Services and the Directory Office work to ensure that your Directory data is protected, and that you have the ability to modify what information is displayed. To contact the Directory Office with feedback, suggestions, concerns, or inquiries, send us an email at directory@uchicago.edu. We look forward to hearing from you.




Keywords:privacy private "general public" "logged in user" "non-logged in user" viewers   Doc ID:37466
Owner:Astrid F.Group:University of Chicago
Created:2014-02-10 13:14 CSTUpdated:2016-09-13 06:26 CST
Sites:University of Chicago, University of Chicago - Sandbox
Feedback:  0   0