The University was tracking students, faculty and staff members’ movement across campus during the fall semester based on location data from WiFi access points without informing them, interim University President Mark Wrighton told the GW community Friday.
Wrighton said in an email to students, faculty and staff that officials collected the location data along with “de-identified” descriptors, like gender, to inform the Division for Student Affairs and the Division of Safety and Facilities on how community members use campus spaces. Wrighton said he learned about the project, which ended in December, after interim Provost Chris Bracey told him in early January, shortly after Bracey learned of the project himself.
“Regrettably, however, the University neglected to inform members of our community in advance of commencing this analytical project,” he said.
GW’s privacy policy states that any party acting on behalf of GW processing data from the GW community must make a privacy notice available explaining how the information will be used.
Wrighton’s email states that officials may have had the ability to collect individualized data, but officials did not do so for the project. Wrighton said officials will destroy any remaining data that they collected last semester for the project.
“Members of the faculty also became aware of this pilot, and there were discussions about what would be done in the future,” Wrighton said in an interview.
Officials launched a new office to oversee data privacy and ethics in January 2019.
University spokesperson Crystal Nosal declined to say which officials oversaw and approved the data collection effort, why officials didn’t issue an announcement about the project until now and whether the Office of Ethics, Compliance and Privacy was aware of the data collection.
Wrighton said officials will not move forward with efforts to conduct a similar project in the future without establishing a committee made of students, faculty and staff to develop a set of policies and a “University position” on the use of the GW community’s data.
“The University deeply regrets that this project took place without proper review or safeguards, and we will work to make sure that such an incident is not repeated,” he said in the email.
The Faculty Senate will discuss an update titled “tracking and student privacy” from Arthur Wilson, the chair of the senate’s executive committee, at its meeting this Friday according to the senate’s agenda. Wilson did not return a request for comment.
Brian Ensor, the associate vice president for cybersecurity, infrastructure and research services, explained how officials conducted the pilot project in an article posted on the company review platform, Upshot, in December. The article has since been deleted, but the behavioral analytics company Degree Analytics tweeted a link to the article on Jan. 7.
Nosal also declined to confirm that Ensor authored the original article that he posted, outlining GW’s partnership with Degree Analytics. Degree Analytics works with educational institutions to track and analyze students’ activities around campus, like class attendance based on Zoom participation and physical presence in classrooms, according to its website.
The Washington Post reported in December 2019 that Degree Analytics uses WiFi data to track where students go to improve their experience. Aaron Benz, the founder of the company, said Degree Analytics could identify that a student who does not spend much time in dining spaces or cafeterias on campus could be dealing with food insecurity or an eating disorder, the Post reported.
The Post reported that students can opt out of Degree Analytics’ data collection efforts if they click “no” on a window that asks whether they want to help “support student success, operations and security,” but Benz told the Post that few actually do so.
A spokesperson for Degree Analytics did not return a request for comment. Nosal also declined to state when GW partnered with Degree Analytics on the project.
Wrighton said in an email that Ensor’s article contained several inaccuracies, like the implication that the project analyzed individualized data, although the de-identified data that officials collected to track student space utilization did include individual descriptors like gender.
“The privacy of our GW community members was of utmost importance to this pilot,” Wrighton said. “The data included in the heat maps for space utilization and dashboards for student utilization for certain spaces was aggregated and de-identified.”
Wrighton said in his email that the article also incorrectly implied that officials conducted a similar project at GW Law in 2019. He said officials discussed a potential project at the law school but did not implement it.
“Our original plan was to launch a pilot at GW’s Law School, and we had even mapped out 6,000 access points across the Law School’s buildings,” the deleted article states. “Then the pandemic struck and everything changed.”
Ensor’s now-deleted article states that officials could collect data on how many students used campus spaces based on swipes recorded at GWorld card readers in buildings like Gelman Library, but they could not determine how long students stayed in those buildings.
He said in the article officials could use data on the amount of time students spend in a building to assess which students were most “at-risk” to help the University adjust their services accordingly.
Ensor said officials worked with Cisco System’s Country Digital Acceleration Program – a group that helps leaders in government and academia with “digital transformation” – and Degree Analytics to collect data and interpret it to improve student services.
A spokesperson for Cisco did not return a request for comment.
“We would integrate Degree Analytics’ software with our learning management platform,” the article states. “Then, pulling anonymized data based on network usage, we could generate actionable insights using Degree Analytics dashboards and reports aligned with the types of questions we want to answer.”
Ensor said in the article that the onset of the pandemic pushed officials to reconsider how they could use this location data to generate maps of GW’s campus indicating which buildings and floors were used most to develop a cleaning schedule to best limit the spread of COVID-19.
“Knowing where they congregated could help us communicate effectively with students about these changes,” the article states. “This meant we could build some social accountability into the conversation, instead of leaving students with the impression they were being policed.”
Ensor said that during officials’ efforts to complete the data collection project, they were “mindful” of privacy issues and looked to only collect data from students that they need to make “more informed decisions and deliver better services.”
GW’s privacy policy states that any University office or contractor that collects personal information for GW should only collect the “minimum amount” of necessary information. The website states that anyone collecting personal information must inform individuals of what data is being collected and establish a “lawful basis” for the collection of this information by taking actions like getting consent.
“Collecting no more information than is necessary minimizes the information that the university must secure and hold private,” the policy states.
Experts said universities can often access student demographic data based on their student IDs but should practice “policy-aware” data collection when conducting research efforts like this.
Bhavani Thuraisingham, a professor of computer science at the University of Texas at Dallas, said institutions should generally collect data like this with informed consent from users, as doctors would when they advise patients on how to move forward with medical decisions.
“We need policies for all of these functions or operations because if you don’t have appropriate policies, then everybody can go kind of wild, you see, and start collecting data,” she said.
Tara Suter and Erika Filter contributed reporting.