The College Fix

Lawsuit Challenges University’s Authority to Track Students Through Data Collection

December 8, 2020

(The College Fix)—ANALYSIS: Lawsuit filed over swipe-card data collection could pave way for precedent on students’ Fourth Amendment rights

An important lawsuit is unfolding that has the potential to affect the Constitutional rights of college students across the United States.

College students don’t sign away their privacy rights the minute they set foot on a public university’s campus. To most this would seem like an obvious statement, but evidently not to the administrators of Indiana University Bloomington.

In 2018, campus officials illegally accessed the swipe-card data of several students without a warrant as part of a university-wide investigation into the hazing practices of certain fraternities, according to a lawsuit filed against the school.

The four students currently suing Indiana University Bloomington over the privacy invasion were never involved in any wrongdoing, did not give their consent to have their data accessed, and were unaware that campus officials even had the ability to access the swipe-card data.

“The students are asking the university to admit wrongdoing, take steps to change policies around accessing student data and inform students of those policies. They want to ensure that the rights of IU students — and ultimately all university students — are protected,” according to a news release about the lawsuit, filed in late October.

This lawsuit will not itself make significant changes to legal precedent, but its outcome will be indicative of how the courts will interpret privacy rights in the years to come if — and likely when — its ruling is appealed to higher courts.

This is one of the first times universities’ use of student data, especially universities tracking their students, is being litigated. Are educational institutions subject to special carve outs from respecting students’ Constitutional rights? It will be interesting to see what the courts say.

Swipe cards, which have become increasingly common on college campuses, act like a universal key to dormitories, dining-halls, discussion sections, and other university amenities.

If used maliciously, collected swipe-card data could be used to determine “who attended the meetings of a disfavored political organization, or who is seeking medical services, or even who a student is romantically involved with,” according to the complaint filed by Liberty Justice Center on the students’ behalf.

Warrant-less intrusion into students’ privacy can only be justified if the university is dealing with “exigent circumstances,” the complaint states.

Lead counsel for the Liberty Justice Center, Jeffrey Schwab, said “exigent circumstances” are, essentially, emergency situations.

“Police officers [acting as representatives of the government] can’t bust into your house unless they have a warrant or if a police officer has a reasonable belief that there is imminent physical harm or relevant evidence is being destroyed,” Schwab said in an interview.

Similarly, a university can only access students’ data legally if they obtain a warrant or if there is a real-time emergency threatening the well-being of students on campus. IU’s use of its students’ data met neither of those criteria, the lawsuit alleges.

The students, who were all associated with the fraternity Beta Theta Pi, had their data accessed without a warrant and without their consent. Their fraternity was being investigated for a history of dishonest conduct, endangering others, and hazing. Since the investigation was not related to a real-time emergency, none of these alleged offenses met the criteria for an exigent circumstance.

Public universities wear multiple hats. They are educational institutions, landlords, and peace-keeping agents with the power to enforce the law. This means that they are held to the same strict Constitutional standards under the Fourth Amendment that the Supreme Court affirmed in the 2018 case of Carpenter v. United States to include the protection of private data.

When asked what he hopes the outcome of the case will be, Schwab said he hopes for two results that will “prevent university officials with nefarious reasons from accessing data.”

First, he said he hopes that the university will be required to “set up protection that limits or prevents them from accessing that data unless it goes through due process.”

Second, Schwab said that he is pushing for there to be protection in place that would provide “notice to the students in advance and a process to ensure that they are not just accessing this data without a relevant purpose.”

According to the complaint against Indiana University Bloomington, there were few protections in place that would have prevented a predatory individual from accessing students’ data if they wanted to stalk or harass them.

This may seem like a small story in the middle of the election news cycle, but its litigation has the potential to affect rulings across the country as we continue to wrestle with the question of privacy protection in a world of data collection.

All public institutions are in a position of public trust that obliges them to protect the safety and privacy of students. Students at public universities do not waive their Constitutional rights when they enroll.

The results of this case are yet to be seen. We can only hope that IU will be held accountable for its misuse of student data and that the rights of students to be secure against unlawful searches and seizures will be affirmed.