The Indiana Lawyer

Lawsuit Claims IU Violated Constitution In Search of ID Card Data

October 29, 2020

(The Indiana Lawyer) – According to the complaint, the four plaintiffs were freshman pledges to the Beta Theta Pi fraternity when IU began investigating allegations of a hazing incident in the fall of 2018. The plaintiffs told the university they were in their dorm rooms at the time in question, and IU accessed the swipe data from their student identification cards to verify their testimony as to their whereabouts.

Although IU sanctioned Beta Theta Pi, the plaintiffs were not found guilty of any wrongdoing.

The four plaintiffs are being represented by the Liberty Justice Center, a Chicago-based nonprofit that claims victory in the U.S. Supreme Court decision in Janus v. AFSCME, which prohibited government unions from charging shop fees to nonmembers.

“Students don’t give up their constitutional rights just because they live in public university dormitories,” Jeffrey Schwab, senior attorney at the Liberty Justice Center, said in a Thursday news release. “If state universities are going to collect data on student movements in and out of college buildings and dorm rooms, then they must take steps to protect that data and establish a process to protect their students’ privacy before accessing it.”

In a statement, Indiana University Bloomington acknowledged it had accessed the ID card swipe data but, citing precedent, said it was acting appropriately in balancing privacy rights against student health.

 “The law does not support the plaintiffs’ allegation that our pulling three days of data for the purpose of investigating troubling allegations affecting student wellbeing is a violation of privacy nor a breach of contract,” IU said. “That limited data was available to a small number of individuals for the specific purpose of examining facts. In a previous case, Medlock v. IU, the 7th Circuit Court of Appeals agreed with our judgment that student privacy interests must be balanced against the interests of their health and safety.”

Known as a “CrimsonCard,” the ID card is used by students for many activities including getting into campus buildings, checking out library books, purchasing meals from the dining halls and snacks from vending machines, printing class materials on university printers, and doing laundry.  In addition, the card can be used at numerous businesses near the university.

The lawsuit asserts that IU retains historical records collected from the use of these ID cards and, in the investigation of the alleged hazing incident, reviewed the data to check the alibis of several students, including the plaintiffs. Moreover, according to the complaint, students have not been given the opportunity to have a neutral decision-maker review the request to access the swipe data.

“The privacy concerns in this sort of data are significant: IU officials could use this kind of swipe-card data to determine who attended the meetings of a disfavored political organization, or who is seeking medical services or even who a student is romantically involved with,” the complaint states. “And since it could potentially be stored indefinitely, investigators need not determine that there is probable cause before tracking it – historical records could be consulted for anyone who falls under suspicion.”