Since 2012, Senators Ron Wyden (D-OR), Senator Marco Rubio (R-FL), Senator Mark Warner (D-VA), and Representative Duncan Hunter (R-CA) have introduced four versions of the Student Right to Know Before You Go Act (SRTKBYG), designed to create a postsecondary student-level data network. An improved data network is essential for a foundational infrastructure to provide students and families, policymakers, and institutions with the tools they need to make better-informed decisions about colleges and universities. But the latest version of SRTKBYG includes two notable changes that raise unanswerable questions about feasibility of system implementation and, importantly, whether the system can fulfill the information needs of students, policymakers, and institutions. The bill:
- Requires the use of Secure Multi-Party Computation (MPC), or another more stringent technology, and
- Requires a change in legislation before calculating any new metrics or changing definitions for existing metrics.
The bill defines secure multi-party computation as “a computerized system that enables different participating entities in possession of private sets of data to link and aggregate their data sets for the exclusive purpose of performing a finite number of pre-approved computations without transferring or otherwise revealing any private data to each other or anyone else.” In other words, it would require institutions, the Department of Education, and other federal agencies to submit encrypted data; the system would run pre-determined algorithms and produce an output of aggregate data; and no party in the system would have access to unencrypted underlying data (which, with MPC protocols, would prove useless if gained and decrypted in isolation), other than the information they originally submitted. It’s a promising, though emerging, technology designed to protect privacy.
These new provisions raise six serious questions about system feasibility.
1. Is MPC technology well-tested enough to be able to manage reporting from more than 5,000 institutions of higher education? While MPC has existed conceptually for some time, it has only recently become more of a possibility, and has not been implemented widely or at great scale. Some examples of successful implementation do exist, but none that require reporting from multiple entities to calculate hundreds of metrics. Additional research, development, and testing is necessary before relying upon the technology at scale. Moreover, it’s unclear when such a system could reasonably be developed and at what cost, raising serious questions about whether MPC is feasible for the purposes of the legislation.
2. Do institutions have the technological capacity to submit data using MPC? Technical, resource, and analytic capacity varies widely across colleges and universities, with some underresourced institutions relying upon only one – or even less than one – full-time staff member to complete annual data reporting requirements. Institutions may face complications and hurdles to implement MPC effectively. While the bill allows institutions to use a third-party servicer to conduct data reporting, institutions would need to submit student-level data to that servicer, potentially compromising the security benefits of MPC.
3. Will institutions face duplicate reporting requirements? Institutions currently report student-level data to the National Student Loan Data System (NSLDS) to allow the Office of Federal Student Aid (FSA) to administer student grant and loan programs. These program administration responsibilities will remain if SRTKBYG becomes law, and FSA likely will need to maintain access to student-level data – access that is prohibited in the bill. To accommodate both FSA and SRTKBYG data system requirements, institutions may have to report data on Title IV aided students twice, increasing reporting burden.
4. Will the data system “break” if one institution does not comply or makes a reporting mistake? In some instances of MPC, where agreeance and compliance of all parties is required, an intentional failure to report or a non-intentional error will lead to a system that stops functioning altogether. Each year, some institutions fail to report to IPEDS or make accidental errors in their reporting. The National Center for Education Statistics monitors data for these mistakes and works with institutions to remedy them, but doing so can be a time-intensive process that continues for over a year after the initial deadline. If the entire data system hinges on perfect reporting by all 5,000+ institutions, it almost certainly will not function. Moreover, MPC makes it nearly impossible to assess whether students have been matched incorrectly across data sets, or to resolve why some students may not match at all.
5. What happens if MPC proves unworkable or better technology is developed? Writing specific technologies into law limits systems’ abilities to adapt in ways that implement new, unanticipated, and better technological solutions and security protections. For instance, in 1999 South Korea passed a law requiring the use of Internet Explorer for any online purchases. The law intended to secure data using the strongest technology of the day, but did not foresee how quickly Internet Explorer would become out-of-date. Because technology changes so quickly – and legislation so slowly – South Korea’s online merchandising markets rapidly lost their ability to compete. While MPC may seem cutting-edge today, our nation’s data systems will exist for decades to come, and must be able to implement the latest and greatest security protocols without relying on Congressional action.
6. Will the lack of a governance process for calculating new or revised metrics undermine the utility of an SLDN? By requiring legislative change for any new data element or metric, including different definitions of existing metrics, the bill creates an extraordinarily rigid system that could quickly become outdated, as is the case with many of today’s IPEDS data elements. As an example, the legislation would restrict the Department from requiring institutions to submit new data such as a new student demographic characteristic without each institution’s individual agreement. The legislation would also prohibit calculation of a new metric that does not require any new underlying data to be collected, such as calculating graduation rates over different periods of time. Requiring a change of statute for a simple change in a reporting metric would needlessly frustrate and inhibit the ability of policymakers and other stakeholders to ensure postsecondary data is consistent with the needs of students and families, policymakers, and institutions of higher education.
Any data system must secure student data effectively and use industry leading technology to do so. Students also deserve access to accurate and complete information about college outcomes before investing their time and money. Students have a right to know. Policymakers have a right to know. And neither can afford to wait until a nascent technology is ready.