Have you ever worked in an environment where you were responsible for building systems that complied with FERPA and you worked with your school's general counsel and compliance team on that?

What you are saying about e-mail is simply not factual. Student e-mail is inside the FERPA environment, and is considered private to the student. It was designed to be that way. If a student sets up forwarding to go to someone else, that's their problem. The student e-mail uses the same SSO as the LMS, so it's nonsense to act like someone else could have access to e-mail.

Then the lawyers are incompetent morons. There's "no benefit" to telling the student their own grade at all when viewed from that perspective. You could just not give them any feedback. Or you could allow them to consent to it, which is what the law asks.

It is a dodge. Society should not just say "oh those silly lawyers". These people are not being responsible. They are not doing their jobs.

As someone who transitioned from working in startups and technology to a university, it is hard to describe how different the environment is.

It looks very weird and is hard to understand from the outside, and unfortunately all technology vendors are on the outside.

Basically every technology has an impedance mismatch when brought into the university environment. And when you combine them together it keeps getting worse.

That's why you see things in this thread like CS professors who operate their class using pen and paper and maybe a spreadsheet.

I worked with a lawyer who was the on-staff general counsel for a mid size private university who was not an incompetent moron.

One thing I really appreciated that she did was refuse to put e-mail disclaimers in the bottom of e-mails, because she said they had zero legal weight and actually were negative from a legal perspective, since it means people might think they have legal weight (when they don't).

Overzealous e-mail admins would periodically want to do it because it's what everyone else does, not to mention vendors of frankly B.S. software whose only value prop was adding a disclaimer to all the email that went out of Exchange or Google Workspace.

No, the lawyers are not "incompetent morons", and I highly doubt you have the legal training and domain experience to be qualified to make that assertion.

You would be surprised at the number of frivolous lawsuits and seemingly "zero risk" decisions that wind up turning into actual legal risk and legal fees.

The legal world is a lot more complicated than you think. I've been in some of these conversations. Quite frankly, you don't know what you're talking about.

> You would be surprised at the number of frivolous lawsuits and seemingly "zero risk" decisions that wind up turning into actual legal risk and legal fees. [¶] The legal world is a lot more complicated than you think.

The law is a lot like an app: It has to take into account a gazillion edge cases and corner cases — not to mention that people can be ignorant and/or malicious. It really is complicated, as you say above.

Well done on not hurling insults at @ndriscoll, BTW. Personal attacks don't persuade the target, and they can turn off onlookers who might be undecided. (Competent lawyers learn early that judges and jurors don't like personal attacks and can be less inclined to believe the attacker.)

The thing is, I don't need that training to recognize that they are failing to contribute to society. This is why I'm saying that it is indeed a dodge. "It's complicated and you don't understand it" isn't an excuse for making the world worse. And yes, it is fully possible for a someone to make that judgement without a large background in law, because it's taking a holistic look at "what was the purpose of this law, and are they interpreting it in line with that purpose?" The details don't matter; the outcomes do. Their job is to deal with the details to reach the desired outcomes. If society is better off for putting them on a boat and sending them into the middle of the ocean, then they are incompetent.

Refusing to give a student their own data because of a privacy law that's meant to give the student control over their data is them failing. Full stop. There's no room for excuses for government funded entities to act in the exact opposite way that they are supposed to to avoid their fear of government imposed penalties from a deliberate misinterpretation of what the entire thing is about. That's incompetence by everyone involved. It is people going out of their way to make the world a worse place to act important. Absolutely unacceptable.

It's like if teachers aren't teaching the kids to read or add, the details about all the compliance stuff they need to worry about and how the school "can't" remove disruptive kids from a class or whatever is missing the point; the schools can't sacrifice actually doing their job at the alter of compliance, or we should just shut them down since all they do is waste resources. The compliance people should be figuring out how to shield the actual workers/create plausible deniability if the law is supposedly that stupid.

The world is complicated. Laws like FERPA are written with good intentions, but there are a lot of gray areas open to interpretation, and bad actors will take advantage of those gray areas to bring lawsuits for selfish purposes that universities have to spend money to defend themselves and possibly pay expensive penalties over. So lawyers advise how to follow laws in the most risk-free way.

Blaming lawyers or Instructure for "failing to contribute to society" is both incredibly immature and factually wrong. It's not the 1980's where jokes about "kill all the lawyers" get laughs.

I'm going to be blunt: you seem to have a kind of black-and-white, adolescent understanding of the world where it's split up into good actors and bad actors, and good actors should do what's right (regardless of the law) and bad outcomes are the result of bad actors. But that's not how the world works. Everybody involved can be intelligent and trying to do their best, and we get suboptimal outcomes because this stuff is hard. Writing laws that protect student data while maximizing student convenience are probably never going to get it perfectly right in every situation. But insulting the lawyers or the schools or Instructure as "failing to contribute to society" or insulting the law as "supposedly that stupid" is to deeply misunderstand everything.

FERPA does not have a lot of "gray areas open to interpretation". It's a well-understand body of law, case law, and regulations, and things like whether or not you can e-mail a student a grade are settled questions.

It's not a misunderstanding of everything, especially for schools that are government funded. They have a mission, they receive resources from everyone else to do that mission. If they are then worried about penalties for some frivolous side distraction, and choose to not accomplish their mission for fear of that, then why are we funding them to start with?

Frankly it's a perspective that I've only developed as I got older and realized that such excuses are poor, and that the real world has quite a few people in it who don't really care about the outcomes of what they're doing, or even understand why they're there. To me it feels adjacent to the adolescent view I often see on this site/reddit around "why is the company laying people off when they're making lots of money?" It's because those people aren't needed for anything, and those jobs aren't a form of charity. They exist for a purpose. If they no longer have a purpose, why would you keep paying that person?

If people are going to exist as obstructions to the purpose of the institution we're trying to serve, then they are useless. It's like a computer security worker saying the best way to be secure is to unplug everything, and push for policies that no one shall use computers for anything. Completely missing the point.

Finding ways to follow the law in the most risk-free way to the detriment of everyone is exactly missing their purpose in the world, and everyone should rightly call such a person incompetent and useless. It's casual acceptance of this kind of incompetence culture that slowly leads to societal decline. It's the same kind of thing as when Berkeley took down their lectures because of the ADA. How about the same state that ignores federal immigration and drug law say that actually they're going to keep giving away their free educational materials because they want universal education, and giving those lectures away is strictly better than not doing that, and if the feds want it made accessible, they can fund a project to do so?

I really don't know what to tell you. You're literally calling for universities to either break the law or not worry so much about following it, and calling people who do want to be careful about following the law "incompentent and useless".

If you don't see how extreme that is, and how much society would break down if everyone started thinking laws were optional and ought to be ignored when they prevent you from accomplishing your "mission", I just don't know what to tell you.

Quite the contrary: society very obviously runs because people ignore policies and laws constantly. That's why following all laws exactly is considered a protest or subversion strategy: malicious compliance.

Like the entire AI industry could only work by completely ignoring copyright law. Basically no software could be written if developers were concientious enough to check for and avoid patents first. Tradesmen ignore safety policies. Doctors ignore limits on hours. People do work on their homes with no permits.

Part of being an adult is exactly knowing which rules are important and which you ignore.

Individuals can choose which laws to ignore, like when they jaywalk.

Corporations, universities, etc. are very different. They create policies which are documented and which their employees are required to follow. They engage in risk analysis.

"Part of being an adult" has nothing whatsoever to do with the laws and regulations that apply to organizations. You're making a severe category error.

Organizations are made of individuals who I assure you regularly ignore or don't even read the policies they are "required" to follow.

I don't know what world you live in. Everywhere I've ever worked, that gets you fired. Real quick.

I've worked at a couple F100s and a startup.

At IBM, vim was specifically banned by legal because of reputational risk because the license asks you to consider donating to children in Africa, and IBM didn't want to be called out for not doing so. Guess which editor pretty much everyone in my org used? We also weren't allowed to move furniture because of some union agreement, but guess how many people cared when furniture mysteriously moved from an empty office room into ours? None.

At the startup, people in our satellite office in Arizona openly mocked the California HR harassment training over lunch. It was also an open secret that one of the managers started dating a report. As far as I know many years later they've both moved on to other jobs and they're still together. Nothing bad happened.

Breaking some policies will absolutely get you fired, but that's mostly around doing things you shouldn't be doing, and even then usually only matters if someone else that has some power might themselves get in trouble/have more work/lose something because of what you did. Others no one will care about. Again, part of growing up is figuring out which policies have a purpose and which came from some busybody.

I also already gave the entire AI industry as an example. We know for a fact that Meta trained on pirated material, and it's pretty obvious that everyone else does too. It's blatant industry wide flouting the law. The realpolitik answer here is everyone knows that enforcing the law here would be the final nail in the coffin for China superceding the West, so it's not going to happen.

Just to be clear:

E-mailing a student their grade is not "breaking the law".

Not e-mailing a student their grade is not "being careful about following the law". It is just sheer laziness.

A university may develop a policy of "we don't e-mail grades" for another reason, but FERPA is not a valid reason.

"Just to be clear":

It's not "sheer laziness". I can almost guarantee you that Instructure would prefer to e-mail the grade itself, and probably had the code working somewhere before feedback from universities told them to remove it.

There are absolutely cases where sending an e-mail to the wrong person is a violation of FERPA. Can you guarantee that your software will never be configured to accidentally e-mail someone besides the student? That no administrator will ever accidentally set up the wrong e-mail address? Because you're not sure if you can make that guarantee, it's legally safer to restrict it to the actual LMS login.

Yes, I have written software that would email a student information that was in scope for FERPA.

It’s rather simple to restrict sending email to @student.uni.edu and then further force their email to match the username and email address that is synced from the SIS.

How much FERPA compliant software have you written?

That's great for you. I've been in meetings with lawyers around FERPA compliance.

You are right that if you are creating a custom tool you can create that restriction easily.

But if you are creating a learning management system where administrators can configure it a million different ways and the university lawyers want to make sure that administrators don't set it up the wrong way, it makes sense to have that safeguard.

You are looking at the wrong level here. This isn't a software coding issue around technology. This is a policy compliance issue around people. When you create tools you have to consider the possibility of those tools being misused by an employee and mitigate those risks when possible.

> The thing is, I don't need that training to recognize that they are failing to contribute to society.

An old lawyer joke: What do you call 100 lawyers drowning in the ocean? A good start!

(Told to me by my dad, a former attorney till he retired.)

I think the lawyers in a straw-man imaginary world where they say a university can't e-mail any FERPA-covered data to a student (which includes such basic things as what times a student's classes are) don't contribute anything to society. But that's because they're just a figment of one person's imagination.

Actual, real lawyers who work for or at real universities often do contribute quite a bit of valuable work. I enjoyed the one I worked with and think she did a great job of putting the brakes on over-regulating or using legal compliance as an excuse for just not doing work.

That's great to hear. As I agreed elsewhere in the thread, their true purpose is exactly to shield other workers from this sort of nonsense FUD and make-work.

Of course I presume it's also not a strawman because it's not in any way some unique thing to lawyers.

The general counsel at my last university job actually tended to cut through the red tape and excuses of “can’t do this due to legal”.

Lots of fun if a department had been stonewalling for “legal reasons” and she was summoned to a meeting.

This, way too many people think they know the law and build up a wall of thinking based on their erroneous understanding of it. They're often afraid to incur the perceived expense of consulting an actual expert.

The same kind of broken thinking exists across MANY other aspects of life. Turn up the radio in your car to avoid hearing the problem that would be 'easy' to fix now and instead ignore it until it turns into a considerably more expensive repair.

I find it's often the same people that make these kinds of misguided decisions that crow the loudest about "kill all the lawyers". Perhaps because of their fear of being called out for their ignorance.