An official IU GPA calculator allowed students, faculty and staff to access the grades of at least 100,000 current and former students in apparent violation of federal privacy law.
The university took down the tool Tuesday within an hour of being notified about the situation by the Indiana Daily Student.
The calculator appears to have exposed current undergraduate and graduate students from IU-Bloomington, IU-Purdue University Indianapolis, IU-Purdue University Columbus and possibly other campuses, as well as students who graduated in 2015 and later.
The tool, under the domain of the Office of the Vice Provost for Undergraduate Education, allowed students to calculate their GPAs for specific types of classes by selecting the courses that were factored into the calculation. The IDS discovered the search function allowed access to other students’ grades and notified the university.
Grades, test scores and courses taken are education records protected under the Family Educational Rights and Privacy Act, which bars schools receiving public funding from releasing grades without prior written consent.
“This is a clear FERPA violation,” said LeRoy Rooker, former director of the Department of Education’s Family Policy Compliance Office and a leading authority on educational privacy law. “There’s not any gray area here. You just can’t have that.”
IU spokesperson Chuck Carney said Tuesday that he was not aware of the GPA search function until the IDS brought it to his attention. While logged in under a reporter’s student account, he used it to look up his own grades from his Ph.D. program. His GPA and grades popped up on the screen. He got an A in Research Ethics in fall 2009. His eyes widened.
“Well, that’s wild,” he said.
The webpage was intended for internal use only, Carney said, and was not supposed to be available to studentsand others. He does not yet know who is responsible for creating the calculator or making it accessible to students and other IU affiliates, but he said IU webpages usually go through multiple hands before being published.
IU will investigate how many students have been affected and why the calculator was made accessible to students, Carney said.
“We really do take the student security aspect of this very seriously,” he said. “We have to be very, very careful about anything we reveal about a student, and we can’t take these things lightly.”
While it rarely happens, the Department of Education could have pulled IU’s federal funding if the university didn’t fix the problem, said Indiana public access counselor Luke Britt.
The link was protected behind the university’s two-step security login, Duo, so it was only accessible to IU students. After accessing the GPA calculator, students could search other students’ usernames to see their grades. These usernames are public and are stored in a database that IU students can access.
Protecting the database through Duo does not change the situation or make it any less serious of a violation, Rooker said.
“You certainly can’t have a system in place that would let another student go in and see what your grades are,” he said. “Absolutely not.”
IU requires FERPA training for all employees and routinely cites FERPA when blocking the release of information. It has even refused to provide students copies of their own records related to their Title IX hearings.
Privacy attorneys say IU could be vulnerable to disciplinary action for negligence, public disclosure of private information or not tracking disclosures of student records, but whether a claim holds up could depend on whether IU knew the grades were accessible and on how much harm was caused.
The calculator’s webpage stated that the search option was available to users of IU’s Student Information System, which spans all nine IU campuses. The database also includes grades from Advance College Project courses students can take in high school for college credit. The GPA calculator had been online at least since 2018.
Students can report FERPA violations to the Office of the Registrar on their respective campuses or by visiting IU’s website. They can also report violations to the Department of Education.
The IDS received permission from more than a dozen current and former IU students to search their GPAs in the calculator in order to determine the scope of the problem.
Grades appeared to be readily available for students going back to the Class of 2015.
“When you told me you could look up my grades, I almost didn’t believe you,” IU senior Monisha Gowda said. “I can’t believe that something like this has been overlooked at such a large public school.”
Gowda said she never knowingly gave IU permission to publish her grades on a GPA calculator and is confused as to why a search function was included with the tool.
“Knowing someone has access to that is unnerving,” said Gowda, a pre-med student. “It’s my grades. It’s my information. What I choose to do with that is to my discretion – no one else’s.
“Imagining how people could use this to their advantage is just gross.”
No specific abuses of the calculator have been reported. But when the calculator was online, nothing prevented students from publishing each other’s grades on social media or comparing grades with students competing for the same job. The calculator could have been used to compare grades among students applying to medical school or law school. Grade information could be leaked to parents or other parties.
Faculty and staff could have accessed the calculator from their accounts. Professors are not normally allowed to look up students’ grades in courses they didn’t teach, but theoretically, they could have used the calculator to make judgments about their students or to decide whether to recommend them for internships. Sororities could have accessed the calculator to make decisions during recruitment.
This information can also be sensitive for people with political or business aspirations. While FERPA already protects his grades, President Donald Trump famously pressured his former schools to keep his grades sealed, according to testimony by his former personal lawyer, Michael Cohen.
In 2016, basketball fans at the University of Kentucky chanted “GPA” at a Louisiana State University freshman player who failed to meet academic standards for an award. It’s easy to imagine how public access to grade information could haunt student athletes and others in the spotlight.
IU senior Carley Berg expressed concerns over the other information IU collects.
“Are they equally careless with the rest of my information?” she said. “How are we supposed to trust them?”
