[crazygringo]

The world is complicated. Laws like FERPA are written with good intentions, but there are a lot of gray areas open to interpretation, and bad actors will take advantage of those gray areas to bring lawsuits for selfish purposes that universities have to spend money to defend themselves and possibly pay expensive penalties over. So lawyers advise how to follow laws in the most risk-free way.

Blaming lawyers or Instructure for "failing to contribute to society" is both incredibly immature and factually wrong. It's not the 1980's where jokes about "kill all the lawyers" get laughs.

I'm going to be blunt: you seem to have a kind of black-and-white, adolescent understanding of the world where it's split up into good actors and bad actors, and good actors should do what's right (regardless of the law) and bad outcomes are the result of bad actors. But that's not how the world works. Everybody involved can be intelligent and trying to do their best, and we get suboptimal outcomes because this stuff is hard. Writing laws that protect student data while maximizing student convenience are probably never going to get it perfectly right in every situation. But insulting the lawyers or the schools or Instructure as "failing to contribute to society" or insulting the law as "supposedly that stupid" is to deeply misunderstand everything.

[trollbridge]

FERPA does not have a lot of "gray areas open to interpretation". It's a well-understand body of law, case law, and regulations, and things like whether or not you can e-mail a student a grade are settled questions.

[ndriscoll]

It's not a misunderstanding of everything, especially for schools that are government funded. They have a mission, they receive resources from everyone else to do that mission. If they are then worried about penalties for some frivolous side distraction, and choose to not accomplish their mission for fear of that, then why are we funding them to start with?

Frankly it's a perspective that I've only developed as I got older and realized that such excuses are poor, and that the real world has quite a few people in it who don't really care about the outcomes of what they're doing, or even understand why they're there. To me it feels adjacent to the adolescent view I often see on this site/reddit around "why is the company laying people off when they're making lots of money?" It's because those people aren't needed for anything, and those jobs aren't a form of charity. They exist for a purpose. If they no longer have a purpose, why would you keep paying that person?

If people are going to exist as obstructions to the purpose of the institution we're trying to serve, then they are useless. It's like a computer security worker saying the best way to be secure is to unplug everything, and push for policies that no one shall use computers for anything. Completely missing the point.

Finding ways to follow the law in the most risk-free way to the detriment of everyone is exactly missing their purpose in the world, and everyone should rightly call such a person incompetent and useless. It's casual acceptance of this kind of incompetence culture that slowly leads to societal decline. It's the same kind of thing as when Berkeley took down their lectures because of the ADA. How about the same state that ignores federal immigration and drug law say that actually they're going to keep giving away their free educational materials because they want universal education, and giving those lectures away is strictly better than not doing that, and if the feds want it made accessible, they can fund a project to do so?

[crazygringo]

I really don't know what to tell you. You're literally calling for universities to either break the law or not worry so much about following it, and calling people who do want to be careful about following the law "incompentent and useless".

If you don't see how extreme that is, and how much society would break down if everyone started thinking laws were optional and ought to be ignored when they prevent you from accomplishing your "mission", I just don't know what to tell you.

[ndriscoll]

Quite the contrary: society very obviously runs because people ignore policies and laws constantly. That's why following all laws exactly is considered a protest or subversion strategy: malicious compliance.

Like the entire AI industry could only work by completely ignoring copyright law. Basically no software could be written if developers were concientious enough to check for and avoid patents first. Tradesmen ignore safety policies. Doctors ignore limits on hours. People do work on their homes with no permits.

Part of being an adult is exactly knowing which rules are important and which you ignore.

[crazygringo]

Individuals can choose which laws to ignore, like when they jaywalk.

Corporations, universities, etc. are very different. They create policies which are documented and which their employees are required to follow. They engage in risk analysis.

"Part of being an adult" has nothing whatsoever to do with the laws and regulations that apply to organizations. You're making a severe category error.

[ndriscoll]

Organizations are made of individuals who I assure you regularly ignore or don't even read the policies they are "required" to follow.

[crazygringo]

I don't know what world you live in. Everywhere I've ever worked, that gets you fired. Real quick.

[trollbridge]

Just to be clear:

E-mailing a student their grade is not "breaking the law".

Not e-mailing a student their grade is not "being careful about following the law". It is just sheer laziness.

A university may develop a policy of "we don't e-mail grades" for another reason, but FERPA is not a valid reason.

[crazygringo]

"Just to be clear":

It's not "sheer laziness". I can almost guarantee you that Instructure would prefer to e-mail the grade itself, and probably had the code working somewhere before feedback from universities told them to remove it.

There are absolutely cases where sending an e-mail to the wrong person is a violation of FERPA. Can you guarantee that your software will never be configured to accidentally e-mail someone besides the student? That no administrator will ever accidentally set up the wrong e-mail address? Because you're not sure if you can make that guarantee, it's legally safer to restrict it to the actual LMS login.

[trollbridge]

Yes, I have written software that would email a student information that was in scope for FERPA.

It’s rather simple to restrict sending email to @student.uni.edu and then further force their email to match the username and email address that is synced from the SIS.

How much FERPA compliant software have you written?

[crazygringo]

That's great for you. I've been in meetings with lawyers around FERPA compliance.

You are right that if you are creating a custom tool you can create that restriction easily.

But if you are creating a learning management system where administrators can configure it a million different ways and the university lawyers want to make sure that administrators don't set it up the wrong way, it makes sense to have that safeguard.

You are looking at the wrong level here. This isn't a software coding issue around technology. This is a policy compliance issue around people. When you create tools you have to consider the possibility of those tools being misused by an employee and mitigate those risks when possible.