[crazygringo]

"Just to be clear":

It's not "sheer laziness". I can almost guarantee you that Instructure would prefer to e-mail the grade itself, and probably had the code working somewhere before feedback from universities told them to remove it.

There are absolutely cases where sending an e-mail to the wrong person is a violation of FERPA. Can you guarantee that your software will never be configured to accidentally e-mail someone besides the student? That no administrator will ever accidentally set up the wrong e-mail address? Because you're not sure if you can make that guarantee, it's legally safer to restrict it to the actual LMS login.

[trollbridge]

Yes, I have written software that would email a student information that was in scope for FERPA.

It’s rather simple to restrict sending email to @student.uni.edu and then further force their email to match the username and email address that is synced from the SIS.

How much FERPA compliant software have you written?

[crazygringo]

That's great for you. I've been in meetings with lawyers around FERPA compliance.

You are right that if you are creating a custom tool you can create that restriction easily.

But if you are creating a learning management system where administrators can configure it a million different ways and the university lawyers want to make sure that administrators don't set it up the wrong way, it makes sense to have that safeguard.

You are looking at the wrong level here. This isn't a software coding issue around technology. This is a policy compliance issue around people. When you create tools you have to consider the possibility of those tools being misused by an employee and mitigate those risks when possible.