

How to securely distribute student grades? - plg

I teach a small University class (~ 20 graduate students). We have been told that it's now against the rules to (a) post grades in a public place (e.g. on a website, on an office door), (b) send students their grades over email, etc. It's all about privacy laws.

So I'm asking HNers: can you think of a relatively low friction way for me to distribute grades to my students securely?

My University does have a web-based course management system where I can enter grades, and each student can log-in using their University credentials to look up grades, etc ... but I truly LOATHE the system my University has chosen to use. It's slow, it's ugly, it's error prone, yuck yuck yuck.

I could get each student to generate a public/private key pair using GPG, and send me their public key. Then I can send them an email with their grade encrypted. Advantages: it's secure; it would also teach them how to use GPG which I am all in favour of. Disadvantages: it's clunky for me to send 20 separate emails using 20 separate public keys.

HNers: Is there a way I can send a single email to the entire class, with the entire set of grades encrypted in such a way that each student can only decrypt their email and nobody else's?
======
mindslight
Think low tech, you don't need or want computer software. In class, ask every
student to submit a 'handle' (which can be any identifier they want), and a
'grade offset', which is just a random number in the range of grades (say
0-100 for numeric grades). Then you publish an email/webpage/office door
posting with a list of handles and corresponding ((grade - offset) mod 101).
Figuring out the range of letter grades is a little harder on specifics, but
still straightforward. This also allows students an explicit opportunity to
not opt in and arrange other methods instead.

------
patmcc
Use the university provided method - students have to deal with it anyway,
most likely, so you're not saving them any hassle. And however slow and ugly
it is, it's already built and (presumably) works.

~~~
carlosdp
I agree with this, as a student at a university that also uses a horrible
system. Why add complexity with GPG key encryption or some other convoluted
method simply for distributing grades? Just use Blackboard and be done with it
in my opinion.

------
asdf3
Use the website the college has provided. This isn't about your convenience or
technical judgement (about a system you don't maintain). It's about the
students and the rest of the college.

That said, encrypt each grade with a key derived from the student's ID
(which is privileged information) and make a webpage to do the decryption for
the students. SHA256 ( ID + Salt ) == Key for symmetric encryption.

--former IT college staffer

------
brucehart
If it's only 20 students, maybe just ask them to come by your office during
office hours. Most of my professors would just post grades in the hallway
using student IDs, but a few did it this way. It gives you a chance to connect
with the students and give some personal feedback. At the graduate level this
can be helpful not only for them, but also for you since these students are
people you will likely work with later in industry and academia.

If you are not in your office much, then I would just offer the GPG option.
Sending 20 e-mails will not take very long. Out of the 20 students, I bet only
half of them get their act together and e-mail you a key, so it's really more
like 10 emails that you would need to send.

------
maibaum
Make an excel doc with one column as the log of their student ID #'s and grade
in the next column. Include a line at the top for instructions to take the log
of their student ID # to find their grade. Label column headings appropriately

~~~
plg
nice idea but it would still violate the rules... student ID numbers are no
different than names (so says the university)

I could ask each student to send me a password and I could post a symmetric
encryption of their grade using their password ...

~~~
degenerate
Is it a programming/math class? Tell them verbally it's their ID * 2, or
something easy like that. You will not be breaking the rules and they can
still see their grade. Ex: R589390 => R1178780

~~~
plg
yeah it's a question of whether the university would still consider posting
these altered IDs as private information... after all each student can still
decrypt all IDs by dividing them by 2 (since the same encryption rule applies
to all students).

I'm thinking the only way to do this is to have a student-specific password,
either symmetric or public/private key pair

~~~
joezydeco
Tell the student to MD5-hash a text file with one line that looks like this?

ID9999999LastNameFirstNameWHATSMYGRADE

------
mchannon
If you set things up properly, you could be granted 20 public keys and one
single boilerplate e-mail containing everybody's grades, with each one encoded
in their appropriate key.

Everybody would then attempt to decode each cipher, with only one working for
any individual private key.

This isn't all that different from your original posting, except that you now
only need to send one unique e-mail.

(For Beavis, who's getting an F because he never showed up to class, you might
get in trouble with the administration because a simpleton couldn't decode
their grade through this or other sophisticated means.)

------
JoachimSchipper
The sensible answer is clearly just to use Blackboard or whatever; but if you
insist, just make each student write some word or passphrase on whatever they
hand in. Then publish a list of word/grade pairs.

(A.k.a. you can't solve this without either a pre-shared secret or public-key
cryptography; so get yourself a pre-shared secret.)

(Potential pitfall: no matter how many instructions you add, someone is going
to write down his bank password.)
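
Added example, not part of the original comment or of any poster's code: the pre-shared-secret approach combined with the "one message, everyone trial-decrypts" idea raised earlier in the thread. It uses only the Python standard library (PBKDF2 plus an encrypt-then-MAC one-time pad, chosen so it runs without dependencies); the function names, `ITERATIONS` and `WIDTH` are hypothetical, and the roster is constructed sample data.

```python
import hashlib, hmac, secrets

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value, tune for your hardware)
WIDTH = 16            # grades are padded to this many bytes so length leaks nothing

def _keys(passphrase, salt):
    """Stretch the passphrase, then split it into a one-time pad and a MAC key."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)
    pad = hmac.new(master, b"enc", hashlib.sha256).digest()[:WIDTH]
    return pad, hmac.new(master, b"mac", hashlib.sha256).digest()

def seal(passphrase, grade):
    """Encrypt one grade under one student's passphrase: 'salt:ciphertext:tag' (hex)."""
    data = grade.encode()
    if len(data) > WIDTH or b"\x00" in data:
        raise ValueError("grade too long or contains NUL")
    salt = secrets.token_bytes(16)  # fresh salt, so the pad is never reused
    pad, mac_key = _keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(data.ljust(WIDTH, b"\x00"), pad))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return ":".join(part.hex() for part in (salt, ct, tag))

def open_entry(passphrase, entry):
    """Return the grade if this entry was sealed with passphrase, else None."""
    salt, ct, tag = (bytes.fromhex(part) for part in entry.split(":"))
    pad, mac_key = _keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # someone else's entry
    return bytes(a ^ b for a, b in zip(ct, pad)).rstrip(b"\x00").decode()

def publish(roster):
    """roster: list of (passphrase, grade). Returns the shuffled public bulletin."""
    phrases = [p for p, _ in roster]
    if len(set(phrases)) != len(phrases):
        raise ValueError("duplicate passphrase: those students could read each other")
    bulletin = [seal(p, g) for p, g in roster]
    secrets.SystemRandom().shuffle(bulletin)  # order must not mirror the class list
    return bulletin

def find_my_grade(passphrase, bulletin):
    """Student side: trial-decrypt every entry; only one authenticates."""
    hits = (open_entry(passphrase, e) for e in bulletin)
    return next((g for g in hits if g is not None), None)

if __name__ == "__main__":
    # Constructed sample roster; passphrases collected on paper in class.
    board = publish([("correct horse", "A-"), ("tin whistle 42", "B+")])
    print("\n".join(board), find_my_grade("tin whistle 42", board), sep="\n")
```

Because the bulletin is public, its secrecy is bounded by passphrase strength: anyone can guess passphrases offline, and PBKDF2 only slows each guess. For real use, swap the hand-built pad and MAC for a vetted AEAD.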

------
brudgers
SASE over USPS meets all privacy requirements, allows communications to be
tailored for each student and uses a proven technology stack to provide robust
and reliable delivery regardless of the student's computing platform or
internet bandwidth.

------
studentthrow
I've had professors do many different things, Blackboard is actually okay for
checking your grades as a student though it does suck to put grades in.

Another option is set up a website with a login id (student id or something)
and have students submit a pin (4-12 chars) and let them use that to login and
see their grades (probably should be ssl).

As for your question I don't see how you could send them encrypted, you could
make up random ids for each student and only give that student their id then
send grades out corresponding to their random ids but that may still violate
privacy issues.

------
spurgu
You could generate personal URLs for each student, pointing to whatever
site/service you choose (for example Pastebin, with an expiry date), then
generate QR codes of those URLs and hand them out on paper notes.

~~~
plg
nice!

------
stumpyfr
Sounds a little "too much" of privacy laws but...if you really need:
[https://bitmessage.org/wiki/Main_Page](https://bitmessage.org/wiki/Main_Page)

------
percomis
How about this: you ask every student to send you a password word. You hash
these passwords, give them the algorithm and send them a list with the hashes
with the grades.

~~~
plg
yeah I like that one

if my university were paying attention they would complain that sending me the
passwords would be insecure... but I suppose each student could hand me a
piece of paper

~~~
maibaum
Have them turn it in on an assignment or write it in the signature box on the
scantron

------
jordsmi
Regardless of if you encrypt it or not, to the school it is still going to be
against the rules. You are still sending it to their email, which someone else
may have access to. If they have access to the computer they may also have
access to encryption keys, etc.

Even though it is terrible I would just stick with the school's system.

------
plg
I think what I'll do is send a list of all grades listed next to the SHA256
hash of their student IDs

They have access to SHA256 so they can privately find their own student ID
hash and then look up their grades

~~~
spurgu
The problem with this is if, for example, only one student got a five (and
they know who), from which the others could deduce that student's hash.

------
Mimu
Ask them to come up with a simple idea.

- If you don't like it they'll have the least grade possible.

- If they do, use it.

Easy.

Also what kind of rule is that lol? Privacy, really?

