Thomas Meixner, head of the department of hydrology and atmospheric sciences, was shot and killed while walking from a classroom to his office on October 5. He was 52.
Police officers identified the gunman as Murad Dervish, 46, a former graduate student and teaching assistant who was expelled this year for sending violent messages to faculty members.
In the weeks following the shooting, members of the University of Arizona community have accused the administration of missing the warning signs Dervish posed, and of failing to inform the campus. One faculty member said the university had refused to give him the information he needed to get a protection order against Dervish, citing privacy concerns.
In an October 17 statement to the campus community, Robert C. Robbins, the university’s president, listed the actions the administration had taken to deal with the threat the student posed but admitted that those weren’t enough to prevent Meixner’s death.
“If we could have done better, we will acknowledge it and make changes,” Robbins wrote.
A university spokesperson declined to answer questions about how student-privacy laws factored into the institution’s decisions about what information to share with the campus community.
Ferpa just continues to be this this good law gone bad.
Experts in public-information laws say the situation at Arizona points to a concerning trend among colleges: using the Family Educational Rights and Privacy Act, the federal student-privacy law, in ways it was never intended — sometimes to the detriment of campus safety.
Ferpa, which became law in 1974, requires all postsecondary institutions that receive funding from the U.S. Department of Education to grant adult students access to their own educational records, and to restrict other parties’ access to those records. It outlines specific cases when those records can be released to someone other than the student, including in health and safety emergencies.
The cost is steep for colleges found to have violated Ferpa: The Department of Education could yank their federal funding, though it has never done so, according to the Student Press Law Center, a Washington-based group that supports the free-press rights of student journalists.
In recent years, colleges nationwide have taken a stringent approach to the law, using it as a blanket policy for restricting all sorts of student records, said Mike Hiestand, senior legal counsel at the Student Press Law Center. In some cases, colleges have used the law as justification to keep their affairs out of the public eye and to avoid lawsuits or investigation by the Education Department.
“This belief that Ferpa just is this big, huge gag order that prevents” colleges “from ever talking about students is a real misconception,” Hiestand said.
An overly broad application of the law can restrict the flow of critical safety information at institutions like Arizona, where faculty members said they didn’t get the information they needed to protect themselves before and during the shooting.
An Anxious Several Months
The path to Dervish and Meixner’s fatal encounter was dotted with red flags — many of which, faculty members say, they knew nothing about.
While Dervish did not have a criminal history locally, he had spent time in jail in Pennsylvania for assault and driving under the influence, and in California for elder abuse.
As a graduate student at the University of Arizona, Dervish confronted several faculty members last fall after he received poor grades, the Tucson Sentinel reported. He was later removed as a teaching assistant. Department of hydrology officials tried to offer Dervish financial support, the Sentinel reported, but he started sending threatening emails.
Dervish was banned from campus in January and expelled the next month. He appealed the expulsion and continued harassing faculty members, the Sentinel reported.
Photos of Dervish were posted around the department, with instructions to call the police if he was spotted.
While his expulsion was going through the appeals process, everyone was “in a state of purgatory,” a professor in the department told the Sentinel.
The professor, Christopher L. Castro, told the Sentinel he was subjected to Dervish’s threats for months but was unable to tell students and other faculty members about what was happening because of privacy policies. Classes were moved out of the hydrology building, frustrating faculty members and students.
In June, Dervish’s expulsion was finalized. But the threats continued, professors said.
In August, Castro told the Sentinel, he obtained a harassment injunction against Dervish. He felt the campus police weren’t taking his concerns seriously enough. A no-contact order the university had against Dervish had expired when he was expelled.
Castro told the Sentinel that he faced difficulties getting the harassment injunction because the university would not give him the expelled student’s address, citing privacy concerns. So he tapped a private investigator to find the address and obtained the injunction order on August 5. But the Pima County Constables Office never served the order on Dervish.
A spokesperson for the university did not answer a question from The Chronicle about whether student-privacy laws affected its decision not to provide Castro with Dervish’s address.
Castro did not respond to interview requests from The Chronicle. Lawyers for Dervish, who was charged with first-degree murder in Meixner’s death, declined to comment on the case, and the office of Laura Conover, the Pima County attorney, referred The Chronicle to Conover’s October 17 statement.
A Need for Information
David Cuillier, an associate professor and director of graduate studies in the university’s journalism school, said people on campus didn’t feel like the alerts they received helped them stay safe.
“People were confused. Like, ‘Are we supposed to stay in our room? Is it OK now?’” Cuillier said. “That’s where erring on the side of privacy hurts the public.”
Leila Hudson, an associate professor in the School of Middle Eastern & North African Studies and chair of the faculty senate, said there’s concern that a strict understanding of Ferpa may have deterred people from discussing Dervish’s identity and threats before the shooting.
“The ability of members of the university community to protect themselves was hampered by less-than-optimal communications, the origins of which may have been a legal-liability interpretation of Ferpa,” Hudson said, suggesting that Arizona leaders were overly cautious about releasing information on Dervish.
Hudson said it was unfair that the accused shooter was given “unjustified” privacy, while those he’d threatened and others feared violating a law if they discussed his actions.
“This in no way implies a cavalier disregard for Ferpa,” she said in an email to The Chronicle, but rather that university leadership should provide better education to faculty on Ferpa’s emergency exceptions.
Cuillier said that the threats posed by the suspect before the shooting would have qualified for the health-or-safety exception to Ferpa, which allows colleges to release student information when it’s related to an “actual, impending, or imminent emergency,” such as a campus shooting or a terrorist attack.
“Given what we know about this suspect — and he’s innocent until proven guilty — we have a lot of indication here of what he did, and the threats here,” Cuillier, a freedom-of-information expert, said. “These are pretty tangible, severe issues. That’s something that any agency needs to balance versus this person’s privacy.”
Hiestand, of the Student Press Law Center, said the safety threat was clear, since the university had obtained a no-contact order against Dervish.
“There had been some some pretty significant safety issues here that I think were in play,” Hiestand said. “Ferpa is not supposed to stand in the way of releasing information that’s going to protect somebody’s safety and protect them from criminal activity.”
Records can only be released to “appropriate parties,” who may be able to deal with a situation — such as public-health or law-enforcement officials. But LeRoy Rooker, a Ferpa expert and a former director of the U.S. Department of Education’s Family Policy Compliance Office, said that “appropriate parties” can include the general public when its safety is at risk.
The November 13 shooting at the University of Virginia, Rooker said, is a perfect example: Once the university had identified the student suspected of killing three students, it issued alerts that identified him and told people on campus to be on the lookout. If the university pulled information from the suspect’s student records, the health-or-safety exception would have allowed it to release those details.
“Appropriate parties in that instance were any students or any other people who might come into contact with” the suspect, Rooker said.
In an emailed statement to The Chronicle, Pam Scott, a spokeswoman for the University of Arizona, said that privacy concerns did not hinder the work of law enforcement officers, who knew the identity of the suspect.
“There are a host of considerations during an active event that could extend beyond Ferpa, including law-enforcement considerations,” Scott said. “This is someone who was apprehended the same day due to a coordinated effort by law enforcement.”
In the weeks since the shooting, the University of Arizona has announced an independent review of its campus security, to assess how the university handled the shooting.
Additionally, a committee of faculty, staff, and students will issue a set of recommendations on how the university can improve its safety and security.
A Growing Trend
Arizona isn’t the only campus to make headlines for secrecy around a threat to campus safety. In early October, a student at the University of Baltimore posted a TikTok video saying that the university wasn’t doing enough to ensure safety after another student was arrested and charged with assaulting and stalking her, and with carrying a handgun on campus. That student, Jesse Francis, had been released on bail.
In her TikTok, the student, Madison Vital, criticized the university for sending an alert to the campus community more than a week after she reported Francis to the police. In a statement on October 18, the university said it was “constrained by student-privacy law” from providing more details about the incident.
“There are thousands of people going here every day unaware of the fact that this student could literally walk in at any second and kill them, and the administration is pushing it under the rug,” Vital said in her video.
Vital did not respond to requests for comment, and the University of Baltimore declined to speak to The Chronicle.
These cases, Cuillier said, fall into a concerning trend of secrecy in higher education, in issues ranging from presidential searches to parking tickets.
“Nationwide, public universities have become more secretive every year, applying Ferpa in ways it was never intended,” Cuillier said.
Cuillier said colleges misuse the privacy law in many ways, from hiding lunch menus to refusing to release information about sexual assaults by or against students.
“You’ll see universities that will say, ‘No, you can’t have the database of parking tickets and whose tickets we waived because those are educational records,’” he said.
Parking tickets aren’t educational records, Cuillier said. “In fact, they slap it in public on your windshield. If it was such a private record, then it shouldn’t be out there for everybody to see.”
“Ferpa just continues to be this this good law gone bad,” said Hiestand. “It was a law that was passed with really good intentions and good reason when you read about some of the abuse that was taking place,” including education records being shared with potential employers and grades being posted publicly.
Hiestand and Cuillier said all colleges can take steps to ensure safety without compromising privacy. One of those, Hiestand said, is to correct misunderstandings about what Ferpa does and doesn’t require.
For example, Hiestand said, the law allows colleges to release directory information, which can include the name of the student, their dates of attendance, their major, and even their mailing address. Colleges have to decide what their directory information is and notify students, who can opt out of their information’s being released. If they don’t opt out, colleges are free to release directory information without students’ consent. In emergencies, Hiestand said, this information can be vital.
If colleges don’t rethink how they prioritize public safety and individual privacy, something like this can happen again, Cuillier said.
“People just want information so they know what happened and maybe to prevent it in the future,” Cuillier said. “And that’s where this balance between the public’s right to know and individual privacy is off-kilter. It’s off-kilter nationwide.”
More transparency from the university isn’t just important for safety, he said. It’s also key to trust.
“Hiding, sandbagging, stonewalling — that’s going to engender mistrust,” Cuillier said. “It’s at these times when they need to build trust, not break it down.”
