Some time ago I blogged about the privacy aspects of the more social learning management systems. And, as you would expect, it has suddenly come back to bite us.
Currently our LMS is outsourced, but authentication is provided via our LDAP server, to which we allow the LMS provider limited secure access: they can read only student_id, human_name and course_code_list. (This is not quite true - the truth is more complex and messier, as it always is.) Student_id is an alphanumeric string that is allocated on the basis of when a student is accepted for a course and is used to log in to systems. It is not readily guessable, with no ties to initials, year of entry etc. In other words, pretty well obfuscated. Course_code_list is kind of fundamental to the operation of the LMS. Human_name is exactly that: what you are known as.
The problem comes down to the disclosure of Human_name to people you might not want to disclose your name to, much as on a social networking site or in a role-playing game you might not wish to disclose either your identity or aspects of your identity.
Our crude solution to the anonymization problem is to create a new attribute, Pseudo_human_name, which we populate with a random string. We then provide students with a 'reveal' facility: they go to our identity management portal and click a box to say that they wish to reveal their name, at which point Pseudo_human_name is set equal to Human_name. The LMS provider of course has to change so that they enumerate Pseudo_human_name, and we deny them access to Human_name.
As I say, crude, but it has the effect of not disclosing, outside of the systems we control, information that our users don't want disclosed. (It is also a good demonstration of the need to keep control of identity management, even if users do seem to behave sensibly on the whole.)
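The scheme above, modelled as an added example (not code from our systems): the provisioning step, the portal's reveal box, and the attribute allow-list applied to what the LMS provider can read. The function names, the `user-` pseudonym format, and the behaviour on un-ticking the box are assumptions made for illustration.

```python
import secrets

# Attributes the LMS provider may read under the new arrangement.
# human_name is deliberately absent: access to it is denied.
LMS_READABLE = {"student_id", "pseudo_human_name", "course_code_list"}

# Constructed sample entry (not real data).
SAMPLE = {"student_id": "q7x2k9", "human_name": "Alex Example",
          "course_code_list": ["HIST101"]}

def new_pseudonym(in_use):
    """Random string with no tie to the real name; retried on collision."""
    while True:
        candidate = "user-" + secrets.token_hex(4)  # format is an assumption
        if candidate not in in_use:
            in_use.add(candidate)
            return candidate

def provision(entry, in_use):
    """Default state: every entry gets a random pseudo_human_name."""
    if "pseudo_human_name" not in entry:
        entry["pseudo_human_name"] = new_pseudonym(in_use)
    return entry

def set_reveal(entry, reveal, in_use):
    """Portal tick-box. Ticking copies human_name into pseudo_human_name.
    Un-ticking (an assumption, the post only describes ticking) issues a
    fresh pseudonym rather than reusing the old one."""
    if reveal:
        in_use.discard(entry["pseudo_human_name"])
        entry["pseudo_human_name"] = entry["human_name"]
    elif entry["pseudo_human_name"] == entry["human_name"]:
        entry["pseudo_human_name"] = new_pseudonym(in_use)
    return entry

def lms_view(entry):
    """What the LMS provider's bind sees: allow-listed attributes only."""
    return {k: v for k, v in entry.items() if k in LMS_READABLE}

if __name__ == "__main__":
    in_use = set()
    entry = provision(dict(SAMPLE), in_use)
    print("hidden:  ", lms_view(entry))
    print("revealed:", lms_view(set_reveal(entry, True, in_use)))
```
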
Long term we'd like to stop exposing our LDAP servers, use Shibboleth, and provide a user-driven attribute disclosure solution built around Autograph. Given that Shib is designed to solve this problem, it seems a better solution, and one that's more extensible for more difficult problems ....