K-12

Schools are spying on students on a massive scale, report says

Privacy policies aren't keeping up with the advances in technology services schools use, according to a new report from the Electronic Frontier Foundation.

By Colin Wood

April 14, 2017

EdScoop

Editor’s note: This article was updated April 25 to include a reaction from a technology expert at Fairfax County Public Schools in Virginia.

Schools are spying on students, building huge databases and not asking parents for permission or even telling anyone about what they’re doing, according to a new report published by the Electronic Frontier Foundation.

Based on two years of research, the digital rights group says that K-12 educational institutions are increasingly using technology in classrooms, but privacy policies are lagging behind. Personally identifying information like dates of birth are paired with browsing history, location data and contact lists culled from school-provided devices and often stored indefinitely, said the report, which was released Thursday.

The 49-page report, called Spying on Students, provides a detailed exploration into the privacy issues at play in education today. Among the findings of the report is a recurring trend in which a lack of communication by schools to reveal the nature of their data collection and retention policies puts the burden on students and parents to investigate matters they may not fully understand.

EFF researcher and report co-author Gennie Gebhart said that the purpose of this report is to define the scope of the problem and attract attention from the diverse group of stakeholders involved in the education technology field.

“There are people who are really fired up about this and have a lot of energy to advocate for it, but they can’t do it alone,” Gebhart said.

A 2015 report from the Software & Information Industry Association estimated that the U.S. market for non-hardware education technology alone exceeded $8.38 billion.

Of 152 educational technology services found by EFF, the group found “troubling” trends in privacy policies, data encryption shortcomings, and inadequate data aggregation and de-identification policies. Further aggravating things, the report states, parents who chose to opt out of certain technology programs were met with few alternatives and sometimes “insurmountable” hurdles.

Jim Siegl, a technology architect for Fairfax County Public Schools in Virginia, however, took issue with some of the report’s findings, in a blog post published after the report was released. Contrary to the conclusion that the services were “lacking in encryption, data retention and data sharing policies,” he found that on closer inspection, that 82 percent of the apps, for instance, used encryption.

“The EFF report raised a lot of questions that were not answered,” he said, based on his knowledge of other reports, and his familiarity with CoSN’s Privacy Toolkit and Common Sense Media’s Privacy Evaluation project.

EFF acknowledged it’s challenging to generalize about edtech services because the types of groups involved are so diverse and numerous. This report was designed to gain the attention especially of legislators and companies putting these technologies in schools, Gebhart said.

“There’s so much room for improvement and they all have a role,” Gebhart said. “It’s a collaborative effort in protecting student privacy and taking responsibility for this obligation to protect students.”

Other avenues for remediating these privacy challenges identified by the report include the creation of more comprehensive policy and legislation that is backed by “concrete technological safeguards,” “better” training for teachers on technology and digital privacy, and more digital literacy education for students so they are able to take control of their privacy in the classroom.

A key recommendation of the report is for parents to ask more questions, things like:

What data will the vendor collect?
Does the vendor follow current best practices in data security?
Does the vendor give advance notice when changing its policies?
Will the vendor disclose any student data to its partners?

“We know how to do this, but it’s so difficult to implement consistently across this kind of field. To do that, you need edtech buy in, you need regulation, and resources,” she said. “We have the technology to do this. But it’s going to require a new kind of organization and buy-in and a new sense of gravity that student privacy is something we need to take really seriously.”

Issues of digital rights and privacy are becoming increasingly relevant, according to a 2014 report showing that one-third of all U.S. students use school-issued mobile devices and that a growing percentage of students access online portals and services to complete tests and homework and access study materials. A survey from the same report found that nearly two thirds of parents said they would opt to purchase the device for their child themselves, if allowed.

The ethical questions surrounding educational institutions’ power in the privacy arena are still largely unresolved, Gebhart said. And the legal landscape protecting the privacy of students is spotty.

Federal laws like the Family Educational Rights and Privacy Act (FERPA), extend some privacy rights to students and parents, but only at institutions that receive funding from the U.S. Department of Education. The Children’s Online Privacy Protection Act was enacted by the Federal Trade Commission to protect children under the age of 13 in the private sector.

Both laws have found violators and provide some protection for students of the right age and at the right schools. But the current use and retention of data by schools indicates that more comprehensive policy is required, the EFF report states.

Granular opt-out choices for parents are often not available, however, the EFF report concludes. Participation is typically an all or nothing affair and those who chose data privacy over the digital resources available may find their students are missing educational opportunities.