Security, privacy weaknesses pervade state and local education websites
At a time when concerns about cybersecurity and privacy are growing, among the most insecure websites are those of state education departments and most local school systems. That’s the high-level conclusion of a new study by the consultancy EdTech Strategies.
“State department of education and school district websites have become indispensable for accessing information about public schools and communicating with school officials,” said Douglas Levin, president of EdTech Strategies and director of the study. “However, analyses of education agency websites suggest a widespread lack of attention to issues of online security and privacy.”
The study found that many sites are not fully using the HTTPS protocol, where “S” signifies secure; instead, they continue to use the older, insecure HTTP protocol. Just over half (26) of the state education departments have this flaw, in one of several ways:
- 12 states don’t offer HTTPS support
- Five states actively redirect from secure to insecure web pages
- Six states don’t automatically redirect visitors to their secure site
- Three states have errors in their website security certificates
Of the 159 school districts evaluated in the study, 69 of them (43 percent) had similar shortcomings.
Using the insecure HTTP protocol, or directing visitors to sites that use it, exposes those visitors to insecure connections. Users are then more prone to losing personal data, becoming infected by malware and/or viewing content that was maliciously altered by a third party.
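A site administrator can check for the four HTTPS weaknesses listed above by recording what happens when the site is requested over both `http://` and `https://`. The Python below is an added example, not the study's method or code: the probe record format, the error labels, the order of the checks and the `.example` hosts are all assumptions made here, and the sample data is constructed.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def final_url(start, hops):
    """Replay recorded (status, Location) hops and return where a visitor ends up."""
    url = start
    for status, location in hops:
        if status in REDIRECTS and location:
            url = urljoin(url, location)  # a Location header may be relative
    return url

def classify(host, probe):
    """Map one host's recorded probe onto the four weaknesses in the list above."""
    tls_error = probe.get("https_error")  # None, "connect" or "cert" (labels assumed here)
    if tls_error == "connect":
        return "no HTTPS support"
    if tls_error == "cert":
        return "certificate error"
    if urlsplit(final_url(f"https://{host}/", probe["https_hops"])).scheme == "http":
        return "redirects secure to insecure"
    if urlsplit(final_url(f"http://{host}/", probe["http_hops"])).scheme != "https":
        return "no automatic redirect to HTTPS"
    return "ok"

# Constructed sample probes (hypothetical hosts under the reserved .example TLD).
SAMPLES = {
    "doe-a.example": {"https_error": "connect", "https_hops": [], "http_hops": [(200, None)]},
    "doe-b.example": {"https_error": None,
                      "https_hops": [(302, "http://doe-b.example/home"), (200, None)],
                      "http_hops": [(200, None)]},
    "doe-c.example": {"https_error": None, "https_hops": [(200, None)],
                      "http_hops": [(200, None)]},
    "doe-d.example": {"https_error": "cert", "https_hops": [], "http_hops": [(200, None)]},
    "doe-e.example": {"https_error": None, "https_hops": [(200, None)],
                      "http_hops": [(301, "https://doe-e.example/"), (200, None)]},
}

def audit(samples=SAMPLES):
    """Return {host: verdict} for every recorded probe."""
    return {host: classify(host, probe) for host, probe in samples.items()}

if __name__ == "__main__":
    for host, verdict in audit().items():
        print(f"{host:16} {verdict}")
```

A host is reported under the first weakness it matches, so each site lands in exactly one category, as in the study's counts.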
Perhaps even more alarming, and far more common, is the presence of tracking software that compiles information about users’ activity and uses it to help target them with advertisements elsewhere on the web. The study found that 49 of 51 state education departments have some kind of ad tracking and/or online surveillance in place. The same is true of the school systems in the study — 158 of 159 systems use ad tracking and/or online surveillance.
In fact, in many instances, they have multiple trackers and/or surveillance software. Four states — Arizona, Georgia, New York and Tennessee — have five or more. Nearly 20 percent of the school systems (31 of 159) have five or more.
“I have some ideas,” Levin said when asked why these programs are embedded in education websites. First, there are many different types of technology deployed; those that provide information about users — how they’re using the site, where they come from, who they are — can be attractive to website administrators.
The downside, Levin said, is that “it may be encouraging some website administrators to satisfy their curiosity in ways that aren’t appropriate” for K-12 sites.
Another possibility is that “these tools can add some interactivity to what are otherwise rather static sites,” he said, such as linking to social media, “but by embedding those social media widgets in their site, they may not understand it also includes tracking technology.”
The study reviewed the state education departments’ and school systems’ privacy policies. “Based on that review, it’s clear there’s a disconnect,” Levin said. In many cases, the websites “made demonstrably false statements. It’s pretty startling — look at the trackers, look at the cookies, then look at the privacy policies and see the promise that they don’t allow persistent cookies.”
Levin believes that many of these problems are attributable to a lack of maturity in the K-12 sector about IT planning.
“They tend to be understaffed in terms of IT,” he said. He estimated the average IT support-to-user ratio in companies is between 50 and 300 per IT support person, but in schools it can be up to 1,000. And many school districts likely don’t have a full-time IT staff; they may be part-time, or it might be a third-party contractor.
“Questions have already been raised about student-facing apps; the issue of student data privacy has been raised over the past four or five years in the K-12 space,” Levin said. “But that focus is too narrow … In general, because of a lack of IT expertise or a strong culture of IT management in the sector, I think there’s a lack of awareness about how pervasive some of these technologies are and how they work, and they may not understand they’re complicit.”