Inside school-issued tech: The privacy problem

When Katherine W., a third-grader in Roseville, Calif., was issued a Google Chromebook by her school district, her father, Jeff, was concerned. He wondered how the laptop and its installed applications, which included Google’s G Suite for Education, might impact his daughter’s privacy, according to an April report investigating the use of technology in schools from the digital-rights group the Electronic Frontier Foundation.

Google services “sell ads; they track information on folks,” Jeff reasoned, according to the report. “And we’re not comfortable with our daughter getting forced into that at such an early age, when she doesn’t know any better,”

Although Jeff negotiated to have his daughter use a computer without G Suite for the year, the Roseville City School District made it clear that no such accommodations would be allowed the following year, when Chromebook usage would become mandatory.



READ MORE ON EDUCATION, SECURITY, AND PRIVACY

Big data could bring big problems for kids
Facebook helps motivate the next generation of hackers
How to choose a hacking camp for kids
VTech hack exposes parents’ nightmare: The Internet of broken toys
5 ways to prepare your kid for social media


Under the Family Educational Rights and Privacy Act, the data students use to log into educational-application sets like Google’s—including name, student number, and birthday—may not be shared with the vendor or other parties without written parental consent.

Because the school district did not seek consent from parents when it issued the Chromebooks, the EFF argues, it could not legally share information with Google that would enable it to create student profiles for advertising, market research, or other purposes. But that doesn’t mean Google isn’t collecting or storing any student information.

Neither Google nor the Roseville City School District responded to requests for comment.

Concerns like Jeff’s are prevalent throughout the country, says Bill Fitzgerald, director of the privacy evaluation initiative at the education advocacy nonprofit Common Sense Media. And at the root of them is an apparent disconnect between educational-technology vendors, school administrations, and families.

Understanding data disclosures

A third of all elementary and secondary education students in U.S. schools are using school-issued devices, according to the EFF report. Schools and “ed tech” services collect information ranging from the student’s date of birth and browsing history to search terms, location data, contact lists, and behavioral data, it says.

Fitzgerald argues that responsible collection of student data can positively impact education.

“The reason a lot of companies are collecting this information is because they want to support student learning, period,” he says. But not all software is equal, especially when it comes to privacy.

Of the 118 company privacy policies EFF studied, only 78 have data retention policies or actively delete data after periods of inactivity. What’s more, only 46 of the privacy policies, according to the study, state that the company uses encryption to protect stored data—a widely recognized necessity for even a minimal level of security. And of those 46, “most” use it only to protect client billing information—not student data.

Parents should know which software their children’s schools use to manage student health and attendance records, communication, cafeteria operations, and Internet and network traffic, Fitzgerald says.

“Those are the core services that are used in any school, and they have large amounts of very sensitive data, like families who are on reduced-[cost] or free lunches,” he says. “Then ask for documentation on the exact data points they collect and store.”

That documentation should be readily available in any school district, he says, but it rarely is. “This issue isn’t that vendors are trying to do bad things with student data; the issue is that we don’t fully know where the info is going.”

Ed tech companies that don’t publish a “data dictionary” of what they collect, Fitzgerald says, often cite the potentially changing or proprietary nature their data collection practices, he says. “But students don’t go to school so a vendor can have a proprietary data model about the kid.”

Some school districts are attempting to address privacy concerns by requiring their technology vendors to agree to student data use restrictions. While the Franklin-McKinley School District of San Jose, Calif., for example, requires parents to sign a policy that opts their children into a student program that uses Chromebooks or iPads, it also requires its tech vendors to sign an agreement detailing how they will or won’t use student data, says Hung Nguyen, the school district’s director of information technology.

Nguyen’s team vets potential vendors for compliance with student privacy guidelines it adopted from the nonprofit Silicon Valley Education Foundation, says Yelitza Pena, director of community relations for the school district.

“Vendors are required to sign a contract agreeing to the terms, in order to safeguard us as a district and to ensure that our students’ information is only being used for educational purposes,” she says. The contract prohibits vendors from using the data for advertising purposes and sharing data abroad, she says, adding that no parents have requested to opt their students out of the program.

What You Can Do

Parents should speak up when concerned about their children’s privacy, Fitzgerald says.

“Students are the ones who are most affected by these decisions, and they’re the ones who are consulted the least,” he says. “The people who have the power to make this better are the ones who aren’t affected at all when something goes wrong.”

And school districts should allow parents to review any records they maintain about their children, and support interoperability and data portability, Fitzgerald says.

They should also offer opt-out alternatives, the EFF report’s authors say.

Parents who aren’t comfortable with their children participating in a school tech program in the San Francisco Unified School District can opt out by submitting a request form, says technology teacher Susie Kameny.

“A lot of parents overlook these documents in handbooks,” she says, “but it’s also their responsibility to make sure they understand what their kids are using.”

Ed tech vendors should delete student data after it no longer has an educational purpose, Fitzgerald says. Data indicating how long a student took to complete an assignment, for example, could be deleted before data pertaining to the student’s progress evaluations.

“The only way to fix this problem is to get better at identifying the issues, and applying some common principles and best practices,” Fitzgerald says. “What parents, students, and teachers need to advocate for is for vendors to be clearer about disclosing what they collect, why, and for how long they keep it. If we start there, everyone down the chain can make more informed decisions and ask more precise questions.”