Surveillance Society: Students easy targets for data miners

Surveillance-promoSome companies reveal what they learn about students and who sees that information. But a Post-Gazette study of 143 ed tech providers that serve Pennsylvania schools found that most don’t say how long they keep student data or whether it can change hands in a merger or bankruptcy, and the vast majority say nothing about how they’d handle a data breach.

What kid wouldn’t want to be able to create an electronic science fair poster, with photos and embedded video, using their smartphone — all on the morning bus ride on the day it’s due?

Glogster EDU lets kids do that and, according to its website, it’s setting up “2,000 new teacher accounts daily,” each with, presumably, a classroom full of kids attached.

According to its public statements, though, the Czech Republic-based firm may be assembling more than photos of vinegar-and-baking-soda volcanoes.

The company’s privacy policy said it may collect a user’s “name, address, email … date of birth, gender, country,” as well as “interests, hobbies, lifestyle choices, groups with whom they are affiliated (schools, companies), videos and/or pictures, private messages, bulletins or personal statements.”

It may share information about users with “consumer products, telecom, financial, military, market research, entertainmen, and educational services companies,” according to its website.

“Even if it’s written in our policy, we don’t do this,” said Vojtech Stribrsky, Glogster’s head of sales and marketing. “You kind of remind me that we should revise” the privacy policy.

“That’s a ‘just trust me,’ ” said Khaliah Barnes, director of the student privacy project at the Electronic Privacy Information Center. “Like they have a bridge to sell you in Brooklyn.”

The growing education technology sector is selling the promise of improved student achievement through websites, apps and tools that analyze each child’s strengths and weaknesses. In doing so, though, ed tech companies are lapping up unprecedented amounts of information about students, while laws provide little protection and privacy policies vary wildly.

Some companies reveal what they learn about students and who sees that information. But a Post-Gazette study of 143 ed tech providers that serve Pennsylvania schools found that most don’t say how long they keep student data or whether it can change hands in a merger or bankruptcy, and the vast majority say nothing about how they’d handle a data breach.

“Parents are very nervous, and rightfully so, when third parties are empowered to build dossiers on their children,” said Joel Reidenberg, a Fordham Law School professor who wrote a 2013 study on data privacy in public schools. “Unless they have a means of learning what data is being collected, they have no way to independently assess the risks to their children, and whether this is a good product or a bad product.”

To India and back

Debbie Schwartzberg Levy, a parent of two Upper St. Clair students who consults for ed tech companies, said she trusts the judgment of most of the tech-savvy teachers she’s encountered. But she added that one son was instructed by a teacher to sign up for a website only to find that “his whole school email box was full of emails” from the company from then on.

“How do we know that these are legit apps, legit websites?” she asked.

That question is bedeviling parents, teachers and school administrators nationally, because the flow of student data collected by some ed tech products is loosely regulated and convoluted.

In a rare glimpse into the student data currents, Virginia-based cyber education firm K12 Inc. sued Socratic Learning Inc., of Texas, in 2009, saying the latter had shipped student data to India, only to see it leaked to an Arizona blogger.

The lawsuit was settled. Since then, “K12 has reviewed its procedures for providing access to student information and has restricted access to a limited number of persons having a valid need for the information,” wrote K12 spokesman Frank Giancamilli, in an email response to questions.

K12 provides online courses to around 125,000 students, according to its website. The company powers 22 cyber schools in Pennsylvania alone, including some that it runs for conventional school districts.

In its policies, K12 says it “may collect information regarding you and your children … [to] include: first and last name; billing address; the names and ages of your children; the services you request; registration and enrollment information about your children; and an e-mail address.”

K12 “may share your information with companies that are not affiliated with K12 but who are interested in sending you information about their products and services.“ You can tell K12 not to share your student’s information, but almost no one does that. Mr. Giancamilli wrote that in the past year, the number of the company’s registered students who opted out of having their information shared with other companies for marketing purposes was 12.

“What that really means is that maybe 20 people saw the [do-not-share] option, 14 people understood it and 12 people chose it,” surmised Bill Fitzgerald, who directs the privacy initiative at Common Sense Media, a nonprofit advocate for children, families and schools. He said that on most websites, opting out is done through “a checkbox which you often need to uncheck to opt out, buried at the bottom of a long page that most people never get to.”

Secret sharers

Most ed tech companies publicly reveal something about the data they collect, and who gets to see it. But the majority say little or nothing about data breaches, data deletion, or the fate of student information in the event of a merger or bankruptcy.

Of 143 ed tech vendors serving 31 Pennsylvania school systems included in a Post-Gazette analysis, just 10 pledged to notify districts if their students’ data was stolen. Another four indicated they “may” do that.

Fewer than half said anything about ever deleting the student data they collect — a key means of reducing the scope of any data theft.

“If you’re sitting on a data trove for years, it increases security risks, because it can be hacked or lost” or even sold, said Mr. Reidenberg. “The default [policy],” he said, “should be destruction.”

Fewer than half of the vendors addressed the likelihood that data could be passed to another company, with different privacy rules, in one of the many ed tech mergers or in bankruptcy.

Some companies, like Glogster, gave themselves license to do virtually anything with student data. Fox Chapel School District stopped using Glogster in part because of privacy concerns, even though students there were told to input only their names, according to Donna Beley, executive assistant to the assistant superintendent.

Other firms put no publicly available constraints on their use of student data, but still got district contracts

Should parents worry more about vendors that openly share student data, or those, like Access411 and Virginia-based Big Universe Inc., that keep their practices close to the vest?

“I would be equally worried,” said Mr. Reidenberg. “There’s no reason to assume it’s all innocuous.”

Data is power

Some companies claim that to guide schools, teachers and students, they need a lot of data.

Iowa-based nonprofit testing company ACT Inc., used locally by the Seneca Valley School District, can ask for a student’s “name, home address, email address, telephone number, Social Security number (optional), date of birth, gender, race, ethnicity, citizenship status, year of high school graduation or equivalent, religious affiliation, whether you are right- or left-handed … college plans, extracurricular plans … photograph, disability, and biometric data,” according to its privacy policy.

An ACT spokesman, who refused to talk but responded to questions via email, wrote that “much of that information is optional,” and the questions are designed “to help students with their future plans and to help colleges identify individuals for recruitment and scholarships.”

If someone wants ACT to delete their profile, it “will seek to meet” that request, he wrote.

“It is disconcerting when you see that laundry list of data points,” said Mr. Fitzgerald. Companies shouldn’t use their privacy policies just to reserve their rights to collect information they don’t need, he said. “If you don’t collect it, don’t list it.”

Click to explore excerpts from the data policies of 31 large Pennsylvania school systems and their vendors

Social studies

Ed tech and social media are beginning to converge, with potential implications for students’ future, as colleges, prospective employers and marketers increasingly judge people based on their data dossiers.

The San Francisco company NoRedInk Corp., which claims to help students with grammar and writing, indicates in its privacy policy that it “may collect” students’ login credentials for their Google accounts, adding that, “if you authorize us to connect with your Google account, we may access the information on your Google account that you give us permission to access.”

The firm, whose products have been used by the Norwin School District, will also share student information with Facebook and Twitter, “with your permission,” according to its policy.

NoRedInk did not respond to a request for an interview.

When an app allows a user to sign in through Google, Facebook or Twitter, it “will grab your identification information, but it will also often go a step further and grab your friends list, and then will often go a step further and grab their friends lists,” said Mr. Fitzgerald.

Insecure connections

Companies that sell communications or security products to school districts are expanding into areas that let them track kids’ offline movements.

York-based Access411 provides the Pittsburgh Public Schools with student ID cards they use to scan in every morning. Scott Gutowski, chief of information and technology for the district, said that the company doesn’t get any personal information about Pittsburgh students.

On its website, Access411 bills itself as “the one-stop shop for school safety products and services” including radio frequency ID cards, “weapons detection, biometrics,” and tracking of attendance, visitors, meals and discipline.

There was no privacy policy accessible on the company’s website or in documents provided by the district. Tia Gilbert, customer care manager at Access411, said the company has “a generic policy” but “each district has different policies about how the data is handled.” She did not respond to requests for an outline of the firm’s data practices.

Any company that doesn’t post a clear privacy policy “has no business being used in an educational setting,” said Mr. Fitzgerald. “A student or a parent should have the right to review how that information is handled.”

An earlier version of this story reported that Vantage Learning did not respond substantively to calls and emails. The Post-Gazette subsequently received the privacy policy and the article has been updated to reflect that.

Coming Monday: Most school districts lack basic ed tech data privacy practices. Also: Outside of California, state and federal laws do little to safeguard student data.

Rich Lord: rlord@post-gazette.com or 412-263-1542. Twitter @richelord. Megan Henney, a former Post-Gazette summer intern, is a senior at Penn State University.

geo_states_pennsylvania289px-Seal_of_Pennsylvania.svg***

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s