​What Data Is Your Child’s School-Issued Google Drive Account Collecting?

Springfield Public Schools, the school district for the third largest city in Missouri, are at the center of a frightening breach of data privacy.  Any student or staff member with a district-issued Google Drive account could have personal data compromised.

Cheri Kiesecker at Missouri Education Watchdog reported earlier this month:

What is reportedly happening with Springfield Missouri Public School’s use of Google Drive offers a rare glimpse into Google’s potential to collect data.  School-issued student Google accounts connect to Google Drive which can allow for the ability to Auto-Sync devices to Auto-Save passwords, browsing history and other digital data points from numerous devices used by a single user. For students in SPS this could include digital data from non-school related accounts. 

Fox 5 KRBK originally broke the story reported on what one family, the Elys, found:

Springfield residents Norman and Diane Ely went before the school board earlier this year and asked that the district check into safety concerns regarding private information that was being stored on SPS’s Google Drive. They claimed that since that meeting, nothing has changed.
Tuesday, the Ely’s addressed the board again with more alarming discoveries.

The Elys claim that the SPS Google Drive, given to all SPS employees and students, automatically begins to store information from any device the drive is accessed on. This includes browser history, but also personal information such as files and passwords. They add that even if you log out of the drive, it stays running and recording in the background.
After bringing their concerns forward this past May, they say that despite the evidence presented, no serious action has been taken on behalf of the district.

“They have a lot of evidence and have had it since December, and we have not heard one word from any of them, said Dianne Ely.

With more searching, the Elys have now found even more sensitive information that’s been stored to their daughter’s Google Drive, including 139 passwords to both her and her husband’s different accounts and also voice recordings of both her and her children. 

“My voice to text was being stored as well as any search my kids did, and I could say ‘sure my daughter was searching on Google,’ but my phone uses Safari. When I used my texting app on my iPhone, it recorded my voice, as well as typing out the words and saving it on my Google Drive,” said Brette Hay, the Ely’s daughter and a teacher at Pershing Middle School.

Cheri raised a pertinent question: “Why is Auto-Syncing of devices and Auto-Saving of passwords allowed on any school-issued Google account?”

It shouldn’t be allowed. Cheri notes this breach represents potential problems of several federal laws including Protection of Pupil Rights Amendment, Family Educational Rights and Privacy Act, and Children’s Online Privacy Protection Rule. Read Cheri’s piece as she addresses different questions related to each law.

There’s more to this story at PogoWasRight.org, a privacy news website,  they reported what is even scarier than the data collection, but the accessibility of that data.

To their horror, Henderson and Hay (school district employees) could see what they estimate as the school and personal account credentials of more than 25,000 students and employees in the district. The credentials could be viewed in plaintext and made accessible to anyone with a SPS google account.

So this information was being collected without their consent, but it was accessible by others with district-issued Google Drive accounts and one employee was dealing with identity theft as a result.

The data collection wasn’t limited to school-owned devices, but parents’ personal and work devices as well if they logged into their student’s Google Drive account.

Parents if your student has a school-issued Google Drive account you need to start asking questions. Here are three pertinent ones to ask:

• Can the school district disable Google Auto-Sync and Auto-Save? 
• Did the school district inform parents and students about the types of data collected by Google Drive?
• Who in the school district, as well as, Google can access that information?

I would also encourage parents and students to only log into a district-issued Google Drive account on a school-owned device and only allow your student to do schoolwork on it. At least maintain this practice until your school district can explain to you exactly what data is being collected, who has access to it, and how they are protecting it.

FEPA Passes U.S. House By Voice Vote

Photo credit: UpstateNYer (CC-By-SA 3.0)

The Foundations of Evidence-Based Policymaking Act (FEPA) (H.R. 4174) passed the U.S. House of Representatives by a voice vote on Wednesday afternoon after House rules were suspended in order to pass the bill. The bill was sponsored by Speaker Paul Ryan (R-WI).

This is typically done when a bill is considered “non-controversial.”

That isn’t the case with this bill. Two-thirds of the members present must vote in favor. The debate is limited to 40 minutes, and no amendments can be added.

Since it was a voice vote there was no roll call and we don’t know how each Representative voted.

No one spoke in opposition to the bill. You can listen to the “debate” below, as audio was captured by Cheri Kiesecker:

There is a companion bill in the Senate (S. 2046) sponsored by U.S. Senator Patty Murray (D-WA).

Emmett McGroarty, a senior fellow with American Principles Project, made the following statement before the bill’s passage in the House.

Pressured by powerful lobbyists in Washington, Congress is about to take the first steps toward allowing massive data-mining by ‘researchers’ in the name of ‘transparency’ and ‘evidence.’ This will inevitably result in intrusive dossiers on citizens that will vastly expand the power of the already unaccountable administrative state. Citizens have the right to know that the personal data they turn over to the federal government stays with the agency to which it was submitted, and is not shared with other agencies for other purposes. Trampling on individual rights in this manner is bad enough; doing so without even fair hearing and debate is simply unconscionable. Congress must defeat this bill and protect individual freedom. If Congress refuses to do so, President Trump should veto this bill.

See and share this one-pager on the bill about why student privacy advocates have grave concerns about this bill and don’t find it “non-controversial” in the least.

Colorado Legislature on the Verge of Passing Student Data Privacy Law

Photo credit: Hustvedt (CC-By-SA 3.0)

The Colorado Legislature has considered a student privacy bill this session that would inform parents about what data is collected by schools and provide greater transparency to the process. The bill, HB 16-1423, is sponsored by State Representatives Paul Lundeen (R-El Paso) and Alec Garnett (D-Denver) in the Colorado House of Representatives, and by State Senator Owen Hill (R-El Paso) in the Colorado Senate.

The Colorado House passed the bill last month, the Colorado Senate on Tuesday passed an amended version of the bill. It will go back to the Colorado House and then to the Governor’s desk if the House approves the Senate amended version.

Cheri Kiesecker, a Colorado activist who works extensively on the student privacy issue, shared by email what this bill accomplishes:

• Bans selling personal student information and advertising targeted to individual students.
• expands the protection of and definition of what is pii (personally identifiable information)
• makes contractors and those maintaining student data irreversibly destroy the data when they are finished with it
• Posts the bad actors–if a vendor is found to be substantially misusing student data or in breach of a contract, the education provider will publicly post the name of said vendor and will investigate terminating contract, further use of vendor
• Contractor responsibility for subcontractors’ actions.
• Adoption of privacy policies by school boards.
• Posting of information about contracts on district websites. The bill was amended to require the state and districts to post the contract texts online.
• Districts also must post and explain the type and data points (elements) of personally identifiable information collected.
• Specific requirements for data security and for removal after contracts end. An amendment added Monday says such data can’t be retrievable.
• Guaranteed parent access to information about the data collected on their children and the right to have it corrected.

Kiesecker said the bill does not limit what data is collected, but it provides a step for parents to learn what data is being collected from their student.