A New Student Privacy Policy Office to Be Created for U.S. Department of Education

Politico reported yesterday that one of the upcoming changes at the U.S. Department of Education will be the rcreation of a new Student Privacy Policy Office.

Caitlin Emma writes:

— Other changes that haven’t been reported include the creation of a new Student Privacy Policy Office, which would be housed under the department’s Office of Planning Evaluation and Policy Development. The new approach would essentially break up the current Office of the Chief Privacy Officer, which has been housed under the Office of Management. The Education Department’s former chief privacy officer, Kathleen Styles, was reassigned earlier this year. 

— The new Student Privacy Policy Office would be created by combining and moving two offices out of the Office of the Chief Privacy Officer — the Student Privacy Policy and Assistance Division and the Family Policy Compliance Division. A new rulemaking effort would amend the Family Educational Rights and Privacy Act, the federal law that protects the privacy of student education records, so the Family Policy Compliance Office can administer the law.

— The Student Privacy Policy Office would be charged with providing student privacy assistance to states and school districts, in addition to investigating FERPA complaints. The position of chief privacy officer will move over to the Office of the Chief Information Officer, which has historically dealt with information technology issues. The chief privacy officer would have jurisdiction over issues related to the Privacy Act, which regulates federal record-keeping, and other privacy safeguards.

FERPA desperately needs to be updated, but unless schools, states, and the Feds stop collecting student data, privacy will always be an issue.

Technocratic Corporatocracy Hijacks Public Schools for Profit

Photo Credit: Lexie Flickinger (CC-By-2.0)

Making People Transparent for Profit Through Nontransparent Algorithms

Imagine if everything about you was on a giant billboard and you could see who was buying information about you and making lists. That is exactly what is happening without your knowledge or consent each time you use the Internet. Everything a user does online is tracked and monetized — Google, Facebook, Twitter, Amazon, apps — they all collect your data. A provider of computer-run education programs has admitted that they share the data they gather with 18 “partners.” Invisible analytics, profiling, sharing or selling of data collected without consent or knowledge makes every Internet user vulnerable to manipulation and control, ending personal privacy and sovereignty. 

The process works like this: new data are collected covertly through apps; the collected data is transferred to data brokers who access the new data and combine it with existing data about an individual using nontransparent algorithms. The algorithms create a very detailed profile of individual users; vendors are sold access to the profiles and target individuals based on profile analyses. Google is by far the most used third party analytics tracker and makes 90% of its revenue tracking user searches. In attached bibliography includes multiple examples of how the tech industry not only sells data, but sells data collection programs and devices to measure behaviors and infer emotions and thoughts. 

The documentary, The Creepy Line, explains how tech giants use algorithms to shape behavior and shape thoughts. Google used algorithms to influence voter behavior in the 2016 presidential election In a recently leaked video of a Google company meeting conducted shortly after that election, one employee asked if Google is willing to “invest in grassroots, hyper-local efforts to bring tools and services and understanding of Google products and knowledge so that people can “make informed decisions that are best for themselves.” Google CEO Sundar Pichai responded that Google will ensure its “educational products” reach “segments of the population [they] are not [currently] fully reaching.” Apparently, Google will ensure that Google Chromebooks and the Google manipulated search engine will be standard “education” materials in American schools so that students can make Google informed decisions.

Tracking and “Educating” Children

Schools funded with tax dollars allow the tech industry to collect billions of student data points about every aspect of every student using school issued personal devices by mandating students complete assignments using online tools and apps for classwork and homework on these devices. The data are used to build comprehensive profiles on each student. Every state has a database and students’ personal data can be shared with researchers and companies. Google launched a public relations campaign, Be Internet Awesome, that includes a curriculum and online game for Chromebooks, to promote itself as a “good” company; but a critical analysis of Be Internet Awesome concluded,

. . ., the program’s conceptualization of Internet safety omits key considerations. Specifically, it does not acknowledge the role of companies in keeping data and personal information secure. Instead, its focus on user-centered strategies obscures the degree to which users are often powerless when it comes to controlling how their personal data is used. [It] generally presents Google as impartial and trustworthy, 
which is especially problematic given that the target audience is impressionable youth. 

Transporting human beings without their consent for exploitation is human trafficking. Transporting human beings’ private data without their knowledge or consent is human data trafficking. Transporting children’s private data by collecting it in compulsory schools without parent knowledge or consent to exploit them in the data market is nothing less than institutional child data trafficking.

Failure of Government

Existing federal laws are inadequate for protecting student data privacy. FERPA generally does not apply to online data collection and FERPA was changed by executive rule in 2011, removing parental consent for data collection. FERPA now allows companies (such as Google) to be declared a “school official,” giving them access to student data on par with professionals who have a “need to know” to provide appropriate services to students. HIPPA does not apply to student records. COPPA does not generally apply to schools, and COPPA is rarely enforced even when complaints have been filed, and we know thousands of Android apps are improperly tracking children. There is no federal law regulating companies’ use of online student data.

The FBI recently issued a warning about privacy and security risks of educational technology and the U.S. Department of Education issued guidance that schools should not force parents to consent to third party terms of service. Yet, parents are told they cannot attend the school if they don’t allow their child to have a fill in the blank edtech app or program (e.g., Naviance, or NWEA, or Google Gsuite account). EdTech people say education is the most datamineable industry by far and we know now that students’ social-emotional data is the new goldmine despite the pseudo-science propping up social-emotional learning. The West Virginia teachers strike in Spring 2018 was in part sparked because, among other reasons, teachers were being forced to download Go365, a wellness and rewards app which would track their steps and other health data. Teachers were required to upload a variety of personal health information into the app and saw the program as an invasion of personal privacy

Google’s money wields an enormous amount of influence on U.S. education policy. Under the Obama Administration Google’s lobbyists had essentially unrestricted visits to the White House . A shocking number of White House officials now work for Google or vice versa. The U.S. Department of Education was heavily populated with former employees of organizations associated with Bill Gates, also advocating for computer-administered education. We know tech firms including Google have recently been lobbying the White House for a new federal privacy law on their own terms; Google even provided their own framework for a favorable privacy bill that does not include opt-in consent. It is time for Congress and states to kick the fox out of the henhouse — reject corporatocracy and restore our Constitutional democracy.

Responsibility of Government

U.S. citizens are protected from the government’s invasion of privacy and from property theft. They must also be protected from corporations’ invasion of privacy and theft of their electronically created property. Sovereign citizens cannot be coerced into giving their data or penalized/denied public education services for not consenting to sharing their data. Given that the infrastructure has already been built, Congress must adopt strong privacy laws at least as stringent as the European Union’s global data standards established in its General Data Protection Regulation (GDPR). The FTC should be given rule-making authority and resources to investigate and directly prosecute violations; but by no means should Congress abdicate its responsibility to protect the general welfare of the Americans and allow Silicon Valley to dictate to Congress or the FTC.

Report Reveals a Lack of Transparency In Marketplace of Student Data

Photo credit: Nick Youngson (CC BY-SA 3.0)

Fordham Law School’s Center on Law and Information Policy has released its findings from a multi-year study on the commercial marketplace for the sale and exchange of student information.

Transparency and the Marketplace for Student Data sought to gain an understanding of the commercial marketplace for student data and the interaction with privacy law. Over several years, Fordham CLIP reviewed publicly-available sources, made public records requests to educational institutions, and collected marketing materials received by high school students.

The study uncovered and documented an overall lack of transparency in the student information commercial marketplace and an absence of law to protect student information.

Key findings of the reporter include:

  • Parents and students are generally unable to determine how and why certain student lists were compiled or the basis for designation a student as associated with a particular attribute  like race, religion, and purported interests.
  • It is difficult to ascertain sources for student data: large school districts claim they do not sell directory information except to the military and other educational institutions.
  • Data brokers operating in the student information marketplace frequently change names, merge and have affiliated relationships, making it difficult to identify student data brokers.
  • Despite all of this, students lists are commercially available for purchase on the basis of ethenicity, affluence, religion, lifestyle, awkwardness and even a preceived or predicated need of family planning services.

The findings also revealed that a profitable ecosystem for commercial student data exists, but a lack of transparency and accessibility to information remains.

Based then on the research and the deficiencies in existing law and regulation of the commercial marketplace for student data, Fordham CLIP makes the following policy recommendations:

  • The commercial marketplace for student information should not be a black market. Parents, students, and the general public should be able to reasonably know (i) the identities of student data brokers, (ii) what lists and selects they are selling, and (iii) where the data for student lists and selects derives. A model like the Fair Credit Reporting Act (FCRA) should apply to compilation, sale, and use of student data once outside of schools and FERPA protections. If data brokers are selling information on students based on stereotypes, this should be transparent and subject to parental and public scrutiny.
  • Brokers of student data should be required to follow reasonable procedures to assure maximum possible accuracy of student data. Parents and emancipated students should be able to gain access to their student data and correct inaccuracies. Student data brokers should be obligated to notify purchasers and other downstream users when previously-transferred data is proven inaccurate and these data recipients should be required to correct the inaccuracy.
  • Parents and emancipated students should be able to opt out of uses of student data for commercial purposes unrelated to education or military recruitment.
  • When surveys are administered to students through schools, data practices should be transparent, students and families should be informed as to any commercial purposes of surveys before they are administered, and there should be compliance with other obligations under the Protection of Pupil Rights Amendment (PPRA).

N. Cameron Russell, Executive Director of Fordham Law School’s CLIP, and one of the co-authors of the study, said that Vermont’s recent passage of H.764 – the United States’ first legislation regulating commercial data brokers – is responsive to, and in part inspired by, problems identified in the Fordham CLIP study.

“I recently had the opportunity to testify before the Vermont House Committee on Commerce and Economic Development on the need for closer regulation and oversight of commercial data brokers, and the passage of H.764 requiring data brokers to register with the state as well as include specific information disclosures for brokers of student information underscores the need for an overhaul of the commercial student information marketplace, particularly increased transparency,” said Russell.

Joel Reidenberg, Professor of Law and Founding Academic Director of Fordham Law’s CLIP, says the passage of H.764 in Vermont is likely to have a national impact.

“The Vermont law is likely to become a national model and have a nationwide effect. Data brokers harvest personal information on a national scale and the Vermont registry requirement will result in increased national transparency for the identities and practices of these brokers,” said Reidenberg.

The full report is available below:

Coalition Calls on Congress to Rewrite FERPA

Photo credit: Rob Crawley (CC-By-2.0)

On Tuesday, American Principles Project and individuals from more than 100 organizations including Education Liberty Watch and Eagle Forum called on Congress to rewrite the Family Educational Rights and Privacy Act (FERPA). In a letter to the House Education and Workforce Committee, they implored Congress to recognize that citizens have a property interest in their personal data and that Congress should protect that interest.

“Personal data collection without consent is an affront to freedom,” said Emmett McGroarty, senior fellow at American Principles Project and co-author of the new book, Deconstructing the Administrative State: The Fight for Liberty. “The federal government has no right or authority to vacuum up mountains of personal data on its citizens without their consent, with only the vague intent to “help” them or others make decisions. This is especially true for children.”

The APP-led coaltion submitted five recommendations for the FERPA rewrite:

  1. Do whatever is possible to decrease the amount of data collected on students, especially social-emotional learning (SEL) data. Collection of such data should be eliminated or at the very least a) not collected without informed opt-in parental consent and b) be treated as medical data.

  2. Treat whatever mental health, social emotional, or behavioral data collected for special-education evaluations or any other related program, such as Positive Behavioral Intervention and Supports (PBIS) or Multi-Tiered Systems of Support (MTSS), as medical data that cannot be housed in longitudinal databases.

  3. Use aggregate rather than individual data to the greatest extent possible.

  4. Obtain parental consent if data collected for one purpose is to be repurposed or shared with another federal agency.

  5. Eliminate the current language in FERPA allowing predictive testing.

Read the letter below:

Disclosure: Our editor, Shane Vander Hart, is a signatory of this letter.

President Trump Calls for a Review of FERPA

Photo credit: Nick Youngson (CC BY-SA 3.0)

On Monday, the White House announced that President Donald Trump’s school security plan also includes a review of the Family Educational Rights and Privacy Act (FERPA).

It falls under his mental health reform proposal part of the plan. He is “proposing an expansion and reform of mental health programs, including those that help identify and treat individuals who may be a threat to themselves or others.”

The plan includes “increased integration of mental health, primary care, and family services, as well as support for programs that utilize court-ordered treatment.”

Along with FERPA he is calling for a review of the Health Insurance Portability and Accountability Act (HIPAA), and other statutory and regulatory privacy protections.

The White House said, “Reviews will determine if any changes or clarifications are needed to improve coordination between mental health and other healthcare professionals, school officials, and law enforcement personnel.”

There are obvious privacy concerns. FERPA needs to be strengthened and the White House’s goal is the opposite of that.

Currently, according to the U.S. Department of Education,  FERPA allows schools to disclose a student’s education records, without parental consent, to the following parties or under the following conditions (34 CFR § 99.31):

  • School officials with legitimate educational interest;
  • Other schools to which a student is transferring;
  • Specified officials for audit or evaluation purposes;
  • Appropriate parties in connection with financial aid to a student;
  • Organizations conducting certain studies for or on behalf of the school;
  • Accrediting organizations;
  • To comply with a judicial order or lawfully issued subpoena;
  • Appropriate officials in cases of health and safety emergencies; and
  • State and local authorities, within a juvenile justice system, pursuant to specific State law.

They are also allowed to share “directory” information such as: a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance without parental consent.

Under FERPA, schools must tell parents and eligible students about that directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them.

A Belated Win for Student Privacy

Photo credit: Nick Youngson (CC BY-SA 3.0)

The U.S. Department of Education recently found that the Agora Cyber Charter School in Pennsylvania did violate the Family Educational Rights and Privacy Act (FERPA). Rules established during the Obama administration weakened FERPA, and there has been concern about how outdated it has become considering the rise of educational tech. So it’s remarkable anyone would be found in violation.

Unfortunately, the original complaint was filed on December 16, 2012, and it took the Department of Education almost five years to respond.

EdSurge reports:

Last November, after reviewing responses from Agora, the Department found that the cyber charter did violate FERPA. To use services from Agora, which contracted with third-party service providers such as K12 Inc., Blackboard, and Sapphire, parents were required to agree to policies set forth by those providers. K12’s Terms of Use policy required students to enter identifiable data and granted the company and its affiliates “the right to use, reproduce, display, perform, adapt, modify, distribute, have distributed, and promote [information put into the platform] in any form, anywhere and for any purpose.”

The Department ruled that requiring students to use third-party services that share student data with unauthorized parties as a condition of enrollment is a violation of FERPA. In its letter, federal education officials wrote that “a parent or eligible student cannot be required to waive the rights and protections accorded under FERPA as a condition of acceptance into an educational institution or receipt of educational training or services.“

Perhaps this is a sign that the Education Department under the Trump Administration will be responsive to parents’ student data privacy concerns. This ruling is a good first step. Let’s hope they significantly reduce the response time.

Protecting Student Privacy By Promoting Student Data Collection?

Photo credit: Nick Youngson (CC BY-SA 3.0)

Gates-funded Data Quality Campaign is going to Congress to weigh in on the Student Privacy Protection Act (H.R. 3157 – 114th Congress) that will be reintroduced this session of Congress.

What could possibly go wrong?

Morgan Polikoff, who they are helping send to DC, is an Associate Professor of K-12 Policy at the Rossier School of Education at the University of Southern California. In a blog post, he made the following suggestions to “strengthen” the bill.

  • Enable states and districts to procure the research they need. The Every Student Succeeds Act’s evidence tiers provide new opportunities for states and districts to use data to better understand their students’ needs and improve teaching and learning. FERPA must continue to permit the research and research-practice partnerships that states and districts rely on to generate and act on this evidence. Section 5(c)(6)(C), should be amended to read “the purpose of the study is limited to improving student outcomes.” Without this change, states and districts would be severely limited in the research they can conduct.
  • Invest in state and local research and privacy capacity. States and districts need help to build their educators’ capacities to protect student privacy, including partnering effectively with researchers and other allies with legitimate educational reasons for handling student data. In many instances, new laws and regulations are not required to enhance privacy. Instead, education entities need help with complying with existing privacy laws, which are often complex. FERPA should provide privacy protection focused technical assistance, including through the invaluable Privacy and Technical Assistance Center, to improve stakeholders’ understanding of the law’s requirements and related privacy best practices.
  • Support community data and research efforts. In order to understand whether and how programs beyond school are successful, schools and community-based organizations like tutoring and afterschool programs need to securely share information about the students they serve. Harnessing education data’s power to improve student outcomes, as envisioned by the Every Student Succeeds Act, will require improvements to FERPA that permit schools and their community partners to better collaborate, including sharing data for legitimate educational purposes including conducting joint research.
  • Support evidence-use across the education and workforce pipeline. We recommend adding workforce programs to Section 5(c)(5)(A)(ii) and to the studies exception in Section 5(c)(6)(C), . Just as leaders need to evaluate the efficacy of education programs based on workforce data, the country also needs to better understand the efficacy of workforce programs. FERPA should recognize the inherent connectivity between these areas to better meet student and worker needs.

Strengthen the bill for who? Not parents, certainly not students. The only groups that stand to gain are those who promote Big Data. What a nightmare if they are successful.

Belittling Parents and Ignoring Evidence Won’t Work

The Collaborative for Student Success (CSS) recently posted a particularly snarky piece blasting the moms who have been fighting back against the miseducation to which their children are being subjected under Common Core (CC). CSS is a propaganda outfit created by Common Core proponents such as the Bill & Melinda Gates Foundation and ExxonMobil to push the national standards. The anti-mom piece (along with a new article repeating the false talking point that the new fed-ed law, the Every Student Succeeds Act (ESSA), does away with CC) sheds no new light on the debate. In fact, it could have been written five years ago, as it ignores mountains of information that refutes its claims – but it does suggest that the moms’ success on social media is getting under the centralizers’ collective skin.

The CSS article contains so many flat-out deceptions that the most efficient way to address them is in bullet-point form. Here goes:

  • CSS repeats the discredited claim that Patriot Journalist Network (PJNET) is a “bot” that manufactures anti-Common Core tweets. Nope. Every tweet issued via PJNET comes from a human, not a bot. It must really annoy Mr. Gates that the moms are using technology to outsmart him and his well-paid troops.
  • CSS claims CC is merely a set of academic standards that some states have “chosen to adopt.” In fact, the U.S. Department of Education (USED) pushed the standards onto the states by tying their adoption to billions of dollars in federal Race to the Top money, during a time of deep recession when states were desperate for cash.
  • CSS denies CC is a “data mining scheme,” but CC is, in fact, a large part of exactly such a scheme. In their rush to qualify for Race to the Top grants, states had to agree not only to adopt the standards but also to build out invasive student-data systems. CC also ushers in “digital learning,” through which corporations and the government collect the millions of data points students emit merely by using a sophisticated interactive software. This data can be used to build personal algorithms that have the potential to map a child’s brain and even dictate his future. When the government first standardizes education through CC and then joins with corporate Big Data to tag and collect every data point from children throughout their K-12 careers, the scheme is much larger and much more nefarious than CSS’s anodyne description of just “English and math standards.”
  • CSS claims federal and state laws “ensure that only parents or a legal guardian can access their (sic) child’s academic records.” This one is a whopper. Even the Family Educational Rights and Privacy Act (FERPA) as traditionally interpreted wasn’t this protective, and since the Obama administration rewrote FERPA by regulation, the government may disclose personally identifiable student data to literally anyone in the world as long as it uses the right language to justify the disclosure. Parents need not even be informed this is happening. And parents have no idea that the interactive software promoted by CC is collecting billions of data points on their children’s performance and even on their personalities.
  • CSS describes CC as “higher standards.” Wrong again. Among many other critics, the top two standards-content experts in the country (Dr. Sandra Stotsky and Dr. James Milgram) refused to sign off on the standards because they were so deficient. The standards dumb down English language arts (ELA) by diminishing classic literature and replacing it with less-demanding nonfiction “informational text” that teachers aren’t trained to teach. They dumb down math by, among other things, 1) requiring failed “fuzzy math” pedagogies, 2) delaying the teaching of Algebra I until 9th grade, thus making it impossible for most students to reach calculus in high school, and 3) stopping with only a partial Algebra II course, thus admittedly preparing students only for a non-selective community college.
  • CSS claims “there’s not much President Trump can do about Common Core,” saying “nobody wants” him to issue a federal mandate that states ditch the standards. But “nobody” is saying he can or should do that. There are many actions his USED could take to relieve the federal pressure points that operate to lock states into CC. And because ESSA contains many of those pressure points, he can work to change or better yet repeal ESSA.
  • CSS claims that students with CC training are making “significant improvements” in ELA and math on state tests. This claim is misleading. In the first place, in many states, such as Kentucky, the state-test scores are mixed, with slight improvement in some areas but decline in others. And as former USED official Ze’ev Wurman points out, even the modest improvements on the CC-aligned state tests may be attributable to students’ and teachers’ becoming more familiar with these relatively new tests. Second, the reality is that Common Core incorporated many of the discredited, progressive fads that many states already had embedded in their standards.  Rather than adopting excellent, proven standards like those of Massachusetts, many states simply continued down the path of low-level standards by adopting Common Core.
  • It’s obvious why CSS focuses on data from state tests rather than from the National Assessment of Educational Progress (NAEP), a test that hasn’t yet been corrupted by aligning it to CC training. Math scores on NAEP have actually declined for the first time in 25 years. In fact, of the 26 states and D.C. that CSS praises for improvement on the state tests, fully 17 showed declines on NAEP scores for 4th-grade math. Only one of the CSS-cited states showed improvement on NAEP in this category. And the NAEP scores get worse the longer students are exposed to CC training. By senior year of high school, students in 2015 (compared with 2013) scored lower in math, about the same in reading, and lower in college-preparedness in both subjects.

An honest observer would at least acknowledge this negative trend, if only to try to explain it away. Could it be that CSS isn’t an honest observer?

  • CSS scoffs at the correct statement that CC requires 50 percent of reading in elementary school, and 70 percent in high school, to consist of nonfiction “informational text.” CSS trumpets that the 70 percent figure refers to reading across all subject areas, rather than only in English class. It’s not clear what CSS is objecting to here, since the tweet CSS complains of is completely true. But CSS fails to note that CC requires at least 50 percent of reading in high-school English class to consist of nonfiction rather than classic literature. It’s beyond dispute that CC diminishes the study of the world’s finest literature and requires teachers to focus instead on newspaper articles, government regulations, etc.
  • CSS bemoans the “completely false narrative” that CC “pushes learning at the expense of fun and playing” in K-2. Our youngest students, CSS implies, will thrive under CC’s workforce-development training. Tell that to the more than 500 early-childhood-development professionals who published an extraordinary statement decrying the developmental inappropriateness of the standards. Could this developmental mismatch be because the identified drafters of CC included not one K-2 teacher or specialist in early-childhood development? And CSS’s claim would come as a surprise to kindergarten teachers across the country, who are forced to push academic drills on little ones who are still learning to tie their shoes. Gotta get the kiddies ready for their entry-level jobs.
  • Defending the indefensible, CSS lauds CC math for “encourag[ing] multiple approaches so that kids can how (sic) to find the answer, not just what the answer is using methods they don’t fully understand.” CSS claims “kids are definitely still learning math the way their parents did” but are privileged to learn other methods as well. World-renowned mathematicians Dr. James Milgrim and Dr. Marina Ratner disagree, pointing out that CC teaches the standard algorithms (the techniques that work first time, every time) at least two years later than they’re taught in the highest-achieving countries. Until then, children are forced to grapple with cumbersome “made up” math strategies that do nothing but confuse them and drive their parents to distraction. By the way, this is exactly the type of progressive math that was tried, and that failed miserably, in California during the 1990’s (after which Dr. Milgram was brought in to clean up the mess). To understand the scientific evidence about why this type of math “teaching” doesn’t work, read Daisy Christodoulou’s Seven Myths about Education.

CSS finds it appropriate to make fun of parents who want the best for their children’s education and who are struggling every day to wrest it from the talons of the Common Core centralizers – “experts” who just know this will all work if parents will only shut up and stop interfering. But belittling parents and ignoring the wealth of well-founded research that supports their arguments is a pretty poor method of persuasion. We’re not sure Mr. Gates is getting his money’s worth from CSS.

In the meantime, moms will keep using technology to outsmart the technocrats’ well-funded mouthpieces. Cosmic justice.

Report: School-Issued Devices Spying on Kids

Photo credit: Brad Flickinger (CC-By-2.0)

The Electronic Frontier Foundation released a report in April that is a must read for those who are concerned about student privacy. In a nutshell, they found these devices are spying on kids who use them, and their parents are blissfully unaware.

From the report‘s executive summary:

Student laptops and educational services are often available for a steeply reduced price, and are sometimes even free. However, they come with real costs and unresolved ethical questions thrroughout EFF’s investigation over the past two years, we have found that educational technology services often collect far more information on kids than is necessary and store this information indefinitely. This privacy-implicating information goes beyond personally identifying information (PII) like name and date of birth, and can include browsing history, search terms, location data, contact lists, and behavioral information. Some programs upload this student data to the cloud automatically and by default. All of this often happens without the awareness or consent of students and their families.

Here are some of the concerns they found after their two-year study of educational tech:

  • Lack of transparency. Schools issued devices to students without their parents’ knowledge and consent. Parents were kept in the dark about what apps their kids were required to use and what data was being collected.
  • Investigative burdens. With no notice or help from schools, the investigative burden fell on parents and even students to understand the privacy implications of the technology they were using.
  • Data concerns. Parents had extensive concerns about student data collection, retention, and sharing. We investigated the 152 ed-tech services that survey respondents reported were in use in classrooms in their community and found that their privacy policies were lacking in encryption, data retention, and data sharing policies.
  • Lack of choice. Parents who sought to opt their children out of devices or software use faced many hurdles, particularly those without the resources to provide their own alternatives.
  • Overreliance on “privacy by policy.” Schools generally relied on the privacy policies of ed tech companies to ensure student data protection. Parents and students, on the other hand, wanted concrete evidence that student data was protected in practice as well as in policy.
  • Need for digital privacy training and education. Both students and teachers voiced a desire for better training in privacy-conscious technology use.

They also note the weakness in the Family Educational Rights and Privacy Act (FERPA) in preventing school districts from disclosing student data from interested third parties.

…it has limitations: it only applies to certain types of student information and there are exceptions that can be exploited. e law is enforced by the U.S. Department of Education, which can cut o funding to noncompliant schools.

FERPA protects students’ “education records” including personally identifiable information. The law also protects information about students’ online activity when they are using school-issued devices, when that information is tied to personally identifiable information; according to the U.S. Department of Education, FERPA protects behavioral “metadata” unless it has been “stripped of all direct and indirect identifiers.

FERPA generally prohibits school districts from sharing student information with third parties without written parental consent. Sometimes school districts use a loophole in the law to get around the parental consent requirement by characterizing ed tech companies as “school officials.”

This report is disturbing, and that is an understatement.

Alabama Workforce-Data Bills Threaten Student, Family Privacy

Photo credit: Jim Bowen (CC-By-2.0)

What with manipulation of currency and theft of jobs, China is held in fairly low repute, especially down South. But some Alabama legislators seem enamored of at least one part of the Chinese system – the one that compiles enormous amounts of data on citizens, beginning when they’re toddlers and continuing through their careers, and swaps this data back and forth among various government agencies for government purposes. One might expect this kind of dangerous nonsense from, say, California, but . . . Alabama?

Parents and citizens are alarmed at two companion bills (SB 153 and HB  97) currently moving through the legislature to create a massive centralized warehouse of education and workforce data. This system would be called ANSWERS, or the Alabama Network of Statewide Workforce and Education-Related Statistics, which would be administered by a new Department of Labor bureaucracy called the Office of Education and Workforce Statistics (the “Office”).

The reach of ANSWERS would be sweeping. Operated by the Office, the system would combine education data (beginning in pre-K) and workforce data to provide information on the effectiveness of educational and workforce-training programs, and to assess “the availability of a skilled workforce to address current and future demands of business and industry.” (The bills don’t explain how the government can predict the “future demands of business and industry”; the Soviet Union tried it, but without much success.) The data could then be analyzed for whatever purposes the bureaucrats come up with, and used for “research” which, if history is any guide, will be ignored if it doesn’t support what the bureaucrats want to do.

How would this work? An Advisory Board would be established to identify the types of data that certain listed governmental entities would have to dump into the centralized warehouse. The statutory (and non-exclusive) list of such data sources includes all education agencies in the state, from pre-school through four-year universities – plus the Departments of Labor, Commerce, and Veterans’ Affairs. So these billions of data points on practically all Alabama citizens would be centralized into one repository to be sifted and shifted by central planners.

But surely the Advisory Board will be constructed so as to protect the interests of children and their parents. Not exactly. Of the 24 members, 22 must be either politicians, bureaucrats, or representatives of specific entities such as higher-education systems. One must represent private industry and know something about data-security (the bills’ only nod to security concerns), and the last shall be a lonely “representative of the public” (not necessarily a parent). The fix, ladies and gentlemen, is in.

The privacy concerns with ANSWERS are staggering. For one thing, although certain proponents have suggested the data would all be de-identified, the bills clearly contemplate the presence of personally identifiable data (by requiring “security clearance . . . for individuals with access to personally identifiable data”). Indeed, the bills specify that the Office would be considered an “authorized representative” under the Family Educational Rights and Privacy Act (FERPA), and the only point of such a designation is to be entitled to receive students’ personally identifiable without parental consent or even notification.

Even if all data were to be de-identified, data can be frequently re-identified – especially when there are hundreds of data points on each individual to enable data-matching. And the bills even specify that the Office is to “link educational, workforce, and workforce training data from multiple sources through quality matching.” In such a vast repository, anonymization will be difficult if not impossible.

No more comforting is the bills’ requirement that the system comply with FERPA and other unspecified privacy laws. Five years ago the Obama administration gutted FERPA by regulation, thus enabling almost unlimited disclosure of personally identifiable student data as long as certain terms are used to justify the disclosure. Do the bills’ sponsors not know this? If not, what are they doing writing legislation that relies on FERPA “protections”?

The bills require no particular system of data-security, leaving that up to the Office. But the Office will have an unenviable task, given that this wealth of extremely sensitive information (including student education data, Social Security numbers from the Labor Department, family income information from student-loan programs, and on and on) will be conveniently assembled into one neat package and therefore made enormously attractive to hackers. One might as well assemble all the crown jewels of Europe into one room and hope jewel thieves don’t notice.

If enacted, ANSWERS would be among the most intrusive longitudinal data systems in the country – only 16 states and D.C. have such an Orwellian system. But most Alabama parents understand that the government has no right to collect highly personal data on their children, or on adults for that matter, and give it to other agencies to track their journey through the workforce and through life. It is none of the government’s business. One would have expected Alabama officials to understand this as well.

An equally fundamental, and troubling, aspect of this contemplated data repository is its adoption of the statist “socialization,” workforce-development philosophy of education. Traditional education in America has been designed to develop each individual to the full extent of his talents, to expose him to the best of human thought; statist education is designed to train him to be a cog in the economic machine. Only if the State adopts the latter philosophy does it need a data repository to track citizens and see how the training is working out.

Fortunately, Alabama State Superintendent Michael Sentance has a strong history in a true educational system rather than a workforce-training system. His experience as Secretary of Education in Massachusetts back when that state educated children better than any other state in the nation should prepare him to recognize the dangers of the ANSWERS network.

In public statements so far, Sentance has focused on the critical problems with data security. The parents of Alabama students are counting on him to go further – to reel in the dangerous inclination of the all-powerful State to collect data on free-born citizens and use it to analyze them as though rats in a laboratory. If Sentance comes out against ANSWERS, that ill-advised scheme will probably go down. Alabama is not China. Supt. Sentance can ensure that it doesn’t become so.