The passage of New Hampshire’s SB 267 will threaten your chid’s personal privacy rights.
New Hampshire students have a unique pupil identifier assigned to them to protect their personal indentity. Their UPI is used when they take the State Standardized Assessment. This prevents testing companies from using or sharing their personal information. The protections that have been put in place to protect children are now at risk of being removed for convenience purposes.
New Hampshire students will be taking the State Standardized Assessments this spring. Many parents have refused the standardized tests for their children, but now there may be even a better reason to refuse these tests.
SB 267 would give testing vendors the student’s name, date of birth, student ID, and the ability to “analyze” the data. If that isn’t bad enough, SB 267 gives exemptions for data sharing and, removes the requirement for the testing vendor to destroy data when it’s no longer needed. SB 267 also leaves out parental consent or recourse. Not only does this violate a child’s 4th Amendment rights, but their civil rights of privacy and personal freedom. Nothing in SB 267 includes language protecting the diagnostic portions of assessment and the data thereof.
As of right now, all states, as well as all the laws connected to and including Every Student Succeeds Act (ESSA), function on the GUTTED version of Family Educational Rights and Privacy Act (FERPA). The Foundations for Evidence-Based Policymaking Act FEPA is also a massive data collection system coming out of the federal level. SB 267 takes NONE of this into consideration from the language, as written.
There has been bi-partisan support in New Hampshire for privacy protections. This was illustrated recently by the decisive passage of the privacy amendment to the New Hampshire Constitution. Even before that constitutional amendment was passed, our state had established such a reputation that the Parent Coalition for Student Privacy ranked New Hampshire as one of the best states in the country in terms of protecting the privacy of students. Unfortunately, SB 267 would take us in the wrong direction.
When Massachusetts administered the MCAS several years ago, all test questions were made public after the assessment was completed. This gave everyone the opportunity to make sure the questions asked were of the quality they expected. Professors at area colleges could look through the questions and make sure they were free from bias and errors. This information is not available to the public using the current standardized assessments in New Hampshire. A lack of transparency on test questions alone should have legislators thinking twice about providing the testing company with our students’ personal information.
11th grade students are required to take the SAT as the standardized assessment. But as you can see from this article from studentprivacymatters.org, they claim that the College Board, “did not deny that they sell students’ personal data – or in their words, “license” the data for a fee to institutions, for-profit corporations and the military.” In addition to selling the data, “….you can see that this script for proctors is written in the most ambiguous way possible, with voluntary questions mixed in with required ones, and no clear indication which is which or that much of this personal data will be shared with third parties for a fee.” That data includes their social security number, which is considered highly sensitive.
They go on to say, “How the College Board gets away with this, year after year, is really a scandal — especially since all the new state laws have been passed banning the selling of student data. Perhaps they are relying on the distinction without a difference of “licensing” the data vs selling it.”
Dr. Peg Luksik has referenced to standardized assessments used in the past, the Educational Quality Assessment (EQA), and how the internal documents said, “we are testing and scoring for the child’s threshold for behavior change without protest.” When past standardized assessments have included questions that do not test academic knowledge, but instead attempt to change the students’ values, attitudes and beliefs, some parents will be concerned about any attempts to provide the testing company with their personal information.
Since these new assessments are adaptive, meaning students will be answering different questions based upon the answers they provide, Dr. Luksik warns about the ability to manipulate the outcome. By allowing testing companies to access our children’s personal information SB267 will cement into law their ability to gain access to their personal information without parental knowledge or consent.
Dr. Luksik explains in this short video why that is dangerous to our children:
The Parent Coalition for Student Privacy released a comprehensive report card on each state’s privacy laws. It is an amazing tool for parents, teachers, legislators, and privacy advocates. The full press release is posted below. You will want to be sure to use the downloadable comparison matrix and share the report cards with your schools and legislators.
Why Student Privacy is Important
Thanks to the federal student privacy law FERPA being weakened in 2011, student’s personal data can be shared outside of school walls, without parents knowledge or consent. The data can be shared and analyzed by government agencies, nonprofits, businesses, researchers, and edtech companies who can further share with third parties, (or even sell student data), or used for advertising to students. Online “Personalized Learning”, computer “edtech” programs that collect millions of points of data, and use hidden algorithms to profile children are not regulated by federal law and are exempted from state laws. Recently, the FBI issued a warning about the dangers of edtech data collection. With multiple data breaches, and cyber hacks into school databases, education performs dead last in terms of cyber security. Over the last few years, parents across the country have gone to schools, state and local boards, state legislators, and asked for transparency and more control of their children’s data. In every state, parents have received pushback, often from the BigTech lobbyists who send representatives to weaken bills and fight privacy legislation. Silicon Valley spends millions to lobby and shape “tech favorable” privacy policies at the federal level. Google led the multimillion-dollar tech industry lobbying blitz in 2018.
Besides the millions of data points collected by edtech, astonishing amounts of student data are stored in local and state databases, often called SLDS, or P20 databases. With the recent passage of Federal law HR4174, making data held in federal and state databases linkable, (shareable) and interoperable, it is more important than ever to minimize what student data, especially sensitive medical, mental health, disability data, goes into these databases. FERPA is a 45 year old law that needs updating. We need a strong data privacy law that ensures opt-in consent, provides enforceable penalties, data minimization, and private right of action to parents. This 2015 Answer Sheet article in the Washington Post, explains the issue and need for student privacy legislation:
“During a February 2015 congressional hearing on “How Emerging Technology Affects Student Privacy,” Rep. Glenn Grothman of Wisconsin asked the panel to “provide a summary of all the information collected by the time a student reaches graduate school.” Joel Reidenberg, director of the Center on Law & Information Policy at Fordham Law School, responded:
“Just think George Orwell, and take it to the nth degree. We’re in an environment of surveillance, essentially. It will be an extraordinarily rich data set of your life.”
Most student data is gathered at school via multiple routes; either through children’s online usage or information provided by parents, teachers or other school staff. A student’s education record generally includes demographic information, including race, ethnicity, and income level; discipline records, grades and test scores, disabilities and Individual Education Plans (IEPs), mental health and medical history, counseling records and much more. [Emphasis added]
Under the federal Family Educational Rights and Privacy Act (FERPA), medical and counseling records that are included in your child’s education records are unprotected by HIPAA (the Health Insurance Portability and Accountability Act passed by Congress in 1996). Thus, very sensitive mental and physical health information can be shared outside of the school without parent consent.
… the federal government has mandated that every state collect personal student information in the form of longitudinal databases, called Student Longitudinal Data Systems or SLDS, in which the personal information for each child is compiled and tracked from birth or preschool onwards, including medical information, survey data, and ….
Every SLDS has a data dictionary filled with hundreds of common data elements, so that students can be tracked from birth or pre-school through college and beyond, and their data more easily shared with vendors, other governmental agencies, across states, and with organizations or individuals engaged in education-related “research” or evaluation — all without parental knowledge or consent.
Every SLDS uses the same code to define the data, aligned with the federal CEDS, or Common Education Data Standards, a collaborative effort run by the US Department of Education, “to develop voluntary, common data standards for a key set of education data elements to streamline the exchange, comparison, and understanding of data within and across P-20W institutions and sectors.”… You can check out the CEDS database yourself, including data points recently added, or enter the various terms like “disability,” “homeless” or “income” in the search bar.”
The US needs to do more to protect students from identity theft, invisible digital profiling, trafficking and selling of their personal data. Children should not be subjected to compulsory surveillance, forced to forego privacy, as a condition of attending public schools. Parents, not corporations, not the government, need to know what data is collected and should have the Right to NO when it comes to sharing or processing their children’s data.
New Report Card Grades Each State On How Well it Protects Student Privacy
In the first of its kind, the Parent Coalition for Student Privacy and the Network for Public Education have released a report card that grades all fifty states on how well their laws protect student privacy.
The State Student Privacy Report Card analyses 99 laws passed in 39 states plus DC between 2013 and 2018, and awards points in each of the following five categories, aligned with the core principles put forward by PCSP: Transparency; Parental and Student Rights; Limitations on Commercial Use of Data; Data Security Requirements; and Oversight, Enforcement, and Penalties for Violations.
Two more categories were added to the evaluation: Parties Covered and Regulated and Other, a catch-all for provisions that did not fit into any of the above categories, such as prohibiting school employees from receiving compensation for recommending the use of specific technology products and services in their schools.
No state earned an “A” overall, as no state sufficiently protects student privacy to the degree necessary in each of these areas. Colorado earned the highest average grade of “B.” Three states – New York, Tennessee and New Hampshire– received the second highest average grade of “B-“. Eleven states received the lowest grades of “F” because they have no laws protecting student privacy: Alabama, Alaska, Massachusetts, Minnesota, Mississippi, Montana, New Jersey, New Mexico, South Carolina, Vermont and Wisconsin.
The report tracks specific versions of state laws over time. For example, many of the state privacy laws enacted since 2013 were modeled after the California’s 2014 law known as the Student Online Personal Information Protection Act (SOPIPA). While California barred all school vendors from selling student data, eight states subsequently passed laws that allowed the College Board and the ACT to do so. Laws with specific loopholes to allow these companies to sell student data were enacted in Arizona, Colorado, District of Columbia, Nebraska, North Carolina, Texas, Utah and Virginia –presumably because of lobbying efforts.
The issue of data security is also critical. The primary federal student privacy law known as FERPA requires no specific protections against data breaches and hacking, nor does it require families be notified when inadvertent disclosures occur. In recent years, the number of data breaches from schools and vendors have skyrocketed, and some districts have even been targeted by hackers with attempted blackmail and extortion. A recent report rated the education industry last in terms of cybersecurity compared to all other major industries. As a result, this fall the FBI put out an advisory, warning of the risks represented by the rapid growth of education tech tools and their collection of sensitive student data, saying that this could “result in social engineering, bullying, tracking, identity theft, or other means for targeting children.”
“The inBloom debacle in 2013 exposed the longstanding culture of fast and loose student data sharing among government agencies, schools and companies,” said Rachael Stickland, co-chair of the Parent Coalition for Student Privacy, parent of two public school children in Colorado and the primary author of the report. “Consequently, parents across the nation began urging their state legislators to address the problem, resulting in a complex web of state privacy laws that are difficult to untangle and understand. Our hope is to bring attention to state laws that make a reasonable effort to protect student privacy and identify those that need improvement. Parents and advocacy groups can use our findings to advocate for even stronger measures to protect their children.”
NPE Executive Director Carol Burris noted, “This report card provides not only critical information regarding the existing laws, but also serves a blueprint for parents to use for lobbying for better protections for their children.”
As Leonie Haimson, co-chair of the Parent Coalition for Student Privacy, pointed out, “FERPA was passed over forty-five years ago and has been weakened by regulation over time to allow for the sharing of personal student data by schools and vendors without parent knowledge or consent. State legislators have stepped up to the plate to try to fill in some of its many gaps and to require more transparency, security protections, enforcement, and the ability of parents and students to control their own data. Yet none of these laws are robust enough in each of these areas. Congress must strengthen and update FERPA, but meanwhile, this report card can serve as a guide to parents and advocates as to which state laws should be strengthened and in which specific ways.”
An interactive map that shows the grades of each state, both overall and in each of the categories is posted here. The report is posted here; here is a technical appendix with a more detailed account of how each law was evaluated. There is also a downloadable matrix with links to all of the state laws, as well as specifying how many points were awarded in every category.
SecurityScorecard, a New York City-based IT security company, said that the education industry is the worst at cybersecurity compared to 17 major industries, EdScoopreports:
In its 2018 Education Cybersecurity Report, the company found that the education industry is not taking many of the necessary steps to protect students from cyber-vulnerabilities. According to the study, the main areas of cybersecurity weaknesses in education are application security, endpoint security, patching cadence, and network security.
Schools collect sensitive information on every one of their students. Digitizing student data makes it easier for educators to view student information, as well as malicious actors. From health data to academic and financial records, a breached student record can provide malicious actors with a stereoscopic view of a student’s life. According to the report, although hackers are becoming more adept at accessing student and school data, the education industry has failed to keep pace with data protection.
Sam Kassoumeh, chief operating officer and co-founder of SecurityScorecard, said university networks are especially vulnerable to cyberattacks. “There is a large surface area of exposure at a university. It’s thousands and thousands of devices distributed over a campus,” he said.
Students often use more than one device on campus and in-class — computers, phones, tablets or other “internet of things” devices — that while beneficial, Kassoumeh said, create “a heterogeneous environment, where all of the devices are not secured equally.”
This primarily focuses on higher education, but I doubt that K-12 schools do any better. I suspect they are worse.
This week I sent a public email to New Hampshire Governor Chris Sununu and New Hampshire Attorney General Gordon MacDonald urging MacDonald to investigate student data mining occurring in the state of New Hampshire:
Dear Governor Sununu,
I am contacting you on behalf of children in the state of New Hampshire about the data mining and the release of personally identifiable information which includes mental health social, emotional, and behavioral data. Our children are being universally diagnosed for mental health interventions in the classrooms of New Hampshire. These techniques are widespread in our state without giving parents informed written parental consent and any disclosure of harmful effects.
I have included in this letter an attachment with questions to the Commissioner of Education and the Attorney General concerning the legality of psychological and psychiatric assessments and treatment in violation of the Protection of Pupil Rights Amendment and SEC. 4001 in ESSA, for Parental Informed Written Consent. Mental health identification and interventions in social, emotional, and behavioral programs are being initiated WITHOUT informed written parental consent. Many marketing propaganda materials are used to “engage” parents to agree to these conditioning concepts without truthfully explaining the appropriate meaning to such techniques and the future impact of their children with mental health coding on their records.
I have attached a list of possible violations that must be investigated to sort out the illegalities of data mining, data sharing and mental health treatment that is being implemented in New Hampshire without the informed written consent of parents.
I am also including information from correspondence between myself, school administrators in New Hampshire and, researchers at Plymouth State University. They will reveal the practice of assessing, diagnosing, treating children and sharing this sensitive data with vendors and researchers.
Teachers in New Hampshire have revealed to me their discomfort with their new role and admit, they are not educated or qualified to treat students. Yet, that’s exactly what they are now required to do in the name of social and emotional learning.
With the recent passage of the amendment to the New Hampshire Constitution that states, “An individual’s right to live free from governmental intrusion in private or personal information is natural, essential and inherent,” this also applies to students attending public schools in New Hampshire.
I am requesting that you intervene immediately. Please request that the Attorney General call a halt to educational data mining activities, and force compliance with all privacy laws for the protection of our children in New Hampshire. Informed written parental consent must be initiated, with penalties for violating our children’s’ privacy through data mining or sharing of personal information.
I will be looking forward to your reply,
Ann Marie Banfield Education Liaison, Cornerstone Action
Violations of Privacy Laws and Data Mining Personal Data on Children
Data Tracking: Collection of PII (Personally Identifiable Information) on babies, children, and teachers identified with a unique national ID, contracted by Institute for Educational Sciences, NCES/IES. Compliance to Obama’s FERPA Executive Order 12866 expanding FERPA to collect and share data.
Data Trafficking: Release Of Personally Identifiable Information, PII, to 3rd Party Contractors: State DOE’s and local schools are able to enter into written agreements with businesses, foundations, higher education, and other Departments, releasing PII because of the loopholes in FERPA, (Family Education Rights and Privacy Act) that redefine school officials. PII, Social,Emotional Behavioral Data, and “womb to workforce” data, is freely given to 3rd party contractors through written agreements contracted by each state DOE.
Treatment, Interventions, Psychological Abuse: ESSA mandates PII collected on attitudes, values, beliefs, and dispositions (grit) carried out by IDEA (Individuals with Disabilities Education Act). All students, birth through college-aged students are identified under Title I for social, emotional, and behavioral change, Child Find. Techniques defined in ESSA include mental health interventions: Positive Behavior intervention and Supports, Response To Intervention, Multi-Tiered System Of Supports, Universal Design For Learning which are performed WITHOUT informed written parental consent.
Privacy Violations: Sharing and Re-Disclosure of PII continues, including data collected on attitudes, values, beliefs, and dispositions, without the knowledge or consent of parents. Directory information is cross-referenced with a unique national ID aligned with teacher collected social/emotional behavioral data collected on the local level. No privacy disclosures are used. Children are being used as a commodity.
Violations Under ESSA, Protection of Pupil Rights Amendment, PPRA: Violations under Title I school-wide through the use of psychiatric, psychological examination, assessment, evaluation, or testing; Psychiatric or psychological treatment/interventions deceptively used in classrooms without the knowledge, disclosure, or written permission of parents. ESSA forbids mental health screening without consent, yet the abuse continues.
Civil Rights Violations: Interventions, treatment, and re-education of attitudes, values, dispositions, and beliefs of children are profound violations of 1st Amendment protections of our God-given right to “right of conscience” and the 4th Amendment protection of our God-given right “to be secure in their persons.” Public Law 103-33, General Education Provisions Act, Sec 438: Federal Government is supervising and directing curriculum creating a “model national curriculum” and a national test. NCES/IES evaluates and monitors students, teachers, funding, principals, schools, districts, and states for mental health data.
Malpractice and Maltreatment of Children and Babies by Teachers and Preschool Caregivers: Teachers/preschool caregivers, (exceeding their professional certifications), are required to screen, evaluate, perform anecdotal behavioral assessments, conditioning, and implement mental health remediation of the child’s attitudes, values, beliefs, and dispositions called social, emotional learning to comply with global initiatives under ESSA. Standards defined by Department of Labor SCANS Report, create the process of “supply-chain management to humans.” This system sets up schools to begin Medicaid reimbursements. All Illegal.
Politicoreported yesterday that one of the upcoming changes at the U.S. Department of Education will be the rcreation of a new Student Privacy Policy Office.
— Other changes that haven’t been reported include the creation of a new Student Privacy Policy Office, which would be housed under the department’s Office of Planning Evaluation and Policy Development. The new approach would essentially break up the current Office of the Chief Privacy Officer, which has been housed under the Office of Management. The Education Department’s former chief privacy officer, Kathleen Styles, was reassigned earlier this year.
— The new Student Privacy Policy Office would be created by combining and moving two offices out of the Office of the Chief Privacy Officer — the Student Privacy Policy and Assistance Division and the Family Policy Compliance Division. A new rulemaking effort would amend the Family Educational Rights and Privacy Act, the federal law that protects the privacy of student education records, so the Family Policy Compliance Office can administer the law.
— The Student Privacy Policy Office would be charged with providing student privacy assistance to states and school districts, in addition to investigating FERPA complaints. The position of chief privacy officer will move over to the Office of the Chief Information Officer, which has historically dealt with information technology issues. The chief privacy officer would have jurisdiction over issues related to the Privacy Act, which regulates federal record-keeping, and other privacy safeguards.
FERPA desperately needs to be updated, but unless schools, states, and the Feds stop collecting student data, privacy will always be an issue.
Oregon Public Broadcasting reports that the former chief information officer for the Oregon Department of Education (ODE) is suing claiming ODE suspended and moved to terminate her because of her whistleblowing about the department’s data collection efforts and requests for access that violated federal privacy laws.
Strangfield suspected her suspension and subsequent moves to have her terminated were not about the conduct and project management questions that her attorneys called “frivolous.” Instead, she believed that top state officials forced her out because she raised privacy and security concerns about a massive database the state is building with records on millions of Oregonians, many of them children.
Strangfield’s attorneys filed a tort claim notice, essentially a warning that she intends to sue, alleging Strangfield was discriminated and retaliated against, in part for blowing the whistle on the database’s shortcomings.
Manning reported back in August about her complaint about Oregon’s statewide longitudinal database system (SLDS) and she was not the only person to express concern:
Officials in school districts across Oregon said they share Strangfield’s concerns about protections for student privacy and security, though they declined to speak on the record to preserve relations with ODE and the Chief Education Office. Multiple analyses from the U.S. Department of Education also laid out security concerns with how Oregon education officials handle data.
Worries came from others at ODE, too.
“One thing I want to be clear about — it wasn’t just Susie who had concerns,” said Amy McLaughlin, the supervisor of ODE’s information security team until she left in 2016. “I had concerns; my team had concerns about making sure that we were in compliance with FERPA.” FERPA is the federal law that prohibits education institutions from sharing data on individual students, without documented research or audit plans.
Springfield Public Schools, the school district for the third largest city in Missouri, are at the center of a frightening breach of data privacy. Any student or staff member with a district-issued Google Drive account could have personal data compromised.
Cheri Kiesecker at Missouri Education Watchdogreported earlier this month:
What is reportedly happening with Springfield Missouri Public School’s use of Google Drive offers a rare glimpse into Google’s potential to collect data. School-issued student Google accounts connect to Google Drive which can allow for the ability to Auto-Sync devices to Auto-Save passwords, browsing history and other digital data points from numerous devices used by a single user. For students in SPS this could include digital data from non-school related accounts.
Fox 5 KRBK originally broke the story reported on what one family, the Elys, found:
Springfield residents Norman and Diane Ely went before the school board earlier this year and asked that the district check into safety concerns regarding private information that was being stored on SPS’s Google Drive. They claimed that since that meeting, nothing has changed. Tuesday, the Ely’s addressed the board again with more alarming discoveries.
The Elys claim that the SPS Google Drive, given to all SPS employees and students, automatically begins to store information from any device the drive is accessed on. This includes browser history, but also personal information such as files and passwords. They add that even if you log out of the drive, it stays running and recording in the background. After bringing their concerns forward this past May, they say that despite the evidence presented, no serious action has been taken on behalf of the district.
“They have a lot of evidence and have had it since December, and we have not heard one word from any of them, said Dianne Ely.
With more searching, the Elys have now found even more sensitive information that’s been stored to their daughter’s Google Drive, including 139 passwords to both her and her husband’s different accounts and also voice recordings of both her and her children.
“My voice to text was being stored as well as any search my kids did, and I could say ‘sure my daughter was searching on Google,’ but my phone uses Safari. When I used my texting app on my iPhone, it recorded my voice, as well as typing out the words and saving it on my Google Drive,” said Brette Hay, the Ely’s daughter and a teacher at Pershing Middle School.
Cheri raised a pertinent question: “Why is Auto-Syncing of devices and Auto-Saving of passwords allowed on any school-issued Google account?”
It shouldn’t be allowed. Cheri notes this breach represents potential problems of several federal laws including Protection of Pupil Rights Amendment, Family Educational Rights and Privacy Act, and Children’s Online Privacy Protection Rule. Read Cheri’s piece as she addresses different questions related to each law.
There’s more to this story at PogoWasRight.org, a privacy news website, they reported what is even scarier than the data collection, but the accessibility of that data.
To their horror, Henderson and Hay (school district employees) could see what they estimate as the school and personal account credentials of more than 25,000 students and employees in the district. The credentials could be viewed in plaintext and made accessible to anyone with a SPS google account.
So this information was being collected without their consent, but it was accessible by others with district-issued Google Drive accounts and one employee was dealing with identity theft as a result.
The data collection wasn’t limited to school-owned devices, but parents’ personal and work devices as well if they logged into their student’s Google Drive account.
Parents if your student has a school-issued Google Drive account you need to start asking questions. Here are three pertinent ones to ask:
Can the school district disable Google Auto-Sync and Auto-Save?
Did the school district inform parents and students about the types of data collected by Google Drive?
Who in the school district, as well as, Google can access that information?
I would also encourage parents and students to only log into a district-issued Google Drive account on a school-owned device and only allow your student to do schoolwork on it. At least maintain this practice until your school district can explain to you exactly what data is being collected, who has access to it, and how they are protecting it.
Education Weekpublished an article this week about how Google has taken over the classroom over the last five years. This raises student data privacy concerns.
If you’re seeing Google reign in your child’s classroom, Matthew Lynch writes there are three reasons why.
Google devices are cheaper. Lynch writes, “Instead of laptops and tablets that were priced outside of what most schools could afford, Google presented the cheaper Chromebook that came complete with a host of free apps for students and teachers.”
Google Apps makes it easier for students to create and share information. Anyone can get a free account, but they also offer paid services at a special price point for schools. Lynch writes, “Students can create a variety of documents through the Google Docs platform and make their content available to share with others in real-time. The sharing extends not just to classmates, but also to educators who can keep better tabs on what their students are doing and learning on any given day.”
Teachers can be more involved with Google. Lynch writes, “The Google Admin panel allows educators to be more involved in what their students are doing on their Chromebooks. They can monitor controls, upgrade software, enroll new students, and otherwise manage the devices handed out to their class with relative ease. Teachers are firmly in control of what their students can and cannot do on their Chromebooks, an attribute that grows increasingly rarer with all of the modern inventions in technology.”
I can attest to Google apps being a useful tool, I use them myself. I’ve been able to play around with Chromebooks (I currently use a MacBook Pro). I also teach government for a local homeschooling co-op, and often students will send me papers using Google Docs.
Even though they offer useful and inexpensive tools with Google’s assent in the classroom there are obvious data privacy concerns.
Joseph Turow, a communications professor at the University of Pennsylvania, wrote for Fortune:
At the very start, the marketing giant hits you with the deal: By giving up information you allow the company “to show you more relevant search results and ads, to help you connect with people or to make sharing with others quicker and easier.”
Yet it’s not really a fair trade. Most people have little understanding of what they’re actually agreeing to give up. A 2015 national survey my colleagues and I conducted showed that Americans don’t buy the tradeoff idea.It also revealed that 58% of Americans are resigned to what’s taking place. They don’t want companies like Google to have control over their data, but they’ve come to believe they don’t have a choice.
The implications of this are profound. Google’s activities may affect the ads you get, the deals you are exposed to, the purchases you make, the discounts you receive, the entertainment and news you see, and your very sense that surveillance is natural. Plus, Google is only one of a gaggle of large companies involved in these sorts of activities—all the while seemingly hoping we don’t understand and are too resigned to push back.
When you use our services — for example, do a search on Google, get directions on Google Maps, or watch a video on YouTube — we collect data to make these services work for you. This can include:
Things you search for
Websites you visit
Videos you watch
Ads you click on or tap
Your location
Device information
IP address and cookie data
Things you create
If you are signed in with your Google Account, we store and protect what you create using our services. This can include:
Emails you send and receive on Gmail
Contacts you add
Calendar events
Photos and videos you upload
Docs, Sheets, and Slides on Drive
Things that make you “you”
When you sign up for a Google account, we keep the basic information that you give us. This can include your:
Name
Email address and password
Birthday
Gender
Phone number
Country
This has me rethinking my use of Google. While any cloud-based service will store data, not everyone uses it.
While they state they do not sell it or give the federal government access to it, they do use it for advertising. They write:
We try to show you useful ads by using data collected from your devices, including your searches and location, websites and apps you have used, videos and ads you have seen, and personal information you have given us, such as your age range, gender, and topics of interest.
If you are signed in and depending on your Ads Settings, this data informs the ads you see across your devices. So if you visit a travel website on your computer at work, you might see ads about airfares to Paris on your phone later that night.
Advertisers only pay for the ads that are clicked, so its up to Google to entice you. They explain what data is used for ads.
We want to help you better understand the data that is being used to show you ads. Why This Ad is a feature that allows you to click a prompt in order to learn why you are seeing a given ad. For example, you might be seeing that ad for a dress because you have been visiting fashion websites. Or if you see an ad for a restaurant, you may discover it is because of your location. This type of data helps us show you ads about things you might find useful. But remember, we never share this data with advertisers.
Now how does their policies differ for school-owned devices? I doubt it does.
If your student uses Google Apps or a Google Chromebook, the Electronic Frontier Foundation offers a privacy guide for parents for students who use Google Apps or who use a Google Chromebook.
Update: I was challenged by a teacher who provided a link to Google’s education privacy policy, Google says that they do not serve ads or use personal information collected in their education core services. Fair enough, I should have so here it is below. There is an important caveat here: “G Suite for Education users may have access to other Google services.” In that case, the overall privacy policy applies.
In G Suite for Education Core Services
The G Suite for Education Core Services (“Core Services”) are listed in the Services Summary and include Gmail, Calendar, Classroom, Contacts, Drive, Docs, Forms, Groups, Sheets, Sites, Slides, Talk/Hangouts, Vault, and Chrome Sync. These services are provided to a school under its G Suite for Education agreement and, as applicable, Data Processing Amendment. (Users and parents can ask their school if it has accepted the Data Processing Amendment.)
User personal information collected in the Core Services is used only to provide the Core Services. Google does not serve ads in the Core Services or use personal information collected in the Core Services for advertising purposes.
In Google services generally
Besides the Core Services, G Suite for Education users may have access to other Google services that we make generally available for consumers, such as Google Maps, Blogger, and YouTube. We call these “Additional Services” since they are outside of the Core Services.
The Google Privacy Policy describes fully how Google services generally use information, including for G Suite for Education users. To summarize, we use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer users tailored content, such as more relevant search results. We may combine personal information from one service with information, including personal information, from other Google services.
Google may serve ads to G Suite for Education users in the Additional Services. For G Suite for Education users in primary and secondary (K-12) schools, Google does not use any user personal information (or any information associated with a G Suite for Education Account) to target ads, whether in Core Services or other Google services accessed while using a G Suite for Education account.
Here is their policy for information sharing:
Information we collect may be shared outside of Google in limited circumstances. We do not share personal information with companies, organizations and individuals outside of Google unless one of the following circumstances applies:
With user consent. We will share personal information with companies, organizations or individuals outside of Google when we have user consent or parents’ consent (as applicable).
With G Suite for Education administrators. G Suite for Education administrators have access to information stored in the Google Accounts of users in that school or domain.
For external processing. We provide personal information to our affiliates or other trusted businesses or persons to process it for us, based on our instructions and in compliance with our Privacy Policy and any other appropriate confidentiality and security measures.
For legal reasons. We will share personal information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:
meet any applicable law, regulation, legal process or enforceable governmental request.
enforce applicable Terms of Service, including investigation of potential violations.
detect, prevent, or otherwise address fraud, security or technical issues.
protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.
They also have a section on parental review and deletion of the student’s information:
The parents of G Suite for Education users in Primary/Secondary (K-12) schools can access their child’s personal information or request that it be deleted through the school administrator. School administrators can provide for parental access and deletion of personal information consistent with the functionality of our services. If a parent wishes to stop any further collection or use of the child’s information, the parent can request that the administrator use the service controls available to them to limit the child’s access to features or services, or delete the child’s account entirely. Guidance for administrators on how to use service controls to accomplish this is available in the G Suite Help Center.
The U.S. Department of Education recently found that the Agora Cyber Charter School in Pennsylvania did violate the Family Educational Rights and Privacy Act (FERPA). Rules established during the Obama administration weakened FERPA, and there has been concern about how outdated it has become considering the rise of educational tech. So it’s remarkable anyone would be found in violation.
Unfortunately, the original complaint was filed on December 16, 2012, and it took the Department of Education almost five years to respond.
Last November, after reviewing responses from Agora, the Department found that the cyber charter did violate FERPA. To use services from Agora, which contracted with third-party service providers such as K12 Inc., Blackboard, and Sapphire, parents were required to agree to policies set forth by those providers. K12’s Terms of Use policy required students to enter identifiable data and granted the company and its affiliates “the right to use, reproduce, display, perform, adapt, modify, distribute, have distributed, and promote [information put into the platform] in any form, anywhere and for any purpose.”
The Department ruled that requiring students to use third-party services that share student data with unauthorized parties as a condition of enrollment is a violation of FERPA. In its letter, federal education officials wrote that “a parent or eligible student cannot be required to waive the rights and protections accorded under FERPA as a condition of acceptance into an educational institution or receipt of educational training or services.“
Perhaps this is a sign that the Education Department under the Trump Administration will be responsive to parents’ student data privacy concerns. This ruling is a good first step. Let’s hope they significantly reduce the response time.
The Foundations of Evidence-Based Policymaking Act (FEPA) (H.R. 4174) passed the U.S. House of Representatives by a voice vote on Wednesday afternoon after House rules were suspended in order to pass the bill. The bill was sponsored by Speaker Paul Ryan (R-WI).
This is typically done when a bill is considered “non-controversial.”
That isn’t the case with this bill. Two-thirds of the members present must vote in favor. The debate is limited to 40 minutes, and no amendments can be added.
Since it was a voice vote there was no roll call and we don’t know how each Representative voted.
No one spoke in opposition to the bill. You can listen to the “debate” below, as audio was captured by Cheri Kiesecker:
There is a companion bill in the Senate (S. 2046) sponsored by U.S. Senator Patty Murray (D-WA).
Emmett McGroarty, a senior fellow with American Principles Project, made the following statement before the bill’s passage in the House.
Pressured by powerful lobbyists in Washington, Congress is about to take the first steps toward allowing massive data-mining by ‘researchers’ in the name of ‘transparency’ and ‘evidence.’ This will inevitably result in intrusive dossiers on citizens that will vastly expand the power of the already unaccountable administrative state. Citizens have the right to know that the personal data they turn over to the federal government stays with the agency to which it was submitted, and is not shared with other agencies for other purposes. Trampling on individual rights in this manner is bad enough; doing so without even fair hearing and debate is simply unconscionable. Congress must defeat this bill and protect individual freedom. If Congress refuses to do so, President Trump should veto this bill.
See and share this one-pager on the bill about why student privacy advocates have grave concerns about this bill and don’t find it “non-controversial” in the least.
Truth in American Education Information 