Spying on Students

Spying on Students: School-Issued Devices and Student Privacy, April 13, 2017 | By Gennie Gebhart, by Frida Alim, Nate Cardozo, Gennie Gebhart, Karen Gullo, and Amul Kalia, Download the report as a PDF.

EXECUTIVE SUMMARY

Students and their families are backed into a corner. As students across the United States are handed school-issued laptops and signed up for educational cloud services, the way the educational system treats the privacy of students is undergoing profound changes—often without their parents’ notice or consent, and usually without a real choice to opt out of privacy-invading technology.

Students are using technology in the classroom at an unprecedented rate. One-third of all K-12 students in U.S. schools use school-issued devices.1 Google Chromebooks account for about half of those machines.2 Across the U.S., more than 30 million students, teachers, and administrators use Google’s G Suite for Education (formerly known as Google Apps for Education), and that number is rapidly growing.3

Student laptops and educational services are often available for a steeply reduced price, and are sometimes even free. However, they come with real costs and unresolved ethical questions.4 Throughout EFF’s investigation over the past two years, we have found that educational technology services often collect far more information on kids than is necessary and store this information indefinitely. This privacy-implicating information goes beyond personally identifying information (PII) like name and date of birth, and can include browsing history, search terms, location data, contact lists, and behavioral information. Some programs upload this student data to the cloud automatically and by default. All of this often happens without the awareness or consent of students and their families.

In short, technology providers are spying on students—and school districts, which often provide inadequate privacy policies or no privacy policy at all, are unwittingly helping them do it.

Since 2015, EFF has been taking a closer look at whether and how educational technology (or “ed tech”) companies are protecting students’ privacy and their data. This paper presents what we have observed and learned about student privacy in the course of our investigation. We aim to more precisely define the problems and issues around student privacy as they affect real students and their families, and to give stakeholders—including parents, students, administrators, and teachers—concrete steps they can take to advocate for student privacy in their own communities.

After an introduction to EFF’s approach to student privacy, we turn to our analysis.

In Part 1, we report on the results of a large-scale survey and interview study we conducted throughout 2016. In particular, we found that in an alarming number of cases, ed tech suffered from:

·       Lack of transparency. Schools issued devices to students without their parents’ knowledge and consent. Parents were kept in the dark about what apps their kids were required to use and what data was being collected.

·       Investigative burdens. With no notice or help from schools, the investigative burden fell on parents and even students to understand the privacy implications of the technology they were using.

·       Data concerns. Parents had extensive concerns about student data collection, retention, and sharing. We investigated the 152 ed tech services that survey respondents reported were in use in classrooms in their community, and found that their privacy policies were lacking in encryption, data retention, and data sharing policies.

·       Lack of choice. Parents who sought to opt their children out of device or software use faced many hurdles, particularly those without the resources to provide their own alternatives.

·       Overreliance on “privacy by policy.” School staff generally relied on the privacy policies of ed tech companies to ensure student data protection. Parents and students, on the other hand, wanted concrete evidence that student data was protected in practice as well as in policy.

·       Need for digital privacy training and education. Both students and teachers voiced a desire for better training in privacy-conscious technology use.

The data we collected on the experiences, perceptions, and concerns of stakeholders across the country highlights the need for ed tech companies to take seriously the privacy concerns of students, parents, teachers, and administrators.

In Part 2, we provide in-depth analysis of ed tech’s legal and policy framework in the U.S. State and federal laws that are supposed to protect student privacy have not kept up with ed tech’s rapid growth. We address:

·       Industry self-regulation. The Student Privacy Pledge, enforced by the FTC and voluntarily signed by ed tech companies, features glaring loopholes in its definitions of what constitutes "student information" and "educational service providers."

·       Federal law. We provide legal analysis of key federal laws the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA), highlighting major flaws in each law—namely, FERPA’s “school official” loophole and questions about parental consent in COPPA.

·       State law. As states bring forward more and more student privacy legislation, three have stood out: California, Colorado, and Connecticut. We describe each state’s current legislation and the ways in which they each take unique steps to protect student data, provide resources to school districts, and rein in ed tech companies.

In Part 3, we turn our analysis into a call for action and present our recommendations for: school administrators, teachers, librarians, system administrators, parents, students, and ed tech companies themselves.

Finally, we conclude by bringing our survey reporting, legal analysis, and recommendations together to briefly state the key problems and issues surrounding K-12 digital student privacy in the U.S.

Want to learn more about digital privacy? Readers of this paper may be interested in digital privacy in general, not just in the educational context. If so, check out EFF’s privacy work5 and our Surveillance Self-Defense guide.6

For the entire report, see link below:

https://www.eff.org/wp/school-issued-devices-and-student-privacy#conclusion

Comments

We really need internet content to preserve free speech and ensure that students have access to factual sources. We could use a history curriculum that is fact based rather than liberal propaganda-based. We need to know what our students are being taught.

Norb Leahy, Dunwoody GA Tea Party Leader