Saturday, April 20, 2024

FBI Warns of Grave Cyber Security Threat to Students from School Tech

Finally! Although the horse may be long out of the barn, the FBI should nevertheless be commended for issuing this warning about the dangers of education technology and cyber security threats for students and their families:

The FBI is encouraging public awareness of cyber threat concerns related to K-12 students. The US school systems’ rapid growth of education technologies (EdTech) and widespread collection of student data could have privacy and safety implications if compromised or exploited.

The warning gives a list of many types of data that can be maliciously exploited, rightly saying that this is not all-inclusive:

  • personally identifiable information (PII);
  • biometric data;
  • academic progress;
  • behavioral, disciplinary, and medical information;
  • Web browsing history;
  • students’ geolocation;
  • IP addresses used by students; and
  • classroom activities

The FBI also notes that criminals could exploit this data for “social engineering, bullying, tracking, identity theft, or other means for targeting children.” They then go on to discuss some terrible incidents that have happened:

For example, in late 2017, cyber actors exploited school information technology (IT) systems by hacking into multiple school district servers across the United States. They accessed student contact information, education plans, homework assignments, medical records, and counselor reports, and then used that information to contact, extort, and threaten students with physical violence and release of their personal information. The actors sent text messages to parents and local law enforcement, publicized students’ private information, posted student PII on social media, and stated how the release of such information could help child predators identify new targets. In response to the incidents, the Department of Education released a Cyber Advisory alert in October 2017 stating cyber criminals were targeting school districts with weak data security or well-known vulnerabilities to access sensitive data from student records to shame, bully, and threaten children.

One of the other very important classes of data not fully mentioned in this list is mental health data, which is becoming a huge commodity in the wake of multiple recent school shootings. Given the FBI’s concerns about shaming, bullying, threatening and blackmail discussed in this announcement, it should be seen as especially dangerous that Florida now requires students to disclose any mental health diagnosis (accurate or not) to the school and is attempting to build a statewide data depository that integrates social media posts with school behavioral records, police records, and much more. This concept is already being piloted with federal funds in the Miami-Dade County schools.

Texas is also joining Florida in ramping up widespread school-based mental health screening. This is especially problematic in this context because of the very high false positive rate, which results in inaccurate data being put in student records alongside the treasure trove of other sensitive data going into this new database, all of it vulnerable to hacking, and therefore blackmail, by cyber criminals. Alarmingly, it has even been recently reported that a new ed tech application allows all school personnel, including school bus drivers and janitors, to monitor students’ social emotional status on tablets and smart phones.

Another quite disturbing realm of data mining is in the early childhood age group that already has much subjective and sensitive social emotional and family data collected on these innocent children. I have also written extensively about the data collection associated with preschool programs here when discussing the Obama Early Learning Challenge Grants and here when warning about ESSA’s Preschool Development Grants — which actually include Rhode Island’s efforts to integrate DNA data and other health data into preK-12 academic data. Recently a parent deeply disturbed about the explosion of SEL data mining happening in schools wrote about a preschool play table, one of ten new pieces of Orwellian ed tech coming to the market, that performs video and audio surveillance on the young children using it:

This is even more alarming when the preponderance of data continues to show that government preschool is at best worthless, and at worst harmful. We already have plenty of data showing this that is ignored. Why collect more that is vulnerable to misuse?

Hopefully this announcement will make people at the U.S. Department of Education think twice about their latest data mining efforts. Dr. Susan Berry of Breitbart News recently wrote about a video (49:10) exposing Google’s efforts to expand their reach in education. She pointed out how tech giants like “Facebook, Apple, Microsoft, and Pearson… have partnered with the U.S. Department of Education and school districts throughout the country.” She also quoted conservative author and CRTV host Michelle Malkin who wrote at National Review in April:

It doesn’t take undercover investigative journalists to unmask the massive privacy invasion enabled by educational technology and federal mandates. The kiddie data heist is happening out in the open — with Washington politicians and bureaucrats as brazen co-conspirators.

The FBI recommends at the end of the announcement that parents “research existing student and child privacy protections of the Family Educational Rights and Privacy Act (FERPA), the Protection of Pupil Rights Amendment (PPRA), the Children’s Online Privacy Protection Act (COPPA), and state laws as they apply to EdTech services.” However, given the complete gutting of FERPA during the Obama administration and the general refusal of state and federal governments to even acknowledge PPRA’s existence, much less enforce it, it would be much better if Congress would step in and vacate the Obama administrative changes and strengthen PPRA.

And regarding school safety, the Obama-era school discipline guidance needs to be withdrawn. Schools should be allowed to act on actual behavior issues with disturbed students, rather than casting a broad net to label and potentially destroy the privacy and reputations of innocent students with grossly inaccurate mental screening surveys that prominent psychiatric experts reject, and whose results are stored in databases that even the nation’s premier law enforcement agency admits are vulnerable to hacking and misuse.
