The Electronic Frontier Foundation (EFF) has published a report called Spying on Students: School-Issued Devices and Student Privacy. The report is free of incomprehensible technical jargon, making it easy to read and understand. The EFF conducted a survey on student privacy concerns, though the report goes beyond presenting survey results. A legal analysis of industry self-regulation includes information about loopholes and shortcomings, and a brief analysis of the Family Educational Rights and Privacy Act (FERPA) and Children’s Online Privacy Protection Act (COPPA) is also included. This is followed with information about student privacy legislation in California, Colorado, and Connecticut. Finally, the last section of the report provides recommendations for school procedures, school administrators, teachers, librarians, system administrators, parents, and students.
Aside from the report’s interesting subject matter, I noted three things as I read it. First, the date is front and center on the report cover: April 13, 2017. The date of publication is one of the first things I look for when I start to read a report. I find a number of reports that have no date provided.
The second point of interest is that the EFF recognizes and acknowledges the limitations of the survey results by saying, “Because we used a ‘snowball’ sample and targeted interviews, our findings cannot be considered generalizable or representative.” The EFF does not leave it at that. Several indicators are given suggesting the survey results are not reflective or descriptive of how things are across the country:
Note that these numbers do not necessarily reflect the school adoption of these ed tech products and services nationally. They simply mean that we heard the most about Google, and therefore are in a position to report the most stakeholder experiences with its products.
Again, these numbers do not describe school policy patterns across the country. Instead, these numbers characterize the environments of our respondents, who overwhelmingly experienced a lack of transparency and lack of choice with regard to student privacy.
All too often, reports go no further than to say their survey results show something without any indication or recognition of limitations about the generalizability of the findings.
The third item noted was the survey questions provided in the appendix. It is a brief survey with thirteen questions, and it was a refreshing read, straightforward and not of the push poll variety so commonly seen in surveys these days.
Here are the main findings from EFF’s survey:
- Lack of transparency. Schools issued devices to students without their parents’ knowledge and consent. Parents were kept in the dark about what apps their kids were required to use and what data was being collected.
- Investigative burdens. With no notice or help from schools, the investigative burden fell on parents and even students to understand the privacy implications of the technology they were using.
- Data concerns. Parents had extensive concerns about student data collection, retention, and sharing. We investigated the 152 ed tech services that survey repondents reported were in use in classrooms in their community, and found that their privacy policies were lacking in encryption, data retention, and data sharing policies.
- Lack of choice. Parents who sought to opt their children out of device or software use faced many hurdles, particulary those without the resources to provide their own alternatives.
- Overreliance on “privacy by policy.” School staff generally relied on the privacy policies of ed tech companies to ensure student data protection. Parents and students, on the other hand, wanted concrete evidence that student data was protected in practice as well as in policy.
- Need for digital privacy training and education. Both students and teachers voiced a desire for better training in privacy-conscious technology use.
The EFF also provides questions for parents and things parents they should be on the lookout for:
- What kind of devices, applications, and other technology are being used to teach your child?
- Were you presented with the opportunity to review the privacy policies of these vendors?
- What data are the technology providers and the school district collecting, respectively? Do vendors and schools clearly communicate why they’re collecting that data?
- Are the technology vendors using current best practices to protect the data collected on your child?
- You should be able to choose whether or not any use of your child’s data is collected or used for purposes beyond student education—for instance, product improvement. If data will be used for product improvement, is it properly anonymized and aggregated?
- Will the vendor disclose any student data to its partners or other third parties in the normal course of business? If so, are those conditions clearly stated? What are the privacy practices of those entities?
- In a hardware product like a laptop, are controls available to prevent the vendor and school district employees from using the devices’ webcams, microphones, and location-tracking features to spy on students? What are the school or district’s policies on using those features?
Student use of technology devices has increased considerably over the years, with it now being more common for schools to require the use of devices whether the school issues them to students or not. EFF’s report does not address all possible questions and issues related to student technology use and student privacy.
What data is necessary to educate students? Schools, districts, states, and the U.S. Department of Education don’t really address the issue of whether, or what, data should be collected. The push seems to be to collect as much data as possible. States seem to assume they own student data even though it is not really spelled out as to whether the parent, school, school district, state, or software corporation is the actual owner. Issues of data ownership, transfer of ownership, rights of ownership, and parent rights should be clarified.
Expressed and informed written parental consent should be required before student data is collected. Parents should also be informed about what data may be collected, how the data will be used, who will have access to it, storage security measures, duration of data retention, and how the data will be destroyed at a predetermined time.
Most parents trust the education system and are not aware of the data being collected about their students. As a starter for more information, parents may be interested in reading “Parents Need to Know About Student Data Privacy.” They should also see “What your child needs to know before taking the SAT and ACT,” which indicates that parents and students are often convinced it is beneficial to provide information to the College Board (SAT) and ACT without realizing their profiles may be sold for a profit.
Photo credit: Lucelia Ribeiro via Flickr, CC BY-SA 2.0