Protecting Privacy at the Expense of Privacy

When we think of children, the first thing that comes to mind is their protection; protection from known risks, protection from violence, drunk drivers, illness, and the likes of Madonna and Ashley Judd.  In the age of internet-everything we want kids to be safe from exposure to pornography and child predators who spy on children without our knowledge.  When we’re not with them, we want to find a place where they will be safe and we can feel comfortable they’re under the watchful eye of people who also want to protect them.

Many parents think of school as that place.  We anticipate teachers are concerned for our children’s well-being, Madonna and Ashley Judd won’t be invited for career day, and there wouldn’t be porn or internet stalkers (because we know schools wouldn’t let internet stalkers spy on our kids).

What could go wrong?  How about everything?

As technology has become more deeply embedded in school culture, student-level data is being gathered at an accelerated rate.  Tech companies are being given nearly unfettered access to student information via 1:1 devices, online resources and apps used by teachers in classrooms, digital textbooks, and the expansion of adaptive/personalized learning.  Every keystroke, every search term, every bookmark, every internet site, every log-in to a standardized test is gobbled up, chewed, and swallowed by Big Data.

The proliferation of technology in classrooms has created serious concerns about the glut of data streaming out of classrooms and into the possession of multi-billion dollar corporations.  Google, which has flooded classrooms with Chromebooks, has consistently been the subject of myriad lawsuits involving abusive privacy practices such as intercepting email communications, scanning email for the purposes of targeted advertising, and collecting and data mining children’s personal preferences.  A class action filed in March 2016 alleges illegal collection and use of biometric information.  Hello there, creepy internet stalker!

In 2015, Congress passed the reauthorization of the Elementary and Secondary Education Act (ESEA).  However, the bill signed by President Obama failed to either include student data privacy protections or close the loopholes in existing federal law.

In response to mounting evidence of misuse of student data, privacy violations and data breaches, the Software and Information Industry Association and the Future of Privacy Forum collaborated to produce the Student Privacy Pledge, a voluntary effort to commit student service providers to good privacy practices regarding their collection and use of student data.  Since its release in 2014, more than 300 companies have signed the pledge, which contains specific prohibitions on selling personal information and creating student profiles for behaviorally targeted advertising.  The pledge was intended to offer reassurances that Google wouldn’t use information about children to inundate them with advertisements.

Since then, many states have adopted legislation to place similar restrictions on how tech companies can use, store, and share student data as it relates to targeted advertising.  Most of the new privacy laws are spearheaded by lobbyists for big data, i.e., Google, Microsoft, and Amazon, and merely codify the Student Privacy Pledge.  If you’re scratching your head wondering why Google et al. would support legislation limiting their share of what some say will be a $59 billion industry by 2018, ponder no longer.

The Student Privacy Pledge only applies to targeted advertising and states:

“Nothing in this pledge is intended to prohibit the use of student personal information for purposes of adaptive learning or customized education.”

To date, all privacy legislation contains the same or similar language, which means those creepy internet stalkers from whom children need protection get a free pass.  The statutory language carves out an exception that allows service providers to gather student Personally Identifiable Information (PII) for use in digital learning programs.  They just can’t try to sell kids a Happy Meal based on their web browsing habits.

Parents need to know the definition of PII: any data that, directly or in combination with other data, identifies an individual or student.  But they also need to understand the breadth of the definition.

For example, privacy statutes and pending bills (see New Hampshire, Oregon, California, Georgia, Arkansas, Maine, Connecticut, Idaho, Delaware, Kansas, and Nevada) define PII as data:

“…including, but not limited to, information in the student’s educational record or email, first and last name, home address, date of birth, telephone number, unique pupil identifier, social security number, financial or insurance account numbers, email address, other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, other student identifiers, search activity, photos, voice recordings, or geo-location information.”

Biometric information is the measurement of people’s physical and behavioral characteristics.  It can include fingerprints, DNA, face, hand, and ear features, as well as typing rhythm, gait, voice recordings, iris scans, and gestures.  Biometric information has been used by schools to track such things as attendance and food purchases.  However, in 2014, Florida became the first state to ban schools from collecting student biometric data.

Nothing, however, prohibits the use of our children’s fingerprints, DNA, heart rate, or iris scans by multi-billion dollar corporations.  And nothing prevents private corporations from taking this information from students without parental consent.  At a time when aspirin can’t be dispensed to a student without a signed release, a parent’s authority to protect their child from invasive surveillance is non-existent.

Current online data privacy legislation is a ruse.  It ultimately protects very little and makes vulnerable some of the most sensitive, private characteristics of our children.  Parental authority is usurped, student privacy is eroded, and tech giants gather PII under the guise of building educational tools, none of which require biometric information to function.  Personally, I think I’d rather have Google try to sell my child a Happy Meal.