Report: School-Issued Devices Spying on Kids

Photo credit: Brad Flickinger (CC-By-2.0)

The Electronic Frontier Foundation released a report in April that is a must read for those who are concerned about student privacy. In a nutshell, they found these devices are spying on kids who use them, and their parents are blissfully unaware.

From the report‘s executive summary:

Student laptops and educational services are often available for a steeply reduced price, and are sometimes even free. However, they come with real costs and unresolved ethical questions thrroughout EFF’s investigation over the past two years, we have found that educational technology services often collect far more information on kids than is necessary and store this information indefinitely. This privacy-implicating information goes beyond personally identifying information (PII) like name and date of birth, and can include browsing history, search terms, location data, contact lists, and behavioral information. Some programs upload this student data to the cloud automatically and by default. All of this often happens without the awareness or consent of students and their families.

Here are some of the concerns they found after their two-year study of educational tech:

  • Lack of transparency. Schools issued devices to students without their parents’ knowledge and consent. Parents were kept in the dark about what apps their kids were required to use and what data was being collected.
  • Investigative burdens. With no notice or help from schools, the investigative burden fell on parents and even students to understand the privacy implications of the technology they were using.
  • Data concerns. Parents had extensive concerns about student data collection, retention, and sharing. We investigated the 152 ed-tech services that survey respondents reported were in use in classrooms in their community and found that their privacy policies were lacking in encryption, data retention, and data sharing policies.
  • Lack of choice. Parents who sought to opt their children out of devices or software use faced many hurdles, particularly those without the resources to provide their own alternatives.
  • Overreliance on “privacy by policy.” Schools generally relied on the privacy policies of ed tech companies to ensure student data protection. Parents and students, on the other hand, wanted concrete evidence that student data was protected in practice as well as in policy.
  • Need for digital privacy training and education. Both students and teachers voiced a desire for better training in privacy-conscious technology use.

They also note the weakness in the Family Educational Rights and Privacy Act (FERPA) in preventing school districts from disclosing student data from interested third parties.

…it has limitations: it only applies to certain types of student information and there are exceptions that can be exploited. e law is enforced by the U.S. Department of Education, which can cut o funding to noncompliant schools.

FERPA protects students’ “education records” including personally identifiable information. The law also protects information about students’ online activity when they are using school-issued devices, when that information is tied to personally identifiable information; according to the U.S. Department of Education, FERPA protects behavioral “metadata” unless it has been “stripped of all direct and indirect identifiers.

FERPA generally prohibits school districts from sharing student information with third parties without written parental consent. Sometimes school districts use a loophole in the law to get around the parental consent requirement by characterizing ed tech companies as “school officials.”

This report is disturbing, and that is an understatement.