Your child may be a history buff or a math whiz. He may excel at soccer or poetry. She may be planning for a career as a doctor or a lawyer. Each kid is unique, but there’s one thing all students have in common: They are data-generating machines.
It’s not just their test scores and attendance records getting socked away. Every student in every school district generates hundreds of data points each year — from their race and gender to their economic status, behavioral issues, biometric data, health status, and more. This tsunami of data is then absorbed and stored by school districts, state databases, educational service providers, websites, and app makers.
Of course, schools have been collecting data on students since there have been schools. In the past, though, this information was squirreled away in filing cabinets or just on computers used in district offices. Now it lives in the cloud, and it’s being accessed by non-educators who want to apply the principles of big data analysis to it.
What could go wrong? Plenty. Potentially damaging information about your child’s medical conditions or behavioral issues could accidentally leak or be exposed by hackers. Private companies could decide to use the information for commercial purposes. Potential employers, insurance companies, or other government agencies may someday lobby to get their hands on this data.
As our children head back to school this fall, student privacy is an issue that should be on every parent’s mind.
Big data, big problems
This massive data collection effort is being undertaken almost entirely with good intentions. By creating databases that collect information over a long period, researchers, for example, hope to identify patterns in the data and use them to improve how kids learn. If the data showed that students who miss 10 or more school days in seventh grade are 70 percent more likely to drop out three years later, educators could use that to identify at-risk kids and intervene earlier.
Here’s where it gets sticky. Many school districts lack the technical expertise to create and manage these databases, so they outsource the job to professional geeks. This is why, in 2008 and 2011, Congress amended the Family Educational Rights and Privacy Act (FERPA) to allow authorized third parties to access sensitive student data.
Contractors have to follow the same rules as school officials when handling this data — which means they can’t sell it or use it for non-educational purposes. But it’s not clear that anyone is making sure these third parties are actually following the rules or protecting the data adequately, and the penalties for abusing the data are minimal. (A bill that prohibits commercial use of student data was introduced by Sens. Ed Markey [D-Mass.] and Orrin Hatch [R-Utah] in June. It’s currently in committee.)
I reached out to Kathleen Styles, chief privacy officer for the U.S. Department of Education, about these concerns.
“We provide regular FERPA guidance for schools on how to protect student privacy, give technical assistance to states, and established the Privacy Technical Assistance Center to provide that hands-on help,” she replied via email. “While we have seen some security breaches in schools — with both paper and digital records — we have seen few significant instances of systemic misuse of student data. We cannot ask our schools to choose between privacy and progress.”
Most parents, meanwhile, don’t know what information is being collected, who has access to it, how it’s being protected, or if it’s even accurate. A backlash from parents caused school officials in nine states to drop plans to share data with inBloom, a startup that created information dashboards for teachers. Last April, inBloom announced that it was shutting down.
Here’s what part of an inBloom teacher dashboard looked like, courtesy of the K12 Dashboards board on Pinterest.
This has not stopped the data from being collected, however. All states maintain massive “longitudinal data systems,” tracking your child from kindergarten through graduation. Dozens of educational technology companies are actively building tools to store and manipulate this data. The problem? Once you collect a trove of data this massive, it becomes an irresistible target — not just for hackers or data-hungry companies, but also for other government agencies that want to use it for their own purposes.
It’s easy to imagine the Department of Homeland Security wanting access to these databases to identify potential terrorists, or the Department of Justice using it to analyze the characteristics of lifelong criminals. At what point does it stop? Will the cop that just pulled you over be able to look up your high-school GPA and see that you were disciplined for smoking in the boys room?
Data sharing gone wild
A greater threat comes from websites or apps that have access to student data with few if any legal restrictions. Most data collection by ed-tech companies is probably also well intentioned, but definitely not all.
Last December, the Electronic Privacy Information Center filed a complaint with the FTC about Scholarships.com, a site that gathers reams of data — including religious and political affiliations, sexual orientation, and mental or physical disabilities — from students seeking financial aid. What Scholarships.com doesn’t reveal is that it shares all this information with an affiliate company, American Student Marketing, which then sells it to advertisers.
Scholarships.com collects vast quantities of highly personal data and then sells it to advertisers via its American Student Marketing subsidiary.
I created a fake profile on Scholarships.com, filling out multiple screens asking for vast amounts of highly personal information. The site then displayed roughly 50 potential scholarships, most of them ranging from $500 to $2,000, none of which had anything to do with the sensitive categories I’d selected.
You don’t have to hand this information to Scholarships.com (though the site strongly encourages it) and you can tell it to not use it for marketing (though the default is to share). But for cash-strapped parents facing tens of thousands of dollars in tuition expenses, the temptation to provide this information -- on the off chance there's scholarship money for your left-handed, transgender, death penalty-opposing child -- may simply be too great.
Scholarships.com may be a particularly egregious example, but it’s hardly the only one. When I signed my son up for SAT testing with the College Board, we were overwhelmed with junk mail from third-rate colleges eager to tap our tuition funds. One particularly desperate institution sent us glossy mailers every week until I called and asked it to stop. (It did, but two months later the mailers started showing up again.)
Last March, Google admitted to using information collected from its free Apps for Education suite, used by thousands of schools, to serve ads on other platforms. (Google has since discontinued the practice.)
Sometime this month the California legislature is slated to vote on the Student Online Personal Information Protection Act (SOPIPA). If signed into law, SOPIPA would require any entity collecting data from K-12 students to use it only for education, encrypt it, and to delete it when it’s no longer useful. The law would also prohibit such entities from selling the data or for using it for commercial purposes.
Trust never sleeps
As with nearly everything involving schools, the student privacy debate is highly political and conflated with other controversial issues (such as the Common Core curriculum) that are mostly unrelated.
Virtually everyone agrees that big data can be extremely useful for education. But schools also need to be extremely careful in what they collect, the companies they share it with, and what happens to the data later. And they need to do a much better job of empowering parents, says Khaliah Barnes, director of the student privacy project for the Electronic Privacy Information Center. EPIC has proposed a Student Privacy Bill of Rights, modeled after the Consumer Privacy Bill of Rights proposed by the Obama administration in February 2012.
“Many parents trust that schools won’t sign their children up for services that violate their privacy, but that’s not always the case,” she says. “Parents shouldn’t have to MacGyver their way into ensuring their children’s privacy.”
Questions, complaints, kudos? Email Dan Tynan at ModFamily1@yahoo.com.