COVID-19 has placed districts, schools, and educators in unprecedented circumstances as they balance health concerns, academic responsibilities, and equity concerns this fall. How does student privacy relate to these issues? For this blog series, Future of Privacy Forum (FPF) has interviewed state, district, and school student privacy leaders to reflect on lessons learned from the rapid transition to online learning in the spring and to offer best practices regarding student data privacy in the current academic year.
On July 16, FPF spoke with a district privacy leader about lessons learned, how people define privacy, important considerations for tracking attendance, and the importance of vetting products in addition to privacy policies.
FPF: What are lessons learned from online learning last spring? How should they inform preparations and operations this fall?
Interviewee: The first lesson learned is never to assume technology will be used in the way it was designed or intended to be. Never underestimate the creativity of a bored 13-year-old. Do an internet search for any video-conferencing or learning management platform with a date range of March to April, and you will find articles about performance issues. Nobody was immune because no one had planned for learning to take place entirely online.
Another lesson learned is how connected our systems are. All of our systems are highly connected, with the most obvious example being authentication. We saw a fair number of phishing attacks using the names of widely known edtech vendors and emailing out fake password resets. Another new way we are connected now is that, with students learning from home, school districts became the tech support for everyone’s families. One of the first tech support calls we received was a parent saying the school’s Google domain had broken YouTube on all their computers; every time they went to YouTube, they would get a message saying it was blocked and to contact their Google admin. We also saw this on the MiFi devices that we sent home; the MiFi vendor and parents turned on a parental control setting. This setting was never intended to be a feature that other companies could market as a YouTube filtering feature, but it ended up being used as such.
FPF: How should schools consider and prioritize student privacy this fall?
Interviewee: Two things come to mind. One is it’s always important to have policies and clear communication. A pandemic is not a time to throw those out the window. In fact, they become even more important. In April, we saw a lot of edtech vendors offering free products to schools. Many school districts saw this and decided they had too much on their plates to add new services. I think that was a great decision. However, the situation was causing people to invent solutions on the fly, and everybody was trying to solve problems on their own. So you had people who aren’t typically involved in this process trying to solve problems with technology. So you get what is called shadow IT: basically, technology not going through the normal vetting process. It’s even more important now to know what technologies are being used.
Now that we’ve been virtual for the last four months, it looks like we will be virtual for a long time. When we first shifted to online learning, we accepted a whole set of risks without conducting a risk evaluation and making a mitigation plan. Our business and instructional computing is happening in people’s homes. There are privacy risks when we consider webcams and scarcity of computing resources when everyone in the house needs to work from home, especially if family members share district-provided computers that have access to school data or may even be on the district virtual private network. It is important to acknowledge this risk and make sure there are telework policies, communication and training in place that address how district data will be protected.
FPF: Have you seen the conversation about student privacy change as a result of the shift to online learning?
Interviewee: I am going to break down this question and classify how we think about privacy. We can think about privacy in terms of how it’s regulated in the U.S., so the Family Educational Rights and Privacy Act, which has specific definitions and boundaries. But then there’s the general concept of privacy that, frankly, everyone gets to define in their own way. What privacy means to the average parent is completely disconnected from the legal regime of the various privacy silos.
The best examples of this have been about health and video recordings. I’ve had more conversations about the Health Insurance Portability and Accountability Act this spring than I have had in my entire K-12 career. These conversations, especially regarding health, are challenging discussions because they can get extremely emotional, and everyone brings their own definitions of privacy to the table. When you think about what makes people anxious, health is big, and so are video recordings of voices, faces, and homes. How is this recording going to be used, protected, and shared? As we look to the fall, conversations about health and student recordings will continue to be two of the most significant areas of concern and ambiguity.
FPF: What tools are schools considering to measure attendance and participation? What should they be cautious of?
Interviewee: When you unpack the idea of what meaningful attendance is, you need to think about whether you are measuring just for the sake of measuring. I believe this is all wrapped up in the conversation around how effective synchronous learning is versus asynchronous learning. I don’t have the background to weigh in on this, but I suspect the answer is different depending on the age of students you’re talking about. Using video conferencing tools to track attendance has received a lot of traction because of the Brady Bunch-style grid, where you can see a large number of kids in the class. You can’t do this in a learning management system tool. In K-6 especially, there is a desire to be able to see everyone in the class. And this resulted in some teachers posting screenshots of their virtual classes on social media, which certainly was a privacy concern.
FPF: With the transition to online learning, do schools want to use learning analytics to measure educational outcomes?
Interviewee: At best, what we have some schools attempting can be described as learning systems activity collection. It is certainly not learning analytics, or at least you cannot draw a direct line between the data these systems are collecting and what an educator would call learning. It’s, at best, tracking activity but not outcomes. I think that’s the phrase I would take out of this: activity not outcome. Schools are attempting to use some activity as a heuristic, rather than measuring the outcome. And there are problems when you’re dealing with multiple systems. Systems don’t measure the same thing in the same way. I would be particularly concerned about a district reporting activity data and combining it with socioeconomic data for analysis without additional controls or conversations about how that data will be used.
There are privacy harms when we consider collecting multiple data points about a student to, for example, create a discipline profile or a truancy search list. It is not good practice to use data to make decisions when we cannot be confident in that data’s quality or completeness. When the underlying data is arguably suspect or incomplete, you’re comparing apples to oranges. Whenever you have a non-technical person attempt to repurpose data, like login information, for another purpose, like attendance, that person will not understand what the data means or how it is collected. The system collects login data for when you log in to an application, but if you’re not a technologist you may not understand that login data looks different depending on whether you’re logging in through a web browser or through an app on your iPad. There might be a case where a student’s primary internet and device access is their phone. So when that student logs in to some application, this won’t be tracked because the product wasn’t designed to be an attendance application.
FPF: What should schools’ vetting processes be like? What aspects should be included?
Interviewee: When we vet applications, we are making sure that they are ready to run in a K-12 environment. When most people talk about vetting, they are talking about vetting the privacy policy and terms of service agreements. I think that’s a good place to start. Vetting the privacy policy is like when you buy a house, and you hire a lawyer to vet the contract. But typically, most people who buy a house also hire a home inspector. They are not interchangeable, and one is not more important than the other; you do both. So when we talk about app vetting, there’s vetting the contract and then vetting the actual product. Vetting the product requires that you look at the product and see how it works: how the accounts are created, the data that is collected, and how the data flows. These are a few of the things a technologist and instructional staff might want to look at.
This interview was conducted by Juliana Cotto on July 16, 2020. It has been edited and condensed for clarity.