FPF’s Student Privacy Newsletter – April 2021

FPF’s Student Privacy Newsletter – April 2021

 

Good afternoon, and welcome to another issue of FPF’s Student Privacy Newsletter! Below, we’ve rounded up noteworthy student privacy issues that surfaced over the last several weeks. We saw new developments in many of the topics we’ve been monitoring over the last year, including student mental health, online learning and associated privacy challenges, and movement on children’s privacy issues around the globe.

Before we get to the news, here are a few updates from FPF:

  • We released a new youth privacy infographic providing an overview of particular opportunities and risks for youth online along with potential protection strategies to encourage global youth privacy protections that balance both protecting and empowering youth online while allowing them to gradually develop autonomy and resilience. Learn more in the accompanying blog post.

  • During FTC Acting Chairwoman Slaughter’s opening remarks at FPF’s February event Privacy Papers for Policymakers, she highlighted edtech as a priority area she is working closely on pursuing related to the pandemic.

  • We hosted a webinar discussing best practices and lessons learned from using video classrooms. Panelist Trevor Toteve, a high school teacher in Houston, was featured in an article by The 74, which also covered the webinar. For more on video and online learning privacy, you can read our Rethinking Video Mandates resource.

  • We published an analysis of a recent New York law that places a moratorium on purchasing and using biometric identifying technology in schools until at least July 2022.

  • Jasmine Park and Amelia Vance authored an EDUCAUSE article synthesizing findings from research over the past decade on college students’ privacy attitudes and expectations confirming that they do care about their privacy and that context matters. A more detailed white paper on this topic will be released later this spring.

  • We released three blog posts highlighting takeaways from our Student Privacy Communications Toolkit, which was published in January. The blog posts offer quick student privacy tips for students, parents, and educators

  • Come work with us! We are hiring two policy fellows and an events and communication assistant to join our Youth & Education team, and several other teams at FPF are hiring as well!  

On to the news…

Latest News

One year into the COVID-19 pandemic, many students are still learning virtually in some capacity. Even as schools begin to reopen, children will likely continue to spend more time online than they did pre-pandemic due to state restrictions, social distancing requirements, and potential long-term changes in remote learning.

  • On March 11, the House Subcommittee on Consumer Protection and Commerce held a hearing focused on children’s online safety during COVID. Representatives expressed significant interest in exploring updates to current children’s privacy regulations to better protect teens online, strengthen children’s privacy enforcement, and address manipulative design. To catch up on children’s privacy-related highlights, FPF’s Amelia Vance live-tweeted the hearing.
  • The Wall Street Journal reports that even as schools reopen physically, many are holding on to remote learning as a contingency plan to respond to fluctuating COVID-19 cases.
  • A RAND research report found that remote learning will exist after the pandemic, as 20% of school districts surveyed plan to offer fully remote options. This data, taken into account with surveys that show a decline in teacher confidence with edtech tools, highlights a need for additional professional development and support. EdSurge attributes this as a potential reason why data privacy is on the minds of state legislatures. For more on remote learning and balancing privacy considerations, see FPF’s webinar on “The Future of Video Mandates.”
  • Student perspective: A high school student wrote an article explaining why she hopes to continue online learning throughout high school. She believes online learning has helped her avoid social pressures like comparing grades and has also given her more space to explore her interests.
  • The Biden Administration filed an amicus brief in support of the school district in Mahanoy Area School District v. B.L., a case slated to go before the U.S. Supreme Court next month on whether public schools can regulate off-campus student speech. Both the Acting U.S. Solicitor General in the amicus brief and the school district in its petition to the court noted that the pandemic and online learning have made this issue especially relevant and in need of attention.
  • As New York City schools begin to reopen, the New York Times reports that there are “nearly 12,000 more white children returning to public school buildings than Black students — even though there are many more Black students than white children in the system overall.” Advocates argue that this stark racial disparityshould drive the city’s public school system to strengthen online learning programs.
    • A Nebraska superintendent wrote an op-ed noting that structural racism and inequities were a problem long before the pandemic, but the pandemic has highlighted these inequities. A McKinsey study found students of color could be 6 to 12 months behind in math, while white students will be 4 to 8 months behind.

We’ve continued to see increased technology-enabled monitoring of students during the COVID-19 pandemic, such as wearable technology to track students on college campuses. Students at some colleges are pushing back against some surveillance tools, citing privacy concerns. In particular, online exam proctoring remains a hot topic in education. And because the Biden administration is requiring states to administer standardized tests this year, the proctoring debate may become a bigger issue for schools that remain remote.

  • New America’s Open Technology Institute (OTI) released a report exploring the implications of monitoring students and workers during the pandemic. The report builds on an event that took place in October 2020 that featured remarks from FPF’s Anisha Reddy. OTI gives recommendations for schools and workplaces on mitigating privacy concerns about surveillance technologies.
  • As schools reopen, we’re also seeing an increase in the adoption of temperature-scanning devices. However, researchers have warned that thermal cameras and “temperature tablet” kiosks are ineffective. The Food and Drug Administration announced it was sending warning letters to some companies for “unapproved, uncleared, and unauthorized thermal imaging systems.” The New York Times reported that while many colleges are using these types of temperature scanners, colleges are unable to say whether the measures are effective at curbing the spread of COVID-19 (for more, read our issue brief from last summer on privacy issues related to thermal scans and temperature checks).
  • New America published a report highlighting college student perceptions of institutional data collection and use during the pandemic. The report findingsindicate that students place significant value on transparency, but generally trust their institutions.
    • A Harvard student penned an op-ed in USA Today arguing that students “need answers” as to why they are being increasingly asked to provide sensitive data. The student notes that edtech has many positive benefits, but edtech companies, governments, students, and universities must all be involved in the process of ensuring appropriate oversight and privacy safeguards.
  • A Northwestern University student filed a complaint alleging that the university failed to inform students about the collection and retention of biometric data through online exam proctoring, potentially violating Illinois’s Biometric Information Privacy Act.
  • At Miami University, some faculty opted to restructure their assessments to not require remote proctoring, given privacy and security concerns. However, they acknowledged that in courses such as foreign languages, it can be challenging to adequately assess students without online proctoring. Students in the University Senate passed two bills addressing proctoring: one advocating for faculty training on Proctorio and another advocating for impartial investigations into the use of remote proctoring services at the university.
  • Research from a recent EDUCAUSE article shows that nearly 63% of higher education institutions in the United States and Canada use proctoring software. The authors note that “the higher education community should take extra care” when using proctoring tools, as they can affect pedagogy outcomes.
  • This Vice article alleges that students are cheating on exams even with the use of proctoring software. Vice spoke to 10 students around the world who believed proctoring services were not effective, based on their experience skirting the surveillance measures.
  • In an article for The Chronicle of Higher Education discussing the proliferation of surveillance tools during the pandemic, Chris Gilliard, a professor studying privacy and inequality, noted that “For a long time, we’ve believed the myth that students didn’t care about these issues. Now, it’s impossible to ignore the way they’re pushing back.”
  • Security researchers found critical vulnerabilities in Netop Vision Pro, a student monitoring program popular in K-12 schools. Before Netop was notified of the issues, network traffic was unencrypted. Though still concerning, these issues are limited to network traffic in physical classrooms, rather than students connecting to their virtual classroom through their home internet.

As we flagged in our last newsletter, addressing self-harm and suicide risks among youth is top of mind for school districts and policymakers right now, and many school districts are considering monitoring software (for more, read our 2019 issue brief on student monitoring privacy issues).

  • Through surveys, a new CDC study found that virtual and hybrid learning settings have the potential to present increased risks “related to child and parental mental and emotional health” in comparison to in-person learning, because children have less access to school-based activities and services. The report acknowledges the limitations of the survey—including the fact that the assessment of emotional well-being was based off of parents self-reporting, which is “subject to social desirability, proxy-response, and recall biases.”
  • Grand Forks schools are concerned about not just the learning gaps due to the pandemic, but also the emotional and social growth that happens in a typical school year. One counselor drew comparisons to a 1997 flood that left schools closed, where the anxiety from the flood was felt long after it resolved. Another Grand Forks counselor considers the pandemic an opportunity for “a renewed focus on the importance of fostering relationships” and supporting students.
  • While some experts claim that the COVID-19 pandemic is a primary driver in the rise of youth suicide risks, others note that the data doesn’t quite match the headlines.
  • According to the Center for Collegiate Mental Health, about one-third of students who sought care from their college counseling center during the second half of 2020 said their visit was related to the mental health effects of the pandemic. The Center published five blog posts describing the impact of COVID-19 on college student mental health from multiple perspectives.
  • Common Sense Media published a report finding that even in the midst of steadily rising rates of mental health concerns and depression (since before the pandemic), “digital media has been a lifeline for many of them to access critical health information, stay connected to their peers, find inspiration, and receive comfort in a difficult time.”
  • Policymakers are continuing to consider investing in student monitoring software to help mitigate mental health risks. A Florida representative requested $2 million dollars for a pilot program that would give school districts participating in the pilot access to a subscription to Gaggle, a company that offers software to track and monitor students on school computers to identify potential self-harm or suicidal ideations. However, the budget request includes language that the technology could also be used to help reduce criminal acts and identify “indications of drug abuse,” leaving room for school administrators to extend monitoring well beyond student wellbeing efforts.
  • The Southern Poverty Law Center published a report on the state of Florida’s use of the Baker Act, which allows law enforcement to involuntarily commit Floridians, including children, to psychiatric facilities. The report includes anecdotes highlighting the harms that come from misuse and overbroad application of the law—in one instance, an 11 year old girl was held in a psychiatric facility without the consent of her parents for jokingly texting a friend “I have so much homework, I’m so stressed, I’m going to kill myself.”

As always, FPF has been tracking state student and child privacy bills. Here are some of the most interesting legislative updates from February and March:

  • Utah HB 243 was signed into law on March 16, 2021. The law creates a state data privacy officer and a privacy oversight committee with jurisdiction to review the privacy policies of government organizations, state and local. The law is significant because it could lead to an increased focus on privacy in the state, including a provision that allows the data privacy officer to report on privacy practices of government entities, such as schools.
  • Virginia HB 2307/SB 1392 (CDPA) was signed into law by the governor on March 2, 2021, making Virginia the second state to enact a comprehensive privacy law. FPF’s Jules Polonetsky noted its passage is “a significant milestone in the United States,” and our legislative team took a deep dive into the law and its implications, availablehere. The child privacy provisions of the law are similar to those proposed in the Washington Privacy Act, requiring controllers collecting data from a known child to collect verifiable parental consent prior to processing the child’s data and to perform a data protection assessment. Because the new law exempts government entities and data covered by FERPA, it is unlikely that the CDPA will have a large impact in the education context.
  • Utah passed a bill that would require new online devices sold in the state to automatically enable filters blocking content that is “harmful to minors.” The bill would take effect January 1, 2022 and require every new mobile device and tablet sold in Utah to have these adult content filters turned on. Internet policy experts argue that this proposal would raise significant First Amendment concerns because the state would be “mandating the filtering of lawful content.”
  • Oregon legislators introduced a bill that would ban school districts from using monitoring software “related to a student’s computer usage.” Although well-intentioned, this bill would present conflicts for most schools, as the Children’s Internet Protection Act requires almost all public schools to monitor student’s online activities.
  • Massachusetts HD. 3725 would create a student privacy law in the state that prohibits edtech companies from selling student data, using student data for targeted advertising, and disclosing student data without meeting certain criteria. Massachusetts legislators introduced a version of this bill in the last session, but it’s passage was likely halted due to COVID—there is a high likelihood that it will be enacted this session. The bill would mandate certain contractual requirements, create a state-level enforcer of the bill, who is authorized to issue statewide product bans, and fines. Beyond state-level enforcement, the bill includes a private right of action that would allow schools or students to bring an action to enforce a violation of the law.
  • Maryland HB 1062 would codify some of the recommendations made by the state’s Student Data Privacy Council, with some deviations. In addition to changing the definition of Operator, Covered Information, Targeted Advertising, and extending the term of the Student Data Privacy Council, the bill would require LEAs to report lists of authorized, unauthorized, and teacher adopted tools to the SEA. The proposed changes to the definition of Operator exclude portions of the Council’s recommendations, and would likely cover general audience companies that would not otherwise be subject to most state student privacy laws.
  • A Minnesota representative authored a bill requiring tech companies to inform schools of data breaches, “destroy or return” data once contracts expire, and prevent tech companies from disseminating student data unless authorized. The bill also limits a school’s ability to access student data such as cameras, searches, and locations.
  • In New York, a higher education package includes a bill that would prevent university employees from requesting details on a student’s immigration status.
  • A Florida legislator proposed an amendment that would require parental consent before student’s grades are shared with law enforcement in response to the Pasco County predictive policing program (as a reminder, FPF wrote this detailed analysis on the student privacy implications of Pasco County’s predictive policing program). Advocates continue to shine the light on this program: the Institute for Justice recently filed a lawsuit against Pasco County on behalf of affected families and the Electronic Frontier Foundation recently published a blog condemning the practice.
  • Texas legislators are considering a bill that would require Texas public schools and charter schools to add cybersecurity requirements to their contracts with providers, limit school district retention of distance learning recordings, and prohibit paying ransom in response to a ransomware attack.

Global News

  • On March 24th, the European Commission shared the EU Strategy on the Rights of the Child. The strategy acts as a complement to the proposed Council Recommendation establishing a European Child Guarantee, to promote equal opportunities for children at risk of poverty or social exclusion. Both initiatives highlight the need for equitable access to digital learning environments and the importance of a “digital environment” that is safe for children to navigate and utilize.
  • The Dutch government launched a “Code for Children’s Rights” similar to the U.K.’s Age Appropriate Design Code, setting forth ten principles for design and data protection to guide how developers should protect children online.
  • The Irish Data Protection Commissioner raised concerns over a proposed Facebook initiative that would alert health authorities if users expressed thoughts related to suicide or self-harm; the authority directed the platform to consult public health authorities in Europe before implementing the feature.
  • In January, the French data protection authority published a summary of the submissions it received in response to its public consultation regarding the digital rights of minors. Inside Privacy published a summary of the report in English, noting that in 2021, the authority will be focusing on exploring “(i) consent and age verification mechanisms; (ii) the conditions under which minors can be granted more autonomy online; and (iii) the exercise of digital rights by minors.”
  • India’s Personal Data Protection bill introduces new requirements for parental consent for users under the age of 18; this blog explores how the proposal would “upend internet usage.”
  • In last month’s newsletter, we shared that Italy’s Data Protection Authority (DPA) ordered TikTok to prevent users with unverified ages from accessing the app. On February 3, the DPA announced that TikTok would ban all Italian users until date of birth information is re-entered. Users under the age of 13 will have their accounts removed. TikTok will also work with the Irish Data Protection Commission to consider using AI as an additional level of age verification.
  • The European Consumer Organisation (BEUC) lodged a complaint with the European Commission against TikTok, arguing that TikTok fails to protect childrenfrom hidden advertising and “potentially harmful” content. They also note that TikTok’s age verification process is ineffective and cite a report that many TikTok users are children under 13. Consumer organizations in 15 countries have also urged their national authorities to look into TikTok’s breaches of EU law.
  • As part of a Singapore initiative to have devices in all schools, all devices, including student-supplied devices, must have software installed that will allow teachers to view students’ screens remotely, as well as restrict “objectionable content.” Affected students started an online petition that has over 6,000 signatures.
  • In Israel, the Education Ministry and Health Ministry clashed over access to dataof students and teachers who have received the COVID-19 vaccine. The Education Ministry sought the data in order to analyze and determine whether a school where someone contracted the virus could be opened, but the Health Ministry citedmedical privacy concerns. Ultimately, the Justice Ministry settled the dispute by allowing the Education Ministry to obtain the names of students who have been vaccinated, and only when someone at a school is infected will the Education Ministry contact the principal and share relevant information.

FYI: Quick Hits

  • On February 1, the FCC announced it is seeking comments on several petitions for emergency relief to expand E-Rate funding to cover remote learning during the pandemic. Initial comments are due on February 16, 2021.
  • A school district in Florida is testing out a gun detection system that incorporates artificial intelligence—if a gun is detected, school resource officers, local police officers, and staff are automatically notified and sent a photo of the suspect. ICYMI: read the 2019 Wired-ProPublica report on similar audio-detection systems in schools and the implications for privacy.
  • Also in Florida—federal lawmakers are requesting an investigation into the Pasco County Sheriff’s Office’s predictive policing system which incorporates student data, joining several public interest organizations in criticizing the program. ICYMI: check out FPF’s analysis of the sheriff’s program.
  • On December 22, New York Governor Andrew Cuomo signed into law a moratorium on schools’ use of biometric identifying technology. The law prohibits schools from procuring or using biometric identifying technology until 2022, and requires the Education Department to conduct a study into the technology.
  • Schools across the country are rethinking disciplinary policies as students learn online. Some experts are looking to reform truancy laws, as well. ICYMI, FPF’s Anisha Reddy and Amelia Vance published an op-ed last November outlining concerns around applying in-person disciplinary policies in a virtual classroom. 
  • Researchers are exploring whether smartwatches can help students with autism“be more independent” in schools through periodic reminders and prompts to interact with classmates and educators. However, schools should be aware that equipping students with wearable technology can raise a host of privacy risks, which we explored last year with a blog entitled As Personal as Data Gets: The Privacy Implications of Wearable Technologies in Schools and a brief on Wearable Technologies & COVID-19.
  • Half of the undergraduate students at Tufts University joined a “marriage pact” app, developed by two Stanford students as a class assignment (now at 6 schools in the US), where participants are algorithmically matched with another student whom they would presumably marry after some time. According to the Marriage Pact’s “Data Principles and Practices” (a self-described informal policy) students can rest assured that their “privacy is not for sale” because the tool does not share any information collected with third parties.
  • The Minnesota Department of Education is revising its data collection systems toexpand the gender options available for LEAs to report to include nonbinary options. Throughout 2019 and 2020, the Department held public feedback sessions, which included concerns about student privacy—the public comment period closed on December 13th; and the state plans to move forward with a program by September 2021.
  • University of Texas at Austin’s computer science department is phasing out a machine-learning system to evaluate applicants for its Ph.D. program. Critics of the program expressed concern the algorithm perpetuates inequities and lack of diversity in the field.

Resources

  • ExcelinEd published “Pathways Matter,” a website illustrating the need for “K-12, postsecondary and workforce strategies [to] connect policies, programs and institutions to each other.”
  • Common Sense Media published a policy report entitled “Safe and Secure VR: Policy Issues Impacting Kids’ Use of Immersive Tech.” The report includes privacy-related recommendations for VR developers.

  • A new paper, Virtual Classrooms and Real Harms, discusses the platforms being adopted for remote learning.

  • IAPP published a comparison between the Children’s Online Privacy Protection Act (COPPA) and the U.K.’s Age Appropriate Design Code. The piece not only explains the distinctions between the laws, but explores the philosophical differences in approaches to children’s privacy. The goal of the Code is to put “the best interests of the child first.” The Code went into effect last September and companies have until September 2, 2021 to come into compliance.

  • The Better Business Bureau published a study examining the unique privacy risks teens face online, finding that “apps targeted to teenage users are more likely to engage in ad serving, include more third-party trackers, ask for more permissions, and offer more in-app purchases.”

  • The Digital Futures Commission and 5Rights Foundation published a report entitled “Child Rights Impact Assessment: A tool to realise child rights in the digital environment,” exploring the possibilities and benefits of introducing a children’s best interests analysis within technological innovations.

  • EDUCAUSE Exchange shared a new podcast episode on the different meanings of privacy used by privacy offers, and why this is important.

  • Last July, the Electronic Frontier Foundation launched the Atlas of Surveillance in collaboration with the Reynolds School of Journalism at the University of Nevada in Reno to provide a resource on surveillance technologies deployed by law enforcement across the country. While compiling this data, they found that many college campuses are acquiring surveillance technologies as well. This reporthighlights their findings on surveillance technologies being deployed on college campuses.

  • A resource we missed from last June: the University of Washington Privacy Office released a Privacy Policy Benchmarking Study that identifies privacy policy best practices and trends within higher education.

  • FPF released two infographics on understanding international data flows, one of which provides a simplified visual of data flows related to education technology.

  • ISTE and ExcelinEd offered best practices for states to support educators in implementing tools for online learning. One of the best practices mentions leveraging federal and state funding for professional development opportunities such as data privacy skills training.

  • The Cybersecurity & Infrastructure Security Agency, a government agency focused on improving cybersecurity across all levels of government, produced a fact sheeton Cyber Threats to K-12 Remote Learning Education to help with the rise of ransomware attacks during pandemic .

  • Australia’s eSafety Commissioner shared an infographic based on a survey of teens’ experiences and responses to encountering negativity online.

  • ConnectSafely shared Safer Internet Day lesson plans for elementary, middle, and high school students, including a topic dedicated to cybersecurity best practices for each age group.

Recess

 

Thanks so much for reading! Let us know if you have news or new resources we should include in future newsletters, or if we missed anything.

Related Resources

  • What We're Reading

    FPF’s Student Privacy Newsletter – January 2021

    Feb 3, 2021

    Good afternoon, and welcome to another year of FPF’s Student Privacy Newsletter! Below, we’ve rounded up noteworthy student privacy issues that surfaced in Dec…

    Learn More
  • Blog, Uncategorized

    Student Data Privacy Interview Series: Back to School with Undergraduate Students: Northeast Private Liberal Arts College Senior

    Feb 3, 2021Alexis Shore

    COVID-19 has placed undergraduate institutions in unprecedented circumstances as they attempt to balance health concerns and academic responsibilities, without…

    Learn More
  • Blog, Uncategorized

    Student Data Privacy Interview Series: Back to School with Undergraduate Students: Northeast Private University Sophomore

    Feb 3, 2021Alexis Shore

    COVID-19 has placed undergraduate institutions in unprecedented circumstances as they attempt to balance health concerns and academic responsibilities, without…

    Learn More