FPF’s Student Privacy Newsletter – January 2021

FPF’s Student Privacy Newsletter – January 2021
Good afternoon, and welcome to another year of FPF’s Student Privacy Newsletter! Below, we’ve rounded up noteworthy student privacy issues that surfaced in December and January. We saw a renewed focus on student mental health, continued attention to student privacy and equity during the pandemic, and several international child privacy developments.

Quick reminder: If you haven’t already, don’t forget to sign up for FPF’s free 10-month Student Privacy “Train-the-Trainer” Program that will help you become a student privacy expert and engage with other student privacy experts from across the country! This year we are offering two programs, one for K-12 (particularly professors at colleges of teacher education) and one for Higher Education. To learn more or nominate someone to join the program, please email Jim Siegl ([email protected]).

Before we get to the news, here are a few recent releases from FPF:

Last but not least, we’re excited to release FPF’s Youth and Education Privacy team’s 2020 Year in Review report, highlighting the Youth & Education team’s work over the past year! Thanks to all of you for sharing our resources and partnering with us – we look forward to collaborating with all of you even more in the year ahead!

On to the news…

 

Top News

For schools that have reopened, many are still unsure about how they can permissibly share student health data with other state agencies under current privacy laws.

  • As a result of the state’s stringent student privacy law, students and families in Louisiana who received free or reduced lunch were precluded from receiving pandemic EBT benefits until an emergency bill was passed. Data Quality Campaign’s Paige Kowalski wrote on the lessons learned from Louisiana and the importance of building data governance into student privacy legislation.
  • A Louisiana school board also sent a request to the state’s Attorney General for clarification about sharing student data with the Department of Health. ICYMI, the U.S. Department of Education published guidance and a blog on FERPA’s requirements for sharing health data, and FPF and AASA published FAQs for School Administrators last March to provide additional plain language and guidance. We also highly recommend this 2019 letter on disclosing student immunization status from USED.

However, reporting and understanding health data isn’t all schools are worried about:

  • As schools continue with remote learning, many educators are considering whetheror not they will require students to have their cameras on, citing privacy concerns. Students are weighing in on the conversation because privacy concerns are also making their education environments more stressful than ever, and some students rely on the ability to learn with their cameras off to support their families.
  • The 74million covered firsthand experiences from students juggling family responsibilities, including taking on the role of being a primary earner and caregiver for siblings, while also learning remotely. One student “works 40 hours a week at a Macy’s distribution center in Tulsa, Oklahoma” while still attending school full time. “They log on to Zoom with their microphones and cameras off and catch up with assignments during lunch breaks.” For more about student privacy and video mandates, check out FPF and the NEA’s privacy and equity considerations for video mandates.   

Concerns about surveillance technology to facilitate the physical return to school remain a top priority for education stakeholders, especially as schools continue to turn to increased data collection through technology like wearables and artificial intelligence. Similar concerns around surveillance technology are top of mind as students learn remotely. Many privacy advocates argue that increased surveillance is not an answer to the pedagogical concerns schools seek to address and could in fact introduce or exacerbate privacy and trust issues.

  • On December 3, a group of senators called on proctoring companies to respondto a range of questions on data protection, equity, and accessibility practices. The Electronic Privacy Information Center (EPIC) published the responses received from ProctorU, ExamSoft, and Proctorio.
  • On December 9, the EPIC filed a complaint to the D.C. Attorney General, alleging that several proctoring companies violated D.C.’s Consumer Protection Procedures Act for “excessive collection” of student information.
  • Consumer Reports conducted a deep dive into the security practices of online proctoring tools.
  • Students continue to push against proctoring and plagiarism detection software.
    • The University of Illinois Urbana-Champaign will discontinue use of a proctoring software after significant student backlash—over 1,000 students signed a petition against the service, citing student privacy and accessibility concerns.
    • Students and faculty joined together to testify before the City University of New York Board of Trustees against the use of plagiarism detection software because of privacy concerns, particularly for marginalized and undocumented students. 
  • A teacher shared their perspective on how and why they monitor their students, finding that classroom monitoring software is a useful tool “that makes a positive difference in the education of [their] special needs students.”
  • And some schools worry about what happens when they don’t monitor students to some extent: a New Jersey school recently entered into a settlement with the family of a former student who was able to communicate with an internet predator over a school-issued device; the family claimed the district failed to institute effective controls to limit the student’s access to inappropriate websites and actors.

Relatedly, the New York Times reports that schools in Las Vegas were pushed to reopenafter an increase in student self-harm, and school districts in the city are investing in student monitoring software to better understand suicide risks and later increased their monitoring program to 24-hours.

  • The Washington Post reports that teachers find it difficult to know when students need help and can’t assess their students’ mental wellbeing. A New Hampshire school district is piloting a monitoring system that incorporates “artificial intelligence to monitor student web activity on school computers and alerts administrators if a student visits a website or uses a search term that indicates they may be at risk for self-harm or suicide.” ICYMI, FPF outlined the privacy costs of schools employing network and social media monitoring in 2019. 
  • Privacy advocates caution against overreliance on monitoring technology to address these harms. Even before the pandemic, the Guardian reported that with such technology, “privacy experts – and students – said they are concerned that surveillance at school might actually be undermining students’ wellbeing.” ICYMI, FPF hosted a 2019 SXSW EDU panel discussing how school safety plans can still incorporate student privacy.
  • Concerns about student wellness are also on the President’s radar, and may result in guidance on the issue. On his second day in office, President Joe Biden signedan Executive Order aimed at supporting schools through the pandemic. The EO directs the Secretary of Education to develop evidence-based guidance for reopening schools; provide advice to schools as they continue hybrid and remote learning with a focus on promoting “mental health, social-emotional well-being, and communication with parents and families”; and provide technical assistanceto schools during the pandemic.
  • In Canada, some institutions are providing students with online counseling services—however, advocates question whether there is sufficient evidence-basis, privacy protections, or benefit coming from these programs.
  • Researchers at the University of South Australia are studying the use of augmented reality (AR) to deliver cognitive behavioral therapy to teens. According to the lead researcher, interactive technologies like AR appeal more to teens and may make them more comfortable than seeking professional help. A recent FPF blog post outlines some privacy concerns related to AR.

International privacy regulators and organizations are taking strong stances and weighing in on children’s privacy.

  • On December 18, Ireland’s Data Protection Commission published its draft “Fundamentals for a Child-Oriented Approach to Data Processing” which sets forth data protection recommendations and principles with regard to children. open for public consultation until March 31, 2020, and learn more about the fundamentals here.
  • On January 27, Italy’s Data Protection Authority accelerated it’s inquiry into children on social media, after its January 22 order requiring TikTok to prevent users with unverified ages from accessing the app and prohibiting users under the age of 13 from registering. This comes after a 10-year-old user fatally participated in a popular challenge she saw on the app—the Authority points topoor attention to the protection of minors” and “default settings falling short of privacy requirements” as reasons for the order, which will be enforced until February 15, 2021. The DPA is now investigating Facebook and Instagram as well, after finding that the same child user had accounts on both platforms.
  • UNICEF’s Office of Global Insight and Policy published a summary of the comments received regarding its public consultation on child-centered AI policies and systems, noting that respondents supported “short courses for parents, children and teachers over the mechanism of data and the meaning of consent, privacy, etc.” Learn about FPF’s submission here
  • The Global Privacy Assembly’s Digital Education Working Group, composed of members from 74 Data Protection Authorities, adopted a joint contribution to the UN Committee on the Rights of the Child on its draft General Comment (GC) No. 25 (202x) on the rights of the child in relation to the digital environment. The contribution highlights the need to protect children from profiling, automated decision making, and commercial exploitation of their data, and to educate children on privacy and data protection.

Security issues have plagued schools at all levels during the pandemic. Just before Baltimore County Schools experienced a ransomware attack that shut down the school system in December, the state of Maryland conducted security audits that found school districts throughout the state are facing security challenges.

  • On December 10, the FBI, CISA, and MS-ISAC published a joint report on theincrease in cyberattacks at K-12 schools that includes best practices and mitigation strategies.
  • On December 2, the House Homeland Security & Governmental Affairs Committee held a hearing on cybersecurity in reaction to spikes in cyber threats across sectors. The Committee heard testimony from the Superintendent from Hartford Public Schools, which experienced a cyberattack that postponed virtual schooling last fall, inciting congressional interest in addressing the issue for the education sector.
  • Cyberattacks aren’t only happening in U.S. schools—in early January, a 4th grade virtual classroom in Canada was hacked multiple times, with the attackers sharing pornographic content during classroom time.

FYI: Quick Hits

  • On February 1, the FCC announced it is seeking comments on several petitions for emergency relief to expand E-Rate funding to cover remote learning during the pandemic. Initial comments are due on February 16, 2021.
  • A school district in Florida is testing out a gun detection system that incorporates artificial intelligence—if a gun is detected, school resource officers, local police officers, and staff are automatically notified and sent a photo of the suspect. ICYMI: read the 2019 Wired-ProPublica report on similar audio-detection systems in schools and the implications for privacy.
  • Also in Florida—federal lawmakers are requesting an investigation into the Pasco County Sheriff’s Office’s predictive policing system which incorporates student data, joining several public interest organizations in criticizing the program. ICYMI: check out FPF’s analysis of the sheriff’s program.
  • On December 22, New York Governor Andrew Cuomo signed into law a moratorium on schools’ use of biometric identifying technology. The law prohibits schools from procuring or using biometric identifying technology until 2022, and requires the Education Department to conduct a study into the technology.
  • Schools across the country are rethinking disciplinary policies as students learn online. Some experts are looking to reform truancy laws, as well. ICYMI, FPF’s Anisha Reddy and Amelia Vance published an op-ed last November outlining concerns around applying in-person disciplinary policies in a virtual classroom. 
  • Researchers are exploring whether smartwatches can help students with autism“be more independent” in schools through periodic reminders and prompts to interact with classmates and educators. However, schools should be aware that equipping students with wearable technology can raise a host of privacy risks, which we explored last year with a blog entitled As Personal as Data Gets: The Privacy Implications of Wearable Technologies in Schools and a brief on Wearable Technologies & COVID-19.
  • Half of the undergraduate students at Tufts University joined a “marriage pact” app, developed by two Stanford students as a class assignment (now at 6 schools in the US), where participants are algorithmically matched with another student whom they would presumably marry after some time. According to the Marriage Pact’s “Data Principles and Practices” (a self-described informal policy) students can rest assured that their “privacy is not for sale” because the tool does not share any information collected with third parties.
  • The Minnesota Department of Education is revising its data collection systems toexpand the gender options available for LEAs to report to include nonbinary options. Throughout 2019 and 2020, the Department held public feedback sessions, which included concerns about student privacy—the public comment period closed on December 13th; and the state plans to move forward with a program by September 2021.
  • University of Texas at Austin’s computer science department is phasing out a machine-learning system to evaluate applicants for its Ph.D. program. Critics of the program expressed concern the algorithm perpetuates inequities and lack of diversity in the field.

Recess

 

Thanks so much for reading! Let us know if you have news or new resources we should include in future newsletters, or if we missed anything.

Related Resources

  • Blog, Uncategorized

    Student Data Privacy Interview Series: Back to School with Undergraduate Students: Northeast Private Liberal Arts College Senior

    Feb 3, 2021Alexis Shore

    COVID-19 has placed undergraduate institutions in unprecedented circumstances as they attempt to balance health concerns and academic responsibilities, without…

    Learn More
  • Blog, Uncategorized

    Student Data Privacy Interview Series: Back to School with Undergraduate Students: Northeast Private University Sophomore

    Feb 3, 2021Alexis Shore

    COVID-19 has placed undergraduate institutions in unprecedented circumstances as they attempt to balance health concerns and academic responsibilities, without…

    Learn More
  • Uncategorized

    FPF Student Privacy Train-the-Trainer Program for Higher Education

    Jan 25, 2021

    FPF Student Privacy Train-the-Trainer Program for Higher EducationWhether you are new to the student privacy world or an experienced practitioner, the one-year…

    Learn More