FPF’s Student Privacy Newsletter – June 2020

Good afternoon, and welcome to the June edition of the Student Privacy Newsletter.

First and foremost, Future of Privacy Forum stands with our Black colleagues, partners, friends, and stakeholders against all acts of racism, injustice, and senseless violence. Here are a few resources related to student privacy and privacy generally that we would like to elevate:

• Student Surveillance, Racial Inequalities, and Implicit Racial Bias, Jason Nance, Emory Law Journal
• Cops and No Counselors: How the Lack of School Mental Health Staff Is Harming Students, ACLU
• 10 Principles for School Safety, Privacy, and Equity
• “Color-blindness” is a bad approach to solving bias in algorithms, Jessie Daniels, Quartz
• Toolkit for Centering Racial Equity Throughout Data Integration, Actionable Intelligence for Social Policy
• How Automated Tools Discriminate Against Black Language, Anna Woorim Chung, MIT civic media
• The Perpetual Line-Up: Unregulated Police Face Recognition in America, Georgetown Law Center on Privacy & Technology
• Race After Technology: Abolitionist Tools for the New Jim Code by Ruha Benjamin
• Algorithms of Oppression: How Search Engines Reinforce Racism by Safiya Umoja Noble
• Automating Inequality: How High-Tech Tools Profile, Police, and Punish the Poor by Virginia Eubanks
• Dark Matters: On the Surveillance of Blackness by Simone Browne

It’s been a busy time for our team as the COVID-19 pandemic continues to spark concerns about education and student privacy. To help support teachers as they navigate this “new normal,” we just released a series of student privacy professional development trainings for educators in response to the unique student privacy challenges raised by the pandemic. We’ll continue to post new and revised trainings throughout the summer – let us know what you want to see, and please share them with your colleagues and on social media.

In honor of the two year anniversary of GDPR in May, FPF published, The General Data Protection Regulation: Analysis and Guidance for US Higher Education Institutions from FPF’s EU data protection and privacy expert, Dr. Gabriela Zanfir-Fortuna. Last but not least, we’ve rebranded FERPA | Sherpa as Student Privacy Compass to better reflect the full scope of our work. Take a moment to check out the new site at www.studentprivacycompass.org.

Now that the spring semester has ended, schools are beginning to prepare, to the extent possible, for the possibility of continued remote learning in the fall semester. However, we’ve seen very few articles that dig into the privacy implications of two reopening issues that are keeping us up at night:

• Schools may require students and educators to disclose health information to try to detect new cases and preemptively protect those at higher risk from the virus as much as possible. Many higher ed and K-12 school reopening plans hinge on additional data collection, such as requiring students and staff to report health status symptoms daily. Schools will need to be prepared with information about how the data will be collected, used, shared, and protected, and how they have planned to mitigate potential explicit and implicit discrimination. They will also need strict policies limiting data use and redisclosure so students and parents are reassured that health information won’t become part of a “permanent record” or used to disadvantage them or their child now or in the future. 
• Schools may adopt new technologies such as temperature checks or thermal scanning to find fevers; using location tracking or wearable devices to detect when students are too close to each other or for contact tracing; and no-touch technology to minimize virus transmission. Many of the discussed technologies are in early testing stages and, in addition to raising privacy risks, may not be effective. As seen with school safety over the past two years, schools may adopt technologies that they think can save lives – with the best of intentions – without carefully researching efficacy or putting sufficient privacy and security controls or policies in place. It is essential that any technologies adopted by schools be evidence-based and have associated policies that can mitigate privacy, security, and equity risks. 

FPF will be releasing information and guidance on these two issues over the summer. Please reach out if you have any questions or resources we can share! 

Top News

As discussed in our last newsletter–this spring’s initiatives were borne from an emergency. Schools are now preparing for what the fall will look like, which will inevitably include robust online learning contingency plans. According to a recent study, 19% of students in the country lack internet connectivity and 21% do not own a computer. This could result in online learning leaving behind an estimated 11 million students–not to mention aggregate the annual “summer slide” learning loss problem.

• Our very own Jules Polonetsky wrote an op-ed for The 74, highlighting how parents and schools can embrace new online learning technologies while also ensuring adequate student privacy protections.
• Author Leah Plunkett recently made the case for increasing student and children privacy protections in light of our increased reliance on the internet.
• A recent study found that only 20% of schools were able to offer “rigorous” remote instruction this spring.
  • Because of the difficulties schools face in effectively reaching every student, some schools opted to end the school year early, finding that online learning isn’t “worth the struggle.”
  • The Wall Street Journal reports that efforts to transition online this spring were ineffective on multiple fronts: teachers weren’t trained to transition online; students without internet or devices were unreachable; parents weren’t equipped to become teachers; and administrators weren’t equipped to address the ensuing issues.
• The question of tracking student progress during the pandemic remains open–how can universities monitor student progress while students learn in virtual environments? SearchEnterpriseAI breaks down the tools institutions are relying on, and Ben Williamson examines the long-term impact AI will have on higher education in this thorough and insightful essay.

As the 2019-2020 academic year winds down we saw several news stories focused on the privacy and security:

• As fears of spreading coronavirus through physical contact became prevalent, the University of Southern California deactivated residential hall fingerprint scanners in favor of facial recognition technology to minimize physical contact. Though the system is opt-in, when campus was in session during COVID-19, students “were required to use the facial recognition technology for entry to their dorms unless they received a medical exemption.”
• In May, Senators Markey (D-MA), Blumenthal (D-CT), Durbin (D-IL), Hawley (R-MO), Cassidy (R-LA), and Blackburn (R-TN) sent a letter to the FTC urging the Commission to exercise its Section 6(b) authority and investigate how data is collected from children. The letter focuses on edtech due to the COVID-related increase in adoption of online learning tools, as well as platforms that collect information from children generally. The Better Business Bureau’s Children’s Advertising Review Unit wrote a letter in support.
• New York’s Attorney General announced an agreement between the AG’s office and Zoom regarding student data privacy and security. Colorado’s State Board is considering pursuing an agreement modeled after the New York one, and parents in Maryland are pushing the AG to consider investigating school contracts with Zoom.
• Routine practices in schools to guard against cyberbullying and access to inappropriate content on school devices are now under increased scrutiny: network monitoring while students learn entirely from home presents new ethical challenges for schools, with little federal guidance.

Remote proctoring tool usage has surged during the pandemic, raising privacy concerns around the world:

• Students at Rutgers find that using the proctoring tool Proctortrack only serves to make student’s “lives worse”—the tool makes students paranoid, is privacy-invasive, and flags innocuous activities as suspicious.
• After ProctorU received pushback when they sent a cease and desist letter in response to higher ed faculty raising privacy concerns about their product, the company published a “Student Bill of Rights for Remote and Digital Work.”
• The University of Amsterdam’s student government filed a lawsuit against the school’s board of directors regarding the mandatory use of remote proctoring tool Proctorio, in violation of their privacy; the court ruled that the university sufficiently demonstrated a lawful basis to continue using online proctoring.

Even though schools are largely no longer meeting in-person, school safety continues to be a topic of discussion.

• In response to the public outcry over the murder of George Floyd by police officers, several school systems are taking a hard look at police presence in their schools and considering alternatives. 
  • The Minneapolis school board unanimously voted to terminate school contracts with the police department and districts across the country are considering doing the same.  Education Week has a roundup in an article called “Do Cops Belong in Schools?”
• The New York State Education Department announced that it will no longer fund facial recognition projects under the same funding stream that was previously used to approve the Lockport facial recognition initiative.
• Boston is considering regulating how school officials may permissibly share information with the city’s law enforcement–the current proposal develops a community board to ensure that schools implement the measure and change policies. Officials are also considering a proposal that would prohibit facial recognition use by the city government, which would ban schools from using the technology.

FYI: Quick Hits

• Colleges across the country have partially opened their campuses to student athletes eager to resume training–in turn, opening their doors to the virus. Administrators are grappling with how to permissibly share information about athletes who do test positive, based on student privacy and health privacy laws.
• The Hechinger Report finds that some companies are claiming product effectiveness based on self-conducted or “shoddy” research, a problem “exacerbated by the coronavirus” since teachers will rely on these claims as they rapidly adopt tools to help teach students now that schools are closed.
• On June 8, the New York Board of Regents announced the state would be pushing back the publication deadline for district Data Security and Privacy Policies to October 1st.
• New York’s Chief Privacy Officer issued a determination in the complaint against Success Academy brought under the state’s student privacy law–finding the school violated the law by disclosing student information without consent. For more context, see Pogo Was Right’s breakdown of the suit and determination.
• The Ohio Supreme Court heard arguments regarding the disclosure of the Oregon District Shooter’s education records to media outlets, requested under public records requests.
• Russian schools will now be equipped with the aptly named “Orwell” facial recognition platform–however, images of parents and students won’t be added to the system without consent and all data will be stored locally, within the school.
• The FTC entered into a settlement with Miniclip, a website that claimed to be a member of CARU’s COPPA Safe Harbor Program long after CARU terminated its membership in 2015. Notably, in his concurrence, Commissioner Chopra advocated for the FTC to use its rulemaking authority to establish a more transparent safe harbor oversight mechanism than case-by-case adjudication.
• New Mexico’s district court dismissed most of the claims the Attorney General brought against a group of ad networks and Google, finding that there was not enough information indicating the ad networks had “actual knowledge” they were collecting children’s data as required by COPPA. However, some of the COPPA and state-level claims against Google survived and will continue to play out in the court.
• North Carolina’s supreme court ruled that, under the state’s Public Records Act, UNC-Chapel Hill must release student disciplinary records if the students violated the school’s sexual assault policy.

Resources

• FPF published two blog posts centered around both the teacher and student experience: “Teachers’ Data Privacy While Teaching Online” and “Grad School From Home: The Consequences for Privacy and Learning.”
• North Dakota’s State Board of Higher Education passed a new policy, originally created by the North Dakota Student Association, to protect the privacy of student data.
• The Accessible Campus Action Alliance published a highly useful resource, Beyond “High Risk”: Statement on Disability and Campus Re-openings.
• USED’s Student Privacy Policy Office’s previous Acting Director published a letter to chief state school officers and district superintendents reminding them that they may review and adjust FERPA notices and policies during COVID-19.
• CITE Edu developed two model resources for school districts: Staff Guidelines for Online Learning and Parent Notice and Guidelines for Online Instruction.
• Data Quality Campaign published an update to its 2020 Education Data legislation tracker.
• EdSource created a quick guide for protecting student’s privacy online, with crowdsourced tips from privacy experts.
• The University of Wisconsin-Madison published a provisional online recording policy, drafted to address concerns arising from COVID-19 online learning.
• EducationDive published cybersecurity tips to help educators ensure student information is safe while classes are remote.
• ISTE’s Learning Keeps Going Coalition published strategy guidance for school districts to help ensure equity considerations are factored into reopening plans.

Recess

KSDK News St.Louis: Clever student nearly gets out of class, only to be busted by bad spelling:

Thanks so much for reading! Let us know if you have news or new resources we should include in future newsletters, or if we missed anything.