FPF has produced a checklist to assist parents and schools in considering the “basics” of security standards on new ed tech products and services they may be considering or using. In on-line security, there is unfortunately no “one size fits all” solution, but with so many products and services available, this checklist is designed to provide some initial key triggers of areas that either meet a basic threshold, or might serve as discussion points for further review with the company involved.
Evaluating security standards on any particular product, site, or service can be challenging, and unlike privacy policies, there’s often no “security policy” in one location to review. People who are not security specialists may have a hard time knowing where to start. This checklist is designed for those who have some familiarity with computers, but are not security or technical specialists, to be able to do some simple tests to see what protections are in place, and help guide their discussion with the company for a more in-depth understanding.
The Seven Steps include:
- Look for an Encrypted Connection
- Ensure That Applications Use TLS Between Email Servers
- Ensure That URLs Do Not Contain Sensitive Information
- Ensure Sensitive Information Is Not Stored in the Cache or Browser History
- Ensure That Passwords Are Protected
- Ensure That the Login and Password Recovery Mechanisms Do Not Reveal Unnecessary Information (e.g. the Existence of an Account)
- Be Watchful for “Information Leakage”
For each step, we’ve provided a step-by-step process to evaluate the topic area, and additional security resources are also identified for those looking for more detailed guidance. As the checklist says, it does not answer all questions for all situations. A company who complied with all these steps might still have security concerns; a company that does not do every step may still have quite sufficient security in place. We hope this checklist – which can be used as a companion to our Student Privacy Compass Quick Security Tips for Ed Tech Vendors – will simply prove to be a useful resource for schools and parents who want to make an initial review of a product or service and it’s security protections.
Cross-posted with the Future of Privacy Forum website.