The Top 10 (& Federal Actions): Student Privacy News (November 2017-February 2018)

The Future of Privacy Forum tracks student privacy news very closely, and shares relevant news stories with our newsletter subscribers.* Approximately every month, we post “The Top 10,” a blog with our top student privacy stories. This blog is cross-posted at www.fpf.org. 

The Top 10: Federal Edition

We had so many major student privacy news stories over the past two months that we decided to split our usual Top 10 into a federal vs other news edition. See the top federal student privacy stories below!

1. President Trump’s budget proposes $3 million in funding for USED’s Privacy Technical Assistance Center (PTAC), “which serves as a valuable resource center to State and local educational agencies, the postsecondary community, and other parties engaged in building and using education data systems on issues related to privacy, security, and confidentiality of student records” (page 49). The budget also proposes to eliminate federal funding for Statewide Longitudinal Data Systems and Regional Educational Laboratories (page 51). The USED budget request documentation also notes that “One of the significant challenges that ED will work to address is that the large number of ED applications & IT systems currently externally hosted at contractor managed sites across the country are fully compliant w/ Federal & ED cybersecurity and privacy policy and guidelines” (h/t Doug Levin).
2. The Department of Education (USED) released the first FERPA complaint findings letter to mention an ed tech company in January. FPF released a blog analyzing the decision, and Jim Siegl posted some very interesting thoughts about the decision at his blog. The two key takeaways:
   • Requiring a parent/eligible student to accept a third party’s Terms of Use when they sign up for a school constitutes a forced waiver of rights under FERPA if those Terms of Use are not compliant with FERPA’s school official requirements.
   • When a school requires that an ed tech service be used as a condition of enrollment, that service must either comply with FERPA’s school official exception requirements or parents must be given the right to opt out of its use.
3. In addition to the Agora letter, USED also released a findings letter that clarifies how video recordings of multiple students should be treated under FERPA (see a write-upof the findings letter from Pullman & Comley).
4. The FTC and USED held a “Student Privacy and Ed Tech” workshop on December 1^stthat examined how the FTC’s “Rule implementing the Children’s Online Privacy Protection Act (COPPA) applies to schools and intersects with the Family Educational Rights and Privacy Act (FERPA),” administered by USED. You can watch a recording of the workshop panels (at the bottom under “Video”), read write-ups via EdWeek and THE Journal, or read the comments filed before the workshop.
5. On January 30^th, the House Education and the Workforce Committee held a hearing, “Protecting Privacy, Promoting Policy: Evidence-Based Policymaking and the Future of Education” (watch the recording or read the EdWeek summary). The hearing was very similar to previous hearings in both 2016 and 2017 about protecting student privacy while allowing for ed research. It “remains up for debate whether increased protections for student data should come from updating the law, bolstering parental consent, improving technology or shaking up education policy research,” via Politico. Meanwhile, EdWeek reports that “The Tricky Dance of Researchers and Educators Gets Even More Complex,” in part due to privacy concerns.
6. After the cyber threats made to schools last fall, the “FBI is asking school districts to make cyber security a priority” and the FBI and USED issued a “warning about cyber-extortion schemes focused on public schools.” This notice shared that the DarkOverlord hackers were responsible for “‘at least 69 intrusions into schools and other businesses, the attempted sale of over 100 million records containing personally identifiable information (PII), and the release of over 200,000 records including the PII of over 7,000 students due to nonpayment of ransoms.’” Meanwhile, “Cyberattacks Increasingly Target Student Data” (GovTech) and EdWeek reports that “Schools Struggle to Keep Pace With Hackings, Other Cyber Threats.” IT leaders are “likely underestimating the dangers they face;” only 15% of school technology leaders say “they have implemented a cybersecurity plan in their own district” according to a recent CoSN survey. FPF published an op-ed in The Hill with Bill Fitzgerald of Common Sense Media noting that “Securing student data is a challenge that requires sufficient funding,” not more legislation.
7. The USED Inspector General is currently reviewing “whether Office of the Chief Privacy Officer effectively oversees and enforces compliance with selected provisions of [FERPA] and [PPRA]” (page 12).
8. The “Student Right to Know Before You Go Act” was introduced in the Senate. The bill “makes data available to prospective college students about schools’ graduation rates, debt levels, how much graduates can expect to earn and other critical education and workforce-related measures of success,” while protecting privacy by “requiring the use of privacy-enhancing technologies that encrypt and protect the data that are used to produce this consumer information for students and families” – namely secure multi-party computation. The ACLU seems to support the bill.
9. The legislation to reauthorize the Higher Education Act, known as the PROSPER Act, has been introduced. It maintains the ban on a federal student unit record, but does allow for a feasibility study to investigate whether to expand the National Student Clearinghouse to set up a third-party data system to analyze student outcomes (via Inside Higher Ed). PoliticoPro reports: “Push for better student data runs into privacy worries in higher education bill.”
10. “The Education Department isn’t doing enough to protect student data collected as part of financial aid programs, according to an audit from the Government Accountability Office,” via Politico.

The Top 10

1. Former tech company employees are “forming a coalition to fight what they built.” Among other actions (including a livestreamed event on February 7th), Common Sense Media and the coalition plan “an anti-tech addiction lobbying effort and an ad campaign at [the] 55,000 public schools in the United States [that currently use the CSM Digital Citizenship Curriculum]… It will be aimed at educating students, parents and teachers about the dangers of technology, including the depression that can come from heavy use of social media” (via NYTimes). The focus on children in schools is because they “had little agency over whether they opted into or out of a technology platform because of pressure from both peers and educators handing out assignments.” In the meantime, there were several articles over the past two months on technology and children: The Wall Street Journal reported on “New guidance on children and technology makes the distinction between passive exposure and active play and learning with screens;” The Atlantic asked “Should Children Form Emotional Bonds With Robots?”; and a couple Apple investors “called on the tech giant to take more steps to curb the ill effects of smartphones.” Axios reports that “The internet was created by adults for adults, but it has seen a sharp uptick in kid users over the past 10 years… Silicon Valley has bet its future on younger users, but has come under fire recently for building products that critics say aren’t safe for children.”
2. Awesome new resource: the Utah State Board of Education has released a video that can be used to train administrators and educators on FERPA exceptions.
3. Jim Siegl wrote a great blog about “Privacy Differences between Consumer Gmail and G Suite for Education,” and just released a creative commons document that districts can use to inform their community about the district’s G Suite for Education choices and provide information on the difference between Google’s consumer products and G Suite. In related news, some new features for G Suite for Education will “come with a fee.”
4. Amazon Web Services released a whitepaper on “FERPA Compliance on AWS.”
5. More news on privacy and personalized learning: EdWeek reports that “States [are taking] Steps to Fuel Personalized Learning,” and PoliticoPro notes that “A dozen states try out ‘personalized learning,’ but questions persist.” Inside Philanthropy asks “Is Personalized Learning the Next Big Thing in K-12 Philanthropy?” and Getting Smart discusses how “Chan Zuckerberg Backs Personalized Learning R&D Agenda” (read the blog on their approach to personalized learning). In the meantime, we have continued to see pushback against personalized learning over the past two months: Diane Ravitch, in an op-ed about “increasing misuse of technology in schools,” writes that “‘Personalized learning,’ …[is a] euphemism for computer adaptive instruction…parents want their children taught by a human being, not a computer.” The 74 shares “5 Ways to Talk (and Think) About Personalized Learning,” EdWeek reports that “Two Districts Roll Back Summit Personalized Learning Platform,” and A Long View on Education discusses “The Propaganda behind Personalised Learning,” But The Atlantic reports on “The Futile Resistance Against Classroom Tech,” noting that ed tech “is here to stay. It’s up to teachers, then, to build networks of learning, solidarity, mutual respect, and even trust.”
6. Doug Levin has published the full results of his look at the security and privacy of state and (some) district public-facing websites. The primary reported finding is that “State and District Education Websites Fail to Disclose Ad Trackers” (see Doug’s Twitter thread of findings here and coverage from EdSurge). Another security researcher reported their findings that “Website operators are in the dark about privacy violations by third-party scripts,” including at least one ed tech provider described in the article.
7. Common Sense Media announced that it will be releasing simpler “ratings” for ed tech apps on privacy in early 2018, based on large part on its previous evaluations. They explain more details about the new “roll-up score” apps will receive here. In the meantime, they released a blog on how “it’s often necessary to look in multiple places to find” privacy policies in order to evaluate software.”
8. A very interesting lawsuit: an autistic, nonverbal student wants “his school to let him wear a device that records his day, but the district says that would violate the privacy of other students.” In related news, a Virginia mom was “charged for putting recording device in daughter’s backpack to catch bullies.”
9. Virginia has introduced a few bills after a progressive political group “filed FOIA requests [last fall] seeking the publicly available student directories to get student cell phone numbers at every one of Virginia’s 39 public colleges.” The first bill would simply “remove student cell phone numbers and email addresses from publicly available directories,” but was “scrapped” by the House committee (however, its counterpart in the Senate did pass). The second bill, which has passed the House, is much broader, and could cause unintended consequences in schools: it would change how FERPA’s directory information exception currently works to require an opt-in from students for sharing of their directory information instead of an opt-out (this article provides a good overview of the issue and bills). Virginia Lawyers Weekly advocates for a “scalpel” (the first bill) instead of a “sledgehammer” (the second bill).
10. Audrey Watters, the “Cassandra of Ed Tech,” has published her end-of-year top ed-tech trends articles. I highly recommend reading them; while you might not agree with her perspective, her trend articles provide a fantastic overview of the major student privacy and ed tech stories from 2017. The most relevant to student privacy: “The Weaponization of Education Data,” “Robots Are Coming For Your Children,” and “Education Technology and the New Behaviorism.”

Image: “School days” by Rachel  is licensed under CC BY-NC-SA 2.0.