The Top 10: Student Privacy News (October-November 2017)

The Future of Privacy Forum tracks student privacy news very closely, and shares relevant news stories with our newsletter subscribers.* Approximately every month, we post “The Top 10,” a blog with our top student privacy stories. This blog is cross-posted at www.fpf.org. 

Over the past month and a half, student privacy issues have proliferated in the news. Among other big events coming up, the comments on the FTC/USED workshop on COPPA in schools are due this Friday (the workshop is December 1^st), and FPF is holding a free student privacy bootcamp for ed tech companies (register here) in DC on December 8^th.

The Top 10

1. As reported in my last newsletter, four districts (and possibly two universities) were targeted in September and October by hackers who threatened to harm students and disclose their sensitive information. After the S. Department of Education warned districts about the potential security threat, the story hit CNN, Wall Street Journal, NPR, Mother Jones, NBC News, CNBC, and the Washington Post, among many other outlets. It is worth rereading EdWeek’s report on ransomware in schools from earlier this year and this blog from PogoWasRight on the possible consequences of this breach. Policymakers at the state and federal level are planning to act – and hopefully they will provide the money and resources necessary to help districts build up their security and train educators on how to avoid cyber threats and protect privacy. However, it is noteworthy that many of the hackers’ actions are already against the law. My worry? Copycat hackers.
2. GDPR kicks in on May 25^th, 2018, and S. schools have begun to focus on how it applies to them. Every higher ed institution – and some K-12 institutions – as well as most ed tech companies with users in the EU will be impacted. (see my Storify of live-tweets from the panel). Novatia has some recent potentially useful articles on GDPR and schools as well.
3. Personalized Learning – and the data that drives it – continues to inspire articles that discuss its effectiveness and potential impacts on privacy. The latest is Ben Herold’s article on “The Case(s) Against Personalized Learning,” part of an EdWeek special report on “Personalized Learning: Vision vs. Reality.” This month, we also saw the Rand Corporation’s newest research study on personalized learning and Ben Williamson noted that “It is important for education research to engage with how some of its central concerns—learning, training, experience, behaviour, curriculum selection, teaching, instruction and pedagogy—are being reworked and applied within the tech sector.”
4. A progressive political group “filed FOIA requests seeking the publicly available student directories to get student cell phone numbers [available through FERPA’s directory information exception] at every one of Virginia’s 39 public colleges. Of those, 18 schools, including Tech and Radford, complied.” This will lead to legislation banning directory information disclosures for this purpose next spring. In related news, a great blog on how “Cell Phone Numbers are the New SSNs.”
5. Over 800 “School websites [were] hacked to show pro-Islamic State message” (more info in this Fox News article) due to a vulnerability in the company that maintains the websites. In response, Rep. Donald Payne Jr said he is “working on federal legislation to address cybersecurity threats to schools.” In related news, student security expert Doug Levin is halfway through a blog series about state education agency and district websites. So far, he’s covered whether they have secure browsing and ad tracking.
6. EdWeek reported on the education implications behind a New York City Council bill that would require that “all city agencies publish the source code behind algorithms they use to target services to city residents.” ProPublica also released a report after “A federal judge this week unsealed the source code for a software program developed by New York City’s crime lab, exposing to public scrutiny a disputed technique for analyzing complex DNA evidence,” which could have implications for schools.
7. Policymakers, pundits, and the public continue to express more skepticism about tech companies than ever before, and ed tech companies are not exception. The New York Times continued its series about how ed tech is changing education with “How Silicon Valley Plans to Conquer the Classroom,” which has already resulted in a Maryland “Legislator Target[ing] Tech Perks in Baltimore County District” and a Baltimore Sun investigation finding that “Baltimore County school leaders…were paid by tech industry group” without disclosing the payments. Mother Jones also published “Inside Silicon Valley’s Big-Money Push to Remake American Education;” “Silicon Valley Tried to Reinvent Schools. Now It’s Rebooting,” via BloombergTechnology; and EdSurge reported on AltSchool’s shutting down two of their campuses, asking “Where Does Silicon Valley’s Philanthropy End and Profits Begin?”
8. Student Privacy went viral this month! Read about the saga of Taiwan Jones in Buzzfeed. Even though this was all probably fake, it raised questions for educators as to whether grading in public violates FERPA. The answer: it depends. It would likely be a FERPA violation if the person sitting next to the teacher can see the name and grade of the student (someone suggests this is another reason to use ID numbers instead of names on homework assignments), but FERPA could also be read to mean that it doesn’t violate FERPA because the grade hasn’t been entered into the gradebook.
9. The House Committee on Government Oversight and Reform passed H.R. 4174, which implements recommendations from the Evidence-Based Policymaking Commission (see their report that was backed by EPIC and my write-up of its impact on education here). Some groups are opposing the bill on privacy grounds.
10. The annual Global Privacy Enforcement Network Privacy Sweep found that some educational apps “fall short on privacy,” via Business Insider. Part of the problem? “[W]ebsite privacy notices are too vague and generally inadequate.”

Image: “image_106” by Brad Flickinger  is licensed under CC BY 2.0.