New and emerging threats to student & teacher data privacy

On May 6, the NY Post revealed that about two million students in NY State alone may have had their privacy violated by the massive Illuminate data breach; students in CT and CO were also affected.

This is an update from reporting in  The Journal, based on FOILed records from NYSED that found at least one million students affected, across  24 school districts and 18 charter schools in New York, plus one Board of Cooperative Educational Service .

The NY State Education Dept. and the NYC DOE need to do a far better job protected personal student data and complying with the NY State Student privacy law 2D, which was passed in 2014, and to minimize the sharing of student data, ensuring strict security standards including encryption, and requiring that vendors delete it as soon as possible and at the very least when students graduate, none of which happened here.

Illuminate has reported that the hackers accessed a ” database storing some information in unencrypted format “, according to  the The Record news site, and that the data may have included student and parent names, email addresses, grades, attendance, birth dates, ID numbers, genders, race and ethnicity, languages spoken at home, Title I and disability status and more.  Data from the records of students in Colorado and Connecticut may also have breached.

Last weekend, Leonie Haimson, co-chair of the Parent Coalition for Student Privacy and Doug Levin, Co-Founder and National Director, K12 Security Information Exchange and a national expert on student data breaches,  gave  presentations at the Network for Public Education national conference in Philadelphia, in which we discussed the Illuminate Breach and the how districts and schools can better protect the privacy of their students and teachers.

Below are the videos of the this session, separated into Part I and Part II, along with questions and comments from the audience, and their power point presentations.

 

Send a letter to Congress: Support strong privacy legislation that protects children and students

Parents and students, if you are concerned about how the apps and technology you’re using in school and at home are collecting and sharing children’s data, please let your members of Congress know by sending this message.

In his March 2022 State of the Union address, President Biden specifically said we must do more to protect children from surveillance and harm of Big Tech.

“These companies know everything from where users are physically located at any moment, to how many seconds they spend reading a particular post, to intimate personal data like what medical symptoms they have been researching. Children are also subject to the platforms’ intensive and excessive data collection vacuum, which they use to deliver sensational and harmful content and troves of paid advertising to our kids. By one estimate, online advertising firms hold 72 million data points on the average child by the time they reach the age of 13. The President is calling on Congress to ban excessive data collection on and targeted advertising online for children and young people.”

We know that tech and screens are addictive, with children often caught in a loop, scrolling through sometimes harmful content. Facebook whistleblower, Frances Haugen, says teens fall into a trap of algorithms, especially on social media. In an interview with 60 Minutes, Ms. Haugen revealed that “Facebook internal studies … show 13.5% of teen girls say Instagram makes thoughts of suicide worse; 17% of teen girls say Instagram makes eating disorders worse.”

We also know that edtech programs collect massive amounts of sensitive demographic data on children, including their email, home, income, grades, disabilities, citizenship status, discipline and criminal history, religious preference, behavior and more. In many cases, we have no idea how they use and share this data with other companies.

Yet a recent study found that 60% of school apps are improperly sharing student data with third parties. The Markup, in its investigations into Naviance and PowerSchool, found that when parents and schools asked to see their students’ data, these companies refused to share that information.

The Markup also found that Naviance allowed their customers to target students and their families with ads, based on their income and race. PowerSchool, which owns Naviance, can collect as many as 7,000 data fields per student, and uses algorithms to predict a student’s risk of not graduating high school on time starting in first grade.

Please click here to send a message to your members of Congress, asking them to support strong privacy legislation that will protect all minors and students. We need to reign in Big Tech from surveilling and monetizing kids.   Thanks!

Letter to Congress from privacy, consumer & education groups in opposition to the College Transparency Act

March 14, 2022

If you’d like to send your own letter to your members of Congress, urging them to oppose this privacy-invasive data collection by the federal government, please do so now by clicking here.

With little public notice and no hearings, the US House of Representatives passed the College Transparency Act on Feb. 4, embedded in a much larger bill called the America Competes Act.  The bill will now go to conference with the Senate.  You can read the bill here, starting on p. 30.    The CTA would authorize the federal government to collect the personal information of every student enrolled in college or another higher education institution, and track them through life.

Today, the Parent Coalition for Student Privacy, along with several other prominent privacy and education groups listed below, sent the following letter to Congress, urging them not to approve this bill which would create an invasive and risky federal surveillance system, without any ability for students to opt out of the system or have their data deleted.  If you’d like to send your own letter to your members of Congress, please do so now by clicking here.

PCSP urges the US Dept. of Education to strengthen enforcement of federal student privacy laws

On February 17, the Student Privacy Policy Office (SPPO) and the Privacy Technical Assistance Center (PTAC) of the US Department of Education held a “listening session” with representatives from a few privacy advocacy groups as well as some organizations funded by the ed tech industry.  The most vocal participants urging stronger enforcement of federal student privacy laws were Cassie Creswell and I, co-chairs of the Parent Coalition for Student Privacy, and Joel Schwarz and Andrew Liddell of the Student Data Privacy Project.

Kevin Herms, Chief Privacy Officer and Director of SPPO, and Ross Lemke, Manager of PTAC, encouraged the participants to send  follow-up letters to summarize their concerns.  Our letter detailing some of them is below.  Joel Schwarz’s follow-up letter is posted on his LinkedIn page.

Hopefully the strong discontent expressed by several participants of this “listening session” will lead to stronger and more effective action by the US Department of Education, which is in charge of enforcing our critical federal student privacy laws including FERPA, PPRA, and COPPA, but too often seems to be sleeping at the wheel.

Parent Coalition for Student Privacy and Rep. Jamaal Bowman Oppose College Transparency Act to be Voted

For Immediate release: February 3, 2022

Contact: Cassie Creswell, cassie@ilfps.org, 716-536-9313;
Leonie Haimson, info@studentprivacymatters.org, 917-435-9329

Parent Coalition for Student Privacy and Congressman Jamaal Bowman Oppose College Transparency Act to be Voted  Tomorrow

Overturning Federal Ban on Student Unit Record System Endangers Privacy and Equity

The College Transparency Act, now appended to the America Competes Act, is coming to a rushed vote today or tomorrow in the US House of Representatives.  This bill would overturn the long-standing ban on the federal government amassing a comprehensive database of personal student information, and instead would require that the US Department of Education collect the personal information of every student attending a post-secondary institution and potentially track them throughout their lives. There is no allowance for students to opt out of inclusion in this massive federal data system.

“The Parent Coalition for Student Privacy strongly opposes this bill and urges Congressional Representatives to vote against it, as any attempt to authorize the collection of such data by the federal government would create an unaccountable surveillance system that would place the privacy of all higher education students at an unacceptable risk,” said Leonie Haimson, co-chair of the Parent Coalition.

As one of the Coalition’s core principles, we hold that extremely sensitive personal student data should not be shared without consent, and especially without clear evidence that this is necessary. The CTA language would allow the government to not only collect data directly from colleges and universities for all full-time and part-time students, including their enrollment status, attendance, age, gender and race, but also to potentially include information pertaining to their “status as a confined or incarcerated individual”, disabilities, and/or first-generation college student.

The bill also allows the collection of nearly any other additional personal student data elements that can be justified as “necessary to ensure that the postsecondary data system fulfills [its] purposes”. This data will then be matched to other federal data from the Department of Defense, and Veterans Administration, the Census Bureau (for earnings), and the Social Security Administration, to continue throughout their lives.

“Our number one priority should be empowering our students with the resources they need to be well-rounded members of our society and influence positive change in their communities, not collecting their data and empowering the federal government to unnecessarily track them for the rest of their lives,” said Congressman Jamaal Bowman, Ed.D. (NY-16). “We have been down this road before and know how people’s personal data can be abused. Under the Trump Administration we saw this play out in the form of ICE stakeouts in our communities that put people in danger of being deported, separated from their families, and having their lives completely destroyed from one day to the next. The College Transparency Act raises serious concerns about how the data of our students can be used and abused. If making these systems more fair and equitable for all is our goal, there are interventions that would make a material, positive difference in people’s lives starting with canceling student debt.”

In recent years it has become clear that data held by local, state and federal agencies are under increased threat of breaches and cyberattacks. Even our “best protected” national data stores have been breached, including the well-known Education Department FAFSA breach in 2017, and top-secret NSA and Army data.

According to the US Department of Education’s own Inspector General’s  2020 data security audit of the Department, there were weaknesses in 11 of the 12 areas of their operations, which “did not meet the Managed and Measurable level of maturity or an effective level of security.”  The audit also found there was insufficient progress since previous audits: “We had findings in all eight metric domains within the five security functions—Identify, Protect, Detect, Respond and Recover…findings with the same or similar conditions identified in OIG reports issued from FYs 2017 through 2019.”

In addition, the College Transparency Act says in section (H) that “nothing in this paragraph shall be construed to prohibit third-party entities from using publicly-available information in this data system for commercial purposes.” Thus, companies could not only use the aggregate data for advertising, but also could match the data with other sources of data to exploit particular students and target them with ads.  Hackers could also combine with other databases for illegal purposes.

Lisa Rudley, the Executive Director of NY State Allies for Public Education and a school board member in New York pointed out, “Any college rating system that is developed from such a federal database may not just be subject to breaches, but also have unintended consequences, by discouraging schools from accepting the highest needs students – including those with disabilities or from low-income families.  Data of this magnitude and sensitivity needs to be handled with care and integrity.  We have not seen evidence of this from the US Department of Education.”

“The focus on earnings may also dissuade colleges from promoting career paths of great value to society but that typically yield lower salaries (e.g., early childhood or K-12 education) or discourage them from accepting students who on average may be relatively lower earners: female students, students of color, and/or pregnant or parenting students,” added Jeanette Deutermann, founder of Long Island Opt Out.

There are much less intrusive options that could be used to analyze and evaluate higher ed outcomes, including data sampling and use of aggregate data. See for example the recent Brookings report which used information drawn from the College Scorecard Data and the Opportunity Insights Mobility Report Cards. The Department of Education also already has access to vast amounts of data from their federal student loan system which could be used for similar analyses, but to our knowledge has not been employed for such purposes.

“Technology and data collection far out-pace the current federal and state protections for students. Congress should be seeking to strengthen those protections before engaging in further data collection that will potentially put our students at risk. We urge our Representatives to vote no on the College Transparency Act,” said Julie Larrea Borst, Executive Director, Save Our Schools NJ Community Organizing.

Another bill reintroduced in the last Congress, called the Student Right to Know Before You Go Act, would be far more protective of students’ sensitive data by employing a system called secure multiparty computation, which would enable these sorts of analyses without giving the federal government direct access to personal student data, as the American Association of State Colleges and Universities has pointed out.

“Why is any legislation being proposed to enable the government to collect more personal data before comprehensive data protection legislation has been enacted? There are several bills in Congress to do just that, but they have been stalled for more than a decade. To see the federal government rolling back protections of student privacy instead of bolstering them is very disheartening for me as a parent and student privacy advocate,” said Cassie Creswell, co-chair of the Parent Coalition for Student Privacy and director of Illinois Families for Public Schools.

Diane Ravitch, the founder of the Network for Public Education, said, “I urge Congress to vote NO on this bill. The federal government must continue to protect the privacy of students, rather than amass giant databases, full of highly sensitive information for the purposes of ratings systems, which by their nature will be highly unreliable and may have negative consequences for our most vulnerable students.”

###

Additional Resources

Cassie Creswell’s testimony on behalf of Parent Coalition for Student Privacy and Raise your Hand before the Commission on Evidence-Based Policymaking, January 5, 2017

Cassie Creswell’s response to follow-up questions from the Commission, February 10, 2017

PCSP press release opposing the CTA, November 1, 2017

The College Transparency Act: What Are Future Use Cases of Student Data? EdTech Magazine. September 21, 2021

College Database Bill Raises Concerns About Student Privacy Inside Higher Ed. April 26, 2021

Despite Decades of Hacking Attacks, Companies Leave Vast Amounts of Sensitive Data Unprotected ProPublica January 25, 2022