All posts by admin

New info on the NYC student data breach — with some critical follow-up questions

Recently, Chalkbeat reported on a data  breach that affected over 1000 NYC students and teachers.  Chalkbeat followed up with another story that suggests this breach was caused by an insecure storage of student and teacher data on a Google drive, first discovered in January 2021 by high school students at Brooklyn Tech.  Though these students reported this  insecure leakage to an administrator at their school immediately, it was ignored until they found in March 2021 that the problem had grown worse, and  emailed three DOE officials to alert them.

I was asked to look into this matter  by NYC parent leaders, and followed up with an email to Joe Baranello, the chief privacy officer of DOE.  I asked him for copies of the letters sent to parents and staff whose data was breached, and for more information about how these breaches occurred and what data elements were accessed.

To his credit, he responded within a few days with more details and provided four breach notification letters as attachments .

All four letters were dated July 30, 2021.  Letters #1 and #2 were addressed to parents about an unspecified March 2021 breach; the second letter included reference to specific data elements that were accessed, with that information redacted.  Letter #3 was addressed to parents whose children’s data was accessed in an earlier August 2020 breach.  Letter #4  was addressed  to teachers about the March 2021 breach.  In all cases, these letters inexplicably claim that this data was seen by only a single NYC student.

Joe’s email, which follows, included more information about the specific data elements that were breached.  Below his message are several follow-up questions to him.  If and when I get replies, I will add  to update this post.  If you or your child were affected, please let us know at info@studentprivacymatters.org .  Thanks!

___

From: Baranello Joseph <JBaranello3@schools.nyc.gov>
Sent: Monday, August 16, 2021 11:15 AM
To: leoniehaimson@gmail.com
Cc: Siciliano Lauren <LSiciliano2@schools.nyc.gov>; Sharma Anuraag <ASharma6@schools.nyc.gov>; Nathan Judy <JNathan@schools.nyc.gov>; Gantz Toni <TGantz@schools.nyc.gov>
Subject: RE: Data leak affects about 3,000 NYC students and 100 employees, officials confirm – Chalkbeat New York

Hello Leonie,

Thank you for your inquiry. We have attached the template letters that were used for these notifications, which provide additional information on what occurred and what was viewed. Impacted individuals would have received the letter applicable to them. The information implicated varied by individual. To that end, the templates include variable fields that were populated based on the specific information implicated for each person. Approximately 3,000 students and 100 staff were impacted. The variable fields are listed below, and which were involved varied widely from student to student.

No social security numbers of students or parents were involved to our knowledge (the DOE does not collect parent or student SSNs for routine inclusion in its databases).  For 5 employees, full SSNs were included.

We are committed to protecting the privacy of our staff and school communities, and a DOE student should not have been able to view these files. We have no indication that anyone’s information was further shared or misused at this time, and the DOE implemented aggressive measures to prevent this from happening again. Out of an abundance of caution we are offering free credit monitoring service to impacted individuals.

Student data:

  • Student Academic
  • Student Biographic
  • Student Health
  • Student Name
  • Student ID
  • Student Date of Birth
  • Special Education
  • Parent Information

Employee data:

  • Name
  • Social Security Number
  • Social Security Number (Last 4 digits only)
  • Date of Birth
  • Employee ID

The following specific documents were viewed for fewer than ten students per document type:

  • Individualized Education Program
  • Emergency Contact Card
  • Government ID
  • Special Education Remote Learning Plan
  • Section 504 Plan
  • Birth Certificate

Sincerely,

Joseph A. Baranello
Deputy Counsel & Chief Privacy Officer
New York City Department of Education

____

From: leoniehaimson@gmail.com <leoniehaimson@gmail.com>
Sent: Monday, August 16, 2021 5:06 PM
To: ‘Baranello Joseph’ <JBaranello3@schools.nyc.gov>
Cc: ‘Siciliano Lauren’ <LSiciliano2@schools.nyc.gov>; ‘Sharma Anuraag’ <ASharma6@schools.nyc.gov>; ‘Nathan Judy’ <JNathan@schools.nyc.gov>; ‘Gantz Toni’ <TGantz@schools.nyc.gov>; Leonie Haimson <leoniehaimson@gmail.com>
Subject: RE: Data leak affects about 3,000 NYC students and 100 employees

Dear Joe:  Thank you for sharing the letters that were sent to parents and school staff about these breaches.  I have several follow-up questions:

Question 1:   In letter #3, dated July 30, 2021, DOE informed parents of the following: “In August 2020, a DOE student reported that they viewed various electronic files that contained education records and personal information about you and/or your child. The DOE immediately took steps to address it.”

Why such a long delay in notification for this breach, especially as the NY State regulations for NYS Ed Law 2-d specifically require breach notification as early as possible  and in no case more than 60 calendar days after its discovery? “  

Question 2 – This Chalkbeat article reports that a group of Brooklyn Tech students accessed personal data in January 2021 and March 2021;  why is there no notification to parents of the January 2021 breach? 

“The students unintentionally discovered they had access to these documents in January. They noticed that the Google Drive folder where they uploaded their class assignments during remote learning contained documents uploaded by students and staff at schools across the city. Those documents included second graders’ classwork, a parent-teacher conference sign up sheet, and college recommendation letters, said a Brooklyn Tech High School student who asked to remain anonymous.”

Question 3 – Why the delay in notification for the March 2021 breach referenced above,  in letters #1 and #2, especially as DOE learned about it shortly thereafter, according to the Chalkbeat article?  Again, the July 30 letter is more than 60 calendar days after the date of discovery, despite the notification requirements in the regs. 

Question 4 – Why do all four letters refer to only one student accessing this data, when the Chalkbeat article refers to a group of students accessing much personal data in January and March? 

Question 5- Has the DOE looked into the possibility that not only this group of high school students, but other individuals as well may have accessed personal data for thousands more students/teachers, given how easily this data was found?  What further investigations are being done?

Question 6 – Clearly the data was not encrypted if students were so easily able to access it.  Are you aware that the State privacy law and regs require that the sharing of personal data with any third party such as Google requires the encryption of all personal data in motion and in rest?  Does DOE intend to comply with this requirement of the law in the future?

Question 7 – Why is the New York City Department of Education sending letters to parents from a P.O. Box in Suwanee, GA?

Question 8 – Why does  the DOE tell parents in these letters that if they “want to discuss this matter or have any questions” about these breaches, they need  to create an account with  a private company called IDX, rather than the contact someone at DOE itself – especially the law required districts to appoint a Chief Privacy Officer to be the contact person for parents’  questions and concerns regarding privacy?

Moreover, the link provided in the letter requires  parents to create an account with this company that that in turn obligates them to accept onerous Terms of Service that “will indemnify, defend, and hold harmless IDX, our subsidiaries and affiliates, and each of our respective officers, directors, agents, partners and employees (individually and collectively, the “IDX Parties”) from and against any loss, liability, claim, demand, damages, expenses or costs (“Claims”) arising out of or related to (a) your access to or use of our Services or Website”?

Moreover, IDX also limits any claims of damages to binding arbitration, and in its Privacy Policy, claims it can  use their customers’ information for many purposes, including sharing with credit bureaus and/or “With vendors, consultants, and other service providers who need access to such information to carry out work on our behalf, including marketing our products and services.”

Again, thank you for your work for NYC children, and for providing these letters to me.

Hoping for a timely response,

Leonie Haimson
Co-chair, Parent Coalition for Student Privacy
www.studentprivacymatters.org
info@studentprivacymatters.org

Opposition to NY bill that would allow College Board/ACT to keep on selling student data

See our PCSP/NYSAPE memo in opposition to a new bill in the NY State Legislature , S. 6624/ A. 7421 that would amend NY State’s landmark student privacy law and create a new loophole for the College Board and ACT.  This would allow these two companies to continue to make hundreds of millions of dollars, selling the personal information of students, including their score ranges, with questionable  benefits to them.  If you agree this is wrong, please send a letter to your legislators now!

PSCP-NYSAPE memo of opposition to sale student data

Why students should be allowed to keep their cameras off during remote learning

December 2020

Endorsed by Access Living, ACLU of Illinois, Brighton Park Neighborhood Council, Chicago Lawyers’ Committee for Civil Rights, Children’s Screen Time Action Network, Civitas ChildLaw Center, Hartlieb & Horste, LLC, Illinois Families for Public Schools, Parent Coalition for Student Privacy, Raise Your Hand for Illinois Public Education  

Adapted from IFPS here; see the one-page Summary here.

Many US public schools have been operating remotely since March, either full-time or part-time as a result of the Covid pandemic.  And with infection rates steeply increasing in the US, the timing of any return to fully in-person schooling remains uncertain.

The use of technology was widespread even before this spring. Now its use is nearly universal. But tech use should not impinge on students’ right to privacy and access to schooling.

In a recent national survey, 60% of educators said students would face negative consequences for having cameras off.   However, students should never be forced to choose between maintaining their privacy and receiving an education .  Moreover, surveillance does not equal safety.

Surveillance can be especially stressful for disadvantaged students,  students of color; those with disabilities; undocumented students; students in temporary living situations and/or those from low-income families, living in crowded homes or apartments.

There are many other ways teachers can check if students are paying attention, such as calling on them verbally, asking them to use the chat function or polling function.

We have assembled a set of best practice policy recommendations on tech use during remote learning:

  • Camera-on requirements: Students should always be permitted to participate in class without turning on video. And if live-video streaming is used during synchronous learning, schools should obtain written consent from parents explaining the risks and benefits of their children opting in to having their cameras on.
  • Recording video conference sessions: Recording should never be obligatory for students, including for one-on-one sessions of a sensitive nature, e.g. counseling and therapy. Families must receive clear information about their rights to inspect, correct, receive copies of and, for children 13 and under, delete recordings.
  • Observers in the virtual classroom: Schools/districts should issue clear guidelines to allow parents, guardians or other participants, for example childcare workers or family members, to assist their child in participating and/or to observe live video-conference sessions.
  • Use of surveillance software to monitor devices: Students and families should be informed of the role of any browser in monitoring online activity and physical location, especially for the use of non-school owned devices. No third party provider of a computer hardware or software should be able to collect, use, generate or retain student data without explicit parental “opt in” permission.
  • Use of surveillance software for proctoring tests remotely: Rather than subjecting students to highly invasive monitoring in pursuit of test security, schools and teachers should implement methods of assessment during remote learning that do not require surveillance spyware.
  • Policy transparency for families: Schools should not only establish clear policies for tech use and privacy, but also make information about these policies accessible to all families (e.g. providing paper copies, translating all documents).

These recommendations are intended as a resource to assist students and families, teachers, administrators, and school board members, whether they are writing, revising or advocating for improvement of policies covering the role of tech in students’ remote learning experiences. Technology is  crucial to accessing education during remote learning, but policy makers must be thoughtful in addressing its potential risks as well.

Much thanks for Cassie Creswell of IFPS for taking the lead on drafting this guidance.

NY State Student Privacy Survey

Class Size Matters, NY Allies for Public Education, and the Parent Coalition for Student Privacy would like to know which online apps or programs are being employed by schools throughout New York state, and whether they are sufficiently protective of children’s privacy. We are asking parents and teachers to take our survey here, to let us know what apps or programs your schools are using.

Since the pandemic hit, districts across New York State have purchased many commercially-produced online apps and digital programs to implement remote learning. Even before last spring, schools had been using a large number of programs, many of which collect and use personal student information. In NYC alone, more than 75 commercially available online programs have been acquired for teachers to assign to their students, and “The DOE has informed schools that for SY 2020-21, they must have a shared, inclusive and digital curriculum in all core subject areas,” according to the UFT.

Many of these digital apps collect and use personal student data in ways we do not understand. In some cases, the publicly available privacy policies of these vendors are NOT sufficiently protective and do not comply with the NY state student privacy law, Education Law 2D, which was passed in 2014.

Among other things, this law and its regulations adopted in Jan. 2020 require that every contract with a vendor with access to personal student data must have a separate Parent Bill of Rights [PBOR], which specifies how the data will be protected and how parents can access the data and challenge it if necessary.

Each of these separate Parent Bill of Rights are supposed to be posted on the district website, along with other important information, including your district’s overall data privacy protection policy, and how you can contact the district data privacy officer in charge of ensuring these protections. Links to the Education Law 2D, the regulations, and a summary of some of their most important provisions are here and below.

Please take a few minutes to fill out our online survey to let us know what online apps and/or digital programs are being used in your schools, and whether the district has provided the necessary information about the ways in which that data is being protected from breach and abuse.

Thanks!

NYS Student Privacy Regulations Summary (Final)

NYS Student Privacy Regulations Summary (Final)

In addition, the full law and regulations are available at the following links:

Parents: Google Classroom is not your friend

The following is by Carrie McLaren, a Brooklyn parent.  If others have similar experiences with Chromebooks, please let us know at info@studentprivacymatters.org

A couple of years ago, my then-4th grade son started watching YouTube videos about Magic, a trading card game. These were snoozy, lo-tech commentaries that struck me as quasi-educational. But I soon noticed that YouTube’s algorithm would start recommending more and more “engaging” videos —  a video of white gamer known for dropping the N-word, for instance.

A close friend noticed the same thing happening with her teen. The boy watches videos about American history and started slowly being fed conspiratorial, alt.right nonsense. The racism was not intended on Google’s part. It’s simply the formula we’ve seen all over media platforms: big emotions + edgy content = more engagement. YouTube is in the center of the attention economy, after all, and YouTube’s goal is to keep users watching YouTube.

This economic imperative doesn’t end with Google Classroom. Classroom is just another piece of Google’s data-mining machine. Why school districts are so eager to jump on board the platform is hard to fathom were it not so cheap and convenient. But as anyone with a passing familiarity with Big Tech knows, you get what you pay for. When the tech is free, you are the product.

Prior to distance learning, my son had a Chromebook that he could log into via his gmail account, which we could monitor via Google’s parent controls, Family Link. Once we started distance learning, he needed to login via his school’s gmail. But these Classroom accounts are not subject to Google’s parent control. So, thanks to Google Classroom, my son could log into his Chromebook using his school account and potentially access porn sites, spend the day watching YouTube and ads hawking age-inappropriate games, or do pretty much anything else on the internet, unguarded.

Odd, yes? Chromebooks are often sold as the ideal student laptop. When I contacted Google about this (6/17/20), the customer service rep said it’s the school’s responsibility to limit adult sites and other distractions, not Google’s. But schools can only limit devices linked to their individual network; they cannot do this when students are working from home.

When I expressed concern about limitless YouTube during the home/school day, the Google customer service rep told me not to worry: “Students can’t use YouTube via their school account.”

I laughed at this because my son’s YouTube use amped up dramatically when he started relying on his school gmail account. Google’s subterfuge here runs deep. It’s true that a student cannot “like” or comment on YouTube videos via a student account. Nor can they view their watch history. But they can watch as many YouTube videos as they like. And just because they can’t view their own watch history doesn’t mean Google isn’t tracking that watch history!  Whenever my kid would open a YouTube browser, the home page would be highly tailored to his interests, luring him down a rabbit hole expertly tuned to keep him hooked.

If I want to limit my son’s internet access during distance learning, I need to get rid of the Chromebook and use a different laptop  (Apple and Microsoft have parental controls that can function with Classroom).

Or invest in expensive network-based parent controls, such as Circle. Or, I suppose, I can stop using Google Classroom and give up on school.

Is anyone at the NYC Department of Education thinking about this?  Anyone at all?

– – – Parents, one trick I’ve fallen back on is go into settings and delete my son’s Watch History,  Search History, and turn off targeted Advertising.  I then turned off Watch & Search history by putting them on Pause. These changes make the site a little less addicting and more diverse. 

—Carrie McLaren