All posts by Cheri Kiesecker

What you need to know about Zoom for Education

Zoom for Education has been adopted by thousands of schools nationwide. Zoom began marketing to K-12 schools in November 2019, prior to the  Covid pandemic.  Zoom also created a website specific for education:  https://zoom.us/education.  Zoom has referred to its education platform as a Zoom for K-12 service  but apparently rather than face data privacy and transparency requirements for contracted school service providers in Colorado law,  Zoom NOW claims they are not a school serviceMore on this below, but first we’ll focus on Zoom’s third party data sharing and cookies.

When you visit the Zoom for Education webpage, you will see a pop-up box asking if you want to opt-out of third parties using your information–DON’T IGNORE THIS WHEN YOU SEE IT; this alert doesn’t appear every time you visit the page.   Every parent and school district, education official should click More Info and review the cookies on the Zoom for Education website.    WHY?  Because Zoom allows third parties to access student data. In fact, prior to July 2020 and  Zoom’s most recent update to its K-12 privacy policy, Zoom apparently allowed third-party advertising cookies on its Zoom for Education platformCommon Sense Media actually warned about Zoom’s third party  targeted advertising in April 16, 2020.  Common Sense stated,

“…there are still privacy issue areas where Zoom falls short, including its limited, but still targeted, use of advertising and third-party tracking that may affect students in K–12. (Ads don’t appear on Zoom itself but on other sites kids visit after using it.) “

Similarly, this March 17, 2020  New York Times  article entitled  We Live in Zoom Now,  also warned about Zoom’s use of student data for advertising, quoting Jules Polenetsky, CEO of the Future of Privacy Forum, as saying,

“The standard Zoom privacy policy allows data to be shared for targeted advertising,” Mr. Polonetsky wrote in an email interview. And some of the company’s standard terms are not consistent with the Family Educational Rights and Privacy Act, or FERPA, “in addition to many of the 130+ state student privacy laws passed since 2014”

Interestingly, the next day after this NYT article,  Zoom updated its K-12 privacy policy on March 18, 2020. This March 2020 version stated that,

We only collect students’ Personal Information to provide the Zoom for K-12 service to the School Subscriber, not for marketing or advertising, and, with the limited exception of our service providers, we do not share Personal Information about K-12 students with other parties”

“… Zoom and/or our third-party service providers also automatically collect some information using methods such as cookies. Information automatically collected may include Internet protocol (IP) addresses, browser type, Internet service provider (ISP), operating system, and date/time stamp. We use this information to provide and support the Zoom for K-12 services. We do not use this information to deliver advertising or for any other purpose not related to the delivery and support of the services.”  

On April 9, 2020, Zoom again changed their K-12 privacy policy to this version, which made a few changes but kept the same quoted language above, stating that Zoom does not collect student pii for marketing or advertising.

However, Zoom changed its K-12 privacy policy AGAIN  to this July 2020 version.  This July version made substantial changes.

Students under 16 CANNOT create Zoom accounts.

The July 2020 K-12 Privacy Policy states:

“Student Users are not permitted to create K-12 Accounts but may use the Services when invited to join a meeting hosted by a K-12 Account User.  Although Zoom prohibits children and teens under the age of 16 from creating a Zoom account (and employs an online age screen to support this restriction), Student Users, even if under the age of 13, may join a meeting hosted by a K-12 Account User. School Subscribers are responsible for obtaining any parental consent necessary for use of the Services under their K-12 Accounts by Student Users, including children under the age 13.”

Hopefully K-12 schools, parents, and students are aware of this clear wording and will take heed.  Apparently in their rush to virtual learning during the Covid 19 Spring shut down,  some K-12 schools required students to download the Zoom App and create their own Zoom account- using their school email- in an effort to decrease Zoombombing.  As EdSurge reported in March of 2020, “Students should never be making an account in Zoom,”  “That’s where it can get districts into trouble.” 

No more advertising or analytics.

Another change in the July 2020 K-12 privacy policy “There are no third-party advertising or analytics cookies on Zoom’s product pages.”   That is a big change; how do we know Zoom is honoring this and what about all the months prior when advertising cookies were apparently opted-in on Zoom’s K-12 product pages?  (What’s a “product page” and is the Zoom K-12 privacy policy page a product or marketing page? See our analysis and trackers found, here.)

When you click on the More Info link on the pop-up notice, Zoom for Education now automatically opts-out advertising cookies but that was not the case previously, as you can see from this April 2020 screen capture that shows ads were opted-in.

And here is a list of the Advertising Cookies on the Zoom for Education page that apparently prior to July 2020 were automatically opted-in, ( we underlined in red), and allowed  cookies “to serve ads relevant to your interests” unless the user clicked the opt-out box.

Why all the changes to the K-12 privacy policy?

Zoom for Education has changed its privacy policy several times, which itself raises serious concerns. Here are some of the privacy and security “mistakes” and concerns with Zoom that have already been reported.  One such concern related to the fact that while Zoom’s K-12 privacy policy originally claimed that student data was not used for advertising and student data was only used for educational purposes, the automatic opt-in to advertising cookies implied the opposite.  Was sharing student information with Facebook and LinkedIn, or Twitter, Yahoo, Walmart, Microsoft Advertising, Nielsen Marketing, Google DoubleClick ads really an educational purpose?

Here are a few privacy and security Zoom issues in the news:

  • Zoom falsely claiming data is end to end encrypted, Verge link 
  • Zoom sharing user data with Facebook, link
  • Zoom sharing  user data  with LinkedIn, link 
  • Zoombombing  and FBI warning, link
  • Zoom routing data (with encryption keys) through China, link
  • Over 500,000 Zoom accounts being sold on the dark web, link
  • Zoom’s security issues were exposed over 2 years ago by Dropbox, this is not a new problem, link
  • Class action lawsuit for unlawful eavesdropping, link
  • NY, CT, FL Attorneys General investigate Zoom security practices
    • NY resolved Zoom investigation: NY created this master agreement where Zoom must adhere to certain security requirements but agreement does not require Zoom to get consent or inform parents of when third parties access their children’s data, does not prohibit re-disclosure of data. The agreement does not address use of artificial intelligence, facial recognition, nor is Zoom required to tell parents how student data are analyzed or profiled.
  • Maryland parents concerned about privacy, security of student data collected by Google and Zoom for Education, link 
  • Colorado Attorney General investigates Zoom for Education, link
  • The Electronic Privacy Information Center (EPIC) filed a complaint with the FTC against Zoom in July 2019. “Zoom intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user’s web camera without the knowledge or consent of the user.”  link

So, is Zoom “safe” now?

Common Sense Media recently wrote this July 14, 2020 piece, Privacy Risks of the Top 5 Distance Learning Apps, which evaluated privacy features of Zoom, Apple Facetime,  Microsoft Teams, Google Hangouts, and Cisco Webex.

Common Sense gave Zoom the highest overall privacy rating.

In looking at Common Sense Media’s Privacy Evaluation of  Zoom for Education,  you can see they say that Zoom is clearly being marketed as a School Purpose and intended for students,  “primarily used by, designed for, and marketed toward students in grades preK–12.”

Common Sense Media gave Zoom for Education a high rating for privacy even though  they admit to the following uncertainties:

  • User information can be transferred to a third party.
  • Unclear whether users are notified if their information is transferred to a third party.
  • Unclear whether user information can be deleted prior to its transfer to a third party
  • Unclear whether the vendor describes their deidentification process of user information.
  • Unclear whether data are shared for research and/or product improvement.
  • Unclear whether contractual limits prohibit third parties from reidentifying deidentified information.

And when they ask if there are advertisements or tracking, they say:

  • Traditional or contextual advertisements are displayed.
  • The vendor can send marketing messages.
  • The vendor does provide promotional sweepstakes, contests, or surveys.
  • Users can opt out of traditional, contextual, or behavioral advertising.  [should be opt-in for student advertising]
  • Users can opt out or unsubscribe from marketing communications.   [should be opt-in for student advertising]

What about the other Cookies and Trackers still on the Zoom for Education page?

Remember when on the Zoom for Education webpage, you will see a pop up box asking if you want to opt out of third parties using your information–we said DON’T IGNORE THIS WHEN YOU SEE IT.   These are the cookie settings you see today when you click  More Info and Advanced Settings, and View Cookies. 

Notice  (orange arrows added) that Functional Cookies are still automatically Opted-In and include third parties like Twitter and Vimeo, New Relic, Salesloft, Milward Brown Digital, Pardot, and PayPal

Google (Google ads?) and Zoom cookies are required.

Clicking on Google Inc you see:  “Google operates Google Ads, Display & Video 360, and Google Ad Manager. These services allow advertisers to plan, execute and analyze marketing programs with greater ease and efficiency, while enabling publishers to maximize their returns from online advertising. Note that you may see cookies placed by Google for advertising, including the opt out cookie, under the Google.com or  DoubleClick.net domains.  For more information, see https://policies.google.com/technologies/ads ”

Clicking on Zoom you see:  “api.zoom.us, blog.zoom.us, connectnz.zoom.us, facebook.zoom.us, google.zoom.us, imauth.zoom.us, investors.zoom.us, launcher.zoom.us, log.zoom.us, recurly-callout.zoom.us, support.zoom.us, www3.zoom.us, www.zoom.us, zoom.us, zuora-callout.zoom.us”

Functional Cookies automatically opted-in

If these screen captures above are too small for you to see, or too buried for you to find, here’s a quick little video of Zoom’s required and automatically opted-in cookies.

Final Notes

The Common Sense privacy evaluation does not mention that, as of March 31, 2020, Zoom is also a Common Sense partner in the Wide Open School initiative, as is Apple and Google.  Bill and Melinda Gates and Google also fund the initiative (no mention of Zoom funding).   As one commenter on Common Sense’s Ultimate Guide to Zoom stated, “This is a great article and covers some primary questions I have as a parent. Yet I can’t help wondering if this is a promoted post from Zoom!”  I tend to agree.  Better to be transparent and disclose any funding or endorsement or partnership when evaluating a product.

Also, the Wide Open School initiative, which is curated by Common Sense, is meant to encourage schools and parents to implement specific edtech programs during the COVID shift to remote learning. They make the following fine-print disclaimer:

A note on privacy

“While we have tried to favor sites that don’t require login, some do require registration. The provided resources include links to external websites or applications that are governed by their own privacy policies or information-collection practices, which may be substantially different from those of Common Sense. We encourage you to review the privacy policies and information-collection practices of any external websites and apps before using them with children. Many organizations have stepped up and made their resources free for kids during this critical time.”

In other words, you as an educator or a parent are on your own in trying to decipher whether the privacy protections for a specific program are strong, weak or non-existent.  It would be great if Common Sense, who does edtech privacy evaluations on a separate website,  would provide a privacy analysis  of each tool, or at least highlight the specific partners who have “privacy policies or information-collection practices, which may be substantially different from those of Common Sense“.  This would help guide the decisions of educators and parents about each of these partner tools Wide Open School is promoting.

Is Zoom for Education a K-12 School Service?

Colorado has a state law that requires contracted edtech (school service providers) to be transparent about the data elements they collect, how the data are used and to list every subcontractor who has access to the data.  Zoom doesn’t think they need to comply with this transparency law because they claim, “Zoom is not a School Service and is exempt from the requirements of the law.” The Colorado Attorney General’s privacy office is investigating whether Zoom threatens student privacy; let’s hope the Attorney General enforces Colorado law and requires Zoom to be transparent about how they and their subcontractors and third party apps (with SDKs) use student data now… and since March 2020.

It sure seems like Zoom is a school service:

  • with a dedicated K-12 Zoom for Education webpage,
  • separate Zoom K-12 privacy policy,
  • Zoom white papers, blogs and tutorials for K-12 teachers and students,
  • Common Sense gave Zoom high ranks for clearly being labeled as serving a school purpose, “primarily used by, designed for, and marketed toward students in grades preK–12.”
  • Zoom is a Wide Open School preK-12 online education resource and partner,
  • schools are requiring students to use Zoom remotely and recording video sessions and transcripts, students are answering school related questions, turning in school work (These are education records under FERPA.),
  • Zoom actually described itself as a “K-12 service” in its prior K-12 privacy policies
  • For purposes of FERPA,  Zoom is considered a “school official”

Zoom is being used as a service in thousands of schools nationwide.

It’s difficult to know if  Zoom is a threat to student privacy since Zoom keeps changing its privacy policies and cookie tracking practices, and Zoom won’t answer transparency questions about how data elements are used and shared.

What  (little things) you can do to protect your student on Zoom.

In March 2020 we wrote this piece advising parents and educators to seek alternatives to screen time, get outdoors, cover your camera when possible. If your school requires your student to use Zoom, ask your school if your student can keep their camera off. We would add to turn off (opt-out) of  non-essential cookies when possible.  If using your home computer or device, you can install free plug-ins like EFF’s privacy badger,  Lightbeam, Ghostery, uBlockOrigin that will also alert you or block third party trackers. You can also use a web browser like Brave or Firefox that will block ads and spyware.

Honestly, as a mom, I think I speak for most parents when I say that Zoom for Education (and all the virtual learning companies) should be required to tell parents how their children’s voice and video and data are used, and should be required to let parents know who else has access to our kids’ information. These companies should not be allowed to exploit students for marketing and advertising.  This pandemic is tough enough, the last thing parents need is worrying about a company profiling their student.  Parents and teachers are just trying to survive and teach our kids.

Parents question College Board’s use of student data

Is College Board allowing third party advertisers, keystroke loggers, and behavioral analytics to track students?  “Recording everything they do?”

With the move to online learning, many parents are asking edtech companies, “What are you doing with my child’s data?”  That seems a reasonable question. As a parent myself, I have wondered how the College Board uses and monetizes students’ data.  Similar to a recent investigation by Consumer Reports, I recently discovered that College Board allows third parties such as Facebook and advertisers such as Adobe Marketing, Google Ads, Bing Ads, Yahoo and more to track users on multiple College Board websites. However, in addition to these ad trackers, I documented where the College Board apparently utilized hidden analytics tools, including one that records everything a user does on a website and offers keystroke logging and “behavior tag” analysis of users.  I also discovered that College Board apparently required typing samples from students, asked students to give College Board an unlimited right to use their AP written and oral responses, and College Board changed their AP Terms of Service after students agreed to them in Fall of 2019.  I wonder how many parents or students know this about College Board.

The College Board, a signatory to the Student Privacy Pledge which promises not to sell students’ personal data for behavioral advertising and promises to only disclose data for educational purposes, is also the owner of the PSAT, SAT, and Advanced Placement (AP) exams.  The College Board appears to be a very profitable “non-profit” that also receives considerable public subsidies. This report suggests the College Board is a hedge fund which has money in multiple offshore accounts, and has assets in excess of $1.1 Billion.  According to 2018 tax records, College Board paid David Coleman, their CEO, an annual salary of over $1.5 Million, and paid multiple staff salaries in the $300-500,000 range, including Trevor Packer the VP of AP programs, whose annual salary in 2018 was $526,359. As seen in this letter to a parent, the College Board uses its non-profit status to claim exemption from California’s Consumer Privacy Act.

College Board sells licenses to access student data. Do they also sell student data for advertising purposes?

The College Board profits from selling exams but also profits from licensing students’ data. As we wrote in this 2017 Washington Post piece, the College Board profiles students’ geographic, attitudinal and behavioral information and sells licenses to institutions and researchers, allowing access to student data.

“The College Board sells licenses to access the data through a tagging service called College Board Search. The Segment Analysis Service™ is one of three featured tools of the Search, along with the Enrollment Planning Service™, and the Student Search Service®. These are “enhanced tools for smart recruitment.” The College Board’s Authorized Usage Policies states, “Student Search Service in connection with a legally valid program that takes such characteristics into account in furtherance of attaining a diverse student body.”…and allows college admission professionals to identify prospective students based on factors such as zip code and race and to Leverage profiles of College Board test-takers for all states, geomarkets, and high schools.”

In December 2019, the College Board was named in a class action lawsuit for improperly obtaining and selling student data. The lawsuit, which was recently amended, mentions selling student data to targeted advertisers such as Facebook,

“While students were made to believe the results of these tests would significantly impact their futures, to College Board the tests served a wholly different purpose – i.e., to obtain highly valuable personal student information to benefit its own business interests and increase its revenues, which exceeded $1 billion in 2018. College Board obtained the students’ personal information using unfair and deceptive practices and then unlawfully released, transferred, disclosed, disseminated and sold the information. The deceptive practices used by College Board to obtain the personal information included: (a) misrepresenting that it did not sell the information; (b) misrepresenting that it only disclosed nonidentifiable information to third-party targeted advertisers such as Facebook; (c) requiring students to create online accounts for the purported purpose of registering for exams when, in fact, the online accounts provided College Board with a mechanism to obtain massive amounts of personal information that it then unlawfully disclosed and disseminated to third parties…If only one third party were to purchase the personal information of the 2.5 million children who take the AP Exams the total price would be $1,175,000. Obviously, College Board sells data to as many customers as possible.”  [Emphasis added]

Recent changes to College Board’s AP platform: everyone must join online.

In August of 2019 the College Board changed how students and teachers use Advanced Placement (AP) curriculum and assessments by creating new online tools, the online AP Classroom / MY AP account. According to the College Board,

It all starts with joining the online system. This step unlocks new digital tools and resources that students, teachers, and coordinators can use throughout the year, including an AP question bank and Personal Progress Checks. … Students who don’t already have a College Board account must create one.” [Emphasis added]

The College Board AP Central website boasts “Everything streamlined. Everything online.” In creating the required online College Board account, AP students are asked to provide substantial personal information. Here is a non-exhaustive list: Student email address*, Student home address*, Student Date of Birth*, Student cell phone number, race, parent education level, parent name, parent email address, classes the student has taken or intends to take.  (*=required)  Note: the student MUST also agree to the privacy policy and Terms and Conditions* when creating this required account: “By submitting this information, you are accepting the Site Terms and Conditions and Privacy Policy governing the College Board’s website.”  Take it or leave it.  College Board is the only company offering high school students an exam to earn college credit.

In the fall of 2019, College Board also began requiring school AP Coordinators to register students for the AP exams and electronically submit an  AP Participation Form, with “a few final questions” and an AP Survey.  As of this writing, I was unable to find the 2019-2020 AP Participation Form, final questions, or the AP Survey mentioned in the AP Coordinator’s Manual Part 1 and Part 2.  What are schools agreeing to when they register students for AP exams? What are students agreeing to when they create an AP account,  use AP Classroom, or take AP exams? 

College Board has changed the AP Terms of Service/ Terms and Conditions since Fall 2019.

Since Fall of 2019,  we have found at least 4 different versions of AP Terms for students.  Which set of AP terms are students beholden to?  Here is a capture of the October 2019 MyAP terms thatstudents could see and were required to agree to, when they created their online AP account; here is slightly different public version of MyAP terms. Here are the APCoronavirus terms, and here is a capture of the  MyAP terms as of July 2020, that students see if they log into their MyAP account.  Which set of AP terms are students agreeing to?  Excerpts from this Fall 2019 version of  MyAP Terms and Conditions state,

  • You acknowledge that it is not the responsibility of College Board to determine whether your school is required to obtain parental consent”
  • “AP Student End Users. Any data provided about you may be used (in the aggregate and/or anonymously) for research purposes, to prepare research reports, and/or in AP Exam ordering and registration processes. Occasionally, College Board researchers and their subcontractors may contact students to invite their participation in surveys or other research. Data collected from the AP Classroom system could also be shared with researchers and partners.”
  • “College Board does not serve Ads in the Services or use Customer Data for Advertising purposes.”    See full version of these terms archived here.

To view and send their AP scores, per screen capture above, students were required to agree to these new (July 2020) Terms and Conditions which added new language, including the following:

  • “Students access AP Services as authorized users of their respective Schools. However, when Students take AP Exams, they do so in their personal capacities, and the scores they earn are their own. Accordingly, in order to take AP Exams, Students are required to enter into a separate agreement by accepting the AP Terms & Conditions prior to taking their first AP Exam.
  • Similarly, when Students access College Board services that are not AP Services, Students again do so in their personal capacities, not as Students of School. Non-AP Services may include, but are not limited to, SAT® registration, college score sends, linking a College Board account to Khan Academy®, creating a college list on BigFuture™, or applying for a scholarship.
  • AP Classroom and Pre-AP Classroom are hosted by Academic Merit, LLC, a third-party platform that is prohibited from using data collected on AP Classroom and Pre-AP Classroom for any purpose other than delivering services to College Board.
  • College Board may use Data for its internal research purposes. College Board may also disclose aggregated and/or de-identified Data with trusted third parties.” [Emphasis added]

The  new language in the July Terms says students who took the AP exam do so in their personal capacity-this is concerning.  The school had to register the students for the AP exams and the school had to agree to the Terms in the elusive Participation Form– so why do students suddenly have to agree to new Terms saying they took the exam at their personal capacity – AFTER the fact ?  What is College Board trying to avoid?

Further, I find it problematic that students had to go onto the College Board website (apparently with ad trackers and analytics trackers) to even READ the AP Terms and Conditions.  And in at least two cases, (October and July  MyAP Terms), students actually had to submit personal information: create an account and log-in to see the MyAP Terms which they were required to agree to.

It makes my head spin trying to keep all these AP Terms and Privacy Policies straight.  But imagine being a 16 or 17 year old, trying to navigate this.  Should students be agreeing to all of these Terms and Conditions just to take an exam and see their scores?

Can students opt out of sharing their personal data with subcontractors and researchers?  If College Board does not use customer data for advertising purposes, why are there several advertising companies tracking users on College Board websites?  If the data are anonymous, why are researchers and subcontractors contacting students? Selling student data and targeted advertising are prohibited by the Student Privacy Pledge and by many state laws. Interestingly, this Bulletin for AP Students and Parents states College Board will not sell or share or rent student data; however, pay attention to the exceptions.

 “Except as described in this publication, or to share with our operational partners for the purpose of administering testing services and generating score reports, the personal information you provide to College Board will not be sold, rented, loaned, or otherwise shared.” [Emphasis added]

Selling student data

This November 2019  Wall Street Journal piece,  For Sale: SAT-Takers’ Names. Colleges Buy Student Data and Boost Exclusivity, reports that College Board sells student test score ranges, names, and demographic information,

“College Board sells lists of high-school students’ names, ethnicities, parents’ education and approximate PSAT or SAT scores, at 47 cents a name. Each year, 1,900 schools and scholarship programs buy combinations from among 2 million to 2.5 million names, College Board said, declining to say how many names in total it sells. Schools target combinations of geography, socio-economic class and academic interests. A college could buy a list of, say, soccer-playing Caucasian girls from Colorado, Wyoming and Montana who scored 1,200 to 1,300 on the PSAT, are interested in engineering and whose parents didn’t attend college.”

This case study from a College Board stakeholders’ workshop clearly lists “Buy Names –> Analyze” and “Purchase Flow”; other pages of the case study list tagging and analysis of student data by ethnicity, family income-band, socioeconomic communities, marketing zones and listing student names that have not been sold on any order.

In May 2018, the U.S. Department of Education issued significant guidance that prohibits states  or districts to allow testing companies like College Board to sell or re-disclose student assessment data, including test score ranges, without parent consent.

Regarding testing companies,  their pre-test surveys, and student privacy,  the U.S. DoE guidance states,

In connection with these college admissions examinations, testing companies administer voluntary pre-test surveys asking questions about a variety of topics ranging from academic interests, to participation in extra-curricular activities, to religious affiliation. the testing companies then sell this information to colleges, universities, scholarship services, and other organizations for college recruitment and scholarship solicitation.

The administration of these tests and the associated pre-test surveys by SEAs and LEAs to students raises potential issues under the Family Educational Rights and Privacy Act (FERPA), the confidentiality of nformation provisions in the Individuals with Disabilities Education Act (IDEA), the Protection of Pupil Rights Amendment (PPRA), and several recently enacted State privacy laws, and generally raises concerns about privacy best practices.”

“contracts between testing companies and SEA, LEAs, should include provisions assuring that before PII is disclosed nonconsensually, the testing companies (when acting on behalf of the SEA, LEA, or school) will comply with the privacy protections required by Federal law, specifically FERPA and IDEA. When contracting with the testing companies, SEAs, LEAs, and schools should also specify in their contracts that there is a general prohibition under both FERPA and IDEA regarding the unauthorized use and re-disclosure of PII from students’ education records (including any biographical or demographic information about the students provided by the SEA, LEA, or school to the testing companies, and the students’ test scores or test score ranges)”. [Emphasis added]

No Contract for AP?

In this October 2019 letter, I asked the Colorado Board of Education for help with transparency about the data collected and shared via the new online 2019-20 AP format. Colorado’s Student Data Collection Use and Security law requires contracted education providers and their subcontractors to be transparent about data elements collected, their purpose, how used and shared. However, as mentioned in the letter above, I could not find a single school or district in Colorado who had posted a signed AP contract with College Board. School administrators that I spoke to alleged their AP contract negotiations with College Board had stalled for over two years, and they were unable to get College Board to sign an AP contract.

Is College Board refusing to sign AP contracts because they don’t want to be transparent about their use of student data?

AP Exams Moved Online, at Home. College Board President said students’ cameras and microphone would be turned on.

For the first time ever, College Board announced that the  2020 AP exams would be administered online and students would take the AP exams at home. When explaining what this online, at-home exam would look like for students, on April 15, 2020 EdSurge quotes the College Board president, Jeremy Singer, as saying the camera and microphone will be turned on and the exam will use the same software as the pre-test Demo.

AP testing was chaotic and fraught with technical glitches

During the first week of the online AP exams, College Board frequently posted updates on Twitter. Students responded with frantic questions including asking why the College Board required a typing sample on the test, when they did not ask for a typing sample on the Demo. Thousands of stressed-out students  reported that they were unable to submit their completed AP test because of technical glitches and problems with the online submission process. This May 20, 2020 Verge article entitled, “Students are failing AP tests because the College Board can’t handle iPhone photos” quotes a student commenting on the College Board’s  tweet tips being too late to help. OneZero writes about Fake Tweets, Broken Tests, and a Misinformation Campaign: How The College Board Botched Spring Semester. The Washington Post Answer Sheet also wrote about the botched online AP tests; author Valerie Straus questions the actual number of students unable to submit their test responses.

The botched online AP tests resulted in another lawsuit against College Board.

The Washington Post Answer Sheet and Valerie Straus followed up on the subsequent class action lawsuit. The lawsuit on behalf of students who encountered problems taking the online AP exam, claims breach of contract and discrimination against students with disabilities. (The College Board added a new submission procedure during the second week of testing; this new procedure came too late for the many students who were unable to submit their exams the first week.)  The amended complaint also alleges that College Board required students with disabilities to log into the College Board’s BigFuture website to check the status of their disability accommodations and also claims that College Board did not honor student accommodations for breaks,

“The lawsuit asks that the College Board accept any test answers from last week’s AP tests that can be shown to have been completed in time by time stamp, photo and email. It charges that the College Board ignored warnings that giving AP tests online would discriminate against students with disabilities and those who did not have access to technology or the Internet at home to take the exams. [College Board] instructed all students with disabilities who had applied for accommodations to log in to Defendants’ “Big Future” platform to find their accommodation decisions. Had M.W. not been disabled and searching for her accommodations, she would not otherwise have been required to log into Big Future. M.W.’s Defendants accommodations letter states that she is entitled to “extra breaks.” However, when changes to the AP Exam format were announced, M.W. learned that the at-home AP Exam format did not allow for any breaks whatsoever.”

It’s important to note that College Board’s BigFuture Scholarship Search collects students’ disability type, religious affiliation, citizenship status, ethnic and minority background and special conditions such as cancer or hemophilia.  At the time of this writing, I could not find a specific privacy policy or terms of service for how BigFuture uses or shares this personal and sensitive information. However, this archived College Board website states that while College Board never shares disability status or test scores, they do share (sell licenses to?) test score ranges, including AP score range, if students opt-in to Student Search Services.

Practice, Practice, Practice: College Board tells students to take the online pre-test AP Demo.

To avoid testing glitches, students were instructed multiple times to go to the College Board website and practice with the exam Demo  before their actual exam, to make sure they were familiar with the online format and to confirm their device and browser were compatible.

I took the online AP Exam Demo.  I was shocked at what I saw. 

Granting College Board Unlimited Right to Use Student Data?

This permission to allow College Board unlimited right to use student data for educational research and instructional purposes was AUTO FILLED to “Accept”.  I am told this same question,  auto filled to “Accept”, also appeared on the actual AP exams.  How many students declined this permission?

We know data can be re-identified or machine matched. (See here, here, here.) This permission notice only states that student name and school will not be used, but College Board collects a student’s date of birth, student ID, parent and student address, email address, cell phone, location, device information, etc. This permission for data use apparently includes oral responses; a person’s voice is personally identifiable (more on biometric data below).  Will the College Board tell us how many students actually agreed to grant the College Board the unlimited right to use, reproduce, and publish their free response data?  “Educational research” is very broad; can students ask to see how their data are used, shared, or profiled?  Can a student change their mind, retract their consent and ask to have any shared data deleted?

Required Typing Sample Before Every Online AP Exam? 

Many students on Twitter and Reddit said they had to submit the same online typing sample for every AP exam. Students were apparently instructed to type the same short sentences about plagiarism, cheating, and how their grandfather picks up quartz and valuable jewels.  These sentences used every letter of the alphabet, and students were told to copy them word for word, typing in their typical typing style during the 30 minute pre-test session. There was no typing sample on the AP Demo exam.  

Your typing pattern is a biometric identifier, unique to you, like a fingerprint or DNA. 

Many states have biometric privacy laws protecting voice and unique characteristics of an individual that can be used to authenticate a person’s identity (oral response data is mentioned in the consent for unlimited right to use data, above). Keystroke data are specifically protected under California Consumer Privacy Act.  If students were asked to submit typing samples, did College Board obtain informed user consent where necessary and how are College Board or third parties using this biometric data? As this PC World article states, “AI-based typing biometrics might be authentication’s next big thing”,

“Identifying or authenticating people based on how they type is not a new idea, but thanks to advances in artificial intelligence it can now be done with a very high level of accuracy, making it a viable replacement for other forms of biometrics.”

Finally, when taking the AP Demo, I had no choice but to accept the Terms and Conditions.

I couldn’t go on to complete the first question of the Demo exam, unless I checked yes. I had 3 minutes and 30 seconds to read and understand these long legal Terms and Conditions. I ran out of time; the clock expired, but the “Continue” box remained greyed-out until I clicked “I agree to the Terms and Conditions”.  I am also told that students had to click “I agree” to the Terms and Conditions in order to complete the online AP exam. This type of “forced consent” feels more like entrapment.  Will the College Board report the statistics on how many students even opened these Terms and Conditions, and how many students  just clicked agree without opening the Terms?  This Deloitte study found that in general, 97% of  young people agree to conditions without ever reading them.

Third parties,  behavioral analytics, and ad trackers on College Board websites  

To see a detailed report of trackers that Lightbeam and Ghostery found on College Board websites, click here.

I took the practice AP Demo using the Firefox browser with the Lightbeam plug-in and Ghostery add-ons, independently; these tools are free to the public, easy to use and show third party connections and traffic between your device and the internet. I was shocked at what I saw.  When I visited this College Board AP Exam Day Experience (with Coronavirus updates) webpage, I clicked on Demo which brought me to this AP2020 exam demo webpage.

I visited only these 2 College Board public facing websites, which according to Lightbeam and Ghostery, had 26 third parties including YouTube (there was a video tutorial on the AP exam day experience webpage), Google Ads (Doubleclick), Bing Ads (Microsoft), Adobe digital marketing, a Geolocation detector, 2 site analytics trackers including a first-party screen recording and analytics tool called LuckyOrange, found on the College Board’s AP Demo test page.

LuckyOrange:  Keystroke Logger and Behavior Tags

Lucky Orange claims to let you see everything a visitor did on your webpage, offers recordings, ability to see where visitors click, how they use their mouse, and offers keystroke logging and behavior tags.  The Lucky Orange website says,

“Lucky Orange will automatically create a recording of every visitor to your website.  …Filter through millions of recordings instantly and segment the data by browser, OS, referring source, location, device, behaviors, and more. …Watch how customers use their mouse …Segment by location. Segment by device.  …Similar to a DVR, you can play back everything a visitor did.”

Why didn’t College Board disclose their use of this invasive screen recording to users?  What data did College Board enable Lucky Orange to collect, and will this data be shared or licensed?  Can users ask to see their Lucky Orange data and also have it deleted?

Facebook and ad trackers were also found on the SAT registration website.

We have also seen Facebook connecting to College Board websites in the past. In February 2019 while registering for the SAT via the College Board website, this student had 36 different third parties interacting, including Facebook, and Yahoo, Google, Bing, Adobe ads. Ghostery blocked 5 Advertising Trackers: Adobe Audience Manager, Adobe Test and Target, Yahoo.DOTtag, Bing Ads [Microsoft], Facebook Custom Audience and 1 Social Media TrackerFacebook Connect and 1 Unknown Google Tracker on the College Board SAT registration website.

College Board Privacy Statement mentions sharing nonidentifiable data with Facebook & marketing companies. 

When creating your account on the College Board website, clicking on Privacy Policy takes you to this College Board Privacy Center page. Further clicking on Privacy Statement brings you here with a dizzying array of options to “Learn More”. Choose Cookies and Do Not Track Signals. You will see that College Board allows third parties to collect user information; they specifically mention third parties such as Facebook.

“We do use third parties, such as Facebook, to provide information about our educational products. Only hashed, nonidentifiable information is provided to these third parties. Only individuals that have independently created an account on our site and opted in to receive marketing communications from us may receive College Board interest-based advertising on such third-party sites. No personally identifiable information is shared with those third parties.” …“The College Board participates in the Adobe Marketing Cloud Device Co-op to better understand how you use our website across various devices.” [Emphasis added]

Google/YouTube data collection are also mentioned.  Why isn’t Lucky Orange mentioned?  What other third parties are collecting student data from the College Board websites?

Note: Hashing is not anonymous.

It’s also important to note that according to this FTC blog, hashing data fails to provide effective anonymity. As Wolfie Christl explains in this Cracked Labs report, hashed data is not really anonymous; it’s a pseudonym that companies can use to share and match data to individual users across devices and platforms. 

Did the College Board direct students to their AP website and AP Demo page, asking students to take the Demo exam, while allowing third parties to collect student information for Digital Marketing and Google ads, and also behavioral analytics, recording students’ mouse clicks and “everything they do”?  What is the educational purpose in digital marketing and recording everything a user does?

I asked the College Board about AP data collection, sharing, third parties.  They said that only ONE third party had access to student AP data.

In April 2020 I asked the College Board 8 questions about data collection and third party sharing associated with their new online AP tests.  Here are the College Board’s April 28, 2020 answers, by way of assistance from the Colorado Board and Department of Education.  See full letter and College Board’s relayed response here.  One question I asked: What third parties or subcontractors will have access to student data and for what purpose? College Board’s response listed only ONE third party  or subcontractor (ETS) had access to student data. (Remember, this version of  My AP Terms and Conditions  seemingly contradicts this College Board statement as it lists FOUR College Board AP Subcontractors: Academic Merit LLC,  Alorica Inc., Educational Testing Service, Paperscorer. The College Board response doesn’t mention additional subcontractors or website third party trackers, advertisers, analytics or cloud storage companies. They declined to answer many of my questions “in order to protect the integrity of test security”. College Board’s response also said they would not require students to have their cameras turned on to take the AP exam, which contradicts the College Board President’s statement.

U.S. Senators also asked about College Board’s third parties and collection of student data.

Valerie Straus wrote about Senators’ letters sent to both databrokers and edtech companies in her August 2019 Washington Post Answer Sheet piece, Legislators ask 50-plus firms to explain how they use the ‘vast amount of data’ they collect on students. Senators received responses from many of these companies, as mentioned in this footnote comment in the Campaign for Commercial-Free Childhood and Center for Digital Democracy’s March 2020 letter which asks the FTC to conduct studies on companies collecting data from children, including ed tech companies. The CCFC letter and footnote state,

“The Senators received responses from 37 ed tech companies and 3 data brokers. …Most companies claimed they retain the information in identifiable form until the data is no longer relevant to provide the service; at that point, they anonymize the data and retain the derivative data in aggregate form. Several stated they obtained additional data from third parties like National Student Clearinghouse or social media sites, and many stated they work with third-party contractors or vendors to provide services in connection with their software or courseware (and include contracts prohibiting personal data from being used for any purpose other than providing services specific to those programs). Many companies stated that they do not disclose data collection to parents or entertain requests to delete or correct data because they understand that to be the schools’ responsibility. Finally, many companies said they store information on cloud-based servers, and only four companies said the students’ data is encrypted.”

When I reached out to the Senate for follow up, I was unable to get a copy of the College Board’s response. The Senate Aide I spoke to said they were not releasing the response letters at this time but I was able to ask questions about the responses in general. I asked if any of these companies said they do audits to ensure their third parties are using student data only as permitted by their contractual obligations. I also asked if responding companies used geolocation or collected student IP addresses, which is important with schools shifting to online learning at home with personal devices and home internet. How do these edtech companies or their third parties track and use student data from their homes?

Student data is a predictive goldmine.

When people talk about moving assessments and curriculum to online learning, I am reminded of this 2015 quote about (paper based) state tests given at the end of the year; the author said they were “Initiated in the dark ages of data poverty” but “better, faster, cheaper data is available from other sources”. What other sources? Online assessments with embedded data collecting algorithms? Online transcripts and data badges and online tools that measure and track student strengths, weaknesses, passions and emotional patterns are being promoted. Before collecting or sharing these predictive and sensitive data, parents must have equitable options, give informed consent, and the ability to refuse sharing sensitive student data with organizations and companies.

As this Parent Toolkit for Student Privacy explains,

“When students browse the internet — whether at home or school — their information is collected by online companies, bundled as consumer profiles, and then sold in the shadowy data market. Because this data has the potential to accurately predict feelings, motivations, and behaviors, it may be purchased by colleges, employers, mortgage lenders and insurance underwriters to evaluate an individual’s suitability for those services and products.”

We live in a world where schools are pushing the boundaries of surveillance technologies, with facial recognition and data collecting digital learning platforms, where machines reading our emotions is a $20 billion dollar industry. Corporations are pushing for digital identities on blockchain for everything from immunity passports to education,  Artificial Intelligence (AI) is embedded in edtech tools and cloud platforms where machines can automatically make predictions about students, virtual tutors will provide “personalized” learning to students, and algorithms are keeping students out of college. We have teachers conducting brain scans in the classroom, a headband that measures student brain waves, and a scarf that will buzz if the student is distracted. Researchers now suggest using digital fingerprints and personality profiles from your social media posts to predict your future job.  We have K-12 online assessments that  measure students’ social emotional skills and student engagement by how fast the student answers, and infers that the “lack of test engagement is a symptom around a lot of deep-rooted problems”.

Moving testing to an online platform means increased opportunity for data collection, use of artificial intelligence and data analytics. In regards to student data and online assessments, the answer is not more data or online tests with hidden algorithms, or tests that instead measure students’ emotions, mental health, or personality. The answer is not simply a different test company. The answer is not compelling a student to agree to terms of service; privacy is not a right you can click away. College Board and other organizations, non-profit or otherwise, who are using student data must respect children’s privacy, agree to stringent data sharing contracts that require parent consent and transparency about data elements collected and shared, review algorithms for accuracy and bias before collection and processing of student data, prohibit advertising, and never sell (or license) student data. We need enforceable laws surrounding student data collection and use, with steep penalties for misuse. Privacy is a basic human right, not a luxury, and children should be protected, not profiled, stereotyped, licensed or used for profit.  Organizations collecting and using student data can and should do better.

Coalition tells the FTC: Time is up for TiKTok

 

The Parent Coalition for Student Privacy is one of twenty advocacy, consumer, and privacy groups that filed a May 14, 2020 complaint with the Federal Trade Commission (FTC), asking them to investigate and sanction TikTok, formerly Musical.ly, for continuing to violate COPPA, the Children’s Online Privacy Protection Act. The complaint argues that TikTok continues to store and collect children’s personal information without notice to and consent of parents, in violation of its 2019 order by the FTC.

If you are not familiar with TikTok, it is a very popular social media app, with 800  million worldwide users, many of them children.  TikTok allows users to record and upload videos of themselves dancing and singing and the app has more downloads than Facebook.  As this Manchester Evening News piece points out,  the recommended ages are for 12 plus, but “online safety experts say it has been designed with the young user in mind and has a very addictive appeal.”

Why this complaint is important

Because TikTok  is a popular platform for children, parents  worry that TikTok is not safe and that it puts kids at risk of sexual predation. For example, this father warned other parents after his 7 year old daughter was asked to send nude pictures of herself on TikTok. In another instance, a 35 year old Los Angeles man was allegedly targeting girls by posing as a 13 year old boy on TikTok and engaging in  “sexual and vulgar conversations with at least 21 girls, some were as young as 9”.  This February 2020 piece in Parents  says,  “TikTok allows users to contact anyone in the world, and this comes with its own host of hazards”.  The Parents piece goes on to point out that “kids can be targeted by predators, it’s easy to encounter inappropriate content”, and “Even if you set your own account to private, you may still be exposed to sexual or violent content posted to the public feed.”

There are many more concerning  examples of underage TikTok use cited in the complaint. And as the complaint notes, it is easy for a child to fake their date of birth and sign up for an adult TikTok account.

Data is money. Children’s data is valuable, predictive and can profile the user.  As the complaint states,

“TikTok collects vast amounts of personal information including videos, usage history, the content of messages sent on the platform, and geolocation.  It shares this information with third parties and uses it for targeted advertising.”

Parents want to know how TikTok is using their children’s data.  TikTok, owned by Bytedance, uses Artificial Intelligence (AI) and facial recognition.  Per this 2018 Verge article,

 “A Bytedance representative tells The Verge that TikTok makes use of the company’s AI technologies in various ways, from facial recognition for the filters through to the recommendation engine in the For You feed. “Artificial intelligence powers all of Bytedance’s content platforms,” the spokesperson says. “We build intelligent machines that are capable of understanding and analyzing text, images and videos using natural language processing and computer vision technology. This enables us to serve users with the content that they find most interesting, and empower creators to share moments that matter in everyday life to a global audience.”
TikTok also uses persistent identifiers to track kids and TikTok algorithms create profiles of children.  Per the complaint

 

“TikTok uses the device ID and app activity data to
run its video-selection algorithm. When a child scrolls away from the video they are watching, TikTok’s algorithm uses artificial intelligence to make sophisticated inferences from the data TikTok collects to present the next video. The algorithm “entirely interprets and decides what the user will watch instead of presenting a list of recommendations to the users like Netflix and YouTube.”

 

Using personal information in this manner exceeds the limited exceptions for personalization of content. The COPPA Rule is quite clear that information collected to support internal operations may, under no circumstances, be used “to amass a profile on a specific individual.”

 

Yet TikTok does, indeed, amass a profile of each user—including child users—and draws upon that profile to suggest videos of interest to the user. That profile may be based in part on users’ overt behavior, such as liking videos. However, TikTok also appears to amass user profiles based on passive tracking.  As reported in The New Yorker, “Although TikTok’s algorithm likely relies in part, as other systems do, on user history and video-engagement patterns, the app seems remarkably attuned to a person’s unarticulated interests.” Another article observed that the algorithm “goes right to the source using AI to map out interests and desires we may not even be able to articulate to ourselves.” The profiles that TikTok amasses on its users are designed to be used not only to curate which user-generated videos appear in each users’ stream, but also to assist with advertising. ” [Emphasis added]

 

It’s time the FTC uses its power to protect children and enforce COPPA.  The FTC should investigate TikTok,  ensure TikTok is in compliance with COPPA and its consent decree. If TikTok is found in violation, the FTC should take action and sanction TikTok again–with a fine that is proportionate to the degree of TikTok’s violations.

 

We are grateful to the Campaign for a Commercial-Free Childhood (CCFC), the Center for Digital Democracy (CDD), Institute for Public Representation Georgetown University Law Center  and many others for their work on this complaint.

 

Here is The Campaign for a Commercial-Free Childhood (CCFC) full press release.  Additional coverage of the TikTok complaint can be seen as reported in the New York Times, Financial Times, Politico, Morning Tech, and Reuters