Category Archives: Blog

Press Release: Parent, education and privacy groups oppose overturning the ban on a federal student database

Here is background on this issue, with instructions on how to send your own comments to the Commission on Evidence-Based Policymaking, due December 14, 2016.  Here is the letter, signed by several parent, education and privacy organizations, sent  to the Commission today.

For Immediate Release

November 14, 2016
For more information: Leonie Haimson, [email protected]; 917-435-9329

This morning a letter was sent to the federal Commission on Evidence-Based Policymaking from parent groups, education advocates, and privacy experts, urging them not to propose that the ban on a centralized federal database of student personal data be overturned.

Recently, several DC-based groups testified before the Commission, urging that this ban be lifted, which was established by Congress as part of the Higher Education Act in 2008.  The Gates Foundation has also announced that the creation of a centralized federal database to track students from preK through college, the workforce and beyond is one of their top advocacy priorities for 2017.

In the letter, parent, privacy and education organizations warned that eliminating this ban would risk that highly sensitive information would breached, as has occurred with sensitive data held by many federal agencies in recent years.  A hack into the Office of Personal Management released personnel records of about 22.1 million individuals. More recently, an audit of the US Department of Education found serious security flaws in their data systems, and a government security scorecard awarded the agency an overall grade of “D.

Moreover, K-12 student data currently collected by states that would potentially be incorporated in the federal database often include upwards of 700 specific personal data elements, including students’ immigrant status, disabilities, disciplinary records, and homelessness. Data collected ostensibly for the sole purpose of research would likely be merged with other federal agency data and could include information from their census, military service, tax returns, criminal and health records.

Said Leonie Haimson, co-chair of the Parent Coalition for Student Privacy, whose members led the fight against inBloom, designed to capture and share the personal student data of nine states and districts, “A centralized federal database containing the personal data of every public-school student would pose an even greater risk to individual privacy than inBloom.  It would allow the government to create dossiers on nearly every United States resident over time, and if breached or abused would cause immeasurable damage.”

As privacy advocates in England recently discovered, the personal information in a similar national student database that the government promised would be used only for research purposes has been secretly requested by the police and by the Home Office, in part to identify and locate undocumented children and their families.

“Our disastrous data privacy situation here in England should serve to warn Americans of the grave dangers of this sort of comprehensive student surveillance and database. The personal confidential information in our National Pupil Database was supposed to be used only for research, but we found out recently that data on thousands of students and their families has been secretly requested by the police and for the purposes of immigration control in just the last 15 months. It would be unwise and irresponsible for the United States to create a similar database, which can so easily be used for political purposes which are not in all children’s best interests,” said Jen Persson, coordinator of defenddigitalme, a privacy and digital rights group in the UK.

Chad Marlow, Advocacy & Policy Counsel of the American Civil Liberties Union, said: “Improving educational opportunities for children and protecting student privacy are not mutually exclusive goals.  In fact, it is our responsibility as parents, educators, and Americans to doggedly pursue both objectives.  Creating any type of centralized database for personally identifiable student data would pose real and significant risks to the privacy of America’s students, and that is why such databases have consistently been rejected in the past.  With education policy, as with privacy, ‘do no harm’ is a reasonable place to start, and here, doing no harm clearly requires rejecting any attempts to establish a universal database that compiles and tracks students’ most sensitive information.”

Diane Ravitch, President of the Network for Public Education and NPE Action pointed out, “Whether Democrat or Republican, the one thing parents agree on is the importance of their child’s privacy. To allow the federal government to collect personal and sensitive data on every public-school student in the nation risks that this information would be misused by the government and corporations. “

“Parents Across America opposes any effort to establish a national student record system. Ever since the federal government weakened protections for student privacy, parents have been in a crisis mode. Our children are exposed every school day to a growing mish-mash of screen devices and online programs that capture mountains of their data. We know that the threat to privacy will only get worse if there’s a national record system; education profiteers will line up to tap into an even more convenient source of private student information. But we are determined not to let that happen to our children’s data,” said Julie Woestehoff, Interim Executive Director of Parents Across America.

Lisa Rudley, Executive Director of the NY State Allies for Public Education, observed, “Data collection and sharing of our children’s personally identifiable information should require a parent’s informed consent. Just because the technology of data mining is here, it doesn’t mean children’s privacy rights should be sacrificed.”

“Our children and their families deserve protection of their data.  More importantly, we must understand that protecting our children relies upon protecting their personal information from breach or abuse,” concluded Marla Kilfoyle, Executive Director of the Badass Teachers Association.

The Commission on Evidence-Based Policymaking is accepting public comment on this matter until December 14, 2016. For more information, visit https://studentprivacymatters.org/federaldatasystem/

####

Serious privacy concerns with new Summit/Facebook platform, used in 100 schools across the nation

Our concerns about the open-ended data sharing of the  washington-post-front-page-10-12-16 Summit/Facebook software platform was featured on the front page of today’s Washington Post. This software is in 100 schools nationwide, about two thirds of them public schools. The list is here. Two of the schools are in NYC: the Bronx Writing Academy in District 9; and J.H.S. 088 Peter Rouget in District 15 in Brooklyn.

Summit is sharing the student personal data with Facebook, Google, Clever and whomever else they please – through an open-ended consent form that they have demanded parents sign.  A copy of the consent form is here.

I have never seen such a wholesale demand from any company for personal student data, and can imagine many ways it could be abused.  Among other things, Summit/Facebook claims they will have the right to use the big-eye-datapersonal data “to improve their products and services,” to “conduct surveys, studies” and “perform any otheractivities requested by the school. ”

Here is an excerpt:

Summit may collect information that you provide or your child provides directly to Summit, such as contact information, coursework, testing, and grades. Summit also may collect information automatically from browsers, computers, and devices (such as information from cookies and browser and device identifiers in order to remember your preferences)….. Summit may use your child’s information to conduct surveys and studies; develop new features, products, and services; and otherwise as requested by your school or consistent with your consent. … Summit also may disclose information to third-party service providers and partners as directed or authorized by the school. For example, Summit uses Clever, Facebook, and Google to help develop and improve the personalized learning plan software or to provide related educational services on Summit’s behalf.

They claim they won’t use the child’s personal data for targeted ads (as would be banned anyway in the CA law called SOPIPA) but this is among the only restriction. They say they can sell the data “in connection with a corporate transaction, such as the sale of our Services, a merger, consolidation, asset sale.” The one-sided Terms of Service is here; the Privacy Policy is here.

The Summit platform has never been independently vetted for security protections – or shown to yield any educational benefits, and I believe is a very radical way to outsource instruction and student data to private companies.

Other reasons that teachers as well as parents should be concerned:

The Terms of Service claims the right to use the intellectual property intellectual-property-brainof teachers in these schools, including course assignments, etc. and even student work without any recompense: “You Grant Us a non–‐exclusive, perpetual, transferable, sub–‐licensable, royalty–‐free, worldwide License to use content that you post on or in connection with the Services in any manner, media, form, and modes of uses, now known or later developed.”

–Though I’m not an attorney, the Terms of Service seems to explicitly and repeatedly waive any liability  that Summit or FB or any of its partners may have for protecting the data against breaches, complying with state or federal law,  or abiding by their own Terms of Service;

— As the Washington Post article points out, the TOS would force any school or party to the agreement (including teachers) to give up their right to sue in court if they believe their rights or the law has been violated, and limits the dispute to binding arbitration in San Mateo CA – in the midst of Silicon Valley, where Facebook and Google presumably call the shots.  This is the same sort of abuse of consumer rights that that banks and credit card companies have included in their TOS and that the federal Consumer Financial Protection Bureau is now trying to ban.

–The CEO of Summit charters, Diane Tavenner, is also the head of the board of the California Charter School Association, which has aggressively tried to get pro-privatization allies elected to California school boards and state office, and has lobbied against any real regulations or oversight to curb charter school abuses in that state.

– –  Summit says they won’t sign individual contracts with school districts or schools, for the    following ostensible reasons, and suggests a legal loophole for states and districts that require such contracts:

Summit Public Schools is unable to sign contracts, MOUs, or other legal documents from other districts, CMOs, or individual schools. Straying from our Summit Partnership contracts would add immeasurable risk to our organization as we are unable to acquire third party validation on different contracts in the way that we did for our own participation agreement. It would not be legally sound for us to enter into two legal contracts with two sets of potentially conflicting commitments for one program.

Some districts that have policies where all third party vendors need to sign one designated contract were able to bypass that requirement given the status of Summit Public Schools as an educational organization rather than a vendor and the nature of the partnership as a free exchange of ideas and services rather than a paid service relationship.

And then they add – presumably to assuage the fears of parents or school administrators:

In order to ensure that our legal agreement meets the high quality demanded by school organizations across the U.S., Summit Public Schools has gone the extra mile to work with one of the best legal teams in the country to draft this agreement. We worked with Jules Polonetsky – CEO of the Future of Privacy Forum, a Washington, D.C.-based think tank that seeks to advance responsible data practices – and his team to review our privacy policies and provide his 3rd party stamp of approval. Straying from the language in our participation agreement would add risk as we are unable to also acquire third party validation on different contracts.

What they don’t reveal is that the Future of Privacy Forum is largely funded by the technology industry and the Gates Foundation, and Polonetsky was a big supporter of inBloom.  (Nevertheless, the sample contract they apparently offered to Kentucky schools did not include the binding arbitration clause, though it limits Summit’s liability to $10,000.)

For these and other reasons, I think parents and students should be VERY concerned.  

In my view and that of many other parents, the explosion of ed tech and the outsourcing of student personal data to private corporations without restriction, like this current Summit/Facebook venture, is as risky for students and teachers as the privatization of public education through charter school expansion.  In this case, the risk is multiplied, since the data is going straight into the hands of a powerful charter school CEO – closely linked to Gates, Zuckerberg and Laurene Powell Jobs, among the three wealthiest plutocrats on the planet.

Gates has praised Summit to the skies, has given the chain $11 million, and has made special efforts to get it ensconced in his state of Washington; Zuckerberg is obviously closely entrenched in this initiative, and Laurene Powell Jobs has just granted the chain $10 million to launch a new charter school in Oakland.

I sent the following list of questions to Summit at [email protected] nine days ago, but have received no response.  Others — especially parents at these schools and/or privacy advocates — might like to send their own questions or resend mine as well.  And if you are a parent or a teacher at one of these schools, please contact me ASAP at [email protected]  Thanks! Leonie

Questions for Summit:

  1. 1. What is Summit’s definition of “reasonable and comprehensive data protection and security protocols to protect student data”?  What does that specifically include in terms of encryption, independent audits, security training, etc?  And where is that in writing?
  2. 2.   If my child’s data does breach, what rights would I have as a parent to secure damages?
  3. 3.  Does Summit claim unlimited rights to share or utilize my child’s homework and intellectual property without notice or compensation that they are claiming with teacher work in the TOS?
  4. 4. Can Summit specifically itemize the companies/organizations that they will share my child’s data with, aside from those mentioned below?
  5. 5.  Are each of these third parties barred from making further redisclosures of my child’s data?
  6. 6.  Are each of these third parties, and any other organizations or companies or individuals they redisclose to, legally required to abide by the same restrictions as listed under your TOS and PP, including being prevented from using targeted or non-targeted advertising, and/or selling of data, and using the same security protections?
  7. 7. Does Summit promise to inform parents over the course of the year all the additional third parties the company plans to disclose my child’s data to?
  8. 8. What is the comprehensive list of personal data Summit is collecting and potentially sharing from my child?  You mention a limited list below, but does it also include my child’s homework, grades, test scores, economic status, disability, English proficiency status and/or race as well?
  9. 9.  The TOS mentions survey data.  Is there any personal data from my child that Summit promises NOT to collect via a survey or otherwise?  Will parents have the right to see these surveys before they are given and opt out of them, or does signing this consent form basically mean a parent is giving up all their rights under the PPRA?
  10. Why can’t Summit simply give the software platform to schools to use if it is beneficial, along with links to instructional materials, rather than demand as “payment” in the form of all the student information as well?

1   11. Do you promise not to use the information gained to market products directly to students and/or their parents, and are all your partners and/or those they disclose the information to barred from doing so as well?

1   12. The PP says you will use my child’s personal data to develop new educational “products” – what does that mean?  Why can’t you use de-identified data for this purpose?

  1. It also says you will use this data to “communicate with students, parents, and other users.”  What does that mean? What kind of communications will you engage in with my child or with me?
  2. The PP states a parent can “review, correct or have deleted certain personal information”.  Which kind of personal information can I delete, how will I be able to do that and will that stop my child from using the platform?

1    15. The PP also says you will share the data with anyone “otherwise directed or authorized by the school.”  What does that mean? Does my signing a consent form mean that the school can authorize to share this information with ANYONE else, without specifying the sort of third party, for what reason, or without limitation, without informing me or asking for my further consent?

1   16. It says it will send notice of proposed changes to the PP ahead of time to the participating schools; why not parents if you have their contact info?  Shouldn’t they hear this directly from you and immediately if you are considering changes?

  1. Does Summit consider this parent consent form to mean that parents are waiving the privacy rights of their children under all three federal student privacy laws, including FERPA, COPPA and PPRA?

1  18. The PP says that “FERPA permits schools to share students’ information in certain circumstances, including where the school has gotten a parent’s’ consent or where the organization receiving the student data operates as a “school official.” Summit Public Schools operates as a “school official” consistent with the Department of Education’s guidance under FERPA.”  If this is true, why does Summit need to ask for parental consent?  What additional rights does my consent afford Summit that you would not have without consent in terms of the collection, use and disclosure of a student’s personal information?

  1. Summit says that “Participating schools and individual teachers own, and are responsible for, student data provided through the Summit Personalized Learning Platform.” Why don’t students own their own data?
  2. This raises another related question: the Summit Privacy Policy and Terms of Service grants schools and teachers some rights (however limited.) What rights do parents and students have under these conditions?
  3. The TOS says that if schools believe Summit has violated its promises or complied with the law, instead of suing they must submit to binding arbitration in San Mateo CA and are barred from filing class action complaints.  This type of provision has been heavily criticized when banks and credit card companies have included in their consumer agreements, and the Consumer Financial Protection Board is considering restricting their use. Why is this clause any more acceptable in your TOS?
  4. What legal recourse do schools, teachers or parents have if Summit violates the law or its TOS, for example if Summit decides to sell or give away or carelessly store the data given that the TOS  says “UNDER NO CIRCUMSTANCES, INCLUDING WITHOUT LIMITATION, NEGLIGENCE, WILL SUMMIT, ITS AFFILIATES, OR ANY PARTY INVOLVED IN CREATING, PRODUCING, OR DELIVERING THE SERVICES BE LIABLE FOR DAMAGES OR LOSSES” in any case?
  5. In yet another clause of the TOS, Summit requires schools to “agree to indemnify, hold harmless, and defend Summit, and its affiliates, licensors, and service providers, and each of their respective officers, directors, contractors, agents…etc.et. against any and all demands, claims, liabilities, judgements, fines, interest, penalties… etc. including attorneys’ fees etc.” Why the need for so many layers of self-protection and disclaimers of liability?
  6. What rights does a parent have in general if Summit violates the TOS or the PP?  Are they bound to the binding arbitration clause in the TOS that the school must agree to?
  7. In another FAQ here, Summit says that it will not sign contracts or written agreements with individual school districts, and if the state requires this under law, districts or schools should try to “bypass that requirement” by claiming that a) Summit is not subject to the law because it is not a “vendor” but an “educational organization” and b) that they should not have to sign a contract because of the “nature of the partnership as a free exchange of ideas and services rather than a paid service relationship.”  But if you are gaining potential economic and programmatic benefits from your access to student data, including using it to build new and better “products” as the TOS states, why isn’t this a commercial relationship bound by state law?  And if this relationship is truly a “partnership” with a free exchange of ideas, why is the TOS so one-sided and seems to protect Summit from any possible liability, and not the school?

Parent Coalition for Student Privacy relieved Daines/Blumenthal SAFE KIDS Act pulled

For Immediate Release: September 21, 2016

Contact: Rachael Stickland; [email protected], 303-204-1272

Parent Coalition for Student Privacy relieved Daines/Blumenthal SAFE KIDS Act pulled
Coalition members feared the bill would open up the floodgates of commercialism

 

The Parent Coalition for Student Privacy, composed of parents, advocates and educators throughout the nation, and whose members led the fight against inBloom, are relieved that the SAFE KIDS Act, co-sponsored by Senators Daine and Blumenthal, scheduled to be marked up in the Commerce Committee today was pulled at the last minute.

Rachael Stickland, co-chair of the Parent Coalition for Student Privacy said, “While we appreciate the sincere motivation of these Senators to put controls on how personal student information is used by companies and organizations, we believe that this bill would have inadvertently further eroded student privacy.  Right now, both the Student Privacy Pledge and FERPA, as well as other federal laws, actually ban the use of student data for non-educational purposes including behavioral advertising, while this bill would seem to have allowed for that possibility.  There is also much confusion and ambiguity in the bill’s language about how parents would be informed about how their children’s data was being used by companies, how to request its deletion, when this would occur, as well as what specific security protections would be required to protect against breaches.”

Josh Golin, Executive Director of Campaign for a Commercial Free Childhood, said: “The bill, though well-intentioned, had far too many loopholes to give children the protection from commercial exploitation that they deserve. It allowed unlimited targeted ads to students through the use of apps assigned by schools, as long as these ads were based on personal information gained through an individual online session.  It also exempted some of the most frequently assigned websites and apps such as YouTube.  This is unacceptable, as advertising is harmful to children and detracts from any educational benefits the program might otherwise provide.”

Leonie Haimson, the Executive Director of Class Size Matters and the co-chair of the Parent Coalition concluded, “We would like to work with Senators Daine and Blumenthal and the other members of the Commerce Committee on improving this bill to ensure that student privacy is strengthened rather than further eroded, given the push from some sectors of the ed tech industry to exploit our children’s personal information and to treat them as consumers rather than as students.  Parents are increasingly concerned about the accelerated adoption of so-called educational apps in schools; we strongly believe their use must be approached with caution and regulated with a firm hand, to ensure that they do not violate children’s privacy and safety, or undermine the learning experience. We feared that this bill would further open up the floodgates of commercialism.”

###

Note: POLITICO Morning Tech reported on our press release, found here.

Back to school tip: Take control of how your school shares your child’s “directory information”

Back to school season can be a busy or even stressful time for both parents and children. As the days grow shorter, the “to-do” list grows longer. Number one on the list – because of its importance and time sensitivity – should be to opt out your child from directory information sharing at school.

What is directory information?

According to the U.S. Department of Education, directory information is a limited set of personal “information that is generally not considered harmful or an invasion of privacy if released” and often includes a student’s name, address, telephone number, email address, photograph, date and place of birth, etc.  It does NOT include even more intimate and sensitive personal information like test scores, grades, disability or disciplinary records that schools can legally share with companies, contractors and other third parties without parental knowledge or consent for operational, evaluation, and research purposes. The federal government has allowed these growing number of exceptions through regulatory amendments over the last decade or more, described in detail here and here.

The federal law known as the Family Educational Rights and Privacy Act (FERPA) enables schools or school districts to share directory information with any person or organization outside the school/district without parental consent — but only when the school/district provides public notice to parents first. Notice must include:

  • The types of student information that the school/district has designated as directory information;
  • Details about a parent’s right to refuse to allow the school/district to designate any or all of those types of information as directory information; and
  • The amount of time the parent has to notify the school/district in writing that he or she does not want any or all of this information shared with others outside the school.

FERPA allows schools/districts to adopt their own directory information policies, but if they choose to provide students’ directory information to a limited number of third parties, their public notice to parents must specify the individuals, groups or companies who may receive directory information and/or for what purposes. Unfortunately, this public notice may not always be provided, and when it is, it is often difficult to find because it may be buried in hundreds of pages of information during registration, in a student handbook, a parent newsletter, school announcement, local newspaper, or website.

Most schools/districts give parents only ten to thirty days from the start of the school year to exercise their right with regard to directory information, and most offer parents a limited choice between two options:

1) Allow schools and districts to share students’ directory information with anyone including marketing companies and the media — often referred to as “opting in” to sharing directory information; or

2) Refuse to allow schools and districts from sharing directory information with anyone, including parent organizations for purposes of creating school phone directories, graduation brochures, or companies who publish yearbooks — often referred to “opting out” of sharing directory information.

This type of “all-or-nothing” approach presents a huge challenge for many parents. On the one hand, parents don’t want their children’s private information shared with anyone who requests it. On the other hand, most parents would like their children to be included in school-related publications like yearbooks, directories, brochures, and newsletters.

While FERPA doesn’t require schools to allow parents the option to select which types of directory information can be shared with whom, some privacy-minded school districts in Maryland, Montana, and North Carolina, for example, have abandoned the “all-or-nothing” approach for a “menu selection” which gives parents more control over their student’s directory information.

The Parent Coalition for Student Privacy and the Campaign for a Commercial-Free Childhood have prepared a model Directory Information Opt Out form for parents to submit to their schools at the start of the school year, as part of a larger privacy toolkit that we will release soon, via a grant from the Rose Foundation.  Our Directory Information Opt Out form is designed to respect the ability of parents to choose what information they would like shared for what purposes, while also protecting their children’s privacy.

Why should parents opt out?

FERPA became law in 1974 at a time when students’ directory information was used primarily in school-sponsored publications like yearbooks, and to identify student athletes for local newspaper articles. Over the last forty years, individuals, groups and companies have recognized the value of this student information – especially with the creation and growth of the Internet – for commercial and non-educational purposes. Companies who access students’ directory information can sell it to others or use it to market products directly to students, political offices can use it to build their voter tracking systems, thieves can use it to steal identities, and perpetrators can use it to stalk students or commit other crimes.

How can parents opt out?

  1. Ask the school or school district for its “directory information” policy.
  2. If the school/district has a policy, read it carefully to find out which personal details are considered directory information and with whom it can or will be shared.
  3. If the policy forces parents to choose between opting in or opting out of all sharing of directory information, parents should opt out to protect their children’s privacy. However, doing so could mean that their children’s names and pictures will not be listed in the yearbook or other school-related publications.
  4. Share the model Directory Information Opt Out form we have prepared with the school’s principal or other school officials and encourage them to adopt a new policy giving parents more control over their children’s information.
  5. If the school/district does not have a directory information policy, ask if they will be sharing student’s directory information with third parties outside of the school. If the answer is yes, explain that FERPA requires that parents must be given public notice as described above, then complete the model Directory Information Opt Out form and submit it to the school/district. Follow-up in writing to ensure that the request will be honored.

Disclaimer: This commentary does not constitute legal advice. Consult a private lawyer or call your local ACLU should you have specific questions.

Download the Directory Information Opt Out from here (.docx) or here (.pdf).

 

Parent Coalition for Student Privacy opposes dangerous “model” employee & student privacy legislation

Adapted from the EFF website.

The Parent Coalition for Student Privacy joinbig-brother fotoed the Electronic Frontier Foundation,  ACLU, and a coalition of nearly two-dozen civil liberties and advocacy organizations  to urge the Uniform Law Commission (ULC) to vote down dangerous model employee and student privacy legislation.

The bill, the Employee and Student Online Privacy Protection Act (ESOPPA), is ostensibly aimed at protecting employee and student privacy. But its broad and vaguely worded exceptions and limitations overshadow any protections the bill attempts to provide. As the letter below explains, ESOPPA will result in only further invasions of student and employee privacy.

The ULC is a nonpartisan organization dedicated to researching, drafting, and promoting the enactment of uniform state laws, which it drafts and circulates as “models.” The ULC will vote on ESOPPA on July 11 at its annual meeting, and if it passes, the ULC will circulate the bill to legislators across the country in the hope of uniform adoption in all fifty states. But ESOPPA falls far short of its goal and does not live up to the prevailing standard for protecting social media privacy currently being enacted by the states and as required by the U.S. Constitution.

Social media accounts include vast quantities of sensitive personal information. As the U.S. Supreme Court made clear in Riley v. California, searches of digital devices are grave invasions of personal privacy in ways that physical searches could never be. Yet ESOPPA does next to nothing to prevent school administrators and employers—including public school employees and state officials—from coercing or requiring students and employees to turn over private, non-publicly available information from such accounts. The bill not only fails to comport with protections afforded to such sensitive personal communication under the Constitution, but the few protections it purports to provide are ripe for abuse and without measures to ensure accountability.

Furthermore, ESOPPA applies only to students at the college level and beyond, leaving the privacy of K12 students completely exposed.

That’s why we’re asking the ULC to either address ESOPPA’s deficiencies or reject the bill outright at its upcoming meeting. Other organizations, including the Foundation for Individual Rights in Education (FIRE), have also sent their own letter to the ULC opposing the current draft of ESOPPA.

You can read the full text of the letter below.

July 6, 2016

Members of the Uniform Law Commission
111 N. Wabash Avenue, Suite 1010
Chicago, Illinois 60602

Oppose Unless Amended: Employment and Student Online Privacy Protection Act

Dear Commissioner:

As civil liberties groups, advocacy organizations, student and parent rights coalitions, and a union representative, we write to you today to express deep concern over the Employee and Student Online Privacy Protection Act (“ESOPPA”). We appreciate the ULC’s interest in protecting the privacy of employees and students alike, but the version of the bill submitted to the full ULC committee for approval at the upcoming annual meeting fails to accomplish that goal in light of its significant deficiencies. While it purports to protect both employees and students, its broad and vaguely worded exceptions and limitations overshadow any protections the bill attempts to provide—doing next to nothing to prevent school administrators and employers from coercing or requiring students and employees to turn over highly sensitive social media account information. These provisions do not comport with the Fourth or Fifth Amendment, and will result in only further invasions of student and employee privacy.

We ask that you not adopt this bill until these issues have been adequately addressed. If these issues are not addressed, we urge you to reject the proposed bill in its entirety. Three of the bill’s provisions are most problematic:

First, the bill authorizes state employers and public educational institutions to require an employee or student to turn over information related to their social media account, including login information and social media content, based merely on “specific information about the student’s protected personal online account,” in order to (i) ensure compliance with, or investigate non-compliance with, federal or state law or an educational institution policy; or (ii) “to protect against . . . a threat to health or safety[.]”

The U.S. Supreme Court made clear in Riley v. California, 134 S. Ct. 2473 (2014), that searches involving technology and electronic devices are grave invasions of personal privacy in ways that physical searches could never be. That case involved cell phones, which the court recognized as especially important due to the many kinds of information they contain: “Modern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse. . . . The term ‘cell phone’ is itself misleading shorthand; many of these devices are in fact minicomputers that also happen to have the capacity to be used as a telephone.” Id. at 2488–89. Social media accounts contain similarly vast amounts of personal information and implicate the very same concerns. Permitting government agents access to students’ and employees’ social media accounts under the vague terms of the current draft of ESOPPA does not comport with the level of protection afforded to such personal information under the Constitution.

Second, although the bill attempts to limit employers or educational institutions access by requiring that any such entity “reasonably attempts to limit its access to content relevant to the purpose justifying that access[,]” such a limit will prove hollow, as it is not technically or practically possible to segregate “relevant” from irrelevant content until all content is accessed. This provision, coupled with the overbroad grant of authority for employers and schools to compel or coerce employees and students to turn over social media account information, renders ESOPPA ripe for abuse by employers and education institutions alike. And the bill includes no measures to ensure accountability.

Third, the limited privacy protections that ESOPPA claims to provide for students have a glaring deficiency—the bill does not apply to most students. ESOPPA provides purported protections only to students at the college level and beyond, leaving the privacy of students at the high school level and below completely exposed. This is not a trivial concern. Students in secondary school and below use social media to learn about and discuss highly sensitive subjects, such as reproductive choices, sexual orientation, gender identity, and political perspectives. In many communities across this country, exposing a student’s perspective on such topics could not only be embarrassing, but it could also place the student’s safety—or even life—at risk. The only option ESOPPA leaves for non-college students who want privacy protection is to not use social media at all. This “option” would do tremendous damages to one of the most vibrant free speech platforms utilized by young people today. This is not acceptable.

We believe it is possible to create a bill that addresses the concerns raised in this letter, protects student and employee privacy, and grants educational institutions and employers the ability to procure social media account information when required or permitted under law, such as when investigating specific allegations of unlawful harassment in the workplace or specific allegations of unlawful bullying by a student or prospective student of another student. Indeed, the American Civil Liberties Union has worked closely with other advocacy organizations and Internet companies alike on its own model legislation, a version of which was enacted in four states this past legislative session alone. Those laws represent the prevailing standard for protecting social media privacy in 2016. ESOPPA, which is coming out of a three-year planning and drafting process, is already showing its age—and it has not even been voted on by the ULC yet. Unless it is the ULC’s objective to roll back the standard for protecting social media privacy currently being enacted by the states, ESOPPA must be significantly revised before it is adopted. The signatories of this letter fully intend to continue our successful efforts to have true social media privacy bills enacted in the states, and if that requires us to oppose ESOPPA, we certainly will.

In order to ensure that ESOPPA does not impermissibly infringe on employees’ and students’ rights, and to enable us to work with rather than against each other on this important issue, we urge the full ULC Committee to either address these concerns or to reject the bill outright.

Thank you for your time and attention to this matter.

Sincerely,

American Civil Liberties Union

American Library Association

Bill of Rights Defense Committee

Center for Democracy & Technology

Center for Digital Democracy

Common Sense Kids Action

Constitutional Alliance

Consumer Watchdog

Defending Dissent Foundation

Demand Progress

Electronic Frontier Foundation

Fight for the Future

Free Speech Coalition

Government Accountability Project

Michelle Castro, SEIU California,  Director of Government Relations

National Coalition Against Censorship

Network for Public Education

Network for Public Education Action

NYS Allies for Public Education

Parent Coalition for Student Privacy

Parents Across America

Privacy Rights Clearinghouse

Restore the Fourth

Safety Net Project of the National Network
to End Domestic Violence

Woodhull Freedom Foundation

World Privacy Forum