Category Archives: Blog

What Your Child Really Needs To Know Before Taking the SAT (or ACT)

By Rachael Stickland and Leonie Haimson, co-chairs, Parent Coalition for Student Privacy

High schoolers hate waking up early on Saturday mornings, especially to take high-stakes tests like the College Board’s SAT or the ACT. Next Saturday, January 23, 2016 marks the last time that U.S. students are able to take the current SAT before the new test comes online on March 5.

Anxiety over the “new” test has left many families scrambling to get their kids registered for the older, well-established version to be administered in just a few days. Now that the day is almost near – training courses and practice tests completed – there’s one last thing parents must do to help their children prepare for Saturday: advise them not to answer the optional pre-test questions.

Just moments before administration of the exam officially begins, or upon registering online, students may be asked to answer questions on a student questionnaire and to check off a box agreeing to participate in the Student Search Service ™ program if they want to receive information from colleges or scholarship organizations. See below or here for more information:
add this screenshot in case it goes away

According to POLITICO, “Depending on the exam, at least 65 percent — and as many as 85 percent — of test takers check that box, according to the College Board and ACT. Parents do not have to give their consent, as this is only required by federal law while collecting personal data from children under 13.”

Students will be asked their Social Security number; other questions may include their grade point average, religious affiliation, ethnicity, family income, interests, citizenship, disabilities, and more. Under immense pressure to perform well on the test, and often not aware that answering these questions is fully voluntary, students may be enticed to offer up this information, especially if they believe it will increase their opportunity to be recruited by elite colleges or offered scholarships. They may not even realize that this information may be used to help colleges decide who not to recruit or admit as well. As the College Board puts it,

As part of taking a College Board exam, students are asked to fill out a student data questionnaire…. Participating, eligible organizations can then search for groups of students who may be a good fit for their communities and programs, but only among those students who opt to participate in Student Search.

The search criteria can include any attribute you provide, except the following: disability, self-reported parental income, social security number, phone numbers and actual test scores. The most searched items are expected high school graduation date, cumulative GPA and intended college major.

And: By opting in, they give the College Board permission to share their names and limited information with colleges and scholarship programs looking for students like them.

In other words, colleges are looking not just for students to recruit but who to admit and/or reject; or as the College Board softly frames it, those “who may be a good fit for their communities and programs.”

What your weary-eyed, college-bound children may not also realize is that when they provide the College Board or ACT personal details, their “profiles” are not simply “sent” to interested parties, rather they are sold for as much as 40 cents apiece in the shadowy data market.

According to the College Board website: “During the registration process, we ask students for: name, address, date of birth, gender, Social Security Number or student ID, and address. We may also ask for phone numbers and email addresses, school name, grade level or expected graduation date, ethnicity, and a parent’s name, email address, and education level.”

And: “…we ask students for personal information to help them make choices about their future. To help students receive the most relevant and accurate information about their college options and scholarship opportunities through Student Search Service®, we also ask optional questions about academic and extracurricular interests, career and field of study interests, family income, and religious preferences. Students must opt in to participate in this service; the College Board does not include students without their consent. Students may also opt out at any time.

Note that link above, in case you or your child have already opted in upon registration that you still have the right now to opt out. The information requested varies by the exam they are taking, with the most intrusive data being asked of students when taking the SAT and PSAT, including religion, ethnicity and grades and citizenship, while less intrusive information is asked of students taking AP exams. See here for the differences.

Some parents may find this practice acceptable, especially if they perceive that their children “may” benefit when their information is passed along – or they may not. But what is also objectionable is that the College Board and ACT refuse to tell students (or parents for that matter) that they SELL the information. According to POLITICO, ACT’s profits generated from selling student profiles were approximately $15 million in 2012; the College Board wouldn’t disclose its revenue from its trademarked Student Search        Services ™ program but it surely was many millions as well.

At one place on its website, College Board falsely claims it doesn’t sell student data. On its “privacy policy” page, many parents will read the following: “The College Board does not sell student information. Students can voluntarily opt in to our Student Search Service. Qualified colleges, universities, nonprofit scholarship services, and educational organizations pay a license fee to use this information to recruit students and manage enrollment in connection with educational or scholarship programs.”

What the difference is between selling student data or selling “a license fee” to colleges and organizations to receive the data is a difference without a difference.

On another page, the company adjusts this claim by saying only that it doesn’t sell student data to test prep companies – not mentioning colleges or other organizations: “It is the College Board’s strict policy NOT to sell student information to test-preparation companies, nor are such companies affiliated with the College Board.”

On a yet a different page, meant for its institutional clients, the College Board makes clear that it does indeed sell student data, at 40 cents per name, and offers high priced subscription services for “enrollment planning”:

See the Pricing and Payment Policies here:

pricing

The Enrollment Planning Service, according to the College Board “precisely locates students — both within the United States and abroad — who meet admission criteria and are likely to succeed at a particular institution. Enrollment Planning Service also informs better and more-strategic recruitment activities based on a wide range of criteria including geography, demographics, academic preparation and educational aspirations.”

Its Segment Analysis Service™ (formerly Descriptor PLUS™) is a powerful data enrichment service that allows admission professionals to identify promising prospective students by learning more about where they live and where they go to high school. Segment Analysis’ Educational Neighborhood and High School Cluster tags leverage data on millions of students and thousands of high schools to provide a more complete picture of various student segments and help you align your recruitment efforts to the characteristics of these segments.”

College Board adds that the Segment Analysis Service allows institutions to “achieve better yields from admission through graduation,” presumably in the effort to boost their four year graduation rates.

This is not to let off the ACT off the hook. ACT subjects parents and students to an even more detailed and intrusive survey on their website, with detailed questions about a student’s disabilities, preferences, religious practices, hobbies and more.

According to POLITICO, the ACT also lets customers filter student profiles by family income, parents’ education levels and student disabilities.

As first reported by an independent educational consultant Nancy Griesemer, the ACT even sells an algorithm to colleges based upon a student’s personal data points to help them decide whom to admit – without informing parents or students how this information may be used:

“… assessments [are] provided to approximately 450 institutional participants in ACT Research Services of “Overall GPA Chances of Success” in various general categories of majors including education, business administration, liberal arts, and engineering, as well as “Specific Course Chances of Success” in broad areas such as freshman English, college algebra, history, chemistry, psychology etc.

Chances of success are made in terms of those students likely to receive a “B” or better in these areas or those students likely to receive a “C” or better. And they are nowhere to be found on the ACT report provided to students and families.”

Why the secrecy? Why the deception? If you find this outrageous, you’re not alone. As far back as 2011, the data collection and storage practices, as well as the commercialization of student information, by College Board/ACT spurred Congressional inquiry.

A lawsuit was filed against the College Board and ACT in 2013 (Spector v. ACT, Inc. et al) and another in 2015 (Silha v. ACT, Inc. and the College Board), for deceptive practices, in that they never disclosed to students that their data was being sold as opposed to freely “shared.”

Unfortunately, the first lawsuit was voluntarily dismissed by the plaintiff in 2014, and the second lawsuit was recently dismissed when the Judge ruled that the plaintiffs failed to make their case showing any harm to the students from the sale of their data.

A Parent Coalition for Student Privacy researcher, Cheri Kiesecker, recently wrote the College Board to ask if students chose to NOT complete the survey, would their college admission chances be affected. See the reply from SAT / College Board here. Their representative responded that if a student does not opt in to Student Search Service ™, ”it will not impact their chances at being accepted into colleges or scholarship programs in any way.” What the representative did not say that if they opt in, it may negatively affect their application or scholarship opportunities.

So what should you say to your children if you’re a parent concerned with their privacy?

On its website, the College Board offers a “Test Day Checklist,” including what to bring (i.e. photo ID) and what to leave at home (i.e. cell phone) on test day. The same website links to the College Board’s Student Search Services ™ data-selling program where it reminds test takers to check the box to opt in when you take the SAT. (See the screenshot below.)

Use this information to educate your children. Explain to them why it’s important to never share personal information that is not absolutely necessary to register for or take the test. Advise them not to share their Social Security number or any other information that is not required. Show them the screenshot to see what the search consent checkbox may look like and how to answer. Then use our handy checklist to get yourself ready for the big test on Saturday.

And remember … once the test is complete, encourage your children to research colleges and scholarships on their own that might be a good fit for them. Their personal information doesn’t have to be sold– and should never be offered unknowingly in a manner that could limit their opportunities.

Parent Coalition for Student Privacy’s SAT Pre- Test Day Checklist:
1. On Thursday or Friday, talk to your children about the importance of providing only the personal information necessary to take the test, and show them the SAT’s Student Search Service ™ screenshot below so they know what it might look like and which box to select (No, thanks.);
2. Encourage them to go to bed early Friday night, get plenty of rest, and set the alarm (AM, not PM!);
3. Serve a nutritious breakfast Saturday morning to your children and remind them to bring a photo ID, the “admission ticket,” NO. 2 pencils and an acceptable calculator from the College Board’s Test Day checklist;
4. Remind them NOT to volunteer any personal information other than what is required like name, address, school, date of birth, etc., and that there is no reason to offer up their Social Security number, religious affiliation, family income, or other extraneous information. They should also CHECK the “No, thanks” box if there is one in the Student Search Service ™ section.
5. Reassure them to relax and just do their best on the exam itself.

checkbox

Please support student privacy by making a tax-deductible donation in 2015

In July 2014, after helping to defeat inBloom Inc., we launched the Parent Coalition for Student Privacy because we realized how widely personal student data was being disclosed by schools, districts, states and private corporations – without parent knowledge or consent.  Since then, our organization has become the go-to source for the parent point of view on student privacy and what must be done to strengthen parent rights to protect their children’s data from breaches and abuse.

Please help support our efforts, by clicking here at the Class Size Matters website, and specifying that you would like your tax-deductible donation to go to the Parent Coalition for Student Privacy.

Our Coalition continues to make waves. We have written op-eds and have been quoted widely on the need to protect sensitive, personally identifiable student information, most recently in relation to Mark Zuckerberg’s plans to expand online learning, and Google’s data-mining of students at school.  At the same time, we are working to inform parents about how to access their children’s personal data collected by state departments of education, as well as what they should demand in terms of privacy and security protections.

Next year offers great promise for our Coalition since we were able to secure some grant funding and are now able to dedicate more time to this work.  More specifically, we plan to collaborate with the Campaign for a Commercial-Free Childhood to create and distribute a toolkit to educate parents, teachers and school officials about best practices to protect student information; and further grow our Coalition.  We will be hosting webinars and intensifying our parent outreach in the upcoming year.  More details to come soon.

In the meantime, we hope you will consider making a financial contribution to our Coalition’s efforts to help us strengthen our fight to protect student privacy.  You can make your tax-deductible donation here and specify the Parent Coalition for Student Privacy as the recipient.  Any amount helps!

By redoubling our efforts to improve school and district policies and practices, as well as improve legal protections, we are uniquely positioned to affect positive change for student privacy in the year ahead.

Again, thanks for all that you do to support student privacy. We  look forward to a wonderful New Year working with you!


Rachael Stickland and Leonie Haimson

Co-chairs, Parent Coalition for Student Privacy

email: [email protected] | website: www.parentcoalitionforstudentprivacy.org | facebook: http://tinyurl.com/PCSPfbook | twitter: @parents4privacy

VTech vs EDtech

This week we’ve seen news of a major breach of users’ data from an online service run by VTech.  What sets this one apart is that personal information was stolen from hundreds of thousands of children’s accounts, associated with some of the millions of adult accounts that were also compromised.

Troy Hunt has posted a detailed analysis of the breach and other problems with VTech’s web applications.  You can read it here on Troy’s site or here on Ars Technica.  I encourage you to read it.

Here is what Troy Hunt had to say about the severity of the breach: 

“When it’s hundreds of thousands of children including their names, genders and birthdates, that’s off the charts. When it includes their parents as well – along with their home address – and you can link the two and emphatically say “Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question)”, I start to run out of superlatives to even describe how bad that is.”

When I read this paragraph, head nodding, I thought of the running list I keep of my own kids’ identifiable personal information I’ve been able to gain unauthorized access to through remote attack vulnerabilities in online services used at their schools. (A remote attack is something that does not require access to the user’s network traffic, and can be done from anywhere).

The list is below. I was able to collect all of this by exercising flaws in web pages and interfaces in the education-related services that hold my kids’ information.  It wasn’t all in one place like the VTech information but goes far beyond what was held there.

  • full name
  • gender
  • date of birth
  • in-class behavior records
  • reading level and progress assessments
  • math skill and progress assessments
  • in-class test and quiz scores
  • report cards
  • ability to send private message to a student through an app
  • voice recordings
  • usernames (some with passwords)
  • password hashes
  • school lunch assistance status
  • name and address of school
  • teacher name
  • classmate names (through class rosters)
  • class photos with students labeled by name
  • parent email addresses
  • parent names
  • home address
  • home phone number

My kids are still in elementary school.  Simply by going to school they’ve already had all of this information exposed to the possibility of unauthorized access and collection.

I don’t have knowledge that any of this information has been subject to unauthorized access — but the only difference between a responsible disclosure and a data breach is the ethics of the person who finds the vulnerability.   Most of these vulnerabilities exposed many thousands of students to potential breaches, some of them exposed millions of students to potential breaches of their personal and educational information.

This is a system-wide problem that educators, parents and technology providers must work together to address.  Things are improving but we have a long way to go.  Here are some previous posts on that topic:

Why we need standards: part one of many

A starting point: end-user web app security test plan

Edsurge: Why student data security matters

Bill Gates and the erosion of student privacy

bill gates v5

Bill Gates has had an enduring fixation on the need to expand the collection and sharing of personal student data. In 2005, the Gates Foundation organized a “data summit” among its grantees, at which launched the Data Quality Campaign, “to Improve the collection, availability and use of high-quality education data, and Implement state longitudinal data systems to improve student achievement.”

The Data Quality Campaign has received more than $13 million since 2013 from the Foundation, which they have used to advocate for the US Department of Education to weaken student privacy protections and to allow for the sharing of personal student information among state agencies, between states, and with researchers, test companies, and technology vendors.

In 2008 and 2011, The Data Quality Campaign, along with its “partners” among other Gates grantees, successfully lobbied the US Ed Dept. to relax FERPA, to allow for the creation of state longitudinal databases to link student data from preK through the workforce and beyond, and the disclosure and redisclosure of personal student data with a wide variety of third parties without parental knowledge or consent.

According to a participant in a webinar hosted by the Data Quality Campaign on April 14, 2011, Steve Winnick, a prominent DC attorney working for DQC emphasized the need to deny parents the right to consent or opt out of their children’s data being disclosed, saying, “we don’t want parents to get in the way.” You can see the 2011 fact sheet released by Steve Winnick and the Data Quality Campaign about the many ways the US Department of Education weakened this “outdated” privacy law in response to their advocacy here.

Earlier in 2009, the Foundation granted $22 million to schools, districts, and states for them to expand their data collection and disclosure efforts, and in 2011, spent $87 million to form the Shared Learning Collaborative, which in 2014 would morph into a separate corporation called inBloom Inc.

inBloom Inc. which would receive more than $100M in Gates funds before closing its doors due to parent protests in 2014, was a hydra-headed effort to collect the personal data from nine states and districts, store it on an Amazon cloud, with an operating system built by Amplify, and make it more easily accessible to ed tech vendors and other third parties without parental knowledge or consent. Here is more background on inBloom; here are a timeline and news clips.

Gates incentivized districts and states to participate in this project of data collection and sharing, with promises of big grants.  The Foundation also offered cash awards to vendors who would build their instructional products around this data, through  “interoperable” software.

inBloom was designed to help achieve Bill Gates vision of education: to mechanize instruction by plugging every child into a common curriculum, standards and tests, delivered by computers, with software that can data-mine their responses and through machine-driven algorithms, deliver “customized” lessons and adaptive learning.  By siphoning off the data into state and multi-state databases and then tracking children through life, educrats can better evaluate which teachers and software programs are effective, and also steer students towards appropriate college and careers, all in the name of improved “efficiency”. Gates has also funded multi-state student databases, which were illegal before FERPA was relaxed, including granting WICHE with more than $13 million, to enable the transfer of personal student information between fifteen Western states.

Since the demise of inBloom, the Gates Foundation has not given up their attempt to supplant real personalized learning with learning through software and machines. Recently, with the Future of Privacy, an ed tech industry group, they funded a survey that was pitched as showing that parents support schools sharing the personal data of their children, but upon further digging really showed the opposite.

Gates has also funded a new effort, in which 27 school districts along with The Consortium for School Networking, will create a “Trusted Learning Environment Seal” to reassure parents that their children’s data is safe. In this way, they appear intent on controlling the student privacy debate , and co-opting the intense parent concerns about rampant data disclosure that led to inBloom’s downfall.

SAMPLE letter to gain access to your child’s data in the state student database

Since Cheri Kiesecker and I wrote an article in the Washington Post Answer Sheet about all the data that the state is collecting on children, parents in CO, NJ, RI, and many other states have asked us for a sample letter they can use to demand to see the data that states hold for their children in their longitudinal student databases. So we have drafted one below.

In most states, this request will be made via a Freedom of Information request to your State Education Department FOIA officer, and/or the Department’s privacy officer, if there is one. Parents should also copy the State Education Chief Information Officer and/or the State Commissioner, if their contact information is available.

FYI, the state cannot force you to come to their office to see your child’s data if that would be a hardship – as it would for most parents. And while they can charge a minimal fee to make copies, they cannot charge you for the search and retrieval of these records. If they try to charge you more than a minimal fee, you can appeal that decision. If the state is being obstructive in any way, please contact us at info@studentprivacymatters; we can strategize and/or help you write a FERPA complaint. And please keep us in the loop in any case!

For more information, see the US Ed Dept. letter to the state of Nevada, referred to below.

Thanks, Leonie Haimson, co-chair, Parent Coalition for Student Privacy

To whom it may concern:

I am the parent and legal guardian of (full name of child), currently (x) years of age.

My child attended x school in grades K-x (during what years); x school in grades x-y, (during what years) and x high school (during what years) in [what] school district.

Please provide me with whatever personally identifiable information (PII) that the State Education Department has collected on my child and which of this information is included in the state’s student longitudinal database, including any and all information in the database that has been contributed by other state agencies.

To access this information, and challenge it if it is incorrect is every parent’s right under the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99), and the state cannot charge me a fee for accessing it.

This was confirmed by Dale King, Director of the U.S. Department of Education’s Family Policy Compliance Office, in a letter he wrote to the Nevada Education Department on July 28, 2014:

….educational agencies and institutions, as well as SEAs [State educational agencies] may not charge a fee for search and retrieval of education records. See § 99.ll(b)

According to the US Department of Education, you are obligated to provide me with my child’s data within 45 days of this request.

I also demand a list of any and all third parties, and/or governmental agencies, that have been provided with any of my child’s PII, which elements of PII they have received, and under what privacy and security agreements these disclosures were made.

Finally, I would like to know what governmental, citizen or advisory board exists to oversee the collection, use, distribution and eventual destruction of my child’s PII data, and their members.

Thank you for your cooperation in this matter and I look forward to hearing from you soon.

Sincerely,
(Your name)
(Address)
(Email address)
(Phone number)