Montgomery MD parents ask, is our children’s privacy safe when they use Google classroom?

Many districts are now using Google classroom and Chromebooks for remote instruction while schools are closed.  Below is a sample letter for Montgomery County (MD) Safe Tech Subcommittee of MCCPTA’s Health and Safety Committee, that they are encouraging parents  to send to their district to ensure their children’s privacy while using this program.

As MCPS diligently works on distribution of Chromebooks for remote learning should school be closed longer than two weeks, I, along with the MCCPTA Safe Technology subcommittee, urge MCPS to take important precautions to protect our children’s personally identifying information as part of the roll-out. Here’s why:

As you know, we’ve been trying for over half a year to secure verification from Google that our student’s data has been deleted in accordance with the Data Deletion Day policy we worked with MCPS to develop. Without any visibility into the contracts between MCPS and Google, we have no idea what Google’s obligations are with regard to our student’s data: whether, how, and when they share and use this data.

Further, the New Mexico Attorney General’s Office filed a lawsuit against Google for deceptive trade practices in terms of how it collects, shares and uses student’s personal data. The suit alleges that “children are being monitored by one of the largest data mining companies in the world [Google], at school, at home, on mobile devices, without their knowledge and without the permission of their parents.” The New Mexico AG finds that once Google accumulates student data, it shares it across all of its business segments “for its own commercial purposes” despite having promised to use it only for educational purposes.

Up until last week, kids currently only used Chromebooks in school for limited periods of time, thus exposing only a limited amount of information to Google. Once we allow students to use Chromebooks at home, they’re likely to use them for school work for exponentially more time — given social distancing, no teacher oversight, etc. This will turn the small spigot of information that currently flows to Google into a virtual fire hose.

Prior to rolling out the Chromebooks for home-based learning, MCPS must require a written promise from Google stating that they segregate student usage information from all of their other lines of business; do not share, or otherwise utilize this data for any other purpose other than to provide the educational services; will delete all student data collected during this national crisis at the end of the current school year.

Google is required to protect our children’s data under their current contract with MCPS. They would be negligent to deny this request, and ‘crisis capitalists,’ as well.

We look forward to working with you on this. As you know, my experience in the cybersecurity arena is long and deep. I have additional experience as a first responder and know the value of being prepared and staying ahead of potential damage and threats to communities. I feel strongly that we do this now, and offer my continued assistance.

Sincerely, [sign here]

Advice to parents on maximizing privacy & minimizing screen time while your child’s school is closed

For the millions of parents whose children’s schools are closed, here is some advice on trying to minimize the risks from your children’s overuse of screens, and to maximize their privacy if they are using ed tech apps.

Privacy

Many ed tech programs are neither private nor secure; they collect and share children’s personal data, often without your knowledge or consent.  This 2018 US Dept of Ed guidance has said that schools cannot require parents to agree to the terms of online apps or programs if they violate federal privacy law.   Ransomware, hacking, and identity theft also increase when using online programs, as the FBI has warned .  Generally,  your child’s data can only be used only for educational purposes, and the app’s privacy and terms of services should clearly say this.

For more specific advice on  what federal student privacy law requires and red flags to look for in reading a privacy policy,  check out our Parent Toolkit for Student Privacy.   Teachers should consult our Educator Toolkit .  If you sign your children up for an online program,  better to use one that does not require you to create an account or offer any personal information.  If you must, use an alternative email address  for the that you can later delete, and do not provide any personal information  that you would not like shared with others.

Many schools  and colleges are using Zoom.  Be aware that EPIC filed a privacy complaint against Zoom for intentionally allowing web cameras to be operated without users’ knowledge or consent.  You might consider keeping a band aid or other removable sticker on your computer’s web camera until you or your child intends to use it.  Its standard privacy policy, according to Future of Privacy Forum, allows targeted advertising, which violates FERPA and many state student privacy laws.  UPDATE:  Jitsi has been recommended to me to use for video conferencing; it’s free, open source and doesn’t require you make an account first .

When considering applications and tools for remote online learning, you can also check out the privacy reviews of specific apps and programs on Common Sense Media or the AppCensus, which analyzes Android apps.

Limits on screen time

World Health Organization guidelines  advise that children aged between the ages of 2 and 5 should be limited to no more than an hour of screen time per day. Older kids are not immune to health risks: myopia, sleep loss, screen addiction, ADHD and more have been linked to excessive screen use.  The more  time teenagers spend on computers and social media has also been correlated with higher rates of depression.

Some experts advise two hours of screen time maximum per day for the oldest kids, with frequent breaks; including blocks of time where they can chat online with their teacher or classmates.

In truth however, many children do not have access to devices and broadband to make online instruction a practical reality, and there is growing consensus that  it is NOT an effective educational method.  Most students enrolled in online schools actually regress in terms of learning.  More reasons why we are skeptical of online learning in general are explained in this NPE guide, What Every Parent Should Know about Online Learning.

Alternatives to online learning

In my opinion and that of some teachers I have consulted, rather than having your children sit at computers to do schoolwork would be to for their teachers to send them homework in written form, if possible.  Or you could purchase workbooks.

Personally, I have found Singapore math workbooks to be excellent.  As for reading, you could ask your children to choose a book to read for one half hour to an hour every day, depending on their age, and ask them to write something about what they’re reading or keep a diary of their time spent during this period.

As long as they maintain “social distancing”, take your children go outside every day or have them exercise inside.  Put on some music and dance! 

Try not to worry if your kids aren’t spending much time studying.  Don’t be concerned about the state tests either. The US Department of Education has issued guidance that states and districts where schools are closed for long periods can submit applications to waive or postpone their mandated tests this year.

For more screen-free ideas and updates, check out the advice from the Campaign for Commercial Free Childhood  Liat Olenick, NYC teacher, has provided valuable ideas on Twitter on how teachers and schools can support families during extended periods of closure.

Sen. Gillibrand’s press conference today about her bill to create a Data Protection Agency

This afternoon I spoke at a press conference in NYC to support Sen. Gillibrand’s new bill to create a new federal agency specifically devoted toward protecting privacy, called the Data Protection Agency.  The bill is posted here; more about it is here.   

The statement I gave is below; and below that is the press release, with quotes from Sen. Gillibrand and the other two privacy experts pictured above, Caitriona Fitzgerald of EPIC and Prof. Ezra Waldman of NY Law School.

Hi, my name is Leonie Haimson, and I’m co-founder and co-chair of the Parent Coalition for Student Privacy.  We are one of the many organizations that have  submitted complaints to the FTC about the way companies like Facebook, Google and Google Play Apps have been illegally harvesting young children’s information and potentially using it for commercial purposes without parental consent in violation of COPPA.  And yet the FTC’s response to these complaints has been silence, or at best a mere slap on the wrist, a symbolic fine that barely touches the huge profits of these companies.

In addition, the FTC has put out a series of contradictory guidance documents about how COPPA applies to the collection of personal data from children in schools that has managed to confuse nearly everyone.  As a result, each school and district interprets their responsibilities differently about whether or not they even inform parents beforehand, no less ask for their consent, . when their children are assigned programs to use that require them to upload their personal information.

For example, Google Apps for Education, also called G-suite, is used in literally tens of thousands of schools across the country; and yet many parents are concerned about the amount of personal data Google collects from their children, including their geolocation and metadata, and how this information may be abused.

More recently, the FTC has signaled that they may be rewriting regulations for COPPA regulations to further weaken student privacy, in and out of the classroom, causing us to worry that they are more interested in serving the commercial interests of the ed tech industry instead of keeping our children safe from commercial exploitation.  We are also extremely concerned about the non-transparent algorithms increasingly being used in classrooms across the country to direct children’s learning and steer their educational trajectories – algorithms that may feature inherent biases and be based on inaccurate data.

All this further reconfirms our conviction that it is absolutely necessary that an independent agency be established that has as its first priority protecting the privacy of Americans, especially our most vulnerable children, and which can look into these troubling issues with more objectivity and care.  Thank you Senator Gillibrand, for introducing the Data Protection Act,  and our Parent Coalition is committed to doing all we can to help get it passed.

From: Gillibrand, Press (Gillibrand) <[email protected]>
Sent: Sunday, February 23, 2020 1:59 PM
Subject: STANDING WITH DATA PRIVACY EXPERTS AND ADVOCATES, GILLIBRAND ANNOUNCES LANDMARK LEGISLATION TO CREATE A DATA PROTECTION AGENCY TO COMBAT NATIONAL DATA PRIVACY CRISIS

FOR IMMEDIATE RELEASE:

Sunday, February 23, 2020

Contact: Evan Lukaske, 202-224-3873

STANDING WITH DATA PRIVACY EXPERTS AND ADVOCATES, GILLIBRAND ANNOUNCES LANDMARK LEGISLATION TO CREATE A DATA PROTECTION AGENCY TO COMBAT NATIONAL DATA PRIVACY CRISIS

The Data Protection Act Would Create a Consumer Watchdog to Give Americans Control and Protection of Their Data, Promote a Competitive Digital Marketplace, and Prepare the U.S. for the Digital Age

U.S. Still One of the Only Democracies Without a Data Protection Agency

New York, NY — Alongside data privacy experts and advocates, U.S. Senator Kirsten Gillibrand today announced her landmark legislation, the Data Protection Act, which would create the Data Protection Agency (DPA), an independent federal agency that would protect Americans’ data, safeguard their privacy, and ensure data practices are fair and transparent. The push for a national agency to oversee data privacy comes as leaders from EPIC, the Parent Coalition for Student Privacy, the New York Law School’s Innovation Center for Law and Technology and Institute for CyberSafety, and more express concern for the growing data privacy crisis that looms over the everyday lives of Americans. The U.S. is one of the only democracies, and the only member of the Organization for Economic Co-operation and Development (OECD), without a federal data protection agency.

“Technology is connecting us in new significant ways, and our society must be equipped for both the challenges and opportunities of a transition to the digital age. Data privacy is becoming an urgent concern for the everyday lives of Americans and the government has a responsibility to step forward and give them meaningful protection over their data and how it’s being used,” said Senator Gillibrand. “Data has been called ‘the new oil.’ Companies are rushing to explore and refine it, ignoring regulations, putting profits above responsibility, and treating consumers as little more than dollar signs. Like the oil boom, little thought is being given to the long-term consequences. The U.S. needs a new approach to privacy and data protection. We cannot allow our freedoms to be trampled over by private companies that value profits over people, and the Data Protection Agency would do that with expertise and resources to create and meaningfully enforce data protection rules and digital rights.”

“EPIC applauds Senator Gillibrand for filing the Data Protection Act,” said Caitriona Fitzgerald, EPIC Policy Director. “The United States confronts a crisis. The Federal Trade Commission has consistently failed to protect consumers. The system is broken. A Data Protection Agency focused on privacy protection, compliance with data protection obligations, and emerging privacy challenges is needed now.”

“It is absolutely necessary that an independent agency be established that has as its first priority protecting the privacy of Americans, especially our most vulnerable children, and which can look into these troubling issues with more objectivity and care. Thank you Senator Gillibrand, for introducing the Data Protection Act, and our Parent Coalition is committed to doing all we can to help get it passed” said Founder of Parent Coalition for Student Privacy Leonie Haimson.

“Privacy is a civil right, not a good to be traded in the market. The FTC has tried, but it has overseen the erosion of personal privacy with the lightest of light regulatory touches. It is structurally incapable or unwilling to do what needs to be done to protect privacy from companies that will do anything to extract our data. Along with other proposals from Senate Democrats, Senator Gillibrand’s Data Protection Agency is necessary to empower individuals in the digital economy” said Ari Ezra Waldman, Director of the Innovation Center for Law and Technology at New York Law School and Founder and Director of the Institute for CyberSafety.

As the United States transitions into the digital age, the DPA will address America’s growing data privacy crisis. The new agency will have the authority and resources to effectively enforce data protection rules—created either by itself or congress—and would be equipped with a broad range of enforcement tools, including civil penalties, injunctive relief, and equitable remedies. The DPA would promote data protection and privacy innovation across public and private sectors, developing and providing resources such as Privacy Enhancing Technologies (PETs) that minimize or even eliminate the collection of personal data.

Massive amounts of personal information — public profiles, health data, photos, past purchases, locations, search histories, and much more — is being collected, processed, and in some cases, exploited by private companies and foreign adversaries. In some instances, the data was not given willingly, and in many others, consumers had little idea what they were signing up for. As a result, the data of everyday Americans is being parsed, split, and sold to the highest bidder, and there is little anyone — including the federal government — can do about it. Not only have these tech companies built major empires and made billions from selling Americans’ data, but they spend millions of dollars per year opposing new regulations.

In recent years, major data breaches have occurred at banks, credit rating agencies and tech firms. In 2017, Equifax failed to safeguard the sensitive credit data of hundreds of millions of Americans, allowing a foreign government to steal and expose this information. In 2018, Facebook exposed the personal information of nearly 50 million users because it reportedly ignored warnings from its own employees about a dangerous loophole in its security. Additionally, the Federal Trade Commission (FTC) has failed to enforce its own orders and has failed to act on dozens of detailed consumer privacy complaints alleging unfair practices concerning data collection, marketing to children, cross-device tracking, consumer profiling, user tracking, discriminatory business practices, and data disclosure to third-parties.

The Data Protection Agency explained:

The DPA would be an executive agency. The director would be appointed by the president and confirmed by the Senate, serves a 5-year term, and must have knowledge in technology, protection of personal data, civil rights, law, and business. The agency may investigate, subpoena for testimony or documents, and issue civil investigative demands. It may prescribe rules and issue orders and guidance as is necessary to carry out federal privacy laws. The authority of state agencies and state attorneys general are preserved in the Act.

The DPA would have three core missions:

  1. Give Americans control and protection over their own data by creating and enforcing data protection rules.
  • The agency would enforce privacy statutes and rules around data protection, either as authorized by Congress or themselves. It would use a broad range of tools to do so, including civil penalties, injunctive relief, and equitable remedies.
  • The agency would also take complaints, conduct investigations, and inform the public on data protection matters. So if it seems like a company like Tinder is doing bad things with your data, the Data Protection Agency would have the authority to launch an investigation and share findings.
  1. Maintain the most innovative, successful tech sector in the world by ensuring fair competition within the digital marketplace. 
  • The agency would promote data protection and privacy innovation across sectors, developing and providing resources such as Privacy Enhancing Technologies (PETs) that minimize or even eliminate the collection of personal data.
  • The agency would ensure equal access to privacy protection and protect against “pay-for-privacy” or “take-it-or-leave-it” provisions in service contracts—because privacy, including online privacy, is a right that should be enforced.
  1. Prepare the American government for the digital age.
  • The agency would advise Congress on emerging privacy and technology issues, like deepfakes and encryption. It would also represent the United States at international forums regarding data privacy and inform future treaty agreements regarding data.

The full text of the legislation may be found here.

###

On Data Privacy Day, please contact your state Attorney Generals and urge them to investigate the selling of student data by the College Board

Today, January 28th is Data Privacy Day, the international annual day of action and awareness to promote the privacy of our personal data.

The College Board and ACT sell personal student data at a profit.  Yet twenty one states prohibit this practice by school vendors, operators or service providers,  under any  conditions; see list   below.  Most every district or state contracts with one of these organizations to administer the PSAT, SAT, AP or ACT exams to students in school.

The College Board sells student data for 47 cents per student  to colleges and other organizations, including some for-profit companies, but have refused to make the list public. They offer them student test scores within a range, and other  personal information deceptively gathered from students via surveys administered before their exams.  As the Wall Street Journal explained, one reason colleges buy the data is to lower their acceptance rates and selectivity, by luring far more students to apply than they have any intention to accept. Most outrageously, the College Board falsely claims they don’t sell student data on their privacy policy, instead saying they “license” the data, a difference without a distinction.

This needs to stop.  Please contact your state Attorneys General today, and ask them to investigate these illegal practices, which violate state student privacy laws and the laws that most every state has that bar deceptive practices.  Thanks!

Letter from 23 organizations to the FTC about the need to strengthen rather than weaken COPPA

Submitted in response to the FTC request for Public Comment on the Implementation of the Children’s Online Privacy Protection Rule

Dec. 11, 2019

https://www.regulations.gov/comment?D=FTC-2019-0054-0001

Federal Trade Commission
Washington, DC 20580

Re: COPPA Rule Review, 16 CFR part 312, Project No. P195404

To the FTC:

The twenty-three organizations we represent, consisting primarily of parents, educators and education advocates in states and districts throughout the country, are very concerned that the FTC is prepared to weaken the Children’s Online Privacy Protection Act (COPPA)  by allowing for the expanded collection of personal data directly from children under thirteen, without prior parental notification or consent including in schools.

This would not only contradict the original intent and language of the law, in our view, but would be extremely unwise.  As parents, educators, and advocates, we believe that the expansion of digital technologies in schools, especially those that collect data directly from children, serve neither their instructional needs nor their emotional and social well-being.

We also believe that these practices seriously risk children’s privacy, given the increased number of breaches reported by schools and districts throughout the country. Since COPPA was passed in 1998, the use of technology has expanded in schools with insufficient oversight and inadequate security protections. The number of breaches and attacks by criminal hackers has increased, so that now schools are the second-largest victims of ransomware. [1] We are also concerned about the potential monetization of this personal data for marketing and advertising purposes.

In September 2018, the FBI issued a Public Service Announcement, warning that the increased collection of children’s personally identifiable data in schools “could result in social engineering, bullying, tracking, identity theft, or other means for targeting children.”[2]

And despite the protestations of the industry, there is little or no evidence to support the instructional utility of ed tech programs. As John Pane of the RAND Corporation, who has led several studies of schools using online technologies, has said, “the evidence base is very weak at this point.”[3]

Moreover, according to the nationwide surveys of teachers as reported in the Educator Toolkit for Student Privacy, released last year by the Parent Coalition for Student Privacy and the Badass Teachers Organization,[4] more than half of teachers believe that current laws do not sufficiently protect student privacy.  Among their top concerns are that too much personal student data is collected and shared with vendors with the risk that it may be monetized, and that as the use of ed tech grows, human interaction and individualism is undermined.

These findings were reinforced by recent surveys undertaken by Education Week, which show that teachers are increasingly doubtful about the use of these educational apps and programs. [5] According to the most recent Ed Week survey, only 33% of teachers said they believe that digital technologies can improve student learning either “quite a lot” or “a great deal.”

At the same time, 72% express strong concerns that “students are spending too much time on screens,”  47% say that the “technology industry is gaining too much influence over public education”, and 38% worry that companies are “collecting too much sensitive student information.”[6]

As Education Week reporter Ben Herold concludes, “Despite continued hype, K-12 educators remain skeptical that new technologies will transform public schooling or dramatically improve teaching and learning. “ [7]  Perhaps as a result, according to an earlier Ed Week survey,  33% of teachers have abandoned the classroom use of computers, and 32% have abandoned the use of online games, apps and programs.[8]

A bipartisan group of Senators recently sent a letter to the FTC, urging the Commission not to weaken the privacy protections embedded in COPPA, and to refrain from allowing “exceptions to parental consent requirements around educational technology …. Now is not the time to pull back.”[9]

We wholeheartedly agree.  We  urge you to continue to uphold the original intent of and meaning of the law and to retain the critical parental consent requirements for the direct online collection of data from children under 13.  In fact, we believe that Congress should consider raising the age of consent for the direct online collection of student personal data to age eighteen.

Yours sincerely,

Network for Public Education
Parent Coalition for Student Privacy
Pastors for Children
The Opt Out Florida Network
Public Education Partners (Ohio)
Pueblo Education Coalition
Badass Teachers Association
Arizona Educators United
Texas Kids Can’t Wait
Northwest Ohio Friends of Public Education
New Bedford Coalition to Save Our Schools (NBCSOS)
Indiana Coalition for Public Education – Monroe County
Return To Parental Rights
Gathering Families
Stand For Schools
Northeast Indiana Friends of Public Education
Parents Across America
Ohio BATs
NYS Allies for Public Education
NYC Opt Out
Raise Your Hand for Illinois Public Education
Save Our Schools Arizona
Wisconsin Alliance for Excellent Schools

______________

Endnotes

[1] Gross, Natalie. “Ed tech’s growth breeds district IT ‘management nightmare’”, Education Dive, Oct. 3, 2019. https://www.educationdive.com/news/ed-tech-growth-has-bred-district-it-management-nightmare/564280/

[2] Federal Bureau of Investigation, “Education Technologies: Data Collection and Unsecured Systems Could Pose Risks to Students,” I-091318-PSA , Feb. 13, 2018. https://www.ic3.gov/media/2018/180913.aspx

[3] Herold, Benjamin, “What Is Personalized Learning?” Education Week, November 5, 2019. https://www.edweek.org/ew/articles/2019/11/06/what-is-personalized-learning.html

[4] Parent Coalition for Student Privacy and Badass Teachers Organization, Educator Toolkit for Teacher and Student Privacy: A Practical Guide for Protecting Personal Data, Oct. 2018. https://bitly.com/PCSP_EducatorPrivacyToolkit

[5] Education Week Research Center, Teachers and Ed-Tech Innovation: Results of a National Survey, May 2019. https://www.edweek.org/media/tc survey report-final 5.9.19.pdf

[6] Klein, Alyson, “Data: Here’s What Educators Think About Personalized Learning” Education Week,

November 5, 2019. https://www.edweek.org/ew/articles/2019/11/06/data-heres-what-educators-think-about-personalized.html

[7] Herold, Benjamin, “Ed-Tech Supporters Promise Innovations That Can Transform Schools. Teachers Not Seeing Impact” Education Week, April 23, 2019. https://www.edweek.org/ew/articles/2019/04/24/ed-tech-supporters-promise-innovations-that-can-transform.html

[8] Education Week Research Center, May 2019, op.cit.

[9] Senators Markey, Blumenthal, Hawley and Blackburn, Letter to FTC Commissioners on COPPA and Children’s Privacy, Oct. 4, 2019. https://www.markey.senate.gov/imo/media/doc/COPPA%20Letter%20to%20FTC%202019.pdf