Advocates Tell FTC: Facebook is violating children’s privacy law

Complaint says controversial Messenger Kids app doesn’t comply with COPPA

Parent Coalition for Student Privacy signed onto this complaint to the FTC about Facebook’s violation of children’s privacy and the federal law known as COPPA via its Messenger for Kids app.
Contact: David Monahan, CCFC; 617-896-9397

BOSTON – Wednesday, October 3, 2018 – Today, a coalition of 17 public health advocacy groups called on the Federal Trade Commission (“FTC”) to investigate and take action against Facebook for violations of the Children’s Online Privacy Protection Act (“COPPA”). The groups filed a complaint asserting that Messenger Kids, a controversial messaging application for children as young as five, collects kids’ personal information without obtaining verifiable parental consent or providing parents with clear and complete disclosures of Facebook’s data practices.

Messenger Kids is the first major social platform designed specifically for young children. The FTC complaint says that Facebook’s parental consent mechanism does not meet the requirements of COPPA because it’s not reasonably calculated to ensure that the person providing consent is actually the child’s parent. Any adult user can approve any Messenger Kids account, and testing confirmed that even a fictional “parent” holding a brand-new Facebook account could immediately approve a child’s account without proof of identity. The complaint also asserts that Facebook Messenger Kids’ privacy policy is incomplete and vague. The policy allows Facebook to disclose data to unnamed third parties and the “Facebook Family of Companies” for broad, undefined business purposes. The policy does not specify what companies are in the “Facebook Family.” COPPA requires that privacy policies list the name and contact information of any third parties who have access to children’s data.

The complaint was organized by the Campaign for a Commercial-Free Childhood (CCFC) and drafted by the Communications & Technology Law Clinic in the Institute for Public Representation (“IPR”) at Georgetown University Law Center. “Despite Facebook’s promises to the contrary, Messenger Kids blatantly violates COPPA’s protections for children’s privacy by collecting children’s personal information without informed, verifiable parental consent,” said Jim Graves, Staff Attorney and Clinical Teaching Fellow at IPR. “In fact, Facebook’s parental verification method is similar to one the FTC rejected in 2013. The FTC should act quickly to stop Facebook’s violation of children’s privacy.”

Earlier this year, CCFC sent Facebook CEO Mark Zuckerberg a letter signed by over 100 experts and advocates, asking him to pull the plug on Messenger Kids because it undermines children’s healthy development. CCFC also launched a petition calling on Facebook to scrap the app.

“While evidence shows that excessive social media use negatively impacts the wellbeing of children and teens, Facebook is trying to get kids hooked at the tender age of five,” said CCFC’s Executive Director Josh Golin. “They tell parents that Messenger Kids was designed to be safe for children, but they don’t even comply with the most basic privacy requirements of the law. The best choice for parents is clear: keep young kids away from Facebook.”

Organizations which signed today’s complaint along with Campaign for a Commercial-Free Childhood were Badass Teachers Association, Centre for Child Honouring, Consumer Federation of America, Defending the Early Years, EPIC Privacy, Media Education Foundation, MomsRising/MamásConPoder, New Dream, Parent Coalition for Student Privacy, Parents Across America, Peace Educators Allied for Children Everywhere (P.E.A.C.E.), Public Citizen, The Story of Stuff, TRUCE (Teachers Resisting Unhealthy Childhood Entertainment), United Opt Out National, and USPIRG.
CCFC is the home of the Children’s Screen Time Action Network, which provides resources for parents and professionals who want to reduce the time children spend on digital devices.

Read the full complaint here: https://www.commercialfreechildhood.org/sites/default/files/devel-generate/wab/FTC%20FB%20Messenger%20Kids%20Letter.pdf

###

Join us next month in Indy to discuss privacy & online learning!

Next month in Indianapolis, the Network for Public Education will be holding our annual conference on Saturday and Sunday, Oct. 20-21.  More info and how to register here.

I will be participating in two amazing panels focused on how to protect students and teachers from the growing threat to data privacy and resist the expansion of online learning which is undermining the quality of public education.

The first workshop, to be held on Saturday morning, Oct. 20, at 10:50 AM, is entitled Outsourcing the classroom to ed tech & machine-learning: why parents & teachers should resist. Presenting with me are two brilliant bloggers and thinkers whose work I never fail to learn from, Audrey Watters and Peter Greene.

Audrey has single-handedly and fiercely taken on the ed tech industry for many years and critiques their claims on her essential blog, Hack Education. If you haven’t subscribed to her newsletter, you absolutely should do so. She is currently writing a book to be published by MIT Press called Teaching Machines.

Peter is a Pennsylvania teacher who retired last year, but even while teaching was among the most prolific and incisive education bloggers at Curmudgucation. He also now writes a regular column for Forbes. In his writings, he deconstructs and eviscerates the agenda of the corporate reformers and faux philanthropists, whether it be the promotion of online education, Common Core, high-stakes testing or any of the other snake oil disseminated by private interests bent on disrupting public education. He shows how they are based on neither research, common sense, nor the experience of teachers or parents.

During the second workshop, held later the same day, our panel will present A Teacher Data Privacy Toolkit: How to protect your students’ privacy and your own. Marla Kilfoyle and Melissa Tomlinson of the Badass Teachers Association, Rachael Stickland, co-chair of the Parent Coalition for Student Privacy, and I will offer some of the highlights and practical tips of our yet-to-be-released Toolkit, the product of a year-long collaboration between the PCSP and the BATs, with support from the Rose Foundation, the NEA and the AFT.

From responses to an online survey and focus groups of teachers, administrators and other school staff, we heard loud and strong how educators were deeply frustrated by the lack of training and knowledge they had about how to minimize and safeguard the increasing amount of personal data being collected by schools and vendors, and how they can work to ensure it isn’t breached or improperly used.  This toolkit, like the Parent Toolkit for Student Privacy we along with Campaign for a Commercial Free Childhood released in 2017, represents an attempt to provide the support and information that teachers need to act as responsible guardians of their students’ privacy — and their own.

Please join us in Indianapolis – more amazing speakers and panels are described here. — Leonie Haimson

FBI issues PSA warning of Ed Tech risks to Student Privacy & Security

On Thursday, September 13th, the Federal Bureau of Investigation’s Internet Crime Complaint Center issued an important public service announcement (PSA) titled Education Technologies: Data Collection and Unsecured Systems Could Pose Risks to Students.

The PSA warned school districts and parents that sensitive student data collected via the rapid adoption of educational technology in U.S. schools  can threaten children’s privacy and security. The announcement also included recommendations to parents, including:

    • Research existing student and child privacy protections of the Family Educational Rights and Privacy Act (FERPA), the Protection of Pupil Rights Amendment (PPRA), the Children’s Online Privacy Protection Act (COPPA), and state laws as they apply to ed-tech services.

    • Discuss with their local districts about what and how educational technologies and programs are used in their schools.

    • Conduct research on parent coalition and information-sharing organizations which are available online for those looking for support and additional resources. [emphasis added]

Rachael Stickland, co-chair of the Parent Coalition for Student Privacy, told EdWeek, “We’re thrilled the FBI is clearly articulating the many risks associated with ed-tech use in schools, and we’re especially excited to see a recommendation encouraging the public to reach out to parent organizations for information and support.”

You can read more at:

FBI Raises Alarm on Ed Tech and Student Data Privacy and Security, Ed Week, by Benjamin Herold, September 13, 2018

FBI Memo: Ed Tech Data Collection Poses Risk to Student Privacy, Security, The 74, by Mark Keierleber, September 13, 2018

Cassie Creswell: The price of a public education should not be your child’s personally-identifiable information.

Testimony from Cassie Creswell from Raise Your Hand Action IL and Parent Coalition for Student Privacy in front of the Illinois House Cybersecurity, Data Analytics, and IT Committee. News articles about these hearings and her testimony are posted here and here. Video of Cassie and other parents testifying is here.

For Consideration By: Cybersecurity, Data Analytics and IT Committee, in hearing, August 7, 2018, at 10 AM.

Testimony for subject matter hearing on student data privacy

Thank you to the committee and Chairman Andrade for holding this hearing. My name is Cassie Creswell, and I’m the co-director of Raise Your Hand Action. We are a grassroots parent group that advocates for policy that supports a high-quality public education system for Illinois.

RYH Action continues to hear from parents about concerns posed by ever-increasing technology use and data collection in public schools. As you heard from the parents on the previous panel, the security and privacy of educational data is lacking.

CPS has had at least six major known data breaches since spring of 2015 with tens of thousands of students’ personal data, including in some cases health conditions and Individualized Education Program information for students with disabilities, improperly disclosed, and in several cases posted publicly on the web. A national database of publicly reported K-12 cybersecurity incidents includes at least 9 other instances in Illinois outside Chicago in the last two and a half years, including ransomware incidents.

We have also heard from parents about online surveillance, where students’ web history—and that of anyone they share a computer with—outside of school hours, off school grounds and off school-owned devices is being stored and monitored.

Parents are rarely told who their child’s data is being shared with beyond school walls and almost never asked for consent for that sharing. This data collection begins as early as preschool where teachers upload detailed records of children’s behavior to a third-party for-profit software vendor, including things like whether they hit another child, have a tantrum, wet their pants, etc.

Families who inform schools that they are not willing to have their child’s data harvested via apps and software have been told that there is no alternative way to receive instruction and even been told that they should consider private school or homeschooling.

Essentially, in order to receive an education, public school students are being forced to forfeit their right to privacy and a secure digital footprint.

Our group has attempted to advise parents how to navigate the aftermath of a data breach, how to respond to the school’s surveillance of their home computer or their child’s laptop, how to get info on what data is being collected via ed tech products or via surveys administered with state-mandated assessments or even via the software that has replaced college counseling services.

But this simply is not a problem that can be solved by individual parents armed with the advice from a parent group or privacy advocates.

Childhood is a time of growth, experimentation and development. The mistakes and challenges of childhood should not be part of a record that follows a child into adulthood and hampers the chance of future success. With the rapid pace of technological change, personal data that’s collected and shared today may have significant negative consequences in years to come.

And so, legislators must fully consider the implications of data collection, not only how data might be used in positive ways to enhance a child’s education in the present or near term, but how data might be used in negative ways in the long term. The convenience of tracking and recording every food item a fifth grader buys in the cafeteria for that child’s parent or the school or the food vendor should be balanced with the implications for that fifth grader, 20 years in the future who could be blacklisted for health insurance due to poor nutritional choices in the past. Detailed observations of behavior in preschool might be used for evaluating the effectiveness of preschool programs, but not if they risk being used for input to predictive algorithms for college admissions decisions.

Protecting student data encompasses a huge area of complex policy decisions. But there are some clear places to begin, and we think it’s imperative that the following components are addressed in legislation next session:

  • Full transparency: Operators, whether for-profit or non-profit, and whether selling a product or providing a product for “free” without a contract with a school or district, must all be subject to the same rules. Parents should know what organizations beyond the school district have possession of their children’s data, including government agencies, researchers, non-profits and companies.
  • Freely given consent: Parents should be provided with an opportunity for informed consent before PII is transferred to any non-school officials. And this consent must be freely given: students and families must not be coerced into providing sensitive data to non-school official third-parties in exchange for a free and appropriate public education. The price of a public K-12 education should not be your personally-identifiable information.
  • Control remains with the data’s owner: Even after consent is granted for data to be shared, control of the data must remain in the hands of students over 18 or parents of students under 18. Control means that the data can be reviewed, corrected and deleted at an owner’s request. And it means that consent for holding the data can be withdrawn.
  • No Commercialization: Children should not be subjected to ads while using educational software nor have any of their online data used to target ads.  SOPPA prohibited targeting ads based on stored profiles of children, but targeting ads to children in public schools based on data they are providing on the spot—their IP address, the particular e-book they are reading—is no more acceptable and should be prohibited. The push by Hobsons and the College Board to grant exceptions to the Student Online Personal Protection Act’s ban on targeted advertising and the sale of student profiles should be resisted. It wouldn’t be acceptable for a school counselor to accept payment for promoting a particular university or scholarship provider; it shouldn’t be allowed in career and college counseling software either. Student data should not be used to train or develop predictive algorithms for commercial software or apps.
  • Security: The GA should establish detailed minimum requirements for how student data must be handled and how breaches are responded to and replace the vague “reasonable security procedures and practices” language in SOPPA. Districts should be held liable for not taking sufficient, reasonable precautions to keep data secure: encouraging the use of student ID numbers as usernames and passwords, using software that can create public webpages containing PII, storing health information on shared drives, collecting social-emotional survey data via Google Docs. Until districts are held responsible for negligent security practices, children will suffer the consequences.
  • Privacy: Students’ own devices should not be surveilled, even if in use on school networks. And outside of school hours and school grounds, there should be no tracking of students–even on school-owned devices. In addition, research has shown that de-identified or anonymized data is inadequate to protect privacy. The exceptions made in SOPPA for de-identified data should be removed.

Technological innovation in the field of education has promise, but that promise will be squandered if there is not parallel innovation in establishing norms for regulating information privacy and encoding them in statute. This is not something that should be left to technology companies or school administration. Their interests in this area are to maximize profits in the case of the former and hold down costs in the case of the latter.

Right now, this leaves the onus of protecting our children’s digital footprint on parents. In fact, the onus is on you, our elected legislators, to serve as stewards of the public good by making sure that the cost of a public education in the 21st century is not our children’s right to information privacy.