Join us next month in Indy to discuss privacy & online learning!

Next month in Indianapolis, the Network for Public Education will be holding our annual conference on Saturday and Sunday, Oct. 20-21.  More info and how to register here.

I will be participating in two amazing panels focused on how protect students and teachers from the growing threat to data privacy and resist the  the expansion of online learning which is undermining the quality of public education.

The first workshop, to be held on Saturday Oct. 20 morning at 10:50 AM is entitled Outsourcing the classroom to ed tech & machine-learning: why parents & teachers should resist .  Presenting with me are two brilliant bloggers and thinkers whose work I never fail to learn from, Audrey Watters and Peter Greene. 

Audrey has single-handedly and fiercely taken on the ed tech industry for many years and  critiques their claims on her essential blog,  Hack Education.  If you haven’t subscribed to her newsletter, you absolutely should do so.  She is currently writing a book to be published by MIT Press called Teaching Machines.

Peter is a Pennsylvania teacher who retired last year, but even while teaching was among the most prolific and incisive education bloggers at Curmudjucation. He also now writes a regular column for Forbes.    In his writings, he deconstructs and eviscerates the agenda of the corporate reformers and faux philanthropists, whether it be the promotion of online education, Common Core, high-stakes testing or any of the other snake oil  disseminated by private interests bent on disrupting public education.  He shows how they are based neither on research, common sense, or the experience of teachers or parents.

During the second workshop, held later the same day, our panel will present A Teacher Data Privacy Toolkit: How to protect your students’ privacy and your own.  Marla Kilfoyle and Melissa Tomlinson of the Badass Teachers Association, Rachael Stickland co-chair of the Parent Coalition for Student Privacy and I will offer some of the highlights and practical tips of our yet-to-be released Toolkit, the product of  a year-long collaboration between the PCSP and the BATs, with support from the Rose Foundation, the NEA and the AFT.

From responses to an online survey and focus groups of teachers, administrators and other school staff, we heard loud and strong how educators were deeply frustrated by the lack of training and knowledge they had about how to minimize and safeguard the increasing amount of personal data being collected by schools and vendors, and how they can work to ensure it isn’t breached or improperly used.  This toolkit, like the Parent Toolkit for Student Privacy we along with Campaign for a Commercial Free Childhood released in 2017, represents an attempt to provide the support and information that teachers need to act as responsible guardians of their students’ privacy — and their own.

Please join us in Indianapolis – more amazing speakers and panels are described here. — Leonie Haimson

FBI issues PSA warning of Ed Tech risks to Student Privacy & Security

On Thursday, September 13th, the Federal Bureau of Investigation’s Internet Crime Complaint Center issued an important public service announcement (PSA) titled Education Technologies: Data Collection and Unsecured Systems Could Pose Risks to Students.

The PSA warned school districts and parents that sensitive student data collected via the rapid adoption of educational technology in U.S. schools  can threaten children’s privacy and security. The announcement also included recommendations to parents, including:

    • Research existing student and child privacy protections of the Family Educational Rights and Privacy Act (FERPA), the Protection of Pupil Rights Amendment (PPRA), the Children’s Online Privacy Protection Act (COPPA), and state laws as they apply to ed-tech services.

    • Discuss with their local districts about what and how educational technologies and programs are used in their schools.

    • Conduct research on parent coalition and information-sharing organizations which are available online for those looking for support and additional resources. [emphasis added]

Rachael Stickland, co-chair of the Parent Coalition for Student Privacy co-chair, told EdWeek, “We’re thrilled the FBI is clearly articulating the many risks association with ed-tech use in schools, and we’re especially excited to see a recommendation encouraging the public to reach out to parent organizations for information and support.”

You can read more at:

FBI Raises Alarm on Ed Tech and Student Data Privacy and Security, Ed Week, by Benjamin Herold, September 13, 2018

FBI Memo: Ed Tech Data Collection Poses Risk to Student Privacy, Security, The 74, by Mark Keierleber, September 13, 2018

Cassie Creswell: The price of a public education should not be your child’s personally-identifiable information.

Testimony from Cassie Creswell from Raise Your Hands Action IL and Parent Coalition for Student Privacy in front of the Illinois House Cybersecurity, Data Analytics, and IT Committee.  News articles about these hearings and her testimony are posted here and here.    Video of Cassie and other parents testifying is here.

For Consideration By: Cybersecurity, Data Analytics and IT Committee, in hearing, August 7, 2018, at 10 AM.

Testimony for subject matter hearing on student data privacy

Thank you to the committee and Chairman Andrade for holding this hearing. My name is Cassie Creswell, and I’m the co-director of Raise Your Hand Action. We are a grassroots parent group that advocates for policy that supports a high-quality public education system for Illinois.

RYH Action continues to hear from parents about concerns posed by ever-increasing technology use and data collection in public schools. As you heard from the parents on the previous panel, the security and privacy of educational data is lacking.

CPS has had at least six major known data breaches since spring of 2015 with tens of thousands of students’ personal data, including in some cases health conditions and Individualized Education Program information for students with disabilities, improperly disclosed, and in several cases posted publicly on the web. A national database of publicly reported K-12 cybersecurity incidents includes at least 9 other instances in Illinois outside Chicago in the last two and a half years, including ransomware incidents.

We have also heard from parents about online surveillance, where students’ web history—and that of anyone they share a computer with—outside of school hours, off school grounds and off school-owned devices is being stored and monitored.

Parents are rarely told who their child’s data is being shared with beyond school walls and almost never asked for consent for that sharing. This data collection begins as early as preschool where teachers upload detailed records of children’s behavior to a third-party for-profit software vendor, including things like whether they hit another child, have a tantrum, wet their pants, etc.

Families who inform schools that they are not willing to have their child’s data harvested via apps and software have been told that there is no alternative way to receive instruction and even been told that they should consider private school or homeschooling.

Essentially, in order to receive an education, public school students are being forced to forfeit their right to privacy and a secure digital footprint.

Our group has attempted to advise parents how to navigate the aftermath of a data breach, how to respond to the school’s surveillance of their home computer or their child’s laptop, how to get info on what data is being collected via ed tech products or via surveys administered with state-mandated assessments or even via the software that has replaced college counseling services.

But this simply is not a problem that can be solved by individual parents armed with the advice from a parent group or privacy advocates.

Childhood is a time of growth, experimentation and development. The mistakes and challenges of childhood should not be part of a record that follows a child into adulthood and hamper the chance of future success.  With the rapid pace of technological change, personal data that’s collected and shared today may have significant negative consequences in years to come.

And so, legislators must fully consider the implications of data collection, not only how data might be used in positive ways to enhance a child’s education in the present or near term, but how data might be used in negative ways in the long term. The convenience of tracking and recording every food item a fifth grader buys in the cafeteria for that child’s parent or the school or the food vendor should be balanced with the implications for that fifth grader, 20 years in the future who could be blacklisted for health insurance due to poor nutritional choices in the past. Detailed observations of behavior in preschool might be used for evaluating the effectiveness of preschool programs, but not if they risk being used for input to predictive algorithms for college admissions decisions.

Protecting student data encompasses a huge area of complex policy decisions. But there are some clear places to begin, and we think it’s imperative that the the following components are addressed in legislation next session:

  • Full transparency: Operators, whether for-profit or non-profit, and whether selling a product or providing a product for “free” without a contract with a school or district, must all be subject to the same rules. Parents should know what organizations beyond the school district have possession of their children’s data, including government agencies, researchers, non-profits and companies.
  • Freely given consent: Parents should be provided with an opportunity for informed consent before PII is transferred to any non-school officials. And this consent must be freely given: students and families must not be coerced into providing sensitive data to non-school official third-parties in exchange for a free and appropriate public education. The price of a public K-12 education should not be your personally-identifiable information.
  • Control remains with the data’s owner: Even after consent is granted for data to be shared, control of the data must remain in the hands of students over 18 or parents of students under 18. Control means that the data can be reviewed, corrected and deleted at an owner’s request. And it means that consent for holding the data can be withdrawn.
  • No Commercialization: Children should not be subjected to ads while using educational software nor have any of their online data used to target ads.  SOPPA prohibited targeting ads based on stored profiles of children, but targeting ads to children in public schools based on data they are providing on the spot—their IP address, the particular e-book they are reading—is no more acceptable and should be prohibited. The push by Hobsons and the College Board to grant exceptions to the Student Online Personal Protection Act’s ban on targeted advertising and the sale of student profiles should be resisted. It wouldn’t be acceptable for a school counselor to accept payment for promoting a particular university or scholarship provider; it shouldn’t be allowed in career and college counseling software either. Student data should not be used to train or develop predictive algorithms for commercial software or apps.
  • Security: The GA should establish detailed minimum requirements for how student data must be handled and how breaches are responded to and replace the vague “reasonable security procedures and practices” language in SOPPA. Districts should be held liable for not taking sufficient, reasonable precautions to keep data secure: encouraging the use of student ID numbers as usernames and passwords, using software that can create public webpages containing PII, storing health information on shared drives, collecting social-emotional survey data via google docs. Until districts are held responsible for negligent security practices, children will suffer the consequences.
  • Privacy: Students own devices should not be surveilled, even if in use on school networks. And outside of school hours and school grounds, there should be no tracking of students–even on school owned devices. In addition, research has shown that de-identified or anonymized data research is an inadequate to protect privacy. The exceptions made in SOPPA for de-identified data should be removed.

Technological innovation in the field of education has promise, but that promise will be squandered if there is not parallel innovation in establishing norms for regulating information privacy and encoding them statute. This is not something that should be left to technology companies or school administration. Their interests in this area are to maximize profits in the case of the former and hold down costs in the case of the latter.

Right now, this leaves the onus of protecting our children’s digital footprint on parents. In fact, the onus is on you, our elected legislators, to serve as stewards of the public good by making sure that the cost of a public education in the 21st century is not our children’s right to information privacy.

Advocates say Google/YouTube Violates Federal Law and Children’s Privacy Law

Image result for kids watching youtube80% of kids aged 6-12 watch YouTube yet parents are never asked for their consent before Google collects their personal data, as required by the federal law called COPPA.

Here is the complaint filed today to the FTC, demanding that they make Google/YouTube comply with the law , led by Center for a Commercial Free Childhood and signed onto by 22 advocacy groups including the Parent Coalition for Student Privacy.  The complaint was covered by the NY Times, Wired, the Guardian, the Associated Press, USA Today, and  Consumer Reports.

The press release is below.

Monday, April 9, 2018

Contact: 

Jeff Chester, CDD ([email protected]; 202-494-7100)
David Monahan, CCFC ([email protected]; 617-896-9397)
Angela Campbell, IPR ([email protected]; 202-662-9541)
Kara Kelber, Consumers Union ([email protected]; 202-462-6262)
Lisa Cohen, Common Sense ([email protected]; 310-395-2544)

Advocates Say Google’s YouTube Violates Federal Children’s Privacy Law 
Consumer, privacy and children’s groups file complaint urging FTC to stop most popular kids’ online video service from gathering children’s data

WASHINGTON, DC—April 9, 2018—Today, a coalition of leading U.S. child advocacy, consumer, and privacy groups represented by the Institute for Public Representation filed a complaint urging the Federal Trade Commission (FTC) to investigate and sanction Google for violations of the Children’s Online Privacy Protection Act (COPPA) in operating YouTube. Google claims that YouTube is only for users 13 and up, despite being the most popular online platform for children, used by 80% of American children ages 6 to 12. The site features many programs designed and promoted for children and Google generates significant profits from kid-targeted advertising. The complaint says the FTC should subject Google to penalties, which could total in the billions of dollars.

The Center for Digital Democracy (CDD), Campaign for a Commercial-Free Childhood (CCFC), and 21 other organizations demonstrated in their filing that Google, which owns YouTube, makes substantial profits collecting many types of personal information on kids on YouTube, including geolocation, unique device identifiers, mobile telephone numbers, and persistent identifiers used to recognize a user over time and across different websites or online services. Google collects this information without first providing direct notice to parents and obtaining their consent, and Google uses it to target advertisements to kids across the internet, including across devices. COPPA bars the operator of a website directed to children, or that has knowledge of children using it, from collecting and using such information without obtaining parental consent.

CCFC’s Executive Director Josh Golin said, “For years, Google has abdicated its responsibility to kids and families by disingenuously claiming YouTube—a site rife with popular cartoons, nursery rhymes, and toy ads—is not for children under thirteen. Google profits immensely by delivering ads to kids and must comply with COPPA. It’s time for the FTC to hold Google accountable for its illegal data collection and advertising practices.”

Child directed channels such as ChuChuTV Nursery Rhymes & Kids Songs (15.9 million subscribers and over 10 billion channel views) and LittleBabyBum (14.6 million subscribers and over 14 billion channel views) are among the most popular channels on YouTube. Major advertisers pay Google a premium to place their ads in a platform known as “Google Preferred,” which includes a “Parenting and Family” lineup comprised mostly of popular channels targeted to children.

“Google has acted duplicitously by falsely claiming in its terms of service that YouTube is only for those who are age 13 or older, while it deliberately lured young people into an ad-filled digital playground,” said Jeff Chester of the Center for Digital Democracy. “Just like Facebook, Google has focused its huge resources on generating profits instead of protecting privacy.”

Angela J. Campbell, counsel for CCFC and CDD, said: “Given the large number of children affected and the extent of YouTube’s COPPA violations, the FTC needs to impose large civil penalties to show it is serious about protecting children’s privacy online.” 

James P. Steyer, CEO of Common Sense, said: “Kids have been watching videos on YouTube for years, something the company has known, and profited off of, by targeting content and ads at children under 13. It is time for Google to be completely transparent with all the facts and institute fundamentally responsible new policies moving forward to protect the privacy of kids. We fully expect Google to work closely with advocates and reach out to parents with information about parental controls, content, and collection practices on YouTube so parents can make informed choices about what content they allow their kids to access and how to protect their privacy.”

Katie McInnis, policy counsel for Consumers Union, said: “YouTube knows children are watching content on their site, and has created content channels specifically aimed at them, but does not appear to obtain the required parental consent before collecting information about them. Google has the responsibility to be COPPA-compliant and ensure that children can safely watch the programs designed and promoted for kids. These practices present serious concerns that warrant the FTC’s attention.

Groups signing on to the complaint to the FTC along with CDD and CCFC are: Berkeley Media Studies Group; Center for Media Justice; Common Sense; Consumer Action; Consumer Federation of America; Consumer Federation of California; Consumers Union, the advocacy division of Consumer Reports; Consumer Watchdog; Corporate Accountability; Defending the Early Years; Electronic Privacy Information Center (“EPIC”); New Dream; Obligation, Inc.; Parent Coalition for Student Privacy; Parents Across America; Parents Television Council; Privacy Rights Clearinghouse; Public Citizen; The Story of Stuff Project; TRUCE (Teachers Resisting Unhealthy Childhood Entertainment); and USPIRG.

The complaint was drafted by the Communications & Technology Law Clinic in the Institute for Public Representation at Georgetown University Law Center.

###