Letter to the FTC against students being targeted by Surveillance Advertising

See below letter, sent to the FTC by Fairplay, the Parent Coalition for Student Privacy, and other groups, urging them to prohibit the use of personal student data for marketing purposes through targeted ads, described here as “Surveillance Advertising.”

Recent exposes of Naviance, for example, in The Markup here and here, for example, revealed how students are assigned to take surveys and provide their personal data to this company to apply to colleges, data which is then monetized  by Naviance and used by colleges to discriminate against particular racial groups.

This violates the student privacy laws of many states, including New York’s, which bar the use of student data for commercial purposes, and arguably FERPA as well, which holds that if student data is going to be shared with third parties without parent consent it must be to further the student’s education or the district’s operations.

Naviance also uses personal student data obtained through surveys of questionable validity and legality, filtered through black-box algorithms, to steer students into certain colleges or careers.

 

New info on the NYC student data breach — with some critical follow-up questions

Recently, Chalkbeat reported on a data  breach that affected over 1000 NYC students and teachers.  Chalkbeat followed up with another story that suggests this breach was caused by an insecure storage of student and teacher data on a Google drive, first discovered in January 2021 by high school students at Brooklyn Tech.  Though these students reported this  insecure leakage to an administrator at their school immediately, it was ignored until they found in March 2021 that the problem had grown worse, and  emailed three DOE officials to alert them.

I was asked to look into this matter  by NYC parent leaders, and followed up with an email to Joe Baranello, the chief privacy officer of DOE.  I asked him for copies of the letters sent to parents and staff whose data was breached, and for more information about how these breaches occurred and what data elements were accessed.

To his credit, he responded within a few days with more details and provided four breach notification letters as attachments .

All four letters were dated July 30, 2021.  Letters #1 and #2 were addressed to parents about an unspecified March 2021 breach; the second letter included reference to specific data elements that were accessed, with that information redacted.  Letter #3 was addressed to parents whose children’s data was accessed in an earlier August 2020 breach.  Letter #4  was addressed  to teachers about the March 2021 breach.  In all cases, these letters inexplicably claim that this data was seen by only a single NYC student.

Joe’s email, which follows, included more information about the specific data elements that were breached.  Below his message are several follow-up questions to him.  If and when I get replies, I will add  to update this post.  If you or your child were affected, please let us know at info@studentprivacymatters.org .  Thanks!

___

From: Baranello Joseph <JBaranello3@schools.nyc.gov>
Sent: Monday, August 16, 2021 11:15 AM
To: leoniehaimson@gmail.com
Cc: Siciliano Lauren <LSiciliano2@schools.nyc.gov>; Sharma Anuraag <ASharma6@schools.nyc.gov>; Nathan Judy <JNathan@schools.nyc.gov>; Gantz Toni <TGantz@schools.nyc.gov>
Subject: RE: Data leak affects about 3,000 NYC students and 100 employees, officials confirm – Chalkbeat New York

Hello Leonie,

Thank you for your inquiry. We have attached the template letters that were used for these notifications, which provide additional information on what occurred and what was viewed. Impacted individuals would have received the letter applicable to them. The information implicated varied by individual. To that end, the templates include variable fields that were populated based on the specific information implicated for each person. Approximately 3,000 students and 100 staff were impacted. The variable fields are listed below, and which were involved varied widely from student to student.

No social security numbers of students or parents were involved to our knowledge (the DOE does not collect parent or student SSNs for routine inclusion in its databases).  For 5 employees, full SSNs were included.

We are committed to protecting the privacy of our staff and school communities, and a DOE student should not have been able to view these files. We have no indication that anyone’s information was further shared or misused at this time, and the DOE implemented aggressive measures to prevent this from happening again. Out of an abundance of caution we are offering free credit monitoring service to impacted individuals.

Student data:

  • Student Academic
  • Student Biographic
  • Student Health
  • Student Name
  • Student ID
  • Student Date of Birth
  • Special Education
  • Parent Information

Employee data:

  • Name
  • Social Security Number
  • Social Security Number (Last 4 digits only)
  • Date of Birth
  • Employee ID

The following specific documents were viewed for fewer than ten students per document type:

  • Individualized Education Program
  • Emergency Contact Card
  • Government ID
  • Special Education Remote Learning Plan
  • Section 504 Plan
  • Birth Certificate

Sincerely,

Joseph A. Baranello
Deputy Counsel & Chief Privacy Officer
New York City Department of Education

____

From: leoniehaimson@gmail.com <leoniehaimson@gmail.com>
Sent: Monday, August 16, 2021 5:06 PM
To: ‘Baranello Joseph’ <JBaranello3@schools.nyc.gov>
Cc: ‘Siciliano Lauren’ <LSiciliano2@schools.nyc.gov>; ‘Sharma Anuraag’ <ASharma6@schools.nyc.gov>; ‘Nathan Judy’ <JNathan@schools.nyc.gov>; ‘Gantz Toni’ <TGantz@schools.nyc.gov>; Leonie Haimson <leoniehaimson@gmail.com>
Subject: RE: Data leak affects about 3,000 NYC students and 100 employees

Dear Joe:  Thank you for sharing the letters that were sent to parents and school staff about these breaches.  I have several follow-up questions:

Question 1:   In letter #3, dated July 30, 2021, DOE informed parents of the following: “In August 2020, a DOE student reported that they viewed various electronic files that contained education records and personal information about you and/or your child. The DOE immediately took steps to address it.”

Why such a long delay in notification for this breach, especially as the NY State regulations for NYS Ed Law 2-d specifically require breach notification as early as possible  and in no case more than 60 calendar days after its discovery? “  

Question 2 – This Chalkbeat article reports that a group of Brooklyn Tech students accessed personal data in January 2021 and March 2021;  why is there no notification to parents of the January 2021 breach? 

“The students unintentionally discovered they had access to these documents in January. They noticed that the Google Drive folder where they uploaded their class assignments during remote learning contained documents uploaded by students and staff at schools across the city. Those documents included second graders’ classwork, a parent-teacher conference sign up sheet, and college recommendation letters, said a Brooklyn Tech High School student who asked to remain anonymous.”

Question 3 – Why the delay in notification for the March 2021 breach referenced above,  in letters #1 and #2, especially as DOE learned about it shortly thereafter, according to the Chalkbeat article?  Again, the July 30 letter is more than 60 calendar days after the date of discovery, despite the notification requirements in the regs. 

Question 4 – Why do all four letters refer to only one student accessing this data, when the Chalkbeat article refers to a group of students accessing much personal data in January and March? 

Question 5- Has the DOE looked into the possibility that not only this group of high school students, but other individuals as well may have accessed personal data for thousands more students/teachers, given how easily this data was found?  What further investigations are being done?

Question 6 – Clearly the data was not encrypted if students were so easily able to access it.  Are you aware that the State privacy law and regs require that the sharing of personal data with any third party such as Google requires the encryption of all personal data in motion and in rest?  Does DOE intend to comply with this requirement of the law in the future?

Question 7 – Why is the New York City Department of Education sending letters to parents from a P.O. Box in Suwanee, GA?

Question 8 – Why does  the DOE tell parents in these letters that if they “want to discuss this matter or have any questions” about these breaches, they need  to create an account with  a private company called IDX, rather than the contact someone at DOE itself – especially the law required districts to appoint a Chief Privacy Officer to be the contact person for parents’  questions and concerns regarding privacy?

Moreover, the link provided in the letter requires  parents to create an account with this company that that in turn obligates them to accept onerous Terms of Service that “will indemnify, defend, and hold harmless IDX, our subsidiaries and affiliates, and each of our respective officers, directors, agents, partners and employees (individually and collectively, the “IDX Parties”) from and against any loss, liability, claim, demand, damages, expenses or costs (“Claims”) arising out of or related to (a) your access to or use of our Services or Website”?

Moreover, IDX also limits any claims of damages to binding arbitration, and in its Privacy Policy, claims it can  use their customers’ information for many purposes, including sharing with credit bureaus and/or “With vendors, consultants, and other service providers who need access to such information to carry out work on our behalf, including marketing our products and services.”

Again, thank you for your work for NYC children, and for providing these letters to me.

Hoping for a timely response,

Leonie Haimson
Co-chair, Parent Coalition for Student Privacy
www.studentprivacymatters.org
info@studentprivacymatters.org

Opposition to NY bill that would allow College Board/ACT to keep on selling student data

See our PCSP/NYSAPE memo in opposition to a new bill in the NY State Legislature , S. 6624/ A. 7421 that would amend NY State’s landmark student privacy law and create a new loophole for the College Board and ACT.  This would allow these two companies to continue to make hundreds of millions of dollars, selling the personal information of students, including their score ranges, with questionable  benefits to them.  If you agree this is wrong, please send a letter to your legislators now!

PSCP-NYSAPE memo of opposition to sale student data

They are gutting the most important privacy law you never heard of.

These Republican lawmakers have introduced bills to weaken privacy.

You should have a choice whether a company uses photos of you or your family; you should be told when a company provides thousands of other companies and government entities access to photos of you.  There should be a law against this invasive use of your image and biometric data.  There is.  Illinois has one of the toughest biometrics laws in the country–the 2008 Biometric Information Privacy Act  (BIPA). The New York Times recently published a great piece about the importance of Illinois’ BIPA law: The best law you’ve never heard of.  The author, Shira Ovide, writes about BIPA:

The law’s text is simple but profound, Adam Schwartz, a senior staff attorney with Electronic Frontier Foundation, told me.

First, companies behind technologies like voice assistants or photo recognition services can’t use people’s biometric details without their knowledge or consent. Few American privacy laws go this far — and probably none will again. Typically we must agree to whatever companies want to do with our data, or not use the service.

Second, BIPA forces companies to limit the data they collect. Those two principles are in Europe’s landmark data privacy law, too.

And third, the law lets people — not just the state — sue companies.”

Illinois Representatives Jim Durkin Dan Caulkins Thomas M. Bennett apparently want to gut the best privacy law in the U.S.

These Representatives introduced two bills to weaken BIPA:  HB560  and HB559. Durkin, Caulkins, and Bennett’s bills would make it almost impossible for you to sue the companies who misuse your biometric information. For information on how these bills would weaken BIPA, see this coalition letter opposing these bills.

HB559 recently passed out of committee on a 10-5 vote with 5 Republicans and 5 Democrats voting yes. This article from the Capitol News Illinois says this about HB559 the bill to gut BIPA: 

Opponents are more concerned that the bill will render the existing law useless.

Sapna Khatri, advocacy and policy counsel for the ACLU of Illinois, noted that BIPA has been called the most effective and important privacy law in the country because of its simplicity.

“We are here because BIPA is working precisely as it was intended,” Khatri said. “This (new bill) is prioritizing corporate profits over personal privacy and granting companies wide latitude to collect and exchange our biometric information like currency. This is not a solution.”

Opponents to HB 559, such as Rep. Ann Williams, D-Chicago, and Rep. Jennifer Gong-Gershowitz, D-Glenview, argued that as technology advances, BIPA as it stands is imperative to protecting Illinois residents’ most personal private data.

“At a time when our neighbors and other states are modeling legislation around BIPA and issuing bans on the use of invasive biometric technology, like facial recognition, HB 559 presents a massive step back for Illinois,” Khatri said.”  [emphasis added]

What could have possibly enticed10 Illinois lawmakers to vote yes on this bill despite 266 people signing up to oppose HB559, while only 14 “people” (ie: Chamber of Commerce and the Illinois Civil Justice League-whose mission is to reduce the number of civil lawsuits) signed up in favor of HB559?

Why is this happening now? 

You may have read about companies like the facial recognition company Clearview AI who take photos shared on social media and then, without your permission, scrape up your family photos to add to their database. Clearview AI is facing several class action lawsuits  here and here and here, and this lawsuit in California that alleges:

 “The sheer volume of online photographs Clearview scrapes to capture faceprints for its database makes it a near certainty that anyone whose photographs are posted to publicly accessible portions of the internet will have been subjected to surreptitious and nonconsensual faceprinting.

The suit claims Clearview has “illicitly” and “illegally” collected more than three billion photos of “unsuspecting individuals,” giving it a database nearly seven times bigger than the FBI’s

Clearview has provided thousands of governments, government agencies, and private entities access to its database, which they can use to identify people with dissident views, monitor their associations, and track their speech,” the suit alleged. “Its mass surveillance technology disproportionately harms immigrants and communities of color.”  [emphasis added]

Clearview AI is not the only company scooping up your pictures for facial recognition. In a January 2020 class action decision, Facebook was found to have violated Illinois Biometric Information Privacy Act (BIPA) law and had to pay half a billion dollars

The Illinois suit was filed in 2015, alleging that Facebook collected facial recognition data on images of users in the state without disclosure, in contravention of the state’s 2008 Biometric Information Privacy Act (BIPA). Similar suits were filed against Shutterfly, Snapchat and Google.”

We all lose if BIPA is weakened.  

Illinois has had one of the toughest biometrics laws in the country for 13 years–and with the increase in surveillance technology, other states are patterning bills after BIPA. Now is the time to increase (not weaken) privacy legislation.  After big companies like Facebook and Clearview AI got sued for illegally scraping people’s photos, there are suddenly bills in Illinois to weaken BIPA. Will these industry folks weaken privacy bills in your state, too?  Don’t let them.   

Illinois lawmakers should not make the mistake of weakening privacy rights. HB559 and HB560 should be stopped. Laws and elected officials should protect people, not corporate interests.

What you can do

  • If you are an Illinois resident, call your state rep and your state senator, tell them you are their constituent and urge them to oppose HB559 and any bills that weaken the protections of BIPA.
  • For anyone, call the leadership in the IL House, in particular new Speaker of the House Chris Welch and Minority Leader Jim Durkin, the chief sponsor of the bill.   

Speaker Welch (217) 782-5350 and (708) 450-1000

Leader Durkin (217) 782-0494 and (630) 325-2028

You can find the list of House leaders in each party here and all of their contact info is listed in this directory. Tell them that BIPA is the most protective privacy law in the US and putting corporate profits over protecting individual’s freedom is doing a disservice not just to Illinoisans but to anyone who values the Constitutional right to privacy. 

Parents: Two ways to find out what ed tech companies are collecting your child’s personal data

Parents, help fill in this FERPA Project Map for the folks at The Student Data Privacy Project.

https://www.studentdataprivacyproject.com/ferpa-project-map

1. This FERPA Map project

is sponsored by our friends at the The Student Data Privacy ProjectTheir goal is to highlight the need for parents to know how the data for their children is being collected and protected by ed tech apps. Under FERPA, parents have that right but it is rarely being exercised or enforced. They are asking parents in all 50 states to send a letter to their District or school requesting their child’s data that is held by these private companies.  You can click on their website here to request their  FERPA template  letter.  When you send your letter to your district or school, please copy us at info@studentprivacymatters.org  on your request.

2. It’s time we KNOW what data these edtech apps are collecting and how they are being used. 

We at the Parent Coalition for Student Privacy launched our own App Survey in January, for Data Privacy Day 2021. We are researching which edtech apps schools are asking students to use and whether they are sufficiently protective of children’s privacy.  You can take our App Survey here.  

Please let us know what online apps and programs your district or school is using, and check to see if they have been transparent about their privacy policies.  Your name and district will be kept confidential. Thank you to the MANY parents and educators who have already completed this App Survey.  Please continue to share and we will let you know the results soon.  If you have any questions or concerns, please feel free to email us at info@studentprivacymatters.org