Press Release: Messer/Polis Privacy Bill Still Inadequate to Protect Children from Commercial Exploitation and Data Breaches

For immediate release: April 29, 2015

Contact: Rachael Stickland, 303-204-1272, [email protected]

Leonie Haimson, 917-435-9329, [email protected]

Messer/Polis Privacy Bill Still Inadequate to Protect Children from Commercial Exploitation and Data Breaches

The student privacy bill just introduced by Representatives Messer and Polis is an improvement from their previous draft, but still has many loopholes that make it inadequate to address many parental concerns about their children’s privacy and safety.

Leonie Haimson, co-chair of the Parent Coalition for Student Privacy said, “The bill still doesn’t require any parental notification or consent before schools share personal data with third parties.  It wouldn’t stop the surveillance of students, or the collection of huge amounts of highly sensitive student information by third parties, as inBloom was designed to do.”

“The bill still allows targeting ads to kids –as long as the ads are “contextual” or selected based on information gathered via student’s single online session. We strongly believe that there should be no advertising allowed in instructional programs assigned to students at school, as ads do not aid learning but is a huge distraction to kids. Moreover, how can a parent know if their child is subjected to an ad, whether it is based on data-mining during one session or over time?”

Rachael Stickland, Colorado co-chair of the Parent Coalition said: “We’re pleased to see some of our recommendations reflected in this draft, including enhanced transparency and some limitations on re-disclosures. This bill allows parents to delete personal information from the data collected from their children, but it doesn’t require that parents be informed by either the vendor or the school that this data is being disclosed, collected and data-mined, so how would parents know to ask to delete it? It also allows vendors to data-mine personal information to improve their products or create profiles that could severely limit student’s success by stereotyping them and limiting their opportunities.”

Other remaining weaknesses of the bill:

  • There are NO specific security protections outlined in the bill, only that procedures should be “reasonable.” We believe that any vendor collecting and using sensitive student personal information should be required to employ data encryption, undergo regular security audits, and other important measures to protect against damaging breaches.
  • Vendors would not have to inform parents or even school officials of data breaches unless they deem this “appropriate” without defining when that would be required, and there are no specific amounts required for fines.
  • Vendors could transfer the personal student data to another company if there is a merger or acquisition.
  • Vendors would be able to re-disclose students’ personal information to an unlimited number of unspecified service providers, without the knowledge or consent of schools or parents
  • Vendors would be allowed to disclose de-identified and aggregate data, while using “reasonable” methods to ensure that the data could not be re-identified. This again is inadequate protection, given how easy it has become to re-identify personal information with current methods and widely available data sets.
  • The bill’s protections would not apply to children in preschool and “K-12 Purposes” is only vaguely defined.
  • Vendors could use student information for many commercial purposes including “maintaining, developing, supporting, improving, or diagnosing the operator’s school service.”

Rachael Stickland concludes: “This bill is clearly a step in the right direction but it needs to be further improved if it is going to protect our children from commercial exploitation and devastating breaches. Our children’s privacy and safety is invaluable and should not be put at risk by being handed off carelessly for profit or for gain.”

###

Our comments to the Senate Help Committee on the reauthorization of the Higher Education Act

April 24, 2015

Dear Chairman Alexander and Ranking Member Murray,

We write on behalf of the Parent Coalition for Student Privacy to submit comments on the consumer information white paper that the Committee published on March 23, 2015. The coalition is a non-profit voluntary organization of concerned parents and educational privacy advocates across the nation. We are alarmed by the erosion of parental and student privacy rights, by the growth of longitudinal student-level data warehouses that collect and mine personally identifiable data from educational records for unspecified purposes, and by the encroachment of educational technology companies on records that have historically been entrusted only to school authorities with a legitimate educational interest in them.

As parents of current and future college students, we appreciate and applaud the Committee’s interest in producing actionable consumer information that, instead of drowning the public in incomprehensible minutiae, provides meaningful disclosures to guide the college selection process. We also recognize the legitimate data needs of the federal government for purposes of program management and institutional accountability of student aid programs authorized in Title IV of the Higher Education Act. As the Committee proceeds to identify these needs, we urge it to consider the views of parents and students, and to ensure that federal data collection and retention policies do not intrude on privacy rights of students.

We are concerned that various Washington advocacy groups may use the upcoming reauthorization of the Higher Education Act to press for the creation of a federal student tracking system to capture personally identifiable information on all students without notice, without consent, without the right to opt out or even to review their own records. As you are well aware, the feasibility of such a system was thoroughly studied some 10 years ago by the National Center for Education Statistics. Congress, having had the benefit of that extensive analysis, acted to explicitly ban the creation of any such system in the Higher Education Opportunity Act of 2008 due to privacy concerns. It is ironic that even as the privacy threats that a unit-record system would pose have grown exponentially, the pressure to lift the federal ban is greater than ever.

The enormity of the security threat posed by a massive data mart of sensitive personally identifiable information about every student is immediately obvious in light of the spectacular commercial and governmental breaches of the past several years. In fact, the original NCES assurances of security now look naive in their inadequacy. Specifically, NCES proposed (and many State Longitudinal Data Systems funded by the U.S. Department of Education apparently still believe) that the assignment of random identification numbers in lieu of social security numbers would suffice to de-identify records. This notion borders on the laughable in light of advances in computer science and statistical re-identification techniques. The second remedy offered back in 2004 was to “disconnect” the system from the Internet, which, even if it were a serious thought a decade ago, means little in light of the internal data breaches at the Department of Defense and the National Security Agency.

While safeguarding student data against unauthorized disclosures is a great concern for us, we are even more alarmed by the likely authorized disclosures that a unit-record system will inevitably accommodate. We believe that a federal data system with as much information as a unit-record system would quickly turn into a federal lending library available for interagency browsing for unspecified future purposes. Indeed, the high probability of mission-creep is quite obvious in the rhetoric of its advocates, who justify the system on its many–but unspecified–alleged edifying uses. Our coalition members insist that any such application of personally identifiable information can only be legitimated on the basis of the informed consent of the individuals themselves. It is quite unacceptable for policy elites, often in collaboration with technology firms seeking to mint fortunes, to argue that the government is entitled to gain nonconsensual access to our children’s records in pursuit of their policy priorities without so much as letting the students know, let alone soliciting and securing their agreement.

We urge you to ensure that any federal or federally funded collection, warehousing, and mining of personally identifiable information from education records honors fair information practices and provides explicit notice to, and obtains the informed consent of, the individuals involved. We appreciate the opportunity to submit our views for the Committee’s consideration and stand ready to work with you to improve consumer disclosures in a manner that is not violative of basic family educational privacy rights.

Sincerely,

Leonie Haimson and Rachael Stickland, Co-chairs

Parent Coalition for Student Privacy

www.studentprivacymatters.org

[email protected]

Messer/Polis Student Privacy Bill Protects Commercial Interests of Vendors not Kids

For immediate release: March 22, 2015
 
Contact: Rachael Stickland, 303-204-1272, [email protected]
d
Messer/Polis Student Privacy Bill Protects
Commercial Interests of Vendors not Kids
d
The bill just introduced by Representatives Messer and Polis addresses few if any of the concerns that parents have concerning the way their children’s privacy and safety have been put at risk by the widespread disclosure of their personal data by schools, districts and vendors. 
d
Leonie Haimson, co-chair of the Parent Coalition for Student Privacy said, “The bill doesn’t require any parental notification or consent before schools share personal data with third parties, or address any of the current weaknesses in FERPA.  It wouldn’t stop the surveillance of students by Pearson or other companies, or the collection and sharing of huge amounts of highly sensitive student information, as inBloom was designed to do.” 
d
“All the bill does is ban online services utilized by schools from targeting ads to kids – or selling their personal information, though companies could still advertise to kids through their services and or sell their products to parents, as long as this did not result from the personal information gathered through their services.   Even that narrow prohibition is incomplete, as vendors would still be allowed to target ads to students as long as the ads were selected based on information gathered via student’s single online session or visit – with the information not retained over time.”
d
Rachael Stickland, Colorado co-chair of the Parent Coalition: “The bill doesn’t bar many uses of personal information that parents are most concerned about, including vendor redisclosures to other third parties, or data-mining to improve their products or create profiles that could severely limit student’s success by stereotyping them and limiting their opportunities.”
d
Other critical weaknesses of the bill:
d
  • Parents would not be able to delete any of the personal information obtained by a vendor from their children, even upon request, unless the data resulted from an “optional” feature of the service chosen by the parent and not the district or school.
  • The bill creates a huge loophole that actually could weaken existing privacy law by allowing vendors to collect, use or disclose personal student information in a manner contrary to their own privacy policy or their contract with the school or district, as long as the company obtains consent from the school or district.  It is not clear in what form that consent could be given, whether in an email or phone call, but even if a parent was able to obtain the school’s contract or see the vendor’s privacy policy, it could provide false reassurance if it turns out the school or district had secretly given permission to the company to ignore it.
  • Vendors would be able to redisclose students’ personal information to an unlimited number of additional third parties, as long as these disclosures were made for undefined “K12 purposes.”
  • Vendors would be able to redisclose individual student’s de-identified or aggregate information for any reason or to anyone, without restrictions or safeguards to ensure that the child’s information could not be easily re-identified through widely available methods.

Rachael Stickland concludes: “This bill reads as though it was written to suit the purposes of for-profit vendors, and not in the interests of children.  It should be rejected by anyone committed to the goal of protecting student privacy from commercial gain and exploitation.”

###

Privacy coalition improves LearnSprout privacy policy & terms of service

On September 18, 2014 Lisa Shultz, public education advocate and member of the Parent Coalition for Student Privacy, tagged @leoniehaimson and @parents4privacy in a tweet about Pearson’s new collaborative partnership with an edtech startup called LearnSprout. Her tweet linked to a public document (link now here) that listed the data schema used for their product. At the time we knew little about the company, but their name was familiar because they had once been listed as a partner of inBloom.

Lisa’s tweet also caught the attention of Paul Smith, Marketing Director for LearnSprout. He quickly engaged in a thoughtful and productive Twitter exchange between @lisa4schools, @leoniehaimson and @parents4privacy. In 140 characters or less, we asked Paul numerous questions about the types of data his company collected, how they used the data, their data retention and deletion policies, and how they contracted with schools and school districts. Though Paul did his best to field the barrage of questions, we agreed it was best to take the conversation offline.

Paul reached out to us by email and encouraged us to provide feedback on LearnSprout’s Privacy Policy and Terms of Service.  We were happy to help but first we wanted to know more about the company ‘s services and customers. What we learned didn’t put us at ease. Paul described how, at the time, schools would setup LearnSprout with limited-access administrator account to the student information system (SIS) in order to send data to LearnSprout for analysis. This included a number of personally identifiable data fields from the system. LearnSprout would then analyze the data and present the school user with a series of graphs and charts to “identify historical trends, track college readiness and spot at-risk students.” Authorized school/district personnel could then access reports profiling individual student’s attendance, gender, free/reduced lunch status, etc. (See image below.)

Learnsprout 2

Further, to sign up for this free service, the “customer” or school employee simply accepted the “click wrap” agreement. There was no negotiated contract between LearnSprout and the school/district – a teacher or administrator merely agreed to the Terms of Service which, of course, favored LearnSprout by stating: “We reserve the right, at our discretion, to change the Terms on a going forward basis at any time. Please check the Terms periodically for changes.

Upon learning more about LearnSprout, we were clear with Paul that we disagreed with the underlying principles of their service and would we never endorse their product because we believe strongly that profiling individual students – no matter how pure the intention – stigmatizes children and can harm or limit their future chances for success. We also insisted that the “click wrap” agreement insufficiently protected schools/districts (and their students) and at the very least LearnSprout should require an electronic signature so the school employee signing up for the service would consider the gravity of his/her decision before sharing sensitive student data. Paul assured us that he understood our position about the value of the service but respectfully disagreed, and he was committed to improving their “onboarding” process. With that behind us, we started digging into their policies.

We found LearnSprout’s Privacy Policy and Terms of Service to be vague, contradictory, and full of legalese  and outdated terms for products and services that the company no longer supported. It was clear to everyone that a lot of work needed to be done. But after several months, a handful of long but congenial conference calls, and dozens of clarifying email discussions, the resulting policies are a vast improvement from where LearnSprout started in September. Paul outlines the comprehensive list in his blogpost http://blog.learnsprout.com/ but highlights include:

  • Termination of the “free” service model and an end to “click wrap” agreements. LearnSprout is now a paid service and Paul assures us the “Terms of Service and Privacy Policy are attached as a condition of each new contract.”
  • If LearnSprout should go bankrupt, all data in its possession will be deleted in 30 days.
  • When the Terms of Service are changed, customers will be notified and must accept the terms in order to continue using the service.
  • They post on their website the full data dictionary of what data they store for schools/districts.
  • Breach notification within 24 hours of a suspected incident.
  • Student’s personally identifiable information will not be used to improve or enhance LearnSprout’s products or services, and will be removed 60 days after the student is not longer enrolled in the school/district.

Paul’s collaborative nature and sincere desire to improve their policies set a great example for other ed tech companies to follow. We still don’t agree with LearnSprout’s business goals but we do believe they are a leader in forging partnerships with parents and advocates to safeguard the data entrusted to them. Our hope is that others will engage in equally civil and productive dialogue.

(Correction: The previous blogpost stated that LearnSprout would “backdoor” SISs. The term “backdoor” was an oversimplified description of the technical process, and was not intended to imply that LearnSprout was accessing student information stored in the SISs in an unauthorized manner.)

Our letter to Reps. Polis and Messer

February 11, 2015

Dear Representatives Polis and Messer:

We write on behalf of the Parent Coalition for Student Privacy, a nationwide network of parents, citizens, and privacy advocates, concerned with the widespread, rampant, and poorly regulated data collection, data-sharing, data-tracking, data-warehousing, data-mining, and commercial exploitation of personally identifiable student information. We thank you for your interest in this important topic and for your ongoing efforts to strengthen student privacy protections.

As you are well aware, parents across the country are increasingly alarmed about the everyday uses and abuses of their children’s personal data. Many parents are only recently learning how much of their children’s most sensitive information is being collected and shared via their schools with commercial vendors, private organizations, state agencies, and other third parties. Though the evidence of the benefits of this widespread collection and disclosure of children’s personal information is weak, the risks are all too evident. Families are mobilizing to counter this virtually unfettered third-party access to their children’s private data, and have demonstrated the effectiveness of their advocacy at the state level.

While we welcome federal legislation to strengthen student privacy protections, we are concerned that this effort may be incomplete, inadequate, or co-opted by special interests. As the tide of opposition to non-consensual capture, disclosure, and re-disclosure of student educational data has grown, various groups have sought to placate parents with various assurances. These assurances, however, are weak, as they fail to deal with student privacy within the framework of fair information practices. The recent voluntary corporate Student Privacy Pledge, for example, was a first step in addressing these issues; but the Pledge has deficiencies and gaps that render it ineffective in addressing our legitimate concerns.

One of our crucial concerns is the current lack of a clear affirmative obligation on the part of schools and districts to notify parents about what student data is being collected, what data is being shared with which third parties, and under what conditions. Another crucial concern is the lack of a clear legal obligation on the part of schools and districts to notify parents about which vendors the schools have authorized to collect information directly from children in class, as schools – not vendors – are the sole contact point for most parents.

Accordingly, we are writing to urge you to draft legislation that deals with educational and student privacy in a more comprehensive and effective manner. Here is a framework that we respectfully ask you to consider:

  • All personally identifiable data collected directly from students, by vendors or other third parties, whether collected in school or assigned by teachers in class or for home, should require that the school provide full notification and informed consent to parents, or to the students themselves if they are over age 18. At a minimum, parents should be informed of what data is being collected, the purpose of the data collection, how long the data will be retained and by whom and where, and the security provisions and safeguarding practices utilized by the third party. As pursuant to COPPA, parents must be afforded the right to opt out of any collection of their child’s data, at any time, if they so choose;
  • All disclosures of students’ personally identifiable information by schools, districts, and states to third-parties must require parental notification. There must be written agreements specifying the use of the data, and these agreements must be made publicly available. The agreements should also specify that only employees of the company or organization with a legitimate educational interest be allowed to access it, that adequate breach prevention and notification technologies and policies are in place, including levels and standards of encryptions for data in-motion and at-rest, that independent audits be required, and that the third party will assume financial liability for any damages caused by any breach;
  • Parents must be afforded the opportunity and ability to inspect any personal student data that is collected, shared, or warehoused, correct if it is wrong, request that it be deleted, and opt out of further collection;
  • Parental consent must be required before any school, district or state can share any student data with any third party that includes sensitive information that could harm a child’s future if breached or abused, including but not limited to their grades, test scores, disabilities, health conditions, biometric information, disciplinary or behavior records;
  • There should be an absolute ban on selling any student data, including in case of a bankruptcy, merger, or sale of a company, as well as a ban on using personal student data for advertising or marketing purposes, or for developing or refining commercial products;
  • There must be protections against schools or vendors creating “learner profiles” of students, whether through “predictive and adaptive analytics” or other measures. These profiles could lead to a student being stereotyped or their chances of future success undermined;
  • Absolutely no re-disclosures or repurposing of personally identifiable student information by third parties without informed parental consent should be allowed;
  • Tough monitoring and enforcement provisions should be required, including substantial fines to be levied on any school, state agency, nonprofit organization, or third party vendor that violates the law’s provisions;
  • A clear private right of action should be created, with parents afforded the right to sue if schools, districts, state agencies, nonprofit organizations, or third party vendors have violated the law and their children’s privacy;
  • Each state must publicly report all the data elements being collected for their state longitudinal student databases, as well as publicly report with which governmental and non-governmental third parties they plan to disclose and/or share such data;
  • State advisory boards made up of stakeholder groups, including parents, security experts, and privacy advocates, should be created to ensure that these state longitudinal databases collect the minimum amount of personal data necessary, and develop rigorous restrictions on access to such data;
  • Any new federal law should recognize the right of states to legislate more robust requirements and provide for more vigorous privacy and security protections. Federal law should therefore not preempt state laws if such state laws are stronger.

Only if these principles and provisions are adopted in a new federal student privacy law will parents be assured that the unregulated and irresponsible trafficking of personal student data will have been adequately addressed. We thank you for your leadership on this important issue and stand ready to work with you and your colleagues to ensure that a strong, workable federal student privacy law is enacted as soon as possible.

Yours sincerely,

Leonie Haimson and Rachael Stickland

Co-chairs, Parent Coalition for Student Privacy

www.studentprivacymatters.org

[email protected]

303-204-1272