The Network for Public Education hosted its second annual conference in Chicago on April 25-26, 2015. It was an awesome opportunity for education advocates from across the country to gather and learn from one another to save our schools. Parent Coalition for Student Privacy Co-chairs Leonie Haimson and Rachael Stickland were honored to sit on a panel titled “Perils of Ed Tech: Student Privacy and Corruption” along with Cynthia Liu and student Nathan Ringo. Please see below to view the panel discussion and to access Leonie and Rachael’s powerpoint presentations. Thanks to everyone who joined us in Chicago!

Network for Public Education National Conference: Perils of Ed Tech from Schoolhouse Live on Vimeo.

 

In September 2014, California passed “landmark” student privacy legislation known as SOPIPA (Student Online Personal Information Protection Act). At least 15 states have attempted to pass similar legislation this year, including Oregon. Lisa Shultz, an education advocate and member of the Parent Coalition for Student Privacy, addressed members of the Oregon House Education Committee to express her concern over proposed amendments that would significantly weaken the bill. Similar amendments were added to bills in Colorado, Maryland and Connecticut by lobbyists representing Google, Microsoft, K12 Online Inc. and others. Please read Lisa’s testimony:

d

---

Testimony in Opposition to SB 187A

Lisa A. Shultz, M.S.E.E.

18 May 2015

Dear Chair Doherty and Members of the House Education Committee:

I am writing today in opposition to SB 187A.  Please note that I had earlier submitted testimony in support of SB187-1.  However, the bill that was passed by the Senate, with little to no discussion, was the -3 amendment that significantly changes the bill and undermines the good intentions of the bill to safeguard the online privacy protections of Oregon’s students.

A glaring example of these changes is the language in the bill that initially “prohibited the service provider from disclosing any covered information provided by the operator to subsequent third parties (period)”.  SB 187A adds the troubling “except in furtherance of kindergarten through grade 12 purposes of the site, service or application or for a purpose permitted by subsection…”  while also expanding the definition of ‘kindergarten through grade 12 purposes’ and ‘operator’.  These changes effectively remove downstream restrictions and subsequent re-disclosure.

I hope that you will review the testimony submitted by James Steyer, CEO of Common Sense Media submitted on April 14, 2015.  Mr. Steyer had previously written in support of the -1 amendment and withdrew his support with the -3 amendment.   His testimony is an excellent summary of the changes and their effects that “create new loopholes and weaken OSIPA’s protections for students.”

Other states similar to Oregon that are trying to copy the California bill ,(e.g. Colorado, Connecticut, Maryland), see a similar watering down of the protections provided by California’s SB 1177 as a result of industry lobbying.  I remind you that children do not have lobbyists. I urge this Committee to act on their behalf by either restoring the protections of the -1 amendment, or rejecting this bill and working to create legislation that will restore the intent to provide the same protections granted to California’s students as a result of passage of their landmark legislation.

Sincerely,

Lisa Shultz

 

 

For immediate release: April 29, 2015

Contact: Rachael Stickland, 303-204-1272, [email protected]

Leonie Haimson, 917-435-9329, [email protected]

Messer/Polis Privacy Bill Still Inadequate to Protect Children from Commercial Exploitation and Data Breaches

The student privacy bill just introduced by Representatives Messer and Polis is an improvement from their previous draft, but still has many loopholes that make it inadequate to address many parental concerns about their children’s privacy and safety.

Leonie Haimson, co-chair of the Parent Coalition for Student Privacy said, “The bill still doesn’t require any parental notification or consent before schools share personal data with third parties.  It wouldn’t stop the surveillance of students, or the collection of huge amounts of highly sensitive student information by third parties, as inBloom was designed to do.”

“The bill still allows targeting ads to kids –as long as the ads are “contextual” or selected based on information gathered via student’s single online session. We strongly believe that there should be no advertising allowed in instructional programs assigned to students at school, as ads do not aid learning but is a huge distraction to kids. Moreover, how can a parent know if their child is subjected to an ad, whether it is based on data-mining during one session or over time?”

Rachael Stickland, Colorado co-chair of the Parent Coalition said: “We’re pleased to see some of our recommendations reflected in this draft, including enhanced transparency and some limitations on re-disclosures. This bill allows parents to delete personal information from the data collected from their children, but it doesn’t require that parents be informed by either the vendor or the school that this data is being disclosed, collected and data-mined, so how would parents know to ask to delete it? It also allows vendors to data-mine personal information to improve their products or create profiles that could severely limit student’s success by stereotyping them and limiting their opportunities.”

Other remaining weaknesses of the bill:

• There are NO specific security protections outlined in the bill, only that procedures should be “reasonable.” We believe that any vendor collecting and using sensitive student personal information should be required to employ data encryption, undergo regular security audits, and other important measures to protect against damaging breaches.
• Vendors would not have to inform parents or even school officials of data breaches unless they deem this “appropriate” without defining when that would be required, and there are no specific amounts required for fines.
• Vendors could transfer the personal student data to another company if there is a merger or acquisition.
• Vendors would be able to re-disclose students’ personal information to an unlimited number of unspecified service providers, without the knowledge or consent of schools or parents
• Vendors would be allowed to disclose de-identified and aggregate data, while using “reasonable” methods to ensure that the data could not be re-identified. This again is inadequate protection, given how easy it has become to re-identify personal information with current methods and widely available data sets.
• The bill’s protections would not apply to children in preschool and “K-12 Purposes” is only vaguely defined.
• Vendors could use student information for many commercial purposes including “maintaining, developing, supporting, improving, or diagnosing the operator’s school service.”

Rachael Stickland concludes: “This bill is clearly a step in the right direction but it needs to be further improved if it is going to protect our children from commercial exploitation and devastating breaches. Our children’s privacy and safety is invaluable and should not be put at risk by being handed off carelessly for profit or for gain.”

###

April 24, 2015

Dear Chairman Alexander and Ranking Member Murray,

We write on behalf of the Parent Coalition for Student Privacy to submit comments on the consumer information white paper that the Committee published on March 23, 2015. The coalition is a non-profit voluntary organization of concerned parents and educational privacy advocates across the nation. We are alarmed by the erosion of parental and student privacy rights, by the growth of longitudinal student-level data warehouses that collect and mine personally identifiable data from educational records for unspecified purposes, and by the encroachment of educational technology companies on records that have historically been entrusted only to school authorities with a legitimate educational interest in them.

As parents of current and future college students, we appreciate and applaud the Committee’s interest in producing actionable consumer information that, instead of drowning the public in incomprehensible minutiae, provides meaningful disclosures to guide the college selection process. We also recognize the legitimate data needs of the federal government for purposes of program management and institutional accountability of student aid programs authorized in Title IV of the Higher Education Act. As the Committee proceeds to identify these needs, we urge it to consider the views of parents and students, and to ensure that federal data collection and retention policies do not intrude on privacy rights of students.

We are concerned that various Washington advocacy groups may use the upcoming reauthorization of the Higher Education Act to press for the creation of a federal student tracking system to capture personally identifiable information on all students without notice, without consent, without the right to opt out or even to review their own records. As you are well aware, the feasibility of such a system was thoroughly studied some 10 years ago by the National Center for Education Statistics. Congress, having had the benefit of that extensive analysis, acted to explicitly ban the creation of any such system in the Higher Education Opportunity Act of 2008 due to privacy concerns. It is ironic that even as the privacy threats that a unit-record system would pose have grown exponentially, the pressure to lift the federal ban is greater than ever.

The enormity of the security threat posed by a massive data mart of sensitive personally identifiable information about every student is immediately obvious in light of the spectacular commercial and governmental breaches of the past several years. In fact, the original NCES assurances of security now look naive in their inadequacy. Specifically, NCES proposed (and many State Longitudinal Data Systems funded by the U.S. Department of Education apparently still believe) that the assignment of random identification numbers in lieu of social security numbers would suffice to de-identify records. This notion borders on the laughable in light of advances in computer science and statistical re-identification techniques. The second remedy offered back in 2004 was to “disconnect” the system from the Internet, which, even if it were a serious thought a decade ago, means little in light of the internal data breaches at the Department of Defense and the National Security Agency.

While safeguarding student data against unauthorized disclosures is a great concern for us, we are even more alarmed by the likely authorized disclosures that a unit-record system will inevitably accommodate. We believe that a federal data system with as much information as a unit-record system would quickly turn into a federal lending library available for interagency browsing for unspecified future purposes. Indeed, the high probability of mission-creep is quite obvious in the rhetoric of its advocates, who justify the system on its many–but unspecified–alleged edifying uses. Our coalition members insist that any such application of personally identifiable information can only be legitimated on the basis of the informed consent of the individuals themselves. It is quite unacceptable for policy elites, often in collaboration with technology firms seeking to mint fortunes, to argue that the government is entitled to gain nonconsensual access to our children’s records in pursuit of their policy priorities without so much as letting the students know, let alone soliciting and securing their agreement.

We urge you to ensure that any federal or federally funded collection, warehousing, and mining of personally identifiable information from education records honors fair information practices and provides explicit notice to, and obtains the informed consent of, the individuals involved. We appreciate the opportunity to submit our views for the Committee’s consideration and stand ready to work with you to improve consumer disclosures in a manner that is not violative of basic family educational privacy rights.

Sincerely,

Leonie Haimson and Rachael Stickland, Co-chairs

Parent Coalition for Student Privacy

www.studentprivacymatters.org

[email protected]

• Parents would not be able to delete any of the personal information obtained by a vendor from their children, even upon request, unless the data resulted from an “optional” feature of the service chosen by the parent and not the district or school.
• The bill creates a huge loophole that actually could weaken existing privacy law by allowing vendors to collect, use or disclose personal student information in a manner contrary to their own privacy policy or their contract with the school or district, as long as the company obtains consent from the school or district.  It is not clear in what form that consent could be given, whether in an email or phone call, but even if a parent was able to obtain the school’s contract or see the vendor’s privacy policy, it could provide false reassurance if it turns out the school or district had secretly given permission to the company to ignore it.
• Vendors would be able to redisclose students’ personal information to an unlimited number of additional third parties, as long as these disclosures were made for undefined “K12 purposes.”
• Vendors would be able to redisclose individual student’s de-identified or aggregate information for any reason or to anyone, without restrictions or safeguards to ensure that the child’s information could not be easily re-identified through widely available methods.

Rachael Stickland concludes: “This bill reads as though it was written to suit the purposes of for-profit vendors, and not in the interests of children.  It should be rejected by anyone committed to the goal of protecting student privacy from commercial gain and exploitation.”