Blog

Barmak Nassirian’s quick review of the Markey/Hatch privacy legislation 7.31.2014

This is done too quickly to be comprehensive, but is intended as a first reaction to the Markey/Hatch privacy bill’s language.  – Barmak Nassirian.

  1. The bill is very narrow and does not attempt to address the main objections raised by parents and privacy advocates about the ways in which the 2008 and 2011 FERPA regs undermined educational privacy rights. Specific topics like the 2011 regs’ definition of “education program,” or “authorized representative” are left unresolved, with authorized representative only being referenced (infelicitously at that, since a comma is missing on page 2, line 23 before “and”) as an outside party that would be subject to unspecified security requirements.
  2. On the affirmative front, the language does specifically condition receipt of federal funds on “protection” of personally identifiable information, and requires ed agencies and institutions to impose that same requirement on any “outside parties” to whom they disclose PII. The problem here is that “protection” is undefined, and more importantly, that the issue is not so much protection of records from unauthorized access, but limiting the universe of entities and individuals who may inappropriately be granted authorized access. (Page 2, new section (4)(A) lines 7-19)
  3. The language prohibits receipt of federal funds by programs that use or disclose PII “to advertise or market a product or service.” This language is incomplete and problematic at a couple of levels. First, why not, at the very least, ban all commercial uses of PII? Why only marketing and advertising, but not sale of PII to improve software, develop for-profit tests, or design products? Second, there’s no distinction made between directory and non-directory information. (Would providing a list of students to a photographer taking yearbook pictures be a violations?) Finally, no distinction is made between non-consensual and consensual disclosures. The most comprehensive solution would be to ban all commercial uses as well as non-consensual disclosures to any entity without a legitimate educational interest as that term is defined and applied to school officials. There may have to be targeted exceptions for disclosures like transcripts (involving fees and very sensitive PII) or transactional interactions like the photographer example above. (New Section 5, page 3, lines 3-10)
  4. The amendment imposes new requirements on “outside parties” that are intended to parallel the “inspection, correction, amendment” provisions of existing law, but do so in an unorthodox and problematic way. First, absent a parallel notice requirement to parents and students, how would they even know about disclosure of PII to outside parties? Second, probably inadvertently but maybe not, the rights are provided for parents but not for students themselves, which opens a huge and very messy can of worms particularly with regard to postsecondary students. (I couldn’t review my records at my age, but my parents could?) Third, the language departs from the standard “inspection, correction, or amendment” and expands the list to “challenge,correct, or delete.” While this confusing language may arguably be viewed as an expansion of privacy rights, the rest of the sentence immediately takes back what the bill giveth, by limiting the rights only to “inaccurate, misleading, or otherwise inappropriate data” which are left undefined. Current law, of course, makes no such distinctions, and imposes no such limitations or burdens on students or parents, who may amend the record—with no mandate for adjudicating the veracity of its contents—as they see fit. (Pages 3, line 11 through page 4, line 17)
  5. The new section (7) in the bill explicitly requires data minimization, but proceeds to define it in a most unconventional manner as attempting to respond to “appropriate” (i.e., Legally allowed? Legally required? Something else?) requests for PII through provision of de-identified data, if such de-identified data meet the “effective” purpose of the request. Leaving the obscurity and vagueness of the terms aside, this language is oblivious to the enormous difficulty of robust de-identification (which goes well beyond dropping names and SSNs) and the relative ease of re-identification of putatively anonymized records. Subsection (B) of this section adds a data retention rule, which would require that data be destroyed once the original purpose for their initial disclosure has been met. This is a positive improvement on current law. (Page 4, line 18 through page 5, line 6.)
Blog

Our response to the Markey/Hatch student privacy bill introduced 7.30.2014

For immediate release: July 30, 2014

 

Rachael Stickland, 303-204-1272; [email protected]

Leonie Haimson: 917-435-9329; [email protected]

 

On the Markey/Hatch student privacy bill

 

Rachael Stickland, co-chair of the Parent Coalition for Student Privacy, said: “Though we appreciate the effort that Senators Markey and Hatch have undertaken on behalf of better privacy protections for students, their proposed legislative fix falls short of what’s needed; it sets no specific security standards for the storage or transmission of children’s personal information, allows unlimited disclosures and redisclosures  to for-profit vendors and other third parties without parental consent as long as the data isn’t used for marketing purposes, and doesn’t even require that schools and districts inform parents as to what personal information is being shared with which particular vendors.  Thus the clause that requires that parents be able to amend the information held by the vendor is nonsensical as its unclear how they would even know who to contact.” 

 

Said Leonie Haimson, the other co-chair of the Parent Coalition, “Nothing in this bill would have stopped the outrageous data-grab of inBloom, or any of the other companies set to take its place. We need a far stronger bill to do the job that parents are demanding:  protecting their children’s privacy and safety from breaches and  unwarranted data-mining.”

 

###

  

The link to the “Protecting Student Privacy Act ” is here.

 

Blog

Press Release 7.24.2014 – Louisiana

FOR IMMEDIATE RELEASE
July 24, 2014
For more information contact:
Leonie Haimson: [email protected]; 401-466-2262; 917-435-9329
Rachael Stickland: [email protected]; 303-204-1272
Lee P. Barrios: [email protected]; 985-789-8304
 
New Coalition Urges Congress to Listen to Parents and Strengthen Student Privacy Protections
A new national coalition called the Parent Coalition for Student Privacy released a letter this week to the leaders of the committees of the House and Senate Education Committees, urging Congress to strengthen FERPA and involve parents in the decision-making process to ensure that their children’s privacy is protected.
Many of the groups and individuals in the Coalition were involved in the battle over inBloom, which closed its doors last spring.  They were shocked to learn during this struggle how federal privacy  protections and parental rights to protect their children’s safety through the Family Educational Rights and Privacy Act (FERPA)  had eroded over the last decade. These parents represent a broad spectrum of personal, political, and religious beliefs but are united in their concern for their parental rights and the privacy of their children.  
The letter is posted here, and calls for Congress to hold hearings and enact new privacy protections that would minimize the sharing of highly sensitive student data with vendors and among state agencies and would maximize the right of parents to notification and consent.  The letter also asks for strict security requirements, that the law be enforceable through fines, and that parents have the right to sue if their children’s privacy is violated.
Lee Barrios, teacher,  member of the Coalition for Louisiana Public Education, Information Coordinator for Save Our Schools March, and PCSP founding member said that Louisiana parents crossed only the first hurdle in protecting their children with the passage of Act 837 during the 2014 legislative session.  The legislation was precipitated by parents whose investigations revealed that State Department of Education Superintendent John White had contracted with inBloom to store personally identifiable student information including social security numbers. The bill requires that the Louisiana Department of Education develop anonymous student identification numbers and the department will also be prohibited from seeing or keeping any personally identifiable data about a child. Students’ names, addresses and other information will only be maintained at the local school district level. 
St. Tammany parent Debbie Sachs, along with her daughter Rachel, became privacy activists as a result of Rachel’s realization that her personal information was targeted.  Rachel’s testimonies before legislative committees and the State Board of Education were compelling.  Ms. Sachs says, “It is a sad day when children have to take a day off of school to travel to Baton Rouge to ask legislators to please protect their right to privacy.  it is an even sadder day to see the chilling effect of the 21st century data mining in the classroom.  Children no longer feel safe using technology to submit essays, opinions, and other assignments.  Teachers and parents are becoming wary as well.”  In Rachel’s words, “Will this data be used against me?  It all comes down to fear.” 
 
Jason France, Baton Rouge parent formerly employed by LDE as an IT expert, said, “Information is proving to be the most valuable commodity of the 21st Century. We must all fight to keep ourselves and our society safe from the information prospectors that see us and our children as little more than their next Klondike while they conspire to chain us inextricably to their Big Data mines.”
 
Louisiana attorney and parent of four Sara Wood, who understands the legal and constitutional ramifications of massive data collection, said,Privacy is a foundational principle of freedom.  Freedoms are not absolute and they can be burdened by government action, however,  the integrity of that freedom is maintained by requiring due process and consent where applicable for government action.”  
Rachael Stickland, a leader in the fight for student privacy in Colorado and co-chair of the Coalition to Protect Student Privacy points out, “inBloom’s egregious attempt to siphon off massive amounts of sensitive student information and to share it with for-profit vendors took parents by surprise.  Once we learned that recent changes to FERPA allowed non-consensual disclosure of highly personal data, parents became fierce advocates for their children’s privacy.  We’re now prepared to organize nationally to promote strong, ethical privacy protections at the state and federal levels.”
Diane Ravitch, President of the Network for Public Education said: “Since the passage of FERPA in 1974, parents expected that Congress was protecting the confidentiality of information about their children. However, in recent years, the US Department of Education has rewritten the regulations governing FERPA, eviscerating its purpose and allowing outside parties to gain access to data about children that should not be divulged to vendors and other third parties. The Network for Public Education calls on Congress to strengthen FERPA and restore the protection of families’ right to privacy.”
“The uprising against inBloom demonstrated the extent to which parents will not tolerate the misuse of their children’s sensitive personal information,” said Campaign for a Commercial-Free Childhood’s Associate Director Josh Golin. “But parents cannot be expected to mobilize against each and every threat to their children’s privacy, particularly if they’re not even aware of which vendors have access to student data. It is critical that Congress take real steps to protect schoolchildren from those who see student data as a commodity to be exploited for profit.”
“Parents Across America, a national network of public school parents , emphatically supports this call for hearings as a first step toward reversing federal actions that have eroded parental authority over student data, and including even stronger privacy protections for our children,” said Julie Woestehoff, a Chicago parent activist and PAA secretary.  She added: “PAA recommends restoring parental authority over student data that was removed from FERPA by the US Department of Education, enacting state laws that include parental opt out provisions in any statewide data sharing program, strictly regulating in-school use of electronic hardware and software that collect student information, and including significant parent representation on any advisory committees overseeing student data collection.”
Lisa Guisbond, executive director of Citizens for Public Schools, a Massachusetts public education advocacy group, said, “Citizens for Public Schools members, including many parents, are deeply concerned about threats to the privacy of student information. We support hearings and strong legislation to protect the privacy of this data. Parents are increasingly left out of important education policy discussions. In this, as in all crucial school policy discussions, they must have a voice.”
“Parents will accept nothing less than parental consent, when it comes to their child’s personally identifiable sensitive information. As a parent of a child with special needs, I understand the devastation that confidential information used without my consent could have on my child’s future.  As a long-time advocate for people with autism and other developmental disabilities, I implore the U.S. House and Senate to put the necessary language back into FERPA to protect students and uphold the right of their families to control their personally identifiable data,”   said Lisa Rudley, Director of Education Policy, Autism Action Network and Co-Founder of NYS Allies for Public Education.
Emmett McGroarty of the American Principles Project said, “Regardless of intention, the collection of an individual’s personal information is a source of discomfort and intimidation.  Government’s broad collection of such information threatens to undermine America’s founding structure:  if government intimidates the people, government cannot be by and for the people.”
Leonie Haimson, Executive Director of Class Size Matters and co-chair of the Coalition, concluded, “Since inBloom’s demise, many of the post-mortems have centered around the failure of elected officials and organizations who support more data sharing to include parents in the conversation around student privacy.   We are no longer waiting to be invited to this debate.  It is up to parents to see that we are heard , not only in statehouses but also in the nation’s capital when it comes to the critical need to safeguard our children’s most sensitive data – which if breached or misused could harm their prospects for life.  We are urging Congress to listen to our concerns, and act now.”
For more information see www.studentprivacymatters.org
 
Lee P. Barrios, M.Ed., NBCT
985-789-8304
Debbie Sachs
985-626-3595
Jason France
225-892-4410
Sara Wood
985-727-1981 
Blog

Press Release 7.23.2014

FOR IMMEDIATE RELEASE

July 23, 2014

For more information contact:

Leonie Haimson: [email protected]; 401-466-2262; 917-435-9329

Rachael Stickland: [email protected]; 303-204-1272

New Coalition Urges Congress to Listen to Parents and Strengthen Student Privacy Protections

A new coalition called the Parent Coalition for Student Privacy released a letter today to the leaders of the committees of the House and Senate Education Committees, urging Congress to strengthen FERPA and involve parents in the decision-making process to ensure that their children’s privacy is protected.

Many of the groups and individuals in the Coalition were involved in the battle over inBloom, which closed its doors last spring.  They were shocked to learn during this struggle how federal privacy  protections and parental rights to protect their children’s safety through the Family Educational Rights and Privacy Act (FERPA)  had eroded over the last decade.

The letter is posted here, and calls for Congress to hold hearings and enact new privacy protections that would minimize the sharing of highly sensitive student data with vendors and among state agencies and would maximize the right of parents to notification and consent.  The letter also asks for strict security requirements, that the law be enforceable through fines, and that parents have the right to sue if their children’s privacy is violated.

Rachael Stickland, a leader in the fight for student privacy in Colorado and co-chair of the Coalition to Protect Student Privacy points out, “inBloom’s egregious attempt to siphon off massive amounts of sensitive student information and to share it with for-profit vendors took parents by surprise.  Once we learned that recent changes to FERPA allowed non-consensual disclosure of highly personal data, parents became fierce advocates for their children’s privacy.  We’re now prepared to organize nationally to promote strong, ethical privacy protections at the state and federal levels.”

Diane Ravitch, President of the Network for Public Education said: “Since the passage of FERPA in 1974, parents expected that Congress was protecting the confidentiality of information about their children. However, in recent years, the US Department of Education has rewritten the regulations governing FERPA, eviscerating its purpose and allowing outside parties to gain access to data about children that should not be divulged to vendors and other third parties. The Network for Public Education calls on Congress to strengthen FERPA and restore the protection of families’ right to privacy.”

“The uprising against inBloom demonstrated the extent to which parents will not tolerate the misuse of their children’s sensitive personal information,” said Campaign for a Commercial-Free Childhood’s Associate Director Josh Golin. “But parents cannot be expected to mobilize against each and every threat to their children’s privacy, particularly if they’re not even aware of which vendors have access to student data. It is critical that Congress take real steps to protect schoolchildren from those who see student data as a commodity to be exploited for profit.”

“Parents Across America, a national network of public school parents, emphatically supports this call for hearings as a first step toward reversing federal actions that have eroded parental authority over student data, and including even stronger privacy protections for our children,” said Julie Woestehoff, a Chicago parent activist and PAA secretary.  She added: “PAA recommends restoring parental authority over student data that was removed from FERPA by the US Department of Education, enacting state laws that include parental opt out provisions in any statewide data sharing program, strictly regulating in-school use of electronic hardware and software that collect student information, and including significant parent representation on any advisory committees overseeing student data collection.”

Lisa Guisbond, executive director of Citizens for Public Schools, a Massachusetts public education advocacy group, said, “Citizens for Public Schools members, including many parents, are deeply concerned about threats to the privacy of student information. We support hearings and strong legislation to protect the privacy of this data. Parents are increasingly left out of important education policy discussions. In this, as in all crucial school policy discussions, they must have a voice.”

“Parents will accept nothing less than parental consent, when it comes to their child’s personally identifiable sensitive information. As a parent of a child with special needs, I understand the devastation that confidential information used without my consent could have on my child’s future.  As a long-time advocate for people with autism and other developmental disabilities, I implore the U.S. House and Senate to put the necessary language back into FERPA to protect students and uphold the right of their families to control their personally identifiable data,”   said Lisa Rudley, Director of Education Policy, Autism Action Network and Co-Founder of NYS Allies for Public Education.

Emmett McGroarty of the American Principles Project said, “Regardless of intention, the collection of an individual’s personal information is a source of discomfort and intimidation.  Government’s broad collection of such information threatens to undermine America’s founding structure:  if government intimidates the people, government cannot be by and for the people.”

Leonie Haimson, Executive Director of Class Size Matters and co-chair of the Coalition, concluded, “Since inBloom’s demise, many of the post-mortems have centered around the failure of elected officials and organizations who support more data sharing to include parents in the conversation around student privacy.   We are no longer waiting to be invited to this debate.  It is up to parents to see that we are heard , not only in statehouses but also in the nation’s capital when it comes to the critical need to safeguard our children’s most sensitive data – which if breached or misused could harm their prospects for life.  We are urging Congress to listen to our concerns, and act now.”

###

 

 

 

Blog

Our letter to Congress

Today, our Parent Coalition for Student Privacy launched.  Our letter to Congress urging them to strengthen federal student privacy protections is here (pdf) and below; our press release is here.

July 23, 2014

Dear member of Congress:

We write on behalf of a broad coalition of parents across the country to urge Congressional review of emerging threats to student privacy rights and to request legislative action to address significant shortcomings in current law. Specifically, we are alarmed about ill-thought-through federal policies that, instead of providing safeguards against non-consensual disclosure and downstream uses of children’s personally identifiable information, actually promote policies in which a child’s highly sensitive personal data is disclosed to third-parties for purposes that go well beyond reasonable educational uses and deny parents the right of notification or consent.

First, we respectfully urge Congress to hold hearings on why the U.S. Department of Education has abdicated its historic role as the guardian of educational privacy rights. In responding to interest groups that included Big Data enthusiasts, influential foundations and their grantees, and educational technology firms, the Departmenthas re-interpreted (and, in effect, unilaterally amended) the Family Educational Rights and Privacy Act of 1974 to nullify many of its most important privacy protections. This radical re-invention of FERPA is at the root of much of the data free-for-all that has resulted in massive amounts of personally identifiable student data being collected and divulged to third parties, including for-profit vendors.

As the controversy over one such third party, inBloom, has revealedthere is a wide gap between the view of most parents that they should be able to control access to their children’s personal information to protect their privacy and safety, and the perspective of various governmental agencies and private corporations that are intent on collecting and using that data without informing parents or providing them with the right to consent.

The inBloom data-mart, funded with $100 million from the Gates Foundation, sought to capture records of millions of children to enable the creation of a market in technological learning tools that would utilize and data-mine this information in name of “personalized learning.” Parents mobilized in opposition because they justly feared that the transmission and storage of their children’s most personal data on data clouds, as well as inBloom’s stated intent to provide it to a large number of for-profit vendors, was both a security and a privacy threat.

We are pleased to say that parental concerns and protests won the day over the poor judgment of state and district education officials, resulting in inBloom being driven out of business. But sadly, many other vendors seek to take inBloom’s place or to sell their wares directly to schools and districts with inadequate protections for security or privacy, and very little respect for parental rights.

Second, we respectfully urge Congress to review privacy and security practices of the multiple state longitudinal data systems created in direct response to various federal programs in recent years. These data systems are designed to collect, store and share an increasing amount of children’s personal information among a variety of state agencies and to track students over time without sufficient oversight and protections for privacy.

Finally, werespectfully urge Congress to review and strengthen both FERPA and Children’s Online Privacy Protection Act (COPPA), to roll back the harmful provisions of the 2009 and 2011 FERPA regulations, and to update both laws in light of new and unforeseen threats to privacy rights. Particularly with the growth of the educational technology industry, there has been a huge push to expand the access to personal student data with little or no federal restrictions to slow down this trend. We are dissatisfied with the recommendations of the recent White House report on privacy that evades most of the important issues and simply asserts that any student data disclosed to third parties should be used only for “educational purposes.” This generic statement is far too vague to be reassuring.

The push for greater access to educational data is motivated by the desire of the educational technology sector to develop new products and grow their market, as well as by advocates who claim that big data will revolutionize education. We believe parents—not school officials—should be in charge of deciding whether or how much of their children’s information may be shared with vendors. The benefits of big-data and data-mining software in the area of education are still highly hypothetical and cannot be used to justify the massive amount of personal data that is being collected and shared with third parties without parental knowledge or consent.

Many parents do not want their children to spend hours more each day in front of a computer and do not believe that the model of mechanized instruction that is being promoted can deliver true personalized learning. We certainly do not want our children’s disability, health and disciplinary records shared widely with third parties.

We believe that any legislation should uphold the following principles:

  • Minimize the collection by governmental agencies of highly sensitive student data and their ability to share this data with third parties;
  • Maximize the opportunities for parental notification and consent;
  • Except in very limited circumstances, restrict non-consensual access to personal student data to education authorities and roll back the 2012 “authorized representative” loophole, by which nearly anyone can be designated as an authorized representative of officials entitled to its access;
  • Mandate strict security provisions for the storage and transmission of personal student data, regular audits, and the training of education personnel about the need to maintain robust privacy and security provisions;
  • Ensure that the law is enforceable, including but not limited to the ability of the federal government to impose fines and families to sue if their children’s privacy is violated.

We urge you to open up a dialogue with parents as soon as possible. Since inBloom’s demise, much has been written about the importance of including parents in the debate over how to protect their children’s privacy yet very little has been done to involve them in the discussion. We thank you for your leadership and stand ready to work with you on this important issue.

Signed:

Leonie Haimson, Executive Director, Class Size Matters, co-chair Parent Coalition for Student Privacy 

Rachael Stickland, founder, School Belongs to the Children (CO), co-chair Parent Coalition for Student Privacy

Diane Ravitch, President, Network for Public Education

Dora Taylor, President, Parents Across America

Julie Woestehoff, Executive Director, Parents United for Responsible Education

Cassie Creswell, organizer, More Than a Score (Chicago)

Lisa Rudley, Director of Education Policy, Autism Action Network, co-founder of NY State Allies for Public Education

Josh Golin, Associate Director, Campaign for a Commercial-Free Childhood

Emmett McGroarty and Jane Robbins, American Principles Project, Washington, D.C.

SOS Oregon

Lisa Guisbond, Executive Director, Citizens for Public Schools (MA)

Robin Hiller, Executive Director, Voices for Education (AZ)

United Opt Out

Lourdes Perez, HispanEduca

Change the Stakes (NYC)

Northeast Indiana Friends of Public Education

Helen Gym, Parents United for Public Education, Philadelphia, PA.

Julia Sass Rubin, co-founder, Save Our Schools NJ

Jean Ann Guliano, Parents Across Rhode Island

Ilana Spiegel on behalf of SPEAK (Supportive Parents, Educators and Kids)for Cherry Creek (CO)

Deb Mayer, Great Schools for America

Danielle Arnold-Schwartz, Suburban Philadelphia Parents Across America

Melissa Westbrook, Seattle Schools Community Forum, Student Privacy Now

Mary Battenfeld , QUEST (Quality Education for Every Student)  Boston

Deborah Abramson Brooks, New York parent, attorney, and children’s privacy advocate

Kris Alman, privacy advocate, Oregon

Lee P. Barrios, M.Ed., NBCT, privacy activist, Louisiana

Amy DeValk and Stefanie Fuhr, founders of Voices for Public Education (CO)

Sheila Resseger, Coalition to Defend Public Education (Providence, RI)

Jose A. Soler, co-coordinator of SE Mass and RI Save Our Schools Coalition

Lisa Shultz, privacy advocate, Oregon

Colleen Doherty Wood, co-founder, 50th No More (FL)

Joy Pullmann, Managing Editor, School Reform News