PCSP urges the US Dept. of Education to strengthen enforcement of federal student privacy laws

On February 17, the Student Privacy Policy Office (SPPO) and the Privacy Technical Assistance Center (PTAC) of the US Department of Education held a “listening session” with representatives from a few privacy advocacy groups as well as some organizations funded by the ed tech industry.  The most vocal participants urging stronger enforcement of federal student privacy laws were Cassie Creswell and I, co-chairs of the Parent Coalition for Student Privacy, and Joel Schwarz and Andrew Liddell of the Student Data Privacy Project.

Kevin Herms, Chief Privacy Officer and Director of SPPO, and Ross Lemke, Manager of PTAC, encouraged the participants to send follow-up letters to summarize their concerns. Our letter detailing some of them is below. Joel Schwarz’s follow-up letter is posted on his LinkedIn page.

Hopefully the strong discontent expressed by several participants of this “listening session” will lead to stronger and more effective action by the US Department of Education, which is in charge of enforcing our critical federal student privacy laws including FERPA, PPRA, and COPPA, but too often seems to be sleeping at the wheel.

Parent Coalition for Student Privacy and Rep. Jamaal Bowman Oppose College Transparency Act to be Voted

For Immediate release: February 3, 2022

Contact: Cassie Creswell, [email protected], 716-536-9313;
Leonie Haimson, [email protected], 917-435-9329

Parent Coalition for Student Privacy and Congressman Jamaal Bowman Oppose College Transparency Act to be Voted Tomorrow

Overturning Federal Ban on Student Unit Record System Endangers Privacy and Equity

The College Transparency Act, now appended to the America Competes Act, is coming to a rushed vote today or tomorrow in the US House of Representatives.  This bill would overturn the long-standing ban on the federal government amassing a comprehensive database of personal student information, and instead would require that the US Department of Education collect the personal information of every student attending a post-secondary institution and potentially track them throughout their lives. There is no allowance for students to opt out of inclusion in this massive federal data system.

“The Parent Coalition for Student Privacy strongly opposes this bill and urges Congressional Representatives to vote against it, as any attempt to authorize the collection of such data by the federal government would create an unaccountable surveillance system that would place the privacy of all higher education students at an unacceptable risk,” said Leonie Haimson, co-chair of the Parent Coalition.

As one of the Coalition’s core principles, we hold that extremely sensitive personal student data should not be shared without consent, and especially without clear evidence that this is necessary. The CTA language would allow the government to not only collect data directly from colleges and universities for all full-time and part-time students, including their enrollment status, attendance, age, gender and race, but also to potentially include information pertaining to their “status as a confined or incarcerated individual”, disabilities, and/or status as a first-generation college student.

The bill also allows the collection of nearly any other additional personal student data elements that can be justified as “necessary to ensure that the postsecondary data system fulfills [its] purposes”. This data will then be matched to other federal data from the Department of Defense, the Veterans Administration, the Census Bureau (for earnings), and the Social Security Administration, with the matching to continue throughout students’ lives.

“Our number one priority should be empowering our students with the resources they need to be well-rounded members of our society and influence positive change in their communities, not collecting their data and empowering the federal government to unnecessarily track them for the rest of their lives,” said Congressman Jamaal Bowman, Ed.D. (NY-16). “We have been down this road before and know how people’s personal data can be abused. Under the Trump Administration we saw this play out in the form of ICE stakeouts in our communities that put people in danger of being deported, separated from their families, and having their lives completely destroyed from one day to the next. The College Transparency Act raises serious concerns about how the data of our students can be used and abused. If making these systems more fair and equitable for all is our goal, there are interventions that would make a material, positive difference in people’s lives starting with canceling student debt.”

In recent years it has become clear that data held by local, state and federal agencies are under increased threat of breaches and cyberattacks. Even our “best protected” national data stores have been breached, including the well-known Education Department FAFSA breach in 2017, and top-secret NSA and Army data.

According to the US Department of Education’s own Inspector General’s 2020 data security audit of the Department, there were weaknesses in 11 of the 12 areas of their operations, which “did not meet the Managed and Measurable level of maturity or an effective level of security.” The audit also found there was insufficient progress since previous audits: “We had findings in all eight metric domains within the five security functions—Identify, Protect, Detect, Respond and Recover…findings with the same or similar conditions identified in OIG reports issued from FYs 2017 through 2019.”

In addition, the College Transparency Act says in section (H) that “nothing in this paragraph shall be construed to prohibit third-party entities from using publicly-available information in this data system for commercial purposes.” Thus, companies could not only use the aggregate data for advertising, but also could match the data with other sources of data to exploit particular students and target them with ads. Hackers could also combine it with other databases for illegal purposes.

Lisa Rudley, the Executive Director of NY State Allies for Public Education and a school board member in New York, pointed out, “Any college rating system that is developed from such a federal database may not just be subject to breaches, but also have unintended consequences, by discouraging schools from accepting the highest needs students – including those with disabilities or from low-income families. Data of this magnitude and sensitivity needs to be handled with care and integrity. We have not seen evidence of this from the US Department of Education.”

“The focus on earnings may also dissuade colleges from promoting career paths of great value to society but that typically yield lower salaries (e.g., early childhood or K-12 education) or discourage them from accepting students who on average may be relatively lower earners: female students, students of color, and/or pregnant or parenting students,” added Jeanette Deutermann, founder of Long Island Opt Out.

There are much less intrusive options that could be used to analyze and evaluate higher ed outcomes, including data sampling and use of aggregate data. See for example the recent Brookings report which used information drawn from the College Scorecard Data and the Opportunity Insights Mobility Report Cards. The Department of Education also already has access to vast amounts of data from their federal student loan system which could be used for similar analyses, but to our knowledge has not been employed for such purposes.

“Technology and data collection far out-pace the current federal and state protections for students. Congress should be seeking to strengthen those protections before engaging in further data collection that will potentially put our students at risk. We urge our Representatives to vote no on the College Transparency Act,” said Julie Larrea Borst, Executive Director, Save Our Schools NJ Community Organizing.

Another bill reintroduced in the last Congress, called the Student Right to Know Before You Go Act, would be far more protective of students’ sensitive data by employing a system called secure multiparty computation, which would enable these sorts of analyses without giving the federal government direct access to personal student data, as the American Association of State Colleges and Universities has pointed out.

“Why is any legislation being proposed to enable the government to collect more personal data before comprehensive data protection legislation has been enacted? There are several bills in Congress to do just that, but they have been stalled for more than a decade. To see the federal government rolling back protections of student privacy instead of bolstering them is very disheartening for me as a parent and student privacy advocate,” said Cassie Creswell, co-chair of the Parent Coalition for Student Privacy and director of Illinois Families for Public Schools.

Diane Ravitch, the founder of the Network for Public Education, said, “I urge Congress to vote NO on this bill. The federal government must continue to protect the privacy of students, rather than amass giant databases, full of highly sensitive information for the purposes of ratings systems, which by their nature will be highly unreliable and may have negative consequences for our most vulnerable students.”

###

Additional Resources

Cassie Creswell’s testimony on behalf of Parent Coalition for Student Privacy and Raise your Hand before the Commission on Evidence-Based Policymaking, January 5, 2017

Cassie Creswell’s response to follow-up questions from the Commission, February 10, 2017

PCSP press release opposing the CTA, November 1, 2017

The College Transparency Act: What Are Future Use Cases of Student Data? EdTech Magazine. September 21, 2021

College Database Bill Raises Concerns About Student Privacy. Inside Higher Ed. April 26, 2021

Despite Decades of Hacking Attacks, Companies Leave Vast Amounts of Sensitive Data Unprotected. ProPublica. January 25, 2022

Letter to the FTC against students being targeted by Surveillance Advertising

See below letter, sent to the FTC by Fairplay, the Parent Coalition for Student Privacy, and other groups, urging them to prohibit the use of personal student data for marketing purposes through targeted ads, described here as “Surveillance Advertising.”

Recent exposés of Naviance in The Markup, for example, revealed how students are assigned to take surveys and provide their personal data to this company to apply to colleges, data which is then monetized by Naviance and used by colleges to discriminate against particular racial groups.

This violates the student privacy laws of many states, including New York’s, which bar the use of student data for commercial purposes, and arguably FERPA as well, which holds that if student data is going to be shared with third parties without parent consent it must be to further the student’s education or the district’s operations.

Naviance also uses personal student data obtained through surveys of questionable validity and legality, filtered through black-box algorithms, to steer students into certain colleges or careers.

 

New info on the NYC student data breach — with some critical follow-up questions

Recently, Chalkbeat reported on a data breach that affected over 1000 NYC students and teachers. Chalkbeat followed up with another story that suggests this breach was caused by insecure storage of student and teacher data on a Google drive, first discovered in January 2021 by high school students at Brooklyn Tech. Though these students reported the leak to an administrator at their school immediately, it was ignored until they found in March 2021 that the problem had grown worse, and emailed three DOE officials to alert them.

I was asked to look into this matter by NYC parent leaders, and followed up with an email to Joe Baranello, the chief privacy officer of DOE. I asked him for copies of the letters sent to parents and staff whose data was breached, and for more information about how these breaches occurred and what data elements were accessed.

To his credit, he responded within a few days with more details and provided four breach notification letters as attachments.

All four letters were dated July 30, 2021. Letters #1 and #2 were addressed to parents about an unspecified March 2021 breach; the second letter included reference to specific data elements that were accessed, with that information redacted. Letter #3 was addressed to parents whose children’s data was accessed in an earlier August 2020 breach. Letter #4 was addressed to teachers about the March 2021 breach. In all cases, these letters inexplicably claim that this data was seen by only a single NYC student.

Joe’s email, which follows, included more information about the specific data elements that were breached. Below his message are several follow-up questions to him. If and when I get replies, I will add them to update this post. If you or your child were affected, please let us know at [email protected]. Thanks!

___

From: Baranello Joseph <[email protected]>
Sent: Monday, August 16, 2021 11:15 AM
To: [email protected]
Cc: Siciliano Lauren <[email protected]>; Sharma Anuraag <[email protected]>; Nathan Judy <[email protected]>; Gantz Toni <[email protected]>
Subject: RE: Data leak affects about 3,000 NYC students and 100 employees, officials confirm – Chalkbeat New York

Hello Leonie,

Thank you for your inquiry. We have attached the template letters that were used for these notifications, which provide additional information on what occurred and what was viewed. Impacted individuals would have received the letter applicable to them. The information implicated varied by individual. To that end, the templates include variable fields that were populated based on the specific information implicated for each person. Approximately 3,000 students and 100 staff were impacted. The variable fields are listed below, and which were involved varied widely from student to student.

No social security numbers of students or parents were involved to our knowledge (the DOE does not collect parent or student SSNs for routine inclusion in its databases).  For 5 employees, full SSNs were included.

We are committed to protecting the privacy of our staff and school communities, and a DOE student should not have been able to view these files. We have no indication that anyone’s information was further shared or misused at this time, and the DOE implemented aggressive measures to prevent this from happening again. Out of an abundance of caution we are offering free credit monitoring service to impacted individuals.

Student data:

  • Student Academic
  • Student Biographic
  • Student Health
  • Student Name
  • Student ID
  • Student Date of Birth
  • Special Education
  • Parent Information

Employee data:

  • Name
  • Social Security Number
  • Social Security Number (Last 4 digits only)
  • Date of Birth
  • Employee ID

The following specific documents were viewed for fewer than ten students per document type:

  • Individualized Education Program
  • Emergency Contact Card
  • Government ID
  • Special Education Remote Learning Plan
  • Section 504 Plan
  • Birth Certificate

Sincerely,

Joseph A. Baranello
Deputy Counsel & Chief Privacy Officer
New York City Department of Education

____

From: [email protected] <[email protected]>
Sent: Monday, August 16, 2021 5:06 PM
To: ‘Baranello Joseph’ <[email protected]>
Cc: ‘Siciliano Lauren’ <[email protected]>; ‘Sharma Anuraag’ <[email protected]>; ‘Nathan Judy’ <[email protected]>; ‘Gantz Toni’ <[email protected]>; Leonie Haimson <[email protected]>
Subject: RE: Data leak affects about 3,000 NYC students and 100 employees

Dear Joe:  Thank you for sharing the letters that were sent to parents and school staff about these breaches.  I have several follow-up questions:

Question 1:   In letter #3, dated July 30, 2021, DOE informed parents of the following: “In August 2020, a DOE student reported that they viewed various electronic files that contained education records and personal information about you and/or your child. The DOE immediately took steps to address it.”

Why such a long delay in notification for this breach, especially as the NY State regulations for NYS Ed Law 2-d specifically require breach notification as early as possible and in no case more than 60 calendar days after its discovery?

Question 2 – This Chalkbeat article reports that a group of Brooklyn Tech students accessed personal data in January 2021 and March 2021;  why is there no notification to parents of the January 2021 breach? 

“The students unintentionally discovered they had access to these documents in January. They noticed that the Google Drive folder where they uploaded their class assignments during remote learning contained documents uploaded by students and staff at schools across the city. Those documents included second graders’ classwork, a parent-teacher conference sign up sheet, and college recommendation letters, said a Brooklyn Tech High School student who asked to remain anonymous.”

Question 3 – Why the delay in notification for the March 2021 breach referenced above,  in letters #1 and #2, especially as DOE learned about it shortly thereafter, according to the Chalkbeat article?  Again, the July 30 letter is more than 60 calendar days after the date of discovery, despite the notification requirements in the regs. 

Question 4 – Why do all four letters refer to only one student accessing this data, when the Chalkbeat article refers to a group of students accessing much personal data in January and March? 

Question 5- Has the DOE looked into the possibility that not only this group of high school students, but other individuals as well may have accessed personal data for thousands more students/teachers, given how easily this data was found?  What further investigations are being done?

Question 6 – Clearly the data was not encrypted if students were so easily able to access it. Are you aware that the State privacy law and regs require that the sharing of personal data with any third party such as Google requires the encryption of all personal data in motion and at rest? Does DOE intend to comply with this requirement of the law in the future?

Question 7 – Why is the New York City Department of Education sending letters to parents from a P.O. Box in Suwanee, GA?

Question 8 – Why does the DOE tell parents in these letters that if they “want to discuss this matter or have any questions” about these breaches, they need to create an account with a private company called IDX, rather than contact someone at DOE itself – especially as the law required districts to appoint a Chief Privacy Officer to be the contact person for parents’ questions and concerns regarding privacy?

Moreover, the link provided in the letter requires parents to create an account with this company that in turn obligates them to accept onerous Terms of Service that “will indemnify, defend, and hold harmless IDX, our subsidiaries and affiliates, and each of our respective officers, directors, agents, partners and employees (individually and collectively, the “IDX Parties”) from and against any loss, liability, claim, demand, damages, expenses or costs (“Claims”) arising out of or related to (a) your access to or use of our Services or Website”?

Moreover, IDX also limits any claims of damages to binding arbitration, and in its Privacy Policy, claims it can use their customers’ information for many purposes, including sharing with credit bureaus and/or “With vendors, consultants, and other service providers who need access to such information to carry out work on our behalf, including marketing our products and services.”

Again, thank you for your work for NYC children, and for providing these letters to me.

Hoping for a timely response,

Leonie Haimson
Co-chair, Parent Coalition for Student Privacy
www.studentprivacymatters.org
[email protected]

Opposition to NY bill that would allow College Board/ACT to keep on selling student data

See our PCSP/NYSAPE memo in opposition to a new bill in the NY State Legislature, S. 6624/A. 7421, that would amend NY State’s landmark student privacy law and create a new loophole for the College Board and ACT. This would allow these two companies to continue to make hundreds of millions of dollars, selling the personal information of students, including their score ranges, with questionable benefits to them. If you agree this is wrong, please send a letter to your legislators now!

PSCP-NYSAPE memo of opposition to sale student data