Parents: Two ways to find out what ed tech companies are collecting your child’s personal data

Parents, help fill in this FERPA Project Map for the folks at The Student Data Privacy Project.

https://www.studentdataprivacyproject.com/ferpa-project-map

1. This FERPA Map project

is sponsored by our friends at the The Student Data Privacy ProjectTheir goal is to highlight the need for parents to know how the data for their children is being collected and protected by ed tech apps. Under FERPA, parents have that right but it is rarely being exercised or enforced. They are asking parents in all 50 states to send a letter to their District or school requesting their child’s data that is held by these private companies.  You can click on their website here to request their  FERPA template  letter.  When you send your letter to your district or school, please copy us at [email protected]  on your request.

2. It’s time we KNOW what data these edtech apps are collecting and how they are being used. 

We at the Parent Coalition for Student Privacy launched our own App Survey in January, for Data Privacy Day 2021. We are researching which edtech apps schools are asking students to use and whether they are sufficiently protective of children’s privacy.  You can take our App Survey here.  

Please let us know what online apps and programs your district or school is using, and check to see if they have been transparent about their privacy policies.  Your name and district will be kept confidential. Thank you to the MANY parents and educators who have already completed this App Survey.  Please continue to share and we will let you know the results soon.  If you have any questions or concerns, please feel free to email us at [email protected]  

 

 

Did College Board change its mind about requiring cameras on this year’s online AP exams? What security software will the online AP require?


College Board’s AP Guide said the 2021 Digital AP Exams Require Computers with Cameras–but then changed their mind?

Last week the College Board announced they were making changes to this year’s Advanced Placement exam administration, offering both paper or digital versions.  While reading about the online testing options, on the College Board website, I clicked on this 2021 AP® Exam Administration Planning Guide. (I downloaded and archived the AP Guide here on Feb 5, 2021.) 

This guide said students would  be required to use a computer that has a camera and would have to use their camera to take a picture of their photo ID prior to taking the digital AP exam.  The guide also said that schools must  “push” (install) exam application software on all devices to be used for digital testing.

The AP planning guide also said,  “The exam application includes security features to detect impersonation, plagiarism, or other cheating attempts, and restricts students from returning to answered questions or moving back and forth between unanswered questions.” [emphasis added]

 

 

I asked the College Board (on twitter) if students would be required to have their camera or microphone ON during the online tests:

February 10: College Board removed the wording about the camera requirement

Although College Board has not yet answered my Feb 8 twitter questions about the camera requirement or monitoring software, it does appear they removed any mention of  camera requirements on their updated February 10, 2021 AP Exam Administration Planning Guide It looks like College Board also removed any reference to the requirement that  students should take a picture of their photo ID with their computer camera, and upload it on the day of the exam.

However, this February 10 update does not address College Board selling/licensing of the data, nor does it address the online trackers we saw on the AP websites last year. The February 10 update also does not address what surveillance/proctoring software that schools and students will be required to upload and use.  The guidance still mentions “exam application” that technology staff will have to “push” to student devices. See text below surrounded by the red box.

https://apcentral.collegeboard.org/pdf/ap-exam-administration-planning-guide.pdf

The College Board’s lack of transparency about how it uses and shares and markets the troves of student data reminds us of the epistemic coup that Dr. Shoshana Zuboff wrote about in her recent New York Times Op-ed. 

Why it matters: College Board tracking, profiling, selling access to student data.

You will remember that last year, due to Covid-19 pandemic, the College Board administered the Advanced Placement (AP) exams in an online format for the first time. The technical problems of the online AP tests were widely reported, with students unable to complete their tests, unable to submit their answers even when they did complete the tests, and many claimed the online AP tests were discriminatory to disabled students. The 2020 botched AP tests led to a class action lawsuit against the College Board.  

In addition to the glitches and technical difficulties of the test administration, many were also concerned about hidden data collected during the online AP exams. It is well known that the College Board sells licenses to students’ personal data, such as test score ranges, names, and demographic information, and this data can be shared with third parties and even sold. 

In fact, another class action lawsuit was filed against the College Board last year for its deceptive practices, including selling student data to targeted advertisers such as Facebook.  

In 2020 Consumer Reports looked at how the College Board shared students’ data when online;  they found that the College Board was “tracking students and sending information about their activity to advertising platforms at companies such as Facebook and Google”  and “These practices seem to contradict the College Board’s explicit promises to consumers. The company may be sharing students’ information without consent.”    

We also looked at the data traffic and we found 25 trackers on the College Board’s websites–sending kids’ data to companies like YouTube, Facebook, Google, Adobe Marketing etc.  We also found Lucky Orange on the AP demo page which is a first party tracker that can record every keystroke and where the mouse moved, everything a student did on the webpage.

What monitoring software will the 2021 digital AP exam require? 

We do not know what software will be required for this year’s digital AP exams, because the College Board has not released that information yet. 

Examity?

The College Board already uses the monitoring/ proctoring software Examity for its Accuplacer tests.  Examity is one of five software proctoring companies listed in a lawsuit brought forth by Electronic Privacy Information Center (EPIC), for their “collection of personal information and the use of “secret algorithms” — amount to “unfair and deceptive trade practices.”  Interestingly, Examity has a requirement for students to submit pictures of their photo ID prior to the online exam, similar to the protocol mentioned in 2021 original AP Guide

Some other secure browser in conjunction with Cambium?

The College Board has already used another company,  Cambium Assessment, Inc.™ (CAI)for this year’s online PSAT 8/9 exam delivery.  (Cambium Assessment was formerly owned by AIR, read about their 2019 purchase here.)   According this 2020-2021 College Board SAT Educator Guide, the Cambium platform was used for the first ever online PSAT online tests: 

College Board also posted this Testing System Overview description for the Cambium-based online assessments:   

Secure Browser 

The secure browser is the student testing application used for the preadministration session as well as testing. It prevents students from using other applications and from copying test information and must be installed on all test taker devices. The secure browser you install depends on the operating system your students use.”

If your school already uses the CAI test delivery system and your students take the test on Chromebooks or iPads, you’ll need to change the assessment program in SecureTestBrowser. For Windows and Mac, you’ll need to install the College Board version of the secure browser.

Install the secure browser

Digital Test Practice

For hands-on practice administering digital tests, proctors should use the TA Interface Practice Site. Students can practice navigating the test and using the available tools in the Student Digital Test Preview.

Each site can be used independently, but we recommend also using them together to hold a test day simulation and practice allowing students into the testing session.

Proctors can also click through a short simulation on their own—no sign-on required.

Learn how to practice giving digital tests.

Student Tools

When students take the test, they’ll be able to use these tools:

  • Clock: Counts down the time left for each section and gives a 5-minute warning. Can be hidden.
  • Mark for review: Allows students to flag questions for later review.
  • Embedded Desmos calculator: Available onscreen for calculator-allowed questions.
  • Reference: Allows students to view standard mathematical formulas.
  • Notes: For digital note-taking; students also receive scratch paper.
  • Highlighter: Available for making text, questions, and answer options.
  • Line focus: Uses masking to guide students as they read.
  • Strikethrough: Allows students to eliminate answer options.
  • Zoom in/zoom out: Enlarges the text and images on a test page.

Find out which additional tools are available for students approved to test with accommodations.”

— quoted from College Board digital testing overview here: https://digitaltesting.collegeboard.org/digital-preparedness/testing-system-overview

———————————

It’s interesting that this digital PSAT 8/9 testing guidance says students can flag questions and go back to review them, as opposed to the current digital AP guidance which says the exam application  restricts students from returning to answered questions or moving back and forth between unanswered questions.” 

It is also interesting that the online PSAT tests allowed students to use iPads but the 2021 online AP tests do not allow iPads. College Board also says schools should not assign the same device to multiple students for the digital AP tests. How will that work for schools who rely on students using computer labs or chromebook carts, or students at home who share a computer with a sibling? 

Remaining questions and concerns

  • Will the College Board allow third party tracking and sharing of student data during the online AP exam?  
  • What proctoring software will the digital AP exam use?
  • Will students still need to submit a photo ID? 
  • Will students’ keystrokes be logged, screens be recorded?  
  • Will the College Board allow disabled students the same approved accommodations for paper compared to digital exams?  
  • Finally, the elephant in the room: why must kids who study hard all year, have to agree to College Board’s (constantly changing) terms of service that allows the company to sell and market their data and strips students of their rights via a forced arbitration clause? 

Forced consent is not consent, and these provisions appear to be the company’s deceptive and legally dubious attempt to get around the laws in 21 states that bar school vendors from selling student data.

Google Lawsuit, COPPA, Investigating and Blocking Ad Trackers in Children’s Apps

Google cannot escape COPPA lawsuit

There was some big news last week on the children’s privacy front: A District Judge has ruled that Google and the apps they sell on their “store” cannot  dodge a lawsuit brought by the New Mexico Attorney General. Previously, a state court had said the case couldn’t proceed, but thanks to this decision, Google will face claims that apps they hosted in the “Designed for Families” section of their Google Play Store, and ad networks they employed, had actual knowledge they were targeting and marketing children’s data, in violation of COPPA, the Children’s Online Privacy Protection Act. The apps in question are owned by Tiny Lab Productions.

This court case will be significant in highlighting how apps use cookies and advertising tools to track children across the web. As explained in the decision

“Tiny Lab Productions (“Tiny Lab”), a Lithuanian company, is a developer of child-directed, mobile game apps including Fun Kid Racing, Candy Land Racing, Baby Toilet Race: Cleanup Fun, and GummyBear and Friends Speed Racing. AdMob [AdMob is owned by Google], Twitter/MoPub, InMobi/AerServ, Applovin, and ironSource (collectively, the “Ad Networks”) sold their proprietary software development kits (“SDKs”) to Tiny Lab for installation and use in its gaming apps. Id. ¶ 13. When a Tiny Lab app is downloaded onto a child’s device in New Mexico, the Ad Networks’ SDKs are also installed as app components. Id. ¶ 5. Once so embedded, while a child in New Mexico plays one of the apps, the Ad Networks’ SDK collects personal information about that child and tracks the child’s online behavior to profile the child for targeted advertising. Id. ¶¶ 43-46. This activity is invisible to the child and her parents” [emphasis added]

Think of an advertising SDK as a unique tag that identifies the user and follows him or her across the internet; an “Identifier for Advertisers” that allows advertisers to see what sites the user visits, and stays embedded on their device even after they are done using the original app.  Ad tracking tools like cookies, persistent beacons, and fingerprinting can be installed on a child’s device when they download an app or edtech platform and these are not transparent to the student, the teacher, or the parent. We know apps track us, but it is not always easy to see how or what they do with our data. 

Several parents have asked us:

  • How often do apps use children’s information for marketing purposes? 
  • Do edtech apps use ad trackers? 
  • How would you know if your child’s app is using adware or ad trackers?
  • What can parents do?

Thankfully, others including this bipartisan group of US Senators, are asking how edtech companies use children’s data.  The Federal Trade Commission (FTC), which oversees COPPA, is also asking how online platforms use children’s data. In a move led by Commissioner Christine Wilson, the FTC announced in December 2020 that it is using its 6(b) authority to investigate several big tech companies that handle children’s data. In a joint statement issued by the FTC says, “Despite their central role in our daily lives, the decisions that prominent online platforms make regarding consumers and consumer data remain shrouded in secrecy. Critical questions about business models, algorithms, and data collection and use have gone unanswered.” 

We agree with executive director of the Campaign for a Commercial-Free Childhood Josh Golin’s statement in Bloomberg News, “These 6(b) studies will provide a much-needed window into the opaque data practices that have a profound impact on young people’s well-being”.

These FTC studies come at a time when many are also calling for COPPA to be updated. Currently COPPA only covers children 12 and under and is confusingly and inconsistently applied to schools. Through advisory guidance (though not regulation), the FTC has said that schools can consent in place of parents, but only if the app is used ONLY for educational rather than marketing purposes. [You can see the joint letter we sent the FTC with 23 organizations when they threatened to weaken COPPA, and you can also read our separate PCSP comments to the FTC here.]

COPPA says that websites and online services, including apps and general audience sites that have actual knowledge they are collecting data from children under 13, must get prior parent approval before collecting, using or disclosing a child’s information. The FTC says this “includes a child’s name, address, phone number or email address; their physical whereabouts; photos, videos and audio recordings of the child, and persistent identifiers, like IP addresses, that can be used to track a child’s activities over time and across different websites and online services.” However, many agree that actual knowledge should be updated to constructive knowledge. As implied in the case of the above Google lawsuit, constructive knowledge means the company has enough information that they knew or should have reasonably known the app was directed towards children and they were allowing for the marketing of their personal data.

Why are companies allowed to use children’s data for advertising at all?  

Parents need transparency and control over how children’s data are collected and used. We believe children should be protected, not monetized or profiled by advertisers. We think that all advertising to children under the age of 18 by any app or program used in schools should be prohibited; any data gathered by these apps should be strictly used only for educational purposes.

Apple will prohibit automatic ad tracking

This idea of prohibiting ad tracking is not that novel. Last year Apple began requiring developers in its App Store to have Privacy Labels, listing which types of data the app collects and how it uses your data. Now, Apple has just announced a new transparency feature that will prevent apps from sharing your data with third parties, without opting-IN. Apple’s white paper that discusses their new policy and prevalence on embedded trackers is entitled A Day in the Life of Your Data, and is worth taking a look at.  As TechCrunch reports,

“The App Tracking Transparency feature moves from the old method where you had to opt-out of sharing your Identifier for Advertisers (IDFA) to an opt-in model. This means that every app will have to ask you up front whether it is ok for them to share your IDFA with third parties including networks or data brokers.”

“The feature’s most prominent evidence is a notification on launch of a new app that will explain what the tracker will be used for and ask you to opt-in to it. …app developers would have to ask users for permission in order to track and share their IDFA identifier for cross-property ad targeting purposes.”

This is how Apple describes the new system:

“Under Settings, users will be able to see which apps have requested permission to track, and make changes as they see fit. This requirement will roll out broadly in early spring with an upcoming release of iOS 14, iPadOS 14, and tvOS 14, and has already garnered support from privacy advocates around the world.”

Tools you can use to see trackers and block ads

There are several tools you can use to see and block trackers on your child’s device. Here are a few:   

  • Install uBlockOrigin tracker and ad blocker; it’s free and it shows you the trackers and blocks ads. We know of schools who have installed uBlockOrigin on every student Chromebook to stop ad tracking in schools.  Ask your school if they would be willing to install an ad blocker like uBlockOrigin on school issued devices. Go here to download uBlockOrigin https://github.com/gorhill/uBlock#ublock-origin or here https://ublockorigin.com/ ; either of these links will ensure you are using Origin. Read more about uBlockOrigin here. See an example (below) of the 14 trackers blocked while a student visited her College Board MyAP Classroom account.
  • MarkUp’s Blacklight lets you paste website urls into their analysis program to see what type of ads and trackers are being used. This tool gives detailed analysis and even flags trackers that evade cookie blockers.  https://themarkup.org/blacklight  See an example (below) of the different kinds of trackers found on a student’s Google Classroom account.
  • Use a web browser that blocks ads:  Brave web browser blocks ads and reportedly loads pages quicker than Chrome. Firefox also blocks ads and has many privacy and security extensions. 

Take our App Survey

In honor of World Data Privacy Day, on January 28, we launched an App Survey for parents, asking what apps your school uses and what privacy protections and transparency notifications are in place.  The response has been incredible and we encourage all parents to share and take this survey; of course your answers will remain confidential. Click here to take the survey and if you happen to install ad blockers, let us know what you find!  

uBlock and AP Classroom trackers

Blacklight and Google Classroom ad trackers

For Data Privacy Day — take our Survey: online apps used by districts and their privacy provisions

Today, January 28th is Data Privacy Day, the international annual day of action and awareness to promote the privacy of our personal data.

The Parent Coalition for Student Privacy is researching which ed tech apps schools are asking students to use and whether they are sufficiently protective of children’s privacy.

Since the pandemic hit, school districts across the nation have purchased many commercially-produced online apps and programs to implement remote learning. Even before last spring, districts had been using a large number of programs, many of which have access to personal student information. Many of these apps collect and use personal student data in ways that are not transparent and we do not understand.

More recently, this past December, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned aboutmalicious cyber actors … targeting kindergarten through twelfth grade (K-12) educational institutions, leading to ransomware attacks, the theft of data, and the disruption of distance learning services.” This follows another warning the FBI put out in 2018 that the use of ed tech apps in schools posed a serious threat to children’s privacy and safety.

Please let us know what online apps and programs your district or school is using, and check to see if they have been transparent about their privacy policies. Your name and district will be kept confidential.

Click here to take the survey.

On Data Privacy Day and every day, it is important to protect children’s information. Below are a few resources to help.

The 2019 State Student Privacy Report Card lists and rates state laws based on Transparency, Parental and Student Rights; Limitations on Commercial Use of Data; Data Security Requirements; and Oversight, Enforcement, and Penalties for Violations. https://studentprivacymatters.org/map/map.html

Federal Laws enabling parents to protect their Children’s Privacy: FERPA, PPRA and COPPA https://studentprivacymatters.org/ferpa_ppra_coppa/ . Read how FERPA was weakened here and how to request to inspect your child’s education record maintained by your school or the state here.

Parent Toolkit for Student Privacy https://www.studentprivacymatters.org/wp-content/uploads/2017/05/Parent-Toolkit-for-Student-Privacy.pdf

Top 10 back to school privacy tips and resources https://studentprivacymatters.org/top-10-back-to-school-student-privacy-tips-and-resources-for-parents/

Washington Privacy Act, SB5062, does not go far enough to protect consumers or students

On January 14, 2021, the Washington state legislature will hold a hearing on a privacy bill, The Washington Privacy Act, SB 5062 which is weak and does not fully protect consumers’ right to privacy: 

  • SB5062 does nothing to better protect educational, teacher, or student data. 
  • SB5062 does not apply to state or local government agencies.
  • SB5062 has many limitations and exemptions that allow the selling of user data or its use for marketing purposes: 
    • SB5062  allows corporations and other third parties to sell your data or use it for marketing purposes UNLESS you  expressly opt out.
    • If you do opt out, companies can charge you a higher price for their services.
  • Even then, consumers  can only “opt out” of the collection and use of personal data for certain purposes.” 
    • Instead, companies should be required to get prior consent or “opt in” for any disclosure of your personal data, including its use for marketing or sale. 
  • Finally, SB5062 does not allow people to hold companies accountable for violating their privacy rights by suing, if they’ve violated the law or your decision to opt out.

 We agree with this Seattle Times op-ed: Washington needs a privacy law that protects people, not corporations. Oppose SB5062, Washingtonians deserve better. 

Sign up to leave a written comment or remotely testify against SB5062 HERE: https://app.leg.wa.gov/CSIRemote/Senate Senate Environment, Energy & Technology Committee,  Hearing on January 14, 2021 at 10:30 am.  You can sign up or leave comments up until 1 hour prior to the hearing.

Update: You can watch a recording from this January 14, 2021 hearing here.

*See Parent Coalition submitted testimony here:

WA “Senate Environment, Energy & Technology Committee” hearing on Jan 14, 2021

My name is Cheri Kiesecker, Co-Chair of the Parent Coalition for Student Privacy. Thank you for the opportunity to comment on The Washington Privacy Act, SB5062. In this time of increased use of technology, it is crucial that citizens control who is collecting data about them and how it is being used. Unfortunately, this bill neglects to protect some of the most vulnerable in our population: school children; for this reason and others, which we briefly highlight here, and in my testimony today, we oppose this bill.

The privacy and transparency protections in this bill do not apply to government agencies (schools) and students are exempted, defaulting instead to outdated FERPA, COPPA, and WA state student privacy law passed in 2015 HB1495—all of which have several limitations and exceptions.

(SB5062 Page 8) Sec. 102. JURISDICTIONAL SCOPE.

This chapter does not apply to:

4(a) State agencies, legislative agencies, local governments, or tribes

  1. Identifiable private information for purposes of the federal policy for the protection of human subjects, 45 C.F.R. Part 46;

(page 10)

  1. Personal data collected, processed, sold, or disclosed pursuant to the federal driver’s privacy protection act of 1994 (18 2U.S.C. Sec. 2721 et seq.), if the collection, processing, sale, or 3disclosure is in compliance with that law; (j) Personal data regulated by the federal family education rights and privacy act, 20 U.S.C. Sec. 1232g and its implementing regulations; (k) Personal data regulated by the student user privacy in education rights act,chapter 28A.604 RCW

Students are often required to submit an astonishing amount of personal data, often medical and mental health, behavioral and discipline information to schools; these data can be shared outside of the school walls, and uploaded to government databases. The data can be used to predict and profile children as criminals. Students are also required to use educational technology (edtech) platforms such as Zoom, Google products (Gsuite, Meet, and YouTube), and 100s of other apps, often with embedded hidden algorithms. As this recent report states, companies that rely on algorithms to profile students can discriminate and are often biased and wrong. Researchers have shown that 1000s of edtech apps often share senstitive data with advertisers and other third parties. There is little to no regulatory oversight of edtech, no parental consent, no way for parents to see data points collected or how their children’s data are being used, processed, profiled, and marketed by third parties, data brokers, etc. The FBI issued a warning about the risks associated with edtech apps and surveillance including tracking and targeting of children, misuse of sensitive data, social engineering, identify theft, and breach. (See King County, WA breach announced yesterday.) For more concerns about student data privacy, invasive surveillance technology, and opportunistic edtech, see EFF’s Student Privacy and the Fight to Keep Spying Out of Schools: Year in Review 2020.

FERPA

FERPA was weakened in 2008 and 2011 to allow disclosure of students’ personal information to businesses, researchers, agencies etc without parent knowledge or consent; in fact parents cannot opt out of this sharing. As recently reported by the US Dept of Ed, a 2 year study found that most districts violate federal privacy law FERPA. Additionally, FERPA has no private right of action, making it difficult for parents to enforce.

COPPA

Advocates and lawmakers agree, COPPA needs to be updated. SB502 should be updated to cover children up to 17-18 years old (California CCPA increases the coverage to 16), should include a providers’ constructive knowledge, should address behavioral advertising,

Current WA state law HB15-1495, which SB5062 relies on to protect students, does not afford parental consent, does not give adequate transparency (does not require written contracts, exempts algorithms and adaptive learning (protection from dark patterns AI SB5062 would not be afforded to students), finally your student privacy law has no enforcement mechanism or penalty. Subsequently, Washington’s student privacy law HB15-1495, earned a D+ on our state-by-state report card comparison of student privacy laws.

SB5062 has many limitations and exemptions that allow the selling of user data or its use for marketing purposes:

  • SB5062 allows corporations and other third parties to sell your data or use it for marketing purposes UNLESS you expressly opt out. SHOULD BE OPT IN consent for collection and third party sharing.
  • If you do opt out, companies can charge you a higher price for their services.
  • Even then, consumers can only “opt out” of the collection and use of personal data for certain purposes.”
  • Companies can choose to refuse consumers’ request* to see what data the company has collected about them, and can charge a fee for this service. (*If they find the request –unfounded or excessive)
  • SB5062 allows personal data from Dept of Motor Vehicles to be sold. According to a 2019 report this information is sold, often to databrokers and resold; name, address, and other personal information. States are making millions off the sale of this data. Data in this data base, including social security numbers, is also often disclosed and matched to track students.
  • Finally, SB5062 does not have a strong private right of action, as last year’s House version did.

We don’t believe citizens data, especially school children’s data, should be bought and sold, profiled, used for research, or shared without their consent. — Data collection and disclosure should be OPT IN, and those collecting and disclosing the data should be held accountable with strong enforceable penalties. We hope you agree.

Thank you.

Cheri Kiesecker

Co-Chair Parent Coalition for Student Privacy

https://www.studentprivacymatters.org