Blog

Why students should be allowed to keep their cameras off during remote learning

December 2020

Endorsed by Access Living, ACLU of Illinois, Brighton Park Neighborhood Council, Chicago Lawyers’ Committee for Civil Rights, Children’s Screen Time Action Network, Civitas ChildLaw Center, Hartlieb & Horste, LLC, Illinois Families for Public Schools, Parent Coalition for Student Privacy, Raise Your Hand for Illinois Public Education  

Adapted from IFPS here; see the one-page Summary here.

Many US public schools have been operating remotely since March, either full-time or part-time as a result of the Covid pandemic.  And with infection rates steeply increasing in the US, the timing of any return to fully in-person schooling remains uncertain.

The use of technology was widespread even before this spring. Now its use is nearly universal. But tech use should not impinge on students’ right to privacy and access to schooling.

In a recent national survey, 60% of educators said students would face negative consequences for having cameras off.   However, students should never be forced to choose between maintaining their privacy and receiving an education .  Moreover, surveillance does not equal safety.

Surveillance can be especially stressful for disadvantaged students,  students of color; those with disabilities; undocumented students; students in temporary living situations and/or those from low-income families, living in crowded homes or apartments.

There are many other ways teachers can check if students are paying attention, such as calling on them verbally, asking them to use the chat function or polling function.

We have assembled a set of best practice policy recommendations on tech use during remote learning:

  • Camera-on requirements: Students should always be permitted to participate in class without turning on video. And if live-video streaming is used during synchronous learning, schools should obtain written consent from parents explaining the risks and benefits of their children opting in to having their cameras on.
  • Recording video conference sessions: Recording should never be obligatory for students, including for one-on-one sessions of a sensitive nature, e.g. counseling and therapy. Families must receive clear information about their rights to inspect, correct, receive copies of and, for children 13 and under, delete recordings.
  • Observers in the virtual classroom: Schools/districts should issue clear guidelines to allow parents, guardians or other participants, for example childcare workers or family members, to assist their child in participating and/or to observe live video-conference sessions.
  • Use of surveillance software to monitor devices: Students and families should be informed of the role of any browser in monitoring online activity and physical location, especially for the use of non-school owned devices. No third party provider of a computer hardware or software should be able to collect, use, generate or retain student data without explicit parental “opt in” permission.
  • Use of surveillance software for proctoring tests remotely: Rather than subjecting students to highly invasive monitoring in pursuit of test security, schools and teachers should implement methods of assessment during remote learning that do not require surveillance spyware.
  • Policy transparency for families: Schools should not only establish clear policies for tech use and privacy, but also make information about these policies accessible to all families (e.g. providing paper copies, translating all documents).

These recommendations are intended as a resource to assist students and families, teachers, administrators, and school board members, whether they are writing, revising or advocating for improvement of policies covering the role of tech in students’ remote learning experiences. Technology is  crucial to accessing education during remote learning, but policy makers must be thoughtful in addressing its potential risks as well.

Much thanks for Cassie Creswell of IFPS for taking the lead on drafting this guidance.

Blog

A Privacy Blueprint for Biden

Privacy And Digital Rights For All

The weakening of The Family Educational Rights and Privacy Act (FERPA) and the Covid19 rush to usher in virtual learning and edtech in place of in-person learning, have created a perfect storm for student data collection and tracking. Students are increasingly subjected to edtech data collection, profiling, and surveillance as a condition of attending a public school. We call on the next administration to protect children and begin implementing these important recommendations within the first 100 days of office.

Leading privacy and civil rights advocates recently called on the next U.S. administration to make protecting digital privacy a top priority. The press release signed by Campaign for a Commercial-Free Childhood, Center for Digital Democracy, Color of Change, Consumer Action, Consumer Federation of America, Electronic Privacy Information Center, Privacy Rights Clearinghouse, Parent Coalition for Student Privacy, Public Citizen, and U.S. PIRG states:

“The Biden administration and the next Congress should make protecting digital privacy a top priority, and 10 leading privacy, civil rights and consumer organizations today released a memo of recommendations for executive actions on Day One, actions during the first 100 days and legislation.

“The United States is facing an unprecedented privacy and data justice crisis,” the blueprint memo reads. “We live in a world of constant data collection where companies track our every movement, monitor our most intimate and personal relationships, and create detailed, granular profiles on us. Those profiles are shared widely and used to predict and influence our future behaviors, including what we buy and how we vote. We urgently need a new approach to privacy and data protection. The time is now.”

“The U.S. urgently needs a comprehensive baseline federal privacy law. The Biden administration and Congress should not delay in setting out strong rights for internet users, meaningful obligations on businesses, and establishing a U.S. Data Protection Agency with strong enforcement powers,” said Caitriona Fitzgerald, policy director, Electronic Privacy Information Center.

“Privacy is a basic human right, and children’s personal information should not be profiled, licensed, sold, commercialized or shared with third parties as a condition of attending a public school. We hope policymakers will move to prohibit the use of student data for marketing purposes and require all public schools and education agencies to adopt strict security and privacy standards,” said Leonie Haimson, co-chair, Parent Coalition for Student Privacy.

“For far too long, companies have deceptively tracked kids and used their sensitive data to exploit their vulnerabilities and target them with marketing. Families are counting on the Biden administration and the next Congress to recognize that children and teens are vulnerable, and to put protections in place which will allow young people to use the internet more safely,” said David Monahan, campaign manager, Campaign for a Commercial-Free Childhood.

The recommendation memo, Privacy and Digital Rights for All, specifically calls for protection of children, teen, and student data, including parent consent before sharing student data:

Action item within the first year: Protect children and teens.

Action 8: Protect Children and Teens from Corporate Surveillance and Exploitative Marketing Practices Recommendations for First 100 Days
•Urge the FTC to begin 6(b) studies on ad tech and ed tech companies’ data practices and their impacts on children and teens before undertaking any rulemaking under the Children’s Online Privacy Protection Act (COPPA).
•Protect students through an executive order that requires the Department of Education (DoE) to:
o Prohibit the selling or licensing of student data;
o Issue recommendations on transparency and governance of algorithms used in education;and
o Minimize data collection on students,ensure parental consent is affirmatively obtained before disclosing student data, and issue rules enabling parents to access and also govern data on their child.
Recommendations for Legislative Action
•Ensure children and teen privacy is legislatively protected as part of a comprehensive baseline federal privacy bill that:
o Establishes the special status of children and teens as vulnerable online users; provides strong limits on collection, use, and disclosure of data, and narrowly defines permissible uses;
o Requires employing privacy policies specific to children’s data on all sites and platforms used by children; and
o Prohibits targeted marketing to children and teens under the age of 18 and profiling them for commercial purposes.
•Strengthen COPPA by raising the covered age to 17 years and under, banning behavioral and targeted ads, banning the use of student data for advertising, and requiring manufacturers and operators of connected devices and software to prominently display a privacy dashboard detailing how information on children and teens is collected, transmitted, retained, used, and protected.
See more recommended principles for protection of children and teens here.

It’s time for the U.S. to take data privacy seriously.  Citizens should have consent and control over collection and use of their data; “pay-for-privacy provisions” and “take-it-or leave it” terms of service should be prohibited.  Finally,  our most vulnerable, our children should be protected, not exploited and surveilled as a condition of attending public school.

Blog

NY State Student Privacy Survey

Class Size Matters, NY Allies for Public Education, and the Parent Coalition for Student Privacy would like to know which online apps or programs are being employed by schools throughout New York state, and whether they are sufficiently protective of children’s privacy. We are asking parents and teachers to take our survey here, to let us know what apps or programs your schools are using.

Since the pandemic hit, districts across New York State have purchased many commercially-produced online apps and digital programs to implement remote learning. Even before last spring, schools had been using a large number of programs, many of which collect and use personal student information. In NYC alone, more than 75 commercially available online programs have been acquired for teachers to assign to their students, and “The DOE has informed schools that for SY 2020-21, they must have a shared, inclusive and digital curriculum in all core subject areas,” according to the UFT.

Many of these digital apps collect and use personal student data in ways we do not understand. In some cases, the publicly available privacy policies of these vendors are NOT sufficiently protective and do not comply with the NY state student privacy law, Education Law 2D, which was passed in 2014.

Among other things, this law and its regulations adopted in Jan. 2020 require that every contract with a vendor with access to personal student data must have a separate Parent Bill of Rights [PBOR], which specifies how the data will be protected and how parents can access the data and challenge it if necessary.

Each of these separate Parent Bill of Rights are supposed to be posted on the district website, along with other important information, including your district’s overall data privacy protection policy, and how you can contact the district data privacy officer in charge of ensuring these protections. Links to the Education Law 2D, the regulations, and a summary of some of their most important provisions are here and below.

Please take a few minutes to fill out our online survey to let us know what online apps and/or digital programs are being used in your schools, and whether the district has provided the necessary information about the ways in which that data is being protected from breach and abuse.

Thanks!

NYS Student Privacy Regulations Summary (Final)

NYS Student Privacy Regulations Summary (Final)

In addition, the full law and regulations are available at the following links:

Blog

Top 10 back-to-school student privacy tips and resources for parents

Image

It’s back-to-school time for K-12 students,  which will mean for many students remote online learning, or some type of hybrid, combining in-person with screen-based instruction.   We’ve gotten lots of questions from parents and educators concerned about the opportunity for expanded student data collection and disclosure in this new regime.

Here’s a checklist of resources and tips to help protect your students’ privacy:

  1. Opt-out of Directory Information.  Schools can share Directory Information about students with third parties without parental or student consent, unless you opt-out.   FERPA,  the Family Educational Rights and Privacy Act, requires schools to notify you of your right to opt-out of Directory Information, at the beginning of the school year. (FERPA is a privacy law that applies to any educational institution that receives federal funding, which includes all public schools and many private educational institutions as well.)  See our sample Directory opt-out form and resources  here and see World Privacy Forum’s video, flyer,  more information and opt-out form here Or use this school district’s Directory opt-out form as a template to also opt-out of online recorded or video conference learning.  Why does this matter?  What can be shared without your consent, via Directory Information? .According to the US Department of Education, Directory Information can include, but is not *limited to:
    • Student’s name
    • Address
    • Telephone listing
    • Electronic mail address
    • Photograph
    • Date and place of birth
    • Major field of study
    • Dates of attendance
    • Grade level
    • Participation in officially recognized activities and sports
    • Weight and height of members of athletic teams
    • Degrees, honors, and awards received
    • The most recent educational agency or institution attended
    • Student ID number, user ID, or other unique personal identifier used to communicate in electronic systems but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user’s identity, such as a PIN, password, or other factor known or possessed only by the authorized user
    • A student ID number or other unique personal identifier that is displayed on a student ID badge, but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user’s identity, such as a PIN, password, or other factor known or possessed only by the authorized user. 
    • *some schools include video as Directory Information
    • Unfortunately, FERPA has been rewritten to allow other exceptions to requiring parental consent, including allowing schools to disclose student information to contractors, researchers and others – which we describe in this fact sheet. But opting out of Directory Information is a good way to start and ensure that your child’s information isn’t shared with just anyone that the school or district might like, without any restrictions on re-disclosure or how the information might be used.                                                …………………………………………………….
  2.  Many schools are using Zoom, Microsoft Teams, or Google Meet for distance learning all day long and as The Washington Post reports, kids and parents are concerned about screen time and privacy issues.  If you are using Zoom (read our What you need to know about Zoom) or other video conferencing app for distance learning, be aware of your background (ie: that poster on the wall, your little sister in the room, etc) and consider asking your teacher if you can leave your camera OFF, (and covered with a band-aid)  to protect your child’s privacy.  At the very least, when using these video conferencing tools from home, use a virtual background.   (Per this very short video: it is your civil right to turn your camera off or use a virtual background for distance learning.)  Here is a Zoom tutorial on how to do virtual backgrounds.  Remember, students under the age of 16 cannot create a Zoom account.
    • Click here to see the US Department of Education Student Privacy Policy Office information and resources regarding FERPA and Virtual Learning
    • Does FERPA prevent a parent from observing their student’s classroom, whether on Zoom or in-person?  No. 
      USDoE Privacy Office says in the (above) FERPA and Virtual Learning Related Resources
      FERPA neither requires nor prohibits individuals from observing a classroom.  Our Letter to Mamas on classroom observation is also applicable to virtual classrooms.” 
      Mamas Letter: “FERPA does not specifically prohibit a parent or professional working with the parent from observing the parent’ s child in the classroom.
    • See this FBI warning about virtual learning via video conferencing and online classroom hacking
    • Read about the class action lawsuit filed against Zoom which alleges that Zoom unlawfully shared Zoom users’ personal information with third parties. …………………………………………………………….
  3. Ask your child’s school to limit screen time, maximize hands-on learning, and use paper and pencil assignments whenever possible.  Have your child work outside in sunlight if possible. Concerns about screen time are real, as this important 2020 study states, “Over exposure to digital environments, from abuse to addiction, now concerns even the youngest (ages 0 to 2) and triggers, as argued on the basis of clear examples herein, a chain of interdependent negative and potentially long-term metabolic changes.  And this equally important 2020 JAMA analysis shows that increased screen exposure, regardless of quality, (even educational screen time) can put kids at risk for delayed development.  For a detailed list of studies and harm associated with screen time such as depression, suicide, myopia, loss of sleep, changes in brain structure and developmental delays, click here.

    ……

  4. Ask teachers what apps they are assigning your kids to use; and if they have been screened by the state or district to protect privacy and to ensure they comply with student privacy laws. Ask teachers what data is being collected by these online apps and businesses; ask to see the contracts and terms of service.  Ask whether data are encrypted and held on the district servers.  Ask your school if they allow vendors to serve ads to students–some state laws prohibit targeted advertising, and federal law COPPA, the Children’s Online Privacy Protection Act, prohibits companies from collecting certain data from children under the age of 13, without parent consent.*

  5. Ask to see the data in your child’s education record – as is your parental right under FERPA. If information in their record is wrong, you also have the right to correct it. ……………………………………………………………………….
  6. Make sure your child only enters the minimum amount of personal information necessary when creating an account or using any app (supervise them if possible if they have to create an account). Ask teachers if your child can log-in to an online tool anonymously by using anonymous credentials (ie: log-in as blue42;  and use email that does not include student name or ID). …………………………………………………………..
  7. Make sure your child isn’t signed into their school account when engaged in non-school activities online.  Clear their cookies regularly. (Cookies are a privacy risk; they collect your personal information, track you across sites, and can use and sell your information to advertisers and brokers.)  Use privacy friendly browsers like Firefox or Brave that block ads and trackers. …………………………………………………………..
  8. Location, location, location.  Turn off location tracking permissions for any app and device.  (Ask your child’s teacher to help with this.)
  9.  If your school uses Gsuite for Education (Google Classroom, gmail, Google Docs, etc.), check your student’s account settings and make sure YouTube Search/Watch History, location tracking from apps, etc are turned OFF or paused. Use a privacy friendly search engine like Duck-Duck-Go instead of Google.  (Google Search is not in the GSuite for Ed “Core Services” and as an Additional Service, if a student uses Google Search or YouTube, their data will be processed under Google’s general terms of service, where their data could be mined and used for marketing purposes.)
  10.  When signing up for College Board AP,  SAT,  PSAT or ACT remember that students do NOT have to take the questionnaire /surveys and should only fill in required information. If  students opt-out of the surveys and Student Search Services, it will NOT affect their chances of getting into a college. Opting out will only prevent ACT or College Board from selling access to your student’s score ranges and  personal and family data the student would provide on the survey.
    • The U.S. Department of Education issued significant guidance in 2018 that prohibits states or districts to allow testing companies like College Board or ACT to sell or re-disclose student assessment data, including test score ranges, without parent consent. Regarding these College Board and ACT surveys, PTAC guidance also says:

      “The survey’s multiple questions are designed to allow targeted recruitment, and students are specifically asked whether they would like to receive materials from different organizations, including colleges and scholarship organizations. For students who consent to being contacted by these organizations, the testing companies then sell this information….The administration of these tests and the associated pre-test surveys by SEAs and LEAs to students raises potential issues under the Family Educational Rights and Privacy Act (FERPA), the confidentiality of  information provisions in the Individuals with Disabilities Education Act (IDEA), the Protection of Pupil Rights Amendment (PPRA), and several recently enacted State privacy laws, and generally raises concerns about privacy best practices.”

11. We know, we said top 10, but this last one is important.  Surveillance cameras in schools sometimes have video feeds that are shared with police, such as the Highland Park Independent School District in Texas where police and also the city have access to the school’s surveillance cameras. Parents were required to agree to this surveillance and waive their student’s privacy rights before they could register their child for school.

Some school surveillance cameras are powered with AI (Artificial Intelligence)– these cameras in Greeley, Colorado schools can read expressions on people’s faces and their mannerisms and be able to tell if they look violent.  Privacy experts warn about faulty facial recognition and predictive profiling.

Surveillance apps like Bark or Gaggle collect everything a student types and flag it for risk,  alerting teachers, administrators and sometimes warranting a visit from police.

As this Washington Post article details, some schools are using invasive online proctoring apps like Proctorio, ProctorU, and Examity, requiring students to agree to  let these apps monitor their webcams, their microphones, access their computers, and give the app companies “reams of sensitive student data such as their home addresses; details about their work, parental and citizenship status; medical records, including their weight, health conditions and physical or mental disabilities; and biometric data, including fingerprints, facial images, voice recordings and “iris or retina scans.”   As CNN reports, the AI and predictive algorithms  used in proctoring programs can be biased and inaccurate; wrongly flagging a student as suspicious can cause real life harm,  and these programs raise ethical and privacy concerns.  Parents and students are feeling pressured into giving up their rights as a condition of attending school. As this EdSurge article states, privacy leaders question whether school surveillance has gone too far:

“A growing chorus of education and privacy leaders are speaking out about the role of surveillance technology and whether it belongs in America’s schools or raises more issues than it solves. “

Parents have been told that students  cannot opt out of either the surveillance cameras or proctoring apps.   We challenge schools to do better.  We encourage parents to ask for copies of these data sharing agreements, contracts, MOUs.   Talk to your school boards, talk to your legislators and let them know that students should not have to pay the price of an education at the expense of their privacy.

Check out our Parent Toolkit for Student Privacy,  for more tips on how to protect your child’s personal data.  Read this open letter from our friends at Commercial-Free Childhood and Defend digital me,  signed by the Parent Coalition for Student Privacy and over 30 advocacy groups worldwide,  asking policy makers, data protection authorities, and providers to protect kids’ rights, privacy, and well-being when they are engaged on edtech platforms.  Join us.  If you have questions about your student’s privacy, we’d love to hear from you.

 

Blog

What you need to know about Zoom for Education

Zoom for Education has been adopted by thousands of schools nationwide. Zoom began marketing to K-12 schools in November 2019, prior to the  Covid pandemic.  Zoom also created a website specific for education:  https://zoom.us/education.  Zoom has referred to its education platform as a Zoom for K-12 service  but apparently rather than face data privacy and transparency requirements for contracted school service providers in Colorado law,  Zoom NOW claims they are not a school serviceMore on this below, but first we’ll focus on Zoom’s third party data sharing and cookies.

When you visit the Zoom for Education webpage, you will see a pop-up box asking if you want to opt-out of third parties using your information–DON’T IGNORE THIS WHEN YOU SEE IT; this alert doesn’t appear every time you visit the page.   Every parent and school district, education official should click More Info and review the cookies on the Zoom for Education website.    WHY?  Because Zoom allows third parties to access student data. In fact, prior to July 2020 and  Zoom’s most recent update to its K-12 privacy policy, Zoom apparently allowed third-party advertising cookies on its Zoom for Education platformCommon Sense Media actually warned about Zoom’s third party  targeted advertising in April 16, 2020.  Common Sense stated,

“…there are still privacy issue areas where Zoom falls short, including its limited, but still targeted, use of advertising and third-party tracking that may affect students in K–12. (Ads don’t appear on Zoom itself but on other sites kids visit after using it.) “

Similarly, this March 17, 2020  New York Times  article entitled  We Live in Zoom Now,  also warned about Zoom’s use of student data for advertising, quoting Jules Polenetsky, CEO of the Future of Privacy Forum, as saying,

“The standard Zoom privacy policy allows data to be shared for targeted advertising,” Mr. Polonetsky wrote in an email interview. And some of the company’s standard terms are not consistent with the Family Educational Rights and Privacy Act, or FERPA, “in addition to many of the 130+ state student privacy laws passed since 2014”

Interestingly, the next day after this NYT article,  Zoom updated its K-12 privacy policy on March 18, 2020. This March 2020 version stated that,

We only collect students’ Personal Information to provide the Zoom for K-12 service to the School Subscriber, not for marketing or advertising, and, with the limited exception of our service providers, we do not share Personal Information about K-12 students with other parties”

“… Zoom and/or our third-party service providers also automatically collect some information using methods such as cookies. Information automatically collected may include Internet protocol (IP) addresses, browser type, Internet service provider (ISP), operating system, and date/time stamp. We use this information to provide and support the Zoom for K-12 services. We do not use this information to deliver advertising or for any other purpose not related to the delivery and support of the services.”  

On April 9, 2020, Zoom again changed their K-12 privacy policy to this version, which made a few changes but kept the same quoted language above, stating that Zoom does not collect student pii for marketing or advertising.

However, Zoom changed its K-12 privacy policy AGAIN  to this July 2020 version.  This July version made substantial changes.

Students under 16 CANNOT create Zoom accounts.

The July 2020 K-12 Privacy Policy states:

“Student Users are not permitted to create K-12 Accounts but may use the Services when invited to join a meeting hosted by a K-12 Account User.  Although Zoom prohibits children and teens under the age of 16 from creating a Zoom account (and employs an online age screen to support this restriction), Student Users, even if under the age of 13, may join a meeting hosted by a K-12 Account User. School Subscribers are responsible for obtaining any parental consent necessary for use of the Services under their K-12 Accounts by Student Users, including children under the age 13.”

Hopefully K-12 schools, parents, and students are aware of this clear wording and will take heed.  Apparently in their rush to virtual learning during the Covid 19 Spring shut down,  some K-12 schools required students to download the Zoom App and create their own Zoom account- using their school email- in an effort to decrease Zoombombing.  As EdSurge reported in March of 2020, “Students should never be making an account in Zoom,”  “That’s where it can get districts into trouble.” 

No more advertising or analytics.

Another change in the July 2020 K-12 privacy policy “There are no third-party advertising or analytics cookies on Zoom’s product pages.”   That is a big change; how do we know Zoom is honoring this and what about all the months prior when advertising cookies were apparently opted-in on Zoom’s K-12 product pages?  (What’s a “product page” and is the Zoom K-12 privacy policy page a product or marketing page? See our analysis and trackers found, here.)

When you click on the More Info link on the pop-up notice, Zoom for Education now automatically opts-out advertising cookies but that was not the case previously, as you can see from this April 2020 screen capture that shows ads were opted-in.

And here is a list of the Advertising Cookies on the Zoom for Education page that apparently prior to July 2020 were automatically opted-in, ( we underlined in red), and allowed  cookies “to serve ads relevant to your interests” unless the user clicked the opt-out box.

Why all the changes to the K-12 privacy policy?

Zoom for Education has changed its privacy policy several times, which itself raises serious concerns. Here are some of the privacy and security “mistakes” and concerns with Zoom that have already been reported.  One such concern related to the fact that while Zoom’s K-12 privacy policy originally claimed that student data was not used for advertising and student data was only used for educational purposes, the automatic opt-in to advertising cookies implied the opposite.  Was sharing student information with Facebook and LinkedIn, or Twitter, Yahoo, Walmart, Microsoft Advertising, Nielsen Marketing, Google DoubleClick ads really an educational purpose?

Here are a few privacy and security Zoom issues in the news:

  • Zoom falsely claiming data is end to end encrypted, Verge link 
  • Zoom sharing user data with Facebook, link
  • Zoom sharing  user data  with LinkedIn, link 
  • Zoombombing  and FBI warning, link
  • Zoom routing data (with encryption keys) through China, link
  • Over 500,000 Zoom accounts being sold on the dark web, link
  • Zoom’s security issues were exposed over 2 years ago by Dropbox, this is not a new problem, link
  • Class action lawsuit for unlawful eavesdropping, link
  • NY, CT, FL Attorneys General investigate Zoom security practices
    • NY resolved Zoom investigation: NY created this master agreement where Zoom must adhere to certain security requirements but agreement does not require Zoom to get consent or inform parents of when third parties access their children’s data, does not prohibit re-disclosure of data. The agreement does not address use of artificial intelligence, facial recognition, nor is Zoom required to tell parents how student data are analyzed or profiled.
  • Maryland parents concerned about privacy, security of student data collected by Google and Zoom for Education, link 
  • Colorado Attorney General investigates Zoom for Education, link
  • The Electronic Privacy Information Center (EPIC) filed a complaint with the FTC against Zoom in July 2019. “Zoom intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user’s web camera without the knowledge or consent of the user.”  link

So, is Zoom “safe” now?

Common Sense Media recently wrote this July 14, 2020 piece, Privacy Risks of the Top 5 Distance Learning Apps, which evaluated privacy features of Zoom, Apple Facetime,  Microsoft Teams, Google Hangouts, and Cisco Webex.

Common Sense gave Zoom the highest overall privacy rating.

In looking at Common Sense Media’s Privacy Evaluation of  Zoom for Education,  you can see they say that Zoom is clearly being marketed as a School Purpose and intended for students,  “primarily used by, designed for, and marketed toward students in grades preK–12.”

Common Sense Media gave Zoom for Education a high rating for privacy even though  they admit to the following uncertainties:

  • User information can be transferred to a third party.
  • Unclear whether users are notified if their information is transferred to a third party.
  • Unclear whether user information can be deleted prior to its transfer to a third party
  • Unclear whether the vendor describes their deidentification process of user information.
  • Unclear whether data are shared for research and/or product improvement.
  • Unclear whether contractual limits prohibit third parties from reidentifying deidentified information.

And when they ask if there are advertisements or tracking, they say:

  • Traditional or contextual advertisements are displayed.
  • The vendor can send marketing messages.
  • The vendor does provide promotional sweepstakes, contests, or surveys.
  • Users can opt out of traditional, contextual, or behavioral advertising.  [should be opt-in for student advertising]
  • Users can opt out or unsubscribe from marketing communications.   [should be opt-in for student advertising]

What about the other Cookies and Trackers still on the Zoom for Education page?

Remember when on the Zoom for Education webpage, you will see a pop up box asking if you want to opt out of third parties using your information–we said DON’T IGNORE THIS WHEN YOU SEE IT.   These are the cookie settings you see today when you click  More Info and Advanced Settings, and View Cookies. 

Notice  (orange arrows added) that Functional Cookies are still automatically Opted-In and include third parties like Twitter and Vimeo, New Relic, Salesloft, Milward Brown Digital, Pardot, and PayPal

Google (Google ads?) and Zoom cookies are required.

Clicking on Google Inc you see:  “Google operates Google Ads, Display & Video 360, and Google Ad Manager. These services allow advertisers to plan, execute and analyze marketing programs with greater ease and efficiency, while enabling publishers to maximize their returns from online advertising. Note that you may see cookies placed by Google for advertising, including the opt out cookie, under the Google.com or  DoubleClick.net domains.  For more information, see https://policies.google.com/technologies/ads ”

Clicking on Zoom you see:  “api.zoom.us, blog.zoom.us, connectnz.zoom.us, facebook.zoom.us, google.zoom.us, imauth.zoom.us, investors.zoom.us, launcher.zoom.us, log.zoom.us, recurly-callout.zoom.us, support.zoom.us, www3.zoom.us, www.zoom.us, zoom.us, zuora-callout.zoom.us”

Functional Cookies automatically opted-in

If these screen captures above are too small for you to see, or too buried for you to find, here’s a quick little video of Zoom’s required and automatically opted-in cookies.

Final Notes

The Common Sense privacy evaluation does not mention that, as of March 31, 2020, Zoom is also a Common Sense partner in the Wide Open School initiative, as is Apple and Google.  Bill and Melinda Gates and Google also fund the initiative (no mention of Zoom funding).   As one commenter on Common Sense’s Ultimate Guide to Zoom stated, “This is a great article and covers some primary questions I have as a parent. Yet I can’t help wondering if this is a promoted post from Zoom!”  I tend to agree.  Better to be transparent and disclose any funding or endorsement or partnership when evaluating a product.

Also, the Wide Open School initiative, which is curated by Common Sense, is meant to encourage schools and parents to implement specific edtech programs during the COVID shift to remote learning. They make the following fine-print disclaimer:

A note on privacy

“While we have tried to favor sites that don’t require login, some do require registration. The provided resources include links to external websites or applications that are governed by their own privacy policies or information-collection practices, which may be substantially different from those of Common Sense. We encourage you to review the privacy policies and information-collection practices of any external websites and apps before using them with children. Many organizations have stepped up and made their resources free for kids during this critical time.”

In other words, you as an educator or a parent are on your own in trying to decipher whether the privacy protections for a specific program are strong, weak or non-existent.  It would be great if Common Sense, who does edtech privacy evaluations on a separate website,  would provide a privacy analysis  of each tool, or at least highlight the specific partners who have “privacy policies or information-collection practices, which may be substantially different from those of Common Sense“.  This would help guide the decisions of educators and parents about each of these partner tools Wide Open School is promoting.

Is Zoom for Education a K-12 School Service?

Colorado has a state law that requires contracted edtech (school service providers) to be transparent about the data elements they collect, how the data are used and to list every subcontractor who has access to the data.  Zoom doesn’t think they need to comply with this transparency law because they claim, “Zoom is not a School Service and is exempt from the requirements of the law.” The Colorado Attorney General’s privacy office is investigating whether Zoom threatens student privacy; let’s hope the Attorney General enforces Colorado law and requires Zoom to be transparent about how they and their subcontractors and third party apps (with SDKs) use student data now… and since March 2020.

It sure seems like Zoom is a school service:

  • with a dedicated K-12 Zoom for Education webpage,
  • separate Zoom K-12 privacy policy,
  • Zoom white papers, blogs and tutorials for K-12 teachers and students,
  • Common Sense gave Zoom high ranks for clearly being labeled as serving a school purpose, “primarily used by, designed for, and marketed toward students in grades preK–12.”
  • Zoom is a Wide Open School preK-12 online education resource and partner,
  • schools are requiring students to use Zoom remotely and recording video sessions and transcripts, students are answering school related questions, turning in school work (These are education records under FERPA.),
  • Zoom actually described itself as a “K-12 service” in its prior K-12 privacy policies
  • For purposes of FERPA,  Zoom is considered a “school official”

Zoom is being used as a service in thousands of schools nationwide.

It’s difficult to know if  Zoom is a threat to student privacy since Zoom keeps changing its privacy policies and cookie tracking practices, and Zoom won’t answer transparency questions about how data elements are used and shared.

What  (little things) you can do to protect your student on Zoom.

In March 2020 we wrote this piece advising parents and educators to seek alternatives to screen time, get outdoors, cover your camera when possible. If your school requires your student to use Zoom, ask your school if your student can keep their camera off. We would add to turn off (opt-out) of  non-essential cookies when possible.  If using your home computer or device, you can install free plug-ins like EFF’s privacy badger,  Lightbeam, Ghostery, uBlockOrigin that will also alert you or block third party trackers. You can also use a web browser like Brave or Firefox that will block ads and spyware.

Honestly, as a mom, I think I speak for most parents when I say that Zoom for Education (and all the virtual learning companies) should be required to tell parents how their children’s voice and video and data are used, and should be required to let parents know who else has access to our kids’ information. These companies should not be allowed to exploit students for marketing and advertising.  This pandemic is tough enough, the last thing parents need is worrying about a company profiling their student.  Parents and teachers are just trying to survive and teach our kids.