Montgomery County, MD Parents Concerned About the Privacy and Security of Children’s Data Shared with Zoom and Google

The below post expresses concerns that are widely shared by parents throughout the country whose children are using programs like Zoom and Google Classroom that have not been thoroughly vetted for privacy and security protections.

by Joel Schwarz, Esq., CIPP

To say that 2020 has proven to be a challenging time for everyone would be an understatement.  Nowhere is this more true than in the education space where, with little time to plan , school systems around the country were required to convert in-person programs into remote educational programs, all the while wrestling with ensuring that children who rely on in-school meals still receive them, children’s special needs requirements are still met, etc.

Overall, school administrators, parents, and students alike have risen to the occasion in admirable fashion and deserve our gratitude and appreciation. That said, as the parents of students in the Montgomery County Public School (MCPS) (Montgomery County, Maryland), we’ve grown increasingly concerned about some of the technologies deployed to assist in remote learning. Two (2) companies in-particular stand out: Zoom and Google.

Our concern with Zoom stems from the fact that Zoom was never designed for the student/school setting, where there are special sensitivities relating to student privacy and data sharing, as well as FERPA and COPPA requirements.  While Zoom bombing (hijacking Zoom’s virtual meetings) has certainly been the most prominent issue in the press, other significant security and privacy concerns with Zoom include:

  • Zoom misrepresenting the encryption it uses, claiming to use “end-to-end” encryption, which Zoom later conceded was untrue (in an April 4 interview in the Wall Street Journal, Zoom’s CEO conceded that he’d “messed up on security,” but would begin working on true end-to-end encryption). Notably, in May 2020 Zoom announced its purchase of Keybase, a company that specializes in encryption solutions. This doesn’t solve Zoom’s lack of end-to-end encryption, however, as it’ll take time to integrate Keybase’s technology, during which time Zoom will still lack end to end encryption;
  • Zoom’s custom encryption is predictable, weak, and is vulnerable to cracking by hackers;
  • Zoom’s encryption keys may be retrieved from servers in China, giving rise to a risk that the Chinese government can (and may already have) forced Zoom to share all Zoom communications;
  • Zoom’s collection of information from students in excess of what is needed for purely educational purposes, potentially in violation of FERPA.

Interestingly, upon discovering problems with Zoom, a number of school systems walked back plans to utilize Zoom, including New York City public schools, Clark County Public Schools in Nevada, and schools in Utah, Washington state and beyond.  These actions were later followed by investigations into Zoom by Attorneys General offices of New York, Florida and Connecticut, to name a few.

Naturally, as parents of MCPS students, we raised similar concerns with MCPS.  Despite our requests, however, MCPS did not take action, nor were we provided with a look at the contract between Zoom and MCPS, or Google and MCPS (although we were given the option of opting out Zoom calls for our children).

We later learned that school districts in upstate New York had obtained more favorable terms and conditions from Zoom for their students, which any school district in New York can choose to opt into, including an agreement by Zoom to “delete any student, teacher and principal data it had collected or stored when the contract expires later this year.”

It seemed reasonable to us that Maryland students deserved the same protections.

Google also presents significant concerns for us as MCPS parents, because Google has been completely unresponsive to privacy requests made by MCPS regarding our children’s data. Specifically, last year the Montgomery County Council of PTA’s Safe Technology Subcommittee and MCPS initiated a “Data Deletion Week,” which required, among other things, that ed tech providers certify the deletion/purge of certain student data at the completion of the school year. Several other ed tech providers promptly complied, but Google failed to do so, and has continued in this failure for almost nine months now.

But Maryland parents are not alone in concerns about Google’s handling of students’ personal information.  The New Mexico Attorney General’s Office filed a lawsuit against Google in February 2020 for deceptive trade practices, alleging that once Google collects student data, it shares that data across all of its business segments “for its own commercial purposes” despite having promised to use it only for educational purposes. Likewise, privacy-focused Internet browser Brave filed a lawsuit with the Irish Data Protection Authority on March 16, 2020, alleging that Google fails to fence off data collected by its different services, sharing data widely across all business lines in what Brave refers to as “Google’s internal data free-for-all.” This is eerily reminiscent of the concerns raised by the New Mexico Attorney General.

Our concerns escalated further when, due to COVID-19, student use of, and reliance on, Google Chromebooks and Google Classroom increased exponentially, turning the small spigot of information that previously flowed to Google into a virtual fire hose, compromising the privacy of hundreds of thousands of Maryland students.

As a result of our concerns with Zoom and Google, we wrote to Maryland State Attorney General Brian Frosh, seeking his help and intervention.  Specifically, we requested that Attorney General Frosh’s Office take immediate action to ensure robust protections for student data acquired by Zoom and Google, including:

  • Publicly posting the Zoom and Google contracts with MCPS so that we have greater transparency into the privacy and security protections (or lack of them thereof) for our children;
  • Securing binding public assurances that Zoom and Google will secure and protect our children’s data, by:
    • segregating personal information and usage information from all of their other lines of business;
    • ensuring that all student data, communications and encryption keys remain inside the U.S.;
    • committing to not sharing or otherwise using student data for any purpose other than purely educational purposes; and
    • purging all student data and related information at the end of the current school year, or the end of the pandemic, whichever comes first, and then certifying this in writing, under oath.

To date, we have yet to receive a response from Attorney General Frosh’s office (our letter was sent on April 17 and was received on April 20). We nonetheless remain hopeful that progress is being made behind the scenes, as we’ve heard from individuals inside MCPS that the Maryland Attorney General’s office has engaged with them.

So as the old saying goes, hope springs eternal. In this case, we’re hopeful that Attorney General Frosh will eventually revert to us with positive news regarding our requests, because it’s only through AG Frosh’s intervention that we will ensure greater protection of our children’s data, and greater transparency for us, as parents, allowing us to make informed choices about our children’s education and personal information.

If you’re interested in staying abreast of our progress on this and other related issues and you live in Montgomery County, Maryland, please join the Montgomery County PTA’s Safe Tech Listserv by emailing [email protected].

And if you’re interested in hosting an online meeting, webinar or virtual coffee on this topic or related Ed Tech topic, contact your PTA President and then contact us  at [email protected], as we’d be happy to arrange a guest speaker(s) from the Safe Tech Committee to discuss these topics.

Tell Congress to protect your family’s privacy

HR 6172, the USA FREEDOM Reauthorization Act, would reauthorize portions of the Foreign Intelligence Surveillance Act governing the intelligence agencies’ search and surveillance activities. A critical privacy amendment introduced by Senators Wyden and Daines failed by only one vote in the Senate last week that would have prohibited the government from spying on private citizens’ internet searches without a warrant, as well as their phone and computer histories.

Please send a letter to your Representatives in Congress today, asking them to support an amendment to FISA with similar language, to protect your privacy and that of your children under the Fourth Amendment against the government surveilling your family’s internet searches and phone and computer histories without a warrant.

Since the Wyden-Daine amendment failed, a bipartisan coalition of more than 60 groups wrote a letter to Congress saying that the FBI should not be allowed to to spy on Americans’ internet activity without a warrant.   More on this in Roll Call.

Especially in these times of students being required to use the internet for remote learning, let your House members know that the protecting privacy and civil rights of your family and all Americans are important to you.

thanks!

Cheri Kiesecker and Leonie Haimson

Co-chairs, Parent Coalition for Student Privacy

Coalition tells the FTC: Time is up for TiKTok

 

The Parent Coalition for Student Privacy is one of twenty advocacy, consumer, and privacy groups that filed a May 14, 2020 complaint with the Federal Trade Commission (FTC), asking them to investigate and sanction TikTok, formerly Musical.ly, for continuing to violate COPPA, the Children’s Online Privacy Protection Act. The complaint argues that TikTok continues to store and collect children’s personal information without notice to and consent of parents, in violation of its 2019 order by the FTC.

If you are not familiar with TikTok, it is a very popular social media app, with 800  million worldwide users, many of them children.  TikTok allows users to record and upload videos of themselves dancing and singing and the app has more downloads than Facebook.  As this Manchester Evening News piece points out,  the recommended ages are for 12 plus, but “online safety experts say it has been designed with the young user in mind and has a very addictive appeal.”

Why this complaint is important

Because TikTok  is a popular platform for children, parents  worry that TikTok is not safe and that it puts kids at risk of sexual predation. For example, this father warned other parents after his 7 year old daughter was asked to send nude pictures of herself on TikTok. In another instance, a 35 year old Los Angeles man was allegedly targeting girls by posing as a 13 year old boy on TikTok and engaging in  “sexual and vulgar conversations with at least 21 girls, some were as young as 9”.  This February 2020 piece in Parents  says,  “TikTok allows users to contact anyone in the world, and this comes with its own host of hazards”.  The Parents piece goes on to point out that “kids can be targeted by predators, it’s easy to encounter inappropriate content”, and “Even if you set your own account to private, you may still be exposed to sexual or violent content posted to the public feed.”

There are many more concerning  examples of underage TikTok use cited in the complaint. And as the complaint notes, it is easy for a child to fake their date of birth and sign up for an adult TikTok account.

Data is money. Children’s data is valuable, predictive and can profile the user.  As the complaint states,

“TikTok collects vast amounts of personal information including videos, usage history, the content of messages sent on the platform, and geolocation.  It shares this information with third parties and uses it for targeted advertising.”

Parents want to know how TikTok is using their children’s data.  TikTok, owned by Bytedance, uses Artificial Intelligence (AI) and facial recognition.  Per this 2018 Verge article,

 “A Bytedance representative tells The Verge that TikTok makes use of the company’s AI technologies in various ways, from facial recognition for the filters through to the recommendation engine in the For You feed. “Artificial intelligence powers all of Bytedance’s content platforms,” the spokesperson says. “We build intelligent machines that are capable of understanding and analyzing text, images and videos using natural language processing and computer vision technology. This enables us to serve users with the content that they find most interesting, and empower creators to share moments that matter in everyday life to a global audience.”
TikTok also uses persistent identifiers to track kids and TikTok algorithms create profiles of children.  Per the complaint

 

“TikTok uses the device ID and app activity data to
run its video-selection algorithm. When a child scrolls away from the video they are watching, TikTok’s algorithm uses artificial intelligence to make sophisticated inferences from the data TikTok collects to present the next video. The algorithm “entirely interprets and decides what the user will watch instead of presenting a list of recommendations to the users like Netflix and YouTube.”

 

Using personal information in this manner exceeds the limited exceptions for personalization of content. The COPPA Rule is quite clear that information collected to support internal operations may, under no circumstances, be used “to amass a profile on a specific individual.”

 

Yet TikTok does, indeed, amass a profile of each user—including child users—and draws upon that profile to suggest videos of interest to the user. That profile may be based in part on users’ overt behavior, such as liking videos. However, TikTok also appears to amass user profiles based on passive tracking.  As reported in The New Yorker, “Although TikTok’s algorithm likely relies in part, as other systems do, on user history and video-engagement patterns, the app seems remarkably attuned to a person’s unarticulated interests.” Another article observed that the algorithm “goes right to the source using AI to map out interests and desires we may not even be able to articulate to ourselves.” The profiles that TikTok amasses on its users are designed to be used not only to curate which user-generated videos appear in each users’ stream, but also to assist with advertising. ” [Emphasis added]

 

It’s time the FTC uses its power to protect children and enforce COPPA.  The FTC should investigate TikTok,  ensure TikTok is in compliance with COPPA and its consent decree. If TikTok is found in violation, the FTC should take action and sanction TikTok again–with a fine that is proportionate to the degree of TikTok’s violations.

 

We are grateful to the Campaign for a Commercial-Free Childhood (CCFC), the Center for Digital Democracy (CDD), Institute for Public Representation Georgetown University Law Center  and many others for their work on this complaint.

 

Here is The Campaign for a Commercial-Free Childhood (CCFC) full press release.  Additional coverage of the TikTok complaint can be seen as reported in the New York Times, Financial Times, Politico, Morning Tech, and Reuters

Eva Moskowitz and Success Academy charters found guilty of violating NY State student privacy Law

For immediate release: May 14, 2020

More information: Fatima Geidi, [email protected]  (646) 373-1344
Leonie Haimson, [email protected]; 917-435-9329

 

Eva Moskowitz and Success Academy found guilty of violating NY State student privacy Law

 

The Chief Privacy Officer of the NY State Education Department issued a ruling on Tuesday May 12 that Eva Moskowitz and Success Academy had violated Education Law 2d, the state student privacy law, that prohibits the disclosure of personal student information without parental consent except under specific conditions required to provide a student’s education.

In 2015 and thereafter, Success Academy officials published exaggerated details from the education records of Fatima Geidi’s son when he was attending Upper West Success Academy, and shared them with reporters nationwide.  They did this under Eva Moskowitz’ direction to retaliate against Ms. Geidi and her son, when they were interviewed on the PBS News Hour in 2015, about his repeated suspensions and the abusive treatment he suffered at the hands of school staff from first through third grade.

Ms. Geidi filed a student privacy complaint to the State Education Department in June of last year.  In response to her complaint, Success Academy attorneys made a number of claims, including that the statute of limitations had lapsed, that charter schools were not subject to Education Law 2D,  and that school officials have a First Amendment right to speak out about her child’s behavior.  All those claims were dismissed in the decision released yesterday by the NYSED Chief Privacy Officer, Temitope Akinyemi.

The State Education Department has now ordered Success Academy to take a number of affirmative steps, including that administrators, staff and teachers must receive annual training in data privacy, security and the federal and state laws on student privacy, that they must develop a data privacy and security policy to be submitted to the State Education Department no later than July 1, 2020, and that after that policy is approved, it must be posted on the charter school’s website and notice be provided to all officers and employees.

As Fatima Geidi said, “ I am happy that my son’s rights to privacy and hopefully all students at Success Academy from now on will be protected, and that Eva Moskowitz will be forced to stop using threats of disclosure as a weapon against any parent who dares speak out about the ways in which their children have been abused by her schools.  However, I am disappointed that the Chief Privacy Officer did not order Ms. Moskowitz to take out the section of her memoirs, The Education of Eva Moskowitz, that allegedly describes the behavior of my son.  I plan to ask my attorney to send a letter to Harper Collins, the book’s publishers, demanding that they delete that section of the book both because it contains lies and has now been found to violate both state and federal privacy law.  If they refuse, we will then go to the Attorney General’s office for relief.”

Last year, the US Department of Education also found Ms. Moskowitz and Success Academy guilty of violating FERPA, the federal student privacy law.  The official FERPA findings letter to Ms. Moskowitz is here.  Yet Ms. Moskowitz launched an appeal of that ruling on similar First Amendment grounds, with the help of Jay Lefkowitz of Kirkland and Ellis to represent her in the appeal.  Lefkowitz is the same attorney who negotiated a reduced sentence for Jeffrey Epstein, the notorious child sex abuser, in a controversial plea deal in Palm Beach County in 2007. Though Ms. Geidi has repeatedly asked the U.S. Department of Education about the outcome of this appeal, she has heard nothing in response.

As Leonie Haimson, co-chair of the Parent Coalition for Student Privacy, pointed out: “Fatima’s son is not the only child whose privacy has been violated by Success Academy.  Last year, Success shared details from the private education files of Lisa Vasquez’ daughter with reporters from  Chalkbeat without her consent, after Ms. Vasquez spoke about how her daughter had been unfairly treated at Success Academy Prospect Heights.  The SUNY Charter Institute also noted unspecified violations of FERPA by SAC Cobble Hill, SAC Crown Heights, SAC Fort Greene, SAC Harlem 2, and SAC Harlem 5 during site visits, noted in their Renewal reports.  The time for Eva Moskowitz to comply with the law and stop violating the privacy of innocent children whose parents dare to reveal her schools’ cruel policies has long passed.”

###

A model Google contract that has strong student privacy protections

We have received many questions from parents and teachers  over the last few weeks concerned about the privacy practices and policies of the various ed tech tools and programs being adopted hurriedly by schools and districts in the wake of the coronavirus crisis.  One of the most widely used programs, even before many schools were shut down, was Google classroom or G-suite.

We just received a copy of the model G-suite contract that upstate NY administrators negotiated this fall with Google that complies with NY State’s student privacy law, Education § 2-d.  Because of the relative strength of this law, New York state received a B-, the second highest grade of any state in our state privacy report card, .

Parents in NY and elsewhere should ask their districts for a copy of their contract with Google Suite to see if it includes the same or similar privacy-protective provisions.  If not, ask why, and whether their district could negotiate a similar contract, or if in NY State, simply opt into this one.  If your NY district refuses to make available the contract upon request, you should remind them that they are required to post all contracts online that allow for the disclosure of student data, according the regulations promulgated by NY State Education Department in January.

BOCES model contract with Google – G Suite 19-20

BOCES district Opt-In – Erie1 9.3.19