Tag Archives: privacy

Blog

Our follow-up letter to the City, reaffirming our concerns with Teenspace violations of student privacy

Oct. 17, 2024

On Sept. 10, along with NYCLU and AI for Families, we wrote the Mayor, the DOE Chancellor, and the Commissioner of  Health about our deep concerns with the way in which the online mental health company Teenspace allows for the sharing of personal information with unnamed third parties for marketing purposes in a manner that would be illegal if the contract was signed by the DOE rather than the Dept. of Health. Their parent company, Talkspace, is being paid $26 million over three years by the city to provide free counseling to students, and the Mayor, the Commissioner of Health and the DOE have all been aggressively encouraging NYC students to sign up for these services, with no mention of how their personal data may be used for predatory marketing and other commercial purposes which could further undermine their mental health.   More on this here.

On Sept. 23,  Dept. of Health responded, arguing that they did not have to abide by the state student privacy law since they were not an education agency, but assuring us that their contract was no less  protective.  On Oct. 8,  we received the Talkspace contract via a Freedom of Information Law request.

The contract did not dispel our concerns.  Since we sent our initial letter, we had discovered that when a NYC student visits the Teenspace website on their phone, their personally identifiable information is shared with 15 ad trackers and 34 cookies, as well as Facebook, Amazon, Meta, Google, and Microsoft among other companies, which we saw from using the Blacklight  privacy audit tool. These findings were later confirmed by a security company that does privacy analyses.  These findings are particularly concerning, given how the city is suing many of these companies for undermining children’s mental health and designing their platforms to be addictive  in order to maximize their revenues via targeted advertising.

Our follow-up letter to the Dept. of Health is  here and below, copied to  other city officials.  If you’d like to hear more about Teenspace and other threats to student privacy, please attend our privacy briefing on Wed. October  23 at 7 PM EST; you can register here.

NYCLU PCSP & AIF response to DOHMH regarding Teenspace privacy violations 2024.10.16
Blog

They are gutting the most important privacy law you never heard of.

These Republican lawmakers have introduced bills to weaken privacy.

You should have a choice whether a company uses photos of you or your family; you should be told when a company provides thousands of other companies and government entities access to photos of you.  There should be a law against this invasive use of your image and biometric data.  There is.  Illinois has one of the toughest biometrics laws in the country–the 2008 Biometric Information Privacy Act  (BIPA). The New York Times recently published a great piece about the importance of Illinois’ BIPA law: The best law you’ve never heard of.  The author, Shira Ovide, writes about BIPA:

The law’s text is simple but profound, Adam Schwartz, a senior staff attorney with Electronic Frontier Foundation, told me.

First, companies behind technologies like voice assistants or photo recognition services can’t use people’s biometric details without their knowledge or consent. Few American privacy laws go this far — and probably none will again. Typically we must agree to whatever companies want to do with our data, or not use the service.

Second, BIPA forces companies to limit the data they collect. Those two principles are in Europe’s landmark data privacy law, too.

And third, the law lets people — not just the state — sue companies.”

Illinois Representatives Jim Durkin Dan Caulkins Thomas M. Bennett apparently want to gut the best privacy law in the U.S.

These Representatives introduced two bills to weaken BIPA:  HB560  and HB559. Durkin, Caulkins, and Bennett’s bills would make it almost impossible for you to sue the companies who misuse your biometric information. For information on how these bills would weaken BIPA, see this coalition letter opposing these bills.

HB559 recently passed out of committee on a 10-5 vote with 5 Republicans and 5 Democrats voting yes. This article from the Capitol News Illinois says this about HB559 the bill to gut BIPA: 

Opponents are more concerned that the bill will render the existing law useless.

Sapna Khatri, advocacy and policy counsel for the ACLU of Illinois, noted that BIPA has been called the most effective and important privacy law in the country because of its simplicity.

“We are here because BIPA is working precisely as it was intended,” Khatri said. “This (new bill) is prioritizing corporate profits over personal privacy and granting companies wide latitude to collect and exchange our biometric information like currency. This is not a solution.”

Opponents to HB 559, such as Rep. Ann Williams, D-Chicago, and Rep. Jennifer Gong-Gershowitz, D-Glenview, argued that as technology advances, BIPA as it stands is imperative to protecting Illinois residents’ most personal private data.

“At a time when our neighbors and other states are modeling legislation around BIPA and issuing bans on the use of invasive biometric technology, like facial recognition, HB 559 presents a massive step back for Illinois,” Khatri said.”  [emphasis added]

What could have possibly enticed10 Illinois lawmakers to vote yes on this bill despite 266 people signing up to oppose HB559, while only 14 “people” (ie: Chamber of Commerce and the Illinois Civil Justice League-whose mission is to reduce the number of civil lawsuits) signed up in favor of HB559?

Why is this happening now? 

You may have read about companies like the facial recognition company Clearview AI who take photos shared on social media and then, without your permission, scrape up your family photos to add to their database. Clearview AI is facing several class action lawsuits  here and here and here, and this lawsuit in California that alleges:

 “The sheer volume of online photographs Clearview scrapes to capture faceprints for its database makes it a near certainty that anyone whose photographs are posted to publicly accessible portions of the internet will have been subjected to surreptitious and nonconsensual faceprinting.

The suit claims Clearview has “illicitly” and “illegally” collected more than three billion photos of “unsuspecting individuals,” giving it a database nearly seven times bigger than the FBI’s

Clearview has provided thousands of governments, government agencies, and private entities access to its database, which they can use to identify people with dissident views, monitor their associations, and track their speech,” the suit alleged. “Its mass surveillance technology disproportionately harms immigrants and communities of color.”  [emphasis added]

Clearview AI is not the only company scooping up your pictures for facial recognition. In a January 2020 class action decision, Facebook was found to have violated Illinois Biometric Information Privacy Act (BIPA) law and had to pay half a billion dollars

The Illinois suit was filed in 2015, alleging that Facebook collected facial recognition data on images of users in the state without disclosure, in contravention of the state’s 2008 Biometric Information Privacy Act (BIPA). Similar suits were filed against Shutterfly, Snapchat and Google.”

We all lose if BIPA is weakened.  

Illinois has had one of the toughest biometrics laws in the country for 13 years–and with the increase in surveillance technology, other states are patterning bills after BIPA. Now is the time to increase (not weaken) privacy legislation.  After big companies like Facebook and Clearview AI got sued for illegally scraping people’s photos, there are suddenly bills in Illinois to weaken BIPA. Will these industry folks weaken privacy bills in your state, too?  Don’t let them.   

Illinois lawmakers should not make the mistake of weakening privacy rights. HB559 and HB560 should be stopped. Laws and elected officials should protect people, not corporate interests.

What you can do

  • If you are an Illinois resident, call your state rep and your state senator, tell them you are their constituent and urge them to oppose HB559 and any bills that weaken the protections of BIPA.
  • For anyone, call the leadership in the IL House, in particular new Speaker of the House Chris Welch and Minority Leader Jim Durkin, the chief sponsor of the bill.   

Speaker Welch (217) 782-5350 and (708) 450-1000

Leader Durkin (217) 782-0494 and (630) 325-2028

You can find the list of House leaders in each party here and all of their contact info is listed in this directory. Tell them that BIPA is the most protective privacy law in the US and putting corporate profits over protecting individual’s freedom is doing a disservice not just to Illinoisans but to anyone who values the Constitutional right to privacy. 

Blog

Google Lawsuit, COPPA, Investigating and Blocking Ad Trackers in Children’s Apps

Google cannot escape COPPA lawsuit

There was some big news last week on the children’s privacy front: A District Judge has ruled that Google and the apps they sell on their “store” cannot  dodge a lawsuit brought by the New Mexico Attorney General. Previously, a state court had said the case couldn’t proceed, but thanks to this decision, Google will face claims that apps they hosted in the “Designed for Families” section of their Google Play Store, and ad networks they employed, had actual knowledge they were targeting and marketing children’s data, in violation of COPPA, the Children’s Online Privacy Protection Act. The apps in question are owned by Tiny Lab Productions.

This court case will be significant in highlighting how apps use cookies and advertising tools to track children across the web. As explained in the decision

“Tiny Lab Productions (“Tiny Lab”), a Lithuanian company, is a developer of child-directed, mobile game apps including Fun Kid Racing, Candy Land Racing, Baby Toilet Race: Cleanup Fun, and GummyBear and Friends Speed Racing. AdMob [AdMob is owned by Google], Twitter/MoPub, InMobi/AerServ, Applovin, and ironSource (collectively, the “Ad Networks”) sold their proprietary software development kits (“SDKs”) to Tiny Lab for installation and use in its gaming apps. Id. ¶ 13. When a Tiny Lab app is downloaded onto a child’s device in New Mexico, the Ad Networks’ SDKs are also installed as app components. Id. ¶ 5. Once so embedded, while a child in New Mexico plays one of the apps, the Ad Networks’ SDK collects personal information about that child and tracks the child’s online behavior to profile the child for targeted advertising. Id. ¶¶ 43-46. This activity is invisible to the child and her parents” [emphasis added]

Think of an advertising SDK as a unique tag that identifies the user and follows him or her across the internet; an “Identifier for Advertisers” that allows advertisers to see what sites the user visits, and stays embedded on their device even after they are done using the original app.  Ad tracking tools like cookies, persistent beacons, and fingerprinting can be installed on a child’s device when they download an app or edtech platform and these are not transparent to the student, the teacher, or the parent. We know apps track us, but it is not always easy to see how or what they do with our data. 

Several parents have asked us:

  • How often do apps use children’s information for marketing purposes? 
  • Do edtech apps use ad trackers? 
  • How would you know if your child’s app is using adware or ad trackers?
  • What can parents do?

Thankfully, others including this bipartisan group of US Senators, are asking how edtech companies use children’s data.  The Federal Trade Commission (FTC), which oversees COPPA, is also asking how online platforms use children’s data. In a move led by Commissioner Christine Wilson, the FTC announced in December 2020 that it is using its 6(b) authority to investigate several big tech companies that handle children’s data. In a joint statement issued by the FTC says, “Despite their central role in our daily lives, the decisions that prominent online platforms make regarding consumers and consumer data remain shrouded in secrecy. Critical questions about business models, algorithms, and data collection and use have gone unanswered.” 

We agree with executive director of the Campaign for a Commercial-Free Childhood Josh Golin’s statement in Bloomberg News, “These 6(b) studies will provide a much-needed window into the opaque data practices that have a profound impact on young people’s well-being”.

These FTC studies come at a time when many are also calling for COPPA to be updated. Currently COPPA only covers children 12 and under and is confusingly and inconsistently applied to schools. Through advisory guidance (though not regulation), the FTC has said that schools can consent in place of parents, but only if the app is used ONLY for educational rather than marketing purposes. [You can see the joint letter we sent the FTC with 23 organizations when they threatened to weaken COPPA, and you can also read our separate PCSP comments to the FTC here.]

COPPA says that websites and online services, including apps and general audience sites that have actual knowledge they are collecting data from children under 13, must get prior parent approval before collecting, using or disclosing a child’s information. The FTC says this “includes a child’s name, address, phone number or email address; their physical whereabouts; photos, videos and audio recordings of the child, and persistent identifiers, like IP addresses, that can be used to track a child’s activities over time and across different websites and online services.” However, many agree that actual knowledge should be updated to constructive knowledge. As implied in the case of the above Google lawsuit, constructive knowledge means the company has enough information that they knew or should have reasonably known the app was directed towards children and they were allowing for the marketing of their personal data.

Why are companies allowed to use children’s data for advertising at all?  

Parents need transparency and control over how children’s data are collected and used. We believe children should be protected, not monetized or profiled by advertisers. We think that all advertising to children under the age of 18 by any app or program used in schools should be prohibited; any data gathered by these apps should be strictly used only for educational purposes.

Apple will prohibit automatic ad tracking

This idea of prohibiting ad tracking is not that novel. Last year Apple began requiring developers in its App Store to have Privacy Labels, listing which types of data the app collects and how it uses your data. Now, Apple has just announced a new transparency feature that will prevent apps from sharing your data with third parties, without opting-IN. Apple’s white paper that discusses their new policy and prevalence on embedded trackers is entitled A Day in the Life of Your Data, and is worth taking a look at.  As TechCrunch reports,

“The App Tracking Transparency feature moves from the old method where you had to opt-out of sharing your Identifier for Advertisers (IDFA) to an opt-in model. This means that every app will have to ask you up front whether it is ok for them to share your IDFA with third parties including networks or data brokers.”

“The feature’s most prominent evidence is a notification on launch of a new app that will explain what the tracker will be used for and ask you to opt-in to it. …app developers would have to ask users for permission in order to track and share their IDFA identifier for cross-property ad targeting purposes.”

This is how Apple describes the new system:

“Under Settings, users will be able to see which apps have requested permission to track, and make changes as they see fit. This requirement will roll out broadly in early spring with an upcoming release of iOS 14, iPadOS 14, and tvOS 14, and has already garnered support from privacy advocates around the world.”

Tools you can use to see trackers and block ads

There are several tools you can use to see and block trackers on your child’s device. Here are a few:   

  • Install uBlockOrigin tracker and ad blocker; it’s free and it shows you the trackers and blocks ads. We know of schools who have installed uBlockOrigin on every student Chromebook to stop ad tracking in schools.  Ask your school if they would be willing to install an ad blocker like uBlockOrigin on school issued devices. Go here to download uBlockOrigin https://github.com/gorhill/uBlock#ublock-origin or here https://ublockorigin.com/ ; either of these links will ensure you are using Origin. Read more about uBlockOrigin here. See an example (below) of the 14 trackers blocked while a student visited her College Board MyAP Classroom account.
  • MarkUp’s Blacklight lets you paste website urls into their analysis program to see what type of ads and trackers are being used. This tool gives detailed analysis and even flags trackers that evade cookie blockers.  https://themarkup.org/blacklight  See an example (below) of the different kinds of trackers found on a student’s Google Classroom account.
  • Use a web browser that blocks ads:  Brave web browser blocks ads and reportedly loads pages quicker than Chrome. Firefox also blocks ads and has many privacy and security extensions. 

Take our App Survey

In honor of World Data Privacy Day, on January 28, we launched an App Survey for parents, asking what apps your school uses and what privacy protections and transparency notifications are in place.  The response has been incredible and we encourage all parents to share and take this survey; of course your answers will remain confidential. Click here to take the survey and if you happen to install ad blockers, let us know what you find!  

uBlock and AP Classroom trackers

Blacklight and Google Classroom ad trackers

Blog

Parents of Disabled Students: Do NOT Grant College Board Unlimited Access to Your Child’s Sensitive Information

We recently received a query from a Chicago parent whose child has a disability, and was seeking an accommodation when taking a College Board test. Her child’s high school asked her to sign a SSD Accommodation Consent form allowing her school to disclose her child’s disability records, as well as any other information in the school’s custody that the College Board requests for the purpose of determining my eligibility for testing accommodations on College Board tests“.  The form also grants the “College Board permission “to discuss my disability and needs with school personnel and other professionals.” 

The Chicago parent was concerned with these overly broad permissions and crossed out portions that she disagreed with. Unfortunately for this parent, she subsequently discovered that her child’s previous high school had apparently already released confidential information to the College Board without asking for her consent.  

We wonder if this has happened to other parents. Have parents been asked to sign this form authorizing the school to release their children’s highly sensitive disability information, or worse, have their schools disclosed this personal information without obtaining parent consent?  If so, please email us at [email protected]  .

We would like all parents to know that you do NOT have to consent to the school providing College Board unlimited access to your child’s sensitive disability information for the purpose of accommodations. College Board says this is only a sample SSD consent form.

I recently emailed the College Board Services for Students with Disabilities (via their general SSD email) to ask if parents cross out the overly board permissions they don’t agree with, would the form still be valid? The College Board SSD  replied and verified that this is the current SSD Parent Consent Form, reiterated that the College Board does require schools to obtain written consent from the parent before sharing student disability data, and that schools must keep this signed form on file. However,  the College Board SSD email (erroneously) said parents cannot modify the consent form; I knew this to be incorrect because in 2018, I had previously questioned the Colorado Department of Education and College Board about the broad permissions and was told that parents could modify the form.

So, I again reached out to the Colorado Department of Education this past week and asked for their help in contacting the College Board privacy department to verify that parents can in fact modify the form. The complete response from the Colorado Department of Education and College Board can be seen here; relevant excerpts are posted below.  First, the College Board apologized for their earlier, incorrect response: 

“Thank you for sharing the inquiry you received. I apologize that the parent received some misleading information. The Accommodations Consent form shared by the parent is the standard template College Board makes available on the SSD website to all schools. As you know, in Colorado, we have developed an alternate template which is shared through trainings with SSD Coordinators…

The purpose of the consent form is to give schools a sample consent form in order to request testing accommodations on behalf of a student and share relevant information with College Board about their disability and requested accommodation(s). College Board requires schools to agree that they have a “signed consent form or equivalent signed consent on file.” Schools are instructed to keep the parent consent on file for their records. It is not submitted to College Board. Once a student is approved for an accommodation, this accommodation may be used for all College Board assessments throughout the student’s high school career.”–College Board

Then the Colorado Department of Education confirmed that parents could delete the overly broad language in the consent form:

“…if there are any parts to the form to which you do not want to provide your consent, you can cross those portions off, or you can add additional language to meet your needs.  Note that the required information needed by College Board to process any accommodations request is listed at the top of p.2 of the enclosed form. “

(See Required Data listed on page 2 of Colorado Accommodations Consent form but applicable to all requests.) 

We thank the the Colorado Department of Education for their clarification and for confirming that if a parent crosses out the overly intrusive portions (labeled A and B below), this signed consent form would still be valid; one would hope that the right to privacy afforded Colorado students with disabilities would be afforded to all disabled students. We encourage parents to ask your school and the College Board ( [email protected] ) if you can cross out this overly broad language and only provide the minimum required information for accommodations. 

2019: College Board says it changed its disability accommodation review procedures

The College Board said that it had changed its policies and now relies on schools to verify student disabilities and accommodations, according to a May 2019 Wall Street Journal article:

“The College Board said it has to balance the large number of students who really need a special accommodation against a small number who are exploiting the system.

The College Board used to do more checking, the organization said, but found that responding to special-accommodation requests was taking more than a month. The College Board said it relies on schools because they are closer to the medical professionals and teachers who know the students.”

If it is true that since 2019, the College Board is no longer checking into and reviewing accommodation requests and is instead relying on schools to verify these requests,  why are schools still asking parents to sign consent forms from 2017 which give College Board access to any information in the school’s custody? (You can see this form sent to Chicago parents, still posted on the internet, which is dated 2017 on the bottom right.)

Time to Update Consent Form.

Since the College Board confirmed this consent form is just a template and can be modified, we urge the College Board to update the template and remove the overly broad request for any information in the school’s custody and remove consent to discuss with other professionals. 

Additional concerns with how the College Board and ACT share data

We know that the testing company ACT was sued and recently had to pay a $16 million dollar settlement for allegedly disclosing student disability information to colleges. We also know the College Board has been sued for selling licenses to a range of personal student data to colleges and other companies including score ranges — though they insist that a student’s disability status is not included. The company admits sharing access to student disability data with the third parties listed at the end of the consent form.  By requiring that parents give their consent for the release of this data to these companies as well as others unspecified in the consent form, in granting this unlimited access, disabled students are singled out and discriminated against, while their non-accommodated peers do not face this medical scrutiny and do not have to provide College Board access to any other information in the school’s custody.  Concerns about sharing this sensitive information are echoed in this 2016 Education Week article,  regarding the U.S. Department of Justice Civil Rights Division scrutiny of College Board and ACT refusals to allow accommodations in college admission tests. 

Schools must also record disclosures and obtain written parent consent

Schools should never disclose student disability records or evaluations unless specifically required by the College Board and schools must obtain prior written parent consent. Per federal IDEA law part B, in addition to written consent, schools must keep a record of disclosures. They must tell a parent: what information was disclosed, the purpose of for the disclosure, to whom it was revealed, and when this occurred.

Finally, many states are now requiring students take a College Board exam as their federally-mandated high school assessment.  If so, schools must ensure that College Board adheres to specific federal privacy restrictions as specified in both FERPA and IDEA.  See this May 2018 guidance from the US Department of Education regarding privacy and College Entrance exams:

IDEA is a Federal law that protects the rights of students with disabilities…These IDEA provisions also prohibit the unauthorized disclosure and use of PII from the education records of students with disabilities, consistent with FERPA. Thus, if parent consent is required under FERPA to disclose PII from students’ education records, and if a student is covered under IDEA, parent consent would also be required under IDEA to disclose PII in education records collected, maintained, or used under Part B of the IDEA.

Please let us know if you have privacy questions about College Board or ACT admissions tests, or the optional surveys associated with these tests. Also reach out to us if your school asks you to consent to providing College Board unlimited access to any information in the school’s custody to verify your child’s disability accommodations for College Board tests.  If your school did NOT get your written consent before sharing your child’s disability information with the College Board or ACT, let us know that as well. 

In general, parents should be cautious before sharing their children’s personal and sensitive information with companies; only share what is absolutely necessary. For College Board privacy related questions, parents can email the College Board at [email protected] .  Parents can also email us at [email protected] .

 

 

Blog

NY State Student Privacy Survey

Class Size Matters, NY Allies for Public Education, and the Parent Coalition for Student Privacy would like to know which online apps or programs are being employed by schools throughout New York state, and whether they are sufficiently protective of children’s privacy. We are asking parents and teachers to take our survey here, to let us know what apps or programs your schools are using.

Since the pandemic hit, districts across New York State have purchased many commercially-produced online apps and digital programs to implement remote learning. Even before last spring, schools had been using a large number of programs, many of which collect and use personal student information. In NYC alone, more than 75 commercially available online programs have been acquired for teachers to assign to their students, and “The DOE has informed schools that for SY 2020-21, they must have a shared, inclusive and digital curriculum in all core subject areas,” according to the UFT.

Many of these digital apps collect and use personal student data in ways we do not understand. In some cases, the publicly available privacy policies of these vendors are NOT sufficiently protective and do not comply with the NY state student privacy law, Education Law 2D, which was passed in 2014.

Among other things, this law and its regulations adopted in Jan. 2020 require that every contract with a vendor with access to personal student data must have a separate Parent Bill of Rights [PBOR], which specifies how the data will be protected and how parents can access the data and challenge it if necessary.

Each of these separate Parent Bill of Rights are supposed to be posted on the district website, along with other important information, including your district’s overall data privacy protection policy, and how you can contact the district data privacy officer in charge of ensuring these protections. Links to the Education Law 2D, the regulations, and a summary of some of their most important provisions are here and below.

Please take a few minutes to fill out our online survey to let us know what online apps and/or digital programs are being used in your schools, and whether the district has provided the necessary information about the ways in which that data is being protected from breach and abuse.

Thanks!

NYS Student Privacy Regulations Summary (Final)

NYS Student Privacy Regulations Summary (Final)

In addition, the full law and regulations are available at the following links: