Tag Archives: privacy

Parents of Disabled Students: Do NOT Grant College Board Unlimited Access to Your Child’s Sensitive Information

We recently received a query from a Chicago parent whose child has a disability, and was seeking an accommodation when taking a College Board test. Her child’s high school asked her to sign a SSD Accommodation Consent form allowing her school to disclose her child’s disability records, as well as any other information in the school’s custody that the College Board requests for the purpose of determining my eligibility for testing accommodations on College Board tests“.  The form also grants the “College Board permission “to discuss my disability and needs with school personnel and other professionals.” 

The Chicago parent was concerned with these overly broad permissions and crossed out portions that she disagreed with. Unfortunately for this parent, she subsequently discovered that her child’s previous high school had apparently already released confidential information to the College Board without asking for her consent.  

We wonder if this has happened to other parents. Have parents been asked to sign this form authorizing the school to release their children’s highly sensitive disability information, or worse, have their schools disclosed this personal information without obtaining parent consent?  If so, please email us at info@studentprivacymatters.org  .

We would like all parents to know that you do NOT have to consent to the school providing College Board unlimited access to your child’s sensitive disability information for the purpose of accommodations. College Board says this is only a sample SSD consent form.

I recently emailed the College Board Services for Students with Disabilities (via their general SSD email) to ask if parents cross out the overly board permissions they don’t agree with, would the form still be valid? The College Board SSD  replied and verified that this is the current SSD Parent Consent Form, reiterated that the College Board does require schools to obtain written consent from the parent before sharing student disability data, and that schools must keep this signed form on file. However,  the College Board SSD email (erroneously) said parents cannot modify the consent form; I knew this to be incorrect because in 2018, I had previously questioned the Colorado Department of Education and College Board about the broad permissions and was told that parents could modify the form.

So, I again reached out to the Colorado Department of Education this past week and asked for their help in contacting the College Board privacy department to verify that parents can in fact modify the form. The complete response from the Colorado Department of Education and College Board can be seen here; relevant excerpts are posted below.  First, the College Board apologized for their earlier, incorrect response: 

“Thank you for sharing the inquiry you received. I apologize that the parent received some misleading information. The Accommodations Consent form shared by the parent is the standard template College Board makes available on the SSD website to all schools. As you know, in Colorado, we have developed an alternate template which is shared through trainings with SSD Coordinators…

The purpose of the consent form is to give schools a sample consent form in order to request testing accommodations on behalf of a student and share relevant information with College Board about their disability and requested accommodation(s). College Board requires schools to agree that they have a “signed consent form or equivalent signed consent on file.” Schools are instructed to keep the parent consent on file for their records. It is not submitted to College Board. Once a student is approved for an accommodation, this accommodation may be used for all College Board assessments throughout the student’s high school career.”–College Board

Then the Colorado Department of Education confirmed that parents could delete the overly broad language in the consent form:

“…if there are any parts to the form to which you do not want to provide your consent, you can cross those portions off, or you can add additional language to meet your needs.  Note that the required information needed by College Board to process any accommodations request is listed at the top of p.2 of the enclosed form. “

(See Required Data listed on page 2 of Colorado Accommodations Consent form but applicable to all requests.) 

We thank the the Colorado Department of Education for their clarification and for confirming that if a parent crosses out the overly intrusive portions (labeled A and B below), this signed consent form would still be valid; one would hope that the right to privacy afforded Colorado students with disabilities would be afforded to all disabled students. We encourage parents to ask your school and the College Board ( privacy@collegeboard.org ) if you can cross out this overly broad language and only provide the minimum required information for accommodations. 

2019: College Board says it changed its disability accommodation review procedures

The College Board said that it had changed its policies and now relies on schools to verify student disabilities and accommodations, according to a May 2019 Wall Street Journal article:

“The College Board said it has to balance the large number of students who really need a special accommodation against a small number who are exploiting the system.

The College Board used to do more checking, the organization said, but found that responding to special-accommodation requests was taking more than a month. The College Board said it relies on schools because they are closer to the medical professionals and teachers who know the students.”

If it is true that since 2019, the College Board is no longer checking into and reviewing accommodation requests and is instead relying on schools to verify these requests,  why are schools still asking parents to sign consent forms from 2017 which give College Board access to any information in the school’s custody? (You can see this form sent to Chicago parents, still posted on the internet, which is dated 2017 on the bottom right.)

Time to Update Consent Form.

Since the College Board confirmed this consent form is just a template and can be modified, we urge the College Board to update the template and remove the overly broad request for any information in the school’s custody and remove consent to discuss with other professionals. 

Additional concerns with how the College Board and ACT share data

We know that the testing company ACT was sued and recently had to pay a $16 million dollar settlement for allegedly disclosing student disability information to colleges. We also know the College Board has been sued for selling licenses to a range of personal student data to colleges and other companies including score ranges — though they insist that a student’s disability status is not included. The company admits sharing access to student disability data with the third parties listed at the end of the consent form.  By requiring that parents give their consent for the release of this data to these companies as well as others unspecified in the consent form, in granting this unlimited access, disabled students are singled out and discriminated against, while their non-accommodated peers do not face this medical scrutiny and do not have to provide College Board access to any other information in the school’s custody.  Concerns about sharing this sensitive information are echoed in this 2016 Education Week article,  regarding the U.S. Department of Justice Civil Rights Division scrutiny of College Board and ACT refusals to allow accommodations in college admission tests. 

Schools must also record disclosures and obtain written parent consent

Schools should never disclose student disability records or evaluations unless specifically required by the College Board and schools must obtain prior written parent consent. Per federal IDEA law part B, in addition to written consent, schools must keep a record of disclosures. They must tell a parent: what information was disclosed, the purpose of for the disclosure, to whom it was revealed, and when this occurred.

Finally, many states are now requiring students take a College Board exam as their federally-mandated high school assessment.  If so, schools must ensure that College Board adheres to specific federal privacy restrictions as specified in both FERPA and IDEA.  See this May 2018 guidance from the US Department of Education regarding privacy and College Entrance exams:

IDEA is a Federal law that protects the rights of students with disabilities…These IDEA provisions also prohibit the unauthorized disclosure and use of PII from the education records of students with disabilities, consistent with FERPA. Thus, if parent consent is required under FERPA to disclose PII from students’ education records, and if a student is covered under IDEA, parent consent would also be required under IDEA to disclose PII in education records collected, maintained, or used under Part B of the IDEA.

Please let us know if you have privacy questions about College Board or ACT admissions tests, or the optional surveys associated with these tests. Also reach out to us if your school asks you to consent to providing College Board unlimited access to any information in the school’s custody to verify your child’s disability accommodations for College Board tests.  If your school did NOT get your written consent before sharing your child’s disability information with the College Board or ACT, let us know that as well. 

In general, parents should be cautious before sharing their children’s personal and sensitive information with companies; only share what is absolutely necessary. For College Board privacy related questions, parents can email the College Board at privacy@collegeboard.org .  Parents can also email us at info@studentprivacymatters.org .

 

 

NY State Student Privacy Survey

Class Size Matters, NY Allies for Public Education, and the Parent Coalition for Student Privacy would like to know which online apps or programs are being employed by schools throughout New York state, and whether they are sufficiently protective of children’s privacy. We are asking parents and teachers to take our survey here, to let us know what apps or programs your schools are using.

Since the pandemic hit, districts across New York State have purchased many commercially-produced online apps and digital programs to implement remote learning. Even before last spring, schools had been using a large number of programs, many of which collect and use personal student information. In NYC alone, more than 75 commercially available online programs have been acquired for teachers to assign to their students, and “The DOE has informed schools that for SY 2020-21, they must have a shared, inclusive and digital curriculum in all core subject areas,” according to the UFT.

Many of these digital apps collect and use personal student data in ways we do not understand. In some cases, the publicly available privacy policies of these vendors are NOT sufficiently protective and do not comply with the NY state student privacy law, Education Law 2D, which was passed in 2014.

Among other things, this law and its regulations adopted in Jan. 2020 require that every contract with a vendor with access to personal student data must have a separate Parent Bill of Rights [PBOR], which specifies how the data will be protected and how parents can access the data and challenge it if necessary.

Each of these separate Parent Bill of Rights are supposed to be posted on the district website, along with other important information, including your district’s overall data privacy protection policy, and how you can contact the district data privacy officer in charge of ensuring these protections. Links to the Education Law 2D, the regulations, and a summary of some of their most important provisions are here and below.

Please take a few minutes to fill out our online survey to let us know what online apps and/or digital programs are being used in your schools, and whether the district has provided the necessary information about the ways in which that data is being protected from breach and abuse.

Thanks!

NYS Student Privacy Regulations Summary (Final)

NYS Student Privacy Regulations Summary (Final)

In addition, the full law and regulations are available at the following links:

What you need to know about Zoom for Education

Zoom for Education has been adopted by thousands of schools nationwide. Zoom began marketing to K-12 schools in November 2019, prior to the  Covid pandemic.  Zoom also created a website specific for education:  https://zoom.us/education.  Zoom has referred to its education platform as a Zoom for K-12 service  but apparently rather than face data privacy and transparency requirements for contracted school service providers in Colorado law,  Zoom NOW claims they are not a school serviceMore on this below, but first we’ll focus on Zoom’s third party data sharing and cookies.

When you visit the Zoom for Education webpage, you will see a pop-up box asking if you want to opt-out of third parties using your information–DON’T IGNORE THIS WHEN YOU SEE IT; this alert doesn’t appear every time you visit the page.   Every parent and school district, education official should click More Info and review the cookies on the Zoom for Education website.    WHY?  Because Zoom allows third parties to access student data. In fact, prior to July 2020 and  Zoom’s most recent update to its K-12 privacy policy, Zoom apparently allowed third-party advertising cookies on its Zoom for Education platformCommon Sense Media actually warned about Zoom’s third party  targeted advertising in April 16, 2020.  Common Sense stated,

“…there are still privacy issue areas where Zoom falls short, including its limited, but still targeted, use of advertising and third-party tracking that may affect students in K–12. (Ads don’t appear on Zoom itself but on other sites kids visit after using it.) “

Similarly, this March 17, 2020  New York Times  article entitled  We Live in Zoom Now,  also warned about Zoom’s use of student data for advertising, quoting Jules Polenetsky, CEO of the Future of Privacy Forum, as saying,

“The standard Zoom privacy policy allows data to be shared for targeted advertising,” Mr. Polonetsky wrote in an email interview. And some of the company’s standard terms are not consistent with the Family Educational Rights and Privacy Act, or FERPA, “in addition to many of the 130+ state student privacy laws passed since 2014”

Interestingly, the next day after this NYT article,  Zoom updated its K-12 privacy policy on March 18, 2020. This March 2020 version stated that,

We only collect students’ Personal Information to provide the Zoom for K-12 service to the School Subscriber, not for marketing or advertising, and, with the limited exception of our service providers, we do not share Personal Information about K-12 students with other parties”

“… Zoom and/or our third-party service providers also automatically collect some information using methods such as cookies. Information automatically collected may include Internet protocol (IP) addresses, browser type, Internet service provider (ISP), operating system, and date/time stamp. We use this information to provide and support the Zoom for K-12 services. We do not use this information to deliver advertising or for any other purpose not related to the delivery and support of the services.”  

On April 9, 2020, Zoom again changed their K-12 privacy policy to this version, which made a few changes but kept the same quoted language above, stating that Zoom does not collect student pii for marketing or advertising.

However, Zoom changed its K-12 privacy policy AGAIN  to this July 2020 version.  This July version made substantial changes.

Students under 16 CANNOT create Zoom accounts.

The July 2020 K-12 Privacy Policy states:

“Student Users are not permitted to create K-12 Accounts but may use the Services when invited to join a meeting hosted by a K-12 Account User.  Although Zoom prohibits children and teens under the age of 16 from creating a Zoom account (and employs an online age screen to support this restriction), Student Users, even if under the age of 13, may join a meeting hosted by a K-12 Account User. School Subscribers are responsible for obtaining any parental consent necessary for use of the Services under their K-12 Accounts by Student Users, including children under the age 13.”

Hopefully K-12 schools, parents, and students are aware of this clear wording and will take heed.  Apparently in their rush to virtual learning during the Covid 19 Spring shut down,  some K-12 schools required students to download the Zoom App and create their own Zoom account- using their school email- in an effort to decrease Zoombombing.  As EdSurge reported in March of 2020, “Students should never be making an account in Zoom,”  “That’s where it can get districts into trouble.” 

No more advertising or analytics.

Another change in the July 2020 K-12 privacy policy “There are no third-party advertising or analytics cookies on Zoom’s product pages.”   That is a big change; how do we know Zoom is honoring this and what about all the months prior when advertising cookies were apparently opted-in on Zoom’s K-12 product pages?  (What’s a “product page” and is the Zoom K-12 privacy policy page a product or marketing page? See our analysis and trackers found, here.)

When you click on the More Info link on the pop-up notice, Zoom for Education now automatically opts-out advertising cookies but that was not the case previously, as you can see from this April 2020 screen capture that shows ads were opted-in.

And here is a list of the Advertising Cookies on the Zoom for Education page that apparently prior to July 2020 were automatically opted-in, ( we underlined in red), and allowed  cookies “to serve ads relevant to your interests” unless the user clicked the opt-out box.

Why all the changes to the K-12 privacy policy?

Zoom for Education has changed its privacy policy several times, which itself raises serious concerns. Here are some of the privacy and security “mistakes” and concerns with Zoom that have already been reported.  One such concern related to the fact that while Zoom’s K-12 privacy policy originally claimed that student data was not used for advertising and student data was only used for educational purposes, the automatic opt-in to advertising cookies implied the opposite.  Was sharing student information with Facebook and LinkedIn, or Twitter, Yahoo, Walmart, Microsoft Advertising, Nielsen Marketing, Google DoubleClick ads really an educational purpose?

Here are a few privacy and security Zoom issues in the news:

  • Zoom falsely claiming data is end to end encrypted, Verge link 
  • Zoom sharing user data with Facebook, link
  • Zoom sharing  user data  with LinkedIn, link 
  • Zoombombing  and FBI warning, link
  • Zoom routing data (with encryption keys) through China, link
  • Over 500,000 Zoom accounts being sold on the dark web, link
  • Zoom’s security issues were exposed over 2 years ago by Dropbox, this is not a new problem, link
  • Class action lawsuit for unlawful eavesdropping, link
  • NY, CT, FL Attorneys General investigate Zoom security practices
    • NY resolved Zoom investigation: NY created this master agreement where Zoom must adhere to certain security requirements but agreement does not require Zoom to get consent or inform parents of when third parties access their children’s data, does not prohibit re-disclosure of data. The agreement does not address use of artificial intelligence, facial recognition, nor is Zoom required to tell parents how student data are analyzed or profiled.
  • Maryland parents concerned about privacy, security of student data collected by Google and Zoom for Education, link 
  • Colorado Attorney General investigates Zoom for Education, link
  • The Electronic Privacy Information Center (EPIC) filed a complaint with the FTC against Zoom in July 2019. “Zoom intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user’s web camera without the knowledge or consent of the user.”  link

So, is Zoom “safe” now?

Common Sense Media recently wrote this July 14, 2020 piece, Privacy Risks of the Top 5 Distance Learning Apps, which evaluated privacy features of Zoom, Apple Facetime,  Microsoft Teams, Google Hangouts, and Cisco Webex.

Common Sense gave Zoom the highest overall privacy rating.

In looking at Common Sense Media’s Privacy Evaluation of  Zoom for Education,  you can see they say that Zoom is clearly being marketed as a School Purpose and intended for students,  “primarily used by, designed for, and marketed toward students in grades preK–12.”

Common Sense Media gave Zoom for Education a high rating for privacy even though  they admit to the following uncertainties:

  • User information can be transferred to a third party.
  • Unclear whether users are notified if their information is transferred to a third party.
  • Unclear whether user information can be deleted prior to its transfer to a third party
  • Unclear whether the vendor describes their deidentification process of user information.
  • Unclear whether data are shared for research and/or product improvement.
  • Unclear whether contractual limits prohibit third parties from reidentifying deidentified information.

And when they ask if there are advertisements or tracking, they say:

  • Traditional or contextual advertisements are displayed.
  • The vendor can send marketing messages.
  • The vendor does provide promotional sweepstakes, contests, or surveys.
  • Users can opt out of traditional, contextual, or behavioral advertising.  [should be opt-in for student advertising]
  • Users can opt out or unsubscribe from marketing communications.   [should be opt-in for student advertising]

What about the other Cookies and Trackers still on the Zoom for Education page?

Remember when on the Zoom for Education webpage, you will see a pop up box asking if you want to opt out of third parties using your information–we said DON’T IGNORE THIS WHEN YOU SEE IT.   These are the cookie settings you see today when you click  More Info and Advanced Settings, and View Cookies. 

Notice  (orange arrows added) that Functional Cookies are still automatically Opted-In and include third parties like Twitter and Vimeo, New Relic, Salesloft, Milward Brown Digital, Pardot, and PayPal

Google (Google ads?) and Zoom cookies are required.

Clicking on Google Inc you see:  “Google operates Google Ads, Display & Video 360, and Google Ad Manager. These services allow advertisers to plan, execute and analyze marketing programs with greater ease and efficiency, while enabling publishers to maximize their returns from online advertising. Note that you may see cookies placed by Google for advertising, including the opt out cookie, under the Google.com or  DoubleClick.net domains.  For more information, see https://policies.google.com/technologies/ads ”

Clicking on Zoom you see:  “api.zoom.us, blog.zoom.us, connectnz.zoom.us, facebook.zoom.us, google.zoom.us, imauth.zoom.us, investors.zoom.us, launcher.zoom.us, log.zoom.us, recurly-callout.zoom.us, support.zoom.us, www3.zoom.us, www.zoom.us, zoom.us, zuora-callout.zoom.us”

Functional Cookies automatically opted-in

If these screen captures above are too small for you to see, or too buried for you to find, here’s a quick little video of Zoom’s required and automatically opted-in cookies.

Final Notes

The Common Sense privacy evaluation does not mention that, as of March 31, 2020, Zoom is also a Common Sense partner in the Wide Open School initiative, as is Apple and Google.  Bill and Melinda Gates and Google also fund the initiative (no mention of Zoom funding).   As one commenter on Common Sense’s Ultimate Guide to Zoom stated, “This is a great article and covers some primary questions I have as a parent. Yet I can’t help wondering if this is a promoted post from Zoom!”  I tend to agree.  Better to be transparent and disclose any funding or endorsement or partnership when evaluating a product.

Also, the Wide Open School initiative, which is curated by Common Sense, is meant to encourage schools and parents to implement specific edtech programs during the COVID shift to remote learning. They make the following fine-print disclaimer:

A note on privacy

“While we have tried to favor sites that don’t require login, some do require registration. The provided resources include links to external websites or applications that are governed by their own privacy policies or information-collection practices, which may be substantially different from those of Common Sense. We encourage you to review the privacy policies and information-collection practices of any external websites and apps before using them with children. Many organizations have stepped up and made their resources free for kids during this critical time.”

In other words, you as an educator or a parent are on your own in trying to decipher whether the privacy protections for a specific program are strong, weak or non-existent.  It would be great if Common Sense, who does edtech privacy evaluations on a separate website,  would provide a privacy analysis  of each tool, or at least highlight the specific partners who have “privacy policies or information-collection practices, which may be substantially different from those of Common Sense“.  This would help guide the decisions of educators and parents about each of these partner tools Wide Open School is promoting.

Is Zoom for Education a K-12 School Service?

Colorado has a state law that requires contracted edtech (school service providers) to be transparent about the data elements they collect, how the data are used and to list every subcontractor who has access to the data.  Zoom doesn’t think they need to comply with this transparency law because they claim, “Zoom is not a School Service and is exempt from the requirements of the law.” The Colorado Attorney General’s privacy office is investigating whether Zoom threatens student privacy; let’s hope the Attorney General enforces Colorado law and requires Zoom to be transparent about how they and their subcontractors and third party apps (with SDKs) use student data now… and since March 2020.

It sure seems like Zoom is a school service:

  • with a dedicated K-12 Zoom for Education webpage,
  • separate Zoom K-12 privacy policy,
  • Zoom white papers, blogs and tutorials for K-12 teachers and students,
  • Common Sense gave Zoom high ranks for clearly being labeled as serving a school purpose, “primarily used by, designed for, and marketed toward students in grades preK–12.”
  • Zoom is a Wide Open School preK-12 online education resource and partner,
  • schools are requiring students to use Zoom remotely and recording video sessions and transcripts, students are answering school related questions, turning in school work (These are education records under FERPA.),
  • Zoom actually described itself as a “K-12 service” in its prior K-12 privacy policies
  • For purposes of FERPA,  Zoom is considered a “school official”

Zoom is being used as a service in thousands of schools nationwide.

It’s difficult to know if  Zoom is a threat to student privacy since Zoom keeps changing its privacy policies and cookie tracking practices, and Zoom won’t answer transparency questions about how data elements are used and shared.

What  (little things) you can do to protect your student on Zoom.

In March 2020 we wrote this piece advising parents and educators to seek alternatives to screen time, get outdoors, cover your camera when possible. If your school requires your student to use Zoom, ask your school if your student can keep their camera off. We would add to turn off (opt-out) of  non-essential cookies when possible.  If using your home computer or device, you can install free plug-ins like EFF’s privacy badger,  Lightbeam, Ghostery, UBlock that will also alert you or block third party trackers. You can also use a web browser like Brave or Firefox that will block ads and spyware.

Honestly, as a mom, I think I speak for most parents when I say that Zoom for Education (and all the virtual learning companies) should be required to tell parents how their children’s voice and video and data are used, and should be required to let parents know who else has access to our kids’ information. These companies should not be allowed to exploit students for marketing and advertising.  This pandemic is tough enough, the last thing parents need is worrying about a company profiling their student.  Parents and teachers are just trying to survive and teach our kids.