Prominent Ed-Tech
Players' Data-Privacy Policies Attract Scrutiny
Growing public concern about
student-data privacy is prompting fresh scrutiny of the ways technology vendors
handle children's educational information—and opening the gates for a flood of
new questions and worries from advocates and school officials.
Take
prominent ed-tech players Edmodo, Khan Academy, and Pearson.
Each
already has access to the information of tens of millions of U.S.
schoolchildren.
But
a review of each group's privacy policies by two leading experts, conducted at
the request of Education Week,
yielded concerns about the use of tracking and surveillance technologies that
allow third parties to gather information on students; questions about the
collection, use, and sharing of massive amounts of student
"metadata"; and criticism of the growing burden on students and
families, who experts maintain are being forced to navigate an ever-shifting
maze of dense vendor policies on their own.
Story Package: Student-Data Privacy
"We're
just scratching the surface with our understanding of how the education sector
is gathering and looking to monetize student information," said Joel R. Reidenberg,
a law professor at Fordham University, in New York, and Princeton University.
"We as a society need to have a very clear discussion about how we want to
protect the privacy of our children in this environment."
Education
Week
selected the three online education service providers whose privacy policies
were reviewed by Mr. Reidenberg and Khaliah Barnes, a lawyer
for the Electronic Privacy Information Center, or EPIC, a Washington-based
advocacy group. Each provider was chosen for its size and popularity with K-12
students and teachers. Each of the three organizations also offers a type of
digital product or service that is used by the vast majority of school
districts in the United States.
Responding
to Criticism
The
concerns raised extend far beyond the direct serving of advertisements to
students, which Mr. Reidenberg described as "just one piece of the commercialization
of children."
Khan Academy, which provides
open instructional resources to 10 million unique users per month, came under
the sharpest criticism. Ms. Barnes, for example, said the Mountain View,
Calif.-based nonprofit's privacy policy
allows for "almost limitless" sharing of student information with
third parties. Khan Academy officials disputed that contention as not
reflective of their organization's mission or actual practices and said their
organization is "adamantly opposed to the idea of commercializing student
information, particularly through third parties."
Pearson's
PowerSchool
student information system, which currently contains data on roughly 13 million
students in K-12 schools in the United States, raised the fewest concerns, in
large part because students do not interact directly with the product.
Officials
from Edmodo, meanwhile, vigorously
defended the company from the experts' questions about its use of
"cookies," relationships with third-party partners, and handling of
the metadata generated by students as they use the company's "social
learning platform," which currently has more than 33 million users,
including children and teachers in more than 100,000 schools.
"The
bottom line is that Edmodo is not going to use anyone's information in ways
they don't know about," said Aden Fine, the general counsel and chief privacy
officer for the Mateo, Calif.-based company, founded in 2008 to provide a safe
educational alternative to consumer social media platforms, such as Facebook.
The
back-and-forth is part of the growing public debate surrounding the rapid
growth in the use of educational data, hailed by proponents as the key to
building more-personalized learning opportunities for students.
More
than 80 student-data-privacy bills have been considered in 32 states this year
alone, according to the Data
Quality Campaign, a nonprofit based in Washington. Advocacy
organizations, industry
groups, and professional
associations have also in recent months initiated new campaigns and
released guidelines and toolkits on the topic. In February, the federal
government issued
guidance intended to help schools and districts interpret and apply
federal privacy laws, and U.S. Secretary of Education Arne Duncan has publicly
supported the principle that student data should not be used for
commercial purposes.
But
many are concerned that the horse is already out of the barn.
Last
month, for example, Education Week reported on concerns about
online-services giant Google, which acknowledged as part of an ongoing federal
lawsuit that student emails sent and received using the popular Apps for
Education tool suite are "scanned and indexed" for purposes that
remain murky. The product, provided for free to thousands of schools and
universities, already has 30 million users.
"In
the education space, privacy has unfortunately been an afterthought," Ms.
Barnes said.
Creating a Dialogue
Advocates
and industry representatives agree that in an age where the methods used to
collect, analyze, and share digital data are highly sophisticated and constantly
evolving, companies' publicly posted privacy policies are critical to better
informing parents.
But
the policies themselves are often confusing, even to experts.
That
complexity is creating big challenges for the nascent
efforts to develop industry-wide standards to guide the creation,
implementation, and enforcement of such policies.
Related Blog
Just
last month, for example, the 210,000-student Houston Independent School
District unveiled a new
system for rating the security and privacy practices of its software
vendors. Of the five providers initially evaluated, the most highly rated was
Edmodo—the same company that came under question by the experts consulted by Education
Week.
Lenny
Schad, the Houston district's chief technology officer who is spearheading the
new rating system, did not disagree with the more critical take on the company
provided by the experts consulted by Education Week, saying his
district's efforts are in an "early stage." Mr. Schad said the most
important development is that people are finally starting to pay attention to
what companies are doing with students' information.
"This
is exactly what we want to start happening," he said. "Now there is a
dialogue between the user side and the software side."
•
Mateo, Calif.
• Social learning platform/learning management system
• 33 million registered users
• Social learning platform/learning management system
• 33 million registered users
Mr.
Reidenberg saw several positive signs from Edmodo, including a recent move to
make encryption of student information a default, rather than an optional,
policy, and a clear disclosure of the active role parents and guardians can
play in monitoring student accounts.
Edmodo
also recently received a thumbs-up from the Houston Independent School
District, which is initiating an effort to rate the privacy and security
practices of software vendors doing business with its schools.
"We
don't rent or sell anyone's personal information to anyone, period," said
Aden Fine, the company's general counsel and chief privacy officer, in an
interview.
But
Mr. Reidenberg and Ms. Barnes questioned what Edmodo's privacy policy has to
say about how the company collects, uses, and shares the "metadata"
generated by students as they use the platform, which can include server-log
data, users' Internet Protocol addresses, clickstream data, and more. Such
information has not traditionally been considered as "personally
identifiable" as name, date of birth, or email address, but most
computer-science experts contend those types of metadata can now easily be tied
to individual users, even without a name.
Even
after several readings of Edmodo's policy, Mr. Reidenberg said, he remained
unsure exactly how different types of student information are categorized and
protected by the company.
Both
experts also raised questions about Edmodo's use of its own "cookies"
(small data files that track users' website activity) and those of the third
parties with which the company partners.
Mr.
Fine, Edmodo's chief privacy officer, acknowledged the general concerns in the
ed-tech field about the handling of student metadata, but said his company's
privacy policy explicitly states that such information is protected, and he
stressed that Edmodo does not collect geo-location data on its users. He also
said that users' metadata is only combined with their personal information for
internal Edmodo use, and that the company would only share with third parties
aggregate metadata that it does not consider to be personally identifiable.
And
while Mr. Fine acknowledged that Edmodo's privacy policy states that the use of
cookies by third parties is not covered by the policy, he also pointed
Education Week to another section of that policy, as well as a separate
publisher's agreement, which indicate that those partners are prohibited from
collecting or using any information beyond what Edmodo is permitted to collect.
"Privacy
policies are never perfect," Mr. Fine said. "It's important that
users read them, and that companies answer questions about them if they're not
clear enough. Edmodo does that."
•
Mountain View, Calif.
• Open education resources
• 10 million unique users per month
• Open education resources
• 10 million unique users per month
Both
the experts consulted by Education Week blasted the privacy policy of
Khan Academy, a nonprofit organization that has made a big push to expand its
reach in recent months via new partnerships and new math resources tied to the
contentious Common Core State Standards.
"They
are essentially enabling third parties to gather unlimited information about
users and disclaiming any responsibility for that," Mr. Reidenberg said of
the organization.
Ms.
Barnes pointed to Khan Academy's integrations with Facebook and
Google—"businesses that are founded on the idea of commercializing
information"—and liberal approach to granting third-party advertisers and
app developers access to student information as particularly problematic.
Worse, she said, the organization explicitly says that its privacy policy
"does not apply to, and we cannot control the activities of" those
third-party partners.
Plus,
Khan Academy users who want to know how their information will be utilized are
advised to review the privacy policies of all the third parties with whom the
organization partners—none of whom are identified by name, and most of whom
likely reserve the right to change their policies at any time, with limited or
no notice, she said.
Khan
Academy officials declined to be interviewed on the record about such concerns,
instead issuing a statement to Education Week via email.
Users
can and do access the Khan Academy site anonymously, a spokeswoman wrote. The
organization's origins, which include using YouTube as a platform for
distributing free instructional videos to users, account for some of the
language in the privacy policy, she wrote, but "we do not provide
[YouTube] with broad access to student information, and we turn off all
advertising on our videos on YouTube."
The
spokeswoman also wrote that Khan Academy is "adamantly opposed to the idea
of commercializing student information, particularly through third
parties" and that explicit consent beyond user registration has been
procured in instances where students' user information has been shared with
third parties.
Mr.
Reidenberg said the latter claim is "directly contradicted" by the
terms of Khan Academy's own privacy policy, which clearly indicates that
advertisers may use tracking and surveillance technologies that
"automatically route user information to the third party."
On
the positive side, Mr. Reidenberg and Ms. Barnes praised Khan Academy for the
detail in its privacy policy, as well as the data-security practices it
describes.
•
London and New York City
• Student information system
• 13.5 million students
• Student information system
• 13.5 million students
Among
the numerous products and services offered to K-12 schools by publishing giant
Pearson is the PowerSchool student information system, currently used by about
4,500 school districts, according to Bryan McDonald, the managing director of
the company's school systems group.
While
the system contains thousands of pieces of data--everything from academic
performance to disciplinary and health records to course rosters--on millions
of U.S. school children, the privacy and security issues surrounding
PowerSchool are somewhat different than for products with interfaces that are
accessible to students, Mr. McDonald said.
"One
fundamental difference is that we don't have any right at all to the
data," he said.
Furthermore,
in many cases, Pearson does not even store the student data itself: About half
of PowerSchool users, covering about 9 million students, host the data on their
own servers.
And
the security and privacy of the data stored in PowerSchool is governed not by
the company's privacy policy, Mr. McDonald said, but by a combination of
contracts with clients (usually districts or states) and those entities' own
privacy policies.
As
a result, Ms. Barnes and Mr. Reidenberg spoke primarily in generalities about
potential areas of concern related to PowerSchool, saying parents and educators
should be mindful of both how the company safeguards data and should scrutinize
the various contracts that govern its individual relationships with districts
and states.
"There
are universal issues [in the education arena] involving data security, and from
an administrative perspective, there are always issues about how other entities
can gain access to student information," Ms. Barnes said.
One
of Pearson's highest-profile PowerSchool clients, the North Carolina Department
of Public Instruction, offers a window into those concerns.
The
department has spent much of this school year dealing with an extensive series
of implementation problems associated with its quick rollout of PowerSchool
across the state's 115 school districts and 253 charter and special schools.
But
Philip Price, the chief financial officer for the department, said security
concerns have been limited to a few hours last fall, when the system was
briefly shut down after being hit with a distributed denial of service attack
by hackers.
The
student data contained in PowerSchool, Mr. Price said, "is totally ours,
not Pearson's."
And
third-party access to that information, Mr. Price said, can only occur when local
districts have authorized those other vendors to access student data and
specified exactly what data should be shared.
Mr.
McDonald of Pearson said the company has upgraded its technical processes for
enabling such sharing of data and now uses an application programming
interface, or API, to make third-party integrations "more efficient and
seamless." The new technology is far more secure than the old practice of
"putting data on a floppy disk or attaching it to an email," he maintained.
Mr.
Reidenberg also urged skepticism of claims about high-tech security practices
from ed-tech vendors.
"Every
adult American has likely had his or her financial information stolen in the
last three years from banks, credit card companies, and retailers that have
spent millions of dollars on data security," he said. "Does Pearson
really think it's doing a better job than the entire financial-services
industry?"
No comments:
Post a Comment