Are Schools Putting Your Child's Information at Risk?
Kids' heads may be in the clouds. But so is their data.
It is fast becoming the norm for public school districts to hire private online data companies to manage huge volumes of sensitive student information -- everything from birthdates and home addresses to homework records and medical histories. The use of remote servers to store and process data, known as cloud computing, for information about school children has parents and children's advocates sounding alarms about student data privacy.
"A child's personal information should be protected at least as strongly as any financial information that a parent has, if not more," said Leonie Haimson, executive director for Class Size Matters, an organization that advocates for smaller classes and related issues. "And right now that doesn't seem to be the case."
Haimson's concerns, together with those of many others in New York State, were strong enough to shut down inBloom Inc., a cloud computing company created to house and manage the personal information of students around the country. Advocates worried that there was no guarantee the information would be safe from commercial marketing or data breaches.
Without sufficient security measures and collection regulations, cloud computing could put sensitive student information at risk for unwanted marketing uses and public disclosure, and may put children at a higher risk of fraud, Haimson said.
In a farewell message posted online, inBloom CEO Iwan Streichenberger said critics misunderstood the company, which had "world-class security and privacy protections."
Along with the shutdown of inBloom, Florida and New York have passed groundbreaking student information privacy laws, and Google Apps has revised its privacy policy.
At the federal government level, a working group called Big Data and Privacy presented recommendations for action to President Barack Obama on May 1. It's requesting increased data security and collection transparency to protect students who could be inadvertently affected by the cloud computing resources used by school districts all over the United States.
A Rush to the Cloud
Until the last decade, schools primarily managed their own data, using whatever in-house methods they saw fit: paper files, private servers or software programs. Today, schools are quickly moving a trove of student information to the cloud.
A 2013 study by CDW found 42% of K-12 schools had implemented or maintained cloud computing in 2012, up from 27% in 2011.
Research released in December 2013 by Fordham Law School's Center on Law and Information Policy found that of 20 schools that complied with its request for detailed information, a full 95% rely on cloud services for some sort of data storage or program function.
Despite the rush to the cloud, the authors of the Fordham study concluded cloud services are "poorly understood, nontransparent and weakly governed" and districts frequently surrender control of student data, with little parental notice.
Small Kids, Big Data
The type of data collected for cloud services is just as overarching, including everything from student educational records, to personal identifying information such as names and birthdates, to detailed disciplinary records.
InBloom, for example, was set up to collect almost 400 data points from the nearly 2.7 million children within New York State's 700 public school districts, according to Carl Korn, a spokesman for New York State United Teachers.
"They were going to collect things like disciplinary records, parental income, grades and more," he said. "Basically they would have information about every little thing that would happen to a student from the time they enter school as a 5-year-old to the time they leave school as an 18-year-old. And all of this sensitive data would be stored in one place."
Combined with cloud services, all of this accumulated data could be used for a number of school services, including standardized test score reporting or school website hosting for email and online homework programs. By storing all the information in one place, schools are streamlining the operation of those tools.
But some people are questioning whether the ends justify those means. "I would challenge the assertion that vendors need to collect quite so much data," Korn said. "For example, New York schools already have services in place to gather the information they needed to run their programs, so what inBloom was trying to offer was duplicative and not as explicitly safe."
Biometric data
Until recently, some public school districts in Florida were collecting even more detailed data sets from students by scanning their palms to identify them and allow them to do things such as buy lunches and check out library books, according to Florida State Sen. Dorothy Hukill. She sponsored a bill that, when it was signed into law in May, became the first in the nation to ban the collection of student biometric information.
Many parents don't know just how much data is being collected, Hukill said. "Lots of people didn't even know it was happening," she said. "And even around the country, it's not like this is something schools are releasing or putting on their websites."
Fordham's study found that only 25% of the surveyed districts using cloud-based services informed parents about the use of such third-party services. Many of the service contracts also did not address parental consent or access to information collected for the designated cloud services.
Existing federal law provides only broad protection. The Family Educational Rights and Privacy Act, for example, lets parents approve or deny the release of their child's information and outlines their information management rights regarding their child's personal data and academic records. FERPA, signed into law in 1974 by President Gerald Ford, did not envision cloud data storage.
A fear of the unknown
In addition to the absence of clear federal regulations, Fordham researchers found that a majority of the service partnerships between cloud service companies and public schools lack sufficient oversight, specifically regarding what happens to data after a third-party company receives it.
In fact, districts that use cloud computing may be surrendering control of their students' information by entering into service contracts. Less than 25% of the contracts studied by Fordham specified the purposes for sharing student information and less than 7% restricted the sale or marketing of shared information by vendors. Many agreements allow vendors to change the terms without notice.
Breach worries
Hacking is another major concern. Lisa Schifferle, a privacy and identity attorney with the Federal Trade Commission, says there is legitimate cause for worry, even though there haven't been any data breaches impacting cloud-based school information storage systems so far.
"People know if they hack into them they can get several schools' information instead of what they would get if they just went after a single institution," she said. "They are more of a target because you can get more."
It's hard to know for sure what would happen if masses of student data got into the wrong hands, but it's not worth waiting to find out, according to Hukill. Children are already at a high risk of becoming victims of identity theft.
"For instance, let's say that biometric information was breached," she said. "If it was a credit card, hopefully you find out really quickly and change your card number and move on, but it's not that easy when your biometrics are stolen. Those are unchangeable, very personal pieces of information and if someone takes those and uses them against you, the ramifications could impact you for years to come."
Lastly, it's unclear what could happen to all the collected student information stored by a cloud service company after a service contract ends or the company is bought out or shut down. Would the sensitive information be destroyed?
A case involving education technology company ConnectEdu suggests it should be, at least if the federal government gets its way. The company filed for bankruptcy and the proposed sale of its assets included personally identifiable student data. ConnectEdu's privacy policy said consumers would be notified of a company sale and would have the option of deleting their held data beforehand -- but this protection did not extend to bankruptcy sale situations.
In a May 22 letter, the Federal Trade Commission warned ConnectEdu that a sale of such private information would violate the federal bankruptcy code and the FTC's ban on deceptive practices.
Efforts to Take Control
Since there aren't federal laws requiring the relationships between public school districts and cloud-based services to be more secure or transparent, concerned individuals and groups are taking security measures into their own hands.
For example:
- Protests against inBloom not only shut down the service provider, but also aided in the passing of two data privacy laws in New York, one of which prohibits third-party sharing of personally identifiable student information without parental consent. The other enables parents to opt out of sharing student data with vendors.
- Florida is now the first state to ban student biometric data collection. Hukill's Senate Bill 188, Education Data Privacy, was signed into law on May 12, 2014, banning the collection and storage of such information and ensuring that parents and students will be notified of their information disclosure rights each year.
- Google announced April 30 that it has removed all scanning for ad purposes of the free email accounts used by more than 30 million individuals through Google Apps for Education. This comes as a response to public concerns regarding Google's previous student data collection practices revealed by an Education Week report earlier this year.
More federal action could be in the offing, too. President Obama earlier this year requested a comprehensive review of policy issues regarding the use of big data and its effect on privacy in all sectors. The findings report includes policy revision recommendations that closely parallel those expressed in the education sector.
Finding solutions won't be easy, according to the U.S. Department of Education's Chief Privacy Officer Kathleen Styles. Hurdles include adapting existing regulations to rapid technology growth and satisfying diverse school districts, without limiting growth or innovation.
"We have provided resources and best practice recommendations through the Privacy Technical Assistance Center," she said. "At a minimum, we recommend that schools know what data they have, that they regularly review their information policies, updating them when appropriate and, above all, that they be transparent about their information practices with parents."
And that's where the call to action ends -- with parents. Even those who think they have a handle on everything school districts are doing with their children's information should take action, according to Haimson.
"It's an issue that parents across the country should be concerned about," she said. "You can be reimbursed if you lose money through a credit card scam but you can't get back your child's identity information once it's out on the Internet."