With the first generation of children to grow up learning and playing with digital devices in the era of big data, protecting their privacy is a new concern for parents and school districts.
The School of the Osage School District notified district parents in August of 2019 about a data security incident by Pearson AIMSweb, an outside vendor used by the school district to provide support and educational services to individual students.
According to information on the district website, Pearson reported that it discovered some student data stored on their servers may have been disclosed to an unauthorized party, including student first and last names, as well as birth dates.
Pearson said no grade or assessment information was affected by the incident, and the district says the company was not provided with—and did not maintain any—social security numbers, credit card data, or other financial information of students.
According to School of the Osage Deputy Superintendent Laura Nelson, 13,000 schools were impacted by this Pearson data breach. “Many of the schools did not inform their parents of the breach, but we wanted to inform our parents, because we want to continue to elevate the conversation on how important we believe data security is.”
However, in light of the incident, the district said they would no longer be using Pearson AIMSweb for services provided to their students.
The Department of Education has been a major proponent of gathering student data. It can be collected by student online usage, or provided by parents, teachers or other staff. This information can include a student’s education record, demographic information—including race, ethnicity, religion, a parent’s political preferences and income level—discipline records, grades, test scores, mental, physical and social health, disabilities, individual education plans and much more.
Student data has largely moved online in just the past few years. This information is being collected and distributed at unprecedented scale, from the time a toddler enters preschool, all the way to college and into the workforce.
The ease and automatic ability to “click and allow” the storage and processing of information on remote servers in the cloud enables even bigger data sharing. States and schools for the first time can centralize, organize, search and analyze information on millions of students, in the same ways that corporations have been for decades. And, many for-profit companies, like Google, rushed in to help them do this, providing software to collect and crunch this information.
As new technologies evolve, cyber security and legal safeguards have evolved. Unfortunately, security has not kept pace with emerging technologies. As a result, information that was once legally mandated to be stored under lock and key is now open game on the Internet. At first, data thieves were tech savvy hackers. Today, this private information is legally, deliberately and lucratively being mined and sold by big name, international data broker business for marketing and political purposes.
The Washington Post reported about one student-data collection operation that was shut down in 2014. The $100 million project was funded by the Gates Foundation and operated by a specially created nonprofit organization called inBloom.
The Electronic Frontier Foundation (EFF) point out Google is putting low-cost Chromebooks in U.S. schools, which allows data to be collected, sometimes without parents or school administrators even realizing what's happening.
There have also been educational apps caught tracking private behavioral data on students. Some of the apps that have allegedly tracked private information include; Class Dojo, Remind, Edmodo, Quizlet, Google Classroom, Khan Academy, PBS Kids, Lego, Schoology, McDonalds, ABC Spelling, BrainPOP and Sesame.
Parents need to be aware that their student’s sensitive mental and physical health information can also be legally be shared outside of the school, without parental consent, under the Family Educational Rights and Privacy Act, due to loopholes in how the federal law is written.
A Multi-Billion Dollar Business
The list of data breach lawsuits currently in U.S. courts are too numerous to list. One example occurred in Vermont, according to edu-cyberg.com, ALC Inc., a Princeton-based company, failed to acknowledge the possession of data on minors as required to comply with a Vermont law, the first of its kind in the country. ALC Inc. advertised a mailing list of more than a million high school students and their parents’ information for sale on its website.
“It is not okay to just to pretend this is not happening,” Camdenton R-III School District parent Stacy Shore said. “How will our children be harmed by the collection of this data about them now, or in the future? No one knows...yet. We don’t know who is collecting all of the data, where, for how long, and for what purposes, and that is a huge concern that no one knows how to address.” According to Shore, parents, teachers, administrators and school boards all need to start asking questions to become more aware of how to protect themselves and their students.
The Unbridled Internet?
Scott Shackelford, associate professor of Business Law and Ethics at Indiana University’s Kelley School of Business, and Cybersecurity Program Chair, at IU-Bloomington reports, “Tech companies are simply not doing enough to comply with the regulatory requirements Congress has put into place to help protect vulnerable, and impressionable, kids. It’s not a case here of not following the spirit of the law,” he continued, “they don’t seem to be following even its letter.”
According to The Children’s Online Privacy and Protection Act (COPPA) students have rights to their data privacy. However, when a parent signs their student’s technology use agreement, they are giving Google and other App builders the rights to their children’s privacy. Google clearly states that they “will” share personal information with corporations, organizations and individuals with “proper consent.”
A Call to Action
“School of the Osage wants parents and students to believe all is well because student phone numbers and addresses are protected,” Shore said. “That is not what needs to be monitored. All of the front-loaded apps on Chromebooks have their own permissions that are granted when parents consent to use the device. These devices are collecting untold volumes of metadata on kids every day. These unknown app permissions have the ability to track keystrokes and searches, and in some cases can use GPS services that include location and activity data which can expose our children to real harm from predators.”
“Parents need to be aware. When the FBI is issuing warnings to parents of school aged kids about the dangers of school technology, everyone should take it very seriously.”
If a parent feels they or their children’s rights have been violated under FERPA, they can file a complaint at FERPA.Complaints@ed.gov. Also, parents need to be aware that schools must obtain parental consent before requiring students to fill out surveys that ask about sensitive issues such as their home life, political affiliation, income, or sexual behavior. Parents should check to see whether or not their school district has a policy about disclosing student information.
School of the Osage Going Forward
According to the district website, Pearson has been actively working with law enforcement to determine the source of the August data breach incident and to take all steps necessary to protect the student information it maintains as part of its services.
In an interview updating parents on this incident, Nelson said, “We have continued to monitor our network and we continue to see no evidence that any access has been made. We work very hard to monitor all of our data systems and we are very transparent about this. We have data governance plans and we utilize a variety of software applications, which allow us to filter our content, as well as monitor incoming and outgoing traffic.”
The District will continue to monitor this situation closely, and they will provide updates as they learn any additional information.
As a precautionary measure, Pearson has offered complimentary credit monitoring services from Experian to each affected individual. For additional information visit schooloftheosage.org.