As America's kids become the latest target of online data miners, parents are starting to wake up to this troubling threat and assert their rightful parental agency as protectors to their children. The Pittsburgh Pennsylvania Post-Gazette asks a cogent question we should be asking of our own Emery Unified School District: Assuming Superintendent Rubio is correct that Infosnap will forever be able to resist the temptation to sell this valuable information and that it assiduously and effectively protects its information from hackers, can Infosnap sell Emery children's dossiers in the event of a merger, sale or a bankruptcy? As the article shows, children's information is a very valuable asset; in fact their information the only asset these for-profit edutech corporations have.
From the Pittsburg Post-Gazette:
August 20, 2015
What kid wouldn’t want to be able to create an electronic science fair poster, with photos and embedded video, using their smartphone — all on the morning bus ride on the day it’s due?
Glogster EDU lets kids do that and, according to its website, it’s setting up “2,000 new teacher accounts daily,” each with, presumably, a classroom full of kids attached.
According to its public statements, though, the Czech Republic-based firm may be assembling more than photos of vinegar-and-baking-soda volcanoes.
It may share information about users with “consumer products, telecom, financial, military, market research, entertainmen, and educational services companies,” according to its website.
“That’s a ‘just trust me,’ ” said Khaliah Barnes, director of the student privacy project at the Electronic Privacy Information Center. “Like they have a bridge to sell you in Brooklyn.”
The growing education technology sector is selling the promise of improved student achievement through websites, apps and tools that analyze each child’s strengths and weaknesses. In doing so, though, ed tech companies are lapping up unprecedented amounts of information about students, while laws provide little protection and privacy policies vary wildly.
Some companies reveal what they learn about students and who sees that information. But a Post-Gazette study of 143 ed tech providers that serve Pennsylvania schools found that most don’t say how long they keep student data or whether it can change hands in a merger or bankruptcy, and the vast majority say nothing about how they’d handle a data breach.
“Parents are very nervous, and rightfully so, when third parties are empowered to build dossiers on their children,” said Joel Reidenberg, a Fordham Law School professor who wrote a 2013 study on data privacy in public schools. “Unless they have a means of learning what data is being collected, they have no way to independently assess the risks to their children, and whether this is a good product or a bad product.”
To India and back
Debbie Schwartzberg Levy, a parent of two Upper St. Clair students who consults for ed tech companies, said she trusts the judgment of most of the tech-savvy teachers she’s encountered. But she added that one son was instructed by a teacher to sign up for a website only to find that “his whole school email box was full of emails” from the company from then on.
“How do we know that these are legit apps, legit websites?” she asked.
That question is bedeviling parents, teachers and school administrators nationally, because the flow of student data collected by some ed tech products is loosely regulated and convoluted.
In a rare glimpse into the student data currents, Virginia-based cyber education firm K12 Inc. sued Socratic Learning Inc., of Texas, in 2009, saying the latter had shipped student data to India, only to see it leaked to an Arizona blogger.
The lawsuit was settled. Since then, “K12 has reviewed its procedures for providing access to student information and has restricted access to a limited number of persons having a valid need for the information,” wrote K12 spokesman Frank Giancamilli, in an email response to questions.
K12 provides online courses to around 125,000 students, according to its website. The company powers 22 cyber schools in Pennsylvania alone, including some that it runs for conventional school districts.
In its policies, K12 says it “may collect information regarding you and your children ... [to] include: first and last name; billing address; the names and ages of your children; the services you request; registration and enrollment information about your children; and an e-mail address.”
K12 “may share your information with companies that are not affiliated with K12 but who are interested in sending you information about their products and services.“ You can tell K12 not to share your student’s information, but almost no one does that. Mr. Giancamilli wrote that in the past year, the number of the company’s registered students who opted out of having their information shared with other companies for marketing purposes was 12.
“What that really means is that maybe 20 people saw the [do-not-share] option, 14 people understood it and 12 people chose it,” surmised Bill Fitzgerald, who directs the privacy initiative at Common Sense Media, a nonprofit advocate for children, families and schools. He said that on most websites, opting out is done through “a checkbox which you often need to uncheck to opt out, buried at the bottom of a long page that most people never get to.”
Most ed tech companies publicly reveal something about the data they collect, and who gets to see it. But the majority say little or nothing about data breaches, data deletion, or the fate of student information in the event of a merger or bankruptcy.
Of 143 ed tech vendors serving 31 Pennsylvania school systems included in a Post-Gazette analysis, just 10 pledged to notify districts if their students’ data was stolen. Another four indicated they “may” do that.
Fewer than half said anything about ever deleting the student data they collect — a key means of reducing the scope of any data theft.
“If you’re sitting on a data trove for years, it increases security risks, because it can be hacked or lost” or even sold, said Mr. Reidenberg. “The default [policy],” he said, “should be destruction.”
Fewer than half of the vendors addressed the likelihood that data could be passed to another company, with different privacy rules, in one of the many ed tech mergers or in bankruptcy.
Some companies, like Glogster, gave themselves license to do virtually anything with student data. Fox Chapel School District stopped using Glogster in part because of privacy concerns, even though students there were told to input only their names, according to Donna Beley, executive assistant to the assistant superintendent.
Other firms put no publicly available constraints on their use of student data, but still got district contracts
Should parents worry more about vendors that openly share student data, or those, like Access411 and Virginia-based Big Universe Inc., that keep their practices close to the vest?
“I would be equally worried,” said Mr. Reidenberg. “There’s no reason to assume it’s all innocuous.”
Data is power
Some companies claim that to guide schools, teachers and students, they need a lot of data.
An ACT spokesman, who refused to talk but responded to questions via email, wrote that “much of that information is optional,” and the questions are designed “to help students with their future plans and to help colleges identify individuals for recruitment and scholarships.”
If someone wants ACT to delete their profile, it “will seek to meet” that request, he wrote.
“It is disconcerting when you see that laundry list of data points,” said Mr. Fitzgerald. Companies shouldn’t use their privacy policies just to reserve their rights to collect information they don’t need, he said. “If you don’t collect it, don’t list it.”
Ed tech and social media are beginning to converge, with potential implications for students’ future, as colleges, prospective employers and marketers increasingly judge people based on their data dossiers.
The firm, whose products have been used by the Norwin School District, will also share student information with Facebook and Twitter, “with your permission,” according to its policy.
NoRedInk did not respond to a request for an interview.
When an app allows a user to sign in through Google, Facebook or Twitter, it “will grab your identification information, but it will also often go a step further and grab your friends list, and then will often go a step further and grab their friends lists,” said Mr. Fitzgerald.
Companies that sell communications or security products to school districts are expanding into areas that let them track kids’ offline movements.
York-based Access411 provides the Pittsburgh Public Schools with student ID cards they use to scan in every morning. Scott Gutowski, chief of information and technology for the district, said that the company doesn’t get any personal information about Pittsburgh students.
On its website, Access411 bills itself as “the one-stop shop for school safety products and services” including radio frequency ID cards, “weapons detection, biometrics,” and tracking of attendance, visitors, meals and discipline.
Rich Lord: email@example.com or 412-263-1542. Twitter @richelord. Megan Henney, a former Post-Gazette summer intern, is a senior at Penn State University.