Are schools putting your child’s information at risk?
Sensitive student data rushes to computing cloud; privacy rules foggy
Kids' heads may be in the clouds. But so is their data.
It is fast becoming the norm for public school districts to hire private online
data companies to manage huge volumes of sensitive student information -- everything from birthdates and home addresses to homework records and medical
histories. The use of remote servers to store and process data, known as cloud computing, for information about school children has parents and children's advocates sounding alarms about student data privacy.
"A child's personal information should be
protected at least as strongly as any financial information that a parent has,
if not more," said Leonie Haimson, executive director for Class Size
Matters, an organization that advocates for smaller classes and related issues.
"And right now that doesn't seem to be the case."
Haimson's concerns, partnered with many others from New
York State, were strong enough to shut down inBloom Inc., a cloud computing
company created to house and manage the personal information of students around
the country. Advocates worried that there was no guarantee the information
would be safe from commercial marketing or data breaches.
Without sufficient security measures and collection
regulations, cloud computing could put sensitive student information at risk
for unwanted marketing uses and public disclosure, and may put children at a
higher risk of fraud, Haimson said.
In a farewell message posted online, inBloom CEO Iwan Streichenberger
said critics misunderstood the company, which had "world-class security
and privacy protections."
Along with the shutdown of inBloom, Florida and New
York have passed groundbreaking student information privacy laws, and Google
At the federal government level, a working group
called Big Data and Privacy presented recommendations for action to President Barack
Obama on May 1. It's requesting increased data security and collection transparency
to protect students who could be inadvertently affected by the cloud computing
resources used by school districts all over the United States.
A rush to the cloud
Until the last decade, schools primarily managed their own data, using whatever
in-house methods they saw fit: paper files, private servers or software
programs. Today, schools are quickly moving a trove of student information to the cloud.
A 2013 study by CDW found 42 percent of K-12 schools had implemented or maintained cloud computing in 2012, up from 27 percent in 2011.
Research released in December 2013 by Fordham Law School's Center on Law and Information
Policy found that of 20 schools that complied with its request for detailed information, a full 95 percent rely
on cloud services for some sort of data storage or program function.
Despite the rush to the cloud, the authors of the Fordham study concluded cloud services are "poorly understood, nontransparent and weakly governed" and districts frequently surrender control of student data, with little parental notice.
Small kids, big data
The type of data collected for cloud services is
just as overarching, including everything from student educational records, to
personal identifying information such as names and birthdates, to detailed disciplinary
InBloom, for example, was set up to collect almost 400
data points from the nearly 2.7 million children within New York State's 700 public
school districts, according to Carl Korn, a spokesman for New York State United
"They were going to collect things like
disciplinary records, parental income, grades and more," he said.
"Basically they would have information about every little thing that would
happen to a student from the time they enter school as a 5-year-old to the time
they leave school as an 18-year-old. And all of this sensitive data would be stored
in one place."
All of this accumulated data partnered with cloud
services could be used for a number of school services, including standardized
test score reporting or school website hosting for email and online homework programs.
By storing all the information in one place, schools are streamlining the
operation of those tools.
But some people are questioning whether the ends justify
those means. "I would challenge the assertion that vendors need to collect
quite so much data," Korn said. "For example, New York schools
already have services in place to gather the information they needed to run
their programs, so what inBloom was trying to offer was duplicative and not as
Until recently, some public school districts in
Florida were collecting even more detailed data sets from students by scanning
their palms to identify them and allow them to do things such as buy lunches and check out library books, according to Florida State Sen. Dorothy Hukill. She sponsored a bill that, when it was signed into law in May, became the first in the nation to ban the collection of student biometric information.
Many parents don't know just how
much data is being collected, Hukill said. "Lots of
people didn't even know it was happening," she said. "And even
around the country, it's not like this is something schools are releasing or
putting on their websites."
Fordham's study found that only 25 percent of the surveyed
districts using cloud-based services informed parents about the use of such
third-party services. Many of the service contracts also did not address
parental consent or access to information collected for the designated cloud
Existing federal law provides only broad protection. The Family Educational Rights and
Privacy Act, for example, lets parents approve or deny the release of their child's information
and outlines their information management rights regarding their child's
personal data and academic records. FERPA, signed into law in 1974 by President Gerald Ford, did not envision cloud data storage.
Fear of the unknown
In addition to the absence of clear federal regulations, Fordham researchers found
that a majority of the service partnerships between cloud service companies and
public schools lack sufficient oversight, specifically regarding what happens
to data after a third-party company receives it.
In fact, districts that use cloud computing may be
surrendering control of their students' information by entering into service
contracts. Less than 25 percent of the contracts studied by Fordham specified
the purposes for sharing student information and less than 7 percent restricted
the sale or marketing of shared information by vendors. Many agreements allow
vendors to change the terms without notice.
Hacking is another
major concern. Lisa Schifferle, a privacy and identity attorney with the Federal
Trade Commission, says there is legitimate cause for worry, even though there haven't been any data breaches impacting
cloud-based school information storage systems so far.
"People know if they hack into them they can
get several schools' information instead of what they would get if they just
went after a single institution," she said. "They are more of a
target because you can get more."
It's hard to know for sure what would happen if masses
of student data got into the wrong hands, but it's not worth waiting to find
out, according to Hukill. Children are already at a high risk of becoming victims
of identity theft.
"For instance, let's say that biometric
information was breached," she said. "If it was a credit card,
hopefully you find out really quickly and change your card number and move on,
but it's not that easy when your biometrics are stolen. Those are unchangeable,
very personal pieces of information and if someone takes those and uses them
against you, the ramifications could impact you for years to come."
Lastly, it's unclear what could happen to all the
collected student information stored by a cloud service company after a service
contract ends or the company is bought out or shut down. Would the sensitive
information be destroyed?
A case involving education technology company
ConnectEdu suggests it should be, at least if the federal government gets its
way. The company filed for bankruptcy and the proposed sale of its assets
consumers would be notified of a company sale and would have the option of
deleting their held data beforehand -- but this protection did not extend to
bankruptcy sale situations.
In a May 22 letter, the Federal Trade Commission warned ConnectEdu that a sale of such private information would violate the federal bankruptcy code and the FTC's ban on deceptive practices.
to take control
Since there aren't federal laws requiring the relationships between public
school districts and cloud-based services to be more secure or transparent, concerned
individuals and groups are taking security measures into their own hands.
Protests against inBloom helped shut
Florida is now the first state to ban
student biometric data collection. Hukill's Senate Bill 188, Education Data Privacy,
was signed into law on May 12, 2014, banning the collection and storage of such
information and ensuring that parents and students will be notified of their information
disclosure rights each year.
Google announced April 30 that it has
removed all scanning for ad purposes of the free email accounts used by more
than 30 million individuals through Google Apps for Education. This comes as a
response to public concerns regarding Google's previous student data collection
practices revealed by an Education
report earlier this year.
More federal action could be in the offing, too. President
Obama earlier this year requested a comprehensive review of policy issues
regarding the use of big data and its effect on privacy in all sectors. The
includes policy revision recommendations that closely parallel those expressed
in the education sector.
Finding solutions won't be easy, according to the U.S. Department of Education's Chief
Privacy Officer Kathleen Styles. Hurdles include adapting existing regulations to rapid
technology growth and satisfying diverse school districts, without limiting
growth or innovation.
"We have provided resources and best practice
recommendations through the Privacy
Technical Assistance Center," she said. "At a minimum, we
recommend that schools know what data they have, that they regularly review
their information policies, updating them when appropriate and, above all, that
they be transparent about their information practices with parents."
And that's where the call to action ends -- with
parents. Even those who think they have a handle on everything school districts
are doing with their children's information should take action, according to
"It's an issue that parents across the country
should be concerned about," she said. "You can be reimbursed if you
lose money through a credit card scam but you can't get back your child's
identity information once it's out on the Internet."
Published: June 10, 2014