Inappropriate Content and Transparency in Public Schools

How many parents have time to take note of the inroads perversion is making in public schools?  Here are a few examples from the State of Florida over the last two years.

  • April 2018: First Coast News reported on a highly inappropriate question in an 11th grade Duval County Anatomy class.
  • January 2018: Tampa Bay Times reported that a “Matchomatics” survey, used as a fundraiser, was handed out to Pasco County students asking about their “sexual orientation” apparently without parental permission. The same Canadian based company that runs “Matchomatics” also appears to have a sister survey titled “Friendomatics”.
  • April 2018: High school reading material in Florida that some describe as pornographic (note: the quotes from student reading material are explicit). No teenager should be encouraged to read this trash.  If that isn’t porn in a book then I don’t know what would be!  How is that material legal for schools to peddle?  Some of these books are in Hillsborough County High School libraries.
  • April 2017: ABC Action News reported on a Hernando County teacher who surveyed middle school students with inappropriate questions on a survey titled “How Comfortable Am I?”
  • May 2016: Tampa Bay Times reported that School Board Member April Griffin proposed including a question about sexual behavior in a student survey, and that the motion passed.

How many of these surveys become part of a students’ permanent digital record, available for hackers to sell off or for “researchers” to siphon out of the state longitudinal surveydatabase or other systems like Edsby?  In case you missed it, I have already presented concerns about how well the privacy of student data is protected.

How do citizens and parents review or object to instructional materials when they cannot readily see what is required reading on the county or school websites?  Shouldn’t student surveys be published on the district website for parents and citizens to review? Citizens should not feel pushed into submitting a public records request to get complete information about instructional materials.

Some parents do make huge efforts to protect their children from access to crude and age-inappropriate topics on television, radio, and the internet.  Those considerable efforts and the desire of parents to raise children in a wholesome way should not be devalued programmatically by the state or county through “educational” materials or programs.  It is not the duty of schools to query student feelings on such deeply personal and sensitive topics.

School curriculum, required reading lists, surveys, and student handbooks should be openly published.  It appears some information, like the Hillsborough County Student Handbook, is hidden in online platforms like MySpot that require citizens or parents to create user accounts.

It doesn’t help that even when laws are passed, Hillsborough County Public Schools (HCPS) doesn’t always know about the law.  According the Auditor General’s March 2018 Report, Hillsborough County School District didn’t perform the required background checks “regarding sexual predators and sexual offenders” on over 42,000 school volunteers as required by law.  The auditor general report also explains Hillsborough Schools didn’t always perform “Required background screenings…for…instructional and non-instructional employees”.

What was the consequence of that colossal failure – an auditor general report, an unflattering news report, and the possibility of harm to a child? Meanwhile, A.P. Dillon has been reporting on this quiet epidemic in schools.

Hillsborough County School District has its’ own history with sexual misconduct: Continue reading

Posted in Uncategorized

How Many Schools Leave Their Digital Doors Open and Expose Private Data or Get Data Duped?

pexels-photo-331990.jpeg

According to a Politico article from March 2018, there was a major data breach of personal information at Florida Virtual School (FLVS).  While Florida Virtual School claimed they were hacked, the article notes two different people who explained that FLVS left their server open – in general that means anyone could access the server without having a password.  An analogy would be leaving for work with your front door wide open.  One of those people who insisted FLVS left the server open included Chris Petley, Leon County Schools spokesman.

Was that a FERPA violation? Does FERPA matter?

FERPA is the Family Educational Rights and Privacy Act (FERPA) and is a Federal law that protects the privacy of student education records.  But how well does it protect student privacy?

According to a blogger from Louisiana, Crazy Crawfish, FERPA is very outdated and was originally created in 1974.  This blogger’s post from 2013 is titled “FERPA does not protect student privacy, and never did.  The post provides a history of FERPA, changes to FERPA made by the U.S. Department of Education (not approved by Congress), and presents the most disturbing concern of all – the consequences or lack thereof for FERPA violations.  According to this blog:

FERPA has no defined penalties for folks who willfully and/or negligently and repetitively violate it

and

This means any vendor that obtains personally identifiable data is largely immune to any repercussions or restrictions on its use or misuse. This is a matter of settled law and an opinion issued by US ED…

Has FERPA been improved in the four years since this blog was published?  If there are not consequences that are ever materially enforced, then who cares about violations?

While schools and school districts may find it safer (for them) to outsource data storage and analytics to data collectors like Edsby or data stewards like Microsoft Azure, the more parties you introduce, the more third parties might have a way to misuse data.  Outsourcing may circumvent a school from accidentally having an “open door” on their district owned servers but it opens up another can of worms – third parties.

What Can Happen with Third Parties? 

The following is an example of how a third party seemed to manipulate an administrator into providing “directory” information.  FERPA requires parental notification prior to disclosing directory information, as the National Association of Colleges and Employers (NACE) explains in an April 2015 article “FERPA Primer: The Basics and Beyond”:

Directory information can be disclosed provided that the educational institution has given public notice of the type of information to be disclosed, the right of every student to forbid disclosure, and the time period within which the student or parent must act to forbid the disclosure.

In 2016, A Florida Voluntary Prekindergarten (VPK) provider and preschool was reportedly contacted and heavily encouraged to install an add-on into the preschool’s purchased software program, Procare, which manages student and family information.  Procare also offers programs to manage accounting, employees, and a corporate organizer.

When the preschool administrator was contacted, she originally thought the caller was Procare.  Only later in the call did she “understand” the caller was from “ABCmouse”.  The preschool reported that “they acted like it wasn’t even an option not to install”.   The caller had the preschool access an ABCmouse add-on file through the Procare software to install.  The add-on transmits student data to ABCmouse, supposedly at the initiation of the preschool.

That sounds like another win for big data at the expense of a child’s data privacy.

chess-checkmated-chess-pieces-black-white-957312.jpeg

Then the marketing of ABCmouse services began. A parent was alarmed to receive Continue reading

Posted in Data Privacy, PII, Uncategorized

Are You Breaking the Law When You Post Student Photos Online Without Parental Consent?

In May 2016, Education Law Insights published an article discussing student photos taken at school titled “Before You Upload That Student Photo, Ask: What Would FERPA (Have Me) Do?” The article covers a litany of questions and scenarios to think about before posting school photos online, even when those photos are taken by a parent volunteer. FERPA is the Family Educational Rights and Privacy Act and is a Federal law that protects the privacy of student education records.

While this article was written from the perspective of Illinois, and states have different laws (in addition to FERPA), one should question whether any photos taken in school should ever be posted online without parental permission.  Why is this important?  Here are some common sense reasons:

  • When someone is in protective custody or in witness protection, it matters.
  • When families are trying to avoid a stalker, it matters.
  • When families want privacy, and a student is required to go to school and doesn’t want their photos plastered all over the internet, it matters.
  • When that child gets a little older (middle school) and photos are easily available online, it doesn’t make it hard for peers to photoshop and bully the child.

A child cannot escape the school, a child doesn’t have a choice to be there, the sanctity of their privacy in school should not be abused by other students, parents, and schools who don’t have the foresight to consider a student’s privacy.  How will you feel if it was a photo YOU posted that was clipped and edited to bully someone else’s kid?  How would you feel if it was your kid?

For the parent and child it isn’t just about what the law says, it is about what is actually happening.

After reading the Education Law Insights article I have a few questions about what schools do:

1) Does loading photos or videos into third party platforms or into school district owned platforms that spread the data around into more platforms count as “online”?  Because it is “online”, it just might or might not be public. 

My point here is that there are so many ifs and buts that in the end I don’t actually know when something I don’t want collected about my child can or can’t or is or isn’t loaded into a third party system.  A third party system that I might or might not even know exists.  The problem is Continue reading

Posted in Data Privacy, Hillsborough Schools, Social Media Privacy, Uncategorized

Will Your Kid’s School Data be the Next Privacy Breach?

disc-reader-reading-arm-hard-drive.jpg

The Facebook Data Privacy problem is bad, but it didn’t necessarily include very personal information collected by your child’s school district.  One product heavily engaged in student data collection that includes social networking and learning analytics is Edsby.  Edsby is a cloud-based software application developed by CoreFour Inc., based in Canada.

What Does Edsby Collect?

Two years ago, Hillsborough County Public Schools (HCPS) started collecting 1.3 million records every day in Edsby, according to an article in The Journal:

Hillsborough County Public Schools in Tampa, FL was a beta test site for Edsby’s learning analytics and has been capturing data about its 206,000 students for the entire 2015-16 school year, with 1.3 million records entering the district’s Edsby analytics system every school day.

Hillsborough County Schools is the eighth largest school district in the country and has been a customer of Edsby since 2013.  How many records are being stored daily in Edsby now, more than two years after becoming the beta test site for Edsby’s learning analytics?

In January 2018, Tech & Learning described just what kind of qualitative data might be stored on children in Edsby without parental consent.  It appears to include arguably non-academic data:

Edsby’s new…features enable teachers to easily take pictures or record videos, tag them by standards or learning goals, share them with parents and organize them to document growth and streamline reporting on student progress.

The new features’ strong performance on mobile devices enable teachers to capture digital artifacts in the classroom from phones and tablets.

What exactly does the author mean by “digital artifacts”? Is this designed to collect video and audio recordings of student and teacher interactions?  What are the Terms of Use and Privacy Policies of the mobile applications being used to capture “digital artifacts”? If a child is not tagged in the “digital artifact” or the teacher doesn’t share the media, does that mean the parent won’t even know the media exists?  What studies show that this type of invasion of privacy is significantly improving student education?

What personal data could be stored in Edsby? Does it include a student’s medical conditions? Does it include personal information about Exceptional Student Education (ESE) or pexels-photo-236215.jpegIndividual Education Plans (IEP)? Does it include disciplinary actions, student surveys, or psychological test results? What data will districts collect under Social-Emotional Learning  programs? Does it include private messages between parents and teachers? Grades? What are all the fields and media this platform stores?  How is Edsby data accessed when one doesn’t want a user account (FERPA)?  Are parents notified before personal information is included in any Edsby directory (FERPA)?

Five Data Privacy Concerns

Does Hillsborough County Public Schools (HCPS) require contractors like Edsby to follow the U.S. Department of Education’s (USDOE) Protecting Student Privacy While Using Online Educational Services: Model Terms of Service?  Citizens Lighthouse asked about the data privacy policies on Twitter.  While the tweet was directed at Hillsborough County Schools, only Edsby replied.  Based on the information provided in that reply, Citizens Lighthouse has at least five concerns with the district’s use of Edsby:

First, the terms of service (TOS) 1 or terms of use (TOU) provided in the reply from Edsby states:

By posting that content on the Site or through the Services you grant CoreFour Inc. a limited royalty-free, perpetual, world-wide non-exclusive license to store, use, reproduce, publish, translate, distribute, and display the content in any media or medium, or any form, format, or forum now known or hereafter developed subject to the restrictions of our privacy policy.

The U.S. Department of Education’s Student privacy model terms of service CLEARLY provides a “WARNING!” that the phraseology below should NOT be included in the TOS (see here):

Providing Data or user content grants Provider an irrevocable right to license, distribute, transmit, or publicly display Data or user content.

Those two TOUs (TOS) sound similar, should we be concerned?

Second, the USDOE’s student privacy model terms of service also warns here that the school district should maintain control over changes in the TOU.  Edsby explains:

CoreFour Inc. may make changes to these Terms of Use from time to time. We suggest you check these Terms of Use periodically for changes. Any modifications will take effect one month after being posted on the Site and in the Services. By your continuing use of the Site and/or Services after changes are posted, you will be deemed to have accepted such changes.

Third, and even more alarming, there is no explanation in Edsby’s TOU1 or its Privacy Policy1 detailing how well personally identifiable information (PII) is de-identified.  The purpose of de-identification is so that when your data is shared with someone else or analytics are performed, they cannot identify who you are and associate it with your private data; it is supposed to be anonymous.  The problem it seems is that when an entity really wants to figure out who you are, they can try to merge their database with another database acquired elsewhere or use other methods to attempt re-identification of those who were loosely de-identified.  The USDOE explains the challenges of de-identification here:

De-­identification typically requires more than just removing any obvious individual identifiers, as other demographic or contextual information can often be used to re-identify specific individuals. Retaining location and school information can also greatly increase the risk of re‐identification.

As a result, the USDOE specifies some details that should be included in agreements:

…because it can be difficult to fully de-­identify [PII] data, as a best practice, the agreement should prohibit re-identification and any future data transfers unless the transferee also agrees not to attempt re-identification.

There is no mention in Edsby’s TOU1 or Privacy Policy1 how it de-identifies student data.  As it was understood from a conversation with one representative at Hillsborough typography-white-door-fence.jpgSchools, there is not any requirement in their contract or data sharing agreement detailing how the data should be de-identified, or what fields should be removed, and that part of a data-sharing agreement is “trust”. What degree of trust did Facebook assume in its agreements with third parties?  

According to the Tampa Bay Times, HCPS blew through almost half ($146 million) of its financial reserves in three years and purportedly without the school board’s knowledge – given that, some feel trust is long gone.

Edsby seems to have no problem letting you know that they know your geographic location when asking probing questions on their website chat tool.  It makes one wonder what could happen to your child’s data?  Are they trustworthy? Was Facebook trustworthy?

Edsby does have this clause in their policy1:

You may have other agreements with CoreFour Inc. Those agreements are separate and in addition to these Terms of Use. These Terms of Use do not modify, revise or amend the terms of any other agreements you may have with CoreFour Inc.

But then again based on the conversation with HCPS it is understood that de-identification and re-identification clauses do not exist in separate agreements between the Hillsborough County School District and Edsby.

Fourth, what about “educational” researchers? According to The Washington Post that is how Cambridge Analytica “broke Facebook’s rules”— it was “under the pretense of academic use”. What is Hillsborough County Schools Policy on allowing access to student data for “academic use”?

And Last, The Washington Post reported that developers were encouraged to “build their businesses off Facebook’s data” via the Facebook feature “log-in through Facebook”.

What happens when HCPS integrates Edsby with Google G Suite or Microsoft Office 365 for HCPS students and HCPS staff and one logs into Edsby using those Google or Microsoft credentials? According to Edsby’s Privacy Policy1:

When Edsby integrates with these systems it provides a way for you to log in to Edsby by using your Microsoft or Google authentication credentials.

Does that integration give Microsoft or Google access to student data?

In June 2017, Microsoft updated the OneNote Class Notebook add-in to include “Assignment and grade integration with Edsby”.  OneNote is available to HCPS teachers and students for free under the district’s enterprise agreement with Microsoft. OneNote’s list of education partners is long.

The student data in the Edsby platform is stored in Microsoft’s Azure Cloud.  Aside from the risk hackers pose, like this recent example at Bay District Schools, data might be accessible by not only the district but also by Edsby and Microsoft Azure.  Having more parties managing and engaging with the data creates more opportunity for mistakes and subversive behavior.

Getting Answers?

If Hillsborough Schools has a different TOU under its contract or data sharing policy with Edsby then HCPS should publish the Edsby contract and data sharing policy online for transparency and trust.  Those whose personal data is being collected, the students and their parents, have a vested interest in knowing if their data is safe and follows the USDOE’s student privacy model terms of service guidance.

There should be public oversight and total confidence that our data is safe from mining, profiling, and sharing.  There should be transparency about what the district is doing, how they are doing it, and what they are collecting.  Why should citizens have to jump through time-consuming hoops to get complete answers about the privacy of student data?

One district representative suggested speaking with IT Security regarding Edsby privacy questions but refused to provide a single name or contact number for that department, instead the phone call was forwarded to an “IT Security” line that rang endlessly with no voicemail.  Why has the district not published a single contact for the IT Security and Privacy department?

Conclusion

Unfortunately this isn’t the only student data collection engine in the state, there is also Florida’s Statewide Longitudinal Data System (SLDS) or Education Data Warehouse (EDW).  At least the FLDOE tells you what fields or data elements they collect on students, see here if you want to peruse that list, they even include a field for “Teenage Parent Program: Birth Weight of Child”.  Should we be asking the FLDOE similar questions about student data privacy?

According to the Florida Department of Education (FLDOE) the SLDS has “multiple initiatives…to support…federal long-term goals” and is jointly funded by a Race to the Top (RTTT) grant, Federal SLDS grants, and the Florida Legislature.

How much is Hillsborough County School District paying Edsby annually for all services, licensing, training, etc. for the creation of a major data mining and analytics opportunity that might one day risk the privacy of student personal information?

Have all the possible loopholes been dutifully plugged with indecipherable legal jargon?  Or is this just a data breach time bomb waiting to go off?

There are too many questions left unanswered about our children’s data privacy and it seemed safer when we had grades in a teacher (pen and paper) grade book and got paper report cards from a district printer with data likely pulled from a local mainframe every quarter.  It would probably be a lot cheaper if we eliminated some of the district’s software and licensing, maybe even get the district out of their reported deficit.  But the state and federal government want access to all that data, some highly invasive, for research on our children without parental consent.  We should get back to the basics and reclaim local control of education and your children’s personal data.

In the meantime, who is really protecting your child’s data?

pexels-photo-696407.jpeg

1Edsby’s Privacy Policy and Terms of Service (TOS) dated 1/5/2018

 

Posted in Data Privacy, Hillsborough Schools, PII

Kids Need Better Books: How Did Mabry Elementary’s Library Perform Against Four Other Hillsborough Schools?

Public School Library books should exude quality content with morals and ethics; after all schools are for educating students.  Should children’s desires be what guides the books procured for school libraries? Is that what guides the classroom?

Mabry Elementary is considered one of the best schools in Florida’s Hillsborough County and is used here to discuss unabridged elementary library (physical) holdings.  The findings from a review of Mabry’s unabridged holdings in Fall 2017 were not good.

books-reading-series-narnia-159778.jpeg

Continue reading

Posted in Uncategorized

Kids Need Better Books: When Schools Fail What Can You Do?

Why aren’t more schools consistently providing quality literature from a young age? Encouraging children to read excellent books might help address some of society’s problems.

Children should be guided onto a path where they can eventually take on works by Fyodor Dostoyevsky, Alexandre Dumas, and Victor Hugo. Offering pointless and culturally void novels for leisure reading at school does not serve the purpose for which they are schooled, to be educated.  Books written with shock value are often bad models and do not help children learn how to write well, or understand nuance and complex sentence structure.

19-2571a

Source: NARA

In 1870 ten to thirteen-year-old students were assigned reading material including Longfellow, Tennyson, and Hawthorne. How do these readings compare to in-class readers, Scholastic News, or other materials used as informational texts? How does an engaging story by Nathaniel Hawthorne compare to the messages of Captain Underpants, which is sometimes read in school during independent reading? How do thought provoking pieces like “I-Have and O-Had-I” get tossed aside?

Rather than handing out classroom magazines (sometimes containing age-inappropriate and unbalanced agenda-driven material), schools should select readings from high quality literature including historical events and poetry.  When did the goal become to teach language arts with selected agendas (e.g. starving polar bears or Occupy Wall Street) in place of unbiased excerpts from great literature? Does deep thinking occur when children are told what to think about controversial topics without balanced views being presented? Continue reading

Posted in Uncategorized

Books Promoted by a Hillsborough County Public Library

Are these books, pictured below, the best recommendations to promote on a children’s bookshelf in a Hillsborough County Public Library?

BookPromoHC

Let’s consider the Timmy Failure series by Stephan Pastis.  The first book in this series, Timmy Failure: Mistakes Were Made has a Lexile Score of 520 and is recommended for ages 8-10.

A Lexile Score is a measurement that should represent the complexity of the material, the higher the number the more complex the material.

The third book in the series is titled Timmy Failure: Sanitized for Your Protection, picturing a cover graphic of a young child in a toilet.  The title of chapter three is “Let’s Do the Timmy Warp Again”, is that intended to be a reference to Rocky Horror?  Its Lexile Measure is lower, 500L, and for ages 8-12.

By the time a child reaches third grade, typically 8-years-old, a 520 Lexile is already at the very bottom of the recommended Lexile Range (520-820L) for College and Career Readiness.  A 12-year-old is typically in grades 6-7, with a recommended Lexile Range spanning 925-1120L.  Part of that range is double this book’s Lexile.  So does that mean once a child is mature enough for the content, the material is way too easy?

I am beginning to wonder if authors are writing graphic novels with little prose or depth so that readers will fly through the books.  That strategy could increase sales.

There are so many better books out there to recommend.  Sideways Stories from Wayside School would be one better option for children that need or want easier books.

Lexile Measures should not be relied on too heavily for a number of reasons.  However, for the purposes of this post it gives you the gist of one problem with these books — the complexity is not impressive, especially for its suggested reading age.  And that doesn’t even address the quality of the material in general. 

Posted in Uncategorized