A Florida Controversy over Intelligence-Led Policing or is it Childhood Social Credit Scoring?

A model is described where children are scored for having been a victim of emotional or physical abuse—a score that increases the chance they will be identified and targeted by deputies; twice victimized.

One Florida county has created its own version of Chinese Social Credit Scoring—a rating system for American children.  Florida government agencies collect data on children such as abuse histories, intelligence, grades, GPA, health information, attendance records, etc.  Then a local government agency uses its data in a scoring model to identify, target, and reportedly harass its young citizens.  

The Pasco County Florida Sheriff’s Office intelligence-led policing (ILP) manual explains how they identify youth at-risk of falling into a “life of crime”.  A model is described where children are scored for having been a victim of emotional or physical abuse—a score that increases the chance they will be identified and targeted by deputies; twice victimized.  This sounds eerily like the dystopian Chinese Social Credit Scoring (SCS) system.  

Who is in This Law Enforcement System?

Children who are not “at risk” appear to have their identity fed into a law-enforcement system.  The ILP manual states:

“…we take the active rosters for each school in the county and match each student with data from the schoolboard’s early warning system (EWS), our records management system (RMS), and DCF’s Florida Safe Families Network (FSFN). Students who are on-track across all categories are removed from the analysis” [emphasis added]

If a student is not at risk is their data still fed into a law-enforcement database, and then only removed from the analysis? Does the “on track” child’s identity remain in a law-enforcement system? Does this mean every child in that public school system has a profile with law enforcement? Continue reading

Posted in Uncategorized | Leave a comment

FortifyFL: Florida’s Misguided Communist-Style Student Reporting Tool

In 2018 Florida passed legislation requiring the rollout of a reporting app called FortifyFL.  This software was developed by AppArmor, a Canadian company.  The app promotes communist-style snitching on your neighbor but in this case students on students.  In communist Cuba and the former East Germany (DDR), reporting on your neighbor for activities like “participating in opposition movements” was encouraged and used against citizens.  

There is no way to know how data submitted about your children in FortifyFL or other Education Technology (EdTech) apps at school will be put to use by BigTech or authorities now or in the future.  The data entered into student reporting apps can be very personal and private.  This app can record what someone else claims you said.  “Your” words are stored in an online system and disseminated, without you ever knowing. 

The possibilities stemming from the collection of data are abundant, as evidenced in this report about children being harassed in Pasco County, FL.  The Sheriff’s Office claimed “its program was designed to reduce bias in policing by using objective data”.  Was there a statistically significant reduction in bias? How was bias defined? Does harassment qualify as bias?

In a Spiegel International article from 2015, the un-neighborly reporting that occurred in East Germany is discussed:

“No matter where one shared information, the state would put it to use. The East German reporting system kept track of the country’s citizens from kindergarten, throughout their working lives and even into retirement…Files were even kept on schoolchildren: “Wears Western clothes,” “exhibits affinity for punk music,” “demonstrates pacifist attitudes.”, and

“…they were totally normal citizens of East Germany who betrayed others: neighbors reporting on neighbors, schoolchildren informing on classmates, university students passing along information on other students, managers spying on employees…”

The East German reporting system sounds eerily like a combination of FortifyFL and Florida’s integrated database that collects and stores student (and family) data from multiple sources.  Many EdTech products, like the Canvas software, aim to store student data from kindergarten through post-graduate education.  If that isn’t enough, then companies track their employees with monitoring and surveillance software. 

Where does this end—in an Orwellian state, a Stasi-like state?

The Spiegel International article explains that many East Germans who felt their lives had been “de-railed” later learned that documents from factories and universities revealed that “making an ill-considered comment at the student union” or even simply lacking certain viewpoints could lead to one’s removal from university.    

This kind of report on your neighbor’s activity can be subjective, and officials encouraging its use might mislead the public into believing they are contributing to the good of society.  Reporting unverified suspicions into systems that can permanently document your behaviors, actions, beliefs, or hasty statements can get out of hand; as evidenced by the multitude of examples (e.g. revenge reports) in the Spiegel article.  Like data compiled in the East German system, FortifyFL likely does not produce positive data about Florida’s schoolchildren, and the data compiled is not even necessarily legitimate.   

Those who naively assume data amassed by EdTech and government is safe underestimate risks like hacking or transmission abroad to foreign enemies.  The security of collected data and where it all gets transferred is a mystery. 

Do not trust EdTech companies any more than a pickpocket with your purse.  I will take a missing wallet over propagation of private data any day—I can cancel credit cards and get a new driver’s license, but I cannot make private very personal information once it has been made public or shared with “trusted partners”.  One might read policies like the data is stored in a secured location in the U.S., but who believes that given the trustworthiness of tech companies and the lies they have told about our privacy

Often EdTech policies don’t even offer claims data is totally secure.  Here is one example from AppArmor’s privacy policy for FortifyFL.

security

Hacking and ransomware events creep through our data like kudzu; but it seems we are not always told about those events and I put the blame squarely with Florida law (another related topic).

Here is my common sense interpretation of the frenzied collection and use of data: Politicians and government agencies are hungry to rely on data, statistics, and modeling because it offers a refuge from responsibility.  Politicians could say the data told me to do it!  It becomes an out for every bad decision made.  The data was wrong, the model was wrong, hackers infiltrated the database—there are a myriad of possible responses for legislators and local politicians to point fingers at to avoid being responsible for making their own common sense decisions. Pointing to inanimate objects (computer models and data) is a fitting escape when no one wants to be held responsible for bad outcomes.

Florida Republicans supported the deployment of FortifyFL.  Are Florida Republicans aligning with communist reporting methods?  Florida legislators need to take a deeper look at the privacy and ethical problems with the public safety act they enacted.  The privacy invasive aspects of the law are not in the best interests of Florida citizens. Encouraging citizens to spy on each other, especially in such an overt way, is an anti-American activity.  

Aside from the ethical implications of having student on student reporting and the schism and suspicion that can drive between fellow citizens, the app is reportedly problematic and has been misused by students (that’s a shocker).  The FortifyFl app was attributed by “the St. Petersburg police commander“ as a driver for an increase in the Baker acting of students in Pinellas County, FL.  If you don’t know what Florida’s Baker Act is and how dangerous it can be for children, you should read about it in this bombshell article. 

I objected to the use of FortifyFL the day after it was announced in 2018, especially given it was being pushed to students under 13.  My questions directed to then Attorney General Pam Bondi about FortifyFL’s compliance with the Children’s Online Privacy Protection Act Rule (COPPA) went unaddressed on Twitter.  I posted a copy of the FTC’s COPPA FAQ that states:

“…it is not sufficient to provide such notification and choice to the child user of a website or service. If the operator intends to collect geolocation information, the operator will be responsible for notifying parents and obtaining their consent prior to such collection.” 

Weeks later, a news report by Elizabeth Djinis revealed that although FortifyFL was marketed as an anonymous reporting app during its rollout, it was not automatically anonymous upon installation.  It required the user to enable/disable the app’s location services.  The initial requirement that a user (e.g. child under 13) disable location services is contrary to the COPPA FAQ quoted above.

According to the Djinis article, Florida Attorney General’s Office spokesperson Whitney Ray stated: “As an added precaution, this feature has been turned off and responding agencies will no longer receive this information”.  Whitney Ray’s quote was not specific about which feature: the collection of location information or the dissemination (after collection) of a child’s location information to responding agencies.  Djinis did not clarify the statement from the Attorney General’s Office spokesperson, but the headline is “Florida school security reporting app will no longer track location”—is the reporter’s headline correct?

COPPA’s FAQ states operators are required to get parental consent if location information is intended to be collected from anyone under the age of 13.  In general, location information can be collected from an individual and not sent to responding agencies.  It remains unclear to me if geo-location functionality has been deactivated in the application or if verifiable parental consent (see linked item 4) is obtained before location data is collected. After downloading and attempting to turn on/off location functions (without submitting a tip) it appears FortifyFL will allow a user to turn on/off location services in the tool and consent to submit a tip without verifiable parental consent. Despite the non-specific comments quoted from the former Florida Attorney General’s office, FortifyFL permissions in Google Play currently include location services.  

GooglePlayFortifyFLPermissions

Florida Statute 943.082 states: “That if the reporting party chooses to disclose his or her identity, that information shall be shared with the appropriate law enforcement agency and school officials…”  There is no explanation for how children under 13 will be handled in order to comply with the COPPA Rule, enforced by the FTC. In 2019 Google and YouTube faced a $170M penalty for violating COPPA.  The FTC explains that operators who violate the Rule can be held liable for civil penalties of up to $43,280 per violation.

The  FTC’s COPPA Rule FAQ (B.6) holds federal agencies accountable to the rule: “…all websites and online services operated by the Federal Government and contractors operating on behalf of federal agencies must comply with the standards set forth in COPPA.”

But is the State of Florida and/or AppArmor violating COPPA? The FTC explains in a Business Blog from 2015 that “While we encourage all types of entities to respect children’s privacy, the FTC’s enforcement authority doesn’t extend to information collection by state governments or most nonprofits.” So who is protecting children’s privacy without the loopholes—if not Florida, if not laws like COPPA and FERPA, if not non-profits, then who?  Schools get exemptions from FERPA and COPPA, state and local governments apparently get exemptions from COPPA, and all these government agencies can contract to share data with third party small, medium, and big tech companies. 

Regardless of what laws are passed, it seems existing laws are blatantly violated or contain loopholes and exemptions.  What hope do children have for any modicum of privacy? 

There is more bad news on FortifyFL—an alarming Twitter post indicates there was prior knowledge that FortifyFL lacked anonymity, contrary to what is required in the Florida law.

Who else but citizens are checking that government follows its own rules?

As of this publication the FortifyFL download at Google Play contains a privacy policy link directing you to AppArmor’s concerning privacy policy:

IntlTransfer

Let me summarize what it says: Your personal Information may be transferred to and maintained on computers outside your country where the laws that protect your data may be different, and your consent…followed by your submission of information, represents your agreement to that transfer. This was backed by Pam Bondi, Florida’s former Attorney General!  Did she even read the privacy policy?

Stunningly the FortifyFL website does not even link to an app terms of service or privacy policy or information clarifying if any reported data is ever transmitted or stored out of country.  Keep in mind the bottom of the website notes: “Copyright © Florida Attorney General, Department of Education, Department of Law Enforcement. All Rights Reserved.”  Florida Attorney General, Ashley Moody’s website also has no reference to FortifyFL’s privacy policy.

The AppArmor privacy policy suggests this data can leave the U.S., so where is this data going? Do laws outside the U.S. prevent the selling or licensing or sharing of data about your children? 

While you are not forced to download the product, you cannot prevent another person from entering data (true or not) about you into the app.  This is the schism being massaged into society. This could be a student reporting a friend’s suicidal thoughts that were shared in confidence.  That data could be released in a poorly redacted state (containing still-discernible identifying information like a full name) and then used by an award-winning reporter in an internet article.  This actually happened; ultimately, the sensitive personal information shared by a child in confidence was made public.  That data could also apparently be transferred to another country where U.S. laws and protections do not apply. 

Who knows what happens to personal information about your child.  This personal information should not be propagated to servers, in the U.S. or around the world.  These children—our citizens, brothers, and sisters—deserve more decency from their fellow man than this impersonal approach attempting to program a response out of a disconnected government.

The disregard for student privacy and the problems that exist in securing student data points to the ignorance surrounding technologies by those that have held and currently hold positions of power in our state. 

Florida politicians need to get their hands out of their pockets and protect our children from invasive, prying technologies. 

We the people want to protect our kids.  Where are our legislators? If the Department of Defense agency DISA, Microsoft, NASA, and others can be hacked, how secure is student data?  Do you think student data is secured better than data held by these companies and agencies? Is it not vital to the future of our country and our national security to protect private information about our young citizens?  These young citizens will soon be adults and by then it will be too late: the data will already be there to use against them, even if the data is wrong. 

It seems Pandora’s Box of data privacy is already open—we are so far down the road there might be no return. Is Hope still at the bottom of Pandora’s box or is it gone?  Money is involved—entire industries (e.g. EdTech) have developed on the basis of collecting data. Going forward, what are we doing to protect our children from how the data could be used against them?

Here’s a thought– quit legislating the collection and aggregation of so much personal data about our citizens!

code projected over woman

Posted in Data Privacy, PII, Public Schools, Social Media Privacy, Uncategorized | Leave a comment

Congratulations Hillsborough Schools: Your Skills in Stonewalling Parents are Superb!

closeup photo of brown brick wall

My jaw dropped when I came across School Board Member Cindy Stuart’s comments from the July 30, 2019 Hillsborough County Public Schools (HCPS) board meeting.  Given what I know from years of research on student data security, her comment swirled around in the back of my thoughts for a few weeks after reading the meeting transcripts.  Then I remembered something that sent chills down my spine.  But before I mention that something here is a little background.

During that school board meeting, Cindy Stuart brought up the district’s mainframe computer in the midst of a brief discussion on data security and stated: “We were about to shut the whole thing down for the RNC”.  The assumption here is that there was a security problem in our own school district server that was problematic for the Republican National Committee (RNC).

The Republican National Convention was held in Tampa in 2012 when Ms. Stuart was running as a candidate for Hillsborough County School Board.  In 2016 the nation was in a tizzy over Russian interference in the U.S. elections.

Did Ms. Stuart mean the Republicans were concerned about the security of the school district server in 2012 or in 2016? Not sure, but she did sound concerned about the security of the mainframe (which presumably held significant amounts of personal student data) even though she does not provide details.  Why would the security of a school district server be relevant to the RNC? Confused? I’ll explain my thoughts.

The something that I remembered was an article about “Russian” Florida hacking that wasn’t actually by Russia.  The hacking came from Continue reading

Posted in Data Privacy, Hillsborough School Board, Hillsborough Schools, PII, Public Schools, Uncategorized | Leave a comment

Who Holds Florida School Districts Accountable?

cyclone fence in shallow photography

How useful is it to put a lock on an open gate?

On May 12 Boca News Now reported that a second grader hacked Palm Beach County School District’s student password system.  This isn’t the first time a Florida school system has had problems with security.  In 2018 Florida Virtual Schools “left the door open”, resulting in a breach of sensitive student and teacher information.

How useful is it to put a lock on an open gate or leave a key hanging in a locked door?

I warned Florida’s Department of Education about password problems in 2018. What action was taken to protect our children? Below is an excerpt from the document I sent in 2018 to the Florida Department of Education (both Commissioner Stewart and Commissioner Corcoran later in 2019), the Governor’s office (under Governor Rick Scott), and Hillsborough County Public School’s (HCPS) Superintendent Eakins.  The excerpt includes concerns about security and authentication practices.  In the fifth point I expressed concerns that this “…means young children’s [personally identifiable information] PII stored by the district in these systems is vulnerable to hacking”.

DocumentExcerpt_redactedThe bottom line: some Florida school districts have been creating and/or encouraging easily hackable passwords for very young children, and then impairing parents’ ability to create more secure passwords.

My experience with Hillsborough School’s default passwords and the recent limitations I faced to make passwords secure is shockingly similar to what Boca News Now reported about their district.  This year I was prohibited from changing an insecure password for a young child without Continue reading

Posted in Data Privacy, Hillsborough Schools, PII, Public Schools | Comments Off on Who Holds Florida School Districts Accountable?

Your Kid’s Educational Data: A Rich Target?

accomplishment accuracy accurate aim

Just before the end of the 2018-2019 school year a Tampa middle school cafeteria was bursting with parents attending a new student orientation. Rising sixth grade parents were told to use an online tool called Edsby for communicating with teachers.  They were repeatedly advised how vital it would be to check Edsby for student grades and assignments.  The presentation did not include material on student data privacy.

Edsby is a Canadian owned K-12 learning management system (LMS) and has been in use by Hillsborough Schools since 2013.

FERPA (a federal privacy law) is supposed to protect the privacy of student data, but does the existence of law actually create real protections or mean that the law is understood and followed?

Some parents in Ontario’s York Region School District were not passive about the implementation of Edsby in their district.  Dina Al-Shibeeb reported in “Stouffville parents fear potential breach, want kids’ information off education app” that parents who were informed of a “patched” security vulnerability in Edsby also “…fear it [Edsby] puts their children at risk of privacy violations.”

Why weren’t parents in Tampa’s Hillsborough County School District notified of this known vulnerability in Edsby? Should Hillsborough Schools regularly post its patched vulnerabilities and cybersecurity incidents that might compromise student (and parent) data?  Companies like Cisco do this; why should parents not be informed of the security issues related to their own personal student data?

If parents are not notified of security issues how will they know to take proactive steps to protect children, their identities, and their private information?  Some Hillsborough County Public School parents were not allowed to opt-out of student data collection in Edsby, nor have those parents been provided access to their student’s complete education data held by Education Technology (EdTech) applications like Edsby.

The Edsby product was selected by the district as an “online gradebook system”, but the cloud-based software is more than just an online gradebook. Hillsborough Schools uses Edsby for grades, report cards, parent/teacher communications, analytics, and possibly much more information on students.  According to a January 2018 Tech&Learning article, Edsby offers the capability to “capture pictures, conversations, audio clips and written observations”, tagging, etc.  Do parents get to access written observations if they are stored in Edsby?

Hillsborough Schools was an early adopter of Edsby and a beta test1 site for Edsby learning analytics. Was our district and student data the guinea pig for a new EdTech product in return for reduced pricing? A March 2018 letter indicates the district did receive reduced pricing (a 74% discount) for being an “early adopter” of Edsby.  Were any software vulnerabilities discovered during beta testing, putting student and parent data at risk?

In that same March 2018 letter, Aptiris (the service provider that implements Edsby for the school district) wrote: “One requirement that evolved over the initial contract period is the encryption of all data at rest.”  Remember, the initial Edsby contract was from 2013 and according to this document it apparently didn’t require that all data be encrypted2 at rest (stored). How many years was student data stored unencrypted?  Was sensitive school personnel data (social security numbers, credit card numbers, PINs, bank routing numbers, etc.) stored unencrypted?

The 2013 Hillsborough Schools RFP (request for proposal) evaluation criteria for selecting an “online gradebook system” did not include direct reference to the security of student data or vendor software.

The school district begins collecting student data from the point of registration and continues throughout their education.  That data is passed to the Edsby platform (including parent and family data). Does Edsby have access to student medical conditions, IEPs, behavioral records, attendance, etc.?  The Edsby privacy policy and terms of use raised concerns.

Data collected by software applications might include tracking your mouse clicks, what your mouse hovered over, time logged into reading a book, books accessed, assessment data, etc.

When K-12 student and teacher data for a district of over 200,000 students, is collected, aggregated, and stored online with little oversight or transparency, a responsible parent will have questions about data security and whether EdTech companies or their partners (or their partners…) are monetizing shared student data.

 

1beta test: The final stage in the testing of a new software or hardware product before its commercial release, conducted by testers other than its developers. (The American Heritage® Dictionary of the English Language, 5th Edition)

2encrypt: To alter (data)…to make the data unintelligible to unauthorized users while allowing a user with a key or password to convert the altered data back to its original state. (The American Heritage® Dictionary of the English Language, 5th Edition)

Posted in Uncategorized | Comments Off on Your Kid’s Educational Data: A Rich Target?

Was Angelina Jolie Elected To Hillsborough County School Board?

weird search results hcps0

A Hillsborough County Public Schools (HCPS) website posted a picture of Jolie as one of its school board members!  Maybe we can get an autograph if we attend a school board meeting!

Is this a joke? Was the website hacked?

This HCPS website was discovered by a citizen who performed an internet search for a list of current Hillsborough County School Board members and found Jolie gazing back.

Below is just one example (of many) where a search engine query returns a link to the HCPS staging website:

hcsb yahoo search result

This staging website for HCPS has clearly been indexed with search engines.  A staging website is a test environment that is not supposed to be public facing (published live on the internet) and if configured properly will not be indexed by search engines.  HCPS has nearly a $3B budget and does not appear to manage its website professionally.

How does the IT department have the time to play what has the appearance of a discourteous prank on a school board member?

The apparent ineptitude (the indexed live staging website) and lack of professionalism (posting a photo of Jolie for Dr. Hahn) is disappointing and it raises an important question.  The district IT department is responsible for managing seriously personal data about children, families, and personnel.  The school district is enabled by the Family Educational Rights and Privacy Act (FERPA) to make decisions about who they share that personal (and protected) information with – third parties like Edsby, Clever, i-Ready, etc.  School districts are enabled to do this without parental consent under FERPA (given certain requirements are met).  The question is: are those requirements actually being met by the school district and each third party (how would any parent know), and is it enough to protect the personal student data?

Students and parents are forced to trust that the district knows how to ensure and validate data is properly protected.  How do parents trust a school district that reportedly waited a year to tell parents that drinking water was contaminated with lead?

Examples like this website mess are concerning because of the picture it paints about the school district’s attention to detail and professionalism.  How well does the school district understand the complex world of information security and best practices for protecting student data (like prohibiting PII re-identification)?  The district is responsible for signing agreements with third parties that dictate what student data is shared and how the data is to be protected.

Managing a budget of nearly $3B of other people’s money (taxpayer money) is one thing – it is just money.  Managing and protecting (from harm and misuse) a child’s very personal information, that is collected and shared without consent, is an entirely different and complex matter dealing with your identity, safety, and privacy – and that data is something you can likely never delete or hide if it is revealed and propagated.

Posted in Hillsborough School Board, Hillsborough Schools, PII, Uncategorized | Comments Off on Was Angelina Jolie Elected To Hillsborough County School Board?

Teachers, Parents, Countrymen: How Much of Your Personal Data Does the School District Share?

I wondered how much data Hillsborough County Public Schools (HCPS) shares. What I found was the below excerpt in an agreement that HCPS has with a third party. The document was obtained through a public records request.

AptirisExcerptHCPShighlight

“Recipient” is a third party software services company. The above paragraph seems to provide no limitations on what could be disclosed from personnel records.

What about student records? The agreement seems to contradict itself.  It says: “No other personally identifiable student information [PII] will be disclosed to Recipient.” But it also says disclosure is “not limited to” the confidential student information it lists.  “No other” of an unlimited list is still unlimited.

We can safely assume the vendor stores more student information than what is itemized in that list; for example: teacher name.  The U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) explains in a 2013 document that student PII can include:

“…sensitive and non-sensitive information that, alone or combined with other information that is linked or linkable to a specific individual, would allow identification.”

Given that, it seems likely that teacher name is also personally identifiable student information (and parent name, parent phone number, etc.)

The school district has not provided any way for parents to opt their children out of data collection and aggregation products or services, and has refused to allow parents to opt out children when requested.

Hillsborough County School District must reconsider its agreement that allows a 3rd party’s bi-directional tool from having direct access to the school district’s system of record, especially if independent security experts have not inspected and validated the security and activities of that bi-directional tool.  This bi-directional tool seems to be described in a 2014 EdSurge article as a company secret.

If hackers or other malicious actors access a tool through potential vulnerabilities, they can continue probing for more software vulnerabilities and potentially gain access to even more data.  Should a bi-directional tool from an out of country vendor have access to “take data” from and write data to a U.S. school district’s system of record?  How secure is it?

Teachers, have you discussed this with your union?

Parents, ask the district exactly what specific data this bi-directional tool can access once in the district’s system(s) of record.  If this tool contains security vulnerabilities, then how secure is student data in the various systems of record against bad actors?  Is the privacy of your child’s sensitive information protected now, what about 15 years from now?

Posted in Data Privacy, Hillsborough Schools, PII, Uncategorized | Comments Off on Teachers, Parents, Countrymen: How Much of Your Personal Data Does the School District Share?

Who Has Your Kid’s Data?

Below is a story written by a mom in central Florida about an under-reported and growing problem in public schools.  She is sharing this story to bring attention to the lack of control parents have over protecting their children’s privacy in public schools, magnified by the rapid and seemingly uncontrolled deployment of education technologies (EdTech). 

Two years ago we discovered our Florida public school district had shared our family’s personal data with a third party private company based in another country.  We were shocked our school district had done this without our knowledge or consent.  The district refused to allow us to opt out and also emailed that they did not believe the third party private company would remove the student data in their application.

And so began a long journey that revealed the full extent of our public school system’s monopolistic and self-serving behavior.  We became increasingly alarmed as we realized the school district:

  • Collects and shares personal and protected information on students, parents, and sometimes school personnel with for-profit third parties. At least one third party has a privacy policy that explicitly states they can transfer the information as an asset in a sale or merger.
  • Allows for-profit third parties to collect personal data on students.
  • Allows a for-profit private company based in another country to write to the school district’s system of record.
  • Creates student accounts with third party companies using easily hackable passwords and does not always tell parents the accounts exist.
  • Does not tell parents with whom these third parties share student data or whether the data is correct or if vendor software contains security vulnerabilities.
  • Has not been able to keep school district employees from posting what is apparently sensitive personal student information on social media and the internet.
  • Does not appear to monitor school app use for compliance with COPPA (a federal law).
  • Performs health screenings and records results without directly notifying parents.

We were not surprised to read the scary details in an FBI alert that recommended parents discuss with school districts the types of questions we have been asking.

When we formally insisted on a full accounting of data collected and shared on our children, our right under FERPA (another federal law), we were ignored.  We asked for this accounting of our student data repeatedly and eventually the school escalated our request to the district, involving the school district attorneys.  The unfortunate result of escalation was that our request was ignored and our children were forced, against their will and ours, onto yet another third party technology that collected even more data on our children.

I could get into the details of what has transpired and the poor behavior displayed by the school district but I will stop here and spare you dozens of pages of reading material and a year’s worth of research on the failures of school districts to protect or honor student and family privacy.

We were advised to go to the media or hire an attorney but we were also told an attorney might run us five figures.  We wondered: If the school district can hide behind unresponsive tax-payer funded lawyers—where are ours?

-A mom from central Florida

Posted in Data Privacy, PII, Public Schools, Social Media Privacy, Uncategorized | Comments Off on Who Has Your Kid’s Data?

Hillsborough County Schools: Why Are Buses Still Late?

back bus education school

This year reports of late buses began the first week of school: frustrated, upset, and expect late buses.  Now some parents are fed up with continued problems of late or no-show buses into the seventh week of school, according to an ABC Actions News report.

History tells us one reason Hillsborough County school buses are late is driver shortages, yet in 2017 school district leaders were discussing how bell times were causing late buses.

On August 30, 2018 Candace Aviles reported that Tanya Arja, HCPS spokesperson, explained the district needed more drivers and was also trying to increase their pool of substitute drivers; that a driver shortage “could be adding to [bus] delays…”

On February 22, 2016 Sarah Rosario reported on late buses and Tanya Arja explained when drivers are on extended leave or call out sick and there are not enough drivers, then buses can be late.

In 2013, Danielle Hauser, Tampa Bay Times, reported what she was told about late buses:

A woman explained to me that they were short 10 bus drivers in our area, and until they could hire those drivers, some buses would do double runs.

Nothing seems to be different except bell times–buses have continued to be late or missing. Why isn’t the district reporting weekly late bus statistics compared to last year; is it better, the same, or worse?

CitizensLighthouse questioned the validity of changing bell times to fix late buses in April 2017, noting the causes for late buses summarized by Gibson Consulting Group did not appear to be fixed.  Are those problems fixed?  

Gibson Consulting Group (Gibson) made six recommendations “to achieve cost savings in Transportation” in their 2016 audit.  One of those six recommendations was “Increasing the staggering of bell schedules”.

Gibson Consulting Group (Gibson) also explains how changing bell schedules “to allow at least one hour between bell times” will cut costs:

…the Transportation Department could schedule more bus drivers and buses for three tiers [one driver serving three schools during the day], reducing the total number of bus drivers and buses required.  (145)

Then Gibson quantifies savings in bus drivers and attendants for staggering bell times, estimating savings of $2.7M annually (146).

While this could reduce the gap between the number of drivers needed and the number they have, the school district was still short drivers as of August 30.  Did changing bell times solve that problem?

According to Cindy Stewart, increasing the time between bells (elapsed time) is also a recommendation by the Council of the Great City Schools (CGCS), a national organization.  Their tagline is The Nation’s Voice for Urban Education.  Where is the report from CGCS that explains the reasons for that recommendation?

Susan Valdes, also on the Hillsborough County School Board, is listed as a 2017-2018 CGCS Executive Committee Member.

Cindy Stewart seemed to turn to CGCS in the School Board meeting on April 25, 2017 (time marker 2:16:47) before voting to approve the change in bell times:

I don’t believe the Gibson Report, Ms. Snively, is the first time that we’ve heard this…Council of Great City Schools brought this to us…the School Transportation Improvement plan had it in there as well…we will still have 10,000+ students late, next year [2017-2018], every day…

The problem with that statement is the Gibson Report recommended bell changes to cut costs.  Did some school board and district leaders conflate cost issues with late bus issues when this decision was made?  Melissa Snively was the only vote against changing bell times at this meeting.

Cindy Stewart also stated at that meeting “…bell times is not a transportation conversation.  This is an administrative conversation…”  

Bell schedule optimization is an operations problem because of its intimate relationship with bus routing.  In operations research these are commonly known as routing and scheduling problems.

When the district turns to state or national organizations (CGCS) for answers, the first question should be: Why can’t our staff solve the problem?

Has the bus driver absentee rate of 10% that Chris Farkas referenced in the April 25, 2017 board meeting been reduced?  How many students does that absenteeism rate impact if the district is still short both drivers and substitutes?

In April 2017 Superintendent Eakins posted a video implying the late bus problem was because certain bell times were too close together, referencing that we lack the standard number of minutes for drop-off and pick-up.

Eakins stated “across the State of Florida the standard is at least 55-75 minutes between bell times…”.  While some districts have instituted this hour-long (55-75 minute) elapsed time recommendation, not all districts have adopted this standard.

One size does not fit all.  We need winning solutions for getting students safely to and from school on time, and at a reasonable hour.

When the school district makes a change impacting all of its customers (change in bell schedule) they should provide the reports and statistics regarding the outcome of the communicated purpose. The purpose for the bell time change stated by Eakins: “At the heart of this decision is the need to secure appropriate instructional minutes for all our students”.  The concern is that students lose instructional minutes when buses are late.  Did the district establish a measurable target when they implemented this change? What are the results and have they met their stated goal?

Posted in HCPS Bell Schedules, Hillsborough School Board, Hillsborough Schools, Uncategorized | Comments Off on Hillsborough County Schools: Why Are Buses Still Late?

FBI Alert Encourages Increased Awareness of Student Data Collection and Cybersecurity Risks: Hillsborough Schools – Let’s Talk About It

StudentDataPrivacy

On September 13, 2018 the FBI released a public service announcement (PSA) and noted:

US school systems’ rapid growth of education technologies (EdTech) and widespread collection of student data could have privacy and safety implications if compromised or exploited.

The FBI lists the personal data that is at risk from data collection—and it isn’t just grades (it can include “…behavioral, disciplinary, and medical information…”).  They then provide several examples of actual malicious events and explain how the data was used:

…in late 2017, cyber actors exploited school information technology (IT) systems by hacking into multiple school district servers across the United States. They accessed student contact information, education plans, homework assignments, medical records, and counselor reports, and then used that information to contact, extort, and threaten students with physical violence and release of their personal information. The actors sent text messages to parents and local law enforcement, publicized students’ private information, posted student PII on social media, and stated how the release of such information could help child predators identify new targets.

In another example the FBI states “Cybersecurity issues were discovered in 2017 for two large EdTech companies, resulting in public access to millions of students’ data.”  One company “…suffered a breach and student data was posted for sale on the Dark Web.

Please read the PSA in its entirety, every parent should be made aware of this important information.  The FBI provides a list of recommendations for parents and families in the alert.

Aside from what was included in this alert, the data breaches and privacy concerns continue into 2018, here are two more events:

In March 2018 Politico reported a data breach at Florida Virtual Schools.  This breach was discussed in a post in which I also presented issues regarding how a third party obtained preschooler data to market a product.  Another question posed in that post was:  What independent studies exist that show data collection efforts are providing a statistically significant improvement in education outcomes?

Then there is this Google G-Suite (for education) privacy concern, posted by Missouri Education Watchdog.  This apparent invasion of privacy is very alarming.  In this post Cheri Kiesecker explains that:

School-issued student Google accounts connect to Google Drive which can allow for the ability to Auto-Sync devices to Auto-Save passwords, browsing history and other digital data points from numerous devices used by a single user…this could include digital data from non-school related accounts.

In our own district, Hillsborough County Public Schools collects student data in a variety of ways including: Continue reading

Posted in Data Privacy, Hillsborough Schools, PII, Social Media Privacy, Uncategorized | Comments Off on FBI Alert Encourages Increased Awareness of Student Data Collection and Cybersecurity Risks: Hillsborough Schools – Let’s Talk About It