Congratulations Hillsborough Schools: Your Skills in Stonewalling Parents are Superb!

closeup photo of brown brick wall

My jaw dropped when I came across School Board Member Cindy Stuart’s comments from the July 30, 2019 Hillsborough County Public Schools (HCPS) board meeting.  Given what I know from years of research on student data security, her comment swirled around in the back of my thoughts for a few weeks after reading the meeting transcripts.  Then I remembered something that sent chills down my spine.  But before I mention that something here is a little background.

During that school board meeting, Cindy Stuart brought up the district’s mainframe computer in the midst of a brief discussion on data security and stated: “We were about to shut the whole thing down for the RNC”.  The assumption here is that there was a security problem in our own school district server that was problematic for the Republican National Committee (RNC).

The Republican National Convention was held in Tampa in 2012 when Ms. Stuart was running as a candidate for Hillsborough County School Board.  In 2016 the nation was in a tizzy over Russian interference in the U.S. elections.

Did Ms. Stuart mean the Republicans were concerned about the security of the school district server in 2012 or in 2016? Not sure, but she did sound concerned about the security of the mainframe (which presumably held significant amounts of personal student data) even though she does not provide details.  Why would the security of a school district server be relevant to the RNC? Confused? I’ll explain my thoughts.

The something that I remembered was an article about “Russian” Florida hacking that wasn’t actually by Russia.  The hacking came from Morocco.

In 2017 the Miami Herald published an article that EVERY SINGLE PARENT in Florida needs to read.  It provides insight into the massive edu-hacking problem and explains why school districts are targeted by groups like the Moroccan hacker group MoRo.  That group hacked “at least” four Florida school districts two months before the 2016 U.S. presidential election.  Three of those at least “four” school districts remain unnamed.   The Miami Herald article explains:

“That appears to have been one of the principal motivations for the hackers who sent malware to Florida school districts last fall — the promise of thousands of untarnished Social Security numbers.”

But here is the connection to why political parties would be concerned: “The hackers were also searching for some way to slip into other sensitive government systems, including state voting systems.”

“The hackers had been able to turn off the logs recording who entered certain computer systems and what they did while logged on. That made it difficult for the UDT analysts to know, with total certainty, what the hackers had done. It was a sophisticated maneuver that Sanchez and his team had never seen before.” [Emphasis added]

The statement that this was a “sophisticated maneuver” is questioned in this CSO article that seems to rightly challenge that assertion: “Silly me, I thought disabling logging was fairly common if a hacker doesn’t wanted busted immediately.”

Even more importantly the author “Ms. Smith” elaborates:

“Yet, if the hackers remained inside the systems for at least three months, that seems to be more than an “attempted” hack. Attempted, perhaps, pertains to stealing the personal information of hundreds of thousands of students and then selling the Social Security numbers on the dark web.”

Your child’s student data might include sensitive information (behavioral records, medical records, psychological evaluations, etc.).  You do not see all the data (and metadata) collected on your children by third party companies the district has contracted with to do their job by digitally assessing, testing, recording student data often without your consent.  How much data? One Learning Management System (LMS), Canvas, reportedly held more than this college student could have “ever imagined”:

When the file did arrive, it contained more information than he had ever imagined.

It was something like 400,301,000 individual data points about me,” said Short.

The information that was gathered on Short went well beyond test scores and basic analytics. It included details about how he used his mouse, how he interacted with the learning system and when he did it.” [Emphasis added]

Even if the security of this private information is not important to the parent, it will be to the child who grows up to discover his pristine credit records were tarnished because of edu-hacking well before he had a bank account.  And that doesn’t even begin to address all the other potential issues that could arise from the hacking or sharing of data from childrens’ EdTech accounts: threats, records getting changed, pranks, exposure of sensitive records, and adversity scoring for college admissions.  Some private student information, if released (accurate or not) or maliciously altered, might impact the acceptance of students to their college or employer of choice.

Don’t fool yourselves.  Student data isn’t stored in an impenetrable box in the sky protected by some magic dust.  People make mistakes (securing the data, developing software, and assigning kids bad passwords).  Vulnerabilities are found and data gets breached, hacked, or ransomed in a private server or in the cloud – it is as simple as that.  I think the Miami Herald articulates this point well.

What does this have to do with Hillsborough Schools: maybe nothing, but maybe not nothing.

On July 30, 2019 our school board (HCPS) voted to adopt the EdTech platform Canvas.  Canvas replaces Edsby and is a cloud platform.  Canvas touts the sheer size of student data they hold.  Below are two quotes from Dan Goldsmith, the former CEO of Instructure (Canvas’s parent company), in an investor’s conference from March 2019.  The first was found in the Washington Post:

We have the most comprehensive database on the educational experience in the globe. So given that information that we have, no one else has those data assets at their fingertips to be able to develop those algorithms and predictive models.” [Emphasis added]

And another quote from that investor meeting found here:

“Our DIG initiative, it is first and foremost a platform for ML [Machine Learning] and AI [Artificial Intelligence], and we will deliver and monetize it by offering different functional domains of predictive algorithms and insights…” [Emphasis added]

Machine learning can attempt to do things like predict future performance of students based on existing data.  What happened to the resilience of the human spirit and mind that often result in very unpredictably successful outcomes after a bumpy start? Will documented outcomes from machine learning results stigmatize and mark an early underachiever? The point is there is a lot of student data being collected and analyzed and potentially subjected to ML or AI in order to create new data on students.  The FBI even warned in 2018 about how much and what kind of student data, when collected electronically, is at risk.

Cindy Stuart, now running for Hillsborough County’s Clerk of Courts, did make that strange and curious statement in the July 30, 2019 board meeting that should raise questions and disturb every parent in the district who has kids in the school system.  Here are her comments:

“…I’ve been here seven and a half years and I remember touring the main frame room and practically got hives when you told me what was going on in there because that is my background.  And it wasn’t goodWe were about to shut the whole thing down for the RNC.  It was not pretty.” [Emphasis added]

She didn’t stop at “…it wasn’t good” or even that it practically gave her hives, she went on “It was not pretty”. What did Cindy Stuart mean with this alarming commentary?  What “RNC” was she referring to?

The timing of the 2016 Republican National Convention was pretty darn close to “Two months before the U.S. presidential election” when “international hackers slipped into the computer systems of at least four Florida school district networks” (Miami Herald)

Was our district one of the “at least” four? It is hard to know when the school district’s answers to my questions about data security have on more than one occasion left me concerns and questions when I wasn’t provided clear answers, hence, the stonewalling reference.

On July 18, 2020 I emailed Cindy Stuart for a statement regarding her comments above.  I have not received a reply at the time of this posting.  I also asked Ms. Stuart:

“Please clarify who or what you are referring to as the “RNC”? 

 Was this comment referring to the 2012 or 2016 Republican National Committee or Convention? 

Can you please elaborate specifically on what “was going on in there” [in the mainframe room] and why it was so concerning?”

In another case I requested emails from the school district regarding data breaches, public records, and the response was:

“preliminary estimated cost for information technology resources for your request of email communications between the dates you specified is $2,514.59.” 

And that, my friends, did not include the cost to redact the emails.  In a simpler request this is what happened when I asked the district about data breaches:

“Can you please confirm if Hillsborough County District Schools or any of its vendors have ever experienced a data breach of HCPS student or employee data?” [Emphasis added]

The answer from Tanja Arja, now Hillsborough Schools’ Chief Officer of Communications:

“The district cannot attest to the history of all vendor’s security incidents.  Florida law however requires organizations to report data breaches (See Florida Information Protection Act of 2014) [FIPA].  Since the law was enacted the district has not been officially notified of a data breach of district provided data nor is the district aware of an internal student or employee data breach requiring notification. [Hyperlinks and emphasis added]

Oh, my stomach turned at all the qualifying phrases in this statement and here is why:

Problem 1: Federal Student Privacy law (a.k.a FERPA) has no breach reporting requirement, the U.S. Student Privacy office only recommends reporting a breach of student data.  Florida’s privacy law, FIPA, does not require an institution “provide notice to the department of any breach of security” unless it affects “500 or more individuals in this state”.   How many student and medical data breaches are hiding behind that number (especially with the plethora of ransomware attacks on schools and medical clinics)?

Problem 2: They “cannot attest to …vendor’s security incidents” is shocking.  Under the federal student privacy law 99.31(a)(1)(B)(2) district vendors holding student data (as “school officials”) are required to be “under the direct control of the agency or institution with respect to the use and maintenance of education records”.  HCPS cannot attest…even when they hand over student data to vendors without parental consent?!

Problem 3: They did not answer the question.  My question used the wording “ever”.  It appears they are hiding behind a weak law that was not passed until 2014 (woefully late).   Further, state law says a breach “means unauthorized access of data in electronic form containing personal information.” If a hacker covered his tracks, as noted in the Miami Herald article, and one cannot validate if student data or “personal information” was accessed then is it a “breach”?  I think if a hacker was in the system and covered their tracks, you should not be assuming nothing was compromised. 

Problem 4: Even after 2014, they are not aware of “…student or employee data breach REQUIRING notification.” [emphasis added]   Were there any breaches of systems that did not require notification?

Problem 5: “Officially” notified.  Does this mean they get unofficial notifications of breaches that they don’t report?

I asked EVER and I got “since 2014” with a multitude of qualifiers.  Why can’t I get a straight answer when I ask the district IT questions dealing with security and data privacy?  I am a mom in this district who cares and has serious concerns about the safety and security of children.  This includes their identities, personal and private information, and future opportunities.  I am asking sincere questions.

Either HCPS is particularly adept at avoiding the clear intent of my question, as displayed in their answer reminiscent of Animal Farm’s Squealer, or they are really bad at communicating clearly.  If it is the latter, then the district might want to look closely at that situation and the confusion it creates for their concerned citizen and parent-customers:

I am tired of playing semantics and delayed response games with the district.  So now I will publicly ASK that district leaders please allay our concern with a clear answer to the following questions:

Has there EVER been a breach of HCPS district systems that affected any number of employees or students, regardless of whether it was determined by the district or authorities to have resulted in data being “access”ed?  Were all students and families notified in every case? Was Hillsborough County School District one of the Florida school districts hacked or infiltrated by the Moroccan hacking group MoRo?

Why are three of the “at least” four hacked school districts still unnamed?  My guess is that it comes down to Florida’s data privacy law.  If they cannot prove that data “containing personal information” was accessed or stolen because “hackers covered their tracks” then did the event qualify for the definition of a breach under the law?

The law is one thing, ethics is another.  Would it not be ethical to alert students and families of a possible student data hack if there is certainty someone did breach a system?  The escalating number of hacks and ransomware attacks on student and medical data where it is not always clear what data was accessed should concern everyone.

People are not infallible; they do make mistakes securing data.  People can be resourceful and determined, ingenuity isn’t limited to people with good intentions and unfortunately this is probably a characteristic that makes hackers successful in finding vulnerabilities.  The best way to protect your kids’ sensitive data is to push for limits regarding what schools collect and what school districts will allow (knowingly or unknowingly) their third party EdTech vendors to collect.  Once it is stored online, it becomes at risk for hacking or leaking.

I have called for action in a letter to several US Senators that was quoted in The National Pulse. The recommendations in that letter would help improve data security and student privacy.  One of which is to require all districts to have a “full time credentialed CyberSecurity and Student Privacy Expert”.  The other is to improve the state law that currently only requires reporting a breach when it affects 500 or more victims.  Another is to require training in state and federal privacy laws for all employees of a school district. The most important recommendation is to bring back the requirement to first obtain “student or parental consent”.  That requirement was removed from FERPA (Family and Educational Rights and Privacy Act of 1974) by the U.S. Department of Education in 2011.

I have reported more than one instance of apparent data breaches that affected several students, but according to the current 2014 state law, the victims do not have to be informed.  I have no knowledge about whether parents were told or if any investigation determined it was a verified data breach.  In one case I reported that very personal and identifiable student information was posted by a school district employee on a publicly available website.  The website was finally taken down.  In another case a tremendous amount of achievement and test data on an entire classroom appeared to have been posted on social media in a spreadsheet, and again, I reported and the tweet was removed.  Both of these events were discovered incidental to other research I was performing.  So, I wonder, how much more could actually be out there?

Under current law, it appears that if 499 student social security numbers were stolen then no legal requirement exists that students or parents be informed.  This, Florida lawmakers, is unacceptable.

Posted in Data Privacy, Hillsborough School Board, Hillsborough Schools, PII, Public Schools, Uncategorized | Leave a comment

Who Holds Florida School Districts Accountable?

cyclone fence in shallow photography

How useful is it to put a lock on an open gate?

On May 12 Boca News Now reported that a second grader hacked Palm Beach County School District’s student password system.  This isn’t the first time a Florida school system has had problems with security.  In 2018 Florida Virtual Schools “left the door open”, resulting in a breach of sensitive student and teacher information.

How useful is it to put a lock on an open gate or leave a key hanging in a locked door?

I warned Florida’s Department of Education about password problems in 2018. What action was taken to protect our children? Below is an excerpt from the document I sent in 2018 to the Florida Department of Education (both Commissioner Stewart and Commissioner Corcoran later in 2019), the Governor’s office (under Governor Rick Scott), and Hillsborough County Public School’s (HCPS) Superintendent Eakins.  The excerpt includes concerns about security and authentication practices.  In the fifth point I expressed concerns that this “…means young children’s [personally identifiable information] PII stored by the district in these systems is vulnerable to hacking”.

DocumentExcerpt_redactedThe bottom line: some Florida school districts have been creating and/or encouraging easily hackable passwords for very young children, and then impairing parents’ ability to create more secure passwords.

My experience with Hillsborough School’s default passwords and the recent limitations I faced to make passwords secure is shockingly similar to what Boca News Now reported about their district.  This year I was prohibited from changing an insecure password for a young child without Continue reading

Posted in Data Privacy, Hillsborough Schools, PII, Public Schools | Leave a comment

Your Kid’s Educational Data: A Rich Target?

accomplishment accuracy accurate aim

Just before the end of the 2018-2019 school year a Tampa middle school cafeteria was bursting with parents attending a new student orientation. Rising sixth grade parents were told to use an online tool called Edsby for communicating with teachers.  They were repeatedly advised how vital it would be to check Edsby for student grades and assignments.  The presentation did not include material on student data privacy.

Edsby is a Canadian owned K-12 learning management system (LMS) and has been in use by Hillsborough Schools since 2013.

FERPA (a federal privacy law) is supposed to protect the privacy of student data, but does the existence of law actually create real protections or mean that the law is understood and followed?

Some parents in Ontario’s York Region School District were not passive about the implementation of Edsby in their district.  Dina Al-Shibeeb reported in “Stouffville parents fear potential breach, want kids’ information off education app” that parents who were informed of a “patched” security vulnerability in Edsby also “…fear it [Edsby] puts their children at risk of privacy violations.”

Why weren’t parents in Tampa’s Hillsborough County School District notified of this known vulnerability in Edsby? Should Hillsborough Schools regularly post its patched vulnerabilities and cybersecurity incidents that might compromise student (and parent) data?  Companies like Cisco do this; why should parents not be informed of the security issues related to their own personal student data?

If parents are not notified of security issues how will they know to take proactive steps to protect children, their identities, and their private information?  Some Hillsborough County Public School parents were not allowed to opt-out of student data collection in Edsby, nor have those parents been provided access to their student’s complete education data held by Education Technology (EdTech) applications like Edsby.

The Edsby product was selected by the district as an “online gradebook system”, but the cloud-based software is more than just an online gradebook. Hillsborough Schools uses Edsby for grades, report cards, parent/teacher communications, analytics, and possibly much more information on students.  According to a January 2018 Tech&Learning article, Edsby offers the capability to “capture pictures, conversations, audio clips and written observations”, tagging, etc.  Do parents get to access written observations if they are stored in Edsby?

Hillsborough Schools was an early adopter of Edsby and a beta test1 site for Edsby learning analytics. Was our district and student data the guinea pig for a new EdTech product in return for reduced pricing? A March 2018 letter indicates the district did receive reduced pricing (a 74% discount) for being an “early adopter” of Edsby.  Were any software vulnerabilities discovered during beta testing, putting student and parent data at risk?

In that same March 2018 letter, Aptiris (the service provider that implements Edsby for the school district) wrote: “One requirement that evolved over the initial contract period is the encryption of all data at rest.”  Remember, the initial Edsby contract was from 2013 and according to this document it apparently didn’t require that all data be encrypted2 at rest (stored). How many years was student data stored unencrypted?  Was sensitive school personnel data (social security numbers, credit card numbers, PINs, bank routing numbers, etc.) stored unencrypted?

The 2013 Hillsborough Schools RFP (request for proposal) evaluation criteria for selecting an “online gradebook system” did not include direct reference to the security of student data or vendor software.

The school district begins collecting student data from the point of registration and continues throughout their education.  That data is passed to the Edsby platform (including parent and family data). Does Edsby have access to student medical conditions, IEPs, behavioral records, attendance, etc.?  The Edsby privacy policy and terms of use raised concerns.

Data collected by software applications might include tracking your mouse clicks, what your mouse hovered over, time logged into reading a book, books accessed, assessment data, etc.

When K-12 student and teacher data for a district of over 200,000 students, is collected, aggregated, and stored online with little oversight or transparency, a responsible parent will have questions about data security and whether EdTech companies or their partners (or their partners…) are monetizing shared student data.

 

1beta test: The final stage in the testing of a new software or hardware product before its commercial release, conducted by testers other than its developers. (The American Heritage® Dictionary of the English Language, 5th Edition)

2encrypt: To alter (data)…to make the data unintelligible to unauthorized users while allowing a user with a key or password to convert the altered data back to its original state. (The American Heritage® Dictionary of the English Language, 5th Edition)

Posted in Uncategorized

Was Angelina Jolie Elected To Hillsborough County School Board?

weird search results hcps0

A Hillsborough County Public Schools (HCPS) website posted a picture of Jolie as one of its school board members!  Maybe we can get an autograph if we attend a school board meeting!

Is this a joke? Was the website hacked?

This HCPS website was discovered by a citizen who performed an internet search for a list of current Hillsborough County School Board members and found Jolie gazing back.

Below is just one example (of many) where a search engine query returns a link to the HCPS staging website:

hcsb yahoo search result

This staging website for HCPS has clearly been indexed with search engines.  A staging website is a test environment that is not supposed to be public facing (published live on the internet) and if configured properly will not be indexed by search engines.  HCPS has nearly a $3B budget and does not appear to manage its website professionally.

How does the IT department have the time to play what has the appearance of a discourteous prank on a school board member?

The apparent ineptitude (the indexed live staging website) and lack of professionalism (posting a photo of Jolie for Dr. Hahn) is disappointing and it raises an important question.  The district IT department is responsible for managing seriously personal data about children, families, and personnel.  The school district is enabled by the Family Educational Rights and Privacy Act (FERPA) to make decisions about who they share that personal (and protected) information with – third parties like Edsby, Clever, i-Ready, etc.  School districts are enabled to do this without parental consent under FERPA (given certain requirements are met).  The question is: are those requirements actually being met by the school district and each third party (how would any parent know), and is it enough to protect the personal student data?

Students and parents are forced to trust that the district knows how to ensure and validate data is properly protected.  How do parents trust a school district that reportedly waited a year to tell parents that drinking water was contaminated with lead?

Examples like this website mess are concerning because of the picture it paints about the school district’s attention to detail and professionalism.  How well does the school district understand the complex world of information security and best practices for protecting student data (like prohibiting PII re-identification)?  The district is responsible for signing agreements with third parties that dictate what student data is shared and how the data is to be protected.

Managing a budget of nearly $3B of other people’s money (taxpayer money) is one thing – it is just money.  Managing and protecting (from harm and misuse) a child’s very personal information, that is collected and shared without consent, is an entirely different and complex matter dealing with your identity, safety, and privacy – and that data is something you can likely never delete or hide if it is revealed and propagated.

Posted in Hillsborough School Board, Hillsborough Schools, PII, Uncategorized

Teachers, Parents, Countrymen: How Much of Your Personal Data Does the School District Share?

I wondered how much data Hillsborough County Public Schools (HCPS) shares. What I found was the below excerpt in an agreement that HCPS has with a third party. The document was obtained through a public records request.

AptirisExcerptHCPShighlight

“Recipient” is a third party software services company. The above paragraph seems to provide no limitations on what could be disclosed from personnel records.

What about student records? The agreement seems to contradict itself.  It says: “No other personally identifiable student information [PII] will be disclosed to Recipient.” But it also says disclosure is “not limited to” the confidential student information it lists.  “No other” of an unlimited list is still unlimited.

We can safely assume the vendor stores more student information than what is itemized in that list; for example: teacher name.  The U.S. Department of Education’s Privacy Technical Assistance Center (PTAC) explains in a 2013 document that student PII can include:

“…sensitive and non-sensitive information that, alone or combined with other information that is linked or linkable to a specific individual, would allow identification.”

Given that, it seems likely that teacher name is also personally identifiable student information (and parent name, parent phone number, etc.)

The school district has not provided any way for parents to opt their children out of data collection and aggregation products or services, and has refused to allow parents to opt out children when requested.

Hillsborough County School District must reconsider its agreement that allows a 3rd party’s bi-directional tool from having direct access to the school district’s system of record, especially if independent security experts have not inspected and validated the security and activities of that bi-directional tool.  This bi-directional tool seems to be described in a 2014 EdSurge article as a company secret.

If hackers or other malicious actors access a tool through potential vulnerabilities, they can continue probing for more software vulnerabilities and potentially gain access to even more data.  Should a bi-directional tool from an out of country vendor have access to “take data” from and write data to a U.S. school district’s system of record?  How secure is it?

Teachers, have you discussed this with your union?

Parents, ask the district exactly what specific data this bi-directional tool can access once in the district’s system(s) of record.  If this tool contains security vulnerabilities, then how secure is student data in the various systems of record against bad actors?  Is the privacy of your child’s sensitive information protected now, what about 15 years from now?

Posted in Data Privacy, Hillsborough Schools, PII, Uncategorized

Who Has Your Kid’s Data?

Below is a story written by a mom in central Florida about an under-reported and growing problem in public schools.  She is sharing this story to bring attention to the lack of control parents have over protecting their children’s privacy in public schools, magnified by the rapid and seemingly uncontrolled deployment of education technologies (EdTech). 

Two years ago we discovered our Florida public school district had shared our family’s personal data with a third party private company based in another country.  We were shocked our school district had done this without our knowledge or consent.  The district refused to allow us to opt out and also emailed that they did not believe the third party private company would remove the student data in their application.

And so began a long journey that revealed the full extent of our public school system’s monopolistic and self-serving behavior.  We became increasingly alarmed as we realized the school district:

  • Collects and shares personal and protected information on students, parents, and sometimes school personnel with for-profit third parties. At least one third party has a privacy policy that explicitly states they can transfer the information as an asset in a sale or merger.
  • Allows for-profit third parties to collect personal data on students.
  • Allows a for-profit private company based in another country to write to the school district’s system of record.
  • Creates student accounts with third party companies using easily hackable passwords and does not always tell parents the accounts exist.
  • Does not tell parents with whom these third parties share student data or whether the data is correct or if vendor software contains security vulnerabilities.
  • Has not been able to keep school district employees from posting what is apparently sensitive personal student information on social media and the internet.
  • Does not appear to monitor school app use for compliance with COPPA (a federal law).
  • Performs health screenings and records results without directly notifying parents.

We were not surprised to read the scary details in an FBI alert that recommended parents discuss with school districts the types of questions we have been asking.

When we formally insisted on a full accounting of data collected and shared on our children, our right under FERPA (another federal law), we were ignored.  We asked for this accounting of our student data repeatedly and eventually the school escalated our request to the district, involving the school district attorneys.  The unfortunate result of escalation was that our request was ignored and our children were forced, against their will and ours, onto yet another third party technology that collected even more data on our children.

I could get into the details of what has transpired and the poor behavior displayed by the school district but I will stop here and spare you dozens of pages of reading material and a year’s worth of research on the failures of school districts to protect or honor student and family privacy.

We were advised to go to the media or hire an attorney but we were also told an attorney might run us five figures.  We wondered: If the school district can hide behind unresponsive tax-payer funded lawyers—where are ours?

-A mom from central Florida

Posted in Data Privacy, PII, Public Schools, Social Media Privacy, Uncategorized

Hillsborough County Schools: Why Are Buses Still Late?

back bus education school

This year reports of late buses began the first week of school: frustrated, upset, and expect late buses.  Now some parents are fed up with continued problems of late or no-show buses into the seventh week of school, according to an ABC Actions News report.

History tells us one reason Hillsborough County school buses are late is driver shortages, yet in 2017 school district leaders were discussing how bell times were causing late buses.

On August 30, 2018 Candace Aviles reported that Tanya Arja, HCPS spokesperson, explained the district needed more drivers and was also trying to increase their pool of substitute drivers; that a driver shortage “could be adding to [bus] delays…”

On February 22, 2016 Sarah Rosario reported on late buses and Tanya Arja explained when drivers are on extended leave or call out sick and there are not enough drivers, then buses can be late.

In 2013, Danielle Hauser, Tampa Bay Times, reported what she was told about late buses:

A woman explained to me that they were short 10 bus drivers in our area, and until they could hire those drivers, some buses would do double runs.

Nothing seems to be different except bell times–buses have continued to be late or missing. Why isn’t the district reporting weekly late bus statistics compared to last year; is it better, the same, or worse?

CitizensLighthouse questioned the validity of changing bell times to fix late buses in April 2017, noting the causes for late buses summarized by Gibson Consulting Group did not appear to be fixed.  Are those problems fixed?  

Gibson Consulting Group (Gibson) made six recommendations “to achieve cost savings in Transportation” in their 2016 audit.  One of those six recommendations was “Increasing the staggering of bell schedules”.

Gibson Consulting Group (Gibson) also explains how changing bell schedules “to allow at least one hour between bell times” will cut costs:

…the Transportation Department could schedule more bus drivers and buses for three tiers [one driver serving three schools during the day], reducing the total number of bus drivers and buses required.  (145)

Then Gibson quantifies savings in bus drivers and attendants for staggering bell times, estimating savings of $2.7M annually (146).

While this could reduce the gap between the number of drivers needed and the number they have, the school district was still short drivers as of August 30.  Did changing bell times solve that problem?

According to Cindy Stewart, increasing the time between bells (elapsed time) is also a recommendation by the Council of the Great City Schools (CGCS), a national organization.  Their tagline is The Nation’s Voice for Urban Education.  Where is the report from CGCS that explains the reasons for that recommendation?

Susan Valdes, also on the Hillsborough County School Board, is listed as a 2017-2018 CGCS Executive Committee Member.

Cindy Stewart seemed to turn to CGCS in the School Board meeting on April 25, 2017 (time marker 2:16:47) before voting to approve the change in bell times:

I don’t believe the Gibson Report, Ms. Snively, is the first time that we’ve heard this…Council of Great City Schools brought this to us…the School Transportation Improvement plan had it in there as well…we will still have 10,000+ students late, next year [2017-2018], every day…

The problem with that statement is the Gibson Report recommended bell changes to cut costs.  Did some school board and district leaders conflate cost issues with late bus issues when this decision was made?  Melissa Snively was the only vote against changing bell times at this meeting.

Cindy Stewart also stated at that meeting “…bell times is not a transportation conversation.  This is an administrative conversation…”  

Bell schedule optimization is an operations problem because of its intimate relationship with bus routing.  In operations research these are commonly known as routing and scheduling problems.

When the district turns to state or national organizations (CGCS) for answers, the first question should be: Why can’t our staff solve the problem?

Has the bus driver absentee rate of 10% that Chris Farkas referenced in the April 25, 2017 board meeting been reduced?  How many students does that absenteeism rate impact if the district is still short both drivers and substitutes?

In April 2017 Superintendent Eakins posted a video implying the late bus problem was because certain bell times were too close together, referencing that we lack the standard number of minutes for drop-off and pick-up.

Eakins stated “across the State of Florida the standard is at least 55-75 minutes between bell times…”.  While some districts have instituted this hour-long (55-75 minute) elapsed time recommendation, not all districts have adopted this standard.

One size does not fit all.  We need winning solutions for getting students safely to and from school on time, and at a reasonable hour.

When the school district makes a change impacting all of its customers (change in bell schedule) they should provide the reports and statistics regarding the outcome of the communicated purpose. The purpose for the bell time change stated by Eakins: “At the heart of this decision is the need to secure appropriate instructional minutes for all our students”.  The concern is that students lose instructional minutes when buses are late.  Did the district establish a measurable target when they implemented this change? What are the results and have they met their stated goal?

Posted in HCPS Bell Schedules, Hillsborough School Board, Hillsborough Schools, Uncategorized

FBI Alert Encourages Increased Awareness of Student Data Collection and Cybersecurity Risks: Hillsborough Schools – Let’s Talk About It

StudentDataPrivacy

On September 13, 2018 the FBI released a public service announcement (PSA) and noted:

US school systems’ rapid growth of education technologies (EdTech) and widespread collection of student data could have privacy and safety implications if compromised or exploited.

The FBI lists the personal data that is at risk from data collection—and it isn’t just grades (it can include “…behavioral, disciplinary, and medical information…”).  They then provide several examples of actual malicious events and explain how the data was used:

…in late 2017, cyber actors exploited school information technology (IT) systems by hacking into multiple school district servers across the United States. They accessed student contact information, education plans, homework assignments, medical records, and counselor reports, and then used that information to contact, extort, and threaten students with physical violence and release of their personal information. The actors sent text messages to parents and local law enforcement, publicized students’ private information, posted student PII on social media, and stated how the release of such information could help child predators identify new targets.

In another example the FBI states “Cybersecurity issues were discovered in 2017 for two large EdTech companies, resulting in public access to millions of students’ data.”  One company “…suffered a breach and student data was posted for sale on the Dark Web.

Please read the PSA in its entirety, every parent should be made aware of this important information.  The FBI provides a list of recommendations for parents and families in the alert.

Aside from what was included in this alert, the data breaches and privacy concerns continue into 2018, here are two more events:

In March 2018 Politico reported a data breach at Florida Virtual Schools.  This breach was discussed in a post in which I also presented issues regarding how a third party obtained preschooler data to market a product.  Another question posed in that post was:  What independent studies exist that show data collection efforts are providing a statistically significant improvement in education outcomes?

Then there is this Google G-Suite (for education) privacy concern, posted by Missouri Education Watchdog.  This apparent invasion of privacy is very alarming.  In this post Cheri Kiesecker explains that:

School-issued student Google accounts connect to Google Drive which can allow for the ability to Auto-Sync devices to Auto-Save passwords, browsing history and other digital data points from numerous devices used by a single user…this could include digital data from non-school related accounts.

In our own district, Hillsborough County Public Schools collects student data in a variety of ways including: Continue reading

Posted in Data Privacy, Hillsborough Schools, PII, Social Media Privacy, Uncategorized

Hillsborough Schools Operational Problems Running Rampant

A new Tampa Bay Times article has shocking revelations about the state of our public school facilities.  The article summarizes the conditions and repercussions that failing AC units have had on students, classrooms, food, technology, instruments, and even band uniforms.

Could anyone have imagined the AC problems at Hillsborough Schools ran this deep?  Is this an extension of what appears to be operational mismanagement of district transportation?

What happened to school district reserves, routine maintenance, busing service, and safe drinking water? It is mind-boggling.  Did operations leaders see this coming?  Is school district leadership incompetent?  Why has facilities maintenance become backlogged so severely over the years (“nearly $1 billion” in deferred maintenance) when money was being spent reprehensibly?

Over $180 million of our district reserves was gone in 2015, triggering a potential downgrade with ratings agencies.  Bond ratings are like a credit score for the district.  When a downgrade occurs borrowing becomes more difficult and the cost to borrow can increase – meaning more interest expense.  Most of that $180 million was reportedly spent on the failed Gates-backed Empowering Effective Teachers (EET) project. Former district superintendent Elia was fired by the Hillsborough County School Board, but the school board should have known how and where money was spent: month over month, year over year, and actuals to budget on a monthly basis.   Now the school district wants to tax us after showing us their poor money management skills.

That is a lot of money reportedly wasted on the failed Gates Foundation project.  That money would have better served children by repairing and maintaining facilities.  Instead, the district pandered to the Gates Foundation’s latest education fad.  What is next?  Is Social Emotional Learning (SEL) a similar fad?

Questions about SEL spending have gone unanswered.  CitizensLighthouse questioned SEL spending in these tweets: materials and trainingdistrict time, and funding.  Many articles have been written criticizing SEL.

How much money is wasted on non-vital programs when this is the state of our facilities?  As usual, there is no response to questions on twitter.

CitizensLighthouse also asked if certain accounting problems reported in Gibson Consulting Group’s 2016 Operational Efficiency Audit have been fixed – there was no response.

Gibson summarized three problems with account codes in that audit: Continue reading

Posted in Hillsborough School Board, Hillsborough Schools, Uncategorized

HCPS Operations Keeps Missing the Bus

bus stop printed on asphalt road

Hillsborough County Public Schools (HCPS) issues are stacking up: lead in the drinking water, non-functioning air conditioners, mold in schools, radon testing, late buses, and a first grader dropped 20 miles from home.  Is this because the state is underfunding school maintenance, as has been suggested by Superintendent Eakins, or is it mismanagement?

Accountability needs to sit with those responsible – local school district leaders (i.e. the School Board and leaders in Hillsborough County School District).  Would you continue to employ anyone whose actions lacked expertise, professionalism, or transparency?  How well would your family physician perform duties if you only required the physician to have a degree in biology? Likewise, you don’t hire a physician to be your auto mechanic.

Was the lack of transparency that occurred when the district started testing for lead without notifying parents due to a lack of state funding?  Parents should have been notified as soon as lead testing began, and as soon as any lead was found, so parents could consult their pediatricians in a timely manner with concerns.  Telling parents what is going on does not require money.  HCPS Operations seems to be in damage control mode.

In 2014 Chris Farkas was selected as the Chief of Facilities, heading the transportation, maintenance, custodian, and facilities departments.  The position was renamed Chief Operating Officer in 2015.  According to the Tampa Tribune, this position paid $137,248.  The operations department should be responsible for fixing transportation, a/c problems, mold remediation, and lead and radon testing.

An expensive audit in 2016 by Gibson Consulting Group (Gibson) identified a lack of credentials required for certain jobs in the school district.  The report noted that “operational leadership positions” needed upgraded job descriptions and that operational job descriptions were “generic” and lacked “technical requirements”.

In my opinion operational leadership positions (especially when logistics related) call for a degree in Operations Research, Industrial Engineering, or Industrial Management; an MBA would be an additional plus for this type of position.

What qualifications did the Chief of Facilities have in 2014? In 2014 the Tampa Tribune reported Chris Farkas has a “…secondary education bachelor’s degree in comprehensive social sciences. He has a master’s degree in educational leadership from National Louis University.”  Educational Leadership is also HCPS’s preferred degree for the General Manager, Transportation position—which is not a technical degree.  That job description specifies its preferred certification: “Certifications in appropriate technical field preferred” – which is not the name of any certification.  Can anyone in the HCPS Operations Department discuss queuing theory, game theory, or develop linear programming models?

In 2017 the district said they needed to change school start and release times to increase the time between bells (elapsed time), because that elapsed time was the root cause for late buses.  Where is the data-driven evidence to support that root cause?  Several other known and documented causes for late buses were identified in Gibson’s audit.  The district decided to go with a one-size-fits-all (standard) recommendation for all urban school districts (that does not consider local traffic patterns or area needs).  What happened to the clearly identified problems causing late buses—were they rectified?

While HCPS was deciding on new bell times in 2017, MIT’s Operations Research Center won a challenge to provide solutions to the busing and bell time problems at Boston Public Schools.  If this is a challenge for operations research (OR) experts, how should anyone expect leader(s) who apparently do not have a degree related to this field to solve or even fully understand the problem and effectively communicate the problem with the public?  If this is the scope of the problem in our district, then do we have OR expertise on staff?

A successful industry example on a larger scale is ORION, built by UPS.  According to UPS, it began a prototype in 2008 and didn’t launch until 2013, completing in 2016.  While student riders are not “packages”, the concept is similar; it is a classic optimization in operations research problem.  A case study by Business for Social Responsibility (BSR) explains who UPS had on their original team:

The development took place within the Operations Research and Advanced Analytics groups, starting with a small, diverse team: a PhD in operations research, an industrial engineer, a UPS business manager, and several software engineers. – BSR, March 2016

It is not coincidental that the composition of that UPS team reflects my recommendations for certain operational leadership positions.

Has the District Superintendent or Deputy Superintendent, Operations considered developing a partnership with the local INFORMS Chapter at USF or USF’s IMSE department?

If HCPS’s job description only requires an educational leadership degree, how should anyone expect the problem to be solved given the complexity?

The problem is not limited to late buses, fewer students being served can contribute to traffic problems and unsafe conditions, and the list of facilities concerns now includes a/c reliability, mold, lead, and radon.

In mid-2018 Chris Farkas was promoted to Deputy Superintendent, Operations, arguably the most important position in the school district.  The HCPS Operations Department now includes Transportation, Maintenance, Human Resources, Information Technology, Business Services, Growth Management and Planning, Student Nutrition, and Security and Emergency Management.

After rearranging school start times to fix late buses, are buses still late?  Check out one of Hillsborough School District’s tweets setting expectations for buses to be late up to 2.5 hours for two weeks; how is that acceptable?  Was this a poor solution that might not even work, placed on the backs of students and the families the district serves?

Are parents aware of the HCPS courtesy busing survey? How many buses are currently over-crowded? How many students have been picked-up or dropped-off late so far this year?  How much instructional time have students missed?  How many parents have been late to work because a bus was late picking-up?  Why aren’t bus statistics reported on the district website (transparency)?

The decisions that impact the success of student transportation and facilities conditions are impacted by the financial, business, and operational acumen of those managing district operations.  HCPS is the 8th largest school district in the nation. Its general fund exceeds $1.5 billion and the tentative budget recommended on August 1, 2018 exceeds $3 billion.  The qualifications of our leaders, responsible for managing the district operations for over 200,000 students, should be top-notch.

Remember—you don’t hire a physician to be your auto mechanic.  It is easier to blame money than to fix political, operational, and leadership problems.  It is time for a new approach to running the school district. Parents need to objectively study the issues, and rally together to hold the school district leaders accountable for their actions and decisions.

Posted in HCPS Bell Schedules, Hillsborough School Board, Hillsborough Schools, Uncategorized | 3 Comments