The Facebook Data Privacy problem is bad, but it didn’t necessarily include very personal information collected by your child’s school district. One product heavily engaged in student data collection that includes social networking and learning analytics is Edsby. Edsby is a cloud-based software application developed by CoreFour Inc., based in Canada.
What Does Edsby Collect?
Two years ago, Hillsborough County Public Schools (HCPS) started collecting 1.3 million records every day in Edsby, according to an article in The Journal:
Hillsborough County Public Schools in Tampa, FL was a beta test site for Edsby’s learning analytics and has been capturing data about its 206,000 students for the entire 2015-16 school year, with 1.3 million records entering the district’s Edsby analytics system every school day.
Hillsborough County Schools is the eighth largest school district in the country and has been a customer of Edsby since 2013. How many records are being stored daily in Edsby now, more than two years after becoming the beta test site for Edsby’s learning analytics?
In January 2018, Tech & Learning described just what kind of qualitative data might be stored on children in Edsby without parental consent. It appears to include arguably non-academic data:
Edsby’s new…features enable teachers to easily take pictures or record videos, tag them by standards or learning goals, share them with parents and organize them to document growth and streamline reporting on student progress.
The new features’ strong performance on mobile devices enable teachers to capture digital artifacts in the classroom from phones and tablets.
What personal data could be stored in Edsby? Does it include a student’s medical conditions? Does it include personal information about Exceptional Student Education (ESE) or Individual Education Plans (IEP)? Does it include disciplinary actions, student surveys, or psychological test results? What data will districts collect under Social-Emotional Learning programs? Does it include private messages between parents and teachers? Grades? What are all the fields and media this platform stores? How is Edsby data accessed when one doesn’t want a user account (FERPA)? Are parents notified before personal information is included in any Edsby directory (FERPA)?
Five Data Privacy Concerns
Does Hillsborough County Public Schools (HCPS) require contractors like Edsby to follow the U.S. Department of Education’s (USDOE) Protecting Student Privacy While Using Online Educational Services: Model Terms of Service? Citizens Lighthouse asked about the data privacy policies on Twitter. While the tweet was directed at Hillsborough County Schools, only Edsby replied. Based on the information provided in that reply, Citizens Lighthouse has at least five concerns with the district’s use of Edsby:
The U.S. Department of Education’s Student privacy model terms of service CLEARLY provides a “WARNING!” that the phraseology below should NOT be included in the TOS (see here):
Providing Data or user content grants Provider an irrevocable right to license, distribute, transmit, or publicly display Data or user content.
Those two TOUs (TOS) sound similar, should we be concerned?
Second, the USDOE’s student privacy model terms of service also warns here that the school district should maintain control over changes in the TOU. Edsby explains:
De-identification typically requires more than just removing any obvious individual identifiers, as other demographic or contextual information can often be used to re-identify specific individuals. Retaining location and school information can also greatly increase the risk of re‐identification.
As a result, the USDOE specifies some details that should be included in agreements:
…because it can be difficult to fully de-identify [PII] data, as a best practice, the agreement should prohibit re-identification and any future data transfers unless the transferee also agrees not to attempt re-identification.
According to the Tampa Bay Times, HCPS blew through almost half ($146 million) of its financial reserves in three years and purportedly without the school board’s knowledge – given that, some feel trust is long gone.
Edsby seems to have no problem letting you know that they know your geographic location when asking probing questions on their website chat tool. It makes one wonder what could happen to your child’s data? Are they trustworthy? Was Facebook trustworthy?
Edsby does have this clause in their policy1:
But then again based on the conversation with HCPS it is understood that de-identification and re-identification clauses do not exist in separate agreements between the Hillsborough County School District and Edsby.
Fourth, what about “educational” researchers? According to The Washington Post that is how Cambridge Analytica “broke Facebook’s rules”— it was “under the pretense of academic use”. What is Hillsborough County Schools Policy on allowing access to student data for “academic use”?
And Last, The Washington Post reported that developers were encouraged to “build their businesses off Facebook’s data” via the Facebook feature “log-in through Facebook”.
When Edsby integrates with these systems it provides a way for you to log in to Edsby by using your Microsoft or Google authentication credentials.
Does that integration give Microsoft or Google access to student data?
In June 2017, Microsoft updated the OneNote Class Notebook add-in to include “Assignment and grade integration with Edsby”. OneNote is available to HCPS teachers and students for free under the district’s enterprise agreement with Microsoft. OneNote’s list of education partners is long.
The student data in the Edsby platform is stored in Microsoft’s Azure Cloud. Aside from the risk hackers pose, like this recent example at Bay District Schools, data might be accessible by not only the district but also by Edsby and Microsoft Azure. Having more parties managing and engaging with the data creates more opportunity for mistakes and subversive behavior.
If Hillsborough Schools has a different TOU under its contract or data sharing policy with Edsby then HCPS should publish the Edsby contract and data sharing policy online for transparency and trust. Those whose personal data is being collected, the students and their parents, have a vested interest in knowing if their data is safe and follows the USDOE’s student privacy model terms of service guidance.
There should be public oversight and total confidence that our data is safe from mining, profiling, and sharing. There should be transparency about what the district is doing, how they are doing it, and what they are collecting. Why should citizens have to jump through time-consuming hoops to get complete answers about the privacy of student data?
One district representative suggested speaking with IT Security regarding Edsby privacy questions but refused to provide a single name or contact number for that department, instead the phone call was forwarded to an “IT Security” line that rang endlessly with no voicemail. Why has the district not published a single contact for the IT Security and Privacy department?
Unfortunately this isn’t the only student data collection engine in the state, there is also Florida’s Statewide Longitudinal Data System (SLDS) or Education Data Warehouse (EDW). At least the FLDOE tells you what fields or data elements they collect on students, see here if you want to peruse that list, they even include a field for “Teenage Parent Program: Birth Weight of Child”. Should we be asking the FLDOE similar questions about student data privacy?
According to the Florida Department of Education (FLDOE) the SLDS has “multiple initiatives…to support…federal long-term goals” and is jointly funded by a Race to the Top (RTTT) grant, Federal SLDS grants, and the Florida Legislature.
How much is Hillsborough County School District paying Edsby annually for all services, licensing, training, etc. for the creation of a major data mining and analytics opportunity that might one day risk the privacy of student personal information?
Have all the possible loopholes been dutifully plugged with indecipherable legal jargon? Or is this just a data breach time bomb waiting to go off?
There are too many questions left unanswered about our children’s data privacy and it seemed safer when we had grades in a teacher (pen and paper) grade book and got paper report cards from a district printer with data likely pulled from a local mainframe every quarter. It would probably be a lot cheaper if we eliminated some of the district’s software and licensing, maybe even get the district out of their reported deficit. But the state and federal government want access to all that data, some highly invasive, for research on our children without parental consent. We should get back to the basics and reclaim local control of education and your children’s personal data.
In the meantime, who is really protecting your child’s data?