Will Your Kid’s School Data be the Next Privacy Breach?


The Facebook Data Privacy problem is bad, but it didn’t necessarily include very personal information collected by your child’s school district.  One product heavily engaged in student data collection that includes social networking and learning analytics is Edsby.  Edsby is a cloud-based software application developed by CoreFour Inc., based in Canada.

What Does Edsby Collect?

Two years ago, Hillsborough County Public Schools (HCPS) started collecting 1.3 million records every day in Edsby, according to an article in The Journal:

Hillsborough County Public Schools in Tampa, FL was a beta test site for Edsby’s learning analytics and has been capturing data about its 206,000 students for the entire 2015-16 school year, with 1.3 million records entering the district’s Edsby analytics system every school day.

Hillsborough County Schools is the eighth largest school district in the country and has been a customer of Edsby since 2013.  How many records are being stored daily in Edsby now, more than two years after becoming the beta test site for Edsby’s learning analytics?

In January 2018, Tech & Learning described just what kind of qualitative data might be stored on children in Edsby without parental consent.  It appears to include arguably non-academic data:

Edsby’s new…features enable teachers to easily take pictures or record videos, tag them by standards or learning goals, share them with parents and organize them to document growth and streamline reporting on student progress.

The new features’ strong performance on mobile devices enable teachers to capture digital artifacts in the classroom from phones and tablets.

What exactly does the author mean by “digital artifacts”? Is this designed to collect video and audio recordings of student and teacher interactions?  What are the Terms of Use and Privacy Policies of the mobile applications being used to capture “digital artifacts”? If a child is not tagged in the “digital artifact” or the teacher doesn’t share the media, does that mean the parent won’t even know the media exists?  What studies show that this type of invasion of privacy is significantly improving student education?

What personal data could be stored in Edsby? Does it include a student’s medical conditions? Does it include personal information about Exceptional Student Education (ESE) or Individual Education Plans (IEP)? Does it include disciplinary actions, student surveys, or psychological test results? What data will districts collect under Social-Emotional Learning programs? Does it include private messages between parents and teachers? Grades? What are all the fields and media this platform stores? How is Edsby data accessed when one doesn’t want a user account (FERPA)? Are parents notified before personal information is included in any Edsby directory (FERPA)?

Five Data Privacy Concerns

Does Hillsborough County Public Schools (HCPS) require contractors like Edsby to follow the U.S. Department of Education’s (USDOE) Protecting Student Privacy While Using Online Educational Services: Model Terms of Service?  Citizens Lighthouse asked about the data privacy policies on Twitter.  While the tweet was directed at Hillsborough County Schools, only Edsby replied.  Based on the information provided in that reply, Citizens Lighthouse has at least five concerns with the district’s use of Edsby:

First, the terms of service (TOS)¹ or terms of use (TOU) provided in the reply from Edsby state:

By posting that content on the Site or through the Services you grant CoreFour Inc. a limited royalty-free, perpetual, world-wide non-exclusive license to store, use, reproduce, publish, translate, distribute, and display the content in any media or medium, or any form, format, or forum now known or hereafter developed subject to the restrictions of our privacy policy.

The U.S. Department of Education’s Student privacy model terms of service CLEARLY provides a “WARNING!” that the phraseology below should NOT be included in the TOS (see here):

Providing Data or user content grants Provider an irrevocable right to license, distribute, transmit, or publicly display Data or user content.

Those two TOUs (TOS) sound similar. Should we be concerned?

Second, the USDOE’s student privacy model terms of service also warns here that the school district should maintain control over changes in the TOU.  Edsby explains:

CoreFour Inc. may make changes to these Terms of Use from time to time. We suggest you check these Terms of Use periodically for changes. Any modifications will take effect one month after being posted on the Site and in the Services. By your continuing use of the Site and/or Services after changes are posted, you will be deemed to have accepted such changes.

Third, and even more alarming, there is no explanation in Edsby’s TOU¹ or its Privacy Policy¹ detailing how well personally identifiable information (PII) is de-identified. The purpose of de-identification is that when your data is shared with someone else or analytics are performed, the recipient cannot identify who you are and associate you with your private data; the data is supposed to be anonymous. The problem, it seems, is that when an entity really wants to figure out who you are, it can try to merge its database with another database acquired elsewhere, or use other methods, to attempt re-identification of those who were loosely de-identified. The USDOE explains the challenges of de-identification here:

De-identification typically requires more than just removing any obvious individual identifiers, as other demographic or contextual information can often be used to re-identify specific individuals. Retaining location and school information can also greatly increase the risk of re-identification.

As a result, the USDOE specifies some details that should be included in agreements:

…because it can be difficult to fully de-identify [PII] data, as a best practice, the agreement should prohibit re-identification and any future data transfers unless the transferee also agrees not to attempt re-identification.
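One way a district could measure the risk the USDOE describes before releasing a "de-identified" export is a k-anonymity check over the fields left in the data. This is an added example, not code from the article, the USDOE, or Edsby; the records are constructed and the field names (`school`, `zip`, `birth_year`, `sex`, `iep`) are assumptions chosen for illustration.

```python
from collections import Counter

FIELDS = ("school", "zip", "birth_year", "sex", "iep")
# Constructed sample export: names and student IDs are already stripped.
ROWS = [
    ("North HS", "33601", 2002, "F", False),
    ("North HS", "33601", 2002, "F", True),
    ("North HS", "33602", 2002, "M", False),
    ("North HS", "33602", 2003, "M", True),
    ("South HS", "33610", 2002, "F", False),
    ("South HS", "33610", 2003, "F", True),
    ("South HS", "33611", 2003, "M", False),
    ("South HS", "33611", 2002, "M", False),
    ("South HS", "33611", 2003, "F", False),
]
RECORDS = [dict(zip(FIELDS, row)) for row in ROWS]

# Quasi-identifiers: not names, but fields that also appear in other
# datasets (yearbooks, rosters, voter files) and can be joined on.
QUASI_IDS = ("school", "zip", "birth_year", "sex")

def class_sizes(records, quasi_ids):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)

def k_anonymity(records, quasi_ids):
    """Smallest group size: each record hides among at least k-1 others."""
    return min(class_sizes(records, quasi_ids).values())

def unique_count(records, quasi_ids):
    """Records whose combination is one of a kind (k = 1), so any outside
    dataset carrying the same fields points at exactly one student."""
    sizes = class_sizes(records, quasi_ids)
    return sum(1 for r in records
               if sizes[tuple(r[q] for q in quasi_ids)] == 1)

def generalize(records):
    """Coarsen the export: suppress school, keep a 3-digit ZIP prefix."""
    return [{**r, "school": "*", "zip": r["zip"][:3] + "**"}
            for r in records]

if __name__ == "__main__":
    for label, data in (("as exported", RECORDS),
                        ("generalized", generalize(RECORDS))):
        print(label, "k =", k_anonymity(data, QUASI_IDS),
              "unique records =", unique_count(data, QUASI_IDS))
```

With school and full ZIP retained, most of the sample records are one of a kind even though no name is present; suppressing those two fields is what moves the export to k = 2.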

There is no mention in Edsby’s TOU¹ or Privacy Policy¹ of how it de-identifies student data. As it was understood from a conversation with one representative at Hillsborough Schools, there is not any requirement in their contract or data sharing agreement detailing how the data should be de-identified, or what fields should be removed, and that part of a data-sharing agreement is “trust”. What degree of trust did Facebook assume in its agreements with third parties?

According to the Tampa Bay Times, HCPS blew through almost half ($146 million) of its financial reserves in three years and purportedly without the school board’s knowledge – given that, some feel trust is long gone.

Edsby seems to have no problem letting you know that they know your geographic location when asking probing questions on their website chat tool.  It makes one wonder what could happen to your child’s data?  Are they trustworthy? Was Facebook trustworthy?

Edsby does have this clause in their policy¹:

You may have other agreements with CoreFour Inc. Those agreements are separate and in addition to these Terms of Use. These Terms of Use do not modify, revise or amend the terms of any other agreements you may have with CoreFour Inc.

But then again, based on the conversation with HCPS, it is understood that de-identification and re-identification clauses do not exist in separate agreements between the Hillsborough County School District and Edsby.

Fourth, what about “educational” researchers? According to The Washington Post that is how Cambridge Analytica “broke Facebook’s rules”— it was “under the pretense of academic use”. What is Hillsborough County Schools Policy on allowing access to student data for “academic use”?

And last, The Washington Post reported that developers were encouraged to “build their businesses off Facebook’s data” via the Facebook feature “log-in through Facebook”.

What happens when HCPS integrates Edsby with Google G Suite or Microsoft Office 365 for HCPS students and HCPS staff and one logs into Edsby using those Google or Microsoft credentials? According to Edsby’s Privacy Policy¹:

When Edsby integrates with these systems it provides a way for you to log in to Edsby by using your Microsoft or Google authentication credentials.

Does that integration give Microsoft or Google access to student data?

In June 2017, Microsoft updated the OneNote Class Notebook add-in to include “Assignment and grade integration with Edsby”.  OneNote is available to HCPS teachers and students for free under the district’s enterprise agreement with Microsoft. OneNote’s list of education partners is long.

The student data in the Edsby platform is stored in Microsoft’s Azure Cloud.  Aside from the risk hackers pose, like this recent example at Bay District Schools, data might be accessible by not only the district but also by Edsby and Microsoft Azure.  Having more parties managing and engaging with the data creates more opportunity for mistakes and subversive behavior.

Getting Answers?

If Hillsborough Schools has a different TOU under its contract or data sharing policy with Edsby then HCPS should publish the Edsby contract and data sharing policy online for transparency and trust.  Those whose personal data is being collected, the students and their parents, have a vested interest in knowing if their data is safe and follows the USDOE’s student privacy model terms of service guidance.

There should be public oversight and total confidence that our data is safe from mining, profiling, and sharing.  There should be transparency about what the district is doing, how they are doing it, and what they are collecting.  Why should citizens have to jump through time-consuming hoops to get complete answers about the privacy of student data?

One district representative suggested speaking with IT Security regarding Edsby privacy questions but refused to provide a single name or contact number for that department; instead, the phone call was forwarded to an “IT Security” line that rang endlessly with no voicemail. Why has the district not published a single contact for the IT Security and Privacy department?

Conclusion

Unfortunately, this isn’t the only student data collection engine in the state; there is also Florida’s Statewide Longitudinal Data System (SLDS) or Education Data Warehouse (EDW). At least the FLDOE tells you what fields or data elements they collect on students (see here if you want to peruse that list); they even include a field for “Teenage Parent Program: Birth Weight of Child”. Should we be asking the FLDOE similar questions about student data privacy?

According to the Florida Department of Education (FLDOE) the SLDS has “multiple initiatives…to support…federal long-term goals” and is jointly funded by a Race to the Top (RTTT) grant, Federal SLDS grants, and the Florida Legislature.

How much is Hillsborough County School District paying Edsby annually for all services, licensing, training, etc. for the creation of a major data mining and analytics opportunity that might one day risk the privacy of student personal information?

Have all the possible loopholes been dutifully plugged with indecipherable legal jargon?  Or is this just a data breach time bomb waiting to go off?

There are too many questions left unanswered about our children’s data privacy and it seemed safer when we had grades in a teacher (pen and paper) grade book and got paper report cards from a district printer with data likely pulled from a local mainframe every quarter.  It would probably be a lot cheaper if we eliminated some of the district’s software and licensing, maybe even get the district out of their reported deficit.  But the state and federal government want access to all that data, some highly invasive, for research on our children without parental consent.  We should get back to the basics and reclaim local control of education and your children’s personal data.

In the meantime, who is really protecting your child’s data?


¹ Edsby’s Privacy Policy and Terms of Service (TOS) dated 1/5/2018

 
