How Many Schools Leave Their Digital Doors Open and Expose Private Data or Get Data Duped?

Posted on April 26, 2018 by Harmonica

pexels-photo-331990.jpeg

According to a Politico article from March 2018, there was a major data breach of personal information at Florida Virtual School (FLVS).  While Florida Virtual School claimed they were hacked, the article notes two different people who explained that FLVS left their server open – in general that means anyone could access the server without having a password.  An analogy would be leaving for work with your front door wide open.  One of those people who insisted FLVS left the server open included Chris Petley, Leon County Schools spokesman.

Was that a FERPA violation? Does FERPA matter?

FERPA is the Family Educational Rights and Privacy Act (FERPA) and is a Federal law that protects the privacy of student education records.  But how well does it protect student privacy?

According to a blogger from Louisiana, Crazy Crawfish, FERPA is very outdated and was originally created in 1974.  This blogger’s post from 2013 is titled “FERPA does not protect student privacy, and never did.  The post provides a history of FERPA, changes to FERPA made by the U.S. Department of Education (not approved by Congress), and presents the most disturbing concern of all – the consequences or lack thereof for FERPA violations.  According to this blog:

FERPA has no defined penalties for folks who willfully and/or negligently and repetitively violate it

and

This means any vendor that obtains personally identifiable data is largely immune to any repercussions or restrictions on its use or misuse. This is a matter of settled law and an opinion issued by US ED…

Has FERPA been improved in the four years since this blog was published?  If there are not consequences that are ever materially enforced, then who cares about violations?

While schools and school districts may find it safer (for them) to outsource data storage and analytics to data collectors like Edsby or data stewards like Microsoft Azure, the more parties you introduce, the more third parties might have a way to misuse data.  Outsourcing may circumvent a school from accidentally having an “open door” on their district owned servers but it opens up another can of worms – third parties.

What Can Happen with Third Parties? 

The following is an example of how a third party seemed to manipulate an administrator into providing “directory” information.  FERPA requires parental notification prior to disclosing directory information, as the National Association of Colleges and Employers (NACE) explains in an April 2015 article “FERPA Primer: The Basics and Beyond”:

Directory information can be disclosed provided that the educational institution has given public notice of the type of information to be disclosed, the right of every student to forbid disclosure, and the time period within which the student or parent must act to forbid the disclosure.

In 2016, A Florida Voluntary Prekindergarten (VPK) provider and preschool was reportedly contacted and heavily encouraged to install an add-on into the preschool’s purchased software program, Procare, which manages student and family information.  Procare also offers programs to manage accounting, employees, and a corporate organizer.

When the preschool administrator was contacted, she originally thought the caller was Procare.  Only later in the call did she “understand” the caller was from “ABCmouse”.  The preschool reported that “they acted like it wasn’t even an option not to install”.   The caller had the preschool access an ABCmouse add-on file through the Procare software to install.  The add-on transmits student data to ABCmouse, supposedly at the initiation of the preschool.

That sounds like another win for big data at the expense of a child’s data privacy.

chess-checkmated-chess-pieces-black-white-957312.jpeg

Then the marketing of ABCmouse services began. A parent was alarmed to receive what appeared to be an email from the preschool encouraging parents to create an ABCmouse account to “be sure that what your child is learning at home is supporting what is being taught at school”.  It was alarming because the school had never mentioned ABCmouse to the parent and online learning did not align with the spirit of the school.  It wasn’t until this parent received the email solicitation containing the child’s personal information that it was discovered it was not ABCmouse or Procare who contacted the school.  The caller who encouraged the installation of the ABCmouse add-on was yet another third party, Kid Orange Tech.  Kid Orange Tech’s Facebook page says:

Our Educational Advisors help schools set up, use, and promote ABCmouse.com to build a connection between the classroom and home.

And that,

Kid Orange Tech is the exclusive distributor of ABCmouse.com for preschools and early learning centers.

Are these really educational advisors or are they third party representatives applying pressure and manipulative tactics to encourage the transmission of preschooler data for financial gain and the benefit of ABCmouse?

The email solicitation was not sent or written by the preschool, yet the verbiage in the email clearly misrepresented itself as the school with phrases like “our students” indicating the sender was the school, even signing the letter in a way that represented the school.

The parent was informed by Kid Orange Tech that “The only child data shared with ABCmouse.com is a child’s name, age, gender, school and the Parent/Guardian email on record”.  Unfortunately, that did not explain how ABCmouse got the classroom information used in the email.

Kid Orange Tech was somehow connected to ABCmouse who, in turn, has a relationship with ProcareProcare’s website indicates that the ABCmouse add-on is “Free”. It wasn’t free for the parent or child because it cost the parent and child their valued personal information that cannot be returned.

How much personal information was actually transmitted is unknown, maybe the only way to really know would be a forensic analysis of the software add-on’s code.  It also appears the preschool never notified parents of the apparent data transfer of “directory information”.  How many VPK providers have transmitted data to ABCmouse without parental notification?

Once ABCmouse has that student data, what does their privacy policy say they can do with the information?  ABCmouse is owned by Age of Learning.  Did Kid Orange Tech receive the data too?  Who developed the software add-on, was it Age of Learning or Procare?

When schools and VPK providers store private information they have an ethical responsibility to protect personally identifiable information.  Unfortunately for students and their parents, FERPA is outdated and because of the data scavengers out there, people can get duped.

Schools or VPK providers might or might not completely comply with FERPA, third party agreements might contain legal loopholes, and smaller educational facilities are not always technologically savvy.

All this data collection feels more like a ravenous mob trying to grab whatever data they can, while the parent is unable to retain control over their own child’s personal and sensitive data while in schools they are required to attend.

Many of the data collectors, like school districts, might claim using these third parties will save them money or provide some substantial benefit to education.  If so, I would like to see the independent studies that show data collection efforts are providing a statistically significant improvement in education outcomes.  What about those of us who value individual privacy and don’t care for the asserted “benefits”?

P.S. I would REALLY like to know how Facebook got my children’s names and auto-loaded them into a Facebook account – because it was NOT me.

This entry was posted in Data Privacy, PII, Uncategorized. Bookmark the permalink.