FBI Alert Encourages Increased Awareness of Student Data Collection and Cybersecurity Risks: Hillsborough Schools – Let’s Talk About It


On September 13, 2018 the FBI released a public service announcement (PSA) and noted:

US school systems’ rapid growth of education technologies (EdTech) and widespread collection of student data could have privacy and safety implications if compromised or exploited.

The FBI lists the personal data that is at risk from data collection—and it isn’t just grades (it can include “…behavioral, disciplinary, and medical information…”).  They then provide several examples of actual malicious events and explain how the data was used:

…in late 2017, cyber actors exploited school information technology (IT) systems by hacking into multiple school district servers across the United States. They accessed student contact information, education plans, homework assignments, medical records, and counselor reports, and then used that information to contact, extort, and threaten students with physical violence and release of their personal information. The actors sent text messages to parents and local law enforcement, publicized students’ private information, posted student PII on social media, and stated how the release of such information could help child predators identify new targets.

In another example the FBI states “Cybersecurity issues were discovered in 2017 for two large EdTech companies, resulting in public access to millions of students’ data.”  One company “…suffered a breach and student data was posted for sale on the Dark Web.

Please read the PSA in its entirety, every parent should be made aware of this important information.  The FBI provides a list of recommendations for parents and families in the alert.

Aside from what was included in this alert, the data breaches and privacy concerns continue into 2018, here are two more events:

In March 2018 Politico reported a data breach at Florida Virtual Schools.  This breach was discussed in a post in which I also presented issues regarding how a third party obtained preschooler data to market a product.  Another question posed in that post was:  What independent studies exist that show data collection efforts are providing a statistically significant improvement in education outcomes?

Then there is this Google G-Suite (for education) privacy concern, posted by Missouri Education Watchdog.  This apparent invasion of privacy is very alarming.  In this post Cheri Kiesecker explains that:

School-issued student Google accounts connect to Google Drive which can allow for the ability to Auto-Sync devices to Auto-Save passwords, browsing history and other digital data points from numerous devices used by a single user…this could include digital data from non-school related accounts.

In our own district, Hillsborough County Public Schools collects student data in a variety of ways including: Edsby, iReady online learning and assessments, and other platforms or mobile apps.  Under certain circumstances data can be provided to third parties without parental consent.

What restrictions are placed on those who sub-license data from third party apps that collect student data at Hillsborough schools?

Is the district proactively distributing privacy policies or terms of service (TOS) for those third parties at the time of registration (when personal data is first provided)?  Is the district providing their own interpretation, for parents, of what those policies could mean?

There is no place (found) where Hillsborough County Public Schools (HCPS) lists all the contracted third parties with access to student data, all the fields of data collected in all platforms, or communicates how or where data on medical, behavioral, psychological, or special education services are stored.

I asked the district on Twitter about what is included in Edsby in July and whether apps are vetted and if algorithms are open for inspection in August.  I also asked how well the school district protects Personally Identifiable Information (PII) in February.  The district has not yet responded to any of the questions.

Aggregating student data probably makes the data more interesting to hackers because of the number of profiles available. Is that data stored in a disparate manner so that if someone hacked the system they would not get the whole education file on hundreds of thousands of children?  Does HCPS tell parents what independent agencies audit the security of student data held by each contracted third party?

All the future uses and ramifications of student data collection are not known.  What uses are we not yet able to imagine? What possibilities are too far-fetched knowing students (somewhere in the U.S.) have already been threatened with this data?  Read what China is doing with their data, it is disturbing.  We have come a long way with technology in twenty years, where will we be in twenty more years?

Aside from the local school district, the Florida Department of Education manages a database called the Educational Data Warehouse (EDW).  This system contains student data collected from Florida’s school districts.  Recently, the Florida Department of Education’s (FLDOE) Office of Inspector General published a status report in regard to student data, and noted this finding “EIAS does not have internal controls to view user or system activity” does not have an anticipated completion date until “June 2021”.

In another post, I explained five data privacy concerns, the third concern focused on data de-identification (making private data anonymous) and how it doesn’t appear that Hillsborough County Schools follows the USDOE’s best practices in its data-sharing agreements, but as I understand it, they don’t have to follow best practices!

How will parents know what has been collected through all the different platforms used by the district (iReady, Edsby,…)? What other websites and apps are used by individual teachers and schools?

How do parents access Edsby student records when parents do not agree to the Edsby TOS or privacy policy? That question was directed at the Hillsborough County School Board and Superintendent Jeff Eakins on Twitter in June, but there was no answer.

Given the large amount of personal information collected on students, what is the district doing to limit the amount and type of private information being collected on students?  Knowing that EdTech companies are not always safe from those with malicious intent, the best way to protect student data is to limit its collection.

I would not be surprised if collecting all this data had little effect on education outcomes.

Parents should have a right to know everything that has been collected on their children, how well it is safeguarded, where it is stored, and how it is being used.

This feels like a modern age version of the wild-west. It feels like a dystopian state where parents—who want to protect the privacy and security of their children’s school data—are bypassed as the judge of what they determine is private and secure.

This entry was posted in Data Privacy, Hillsborough Schools, PII, Social Media Privacy, Uncategorized. Bookmark the permalink.