Just before the end of the 2018-2019 school year, a Tampa middle school cafeteria was bursting with parents attending a new student orientation. Parents of rising sixth graders were told to use an online tool called Edsby for communicating with teachers. They were repeatedly advised how vital it would be to check Edsby for student grades and assignments. The presentation did not include material on student data privacy.
Edsby is a Canadian-owned K-12 learning management system (LMS) and has been in use by Hillsborough Schools since 2013.
FERPA (a federal privacy law) is supposed to protect the privacy of student data, but does the existence of a law actually create real protections or mean that the law is understood and followed?
Some parents in Ontario’s York Region School District were not passive about the implementation of Edsby in their district. Dina Al-Shibeeb reported in “Stouffville parents fear potential breach, want kids’ information off education app” that parents who were informed of a “patched” security vulnerability in Edsby also “…fear it [Edsby] puts their children at risk of privacy violations.”
Why weren’t parents in Tampa’s Hillsborough County School District notified of this known vulnerability in Edsby? Should Hillsborough Schools regularly post its patched vulnerabilities and cybersecurity incidents that might compromise student (and parent) data? Companies like Cisco do this; why should parents not be informed of the security issues related to their own personal student data?
If parents are not notified of security issues, how will they know to take proactive steps to protect children, their identities, and their private information? Some Hillsborough County Public School parents were not allowed to opt out of student data collection in Edsby, nor have those parents been provided access to their student’s complete education data held by Education Technology (EdTech) applications like Edsby.
The Edsby product was selected by the district as an “online gradebook system”, but the cloud-based software is more than just an online gradebook. Hillsborough Schools uses Edsby for grades, report cards, parent/teacher communications, analytics, and possibly much more information on students. According to a January 2018 Tech&Learning article, Edsby offers the capability to “capture pictures, conversations, audio clips and written observations”, tagging, etc. Do parents get to access written observations if they are stored in Edsby?
Hillsborough Schools was an early adopter of Edsby and a beta test¹ site for Edsby learning analytics. Was our district and student data the guinea pig for a new EdTech product in return for reduced pricing? A March 2018 letter indicates the district did receive reduced pricing (a 74% discount) for being an “early adopter” of Edsby. Were any software vulnerabilities discovered during beta testing, putting student and parent data at risk?
In that same March 2018 letter, Aptiris (the service provider that implements Edsby for the school district) wrote: “One requirement that evolved over the initial contract period is the encryption of all data at rest.” Remember, the initial Edsby contract was from 2013 and according to this document it apparently didn’t require that all data be encrypted² at rest (stored). How many years was student data stored unencrypted? Was sensitive school personnel data (social security numbers, credit card numbers, PINs, bank routing numbers, etc.) stored unencrypted?
The 2013 Hillsborough Schools RFP (request for proposal) evaluation criteria for selecting an “online gradebook system” did not include direct reference to the security of student data or vendor software.
The school district begins collecting student data from the point of registration and continues throughout their education. That data is passed to the Edsby platform (including parent and family data). Does Edsby have access to student medical conditions, IEPs, behavioral records, attendance, etc.? The Edsby privacy policy and terms of use raised concerns.
Data collected by software applications might include tracking your mouse clicks, what your mouse hovered over, time logged into reading a book, books accessed, assessment data, etc.
When K-12 student and teacher data for a district of over 200,000 students is collected, aggregated, and stored online with little oversight or transparency, a responsible parent will have questions about data security and whether EdTech companies or their partners (or their partners…) are monetizing shared student data.
¹ beta test: The final stage in the testing of a new software or hardware product before its commercial release, conducted by testers other than its developers. (The American Heritage® Dictionary of the English Language, 5th Edition)
² encrypt: To alter (data)…to make the data unintelligible to unauthorized users while allowing a user with a key or password to convert the altered data back to its original state. (The American Heritage® Dictionary of the English Language, 5th Edition)