In the current digital age, where chalk dust mingles with pixels, classrooms across the nation are experiencing a profound transformation. From personal information and test scores to online behavior patterns, schools can amass an unprecedented amount of information. However, this increase in available information comes at a price: hostile parties are gaining more user information than ever. As privacy concerns grow, government intervention has become necessary.
There are three primary laws regarding student data and privacy: the Children’s Information Protection Act, the Children’s Online Privacy Act and the Family Educational Rights and Privacy Act. CIPA imposes restrictions on the kinds of content that students can access on the internet, and COPPA pertains to websites and applications that knowingly collect and use data from children under the age of 13. FERPA gives students and parents more autonomy over their online privacy and concerns all schools that receive funds from the U.S. Department of Education. These laws protect underage students’ data and ensure that entities handle the information with care and respect for their privacy.
Because MCPS must comply with these laws, most student information collected is site data rather than personal information. According to Information and Technology Systems Specialist Helen Ward, there are two ways this information is collected: through the school-assigned Google accounts and a connection to the school Chrome Wi-Fi.
The school accounts track student website information using the Google for Education platform. Unlike the commercial side of Google, this platform doesn’t allow for Google’s use or selling of student data unless required by MCPS.
“Since this is a school system and they have certain laws they have to live up to, they stay away from collecting everything,” Ward said. “They’re a data-mining company, so they want to collect our information, but they’re restricted by federal law.”
Most of the school’s data tracking occurs through student Google accounts and any connection to the IBoss system — a cloud security company that allows and blocks content based on filters decided by the administration and sets up firewalls to prevent viruses from affecting school accounts.
The reason data can be tracked, collected and flagged through the school wireless network is because the Google for Education platform traverses the Wi-Fi, hitching a ride off of the network so it can scan and track the site info of everything loaded while using the Wi-Fi to keep student data on their personal computers and phones safe. To bolster this security, an additional layer of firewall protection is implemented to ensure that third parties cannot access the data.
Additionally, there is a tracking system associated with the MCPS Wi-Fi system. Though mainly used for network maintenance, it can also track individual connections to the Wi-Fi system, said Chuck McGee, the director of the MCPS Department of Technology Infrastructure and Operations.
“We have network maps that help us to know where various wireless access points are,” McGee said. “When there is an issue, the maps simply help us identify where in the school one of the many wireless access points could be located.”
While MCPS uses the system to sort out issues with the Wi-Fi system, it also means that anyone connected can be tracked based on their proximity to specific wireless access points. In 2018, a group of former Howard County students were exposed for defacing school property. They were caught due to their phones’ automatic connection to the school Wi-Fi.
While both Google and Canvas are not permitted to use student data for any purposes not sanctioned by MCPS, other apps and websites are not bound by the same stipulations.
Joel Schwarz, an Adjunct Professor at Albany Law School specializing in Cybercrimes, Cybersecurity and Data Privacy, and the founder and one of the board members of the Student Data Privacy Project, or SDPP, voiced concerns about the lack of regulations these third-party providers have.
“There is a lot of data being collected by those apps that the schools are not able to oversee,” he said. “They’re not checking on many of the providers, and most importantly, I don’t think they’re very much aware of how much data is being gathered.”
Teachers often use sites like Deltamath and Khan Academy as educational aids. While they don’t directly share personal data with third parties, they create another access point for unknown parties, potentially exposing students’ information. Even sites like Naviance, which are required for college applications and career exploration, could reveal private data, Schwarz said.
Freshman Sam Kuzee is understandably worried about these developments and fears for the privacy of his personal information.
“If my data was revealed, I would feel unsafe and angry at the third parties who accessed my data without my permission,” Kuzee said.
Issues like extensive data collection by third-party apps and school systems intensify during incidents like the Illuminate data breach in 2022. The personal data of 820,000 current and former public school students in New York City was compromised, including personal information such as students’ names, birthdays and ethnicities. Additionally, the breach exposed information about whether students received special education services or financial aid. According to FERPA, there’s no mandatory retention time — the period in which data is kept — for student records. Many states set their restrictions on data retention, with the average tending to be five years.
MCPS keeps a log of student web traffic for approximately 60 days according to McGee. While this helps protect student information within the school’s data records, this practice does not apply to third-party apps and vendors, who often hold unknown amounts of sensitive data. Organizations like the SDPP work to protect student data by petitioning districts to enforce stricter data privacy laws and protect students.
“Data is the currency, and the more data you have the more currency you have,” Schwarz said. “So put that together, a large increase in the use of technology, very little oversight of the users and of the ed-tech providers, and the incentive to make a lot of money by using this data creates problems for protecting data privacy.”
Helen Ward • Oct 17, 2023 at 6:22 am
Very good article!