Good afternoon, and welcome to another year of FPF’s Student Privacy Newsletter! Below, we’ve rounded up noteworthy student privacy issues that surfaced in December and January. We saw a renewed focus on student mental health, continued attention to student privacy and equity during the pandemic, and several international child privacy developments.
Quick reminder: If you haven’t already, don't forget to sign up for FPF's free 10-month Student Privacy “Train-the-Trainer” Program that will help you become a student privacy expert and engage with other student privacy experts from across the country! This year we are offering two programs, one for K-12 (particularly professors at colleges of teacher education) and one for Higher Education. To learn more or nominate someone to join the program, please email Jim Siegl (email@example.com).
Before we get to the news, here are a few recent releases from FPF:
Last but not least, we’re excited to release FPF’s Youth and Education Privacy team’s 2020 Year in Review report, highlighting the Youth & Education team’s work over the past year! Thanks to all of you for sharing our resources and partnering with us - we look forward to collaborating with all of you even more in the year ahead!
- On February 10, join FPF’s 11th annual Privacy Papers for Policymakers, honoring leading privacy scholarship applicable to policymakers and regulators around the world. Of particular note, one of the winning papers explores what 1st and 4th Amendment legal challenges to student surveillance might look like and the likelihood of success of those arguments: Tinker-ing with Machine Learning: The Legality and Consequences of Online Surveillance of Students, by Amy B. Cyphert, West Virginia University College of Law.
- In early January, we released the Student Privacy Communications Toolkit: For Schools & Districts, which includes guidance, information, and insight of interest to all education stakeholders, including a student privacy primer, a roadmap for developing an effective student privacy communications strategy, tips for talking to parents about student privacy, resources for effectively engaging with educators, and guidance for including students in privacy discussions.
- Today, we published a series of interviews with college students about their perspectives on student privacy: Elevating Student Voices: Conversations about Student Privacy with Undergraduates During COVID-19.
- We published an analysis of Pasco County’s predictive policing program, highlighting the privacy and equity concerns raised by the initiative which received coverage in the Tampa Bay Times. ICYMI, read the news story about the program here.
- FPF’s Student Privacy Compass published Social Virtual Reality: Privacy Risks, Opportunities, and Guidelines to Keep Young People Safe in Immersive Social Spaces, a guest post from Divine Maloney, social virtual reality researcher and PhD candidate.
On to the news…
For schools that have reopened, many are still unsure about how they can permissibly share student health data with other state agencies under current privacy laws.
However, reporting and understanding health data isn’t all schools are worried about:
- As a result of the state’s stringent student privacy law, students and families in Louisiana who received free or reduced lunch were precluded from receiving pandemic EBT benefits until an emergency bill was passed. Data Quality Campaign’s Paige Kowalski wrote on the lessons learned from Louisiana and the importance of building data governance into student privacy legislation.
- A Louisiana school board also sent a request to the state’s Attorney General for clarification about sharing student data with the Department of Health. ICYMI, the U.S. Department of Education published guidance and a blog on FERPA’s requirements for sharing health data, and FPF and AASA published FAQs for School Administrators last March to provide additional plain language and guidance. We also highly recommend this 2019 letter on disclosing student immunization status from USED.
Concerns about surveillance technology to facilitate the physical return to school remain a top priority for education stakeholders, especially as schools continue to turn to increased data collection through technology like wearables and artificial intelligence. Similar concerns around surveillance technology are top of mind as students learn remotely. Many privacy advocates argue that increased surveillance is not an answer to the pedagogical concerns schools seek to address and could in fact introduce or exacerbate privacy and trust issues.
- As schools continue with remote learning, many educators are considering whether or not they will require students to have their cameras on, citing privacy concerns. Students are weighing in on the conversation because privacy concerns are also making their education environments more stressful than ever, and some students rely on the ability to learn with their cameras off to support their families.
- The 74million covered firsthand experiences from students juggling family responsibilities, including taking on the role of being a primary earner and caregiver for siblings, while also learning remotely. One student “works 40 hours a week at a Macy’s distribution center in Tulsa, Oklahoma” while still attending school full time. “They log on to Zoom with their microphones and cameras off and catch up with assignments during lunch breaks.” For more about student privacy and video mandates, check out FPF and the NEA’s privacy and equity considerations for video mandates.
Relatedly, the New York Times reports that schools in Las Vegas were pushed to reopen after an increase in student self-harm; school districts in the city are investing in student monitoring software to better understand suicide risks and later expanded their monitoring program to 24 hours.
- On December 3, a group of senators called on proctoring companies to respond to a range of questions on data protection, equity, and accessibility practices. The Electronic Privacy Information Center (EPIC) published the responses received from ProctorU, ExamSoft, and Proctorio.
- On December 9, EPIC filed a complaint with the D.C. Attorney General, alleging that several proctoring companies violated D.C.’s Consumer Protection Procedures Act for “excessive collection” of student information.
- Consumer Reports conducted a deep dive into the security practices of online proctoring tools.
- Students continue to push against proctoring and plagiarism detection software.
- The University of Illinois Urbana-Champaign will discontinue use of a proctoring software after significant student backlash—over 1,000 students signed a petition against the service, citing student privacy and accessibility concerns.
- Students and faculty joined together to testify before the City University of New York Board of Trustees against the use of plagiarism detection software because of privacy concerns, particularly for marginalized and undocumented students.
- A teacher shared their perspective on how and why they monitor their students, finding that classroom monitoring software is a useful tool “that makes a positive difference in the education of [their] special needs students.”
- And some schools worry about what happens when they don’t monitor students to some extent: a New Jersey school recently entered into a settlement with the family of a former student who was able to communicate with an internet predator over a school-issued device; the family claimed the district failed to institute effective controls to limit the student’s access to inappropriate websites and actors.
International privacy regulators and organizations are taking strong stances and weighing in on children’s privacy.
- The Washington Post reports that teachers find it difficult to know when students need help and can’t assess their students’ mental wellbeing. A New Hampshire school district is piloting a monitoring system that incorporates “artificial intelligence to monitor student web activity on school computers and alerts administrators if a student visits a website or uses a search term that indicates they may be at risk for self-harm or suicide.” ICYMI, FPF outlined the privacy costs of schools employing network and social media monitoring in 2019.
- Privacy advocates caution against overreliance on monitoring technology to address these harms. Even before the pandemic, the Guardian reported that with such technology, “privacy experts – and students – said they are concerned that surveillance at school might actually be undermining students’ wellbeing.” ICYMI, FPF hosted a 2019 SXSW EDU panel discussing how school safety plans can still incorporate student privacy.
- Concerns about student wellness are also on the President’s radar, and may result in guidance on the issue. On his second day in office, President Joe Biden signed an Executive Order aimed at supporting schools through the pandemic. The EO directs the Secretary of Education to develop evidence-based guidance for reopening schools; provide advice to schools as they continue hybrid and remote learning with a focus on promoting “mental health, social-emotional well-being, and communication with parents and families”; and provide technical assistance to schools during the pandemic.
- In Canada, some institutions are providing students with online counseling services—however, advocates question whether these programs have a sufficient evidence base, privacy protections, or benefit.
- Researchers at the University of South Australia are studying the use of augmented reality (AR) to deliver cognitive behavioral therapy to teens. According to the lead researcher, interactive technologies like AR appeal more to teens and may make them more comfortable than seeking professional help. A recent FPF blog post outlines some privacy concerns related to AR.
Security issues have plagued schools at all levels during the pandemic. Just before Baltimore County Schools experienced a ransomware attack that shut down the school system in December, the state of Maryland conducted security audits that found school districts throughout the state are facing security challenges.
- On December 18, Ireland’s Data Protection Commission published its draft “Fundamentals for a Child-Oriented Approach to Data Processing,” which sets forth data protection recommendations and principles with regard to children. The draft is open for public consultation until March 31, 2020; learn more about the fundamentals here.
- On January 27, Italy’s Data Protection Authority accelerated its inquiry into children on social media, after its January 22 order requiring TikTok to prevent users with unverified ages from accessing the app and prohibiting users under the age of 13 from registering. This comes after a 10-year-old user fatally participated in a popular challenge she saw on the app—the Authority points to “poor attention to the protection of minors” and “default settings falling short of privacy requirements” as reasons for the order, which will be enforced until February 15, 2021. The DPA is now investigating Facebook and Instagram as well, after finding that the same child user had accounts on both platforms.
- UNICEF’s Office of Global Insight and Policy published a summary of the comments received regarding its public consultation on child-centered AI policies and systems, noting that respondents supported “short courses for parents, children and teachers over the mechanism of data and the meaning of consent, privacy, etc.” Learn about FPF’s submission here.
- The Global Privacy Assembly’s Digital Education Working Group, composed of members from 74 Data Protection Authorities, adopted a joint contribution to the UN Committee on the Rights of the Child on its draft General Comment (GC) No. 25 (202x) on the rights of the child in relation to the digital environment. The contribution highlights the need to protect children from profiling, automated decision making, and commercial exploitation of their data, and to educate children on privacy and data protection.
- On December 10, the FBI, CISA, and MS-ISAC published a joint report on the increase in cyberattacks at K-12 schools that includes best practices and mitigation strategies.
- On December 2, the House Homeland Security & Governmental Affairs Committee held a hearing on cybersecurity in reaction to spikes in cyber threats across sectors. The Committee heard testimony from the Superintendent from Hartford Public Schools, which experienced a cyberattack that postponed virtual schooling last fall, inciting congressional interest in addressing the issue for the education sector.
- Cyberattacks aren’t only happening in U.S. schools—in early January, a 4th grade virtual classroom in Canada was hacked multiple times, with the attackers sharing pornographic content during classroom time.
FYI: Quick Hits
- On February 1, the FCC announced it is seeking comments on several petitions for emergency relief to expand E-Rate funding to cover remote learning during the pandemic. Initial comments are due on February 16, 2021.
- A school district in Florida is testing out a gun detection system that incorporates artificial intelligence—if a gun is detected, school resource officers, local police officers, and staff are automatically notified and sent a photo of the suspect. ICYMI: read the 2019 Wired-ProPublica report on similar audio-detection systems in schools and the implications for privacy.
- Also in Florida—federal lawmakers are requesting an investigation into the Pasco County Sheriff’s Office’s predictive policing system which incorporates student data, joining several public interest organizations in criticizing the program. ICYMI: check out FPF’s analysis of the sheriff’s program.
- On December 22, New York Governor Andrew Cuomo signed into law a moratorium on schools’ use of biometric identifying technology. The law prohibits schools from procuring or using biometric identifying technology until 2022, and requires the Education Department to conduct a study into the technology.
- Schools across the country are rethinking disciplinary policies as students learn online. Some experts are looking to reform truancy laws, as well. ICYMI, FPF’s Anisha Reddy and Amelia Vance published an op-ed last November outlining concerns around applying in-person disciplinary policies in a virtual classroom.
- Researchers are exploring whether smartwatches can help students with autism “be more independent” in schools through periodic reminders and prompts to interact with classmates and educators. However, schools should be aware that equipping students with wearable technology can raise a host of privacy risks, which we explored last year with a blog entitled As Personal as Data Gets: The Privacy Implications of Wearable Technologies in Schools and a brief on Wearable Technologies & COVID-19.
- Half of the undergraduate students at Tufts University joined a “marriage pact” app, developed by two Stanford students as a class assignment (now at 6 schools in the US), where participants are algorithmically matched with another student whom they would presumably marry after some time. According to the Marriage Pact’s “Data Principles and Practices” (a self-described informal policy) students can rest assured that their “privacy is not for sale” because the tool does not share any information collected with third parties.
- The Minnesota Department of Education is revising its data collection systems to expand the gender options available for LEAs to report to include nonbinary options. Throughout 2019 and 2020, the Department held public feedback sessions, which included concerns about student privacy—the public comment period closed on December 13th; and the state plans to move forward with a program by September 2021.
- University of Texas at Austin’s computer science department is phasing out a machine-learning system to evaluate applicants for its Ph.D. program. Critics of the program expressed concern the algorithm perpetuates inequities and lack of diversity in the field.
- A 2-year summary of the LEA Website Student Privacy Transparency Reviews the office is conducting, focusing on whether LEA websites included key student privacy documents and information about FERPA and PPRA.
- An update to the general PPRA guidance, with an overview of parental rights and institutional obligations.
- Eight flyers outlining key student privacy issues.
- In Issue 3 of Future Edge, an education journal run by Australia’s New South Wales Department of Education, Professor Evan Selinger and FPF’s Amelia Vance published a piece highlighting the importance of managing the risks of bringing AI into the classroom and engaging students in learning about AI privacy and ethics.
- Two Harvard students created a final project on strengthening student awareness on data privacy that turned into a weeklong campaign launched by Harvard’s Undergraduate Council. Content for the project can be found on the Council’s website and features a map of video surveillance around Harvard Yard, a review of exam proctoring software, and what data Harvard can access from students’ University Google Drives.
- Australia’s eSafety Commissioner published “Online safety for young people with intellectual disability,” a report spotlighting youth, parent, and caregiver perspectives on the topic.
- Data Quality Campaign published a summary of January’s state education data legislative trends, “Legislative Update: Tracking the 2021 Legislative Session,” as well as their annual report “Time to Act,” an overview of education data issues during 2020 and the pandemic, along with five areas to focus on for 2021, including guaranteeing access to student data and protecting student privacy.
- A new paper “Virtual Classrooms and Real Harms” explores the student privacy issues raised by remote learning, provides an overview of the student privacy legal landscape at the state and federal levels, and provides student privacy recommendations for universities.
- Authors of Surveillant #EdTech Harms Nursing Students, the Profession, and the Public, shared a resource guide on alternatives to surveillant technologies and pedagogies.
- UNICEF’s Office of Global Insight and Policy published a report entitled “Governance of Student Data” that explores the use of edtech, the collection and use of student data, and the pedagogical value of such technologies, and sets forth guiding principles for education stakeholders.
- RAND published a report outlining results from a school district survey entitled, Remote Learning Is Here to Stay. Although 20% of respondent school districts plan on keeping online learning around post-pandemic, only 5% ranked privacy and security as areas where resources are needed.
- USED’s Office of Educational Technology published the Teacher and School Leader Digital Learning Guides to help both stakeholders effectively support student and school use of technology—both guides include helpful tips related to privacy, security, and digital citizenship.
- CoSN released the 2020 State and Federal Cybersecurity Policy Trends report which examined the 89 cybersecurity bills introduced in 2020 that have direct or indirect application to schools.
- The Education Trust and National Women’s Law Center developed a guide for creating better, safer learning environments for girls of color. One policy that led to positive outcomes was making “data broken down by race and gender publicly available.”
- Learning Policy Institute published “Districts Advancing Racial Equity (DARE) Tool,” a framework for advancing racial equity in school districts—recommending that schools disaggregate data related to student race as appropriate to understand the differences in opportunities and outcomes for students of color.
Thanks so much for reading! Let us know if you have news or new resources we should include in future newsletters, or if we missed anything.