Education data mining puts kids’ privacy at risk

Is kids' privacy at risk from education data mining?

Education technology, image courtesy of ShutterstockOur kids are being watched, and the gushing data streams they’re emitting are getting analysed in granularity so minute, it puts data-mining companies like Facebook and Google to shame.

Jose Ferreira, who runs a firm called Knewton that analyses how people learn, wasn’t shy about the scope of his operation when talking to Forbes a few years ago:

Education is the world's largest data industry, by far.

We’re physically collecting thousands of data points per student per day.

Those data points come from software that monitors students’ every mouse click, every keystroke, every split-second hesitation as children work through digital textbooks, as Politico describes it.

In fact, Knewton is able to not only find out what individual students know, but how they think – including which kids will have trouble focusing on science before lunch and those who’ll struggle with fractions next week, the news outlet reports.

It’s impressive analysis based on breathtakingly thorough data mining. But as it turns out, this type of education-related technology often comes with a scandalous disregard for its subjects’ privacy.

Indeed, parents should be asking what privacy policies, exactly, are protecting their kids’ personal information?

Politico recently examined hundreds of pages of privacy policies for education software such as Knewton to ascertain how children’s privacy is being handled in this lucrative world of education-related technology.

If you’ve been reading related studies and keeping up with news such as that of Google getting sued for data-mining students through its Google Apps for Education (and subsequently giving up on that data-mining), you won’t be surprised to hear that there’s not much out there to protect kids’ privacy.

As it is, a December 2013 Fordham University School of Law study found that although 95% of US school districts rely on cloud services, those cloud services are opaque, poorly understood and weakly governed.

Parents are mostly kept in the dark about cloud storage of their children’s data, Fordham found, with only 25% of districts informing parents that they use cloud services.

Many districts don’t even have privacy policies, which is just one sign of what the study’s authors called “rampant gaps” in contract documentation in a “sizable plurality” of districts.

From the report:

Districts frequently surrender control of student information when using cloud services: fewer than 25% of the agreements specify the purpose for student information disclosures, fewer than 7% of the contracts restrict the sale or marketing of student information by vendors, and many agreements allow vendors to change the terms without notice.

This is all in spite of FERPA, the Family Educational Rights and Privacy Act, which gives parents some control over the disclosure of information from students’ records and which generally requires districts to have direct control of student information when disclosed to third-party service providers.

(On the flip side, FERPA also gives school districts the rights to share student data with private companies if it furthers educational goals.)

Beyond these issues, the study also found an “overwhelming majority” of cloud service contracts don’t even address parental notice, consent, or access to student information.

From the report:

Some services even require parents to activate accounts and, in the process, consent to privacy policies that may contradict those in the district’s agreement with the vendor, which contradicts laws that require parental notice, consent, and access to student information.

Neither, generally, do agreements between districts and cloud service providers account for data security.

In fact, they frequently allow vendors to retain student information in perpetuity, in spite of the fact that, as the report points out, “basic norms of information privacy require data security.”

As Politico reports, both Republicans and Democrats are all for this practice of private-sector data mining, even as legislators attempt to rein in NSA surveillance.

The Obama administration has even encouraged the practice by relaxing federal privacy law so that school districts can share student data more widely, Politico reports.

Resistance to this free-for-all plundering of children’s data has been mounting, however.

Last week, Senators Edward Markey (D-Mass) and Orrin Hatch (R-Utah) proposed the “Protecting Student Privacy Act”, a bill that would:

  1. Require data security safeguards for student data held by private companies;
  2. Prohibit the use of students’ personally identifiable information to advertise or market a product or service;
  3. Give parents the right to access personal information about their children held by private companies and amend it if it’s wrong;
  4. Make transparent the name of companies that have access to student information by directing school districts to maintain a record of all outside companies with who the school contracts;
  5. Minimize the amount of personally identifiable information (PII) transferred from schools to private companies; and
  6. Ensure private companies can’t maintain dossiers on students in perpetuity by requiring the companies to at some point delete PII.

As well, in addition to the court action against Google’s data-mining in Google Apps for Education, the past year has seen ferocious pushback from parents against cloud storage of their children’s PII.

InBloom, a cloud storage service provider that was offering to house and manage student data for public school districts across the US by extracting a dizzying array of information – some 400 data fields – from disparate school databases and new, optional, sometimes intrusive fields, closed up shop in April as a result of that pushback.

But what evil, exactly, have ed-tech companies done with kids’ data?

As Politico notes, there haven’t been big data breaches in K-12 education in the US, although there have certainly been plenty at university level.

Still, problems are rife. One company the news outlet examined notes in passing that confidential student data should be shared “very carefully”, but it offers no guidelines.

When Politico inquired about another company’s privacy policy – a policy that gave the company the right to use students’ PII in order to send them targeted advertising – the policy was speedily rewritten and reposted, with a brand-new emphasis on protecting privacy and minus a line about the targeted ads.

We haven’t yet seen the most intrusive technologies. As Reuters reported at the time, the Bill & Melinda Gates Foundation in 2012 funded a $1.4 million research project to outfit middle-school students with biometric sensors designed to detect how they responded on a subconscious level to each minute of each lesson.

At the end of the day, we’re left with many serious questions, the most basic of which is this: Are these technologies helping children to the extent that they warrant their obtrusiveness?

Please, tell us what you think, in the comments section below.

Image of education technology courtesy of Shutterstock.