Protecting
the personal privacy of students has gained national attention due to the
issues surrounding inBloom combined with several high profile data breaches.
Compounding
the privacy challenges facing students is that the Family Educational Rights
and Privacy Act (FERPA), which aims to protect
the privacy of students and their families, has not been updated to account for
the issues inherent in the Digital Age. The Electronic Privacy Information Center, along with
other privacy advocates, has alleged that the Department of Education actually
weakened FERPA in 2011.
In
fact, weakening student privacy protections at the dawn of the age of Big Data,
the cloud, mobile apps and social media appears to have lead to a situation
where some companies offer
student digital learning tools for free or a reduced price to schools and
in return student information may be data mined for profit. According to a recent Politico
"examination of hundreds of pages of privacy policies, terms of service
and district contracts there are gaping holes in the protection of children’s
privacy."
Earlier
this year, Education Week reviewed
the ongoing Gmail wiretapping
litigation, a case that began in 2010
seeking damages on behalf of Gmail and Google Apps for Education users and
those whose messages were sent to Gmail based services and made some very
startling discoveries. The most troubling was that Google "scans and
indexes the e-mails of all Apps for Education users for a variety of purposes,
including potential advertising, via automated processes that cannot be turned
off—even for Apps for Education customers who elect not to receive ads."
Google's
admission in federal court and its confirmation to the media about its practices
created such a huge media firestorm that within weeks after this information
became public, Google announced that it would
no longer scan the e-mails of students who utilize Google Apps For Education
for advertising purposes. While this announcement
was a step in the right direction, why did it take an international media
feeding frenzy for a change to a policy that should have never been implemented
in the first place?
In
response to Google's about face regarding its student email scanning policy, Prof.
Joel Reidenberg of Fordham stated, "Google can change this policy at
any time, and, the scanning disclaimer is associated with advertising purposes
only....There may be other commercial uses that they are exploiting student
data for,....such as selling information to textbook publishers, or test-preparation
services."
New
technology sometimes creates situations that were never imagined when FERPA was
enacted 40 years ago. For example, when
students utilize new digital learning tools offered through their schools is the
metadata (the information
associated with a student's use of the digital learning service) that may be
created by student usage considered an "education record" and thus
protected from being data mined for advertising purposes? According
to Kathleen
Styles, the U.S. Department of Education's Chief Privacy Officer, “I don’t
think it’s necessarily an easy decision, what is and what is not the
‘educational record,.... “It’s very contextual. A lot of metadata won’t fit as an educational
record.” This uncertainty demonstrates
the need for stronger privacy laws that better protects the personal privacy and
digital emissions of students.
States have began to
take action to enhance digital privacy protections for students. For example, Kentucky's recently enacted HB 232 bans ed-tech
service providers from processing student data for any purpose other than
providing, improving, developing or maintaining the integrity of the service. This type of prohibition is imperative in
order for parents and students to feel comfortable using new digital learning tools.
According to Politico, "in the past five
months, 14 states have enacted stricter student privacy protections, often with
overwhelming bipartisan support, and more are likely on the way."
Sens. Edward
Markey (D-MA) and Orrin Hatch (R-UT) recently introduced a discussion draft legislation
titled, "Protecting Student Privacy Act." According to the press
release, "The draft legislation would ensure that students are better
protected when data is shared with and held by third parties." While new federal legislation is a step in
the right direction since uniformity across the country is preferred by most
stakeholders, I believe an update to the terms "education records"
and "personally identifiable information" to account for the
increased capturing of student data in a digital format is needed to ensure
that children are better protected from companies that
put profits ahead of student privacy.
InBloom's
demise and Google's recently exposed student data mining practices have brought
greater attention to student privacy and the need for stronger regulations and
laws that prohibit ed-tech providers from utilizing student data for commercial
purposes which may include behavioral advertising, digital profiling, and other
exploitation. Ed-tech vendors must
incorporate Privacy by Design into their platforms and commit to making student
privacy a priority and not an afterthought.
The bottom line is that students, parents, teachers,
school administrators, lawmakers, state attorney generals, the FTC, and the
ed-tech industry must work together to ensure that student privacy is protected in the Digital Age.
Copyright 2014 by Shear Law, LLC. All rights reserved.
