Maryland's Student Data Privacy Act of 2015 Is Needed

The Internet and broadband access has led to many innovations in how we teach our children. During the past 10 years, K-12 schools have implemented new and exciting technologies that will help students learn and be prepared for life inside and outside of the workforce. Unfortunately, privacy law has not kept up with the technology that is being utilized by our schools because the primary student privacy law, the Family Educational Rights and Privacy Act (FERPA) was enacted in 1974 and it has not been updated to account for all of the new digital activities and metadata that is being created by students on school contracted digital platforms.

Earlier today, I testified again on behalf of a Maryland bill (HB 298) that would help better protect students' digital privacy without hampering educational technology companies with burdensome regulations.  Maryland's HB 298 is based upon California's landmark Student Online Personal Information Protection Act (SOPIPA or SB 1177).  I testified with the sponsor of the bill along with other advocates and some of my written testimony is as follows:

"House Bill 298 as passed by the House of Delegates is a positive piece of legislation that will help protect the personal privacy and safety of Maryland students and their families.  Three federal privacy statutes address student information that may be collected by and from schools:  The Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), and the Protection of Pupil Rights Amendment (PPRA).

FERPA was enacted in 1974 when student records were housed in filing cabinets.  This statute is essentially a confidentiality law designed to protect student paper records.  Forty years ago, schools didn’t have personal computers and Internet access.  FERPA was not designed to protect digital student information.  COPPA focuses on the online collection of personal information directly from children younger than 13 years old without parental consent.  The PPRA primarily address the use of certain types of data collected from in-school surveys as well as some marketing activities.   

FERPA covers “educational records” such as transcripts that were originally kept in a school principal or central district office.  The statute specifically carves out an exemption for “directory information” such as a student’s name, address, date of birth, telephone number, age, sex, and weight.  This 1974 definition of “educational records” and the directory information exclusion no longer makes sense in 2015.  Much of the data gathered and utilized by electronic based services is outside the scope of FERPA’s existing definition. 

As an example, the metadata gathered from a learning app used by a child in school is not considered an “educational record” and would not be protected by FERPA.  Under FERPA, the app maker and other third parties such as digital advertising networks may utilize the information obtained from our children’s use of school contracted online digital technologies.  This data which may include information regarding health, sexual orientation, religion, race, etc… may then be utilized by third parties to discriminate against our children when they apply to colleges, for jobs, insurance, etc…              

  

Absent stronger privacy protections for online student content, our children’s privacy will be compromised and innovative learning tools and educational technologies will face increased parent skepticism and opposition.  HB 298 as passed by the House of Delegates helps assuage parent’s fears while not stifling industry innovation.  HB 298 is modeled after California’s widely applauded Student Online Personal Information Act (SOPIPA) that has been called a “landmark” student data privacy bill by the highly regarded K-12 focused publication Education Week.    

Due to the well balanced approach that HB 298 takes, I am asking for your support of this legislation as it passed in the House of Delegates."  

Google and Facebook's representatives were lobbying to add amendments that would gut the bill's privacy protections for our children. Behind the scenes, these two companies appeared to be not just the two primary opponents of this bill but of other similar bills around the country (watch/listen to the testimony).  Google's behavior is not surprising since it has been caught by Politico spending hundreds of thousands of dollars to lobby against privacy bills that would better protect the personal privacy of students and their families around the country. Facebook's participation in this process appears to demonstrate that it wants to enter the education market. Due to Facebook's agreements with data brokers and its troubling privacy practices and policies, student data should not be entrusted on their platform.

The bottom line is that if you care about student privacy and cyber safety, our laws need to catch up with the technology that is being deployed.  To support Maryland's Student Data Privacy Act of 2015 please reach out to the senators on the Education, Health & Environmental Affairs Committee to voice your support.

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Maryland's Student Data Privacy Act of 2015

Last fall, California enacted what Education Week called a "landmark" student-data privacy law (SB 1177).  This was passed because some educational technology companies were caught abusing their access to personal student data. 

As a parent, the digital privacy of my children is very important.  I don't want an educational technology vendor using my kids' school created digital data for behavioral advertising or for profiling purposes that may be utilized to discriminate against them in the future.  The Family Educational Educational Rights and Privacy Act (FERPA) was enacted in 1974 and has not kept up with the innovative digital learning technologies that are becoming more widely available for our students. 

Today, schools utilize cloud-based technologies, apps, and other digital services to teach our children.  Unfortunately, metadata created from these platforms is not considered an educational record under FERPA and thus not protected from the prying eyes of advertisers and others who covet this rich information.  Therefore, students and their families need stronger legal privacy protections.  Absent more robust student privacy laws, our children's privacy and safety will be compromised and innovative learning and educational technologies will face increased parent skepticism and opposition. 

Maryland, a state that has vied with California to be a national leader in digital privacy protection recently introduced the Student Privacy Act of 2015.  The bill is modeled after California's groundbreaking SB 1177.  Mark Schneiderman, senior director of education policy for the Software & Information Industry Association said California's SB 1177 "seems to generally strike the right balance".  Thus, the SIIA should hold the same position on Maryland's student data privacy act. 

Last month, President Obama gave a historic speech at the FTC about his privacy agenda for the last two years of his term.  In regards to student privacy the President stated: "But we’ve already seen some instances where some companies use educational technologies to collect student data for commercial purposes, like targeted advertising.  And parents have a legitimate concern about those kinds of practices.

So, today, we’re proposing the Student Digital Privacy Act. That's pretty straightforward.  We’re saying that data collected on students in the classroom should only be used for educational purposes -— to teach our children, not to market to our children. We want to prevent companies from selling student data to third parties for purposes other than education.  We want to prevent any kind of profiling that outs certain students at a disadvantage as they go through school."

Congress is also concerned about student privacy issues.  On February 12, 2015, it held a hearing entitled, "How Emerging Technology Affects Student Privacy".  The testimony during the hearing demonstrated that FERPA needs to be updated.  While my hope is that one day Congress passes stronger student privacy legislation, I am not optimistic in the short term due to all of the acrimony on Capitol Hill. 

Until this occurs, states such as Maryland must fill this void and step up to protect the digital privacy and cyber security of our kids. 

Copyright 2015 by Shear Law, LLC All rights reserved.

President Obama Proposes The Student Digital Privacy Act

In a very positive development, President Obama earlier today proposed The Student Digital Privacy Act.  According to The New York Times, the Act would "prohibit technology firms from profiting from information collected in schools as teachers adopt tablets, online services and Internet-connected software".

During the President's speech today at the FTC, he stated, "Our children are meeting and growing up in cyberspace", and  "here at the FTC, you’ve pushed back on companies and apps that collect information on our kids without permission"... and "we need our kids privacy protected." 

The President's speech appears to indicate that he is aware that Google and others have abused access to personal student data.  For example, in March of 2013, Google admitted to Education Week that it was data mining student emails for advertising purposes.  Soon after this was uncovered, a media firestorm erupted and subsequently Google allegedly changed its practices.  Therefore, when the President mentioned, "[b]ut we’ve already seen some instances where some companies use educational technologies to collect student data for commercial purposes, like targeted advertising" was he referring to Google?

President Obama stated, "I want to encourage every company that provides these technologies to our schools to join this effort.  It’s the right thing to do.  And if you don’t join this effort, then we intend to make sure that those schools and those parents know you haven’t joined this effort. So, this mission, protecting our information and privacy in the Information Age, this should not be a partisan issue.  This should be something that unites all of us as Americans."

I applaud the President and his team for recognizing the importance of student digital privacy and his willingness to make the issue an important part of his legislative agenda during his final two years in office.  As a parent, I want my children to be able to utilize the most advanced digital learning tools available.  However, our kids should not have to compromise their personal privacy and/or safety to utilize new digital technologies.

While I am optimistic about the opportunity for stronger student privacy protections to become law, I know there is a lot of work ahead.  Therefore, it is imperative for students, parents, teachers, school administrators, privacy advocates, and education technology vendors to work with regulators, lawmakers, and the President to enact a thoughtful and forward thinking bill into law.

Copyright 2015 by Shear Law, LLC All rights reserved. 

In The Digital Age It Takes A Village To Protect Student Privacy

Some privacy advocates have breathed a sigh of relief since hearing of the demise of non-profit inBloom, an organization that was created in 2011 to store and aggregate a wide range of student information to be used by classroom educators. The merits of inBloom's mission can be debated until its advocates and detractors are blue or red in the face.  Regardless of whether one is for or against inBloom, or its future progeny, the real win here is that student privacy is now part and parcel of the education technology (ed-tech) conversation.

Protecting the personal privacy of students has gained national attention due to the issues surrounding inBloom combined with several high profile data breaches. Compounding the privacy challenges facing students is that the Family Educational Rights and Privacy Act (FERPA), which aims to protect the privacy of students and their families, has not been updated to account for the issues inherent in the Digital Age. The Electronic Privacy Information Center, along with other privacy advocates, has alleged that the Department of Education actually weakened FERPA in 2011.

In fact, weakening student privacy protections at the dawn of the age of Big Data, the cloud, mobile apps and social media appears to have lead to a situation where some companies offer student digital learning tools for free or a reduced price to schools and in return student information may be data mined for profit.  According to a recent Politico "examination of hundreds of pages of privacy policies, terms of service and district contracts there are gaping holes in the protection of children’s privacy."

Earlier this year, Education Week reviewed the ongoing Gmail wiretapping litigation, a case that began in 2010 seeking damages on behalf of Gmail and Google Apps for Education users and those whose messages were sent to Gmail based services and made some very startling discoveries. The most troubling was that Google "scans and indexes the e-mails of all Apps for Education users for a variety of purposes, including potential advertising, via automated processes that cannot be turned off—even for Apps for Education customers who elect not to receive ads."

Google's admission in federal court and its confirmation to the media about its practices created such a huge media firestorm that within weeks after this information became public, Google announced that it would no longer scan the e-mails of students who utilize Google Apps For Education for advertising purposes.  While this announcement was a step in the right direction, why did it take an international media feeding frenzy for a change to a policy that should have never been implemented in the first place?  

In response to Google's about face regarding its student email scanning policy, Prof. Joel Reidenberg of Fordham stated, "Google can change this policy at any time, and, the scanning disclaimer is associated with advertising purposes only....There may be other commercial uses that they are exploiting student data for,....such as selling information to textbook publishers, or test-preparation services."

New technology sometimes creates situations that were never imagined when FERPA was enacted 40 years ago.  For example, when students utilize new digital learning tools offered through their schools is the metadata (the information associated with a student's use of the digital learning service) that may be created by student usage considered an "education record" and thus protected from being data mined for advertising purposes?   According to Kathleen Styles, the U.S. Department of Education's Chief Privacy Officer, “I don’t think it’s necessarily an easy decision, what is and what is not the ‘educational record,.... “It’s very contextual.  A lot of metadata won’t fit as an educational record.”  This uncertainty demonstrates the need for stronger privacy laws that better protects the personal privacy and digital emissions of students.

Possible Solutions

States have began to take action to enhance digital privacy protections for students.  For example, Kentucky's recently enacted HB 232 bans ed-tech service providers from processing student data for any purpose other than providing, improving, developing or maintaining the integrity of the service.  This type of prohibition is imperative in order for parents and students to feel comfortable using new digital learning tools.  According to Politico, "in the past five months, 14 states have enacted stricter student privacy protections, often with overwhelming bipartisan support, and more are likely on the way."

Sens. Edward Markey (D-MA) and Orrin Hatch (R-UT) recently introduced a discussion draft legislation titled, "Protecting Student Privacy Act." According to the press release, "The draft legislation would ensure that students are better protected when data is shared with and held by third parties."  While new federal legislation is a step in the right direction since uniformity across the country is preferred by most stakeholders, I believe an update to the terms "education records" and "personally identifiable information" to account for the increased capturing of student data in a digital format is needed to ensure that children are better protected from companies that put profits ahead of student privacy.

InBloom's demise and Google's recently exposed student data mining practices have brought greater attention to student privacy and the need for stronger regulations and laws that prohibit ed-tech providers from utilizing student data for commercial purposes which may include behavioral advertising, digital profiling, and other exploitation.  Ed-tech vendors must incorporate Privacy by Design into their platforms and commit to making student privacy a priority and not an afterthought. 

The bottom line is that students, parents, teachers, school administrators, lawmakers, state attorney generals, the FTC, and the ed-tech industry must work together to ensure that student  privacy is protected in the Digital Age.

Copyright 2014 by Shear Law, LLC.  All rights reserved.

Kentucky Takes the Lead To Protect Student Privacy in the Digital Age

According to WHAS11.com in Kentucky, HB 232 was signed into law today by Governor Steve Beshear.  This new law states "[a] cloud computing service provider shall not in any case process student data to advertise or facilitate advertising or to create or correct an individual or household profile for any advertisement purpose, and shall not sell, disclose, or otherwise process student data for any commercial purpose."  In a nutshell, the new law bans school vendors who provide cloud based services from data mining student digital communications for advertising purposes. 

HB 232 received bipartisan support and passed 98-0 in the Kentucky House and 38-0 in the Kentucky Senate.  The bill appears to be have been inspired by the Target 2013 holiday data breach and the Gmail data mining lawsuit where Google recently admitted in court documents that its Google Apps For Education platform that it offers for "free" to schools data mines student digital activity for corporate profit.   

Kentucky has taken a significant step to protect its students in the Digital Age.  This new law demonstrates that in Kentucky children's privacy and safety do not take a back seat to the special interests that believe they have the right to data mine our students' digital activity for commercial gain.  Other states such as Oklahoma and New York have enacted or introduced student privacy legislation in the past year; however, Kentucky's new law appears to be the first that offers much greater privacy protection than the Family Educational and Privacy Rights Act (FERPA).

My hope is that other states and eventually Congress follows Kentucky's lead to enact legislation that ensures our children's privacy is better protected in the Digital Age.

Copyright 2014 by the Law Office of Bradley S. Shear, LLC. All rights reserved.

The Student Privacy Bill of Rights

On March 6, 2014, Khaliah Barnes, the Director of the Electronic Privacy Information Center's (EPIC) Student Privacy Project authored an extremely important article that was featured in the Washington Post titled, "Why a Student Privacy Bill of Rights is desperately needed".  The piece details the digital privacy challenges students encounter and why they need to have stronger legal rights to better protect their personal privacy and safety.  I wholeheartedly agree with Ms. Barnes and believe our students need more robust digital privacy protections.

The main federal laws designed to protect student privacy, the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PRPA) have not been updated to keep pace with the Digital Age.  The lack of legal protections for our students' personal information that is stored in the cloud has made Ms. Barnes' Student Privacy Bill of Rights a necessity.  It enumerates six basic rights for students and I believe that in the age of Big Data, students have "certain unalienable Rights" regarding their personal privacy.  The Rights are listed below:

Right #1 Access and Amendment:  Students have the right to access and amend their erroneous, misleading, or otherwise inappropriate records, regardless of who collects or maintains the information.

While growing up in the 1980's, I didn't have to worry that everything I said to my classmates and/or teachers would be on my permanent record forever.  When I attended elementary, middle, and high school, the primary form of communication was in person, on the phone, and handwritten/typed letters.  In college, I recall sending out my first email and then in law school  email began to gain traction. 

As an adjunct professor at a major international university, I have noticed that students prefer email as their primary form of communication outside of class.  Students sometimes make inappropriate remarks in class and/or email.  However, students attend school to learn how to communicate and I believe the content of their school work and their school related communications should be protected and off limits from data mining.  My students and children should be afforded the same privacy protections I experienced in school without fear that every single student-teacher and  student-student digital interaction may be used against them in the future.     

Right #2 Focused collection:  Students have the right to reasonably limit student data that companies and schools collect and retain.

Schools, along with their vendors, and sub-contractors should be limited to what type of data they are able to collect and retain about students.  For example, some schools require student-athletes to install cyber-monitoring software onto their personal computers and personal digital media accounts so all of their online postings may be captured and archived indefinitely.  One school vendor was caught a couple years ago by Time Magazine abusing its access to personal student data and utilizing their content for advertising purposes.  Therefore, it is imperative that students have the right to reasonably limit the type of personal information that is collected and retained about them by companies that contract with schools.    

Right #3 Respect for Context:  Students have the right to expect that companies and schools will collect, use, and disclose student information solely in ways that are compatible with the context in which students provide data.

Unfortunately, some companies have not been honest about the manner in which they collect and utilize personal student information.  Education Week recently reported that Google is abusing its privilege as a school learning platform provider because it is using its Apps For Education offering to surreptitiously data mine student emails for potential advertising. 

Whether its through cloud computing, mobile communication devices, apps, or old school personal computer networks, a tremendous amount of information is being collected by third parties and this data is not under the direct control of our schools.  Therefore, schools and their vendors must be required to disclose exactly what is happening to student information that is stored digitally. 

Right #4 Security: Students have the right to secure and responsible data practices

Secure data practices do not happen overnight and requires cooperation from both schools and their vendors.  Professor Dan Solove of George Washington University has been advocating for years that schools hire chief privacy officers to educate and provide leadership on these issues.  Earlier this year, Prof. Solove told USA Today, “[w]ithout a privacy officer in schools, there will be no one looking out for privacy issues,”  Recent high profile data breaches at the University of Maryland and Indiana University demonstrates the need for educational institutions to implement policies and practices that better protect our students' privacy.    

Right #5  Transparency:  Students have the right to clear and accessible information privacy and security practices.

 
Transparency is key to fostering successful privacy and security practices.  Educational institutions and their contractors need to be required by law to be fully transparent about the type of information they collect, how it is utilized, how long it is archived, and who has access to it.  School vendors such as Google who have not been transparent about their privacy and security practices put our students' privacy and personal security at risk.  If schools are unable to provide clear and accessible information about their contractors' privacy and security practices, students should have the right to opt-out of participating in a school provided platform that harms their privacy and puts their personal security at risk.        

Right #6  Accountability:  Students should have the right to hold schools and private companies handling student data accountable for adhering to the Student Privacy Bill of Rights. 

FERPA has no private right of action against school vendors.  This is a huge loophole that puts the burden of protecting our children's privacy squarely on academic institutions even though many schools are ill equipped and under-funded to do so.  New state and/or federal laws/regulations are needed to hold school contractors accountable for violating the privacy of our students.   

A recently released report on Big Data and "alternative credit scoring" by the World Privacy Forum reinforces the need for greater regulation to protect our privacy.  The report discusses unfairness and discrimination issues that may soon become widespread because our current legal and regulatory privacy framework was designed before email, apps, and the cloud became ubiquitous.  Students shouldn't have to worry about whether their school related research, questions, communications, and/or projects on disabilities, HIV, personal sexuality, pregnancy, sexually transmitted diseases, etc... will be data mined and/or sold to the highest bidder. 

 

 If third party vendors mislead schools, parents, or students about their data handling or protection practices, they need to be held legally and financially responsible for privacy violations.  For example, students who utilize Google Apps For Education through their schools should be able to hold Google legally and financially accountable for data mining their school digital interactions, content, work etc...for non-educational purposes.  

Soon after the Education Week article that uncovered Google's very troubling student data mining practices was published, I reached out to Ms. Barnes and asked her to comment about these new revelations.  In an email Ms. Barnes stated, "Google's data mining admissions underscore the importance of the Student Privacy Bill of Rights. Here's a situation where students lost total control over their information. The students first lost control when the schools made a choice on behalf of students, without first adequately vetting Google's data practices and ensuring that those practices don't put students at risk. Second, students lost control when Google decided to read students' emails. Google's practices contravene the Student Privacy Bill of Rights by repurposing student data for commercial use. Google should be held accountable to students, the Education Department, and the Federal Trade Commission for violating student trust."

As a society, we need to do more to protect our children's privacy in the Digital Age.  A first step would be to adopt the principles advocated by Ms. Barnes' in her Student Privacy Bill of Rights. 

Copyright 2014 by the Law Office of Bradley S. Shear, LLC. All rights reserved.

New Laws Are Needed To Protect Student Privacy In The Digital Age

Students and schools around the country are utilizing new digital technologies in ways many people did not imagine at the turn of the century and those technologies offer great promise.  Just ten years ago, terms like "big data", "the cloud", "data mining", and "social media" were not well known by students, parents, and school officials.  To lower costs and to help our students learn more effectively, thousands of schools across the country have adopted new digital technologies. Unfortunately, the current legal framework designed to protect student privacy and safety has not kept up with the rapid advancements that have been created by the Digital Age. 

The federal Family Educational Rights and Privacy Act (FERPA) is the main federal law that protects student educational records.  This law was initially enacted in 1974 and has been amended multiple times by Congress; the last time being in 2001 before the widespread adoption of cloud computing and other digital platforms in schools.  While the statute hasn't been amended in more than 10 years, the rules that the U.S. Department of Education uses to implement FERPA have been more recently updated.  Despite these revisions, some public interest groups such as the Electronic Privacy Information Center allege that FERPA's rule changes undermine privacy safeguards set out in the statute and unnecessarily exposes students to new privacy risks.

At first glance, FERPA appears to be a robust law that protects the personal privacy and safety of students.  However, upon closer examination FERPA does not provide the protections that our students need in the Digital Age.  In the almost 40 years since FERPA's initial enactment, no school has been denied access to federal funds due to a violation that has put the personal privacy and/or safety of students at risk.  As more third parties have been contracted to handle student data through the spread of cloud and mobile technologies, FERPA has done little to constrain the behavior of these third parties because the statute does not contain a sanction that applies them. 

Does this mean that FERPA has been successful and that a school's actions have never put the personal privacy and/or safety of students at risk?  Or, does this validate the notion that FERPA lacks strong enforcement provisions and the U.S. Department of Education has not been provided the resources necessary to properly protect our children?

In 2002, the Supreme Court held that FERPA's nondisclosure provisions do not provide students a personal right to sue entities that fail to properly safeguard their educational records.  While this ruling appears to shield schools from student lawsuits based upon FERPA violations, it has also had a very troubling unintended side effect that may be leading some schools to put their guard down when engaging third party vendors to capture, process, and transmit student data. 

History has proved that some commercial enterprises will abuse their access to student data and that FERPA is unable to provide the privacy and/or safety protections our children need and deserve.  In 2003, multiple student survey companies were caught intentionally misleading schools, students, and parents about their data collection and utilization practices.  The FTC alleged that these entities sold personally identifiable information about millions of students to marketers for financial gain.  In addition to entering into a consent agreement with the FTC that ended these practices, the New York Attorney General's office fined these entities $75,000 for their actions.

In 2012, Time Magazine discovered that a company called UDiligence that had been hired by universities across the country to scan and archive the password protected personal digital content of student-athletes was abusing its access to student data by utilizing personal student content in advertisements for the company's services.  Only after Time Magazine questioned this practice did UDiligence stop monetizing students' personal digital content for pecuniary gain.

Several months ago, a judge in a lawsuit that accuses Google of violating multiple federal and state laws regarding its email data mining practices ruled that the case may move forward.  During a recent court filing in this lawsuit, Google admitted that its University of Alaska school branded Gmail system utilizes the information obtained from student emails for advertising purposes (Link to this document; See page 42, #88).  As part of an effort to dismiss the case, Google argued that two student plaintiffs from universities who were Google Apps for Education users consented to Google scanning their emails for advertising purposes when they signed onto the service the first time (Link to this document; See page 14).

Since Google provides this same exact service for free to thousands of schools across the country it raises a serious question of whether Google is data mining the school emails of millions of students across the country for financial gain.  Do the same arguments that Google has made in its motion to dismiss, that students have consented to this data mining, apply to students at other schools where Google Apps for Education is in use?  It does not appear that students, parents, and/or teachers have been informed and provided consent that would enable their digital interactions and the content sent and received on school contracted Gmail services to be utilized for advertising purposes. 

The personal safety of students are at risk when commercial entities obtain access to student data and act upon the information.  According to Education Week, some low-income children in Arizona were subjected to unnecessary dental work by corporate-affiliated "mobile dentists" who found their patients through easy access to school records.  In response to this troubling practice, Arizona enacted a new state law last year that tightened access to this information.

Several months ago, The New York Times discussed the privacy and safety challenges inherent when schools hire third parties to collect and store student data on the web.  A recent Fordham University Law School study found "weaknesses in the protection of student information in the contracts that school districts sign when outsourcing web-based tasks to service companies".  Fordham's findings were validated by the Maryland Attorney General's 2013 report on children's privacy that recommended a new state law that would prohibit cloud service providers from using data collected from students for commercial purposes.

Parents are extremely worried about their children's personal privacy and safety.  A new Common Sense Media Survey found broad support for stronger safeguards to protect our students in the Digital Age.  According to the survey, 91 percent of respondents support stronger parental-consent requirements related to the sharing of sensitive student data, and 89 percent supported tighter security standards for cloud storage.

Since FERPA has not been updated to reflect the tremendous change the Digital Age has brought to the education system, it is time for states to enact laws that better protect the personal privacy and safety of our students.  States should enact strict prohibitions on the use of student data (i.e.  emails, documents, or other content), ensuring that vendors do not have rights to use that data for advertising or marketing purposes or to otherwise build personal profiles of students that may be utilized to discriminate against students and/or their families.  Parents and students need to know that when they utilize school provided digital communication platforms their data is safe and secure and will not be used to prey upon their economic and/or personal situation.

Copyright 2014 by the Law Office of Bradley S. Shear, LLC All rights reserved.  

Massachusetts Bill To Ban Data-Mining of Student Emails

Massachusetts has become the first state to introduce legislation that would ban companies that provide cloud computing services from processing student data for commercial purposes. MA Bill 331 is sponsored by Rep. Carlo Basile and it was referred to the House Committee on Education on January 22, 2013.

MA Bill 331 states, "Section 1. Notwithstanding any general or special law to the contrary any person who provides a cloud computing service to an educational institution operating within the State shall process data of a student enrolled in kindergarten through twelfth grade for the sole purpose of providing the cloud computing service to the educational institution and shall not process such data for any commercial purpose, including but not limited to advertising purposes that benefit the cloud computing service provider."

The bill may be interpreted to mean that firms who offer cloud computing services to Massachusetts academic institutions that enroll kindergarten through twelfth graders may not utilize the information contained in student emails for monetary gain. If this legislation is enacted, cloud service providers may not serve ads to students on school provided digital accounts based upon a student's digitally expressed thoughts or ideas.

Internet advertisers monetize the thoughts and/or ideas of its users via behavioral advertising. Digital behavioral advertising may occur when an email service provider scans the content of an email and then serves the user ads based upon the information it processes. For example, if a student emailed his health or sex education teacher to ask about sexually transmitted diseases or teen pregnancy, MA Bill 331 would ban a cloud computing service provider from serving ads for condoms or other related products or services to the student's school owned digital account.

According to a statement from the American Academy of Pediatrics, "young people are cognitively and psychologically defenseless against advertising." Therefore, would it be acceptable if a teacher was paid to review student class work, noted student preferences, and then returned graded assignments with offers for discounted merchandise based upon a student's home work or in class assignments?

Since it would be a breach of the National Education Association's Code of Ethics if a teacher utilizes personal knowledge obtained from his students for private advantage, shouldn't it also be a breach of the Code of Ethics if a cloud computing service provider utilizes an algorithm to do the same digitally? Because it is not acceptable if teachers offered discounts based upon student preferences gleaned from school work it should also not be acceptable if a computer algorithm processed the same information digitally and then served ads based upon the same data.

While MA Bill 331 is a good start, it should be amended to cover post-secondary students because Massachusetts is home to tens of thousands of college students and some of the most prestigious academic institutions in the world. Shouldn't students in college and graduate school also have their student-teacher interactions protected from being utilized for commercial purposes?

In general, Google's Apps For Education standard agreement provides schools the ability to serve ads to its students. The agreements generally state that all advertising revenue generated will be retained by Google so at this point it appears that schools do not have an economic incentive to turn on the behavioral advertising function. However, what will stop Google from approaching schools and stating that in order to continue receiving Google Apps for Education for free the advertising function must be enabled? Should graded school assignments and personal student-teacher interactions be utilized to serve ads to students in order to pay for educational software?

Educational software is expensive and because of the terrible recession that our country has experienced many states have seen steep cuts in education funding. While Massachusetts public schools have not yet experienced the same type of funding cuts that have beleaguered many other states what will happen when Massachusetts decides it must recalibrate how it dedicates its resources and K-12 schools are negatively affected by this change?

Tens of thousands of kindergarten through twelfth grade students in Massachusetts may already be at risk of having their school work data mined for advertising purposes. For example, students who attend Burlington Public Schools and Plymouth Public Schools in Massachusetts utilize Google Apps For Education. If students at these schools use their school provided Gmail based accounts after they graduate or link their personal YouTube or Google Plus account to their school sanctioned Gmail account their student-teacher interactions and class work may be monetized by Google and/or its advertising partners. However, if MA Bill 331 is enacted it may stop third parties from being able to monetize the digital thoughts and ideas of Massachusetts students and better protect their privacy and security.

96 percent of Google's $37.9 billion in 2011 revenue was earned from advertising. Is Google providing schools free access to its Google Apps For Education software in the hopes that it will eventually earn advertising revenue from data mining our children's digital school assignments and education-related interactions? Absent state and/or federal laws that ban the data mining of our children's class work on school provided digital accounts companies that offer educational cloud computing services to our schools may utilize our kid's personal private data for commercial gain.

To learn more about these issues you may contact me at http://shearlaw.com/attorney_profile.

Copyright 2013 by the Law Office of Bradley S. Shear, LLC. All rights reserved.