How safe is school data?
Outside hackers pose known threats to students’ private information, but what about leaks from the software that schools trust?
Internet Safety Labs, a nonprofit watchdog organization, is calling for better product testing for educational technology companies. Alongside threats from cyber attacks, there may be data breach threats from inside the school building. Research on more than 1,000 apps used by more than 600 schools across America revealed that the apps may be passing student data along to outside interests.
TRANSCRIPT OF VIDEO
ROYAL GURLEY: I believe at the core of what we are required to do is to provide students with this world-class education, and times have evolved.
ANGIE MILES: The head of Charlottesville City Schools understands how crucial technology is for classroom learning.
ROYAL GURLEY: I grew up in a time where, you know, we instructed paper and pencil and now, you know, students rarely have access to a book because they get that via technology. And so, the balancing act now is how do you do that and do it safely?
ANGIE MILES: With a degree in technology. Superintendent Royal Gurley also understands the challenges of keeping student data safe. Charlottesville has managed to avoid data breaches like the one that impacted Los Angeles City schools and leaked sensitive student information onto the dark web. But many Virginia school divisions have had their technology systems compromised, data stolen and held for ransom. Since 2015, cyber criminals have hit Virginia universities, as well as large school divisions like Fairfax and Arlington but also smaller districts like Greensville and Smyth counties. The Federal Bureau of Investigations says to schools...
CHRISTOPHER COPE: Understand that you are a target. Your networks are a target, your school is a target, and that bad actors are trying to access all of that in order to find sensitive information, steal it, and profit.
ANGIE MILES: In an attempt to profit, these bad actors infiltrate vulnerable systems, encrypt the data so schools can't access it without a decryption key, and then blackmail divisions, threatening to release private data such as student ID numbers, social security numbers, birthdays, home addresses, test scores, mental health records, salaries, or other protected employment information unless the division pays a ransom.
CHRISTOPHER COPE: Anybody that has a laptop that connects remotely could potentially be compromised. The sooner the school districts train their students and more frequently train their staff on cybersecurity risks, the better off they will be. You know, even if they don't have, quite have, the budget or the ability to lock down those networks.
ANGIE MILES: Profit is the incentive, but experience says it's not just criminals who are incentivized by profit. Dorothy Rice is a retired Richmond educator with a daughter who has also become a teacher.
DOROTHY RICE: And she's always going into her pocketbook to provide for her students.
ANGIE MILES: The fact that many teachers are so committed to finding what will make learning more fun and more effective makes free resources like free apps enticing.
DOROTHY RICE: And I'm not so sure teachers are really scrutinizing it because as long as they are getting a useful product for their students to use, they probably don't really delve into any sinister notions.
ROYAL GURLEY: Nothing is free. And so, I think we've done a very good job through our professional development and say, hey, if you see something you'd like, let's run it through technology. Let your principal know. Let's do it the right way. Because there's so many unintended consequences.
ANGIE MILES: It's the unintended consequences that concern Amanda Kozak. The Powhatan mom has homeschooled her children since the start of the pandemic. She's been studying data privacy issues and she says parents should be paying much more attention.
AMANDA KOZAK: Yeah, so as a parent, there are a lot of concerns that I have from a data perspective. You know, a lot of this data collection starts when a child is in pre-K. Everything from their attendance to their test scores, their behavioral health. All of that is collected and stored and shared in the cloud, but we don't know who has access to it. You know, from a third-party perspective, how this information can be used later on down the road.
ANGIE MILES: Lisa LeVasseur says Kozak is correct. Her nonprofit, Internet Safety Labs, is on a mission. The technology watchdog organization recently tested apps for more than 600 schools, including 13 in Virginia, monitoring the flow of information that leaves the school networks.
LISA LeVASSEUR: We tested around, I think it was over 1300 apps we tested, and we looked at the data flow. We looked at the behavior of the apps. The result was that 78% of those apps, we scored them as a do not use because they were sending data to entities that monetize data, either advertising or analytics. The next bucket down, the high- risk bucket, 18% of the apps were in there. So, only 4% of the apps were reasonably safe.
ANGIE MILES: By their tally, 96% of education apps that are either required or recommended by schools are passing data directly or indirectly to others, including big tech companies like Google, Apple, and Facebook. LeVasseur says schools, like the general public, are mostly unaware of how the data is being used, partially because of the vetting process itself, which often relies on self-reporting of safety measures by the vendors, who may be looking to monetize or who may not be aware of what is actually happening to the data.
DOROTHY RICE: By virtue of calling them vendors, they're capitalists. They want to make money and they're looking at those students as potential customers, clients, or whatever. They can mine that information.
ANGIE MILES: Internet Safety Labs says that ‘yes,’ the data might be used for targeted ads in the future or to predict students' later behaviors or risk factors in ways that might benefit retailers or insurers, or might negatively impact those targeted.
LISA LeVASSEUR: We see direct pipelines between school technology and law enforcement, including emotional and social assessments and things like that, and that's deeply troubling, deeply troubling. Especially for communities of color because it's just a self-fulfilling machine with all of the implicit bias.
AMANDA KOZAK: This is an issue that impacts everyone. It doesn't matter how you vote. It doesn't matter what your background is like. This is an issue that's impacting every child right now within, not only our public school system, but also private schools and homeschools as well.
ANGIE MILES: Meanwhile, who is ultimately responsible for where the data goes? LeVasseur says the burden of guaranteeing student data safety is currently with the schools and with the parents, but she says it should not be that way.
LISA LeVASSEUR: It's as if we're asking people when they buy a car to install their own airbags and their own safety belts and their own safety equipment. That's where we are with software, and connected software today, and that is not right. Nobody should have to do that. You should be able to get a reasonably safe product directly from the manufacturer and trust that it is safe.
Correction, March 3: An earlier version of this article misattributed the photo credit.