Student Data Privacy for Parents, Teachers, Schools, and Students

Surveillance cameras, digital monitoring apps, and similar tools are becoming more common in schools. Students often receive devices from their schools with tracking software already installed for their own protection. But it’s important for both students and parents to know what is being monitored, how that data is collected, and what’s being done with it. Because often not even the school administrators know what’s really going on with these surveillance programs. And it’s compromising student data privacy and the privacy of their parents. See Surveillance and Student Privacy with Jason Kelley for a complete transcript of the Easy Prey podcast episode. Jason Kelly is the Associate Director of Digital Strategy at the Electronic Frontier Foundation (EFF). EFF is a digital rights organization with a lot of different focus areas. One of those areas is protecting privacy and fighting against surveillance. In his role, Jason’s primary goal is to get the message out to people. He also focuses on specific issues, mostly around privacy and surveillance. One specific issue that he has focused on in the past few years is student privacy and how surveillance has sneaked its way into schools and educational institutions. It’s important to note that it’s not just student data privacy that surveillance compromises. People of all ages are being monitored in a huge variety of different ways. But there are things that kids and their parents need to know about surveillance specifically in schools. The surveillance apparatus is coming at everybody from all angles. One thing we’ve seen frequently is big tech companies like Google offering free devices to schools to give out to students. As with many things in tech, this isn’t completely benevolent. With Google, for example, students had to make Google accounts to use the devices. Then Google could collect data about them. Google is an easy one to pick on, but it’s not just them – a lot of big tech companies are doing this. This student data collection was something EFF focused on for a while. They wanted to make sure students weren’t required to five their data to Big Tech in order to use the devices the schools gave them. Google made some changes in 2017. They stopped requiring the same kind of data collection on kids. Jason wouldn’t say they’ve won the fight, though. It’s more like it just got pushed to different areas. The last twenty years have been tragic in terms of school shootings. This has caused a lot of schools to also increase their surveillance through traditional means as well. This kind of surveillance is “traditional” because it’s not surprising and people normally aren’t opposed to it. Think about cameras in public spaces. A lot of schools are using cameras these days. Jason graduated in 2001, and there were no cameras in his school when he left. But he’s sure if he went back there today there would be. It’s one thing to talk about the need for something like a camera in a hallway to ensure safety and check recordings of incidents. But often they become a tool for even more student surveillance. It usually starts with the cameras just recording so there’s a video record of any incidents. But then administrators decide a live feed to them would help them stop incidents in the first place. Then something happens, the school board passes a new agreement with the police, and now the police have the live feed of the school’s cameras. Very few parents would have agreed to install cameras with a live feed straight to police, but that’s what ends up happening. You can make lots of arguments about why police should have a direct camera feed to schools. You can also make a lot of arguments for the opposite. Safety is important, but cameras only record certain things. And they’re being staffed by police who already have a biased interpretation. It just makes our already-tilted justice system more problematic. And now it’s becoming a problem for our children in their schools. Like all surveillance technology, cameras have benefits and blind spots. The benefit is that they generally don’t move. That makes them easier to evade but much better for privacy. But that also is part of their problem. We’ve all heard of instances where a bullied child finally decides to stand up to their tormentor, but because of how the cameras are positioned, the administration doesn’t see any of the bullying, only the victim punching their bully. Blind spots [in surveillance technology] – because of how technology tends to work – tend to exacerbate real problems that already exist within society. The surveillance technology schools use change, but the blind spots continue in different ways. If a school uses facial recognition to enter the building, leaving aside the issue of student data privacy, it’s more likely to fail for Black and brown students. That’s not out of malice. It’s just one of the many examples of technology’s blind spots. Many people don’t know what these blind spots are. Most people don’t understand what’s going on with student data privacy and school surveillance. Parents don’t know what software is on their child’s school-issued devices. If they get an email from the school saying their child was caught doing something by XYZ surveillance app, how is the parent supposed to talk about it with their child? And how is the child supposed to defend themselves? It’s gotten worse over the last decade. More tools have expanded schools’ abilities to invade students’ privacy, but there’s no educational component for parents and kids to understand what’s happening. Schools often provide parents with an agreement to sign saying their child will be monitored. Sometimes these agreements list the name of the software, but they often don’t say what capabilities it has and what’s been enabled. And school administration may not even know the details. With the devices from big tech companies, for example, administration is often more focused on the fact that this is a great way to get their underprivileged students access to devices. Even those without devices at home can get online and do their homework, and that seems like nothing but benefit. They’re not thinking about student data privacy. And they often don’t know that these devices have the capacity to see what the students do and even record video of them through the camera. There is a downside to digital surveillance and monitoring for students. Jason has seen it happen. Student monitoring software is often tied to the device, not the user. That can cause a lot of issues. When a student gets a laptop or other device from their school, it probably has a program like GoGuardian, which is one of the more well-known student surveillance tools schools use. Students often take those devices hope and use them for personal things after school hours. But they might not know that administration can set up pre-recorded times to do screen captures, and it can happen for up to eight hours at a time. The schools aren’t necessarily doing it with bad intentions. But because students often don’t know that it’s a possibility, they may have their private data, accessed at home on their own time, sent to their school. Privacy invasions could happen and have happened where students don’t know that a teacher or administrator can look at what they’re doing on their laptop … parents don’t know either. It’s not just student data privacy at risk, either. Parents often don’t know about this recording option, either. So if a parent uses their child’s school-issued device for anything, whatever they’re doing is going to the school, and often to a third-party company that’s also collecting info. And parents usually have no idea. There are instances where something like this can be helpful. But mostly, schools are subjecting tens of millions of students to privacy violations on the off-chance that someone searches “how to build a bomb” and they’re serious. It’s like putting a band-aid on a broken bone – it doesn’t solve the problem. Some would make the argument that it’s okay to sacrifice a bit of student data privacy if it helps keep everyone safer. And that would be a reasonable argument – if student surveillance technology actually did what it’s being used for. Many of these types of tools, including GoGuardian and most parental control apps , have the option to alert parents or school administrators if a student visits certain sites or searches for certain things. One joke going around the internet shows one of those notifications alerting parents that their child was searching for dangerous information. Except the “dangerous information” the child was searching for was “Teaching crabs how to read.” Not only are [surveillance apps] invading privacy for students, potentially even for parents, they’re also not very good at what they do. This leads to questions about the effectiveness and the accuracy of student surveillance. These apps often block a lot of informative, age-appropriate content about LGBTQ identities in the names of blocking sexually explicit content, but at the same time don’t reliably block neo-Nazi content. These tools and the people applying them are trying to solve every problem society has. But they just can’t do that. Technology can’t solve social problems. If a child is looking at porn, that needs to be a conversation. Blocking that site at that moment doesn’t address why they’re doing it. These [surveillance] tools simply can’t solve every problem that society has, but they’re trying to do that. When it’s a school setting, it gets even more complicated. Teachers may have classes of over sixty students. They’re trying to use technology to help them do their very difficult job. Jason understands. He knows teachers are busy. They can’t watch every student, check on what they’re looking at, and make sure it’s appropriate and relevant. They can’t even thoroughly watch every student take a test when they’re all in the same room. In a remote school environment like what happened during COVID, it becomes practically impossible. It makes sense that they’re going to use these tools, especially when many of their colleagues are using them in other schools. Teachers don’t know how inaccurate these tools are and how invasive they are in student data privacy. And it’s not a teacher’s job to understand programming and data collection. Their job is to teach kids, not understand the depths of the devices and apps. The blame here rests not on the teachers, but the companies selling tools without explaining what they do or their limitations. In February, EFF got a legal help request from a technologist whose partner was attending Dartmouth Medical School. The school was reviewing all the students’ logs on Canvas, the school’s e-learning platform, and using that data to accuse students of cheating. Dartmouth had learned that a student might be cheating, and their legal advisors said they should apply the same method to every student. The administrators were comparing time in remote exams and time accessing course material on Canvas to try to see if students were looking up their exam answers. The problem is that many students would log into Canvas with multiple devices, and then didn’t close the tab or exit the app when they were done. Canvas refreshes the data periodically. So it can look like a student is looking at course material, even though it’s just a tab open in their browser. EFF looked at the data this technologist sent. It was cherry-picked to look incriminating. Even so, they could tell it looked like automatic refreshes. Dartmouth had singled out twenty students that they were going to either expel or put a mark on their transcript. In medical school, a mark on your transcript can derail your whole career. EFF wrote a letter to the dean, but he refused to change the decision. So EFF contacted The Boston Globe . They ran a major story interviewing the students. A week later, the story reached the front page of The New York Times Sunday edition. It was a huge public relations fiasco for Dartmouth. They rescinded all allegations, apologized to the students, and said they wouldn’t do it again. It’s a happy ending, but there were two months where students weren’t sure if they would be able to be doctors because their school didn’t understand the tech. Whether you’re a student or a parent, you can take steps to protect student data privacy. The first step is to be careful with all technology a school gives you. If you can at all avoid it, it’s safest to not do anything private or personal on those devices. It’s similar to any workplace devices when you’re in the working world – assume anything you can do on that device will be viewable to your boss or to a school administrator. EEF also has a student privacy guide on their surveillance self-defense website, ssd.eff.org . It gives students tips for things they can do to protect their data privacy. That includes things like knowing what data is being collected, if you can, and setting up your social media settings correctly. Sometimes the answer is to only use the school device when you have to, and make sure you’re logged out if the school requires a proctoring software on your personal device. As a student, you can also take social measures. Jason has seen a lot of petitions where students have gotten together and said they don’t want proctoring apps that record their biometrics and personal data and potentially sell them or give them to a third party. Some of them have been successful. The entire University of California system has gotten rid of remote proctoring. As a parent, you can do the same thing. Make sure teachers and administrators understand the dangers these apps cause to student data privacy. A recent report showed schools and parents don’t really understand the tech students are using, but they’re willing to learn. If you have the ability and the interest, it’s on you to educate administrators, teachers, kids, and other parents about what’s happening on these devices. The pandemic and the sudden switch to remote school made it much more likely that schools would start adopting student surveillance and remote proctoring tools without understanding what they do or how they work. EFF didn’t have a specific student privacy working group until the pandemic started. They started the group parly because the number of students using proctoring tools more than quadrupled. Once that happened, it felt necessary to focus specifically on student data privacy. Student surveillance is just one of the many kinds of surveillance that we’ve implemented – some good, some bad, some much, much worse than bad – to try to make up for the problems of the pandemic. Proctoring is one area where they’ve focused heavily because it has so many issues. Remote proctoring tools work by installing a program on the device that uses your webcam or camera to record. Considering that many people fear nefarious actors watching them through their webcam , it’s already clear why some people don’t like this! Some programs have a live person watching you, but most record the video and use an algorithm to identify movements that indicate cheating. Many offer other services as well, such as facial recognition, locking down the device so the student can’t open another program, or even using behavioral biometrics like keystrokes to verify your identity. Not only does this have a lot of challenges for student data privacy, but many times it flags innocent people for cheating. Every law school graduate who wants to actually work as a lawyer has to take the bar exam. This is an intense, notoriously difficult exam spanning multiple days. When the pandemic hit, the exam had to go online. The bar associations agreed it could be done if the students used a remote proctoring tool. In the US, that was primarily the company ExamSoft. Not only does it record your video, it prevents you from opening other apps, uses facial recognition to see if you’re looking at the screen, and uses behavioral biometrics. EFF wrote a letter to the Supreme Court of California asking them not to require ExamSoft because of all the problems. They mentioned bias, inaccuracy, and student data privacy invasion, and the risk of data breaches . The California made clear that all data collected by ExamSoft would be deleted. This was an important step since it wasn’t previously clear if the school, the bar association, or ExamSoft would be responsible for that data. But it didn’t address many of the other issues. Nine thousand people took the bar exam, and ExamSoft flagged three thousand of them for cheating. Now the bar association had to review the video for three thousand tests. Out of all of that, only seventy students were actually disciplined for cheating. ExamSoft says that’s the way it’s supposed to work. They don’t determine if anyone cheats, only determine if they do something that might be cheating. Luckily in this case, the bar association understood that a third of test takers probably weren’t cheating and recognized that the software could be wrong. EFF has put a lot of effort into pushing back against the inaccuracies and student data privacy issues of proctoring. They recently had a big win. There are three major proctoring companies: ExamSoft, Proctorio, and ProctorU. In the previous example with ExamSoft, there was no reviewer on the company side, just an algorithm that says it thinks these people cheated. ProctorU had an AI-based algorithm that did the same thing. But they recently said gives so many false positives that they’re going to to sell it to anyone unless they also pay for manual review. The pandemic has made it more clear to people where technology fails us, especially in the educational realm. That’s what happened all across the pandemic in many places. Technology, either new or existing, is pushed to the front as a solution for all society’s problems. And it takes a year before people realize it doesn’t work. We’ve seen a lot of these scenarios over the last year. Jason is hoping the pandemic has made clear to people where technology fails, especially in education. That’s the best-case scenario. School surveillance and student data privacy over the last year has been a mess. It still remains to be seen if we learned, but there’s hope. Learn more about the Electronic Frontier Foundation’s mission and get resources at eff.org . The Surveillance Self-Defense Guide at ssd.eff.org is a great place to start for anyone. You can find Jason Kelley on Twitter @JGKelley , but like most people on Twitter, he tweets more about local politics and photos of sandwiches than student privacy. You can also follow EFF on Twitter @EFF or on Instagram @efforg .