VTech vs EDtech

This week we’ve seen news of a major breach of users’ data from an online service run by VTech.  What sets this one apart is that personal information was stolen from hundreds of thousands of children’s accounts, associated with some of the millions of adult accounts that were also compromised.

Troy Hunt has posted a detailed analysis of the breach and other problems with VTech’s web applications.  You can read it here on Troy’s site or here on Ars Technica.  I encourage you to read it.

Here is what Troy Hunt had to say about the severity of the breach: 

“When it’s hundreds of thousands of children including their names, genders and birthdates, that’s off the charts. When it includes their parents as well – along with their home address – and you can link the two and emphatically say “Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question)”, I start to run out of superlatives to even describe how bad that is.”

When I read this paragraph, head nodding, I thought of the running list I keep of my own kids’ identifiable personal information I’ve been able to gain unauthorized access to through remote attack vulnerabilities in online services used at their schools. (A remote attack is something that does not require access to the user’s network traffic, and can be done from anywhere).

The list is below. I was able to collect all of this by exercising flaws in web pages and interfaces in the education-related services that hold my kids’ information.  It wasn’t all in one place like the VTech information but goes far beyond what was held there.

  • full name
  • gender
  • date of birth
  • in-class behavior records
  • reading level and progress assessments
  • math skill and progress assessments
  • in-class test and quiz scores
  • report cards
  • ability to send private message to a student through an app
  • voice recordings
  • usernames (some with passwords)
  • password hashes
  • school lunch assistance status
  • name and address of school
  • teacher name
  • classmate names (through class rosters)
  • class photos with students labeled by name
  • parent email addresses
  • parent names
  • home address
  • home phone number

My kids are still in elementary school.  Simply by going to school they’ve already had all of this information exposed to the possibility of unauthorized access and collection.

I don’t have knowledge that any of this information has been subject to unauthorized access — but the only difference between a responsible disclosure and a data breach is the ethics of the person who finds the vulnerability.   Most of these vulnerabilities exposed many thousands of students to potential breaches, some of them exposed millions of students to potential breaches of their personal and educational information.

This is a system-wide problem that educators, parents and technology providers must work together to address.  Things are improving but we have a long way to go.  Here are some previous posts on that topic:

Why we need standards: part one of many

A starting point: end-user web app security test plan

Edsurge: Why student data security matters

Bill Gates and the erosion of student privacy

bill gates v5

Bill Gates has had an enduring fixation on the need to expand the collection and sharing of personal student data. In 2005, the Gates Foundation organized a “data summit” among its grantees, at which launched the Data Quality Campaign, “to Improve the collection, availability and use of high-quality education data, and Implement state longitudinal data systems to improve student achievement.”

The Data Quality Campaign has received more than $13 million since 2013 from the Foundation, which they have used to advocate for the US Department of Education to weaken student privacy protections and to allow for the sharing of personal student information among state agencies, between states, and with researchers, test companies, and technology vendors.

In 2008 and 2011, The Data Quality Campaign, along with its “partners” among other Gates grantees, successfully lobbied the US Ed Dept. to relax FERPA, to allow for the creation of state longitudinal databases to link student data from preK through the workforce and beyond, and the disclosure and redisclosure of personal student data with a wide variety of third parties without parental knowledge or consent.

According to a participant in a webinar hosted by the Data Quality Campaign on April 14, 2011, Steve Winnick, a prominent DC attorney working for DQC emphasized the need to deny parents the right to consent or opt out of their children’s data being disclosed, saying, “we don’t want parents to get in the way.” You can see the 2011 fact sheet released by Steve Winnick and the Data Quality Campaign about the many ways the US Department of Education weakened this “outdated” privacy law in response to their advocacy here.

Earlier in 2009, the Foundation granted $22 million to schools, districts, and states for them to expand their data collection and disclosure efforts, and in 2011, spent $87 million to form the Shared Learning Collaborative, which in 2014 would morph into a separate corporation called inBloom Inc.

inBloom Inc. which would receive more than $100M in Gates funds before closing its doors due to parent protests in 2014, was a hydra-headed effort to collect the personal data from nine states and districts, store it on an Amazon cloud, with an operating system built by Amplify, and make it more easily accessible to ed tech vendors and other third parties without parental knowledge or consent. Here is more background on inBloom; here are a timeline and news clips.

Gates incentivized districts and states to participate in this project of data collection and sharing, with promises of big grants.  The Foundation also offered cash awards to vendors who would build their instructional products around this data, through  “interoperable” software.

inBloom was designed to help achieve Bill Gates vision of education: to mechanize instruction by plugging every child into a common curriculum, standards and tests, delivered by computers, with software that can data-mine their responses and through machine-driven algorithms, deliver “customized” lessons and adaptive learning.  By siphoning off the data into state and multi-state databases and then tracking children through life, educrats can better evaluate which teachers and software programs are effective, and also steer students towards appropriate college and careers, all in the name of improved “efficiency”. Gates has also funded multi-state student databases, which were illegal before FERPA was relaxed, including granting WICHE with more than $13 million, to enable the transfer of personal student information between fifteen Western states.

Since the demise of inBloom, the Gates Foundation has not given up their attempt to supplant real personalized learning with learning through software and machines. Recently, with the Future of Privacy, an ed tech industry group, they funded a survey that was pitched as showing that parents support schools sharing the personal data of their children, but upon further digging really showed the opposite.

Gates has also funded a new effort, in which 27 school districts along with The Consortium for School Networking, will create a “Trusted Learning Environment Seal” to reassure parents that their children’s data is safe. In this way, they appear intent on controlling the student privacy debate , and co-opting the intense parent concerns about rampant data disclosure that led to inBloom’s downfall.

SAMPLE letter to gain access to your child’s data in the state student database

Since Cheri Kiesecker and I wrote an article in the Washington Post Answer Sheet about all the data that the state is collecting on children, parents in CO, NJ, RI, and many other states have asked us for a sample letter they can use to demand to see the data that states hold for their children in their longitudinal student databases. So we have drafted one below.

In most states, this request will be made via a Freedom of Information request to your State Education Department FOIA officer, and/or the Department’s privacy officer, if there is one. Parents should also copy the State Education Chief Information Officer and/or the State Commissioner, if their contact information is available.

FYI, the state cannot force you to come to their office to see your child’s data if that would be a hardship – as it would for most parents. And while they can charge a minimal fee to make copies, they cannot charge you for the search and retrieval of these records. If they try to charge you more than a minimal fee, you can appeal that decision. If the state is being obstructive in any way, please contact us at info@studentprivacymatters; we can strategize and/or help you write a FERPA complaint. And please keep us in the loop in any case!

For more information, see the US Ed Dept. letter to the state of Nevada, referred to below.

Thanks, Leonie Haimson, co-chair, Parent Coalition for Student Privacy

To whom it may concern:

I am the parent and legal guardian of (full name of child), currently (x) years of age.

My child attended x school in grades K-x (during what years); x school in grades x-y, (during what years) and x high school (during what years) in [what] school district.

Please provide me with whatever personally identifiable information (PII) that the State Education Department has collected on my child and which of this information is included in the state’s student longitudinal database, including any and all information in the database that has been contributed by other state agencies.

To access this information, and challenge it if it is incorrect is every parent’s right under the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99), and the state cannot charge me a fee for accessing it.

This was confirmed by Dale King, Director of the U.S. Department of Education’s Family Policy Compliance Office, in a letter he wrote to the Nevada Education Department on July 28, 2014:

….educational agencies and institutions, as well as SEAs [State educational agencies] may not charge a fee for search and retrieval of education records. See § 99.ll(b)

According to the US Department of Education, you are obligated to provide me with my child’s data within 45 days of this request.

I also demand a list of any and all third parties, and/or governmental agencies, that have been provided with any of my child’s PII, which elements of PII they have received, and under what privacy and security agreements these disclosures were made.

Finally, I would like to know what governmental, citizen or advisory board exists to oversee the collection, use, distribution and eventual destruction of my child’s PII data, and their members.

Thank you for your cooperation in this matter and I look forward to hearing from you soon.

(Your name)
(Email address)
(Phone number)

Are Most Parents really Okay with Educational Use of Student Data?

Tim Farley is a public school parent, a public school Principal in the upper Hudson Valley and a co-founder of NYS Allies for Public Education.  He blogs here and this is reprinted with his permission. tim blog

Are Most Parents really Okay with Educational Use of Student Data?

The answer is most parents don’t know what data is being collected and shared in the name of “educational use”. This morning, I received my monthly subscription of the On Board newspaper published by the New York State School Boards Association (www.nyssba.org). I came across an article on page 11 misleadingly entitled, “Most Parents OK With Educational Use of Student Data, Says Survey”. It piqued my interest because I have observed a growing trend of parents being much more concerned about the sharing of their children’s personally identifiable information being shared beyond the classroom walls. So I read the article and then I read the report on which the article is based.

According to Gail Simidian, Research Analyst for NYSSBA, the survey of about 1,000 public/charter school parents revealed “Seventy-six percent said they have a clear idea about how their child’s school uses student data.” However, parents are “picky” about who can access that data (89% believe it is fine for school personnel to have access to their child’s data, “but less than 50% support non-profits or other educational firms having access.” (emphasis mine)

As the above result makes clear, most parents do NOT support vendors and other third parties outside of the school or district receiving their children’s personal data, as currently occurs with the proliferation of education technology and other corporations provided with access to this data.

The report is titled, “Beyond the Fear Factor, Parental Support for Technology and Data Use in Schools.” The study was undertaken by The Future of Privacy Forum to allegedly get a better understanding of what parents know and want with regard to the use of data and the use of the data within the educational system. Not surprisingly, this study was funded by the Bill & Melinda Gates Foundation. (emphasis added)

In the Executive Summary, under the heading, “What do parents know about the use of technology in schools,” the survey indicates that parents believe they are very aware of the technology being used and furthermore, “they understand what data are collected and how they are used.”

Under the “conclusions” section of the Executive Summary, it states, “More work must be done to explain to parents how their child benefits from improving the effectiveness of educational products based on lessons learned in the classroom… and educators and vendors (emphasis added) must make an effective commitment to parents that student data will never be exploited.”

Wow! According to the authors of this study, it is now the school’s responsibility to commit to parents that their children’s data given (without parental consent) to third party vendors will not be exploited. I find this conclusion to be ludicrous.

From my observations, parents have very little knowledge of the sheer magnitude of data being collected on their children and being shared with third party vendors at an alarming rate. Leonie Haimson, Executive Director of Class Size Matters, recently co-authored an article in the Washington Post highlighting just how rampant this problem is in our schools.

Student data collected by districts and states and potentially shared include: race, ethnicity, income level, discipline records, attendance records, participation in free/reduced lunch programs, parental marital status, family income, social security numbers, grades and test scores, disabilities and Individualized Education Plans (IEPs), “mental health and medical history, counseling records, and much more.” (emphasis added)

According to the “Parent Query” report, all of these data can be shared with: US Department of Education, organizations that offer financial aid, researchers who analyze the data and use their findings to make recommendations about how schools can improve, companies that create educational software, websites and apps (emphasis added), and non-profit organizations.

Another disturbing piece of this study can be found on page 39: “Student information can measure and hold teachers accountable for their effectiveness in the classroom.” (emphasis added) The Value Added Model (VAM) and the use of student results on standardized tests to measure teacher effectiveness have been heavily criticized by the American Statistical Association as not being a valid nor reliable .

If parents were told how much data is being collected on their children and shared with other companies, organizations, and governmental agencies, all without their consent, they would overwhelmingly oppose this practice in even greater numbers than this survey reveals.

Would Bill Gates be okay with the Lakeside School (prestigious private school where Bill and Melinda Gates children attend) collecting these types of data and sharing those data with third party vendors? If the unfettered collection of student data isn’t what most parents would want for their children, why is Bill Gates paying for “studies” that seemingly attempt to persuade us that they do support this, and that more efforts must be made by their schools to convince them that the sharing of this sensitive data is good for our children?

In the future, I hope that NYSSBA’s publication, On Board, will more honestly report on research, and feature less “research” funded by Bill Gates that benefits Bill Gates.

I do appreciate the help in opening the eyes of those who read it to expose the wizards behind the curtain who now have access to everything they believe they have the right and need to know about every student in New York schools.