During the pandemic, schools became more reliant on tech than ever.
The number of edtech products schools access in a typical month has tripled since four years ago to more than 1,400 tools, according to a recent estimate by Learn Platform, an edtech company that helps schools manage tech.
And the companies that provide these tools aren’t always careful stewards of the sometimes-sensitive information they collect from students. For example: A review of how companies handle student data by Internet Safety Labs, a nonprofit that tests software products, showed that 96 percent of apps used and recommended by U.S. educational institutions shared that data with third parties. Often the data was being shared with advertisers, even though schools — let alone parents or students — didn’t know or consent to it.
To observers, this threatens to amplify the data privacy problem faced by K-12 schools, which have become a big target for hackers. That’s because the growing number of companies handling student data through tech tools creates more potential sources of hacks or leaks.
These days the systems holding school data can seem like a bank vault with sophisticated locks but no back wall, says Michael King, a retired vice president and general manager of global education for IBM.
Not long ago, schools kept all their student data on servers at schools. But because the norm is now for services to keep data on cloud servers, schools must rely on the vendors to keep information secure, King says. “You can lock down all your student data you want within your district, but if a hacker hits one of your vendors, and they've got student data in their system, you’ve still got a leak of your student data,” King adds.
Keeping a Safe Distance
The companies that work with schools are aware of this concern. And with privacy concerns rising, some providers want nothing to do with personal data.
“Our privacy policy is extremely simple: this app collects absolutely NO personal information,” reads the data-privacy policy for ChessTiger, a chess app. The company does not keep a customer list nor does it collect emails, the policy elaborates, out of a belief that companies tend to misuse it. Inevitably, the statement concludes, once data is sold to advertisers, it “will be misused again, with sinister consequences to be expected.”
Though few companies go that far in avoiding data collection, the policy statement reflects an attitude to data that’s becoming more common in edtech, says Kevin Lewis, a data privacy officer for 1EdTech Consortium, a nonprofit industry association.
Lewis says that thoughtful companies want to stress their role as “partners” of schools in guarding sensitive information, as part of an effort to dramatize their compliance around personal data. Often that means getting third-party certifications that accentuate user privacy, such as the Future of Privacy Forum’s student privacy pledge.
For example: ClassLink, a company used by districts to manage sign-on information, currently displays on its website 17 such pledges, badges and guidelines.
But many companies aren’t being as careful.
Looking at a company’s privacy policy will give you a sense of whether the company understands privacy, Lewis says. Often when he examines a policy, he’s looking for what might be left out, such as whether the company is working to comply with privacy laws.
A Wall of Separation
But rather than forcing edtech companies to get better at handling data, what if schools just kept them from accessing data in the first place?
These days, King, formerly of IBM, is on the board of the public benefit corporation Global Grid for Learning. The company runs a private data exchange for the education system called School Passport.
These types of exchanges restrict access to student data, by scrubbing user records of personally identifiable information except for what is needed for transactions. The hope is that widespread adoption would reduce the pressure on schools to rely on the privacy practices of edtech vendors. And it's common in other industries with sensitive information like financial services, King adds.
There’s some appetite for the approach: more than 30,000 schools and hundreds of edtech companies use the exchange, according to the company’s latest count. The company is working with 1EdTech to release a standard for data exchanges that’s open to for others to use in early June. And at least one other company, ClassLink, offers a similar product.
King argues that data exchanges make it easier for teachers to try out new tech products in the classroom because they reduce the need for a school’s IT department to help serve as gatekeeper.
He also argues that it’s good for the companies, since it limits their risk. For example: he says that Coursera had avoided bringing its Career Academies into high schools for fear of dealing with K-12 student data, but GG4L “shielded” Coursera from the risk by limiting access to data. (When EdSurge reached out to Coursera, the company said it does not comment on business opportunities generally, but takes data privacy seriously.)
But for some privacy advocates, the challenges to student privacy go deeper, now that so many for-profit companies are involved with student learning. Schools are paying technology companies, but the students are often the product, argues Ellen Zavian, a professional lecturer for George Washington University Law School.
A parent advocate for student data privacy, Zavian decided early on that she wanted to work on safe tech — rather than, say, volunteer for a parent-teacher association — because Chromebooks were being rolled out in schools. Many parents and students don’t understand what’s at stake, Zavian says, but the companies are collecting information in a way that will deeply impact student lives. Companies are tracking students in a way that’s proven good for revenue streams but which hasn’t shown an acceleration in learning, she argues. These companies offer tools without clear metrics on whether they work for learning. “And I don't know where else you get to spend millions of dollars and don't know what success looks like,” Zavian says.
Meanwhile, federal laws for safeguarding student data — COPPA and FERPA — haven’t been updated in decades, she notes.
Her hesitation with approaches like data exchanges is that they assume that these tools are worth the cost. To her and some other advocates, that has yet to be proven.