Student Privacy Under Attack

Back to May 2014 Ed Reporter

Student Privacy Under Attack


With increased emphasis on computer analytics as a means to assess student progress and overall learning, particularly that demanded due to Common Core standards, wide-ranging personal information about students and families is stored on computer systems. Khaliah Barnes, a lawyer with a privacy watchdog group, the Electronic Privacy Information Center, claims that “Student privacy is under attack.” Her opinion represents that of a cadre of parents, advocacy organizations, school districts, and governmental agencies that fear student information is being used and abused due to carelessness, deceit, and subterfuge, sometimes for commercial profit.

inBloom, a $100 million student data collection project funded by the Gates Foundation and the Carnegie Foundation, closed up shop in April after the nine states that signed up to use the service realized the security of personally identifiable student information could be at risk. The organization claimed its storage was secure but many doubted this.

New York was the final state to withdraw from inBloom; “President Barack Obama’s Race To The Top education initiative, which awarded New York $700 million, is heavily reliant upon data and statistics for teacher and student achievement.” New York and other states intended to use inBloom to fulfill federal data storage and sharing requirements. A New York school official claims inBloom’s “system was ‘untested and unproven.’” (Newsday, 4-21-14) The demise of inBloom is a victory for parents trying to protect their children’s privacy.

Google Ogles Student Emails

Thousands of American K-12 schools and universities use Google Apps for Education, which is free and provides email, a calendar, cloud-based storage of student information, word-processing, spreadsheets, and other software applications. A lawsuit has been filed against Google by a student at the University of Hawaii and a student at the University of the Pacific in California. They are suing Google for “not only mining [their] email messages for keywords and other information, but also using resulting data — including newly created derivative information, or ‘metadata’ — for ‘secret user profiling’ that could serve as the basis for such activities as delivering targeted ads in Google products other than Apps for Education.” The lawsuit claims “that neither they nor any other users of Google Apps for Education consented to such practices.” Google’s claim that they don’t spy into student emails to gather data for advertising is contradicted by their own testimony in court. A representative of the Electronic Privacy Information Center stated, “Google’s sworn court statements reveal that the company has violated student trust by using students’ education records for profit.” (Education Week, 3-26-14)

Dept. of Education Privacy Belly Flop

In March, the Dept. of Education released a 14-page document intended to clarify student privacy issues titled “Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices.” No changes were made to protect students’ privacy. Education Secretary Arne Duncan is sticking with the administration’s previous easing of regulations made to the Family Educational Rights and Privacy Act (FERPA), changes which have weakened FERPA’s ability to protect student privacy.

The Education Department’s guidelines clarification didn’t clarify anything. It was meant to respond to questions from schools about securing and sharing student data. But the only thing the Department clearly stated was: “it depends.” In fact, on page 2 of the newly released clarification it states:

Question: Is Student Information used in Online Educational Services protected by FERPA?

Answer: It depends.

The executive director of Class Size Matters, a New York City student advocacy group, stated: “In the process of encouraging a market in data-mining software and the outsourcing of education into private hands, [the U.S. Department of Education] seems willing to sacrifice our children’s privacy.” (Education Week, 3-5-14)

Partially due to increased federal government requirements for student information, all Common Core school districts have online longitudinal data systems about elementary, middle, and secondary school students. School districts store personally-identifiable student information, including Social Security numbers, health information, family structure, test scores, and more. Security breaches have occurred and caused actual and potential harm to students. Identity theft crimes may be perpetrated against children but may not become apparent until they try to establish credit as adults. Other leaks and instances of schools sharing private information have done more immediate harm to students.

University Violations

At Indiana University, 146,000 students and recent graduates were informed in February that their names, addresses, and Social Security numbers were “stored in an insecure location for 11 months.” This was the result of careless online record maintenance, not a cyberattack.

Also in February, a “sophisticated cyberattack” was perpetrated at the University of Maryland. The Social Security numbers, birthdays, and university ID numbers of 309,000 students were leaked when “multiple layers of security were compromised.” (Christian Science Monitor, 2-26-14) A University of Maryland official stated that, although they doubled their Information Technology department staff and expenditures in 2012, schools are fighting a constant battle against hackers who become ever-more sophisticated.

Sinking Teeth into Students’ Private Info

An unexpected consequence of collecting private student data, lax control of the information, and sharing of information with third parties has been unnecessary dentistry done on children. Mobile dentists come to schools to perform services such as x-rays, teeth cleaning, fillings, and other procedures. These practices often serve low-income clients and the services are often paid for by Medicaid. Some practices and practitioners are subpar.

ReachOut Healthcare, Church Street Health Management, and other corporate dental chains in 23 states were investigated in 2013 by the U.S. Senate Judiciary Committee in response to complaints. Among other findings, the Committee determined that two-thirds of the baby root canals done by Church Street Health Management (later renamed CSHM) were “likely unnecessary.” CSHM dental clinics are called Small Smiles; CSHM gets potential patient information from school records and some dental work is done on school premises.

ReachOut Healthcare’s practice is to “make friends with employees on [school] campuses, particularly those in administrative or nursing offices, take them to lunch, and thereafter ask for student information databases,” according to Arizona state Sen. Kimberly Yee who sponsored a bill to “strengthen procedures related to the release of student directory information — which typically includes name, address, and phone number — to third-party vendors.” (Education Week, 1-22-14)

More Security Breaches

Other recent data breaches include those below, which occurred in the last two months of 2013:

  • In New York, the names, ID numbers, and free-lunch designations of 15,000 former students in the Long Island, New York, Sachem Central School District were posted online by a 17-year-old student who hacked and downloaded the information.
  • The names, birth dates, sex, and eye exam results of 2,000 students in Chicago were posted online after they received free vision exams at school.
  • In Virginia, a New York vendor “inadvertently uploaded and left unprotected directory information including students’ names, addresses, telephone numbers, dates and places of birth, course schedules, and attendance histories.” (Education Week, 1-22-14)

According to the Christian Science Monitor, “The ever-broadening potential uses of student data, for everything from marketing to federal tracking of the effectiveness of education policies, continues to concern privacy advocates.” (2-26-14)

Who Needs All The Data?

Some educators question the need for so much computerized student data to be collected and stored. Undoubtedly computers can be useful to educators. But is technology the be-all and end-all of education? Are people still the most important factor in educating children? Reacting to the shutdown of inBloom, teacher Michelle K. commented at the Washington Post website:

On any given day, I can say exactly where each of my students is academically because I am a professional, I know my job and I know my kids. I don’t need a computer to analyze the data and my students.

The role of teachers in classrooms is being discounted. There is constant pressure to use technology to teach and to measure student achievement. Commercial entities are being invited into classrooms via computers far too often and too much data about students is being shared.

The Dept. of Education website reveals troubling information about data-tracking systems on page three of the guidelines released in March. ( Not only can third parties mine emails for keywords in order to send relevant ads to students but they also have the ability at our schools to record how long a student hovers over a question before answering. Third parties record a student’s time spent online, success rates, and even keystroke information. If the U.S. Dept. of Education guidelines are faithfully observed, the students’ information, though personally identifiable when it is shared, should have personally identifiable information removed before a third party uses it outside the school setting. This seems to be exactly the Big-Brother style snooping on students that privacy experts have been warning against and about which parents have concerns.