Our Students cannot
afford to wait for Montgomery County Public School’s leaders to take action in
protecting our children’s personal digital privacy. It is up to parents, like you, to develop a
plan in their school, reach out to state lawmakers to support stronger
student privacy laws and to speak out publicly on this important issue.
With Superintendent Joshua
Starr’s reappointment process in the news, I want to provide some updates on
the technology in the
classroom
initiative he is touting as one of his ‘great accomplishments’ during his
four-year tenure. My focus has been
about the lack of the initiative’s strategic plan, the lack of measurable
goals, and the troubling lack of student privacy protections
in the Google Apps For Education and
Chromebook agreements.
Although no answers
have been provided by Starr and his team, to date, the State of Maryland and
Parents have made some positive inroads where MCPS failed us:
1.
State
lawmakers introduced in 2014 and may do so again in 2015 legislation that
protects the personal digital privacy of our students. and
2.
Piney
Branch Elementary School (PBES, Takoma Park, MD) has put together a
parent/teacher/principal working group to develop safeguards, code of usage,
and best practices that we hope will be a model for other schools in the
district to adapt. (I am part of this group)
If you desire to get
a working group started in your school, please start meeting with your
Principal.
While we hired Joshua Starr to protect our students, he not only FAILED
to protect our children’s personal information, but invited (and paid)
companies to freely take and use any personal information they find on our
children.
We, at PBES are
meeting with MCPS’s CTO, Sherwin Collette in February and asking the following questions (which Starr
has refused to answer, Collette has failed to address, to date, and MCPS’
Google agreements fail to incorporate):
1.
When will
MCPS’ agreements with third party vendors such as Google :
a.
Require
that student data collected may not be used for non-educational purposes..
b.
Require
that school vendors delete personally identifiable information about students
and their families upon request from parents or legal guardians
c.
Require
that vendors be fully transparent about their digital collection practices,
privacy policies and practices
d.
Require
that third party vendors be held legally and financially responsible in the
event of a data breach
e.
Require minimum
security controls that must be met
f.
Permit a
security audit by MCPS
g.
Detail
what specific information can and cannot be collected (e.g., metadata, forms,
logs, cooking, tracking pixels, etc…)
h.
Define
the specific purposes for which the vendor may use student information and bind
the provider to only those approved uses
i.
Specify
with whom the vendor may share student information
j.
Include
data archival and destruction requirements to ensure metadata is no longer
residing on the vendor’s systems after the contract expires
k.
Define
what disclosure avoidance procedures must be performed to de-identify student
information before the vendor may retain it, share it, use it
l.
A parent
portal to obtain access to the data collected by provider
m.
A process
of modifying the terms of the agreement if new laws are enacted during the term
of the agreement.
n.
Disposition
of student information by vendor at the end of the agreement
o.
Vendor
agrees to do X, if in violation of a law provision (damages).
2.
Why did
MCPS enter into agreements with Google that failed to include a strong privacy
policy that prohibits it from creating user profiles about students?
3.
Why is
our students’ personal digital data governed by Google’s weak Consumer Privacy
Policy that allows for data mining and behavioral advertising?
4.
Does MCPS
conduct an inventory of the online educational services currently being used
within our school/district? If so, does MCPS evaluate which services are most
effective and is that information communicated to parents?
5.
Does MCPS
have policies and procedures to evaluate and approve proposed online
educational services? How does this
apply to teachers/staff that click ‘I agree’ to software used in the
classroom? Does MCPS train the
teachers/staff to meet their standard internal controls when entering into an
agreement with a website vendor?
6.
What are
MCPS’ measurable Chromebook success goals in three years? Five years?
Following my meeting
with Collette, I will post any answers we receive. Please read on to get involved in the
solution at your school.
Information you can take to your Principal and
Other Concerned Parents that desire to take
action within their schools:
According to
estimates provided by the Software and Information Industry Association, a U.S.-based software and information trade
association, the market for education software for pre-K through 12thgrade students was approximately $8 billion in the
2011-12 school year, up $500 million from only two years prior.
Why the growth?
If you think the companies are all interested in the
education of our students…I have a bridge to sell you. It is about access and collection of very valuable data that they
will monetize over the life of that child (even if they do not have Facebook, Instagram,
Snapchat, or Twitter, etc…).
With substantial rise in schools’ use of online educational
technology products that monitor students’ progress and learning habits through
the collection of data by third-party cloud computing service providers, it is
critical that the School District protect the collection, misappropriation or
misuse of sensitive personal information.
The
School District will often state that all their third party educational
technology vendors abide by two Federal Laws that protect the personal privacy
of our children, FERPA and COPPA….but they conveniently leave out that FERPA is
four decades old and DOES NOT HOLD THIRD
PARTY VENDORS (only to the school district) legally accountable and COPPA only
protects children under 13 years of age.
Who has tackled this
issue?
Schools
have always kept records on students but today third party vendors are being
entrusted to store voluminous amounts of data in the cloud. Information such
as: individual progress, grades, discipline history, test scores,
attendance records, behavioral issues, special education development,
demographic data, medical history, academic performance may be collected and
utilized by vendors for non-educational purposes.
Other
data points such as race, religion, sexual orientation, etc… may also be
inferred by your children’s school digital activity and this information may be
tagged to your children forever and utilized in ways never before imagined.
Why is this an issue?
This information in the wrong hand will harm your child for
his/her entire life. It may be:
a.
leaked, exposed by
hackers, to the world,
b.
sold to advertisers by
the private companies hired by the schools themselves,
c.
sold to health
insurance companies to determine coverage and premiums,
d.
sold to potential
employers,
e.
sold to potential colleges
or graduate school admission offices
Is MCPS alone in not
protecting your child’s personal and private information?
No. In a December 2013
report entitled Privacy
and Cloud Computing in Public Schools, Fordham Law
School’s Center on Law and Information Privacy surveyed twenty school districts
across the country and uncovered the following:
·
95% of the school
districts surveyed rely on cloud computing for multiple functions, including
monitoring student performance, providing support for classroom activities,
data hosting and student guidance.
·
Only 25% of the school
districts inform parents of their use of cloud services.
·
20% of school
districts do not have policies governing the use of their online services.
·
Only 25% of the
contracts between the school districts and cloud service providers give schools
the right to audit and inspect the service provider’s practices with respect to
the student data collected.
·
Fewer than 7% of the
contracts between the school districts and cloud service providers restrict the
sale or marketing of student information by vendors.
·
Only one contract required
the cloud service provider to notify the school district in the event of a data
security breach.
While the Student Privacy Pledge is a positive
development, it was drafted by 2 interest groups who are funded by some educational
technology vendors who want to utilize our children’s personal student data for
profit. The Pledge is voluntary and
appears to have been created to help stave off stricter regulations that would better
protect our students from companies that may harm the personal privacy and
safety of our children for corporate profit.
Last year, Montgomery County’s House of
Delegates member Ann Kaiser introduced student data privacy protection
legislation in Maryland and Google led the charge to kill the bill. According
to Politico, Google has spent hundreds of thousands of dollars on lobbyists
across the country to ensure that stronger privacy legislation to protect our
children and consumers is not enacted.
Now that the MCPS Board is weighing whether
Starr will continue as Superintendent will the Board also now perform the due diligence
needed to ensure that its students’ personal privacy is properly protected by
its technology provider?
Thank
you for making a difference in your school by taking action on this important
issue.