Parents Need To Roll Out a Technology Plan In their School - Starr Forgot To!

Our Students cannot afford to wait for Montgomery County Public School’s leaders to take action in protecting our children’s personal digital privacy. It is up to parents, like you, to develop a plan in their school, reach out to state lawmakers to support stronger student privacy laws and to speak out publicly on this important issue.

With Superintendent Joshua Starr’s reappointment process in the news, I want to provide some updates on the technology in the classroom initiative he is touting as one of his ‘great accomplishments’ during his four-year tenure.  My focus has been about the lack of the initiative’s strategic plan, the lack of measurable goals, and the troubling lack of student privacy protections  in the Google Apps For Education and Chromebook agreements.

Although no answers have been provided by Starr and his team, to date, the State of Maryland and Parents have made some positive inroads where MCPS failed us:  

1.      State lawmakers introduced in 2014 and may do so again in 2015 legislation that protects the personal digital privacy of our students. and

2.      Piney Branch Elementary School (PBES, Takoma Park, MD) has put together a parent/teacher/principal working group to develop safeguards, code of usage, and best practices that we hope will be a model for other schools in the district to adapt. (I am part of this group)

If you desire to get a working group started in your school, please start meeting with your Principal.  

While we hired Joshua Starr to protect our students, he not only FAILED to protect our children’s personal information, but invited (and paid) companies to freely take and use any personal information they find on our children.

We, at PBES are meeting with MCPS’s CTO, Sherwin Collette in February and asking the following questions (which Starr has refused to answer, Collette has failed to address, to date, and MCPS’ Google agreements fail to incorporate):

1.      When will MCPS’ agreements with third party vendors such as Google :

a.       Require that student data collected may not be used for non-educational purposes..

b.      Require that school vendors delete personally identifiable information about students and their families upon request from parents or legal guardians

c.       Require that vendors be fully transparent about their digital collection practices, privacy policies and practices

d.      Require that third party vendors be held legally and financially responsible in the event of a data breach

e.       Require minimum security controls that must be met

f.       Permit a security audit by MCPS

g.      Detail what specific information can and cannot be collected (e.g., metadata, forms, logs, cooking, tracking pixels, etc…)

h.      Define the specific purposes for which the vendor may use student information and bind the provider to only those approved uses

i.        Specify with whom the vendor may share student information

j.        Include data archival and destruction requirements to ensure metadata is no longer residing on the vendor’s systems after the contract expires

k.      Define what disclosure avoidance procedures must be performed to de-identify student information before the vendor may retain it, share it, use it

l.        A parent portal to obtain access to the data collected by provider

m.    A process of modifying the terms of the agreement if new laws are enacted during the term of the agreement.

n.      Disposition of student information by vendor at the end of the agreement

o.      Vendor agrees to do X, if in violation of a law provision (damages).

2.      Why did MCPS enter into agreements with Google that failed to include a strong privacy policy that prohibits it from creating user profiles about students?

3.      Why is our students’ personal digital data governed by Google’s weak Consumer Privacy Policy that allows for data mining and behavioral advertising?

4.      Does MCPS conduct an inventory of the online educational services currently being used within our school/district? If so, does MCPS evaluate which services are most effective and is that information communicated to parents?

5.      Does MCPS have policies and procedures to evaluate and approve proposed online educational services?  How does this apply to teachers/staff that click ‘I agree’ to software used in the classroom?  Does MCPS train the teachers/staff to meet their standard internal controls when entering into an agreement with a website vendor?

6.      What are MCPS’ measurable Chromebook success goals in three years? Five years?

Following my meeting with Collette, I will post any answers we receive.  Please read on to get involved in the solution at your school.

Information you can take to your Principal and

Other Concerned Parents that desire to take action within their schools:

According to estimates provided by the Software and Information Industry Association, a U.S.-based software and information trade association, the market for education software for pre-K through 12^thgrade students was approximately $8 billion in the 2011-12 school year, up $500 million from only two years prior. 

Why the growth?

If you think the companies are all interested in the education of our students…I have a bridge to sell you. It is about access and collection of very valuable data that they will monetize over the life of that child (even if they do not have Facebook, Instagram, Snapchat, or Twitter, etc…).

With substantial rise in schools’ use of online educational technology products that monitor students’ progress and learning habits through the collection of data by third-party cloud computing service providers, it is critical that the School District protect the collection, misappropriation or misuse of sensitive personal information.

The School District will often state that all their third party educational technology vendors abide by two Federal Laws that protect the personal privacy of our children, FERPA and COPPA….but they conveniently leave out that FERPA is four decades old and DOES NOT HOLD  THIRD PARTY VENDORS (only to the school district) legally accountable and COPPA only protects children under 13 years of age.

Who has tackled this issue?

California recently  enacted  Senate Bill 1177/SOPIPA which helps better protect the personal digital privacy of students. California’s Senate Bill 1177 was mentioned by President Obama during his historic speech at the FTC earlier this year as the model for his forthcoming Student Digital Privacy Act proposal.   What kind of personal data do some school vendors collect about our children?

Schools have always kept records on students but today third party vendors are being entrusted to store voluminous amounts of data in the cloud. Information such as: individual progress, grades, discipline  history, test scores, attendance records, behavioral issues, special education development, demographic data, medical history, academic performance may be collected and utilized by vendors for non-educational purposes.

Other data points such as race, religion, sexual orientation, etc… may also be inferred by your children’s school digital activity and this information may be tagged to your children forever and utilized in ways never before imagined.

Why is this an issue?

This information in the wrong hand will harm your child for his/her entire life.  It may be:

a.       leaked, exposed by hackers, to the world,

b.      sold to advertisers by the private companies hired by the schools themselves,

c.       sold to health insurance companies to determine coverage and premiums,

d.      sold to potential employers,

e.       sold to potential colleges or graduate school admission offices

Is MCPS alone in not protecting your child’s personal and private information?

No.  In a December 2013 report entitled Privacy and Cloud Computing in Public Schools, Fordham Law School’s Center on Law and Information Privacy surveyed twenty school districts across the country and uncovered the following:

·         95% of the school districts surveyed rely on cloud computing for multiple functions, including monitoring student performance, providing support for classroom activities, data hosting and student guidance.

·         Only 25% of the school districts inform parents of their use of cloud services.

·         20% of school districts do not have policies governing the use of their online services.

·         Only 25% of the contracts between the school districts and cloud service providers give schools the right to audit and inspect the service provider’s practices with respect to the student data collected.

·         Fewer than 7% of the contracts between the school districts and cloud service providers restrict the sale or marketing of student information by vendors.

·         Only one contract required the cloud service provider to notify the school district in the event of a data security breach.

The company that MCPS chose to entrust our children’s personal information:  Google was caught last year scanning its student Google Apps For Education emails for advertising purposes.  After California’s ground breaking student privacy law was recently enacted, Google refused to clafiry whether it was creating student user profiles through its Google Apps For Education or Chromebook platforms.  Google initially refused to sign the weak industry created Student Privacy Pledge and only joined the initiative after President Obama threatened to call the company out for its troubling student privacy practices. 

While the Student Privacy Pledge is a positive development, it was drafted by 2 interest groups who are funded by some educational technology vendors who want to utilize our children’s personal student data for profit.  The Pledge is voluntary and appears to have been created to help stave off stricter regulations that would better protect our students from companies that may harm the personal privacy and safety of our children for corporate profit.    

MCPS’ has entrusted our children’s most personal information to Google.  A company that has been caught intentionally misrepresenting its privacy practices multiple times.  In 2012, Google paid a $22.5 million dollar record FTC fine for misleading users about its privacy practices regarding the scandal known as the Apple “Safari Hack”.  In 2013, Google paid more than $17 million dollars in fines to multiple states for the same troubling privacy violations and another $7 million dollars in fines for collecting private personal and business data during its Street View Project.   

Last year, Montgomery County’s House of Delegates member Ann Kaiser introduced student data privacy protection legislation in Maryland and Google led the charge to kill the bill.  According to Politico, Google has spent hundreds of thousands of dollars on lobbyists across the country to ensure that stronger privacy legislation to protect our children and consumers is not enacted.   

Now that the MCPS Board is weighing whether Starr will continue as Superintendent will the Board also now perform the due diligence needed to ensure that its students’ personal privacy is properly protected by its technology provider? 

Thank you for making a difference in your school by taking action on this important issue.