Our paper, entitled “Uncovering Privacy and Security Challenges In K-12 Schools,” will be presented at the ACM Conference on Human Factors in Computing Systems (CHI) in April. Below is a summary of our findings.
TLDR: What does privacy look like for K-12 students in US public school districts? We know that many districts use educational technologies, like Zoom and Schoology, to help their students learn. We found that these technologies could be sending sensitive information about students to advertisers, such as Facebook. Additionally, after talking with school officials and IT personnel in 11 different school districts, we found that many districts don’t take security and privacy into consideration or don’t have the resources to deal with such issues.
What did we do?
K-12 students in public schools are exposed to a plethora of educational technologies (EdTech) in a typical school week. These digital tools can provide a range of benefits for students. For example, some of these tools, like Schoology, allow teachers to provide students with online educational content. Other tools, like myHomework, help students manage homework assignments and project deadlines. However, they also bring new privacy and security challenges that can have serious real-world consequences, such as increased monitoring and tracking of students. As a result, we conducted research into the ways that educational technologies are introduced into schools and the specific privacy risks they pose for students.
How did we do it?
First, we interviewed 18 stakeholders who were either school officials – think superintendents and principals – or IT personnel. We wanted to understand what educational technologies school districts use and how they manage student privacy and security around these technologies.
Second, we compiled a list of linked educational technology websites scraped from 15,573 K-12 public schools or school district websites. We then analyzed the linked educational technology websites for privacy risks in the form of third-party trackers.
What did we find?
1. Schools experience privacy and security incidents but lack the resources to handle them.
Our paper focused on privacy incidents where student information was nonconsensually disclosed. Despite the widespread prevalence of privacy and security incidents both in our data and nationally, there is no uniform response protocol across the school districts in our study.
Some of the districts in our study didn't have any written policies in place, and only developed them after a privacy or security breach occurred as a "wake-up call." Other districts did have protocols in place, such as notifying parents of the breach or contacting law enforcement. However, none of the school districts had protocols that were robust enough to effectively safeguard student data after a breach.
2. Teachers’ goals and student data privacy are not always well aligned.
Our participants felt that many teachers aren't fully aware of the privacy risks that come with using online EdTech products. Teachers may not realize that using certain tools can result in the sharing of student data for purposes that aren't related to education.
Without a solid understanding of EdTech’s potential privacy harms, it's difficult for teachers to make informed decisions about using educational technologies. They may see a new tool that could help their students learn and want to introduce it to the classroom without considering the potential privacy trade-offs. As a result, teachers incorporate EdTech products into their classrooms to help students learn, but these EdTech products may share student data with third parties for non-educational purposes.
3. Current methods to acquire educational technologies for school districts do not fully consider privacy and security.
In K-12 public schools, a variety of stakeholders, including school officials, IT personnel, and teachers, all play a role in deciding which educational technologies are used in the classroom.
Typically, it's an IT person who is tasked with evaluating new products to ensure they meet privacy and security standards. While certain states have privacy laws in place to protect student data, many IT personnel lack the necessary time and training to thoroughly vet every new educational technology that comes their way. Instead, they rely on heuristics like peer recommendation or vendor reputation as a proxy.
As a result, some school districts have relaxed EdTech vetting processes that could leave student data vulnerable to privacy and security risks, while others have developed (comparatively) more meticulous vetting procedures, often motivated by state student privacy legislation.
4. School-run websites tacitly endorse many websites with potential privacy issues.
Many school websites provide links to – i.e., tacitly endorse – external educational technology websites. However, we discovered that some of these linked websites may pose privacy risks.
For example, 26.5% of linked educational technology vendor websites have non-essential information gathering mechanisms like the Meta Pixel. The Meta Pixel could potentially be used to collect information about students and track them across the web while they are completing their school work.
While we are currently conducting more research to confirm this, our suspicions are not unfounded. Other researchers have found that the Meta Pixel, embedded on the FAFSA page, sent personally identifying information about students applying for the FAFSA to Meta.
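A district IT team can check a linked site for this kind of tracker by listing the third-party hosts its pages load and looking for the Meta Pixel loader or beacon. The sketch below is an added example, not the paper's measurement pipeline; the sample page, the `.example` hosts and the pixel ID placeholder are constructed, and the first-party comparison is a simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (not real data); the pixel ID is a placeholder.
SAMPLE_URL = "https://www.edtech.example/login"
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.edtech.example/lib.js"></script>
<script>!function(f,b,e,v){/* loader body omitted */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init','PIXEL_ID_PLACEHOLDER');fbq('track','PageView');</script>
<noscript><img src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&amp;ev=PageView"></noscript>
</head><body><img src="https://stats.analytics.example/p.gif"></body></html>"""

class ResourceCollector(HTMLParser):
    """Collects URLs a browser would fetch, plus inline script text."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.urls, self.inline = base_url, [], []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.urls.append(urljoin(self.base_url, attrs["src"]))
        self._in_script = tag == "script" and not attrs.get("src")
    def handle_endtag(self, tag):
        self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def site(host):
    # Simplification: last two labels; a real audit should use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def audit_page(page_url, html):
    """Return third-party hosts referenced by the page and whether a Meta Pixel is present."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    first_party = site(urlparse(page_url).hostname)
    third_party, pixel = set(), False
    for url in collector.urls:
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if host and site(host) != first_party:
            third_party.add(host)
        if host == "connect.facebook.net" or (host, parts.path) == ("www.facebook.com", "/tr"):
            pixel = True  # loader script or <noscript> beacon
    inline = " ".join(collector.inline)
    if "connect.facebook.net" in inline and "fbq(" in inline:
        third_party.add("connect.facebook.net")  # loader injected by inline JS
        pixel = True
    return {"third_party_hosts": sorted(third_party), "meta_pixel": pixel}
```

Static HTML inspection misses trackers injected by tag managers at runtime, so a clean result here is a lower bound; a headless-browser network capture is the stronger check.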
What are the implications of this work?
Our findings suggest that the current educational technology and school district ecosystem needs to be reevaluated to ensure student data privacy and security. Specifically, we recommend three key changes.
Firstly, at the national level, school districts should develop and implement a standardized protocol for responding to privacy and security incidents to ensure equal protection for all students.
Secondly, schools should enhance their privacy and security training, along with their vetting processes; these steps will help keep EdTech products that are potentially risky to student privacy out of the classroom.
Lastly, schools should audit external websites they link to and verify that they don't pose a privacy risk to students.
Granted, these issues are not solely the responsibility of school districts. Educational technology companies must also make changes to protect student privacy. Privacy-aware design decisions, like not using the Meta Pixel in an educational product, can significantly reduce privacy risks for students and relieve the burden on schools to screen for privacy-preserving products.
Read the full paper here.