School-issued computer devices – provided to one-third of school children across the US – collect excessive amounts of highly sensitive personal data on the students without parental consent or even prior notice, a new study finds.
Electronic devices distributed in US schools collect unprecedented amounts of personal data on children as young as five years old, according to a new report by Electronic Frontier Foundation (EFF), dubbed ‘Spying on Students’ – the result of a two-year study.
The surveillance comes under the guise of “personalized education.” Roughly one-third of primary and secondary education (K-12) students have received various electronic devices. Many tech companies provide electronic devices for free or a steeply reduced fee, as they seek their share in the $8 billion education technology (ed-tech) market.
Ed-tech, however, can be described as “the world’s most data-mineable industry by far,” according to the report, as the devices use apps and software which collect highly sensitive personal information, including names, dates of birth, browsing history and location data of children. Providers of ed-tech services, however, often fail to protect sensitive data.
The researchers “investigated the 152 ed tech services reported as in use in classrooms, and found troubling trends in their privacy policies regarding lack of encryption, opaque data retention practices, and inadequate data aggregation and de-identification.” Only 118 of them had published privacy policies, while some sort of encryption was mentioned in only 46 of them, and de-identification or aggregation of user data was mentioned in 51. De-identification – the prevention of linking a person’s identity with information – was almost exclusively mentioned in connection with providing information to third parties about their services, according to the report.
The potentially dangerous devices are also often distributed without parental consent or notice. Parents sometimes do not receive any information about ed-tech until after the technology is implemented, according to the study.
“We were given no information about our first-grader receiving a device – a tablet – this year. And when we ask questions, there is little information given at every level,” the report quoted parents from Maryland as saying.
Teachers and school officials are also obliged to use the school-issued devices, often without their consent as well.
“Staff and student details – that is, full names and school email addresses – were passed to Google to create individual logins without consent from staff. I’m not sure about consent from parents,” a teacher wrote on social media, according to the report.
Parents who expressed privacy concerns were often not able to opt out of the programs, as the authorities for some reasons protected interests of ed-tech providers instead of users. For example, when a California teacher allowed a schoolgirl to use her own device instead of a school-issued device after her parents voiced concerns over her privacy, district officials intervened and prohibited such exceptions, according to the report.
“While schools are eagerly embracing digital devices and services in the classroom – and ed tech vendors are racing to meet the demand – student privacy is not receiving the attention it deserves,” the study concluded. “Meaningful improvements in student data protection will require changes in state and federal law, in school and district priorities, and in ed tech company policies and practices.”