April 24, 2014

Privacy and Cloud Computing in Public Schools

As reported today by the New York Times here, we are releasing our research study this morning on “Privacy and Cloud Computing in Public Schools.”  Districts across the country are widely and rapidly adopting cloud services to fulfill educational objectives and take advantage of opportunities for cost savings and 24/7 services.  Disturbingly, privacy protection for the children’s data is essentially lost in the cloud.

Our study looked at all the cloud computing contracts, district policies and parent notices from a national sample of school districts.  We focused on K-12 public schools and examined how school districts addressed privacy when they transferred student information to cloud computing service providers.

The key findings are:

  • 95% of districts rely on cloud services for a diverse range of functions including data mining related to student performance, support for classroom activities, student guidance, data hosting, as well as special services such as cafeteria payments and transportation planning.
  • Vendor agreements often preclude districts from complying with statutory legal obligations under the Family Educational Rights and Privacy Act (FERPA), and the Protection of Pupil Rights Amendment as well as the privacy expectations of school communities.
  • Cloud services are poorly understood, non-transparent, and weakly governed: only 25% of districts inform parents of their use of cloud services, 20% of districts fail to have policies governing the use of online services, and a sizeable plurality of districts have rampant gaps in their contract documentation, including missing privacy policies.
  • Districts frequently surrender control of student information when using cloud services:  fewer than 25% of the agreements specify the purpose for disclosures of student information, fewer than 7% of the contracts restrict the sale or marketing of student information by vendors, and many agreements allow vendors to change the terms without notice.  FERPA, however, generally requires districts to have direct control of student information when disclosed to third-party service providers.
  • An overwhelming majority of cloud service contracts do not address parental notice, consent, or access to student information.  Some services even require parents to activate accounts and, in the process, consent to privacy policies that may contradict those in the district’s agreement with the vendor.  FERPA, PPRA and COPPA, however, contain requirements related to parental notice, consent, and access to student information.
  • School district cloud service agreements generally do not provide for data security and even allow vendors to retain student information in perpetuity with alarming frequency.  Yet, basic norms of information privacy require data security.

In the study, we propose a set of recommendations for school districts and vendors to address the documented deficiencies in privacy protection.  The recommendations call on districts to take specific steps for transparency and data governance and call on vendors as well as districts to reform their contractual terms to include specific, identified provisions protecting student data.

Comments

  1. paul says:

    Oops. You can blame the school districts, but on the other hand, any company offering a contract the acceptance of which they should reasonably know to be unlawful is probably not in a good situation either.

    So *can* cloud-based solutions comply with the law?

    • Joel Reidenberg says:

      “any company offering a contract the acceptance of which they should reasonably know to be unlawful is probably not in a good situation either.”

      Since many of the cloud arrangements are not covered by federal law (e.g. a school that outsources classroom functions like a dropbox for homework assignments), there is nothing illegal about the school surrendering student privacy – often unknowingly. As for the companies, they may not actually be doing anything bad with the student data now – we don’t know and neither do the schools – but those companies are writing contracts that give them broad legal rights for any future data practices they may wish to monetize.

  2. Greg says:

    Everything about data-in-the-cloud is bad. Pie-in-the-sky researchers and academics that propose laws to govern the cloud as a solution to privacy problems are missing the point. Humanity at its core will do wrong regardless of laws if it benefits the self, that’s why prisons are full of criminals and that’s why everything about data in the cloud points to future dystopia for humankind. It is inevitable unless we stop this insanity of giving up all privacy to save money. So very shortsighted indeed.

  3. Roger says:

    Why hasn’t anyone extended this question to the NSA data-gathering and the impact on their own and other children? Consider the scenario where Common Core Standards (W.7.1 for example) require that students write an opposing view essay, and where the topic is anything concerning U.S. history or U.S. foreign policy or actions. Then in turn, all the text of that essay, as we now know, is swept up and made part of every student’s permanent “national security” data record and processed by algorithms that may flag the student and/or their family for questioning or even detention at the border when coming home from a trip from a vacation in a foreign country. When the kids are at home writing to their friends, at least they initiated what they wrote. We are now in a position where advocating technology in the classroom, signing up all the kids for a Gmail account, and then requiring them to write essays that are “graded” by someone other than their teacher is no longer hypothetical or imaginary. When will we see a public discussion of that??

    • Joel Reidenberg says:

      You raise an excellent and very worrisome point. The school contracts (what we studied) cannot protect their children’s data against the NSA or other law enforcement access. If the NSA serves a cloud service provider with an “NSA letter” or a court orders a provider to give up children’s data, the families and schools may never know.

      • paul says:

        This seems to me to be in some ways a good thing. Not because punitive surveillance and random detention are good, but rather because making them widespread and more randomly applied may lead to regulation much sooner than the current situation, where only members of marginal groups get subjected to continual observation and harassment. If the sons and daughters of people who are on first-name terms with their legislators are even within an order of magnitude as likely to be randomly detained as the sons and daughters of cabdrivers or secretaries, policy is more likely to change.