2 words about student data privacy: Snowden, Target

The national Education Writers Association sponsored a webinar this afternoon, hosted by Education Week’s Benjamin Herold and entitled “Student Privacy: Lost in the Cloud?”

The three expert panelists addressed issues surrounding the massive movement now taking place in schools across the country of outsourcing one form or another of student data storage in the cloud. One panelist, Professor Joel Reidenberg of Fordham University’s law school, estimated that at this time, 95 percent of US public school districts store some student data in the cloud. His estimate was based on a recent study in which he obtained public records and contracts between school districts and cloud computing vendors in several large, medium, and small districts.

There’s a gorilla or other primate in the student privacy room.

This is my way of saying, if you’re wondering whether student data will be stored in the cloud one day, stop holding your breath. It’s already happening in almost every public school in America. Districts may store attendance data, student grades, and any number of other data points about their students. The upside is, parents can get round-the-clock access to information about their sons and daughters; the downside is that data is on the Internet.

Mr Reidenberg was joined on the panel by Aimee Guidera, who founded the Data Quality Campaign more than 10 years ago and now serves as the organization’s executive director; and by Jim Shelton, the US acting deputy secretary of education.

The consensus among all three panelists was that privacy concerns being raised in our schools, by parents and others, are real and need to be addressed, or the country will lose faith in the technology that’s already changing how information about our students is maintained and used.

We’ll be running a series of reports about the webinar after we’ve had sufficient time to collect and analyze some of the research brought to the webinar and look for some research on our own part. But what I wanted to address in this initial post is an idea that nobody addressed—except for Ms Guidera, who touched it only tangentially—but which, I believe, has everybody sweating about putting sensitive data on the Internet.

Mr Shelton agreed with Mr Reidenberg that our laws, especially FERPA, are inadequate in dealing with new technology. And by “new,” I mean, in the last 20 years. Furthermore, contracts between school districts and vendors are also inadequate in many cases, and what’s worse: Parents in the school districts often have no idea what the terms of these contracts are.

So, besides educating parents about what questions they need to ask about the data being stored, how it’s used, and how they might opt out of providing some data, we need to take the conversation to a place that these three panelists were unable to acknowledge. See, the entire webinar was spent on how our laws need to be updated to allow us to take advantage of cloud computing with great responsibility. What no one mentioned was that criminals don’t care about the laws.

The National Security Agency must be—or at least, it should be—one of the most secure sites in the world. Yet one man, who thought he was blowing the whistle on unconstitutional activities by US government officials and got a few federal judges and major newspapers to agree with that point, exposed volumes of sensitive data and may be sitting on the really juicy stuff. Our credit card payment systems, used by one of the nation’s top retail giants, must be—or at least, should be—some of the most secure systems in the world. Yet one group of criminals, with full malice, got the data from 40 110 million credit cards and put it up for sale on the black market.

Now, let’s turn to the education field. This is a profession inhabited by people who are accustomed to being the smartest in the room and to being responsible for giving definitive answers. (They often work with young children, and they really do know more than their students.) It’s also a profession riddled by opinions on every side of every issue. Our teachers are a microcosm of America, and America is split right down the middle on several important issues, even beyond the Obama-haters and the creationists.

All it takes, apparently, if Edward Snowden and Target teach us anything at all, is one person or group who wants to take down a system. There seems to be no data system that can’t be cracked if someone has sufficient motivation, and that’s what worries me. There are people who absolutely loathe inBloom and the collection of sensitive data about our students. What if one of them is rich and can buy a few hackers from Romania or Albania or even the Massachusetts Institute of Technology (as long as the work was done from a foreign land)? What if? Do you honestly believe that data could be kept secure?

If you think that, think again. As recently as Tuesday of this week—yes, Jan 7, 2014—after years of reassurances about student data being secure, school officials allowed student data to be accessed without a password in Loudoun County, Va. According to school officials, the investigation is continuing. The exposed data had 1,286 links to personal information from 84 Loudoun schools. It’s not known how long the information was exposed or how many links were opened by unauthorized individuals. The breach was caused by district employees who were testing the computers late last year but weren’t adequately trained in security measures, an act that appears to have been accidental, not even criminal.

One mitigating factor is that organizations like inBloom, along with other cloud computing vendors who are seeking to do business with our schools, will make a tremendous profit. The K-12 software industry is estimated to be worth about $8 billion annually, according to one New York Times story. This profit on the part of vendors, not the schools or the students, will motivate vendors and equip them with great resources, provided they have appropriate expenditure levels, to keep the data secure. After all, if the data gets leaked, there would be irreparable harm to these businesses.

But that’s the paradox. Causing great, irreparable harm to cloud computing providers would suit those who loathe these businesses just fine, provided they were willing to risk a few criminal or civil charges. If they have to spend the rest of their lives in exile in Russia, they might even consider themselves a hero. Do you honestly not believe that if the New York Times can write an editorial declaring Mr Snowden a whistle-blower and not a traitor that similar editorials would be written about anybody who exposed a security hole in a cloud-based school data system or discovered Big Brother tracking students inappropriately?

I would have asked this question at the webinar, but I doubt it would have been read. First, priority was given to journalists working for print publications, and second, time was very short. Anyway, the main subject was about our current laws and how inadequate they are at safeguarding the privacy of our youngest citizens, a topic I will cover in the next few reports about the webinar. But I wanted to get this idea out of the way before I took a look at the webinar content itself.

About the Author

Paul Katula
Paul Katula is the executive editor of the Voxitatis Research Foundation, which publishes this blog. For more biographical information, see the About page.