Kyle Rankin

Chief Security Officer
PGP ID: 0xB9EF770D6EFE360F
Fingerprint: 0DFE 2A03 7FEF B6BF C56F 73C5 B9EF 770D 6EFE 360F
It’s back to school time and with so many school districts participating in distance learning, many if not most are relying on computers and technology more than ever before. Wealthier school districts are providing their students with laptops or tablets, but not all schools can afford to provide each student with a computer which means that this summer parents are scrambling to find a device for their child to use for school.

Geoffrey Fowler wrote a guide in the Washington Post recently to aid parents in sourcing a computer or tablet for school. Given how rough kids can be with their things, many people are unlikely to give their child an expensive, premium laptop. The guide mostly focuses on incredibly low-cost, almost-disposable computers, so you won’t find a computer in the list that has what I consider a critical feature for privacy in the age of video conferencing: hardware kill switches. Often a guide like this would center on Chromebooks, as Google has invested a lot of resources to get low-cost Chromebooks into schools, yet I found Mr. Fowler’s guide particularly interesting because of his opinion on Chromebooks in education:

But I’ll be blunt: I don’t love Chromebooks, because Google is increasingly more interested in harvesting our data than in helping us. In February, New Mexico’s attorney general sued Google for child privacy violations. (Tip: Be sure your kid is using his or her school-supplied address to log in to theirs because Google isn’t allowed to track them as much with that account.)

Traditionally tech companies have provided schools with technology both for altruistic reasons and so that students learn their technology while they are young, in the hopes that brand recognition will continue into adulthood. More recently there has been an even more powerful motivation: harvesting student data for marketing purposes. This is a major revenue source for companies and helps them sell hardware and software at steeper discounts, as the product gets subsidized by years of student data.

The Washington Post article links to a few articles that highlight the privacy risks with Google in particular and provides a good tip [emphasis mine]: “Be sure your kid is using his or her school-supplied address to log in to theirs because Google isn’t allowed to track them as much with that account.” The author is referencing privacy laws that attempt to restrict how tech companies can capture and sell student data. Unfortunately there are massive loopholes in these laws, and in this article I will highlight a few based on California Education Code 49073.1, because California is at the forefront of privacy legislation in the US and one would expect its legislation to be among the strictest.

Loophole 1: “Pupil Records”

The first loophole has to do with dividing student data into two different categories, each with a different level of restriction. When you read through the privacy legislation, you will see what appear to be strong privacy controls that protect student data:

(1) A statement that pupil records continue to be the property of and under the control of the local educational agency.

(3) A prohibition against the third party using any information in the pupil record for any purpose other than those required or specifically permitted by the contract.

(9) A prohibition against the third party using personally identifiable information in pupil records to engage in targeted advertising.

But upon a closer look you will notice that these protections only apply to a very specific type of student data classified as pupil records. This is defined as:

(i) Any information directly related to a pupil that is maintained by the local educational agency.

(ii) Any information acquired directly from the pupil through the use of instructional software or applications assigned to the pupil by a teacher or other local educational agency employee.

At first glance this seems very comprehensive, at least until you read the next section which defines what information does not qualify as “pupil records” according to the law:

(i) Deidentified information, including aggregated deidentified information, used by the third party to improve educational products, for adaptive learning purposes, and for customizing pupil learning.

(ii) Deidentified information, including aggregated deidentified information, used to demonstrate the effectiveness of the operator’s products in the marketing of those products.

(iii) Deidentified information, including aggregated deidentified information, used for the development and improvement of educational sites, services, or applications.

So the above protections only apply to a small subset of data that explicitly identifies a particular student. What does this mean in practice? That Google can capture all of a student’s web browsing data and all of their activity on the computer, and beyond that, they can use this data in targeted advertising and profit from it as long as they “deidentify” it.

There is incredible value in this data even if it isn’t explicitly linked to a student, because it provides behavioral data on a demographic (children) that is otherwise difficult (and in some cases illegal) to capture. Many parents would be upset to learn that Hasbro (hypothetically) provided free or heavily discounted educational products to schools in exchange for the ability to go on school campuses, put children into focus groups, and conduct market research for new toys under development. Yet schools give tech companies this exact privilege today, in exchange for cheap computers and software.

Loophole 2: Restrictions Limited to School Services

When a school enters a contract with a tech company, the restrictions in the privacy law only apply to the services that company is directly providing the school. As an example, if a school signs a contract with Google to use Chromebooks and Google G Suite for Education, the data privacy restrictions would apply to that suite of cloud tools, including docs, email and the other parts of G Suite. The restrictions would not apply to the other properties that Google owns, such as YouTube. So if a student uses their school-provided Chromebook to visit YouTube, whether for a class assignment or outside of school hours, Google is free to capture and use that data without restriction.

Loophole 3: Account Transfers

So it’s clear that tech companies are allowed to capture and use student data in advertising as long as it’s deidentified, but what about pupil records? It turns out there is a large loophole for those as well, one that’s triggered when a student is no longer in school. It starts with the reasonable requirement that a student be able to keep their school projects when they are no longer in school:

(2) Notwithstanding paragraph (1), a description of the means by which pupils may retain possession and control of their own pupil-generated content, if applicable, including options by which a pupil may transfer pupil-generated content to a personal account.

There is even a requirement that tech companies get rid of pupil records when they are no longer in school:

(7) (A) A certification that a pupil’s records shall not be retained or available to the third party upon completion of the terms of the contract and a description of how that certification will be enforced.

Immediately after that paragraph is the loophole:

(B) The requirements provided in subparagraph (A) shall not apply to pupil-generated content if the pupil chooses to establish or maintain an account with the third party for the purpose of storing that content pursuant to paragraph (2).

Remember the tip from the Washington Post article: “Be sure your kid is using his or her school-supplied address to log in to theirs because Google isn’t allowed to track them as much with that account.” If a student graduates and wants to keep essays, pictures, or other school work they can transfer it from their school Google account to a personal Google account. The moment they do that, all protections are gone and Google can use that data how they please. Equally important, those two accounts would then be linked, and there is nothing in the law to prevent Google from migrating years of “deidentified” data including web browsing history and other data to the personal account and “reidentifying” it.

Protecting Student Privacy

Schools are at a disadvantage this summer when it comes to the leverage they would need to push for more privacy protections for students, given the short timelines and the requirements they face in many cases to provide all students with the ability to participate in distance learning. Yet if they have a choice in their vendors, picking one that doesn’t have a financial interest in capturing student data would be a great start.

Beyond that, most remedies will have to come in the form of legislation. The above loopholes could be closed by putting tight restrictions on what companies can do with “deidentified” data, including explicitly prohibiting them from using this data for targeted advertising. Incentives matter, so if you want companies to stop collecting this data you must remove the financial incentive. There should also be an explicit requirement that the company delete all data it has collected on the student once they cancel their school account, except for any specific documents the student wants to transfer.

If you are a parent who cares about privacy and is concerned with the amount of personal data school-provided computers are capturing, you can also invest in Purism products and have peace of mind that your child’s data is protected while they access school services over the web, and that they aren’t being watched through their webcams when the school day is done.
