This weekend, the New York Times published a story mentioning the Obama administration’s focus on online privacy and security. As part of their initiative… the administration intends to introduce and pass legislation about breach notification and student data security.
From the NYT:
“The president will also propose the Student Data Privacy Act, which would prohibit technology firms from profiting from information collected in schools as teachers adopt tablets, online services and Internet-connected software, officials said. And he will announce voluntary agreements by companies to safeguard home energy data and to provide easy access to credit scores as an “early warning system” for identity theft.”
The story mentions that this a reaction to the industry’s attempt to self-regulate with a privacy pledge this past October, and that the legislation which will be similar to California’s SOPIPA, which prohibits targeting students with online marketing and advertising, selling student information, profiling students based on data collected, and requiring companies to put security measures in place to protect student data. (While security measures are required to protect student data, SOPIPA set no bare minimum security standards for education technology companies, and did not require companies to disclose their security measures to users.)
Over the past few months, bits of legislation and privacy pledges have been drafted across the country to protect student data, but they continue to only address small part of the threat model facing student privacy— the edtech industry handing over data for profit to advertisers and marketers. It’s all well and good that we’ve agreed politely among ourselves how to handle student data…but is anyone involved in any of these policy initiatives actually going look around and pay attention to the true state of security and privacy on the web this year this year? At all? Will anyone, anywhere in the course of these discussions about privacy sit down and try to construct a threat model or think critically about the technical means we use to provide security (and thereby privacy) to student data? Will anyone pay attention when Target, Sony, Home Depot, Kickstarter, Yahoo, and so many other major companies were getting hacked? Will anyone question should be done about data brokers preying on students, especially those who employ shady tactics to collect every piece of information they can for profit? Laws can fine and sue and regulate companies left and right, but of what use will they be when institutions and individuals outside of your borders and your jurisdiction steals student data and identifying information, what then? Companies that spend millions and millions of dollars a year have fallen victim to breaches and will continue to do so for some time to come— without a single dime of funding put towards information security awareness, what real chance at privacy does any student going through the education system really have?
At the end of the day, the average school is *just* as secure as Sony. Your the average student’s data is just as secure as all of those emails and all of the corporate documents that journalists have been pouring over and that the media has been leaking information about, and this legislation does nothing to change that. Remember the laughter and mockery of Sony employees who stored passwords and account credentials in spreadsheets? And remember how this information was clearly labelled shared this information via insecure channels like emails? Newsflash: Sony actually had employees focused on security, and their security was awful. Educators and administrators holding the keys to student records do these things too— thousands of passwords can be unearthed just through Googling the right set of keywords and parameters— and they don’t have a single person tasked with keeping data private and secure. If that isn’t bad enough, keep in mind that most schools are more focused on filtering web traffic than building secure networks, that most filtering software breaks the encryption that ensures end-user privacy (literally removing the “S” from “HTTPS”), and that the vast majority of educators have never received privacy training or thought critically about the security and privacy practices they employ in the classroom and model for students. Oh, and don’t forget— somewhere between 25%-40% of universities ever bother encrypting student data.
(Let’s keep in mind, too, that that the vast majority of developers in education technology still have not implemented secure development practices or used HTTPS/HSTS protocols to encrypt web traffic for their users. Most education technology companies are 3-5 years behind consumer technology (if not more) in their security practices, and have never undergone a 3rd party security audit or created a vulnerability disclosure policy or processes. Additionally, the vast majority education technology companies are not transparent about their security practices and policies, and they don’t employ intrusion detection systems to monitor for security breaches. )
While it’s nice to have delusions that “no one cares about student homework” and to say “no one’s going to hack a school!” and “advertisers + marketers are the only evil we face!” there are many, many instances in which schools have been hacked and privacy has been breached in ways that have nothing to do with advertising and marketing. By failing to create bare minimum industry standards for security, this legislation absolutely does not go far enough whatsoever to protect student data and ensure student privacy. Education technology companies and advertisers can’t profit from student data— but what’s stopping someone with malicious intent from gaining access to student records and sensitive information? We’ve long seen credit card numbers for sale in online black markets, and health records are worth as much as $500 in cybercrime forums. How long until we see student identities and student records up for sale and nefarious use there too?
Security is the thing that we do to give people privacy. But hey, nevermind that security thing… nope, we don’t need it in education. Let’s just continue (for another year) to ignore the reality of the web— that everything’s vulnerable to breach, breaches are a “when” not an “if” situation— and while we’re at it, let’s not set any rules that will actually protect student data from the run-of-the-mill hacking that goes on out there. Let’s not ask companies and schools to encrypt their data at rest and in transit, let’s not create an industry standard of zero-knowledge systems, let’s not set a stringent group of security standards for education technology to meet and make those rules part of the cost of doing business. Nope, now that we’ve protected students from advertisers and marketers, we’re all done here.
*(I’ve been meaning to write a post about the *two* education technology companies that I know of who are transparent about their security, and the policies and technologies they enact to protect student data. Two. TWO. Thats all, that’s it. Out of thousands of companies and billions of venture capital investment, two. Great job, edtech, you’re really on it with the security.)