What’s Stored in your School Google Drive Account? You Might be Surprised.

Reposted with permission from Missouri Education Watchdog.

Don't Be Evil

If you or your child have a Google account through school, you are going to want to read this.

WATCH THIS FOX 5 NEWS CLIP from Springfield, MO. They show one teacher logging into her school-issued Google Drive account, where her personal information, including 139 passwords and audio of voice-to-text messages and Siri searches, was stored, allegedly unencrypted.

While many have questioned Google’s invasion of the classroom and how Google Apps for Education (now called G-Suite) collects and uses student or teacher information, few have really gotten much in the way of answers. What is reportedly happening with Springfield, Missouri Public Schools’ use of Google Drive offers a rare glimpse into Google’s potential to collect data. School-issued student Google accounts connect to Google Drive, which can allow devices to Auto-Sync and to Auto-Save passwords, browsing history and other digital data points from numerous devices used by a single user. For students in SPS this could include digital data from non-school related accounts. This July 17, 2018 Fox 5 KRBK news story explains how one family discovered this practice and reported it to the school district.

“The Elys claim that the SPS Google Drive, given to all SPS employees and students, automatically begins to store information from any device the drive is accessed on. This includes browser history, but also personal information such as files and passwords. They add that even if you log out of the drive, it stays running and recording in the background.

After bringing their concerns forward this past May, they say that despite the evidence presented, no serious action has been taken on behalf of the district.

“They have a lot of evidence and have had it since December, and we have not heard one word from any of them,” said Dianne Ely.

With more searching, the Elys have now found even more sensitive information that’s been stored to their daughter’s Google Drive, including 139 passwords to both her and her husband’s different accounts and also voice recordings of both her and her children.

“My voice to text was being stored as well as any search my kids did, and I could say ‘sure my daughter was searching on Google,’ but my phone uses Safari. When I used my texting app on my iPhone, it recorded my voice, as well as typing out the words and saving it on my Google Drive,” said Brette Hay, the Elys’ daughter and a teacher at Pershing Middle School.

The Elys hope with this new evidence, not only will parents, employees and students take action to check what private information of their own could be stored on the drive, but that the school district will also take the appropriate steps to make their Google Drive safe.” [Emphasis added]

Parents want to know: Why is Auto-Syncing of devices and Auto-Saving of passwords allowed on any school-issued Google account?

Google changed its Google Drive syncing in September 2017. This new policy raises several questions:

  • How does this Google change affect privacy and security and access to school-issued Google Drive accounts? Does it allow cross device tracking?
  • Are students, parents, school employees (who are often required to use the school-issued Google Drive) informed that their devices could be automatically synced, and remain synced even when they log out? Are users informed of what information, including personal passwords, could be stored on their school-issued Google Drive?
  • Since district administrators can set permissions, do districts have the ability to disable the Google Auto-Sync and Auto-Save function?

Each state has consumer protection laws and state privacy laws that may prohibit the collection or reporting of individuals’ biometric information such as facial or voice recognition. There are also several federal privacy laws, highlighted below, that apply specifically to student information.

PPRA  The law requires that schools obtain written consent from parents before minor students are required to participate in any U.S. Department of Education funded survey, analysis, or evaluation that reveals information concerning the eight protected areas.

FERPA    34 CFR § 99.3 defines an education record as “The term education record means those records that are: (1) Directly related to a student; and (2) Maintained by an educational agency or institution or by a party acting for the agency or institution.  Generally, schools must have written permission from the parent or eligible student in order to release any information from a student’s education record.” However, FERPA allows schools to disclose covered information in education records, without consent, in certain situations.

The auto-syncing capability of Google Drive raises additional concerns for schools using this technology:

  • If personal devices are synced and passwords stored, and if a student’s personally identifiable information (PII) is collected, does the district’s or Google’s access to student Google Accounts meet the requirements of federal and state laws? Should the district be required to obtain informed written parental consent prior to this PII data being aggregated on the Google Drive?
  • Has covered information stored on the Google Drive ever been accessed by anyone other than the student, parent, or school official?
  • Is posting a student’s ID on each school device, and generating a uniform password for all students, in compliance with best practices and FERPA? (See Dr. Ely’s May testimony for an example of this practice.)
  • If parents feel their student’s personally identifiable information has been disclosed improperly, they can file a FERPA complaint.

COPPA  “The primary goal of COPPA is to place parents in control over what information is collected from their young children online. The Rule was designed to protect children under age 13 while accounting for the dynamic nature of the Internet. The Rule applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.”

  • If personal information of children under the age of 13, such as their browsing history or location was collected when they were online (including when they accessed non-educational websites outside of school, while not actively logged into their synced Google Drive) and if the information from this synced device was stored on the school-issued Google Drive, along with saved passwords, who has access to this information? Is informed parental consent required?
  • Can this personal information in the Google Drive ever be accessed by anyone other than the student and their parent?

HIPAA  “The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.”

While information contained in a student’s education record is generally not covered by HIPAA, it is generally covered by FERPA.  This leads to a larger set of questions when Auto-syncing devices and storing  information in a school-issued Google Drive:

  • Is a student’s personal information stored in a school-issued Google Drive considered part of a student’s education record? What if the personal information was obtained outside of school, without the student’s or parent’s knowledge?
  • Does HIPAA apply if information stored on a school-issued Google Drive is personal information about someone other than a student?
    • Is access to your family’s health record part of a student’s educational record, both FERPA and HIPAA compliant if you did not knowingly supply the information to the school?
    • Is audio of a parent discussing personal medical information considered part of a student’s education record?
    • If a relative or friend is a medical professional and you used his/her computer to log into your Google Drive, and now the device is synced, are the auto-saved passwords and medical information on this personal computer part of the student’s education record?
  • In general, is Google Drive HIPAA compliant? If passwords are exposed, do the district and Google follow the necessary steps to ensure Google HIPAA compliance?

Best Practices

In the Fox 5 news story, the School District claims that they followed best practices and there is no breach within the SPS system.  In response to these allegations, SPS stated:

“We believe that our data systems remain safe and secure. In reviewing the concerns brought forward, no data breach has been identified within the SPS system, nor are we aware of any personal information on our servers beyond the appropriate staff and student information provided to the district. We want to assure our community that SPS will always support any investigation into allegations, such as these, in order to address concerns. SPS is committed to doing all that is necessary to keep our staff and students safe and secure. This is true for both facility and cyber security. We work with third-party vendors to regularly monitor and evaluate our procedures and information systems. We implement ongoing updates to our best practices and information systems to maintain and strengthen, wherever appropriate. Our IT Department continues to review best practices in the industry, refining and enhancing district procedures on a regular basis, while also strictly adhering to the manufacturer’s terms of use for any software or other product. We know that ongoing training is essential to protecting the security of each individual and the district-at-large. Over the past three years, we have focused on new training for both staff and students regarding how to be responsible digital citizens. Because this is a personnel matter, we are limited in the details that we can provide, but we remain vigilant in our work to protect the safety and security of our systems, in the best interest of all SPS constituents. At this time, our internal and independent assessments do not indicate that there is a reason for the community to be concerned.”

Screenshot of teacher checking passwords saved on the SPS Google Drive account. The teacher has shown that if you click on the eye icon of any of these accounts, the passwords are exposed. (We redacted the email addresses and the Amazon account that shows the password has been deactivated.)

We wonder about the reported non-school related information and non-school related passwords to accounts (including accounts with personal banking information, medical accounts) that are allegedly stored unencrypted on school-issued Google Drive accounts. Would this situation comply with Missouri’s new law, HB1606, on student cybersecurity and breach reporting?

Regardless of the school district’s claim that there is no reason for concern, many people are concerned and are questioning the ethical and legal implications. Many are wondering if Google Drive Auto-Syncing and Auto-Saving is happening in other school districts across the nation. We have posted videos and links to public testimony presented at Springfield Public School Board meetings with detailed explanations from people who have experienced this firsthand, have reported it to the school district and have filed a police report. We have also posted instructions at the bottom of this blog for you to check what is in your (or your child’s) school-issued Google Drive account.

 

Public testimony of the July board meeting begins at the 4 minute mark.

 

Public testimony of the May board meeting begins at the 18 minute mark.

 

What do you think?  

If personal, non-education related information is being stored in school-issued Google Drives, would that data collection cross the line? After reading this blog and reviewing the testimony etc, let us know what you think and let us know what you find in your school Google Drive. 

(You can post a comment on this blog but please do not share your passwords or personal log-in information that would leave you open to hacking; just tell us the types of information you found in your Google Drive.)

We wonder why any school district would want the liability and security risk associated with storing personal information and allegedly unencrypted passwords to personal accounts. With cyber hacks targeting schools at an alarming rate, think of the security issues and potential for harm.

Ask your school district how their Google Drive is set up and look at the information stored in your school-issued Google Drive.

Here’s how to see what is in your school-issued Google Drive, according to May 2018 testimony provided by Dr. Ely. (It may look slightly different depending on the device you are using.)

Steps for checking your/your child’s/your grandchild’s SPS Google Drive Account

Sign-in and security (passwords and devices)

  1. Log into your account.
  2. Once in Google Drive, click on the three lines at the top left, which opens your Google Drive account info. Look all the way at the bottom and click on the round circle with your initial in it.
  3. Click on My Account.
  4. Click Sign-in & security.
  5. Scroll all the way to the bottom of the Sign-in & security page to where it says saved passwords. This is where you can see all of the passwords stored to the SPS Google Drive account. Next to each password there is an icon that might look like an eye; click on it to reveal the password.
  6. From the Sign-in & security screen you can also see which devices have been used to log into your SPS Google account and which devices have been synced with your account.
  7. You may need to click on “Manage My Activities” to see stored voice to text speech, location tracking, YouTube and search history.

 

References and related links:

May 15, 2018 Springfield Public Schools Board Meeting. Public comment starts at about 18 minutes https://www.youtube.com/watch?v=WIbjpjsKAc8

May 15, 2018 Written testimony from Dr. Norman Ely https://drive.google.com/open?id=1HKBAAvyZ39pSxASq2p6OCM-EoL9BbU2L

July 17, 2018 Springfield Public Schools Board Meeting. Public comment starts at about 4 minutes https://www.youtube.com/watch?v=kDREN3CCO3E 

July 17, 2018 Written testimony from parent and teacher Brette Hay https://drive.google.com/open?id=1PdFLlqaR-gvUB32nFsz-_ILoEt3fkpPA

July 17, 2018 Written testimony from Dr. Norman Ely https://docs.google.com/document/d/14Ikjd8TkQhhnGnwh7RdLdGGlo6VnFzKQ2GdXEjImPjs/edit?usp=sharing

July 17, 2018 Written testimony from Brooke Henderson https://docs.google.com/document/d/1zvqD2p54Co1zStAkj7AoH1RDxx8Ys3LdwXtDSEkHHDQ/edit?usp=sharing

FOX 5 KRBK Family claims SPS Google Drive is storing personal information http://www.fox5krbk.com/story/38669634/family-claims-sps-google-drive-is-storing-personal-information#.W09T9C4KOr0.facebook

KOLR10 Parents of SPS Employee say Their Family was Hacked  https://www.ozarksfirst.com/news/parents-of-sps-employee-say-their-family-was-hacked/1181643101

Computer hacking, massive data breach revealed to Springfield Board, Attorney General reportedly investigating https://rturner229.blogspot.com/2018/05/computer-hacking-massive-data-breach.html

Springfield Public Schools 2017-18 School Handbook  https://isharesps.org/websitedoc/CommunityRelations/Student%20Handbooks/2017-2018%20handbook%20final%20complete.pdf

Springfield Public Schools 2018-19 School Handbook https://www.sps.org/Page/2623

How Google Took Over the Classroom https://www.nytimes.com/2017/05/13/technology/google-education-chromebooks-schools.html

EFF: Google’s Student Tracking Isn’t Limited to Chrome Sync
https://www.eff.org/deeplinks/2015/12/googles-student-tracking-isnt-limited-chrome-sync

State Attorneys General are next headache for Google 2017 https://www.wired.com/story/state-attorneys-general-are-googles-next-headache/

37 Attorneys General settle against Google for Consumer tracking violations 2013 https://www.privacyandsecuritymatters.com/2013/11/google-pays-big-to-state-attorney-generals-for-improper-consumer-tracking/

YouTube is Improperly Collecting Children’s Data, Consumer Groups Say  https://mobile.nytimes.com/2018/04/09/business/media/youtube-kids-ftc-complaint.html?smid=tw-share

Transparency and the Marketplace for Student Data
https://www.fordham.edu/info/23830/research/10517/transparency_and_the_marketplace_for_student_data/1

U.S. Education Dept. responds to TheDarkOverlord attacks with new cyber advisory https://www.databreaches.net/u-s-education-dept-responds-to-thedarkoverlord-attacks-with-new-cyber-advisory/

Missouri Consumer Protection Law https://ago.mo.gov/civil-division/consumer/identity-theft-data-security/identity-theft

New Student Data Breach Reporting Requirements in Missouri  https://k12cybersecure.com/blog/new-student-data-breach-reporting-requirements-in-missouri/


Missouri Student Privacy Bill  HB14-1490 as found on the Missouri Department of Elementary and Secondary Education Data System Management website.   https://dese.mo.gov/data-system-management/data-access-sharing-and-privacy

HB-1490:

…The department of elementary and secondary education shall develop criteria for the approval of research and data requests from state and local agencies, researchers working on behalf of the department, and the public
(3) Shall not, unless otherwise provided by law and authorized by policies adopted pursuant to this section, transfer personally identifiable student data;

(4) Develop a detailed data security plan that includes:

(a) Guidelines for authorizing access to the student data system and to individual student data including guidelines for authentication of authorized access;

(b) Privacy compliance standards;

(c) Privacy and security audits;

(d) Breach planning, notification and procedures;

(e) Data retention and disposition policies; and

(f) Data security policies including electronic, physical, and administrative safeguards, such as data encryption and training of employees;

 3. The department of elementary and secondary education shall not collect nor shall school districts report the following individual student data:

(1) Juvenile court delinquency records;

(2) Criminal records;

(3) Student biometric information;

(4) Student political affiliation; or

(5) Student religion.

4. Any rule or portion of a rule, as that term is defined in section 536.010, that is created under the authority delegated in this section shall become effective only if it complies with and is subject to all of the provisions of chapter 536 and, if applicable, section 536.028. This section and chapter 536 are nonseverable and if any of the powers vested with the general assembly pursuant to chapter 536 to review, to delay the effective date, or to disapprove and annul a rule are subsequently held unconstitutional, then the grant of rulemaking authority and any rule proposed or adopted after the effective date of this section shall be invalid and void.

5. Each violation of any provision of any rule promulgated pursuant to this section by an organization or entity other than a state agency, a school board, or an institution shall be punishable by a civil penalty of up to one thousand dollars. A second violation by the same organization or entity involving the education records and privacy of the same student shall be punishable by a civil penalty of up to five thousand dollars. Any subsequent violation by the same organization or entity involving the education records and privacy of the same student shall be punishable by a civil penalty of up to ten thousand dollars. Each violation involving a different individual education record or a different individual student shall be considered a separate violation for purposes of civil penalties…

 

-Cheri Kiesecker


Dear Congress, you are being duped. HR4174-S2046 is a Privacy Fail. Here’s why. (And please no more suspended rules and voice votes on these bills.)

Reposted with permission from  Missouri Education Watchdog.



Dear  Congress,

The GOP Majority Staff of the Congressional House Committee on Oversight and Government Reform wrote and distributed a response to my November 12 blogpost that opposed HR4174. This response, which folks can see here, begins with,

“The Eagle Forum and other groups representing interests such as home schooling have raised concerns about H.R. 4174, the Foundations for Evidence-Based Policymaking Act of 2017. The concerns relate to how the bill would affect the privacy of citizens (especially school-aged children) whose data is being stored by the federal government. Those concerns arise from a misunderstanding of what the bill does to the personal data that the government already has.”

Let me clear something up.  I am not a member of Eagle Forum nor am I a member of a home school group, not that I have anything against them; I just don’t want them to be responsible for what I say.  Missouri Education Watchdog lets me write on their blog but my views are my own. I am a mom. My special interests are my children. I write as a parent, because like many parent advocates, blogging is the only (small) way to be heard.

And No.

My concern DOES NOT “arise from a misunderstanding of what the bill does to the personal data that the government already has.”  You have it sort of right;  let me restate it:

MY CONCERN IS THAT THE GOVERNMENT HAS CITIZENS’ AND ESPECIALLY SCHOOL-AGED CHILDREN’S PERSONAL DATA, WITHOUT PERMISSION…AND IS EXPANDING ACCESS, ANALYSIS OF THIS DATA, AGAIN WITHOUT PERMISSION.

It’s not your data. Data belongs to the individual. Data is identity and data is currency. Collecting someone’s personal data without consent is theft. (When hackers took Equifax data, that was illegal. When the government takes data… no different.)

If you support parental rights, you should not support HR4174 or its sister bill S2046.  Parents are often left out of the conversation about laws affecting their children.

I will say it again… When it comes to their own children, parents have little to no say in education matters. Parents are not invited to fancy conferences, we often aren’t even allowed to attend them. Parents don’t have a travel budget, a lobby budget, or a paid assistant to help write rebuttals and policy briefs. Nope, we are moms and dads and grandparents doing the best we can to protect our children. And that is why I am responding to the federal government’s response to my blogpost opposing their bill(s) HR4174 and S2046, Foundations for Evidence-Based Policymaking Act of 2017.

I invite members of Congress and policy makers: rather than refute or ignore, please have a discussion with those closest to the children: parents.

You impose legislation that directly impacts our children and our families, without our input. We elected you to represent us, “we the people”.    Please hear us, the parents. These are our children, not your human capital, not your data, not your property.

What follows are sections on:

  1. Brief status of student data collection
  2. History and mission of CEP Commission, current linking of IRS data, Census Data, Education data.
  3. China, the US, tech companies and collection, analysis of citizens’ data, dangers of algorithms, metadata profiling.
  4. Status of HR4174, voice votes and suspended rules (why this controversial bill should have had neither)
  5. FACTS. Links to bill text, refuting the House Oversight rebuttal.
  6. Here is a two pager citing only facts, bill text.   http://tinyurl.com/HR4174twopage

The current state of student data collection– You need to know this.

Bill Gates, who has spent billions on reforming education, creating and sharing standardized data, state databases, also wants a national student database, linking k-12 and higher ed data. According to The Gates Foundation 2016 Priorities, this is the national database infrastructure he has in mind. Coincidence?

Gates data infrastructure

State agencies currently maintain personally identifiable data about citizens, including  k-12 school children. My focus is on student data because student data are collected and shared  and analyzed without parent consent. Parents have a right to direct our children’s education and citizens have a right to be secure in their property.  …or do we?  Taking personal information about a child, and sharing it, without the parents’ knowledge or consent is (SHOCKINGLY)  legal, thanks to a 2011 executive rule change that weakened FERPA.

Any Congressperson who would like to spend his or her Thanksgiving dinner explaining to friends and relatives why you think taking personal information about a child and sharing it without parent consent is ethical or principled, please go ahead. Also, let them know that you passed a bill giving more access to this ill-gotten, personal information of students. Be my guest.

As for me, I find HR4174 collection, sharing of a school child’s personal data without parent consent, unconstitutional and unethical and a violation of children’s privacy and parental rights.

The Electronic Frontier Foundation also challenged nonconsensual sharing of students’ personal information and the weakening of FERPA. See the EPIC lawsuit against the US Department of Education here.

Very personal information about k-12 students (i.e., personal background info on kindergarten-12 registration forms, demographics, race, health records, disability status, income status, a multitude of invasive surveys, even personality tests, etc.) is currently collected at all public k-12 schools and can be shared outside of the school, without the parents’ knowledge. Many have said for years, student data collection is out of control and we are not protecting children: Asleep at the Switch: Schoolhouse Commercialism, Student Privacy, and the Failure of Policymaking.

Metadata and mouse-clicks to predict a child, measure their behavior. Amazon and Facebook and Google and Microsoft and many other edtech companies are invading the classroom. Edtech companies like DreamBox, Khan Academy, and Knewton use adaptive or “personalized” online programs that collect large amounts of data on each child. Knewton claims 5-10 million data points per child, per day. DreamBox claims 50,000 data points per hour on each student. These “personalized” software programs embedded in education technology are collecting data about a student, secretly determining which questions students will see, measuring how fast a child reads, what he or she clicks on, how long he or she takes to answer a question. This metadata is sometimes being used to measure a child’s “social emotional learning” and engagement. One assessment company, NWEA, measuring test item response times, says if a child responds to a test question too quickly, this will give him/her a low engagement score. NWEA thinks a child’s rapid response means the child is guessing and this disengagement can be applied to other “deep rooted problems” in a student’s life such as,

“a student’s likelihood of disengaging on a test was associated with his or her self-management and self-regulation skills, the ability, for example, to show up for class prepared and on time. “As they disengage from tests and the course material, a whole host of other things come up … attendance, suspensions, course failure … that have been connected to risk of dropping out of school,”

In a digital environment, everything a child does online can be captured, connected and catalogued. The LearnSphere project funded by the National Science Foundation and handled by Carnegie Mellon, explains this project which began in 2014:

“There are several important initiatives designed to address these data access challenges, for individual researchers as well as institutions and states. LearnSphere, a cross-institutional community infrastructure project, aims to develop a large-scale open repository of rich education data by integrating data from its four components.[17] For instance, DataShop stores data from student interactions with online course materials, intelligent tutoring systems, virtual labs, and simulations, and DataStage stores data derived from online courses offered by Stanford University. Click-stream data stored in these repositories include thousands and even millions of data points per student, much of which is made publicly available to registered users who meet data privacy assurance criteria. On the other hand, MOOCdb and DiscourseDB, also components of LearnSphere, offer platforms for the extraction and representation of student MOOC data and textual data, respectively, surrounding student online learning interactions that are otherwise difficult to access or are highly fragmented. By integrating data held or processed through these different components, LearnSphere will create a large set of interconnected data that reflects most of a student’s experience in online learning.” http://www.sr.ithaka.org/publications/student-data-in-the-digital-era/

Shouldn’t parents be able to see and consent to this information being collected and analyzed about their children? Will researchers and edtech companies be granted MORE access to the personal student data held by the DataShop, that HR4174 creates? (Yes, according to the bill excerpts below.)

Personal information about a student is already shared to a state longitudinal database, SLDS. See here for what data elements are stored in the state data dictionary. The states share this personal student data (personally identifiable information, pii) with other agencies, corporations, researchers–again without parent notification or consent, and parents cannot opt out. See here for example of state agreements to share student pii with companies, researchers, agencies, etc.

The Department of Defense also has access to student data through the Federal Learning Registry, a joint student data gathering project between the Department of Defense and the Department of Education. The Learning Registry and US Department of Education are also “encouraging districts and states to move away from traditional textbooks” and instead use the Learning Registry’s openly-licensed online materials, (Online Educational Resources, OERs), facilitated by Amazon, Microsoft, Edmodo, ASCD, Creative Commons. Can parents see this data or opt out? Nope.

The safest way to protect data is to minimize its collection. HR4174 does not minimize data collection, nor does it decrease disclosures. Schools and student databases across the country are currently being hacked and held for ransom, students threatened by cyber terrorists. With the federal government’s track record of failing FITARA security scores, and recent data breaches, the thought of the federal government coordinating and maintaining expanded access to state level student data is concerning.

History and mission of CEP Commission

HR4174 is a result of the CEP (Commission for Evidence-based Policy); as stated in the bill and in the CEP final report, its purpose is identifying and reducing or removing barriers to accessing state-level data. The CEP commission held several meetings and three public hearings.  I suggest you review the minutes, video and audio of these meetings and hearings. You can read about the history of the CEP commission, watch the first public hearing, see written testimony submitted here.

The testimony from Oct 21, 2016 CEP hearing panelists is enlightening:

For example, RK Paleru of Booz Allen Hamilton said in his testimony that BAH supports, among other things, linking student data from surveys and multiple agencies, public-private partnerships, and data analytics, and “bringing the private sector perspective to the conversation.” He also stated the need for a data clearinghouse to be self-service and like a “Pinterest for data”, or data as paid service, and wanted to promote inter-agency data sharing.

Another Oct 21 CEP hearing panelist, Rachel Zinn of the Workforce Data Quality Campaign (WDQC), said that because of the current ban on a federal student database, “stakeholders” don’t have access to student information. She went on to say that in order to link and share data, stakeholders often have to use “non-standard processes, often goes through personal relationships or particular capacities within agencies at particular times”.

Panelists at Feb 9, 2017 CEP hearing (listen to Audio at 57 min to 1hr14min mark):

Panelists discuss making it easier to link personally identifiable information from IRS records and personal information from Census population survey, personal information from education records and SLDS. With the CEP Commission making this personal data more accessible, more available, the researcher feels “like a kid in candy store”. There are great barriers that prevent researchers from getting this data, currently researchers have to get it by “hook or crook” or “by leveraging personal relationships”… CEP questions the coercive nature of obtaining this data. At 1 hour 11 minutes, they discuss how currently they can link Census population survey data and personal IRS data, with persistence any academic researcher can access these data, you just have to know the steps to get there and I think that’s the Commission’s charge”…

The Feb 24, 2017 CEP meeting:

Again, panelists discuss how they are already linking personally identifiable state-level education records with IRS records, but cite it is difficult and barriers need to be removed to make it easier to link this pii data between agencies.

CHINA and US: Meta data, predictive algorithms, analyzing and generating data, social engineering

Linking all this personal data on citizens reminds me of why I mentioned that China collects and links data about its citizens.  Is there anything in HR4174 that says personal data cannot be used to rank a person, create a reputation score, or profile a person? HR4174 allows meta data analysis, generation of new data that can be  used to predict and profile. Algorithms can be biased and wrong. HOW can you possibly police this? A good start would be Europe’s General Data Protection Rule.

Tech companies in the US are ramping up their use of predictive analytics, artificial intelligence, despite dire warnings of existential risk. This article on Twitter, Facebook and Google analytics is a warning on why we should be concerned. Do Facebook and Google have control of their algorithms anymore? A sobering assessment and a warning,

“Google, Twitter, and Facebook have all regularly shifted the blame to algorithms when this happens, but the issue is that said companies write the algorithms, making them responsible for what they churn out.

Algorithms can be gamed, algorithms can be trained on biased information, and algorithms can shield platforms [tech companies] from blame.”

YET, have you ever heard of Yet Analytics? To quote this article,  Yet, HP and the Future of Human Capital Analytics: AI and your reputation score,

“querying of big data comprising information on learning, economic and social factors and outcomes gathered by the World Bank, the World Economic Forum, the United Nations and elsewhere. The outcome is the ability to predict multi-year return on investment on a great variety of learning, economic and social measures. We knew that variables including adolescent fertility rates, infant mortality rates and the balance of trade goods all had significant relationships with GDP per capita.”

Microsoft of course uses artificial intelligence and analytics with Cortana technology, but also has MALMO built in the MINECRAFT platform, “How can we develop artificial intelligence that learns to make sense of complex environments? That learns from others, including humans, how to interact with the world? Project Malmo sets out to address these core research challenges, addressing them by integrating (deep) reinforcement learning, cognitive science, and many ideas from artificial intelligence.”  Microsoft also has PROJECT BRAINWAVE capturing real time artificial intelligence data.

Facebook and your credit score? Facebook reportedly has a patent for technology that could potentially be used for evaluating your credit risk, which they say could be used to view your social network connections and determine your credit worthiness.

Status of HR4174

HR4174 was introduced on 10/31/2017 and was passed on voice vote in the House Oversight and Government Reform. Yesterday, the US House of Representatives suspended their rules, something that, according to this document, is only done on non-controversial bills. Judging by the public outcry and the rebuttal response from House Oversight, I would argue this bill is controversial and should not have been voted on under suspended rules. With rules suspended and another voice vote, the House unanimously passed HR4174 on 11/15/2017. Watch the vote, starting at 4hr 52min mark here.

Myth or Fact?  You decide.

The rebuttal

FACT:  Parents cannot opt students out of this state data collection that is obtained without consent.

HR4174 will increase access to this state-level student data, allowing data to be linked or disclosed with government agencies, researchers, again without consent.

  • If HR4174 does allow parental consent, does allow parents to opt out of student data collection and sharing, please correct me. It would be imperative to specifically state parental consent and opt out rights in the bill, so schools and parents are aware of this provision. There’s still time to add this opt out provision in the Senate.

FACT: HR4174 removes barriers to state-level data access and creates a National Secure Data Service (NSDS) with a Chief Evaluation Officer in each federal department; the NSDS will be coordinated through the Office of Management and Budget (OMB). Data officers in each agency oversee the dissemination and generation of data between state agencies and private users, contractors, researchers while finding new and innovative ways to use technology to improve data collection and use.

Does that sound like a national  system to manage and disclose data?  …Keep reading.

  • § 3520A. Chief Data Officer Council

“(a) Establishment.—There is established in the Office of Management and Budget a Chief Data Officer Council (in this section referred to as the ‘Council’).

“(b) Purpose and functions.—The Council shall—

“(1) establish Governmentwide best practices for the use, protection, dissemination, and generation of data;

“(2) promote and encourage data sharing agreements between agencies;

“(3) identify ways in which agencies can improve upon the production of evidence for use in policymaking;

“(4) consult with the public and engage with private users of Government data and other stakeholders on how to improve access to data assets of the Federal Government; and

“(5) identify and evaluate new technology solutions for improving the collection and use of data.

FACT: HR4174 requires each agency (see the list of 17 different agencies, A-Q below, that will maintain and disclose data) to make any data asset maintained by the agency available to any statistical agency. The head of each agency shall … make a list of data the agency intends to collect, use, or acquire. This data may be in an identifiable form and may include operating and financial data and information about businesses, tax-exempt organizations, and government entities.

  • HR4174 PART D—ACCESS TO DATA FOR EVIDENCE

    § 3581. Presumption of accessibility for statistical agencies and units

    “(a) Accessibility of data assets.—The head of an agency shall, to the extent practicable, make any data asset maintained by the agency available, upon request, to any statistical agency or unit for purposes of developing evidence.

  • § 312. Agency evidence-building plan

    “(a) Requirement.—Not later than the first Monday in February of each year, the head of each agency shall submit to the Director and Congress a systematic plan for identifying and addressing policy questions relevant to the programs, policies, and regulations of the agency. Such plan shall be made available on the public website of the agency and shall cover at least a 4-year period beginning with the first fiscal year following the fiscal year in which the plan is submitted and published and contain the following:

    “(1) A list of policy-relevant questions for which the agency intends to develop evidence to support policymaking.

    “(2) A list of data the agency intends to collect, use, or acquire to facilitate the use of evidence in policymaking.

    “(3) A list of methods and analytical approaches that may be used to develop evidence to support policymaking.

    “(4) A list of any challenges to developing evidence to support policymaking, including any statutory or other restrictions to accessing relevant data.

Agencies involved in the HR4174 Federal evidence-building activities.

HR4174 “SUBCHAPTER II—FEDERAL EVIDENCE-BUILDING ACTIVITIES

§ 311. Definitions

“(1) AGENCY.—The term ‘agency’ means an agency referred to under section 901(b) of title 31.

901(b) of title 31:
(b)
(1) The agencies referred to in subsection (a)(1) are the following:
(A) The Department of Agriculture.
(B) The Department of Commerce.
(C) The Department of Defense.
(D) The Department of Education.
(E) The Department of Energy.
(F) The Department of Health and Human Services.
(G) The Department of Homeland Security.
(H) The Department of Housing and Urban Development.
(I) The Department of the Interior.
(J) The Department of Justice.
(K) The Department of Labor.
(L) The Department of State.
(M) The Department of Transportation.
(N) The Department of the Treasury.
(O) The Department of Veterans Affairs.
(P) The Environmental Protection Agency.
(Q) The National Aeronautics and Space Administration.

https://www.law.cornell.edu/uscode/text/31/901

FACT: Data is shared between designated statistical agencies and can be personally identifiable data. Agencies and the Director can promulgate their own rules about data disclosure and sharing. The overseers of data dissemination and generation can make their own rules.

  • “(c) Sharing of business data among Designated Statistical Agencies.—

    “(1) IN GENERAL.—A Designated Statistical Agency may provide business data in an identifiable form to another Designated Statistical Agency under the terms of a written agreement among the agencies sharing the business data that specifies—

    “(A) the business data to be shared;

    “(B) the statistical purposes for which the business data are to be used;

    “(C) the officers, employees, and agents authorized to examine the business data to be shared; and

    “(D) appropriate security procedures to safeguard the confidentiality of the business data.

 

  • “(e) Designated Statistical Agency defined.—In this section, the term ‘Designated Statistical Agency’ means each of the following:

    (1) The Census Bureau of the Department of Commerce.

    (2) The Bureau of Economic Analysis of the Department of Commerce.

    (3) The Bureau of Labor Statistics of the Department of Labor.”.

  • “(3) BUSINESS DATA.—The term ‘business data’ means operating and financial data and information about businesses, tax-exempt organizations, and government entities.  [Note: Schools are tax-exempt and government entities.]

 

  • “§ 3562. Coordination and oversight of policies

    “(a) In general.—The Director shall coordinate and oversee the confidentiality and disclosure policies established by this subchapter. The Director may promulgate rules or provide other guidance to ensure consistent interpretation of this subchapter by the affected agencies. The Director shall develop a process by which the Director designates agencies or organizational units as statistical agencies and units. The Director shall promulgate guidance to implement such process, which shall include specific criteria for such designation and methods by which the Director will ensure transparency in the process.

    “(b) Agency rules.—Subject to subsection (c), agencies may promulgate rules to implement this subchapter. Rules governing disclosures of information that are authorized by this subchapter shall be promulgated by the agency that originally collected the information.

FACT: Data is linked between agencies.

  • § 316. Advisory Committee on Data for Evidence Building

    During the first year of the Advisory Committee, the Advisory Committee shall—

    “(B) evaluate and provide recommendations to the Director on the establishment of a shared service to facilitate data sharing, enable data linkage, and develop privacy enhancing techniques,

FACT: Data may be shared with private organizations, researchers, consultants, contractors, employees of contractors, government entities, individuals who agree in writing to comply with provisions.

  • “(e) Designation of agents.—A statistical agency or unit may designate agents, by contract or by entering into a special agreement containing the provisions required under section 3561(2) for treatment as an agent under that section, who may perform exclusively statistical activities, subject to the limitations and penalties described in this subchapter.

 

  • “(2) AGENT.—The term ‘agent’ means an individual

    “(A)(i) who is an employee of a private organization or a researcher affiliated with an institution of higher learning (including a person granted special sworn status by the Bureau of the Census under section 23(c) of title 13), and with whom a contract or other agreement is executed, on a temporary basis, by an executive agency to perform exclusively statistical activities under the control and supervision of an officer or employee of that agency;

    “(ii) who is working under the authority of a government entity with which a contract or other agreement is executed by an executive agency to perform exclusively statistical activities under the control of an officer or employee of that agency;

    “(iii) who is a self-employed researcher, a consultant, a contractor, or an employee of a contractor, and with whom a contract or other agreement is executed by an executive agency to perform a statistical activity under the control of an officer or employee of that agency; or

    “(iv) who is a contractor or an employee of a contractor, and who is engaged by the agency to design or maintain the systems for handling or storage of data received under this subchapter; and

    “(B) who agrees in writing to comply with all provisions of law that affect information acquired by that agency.

  • SEC. 202. OPEN Government Data. (a) Definitions.—Section 3502 of title 44, United States Code, is amended—
  • “(15) the term ‘data’ means recorded information, regardless of form or the media on which the data is recorded;
  • “(16) the term ‘data asset’ means a collection of data elements or data sets that may be grouped together;
  • “(17) the term ‘machine-readable’, when used with respect to data, means data in a format that can be easily processed by a computer without human intervention while ensuring no semantic meaning is lost;
  • “(18) the term ‘metadata’ means structural or descriptive information about data such as content, format, source, rights, accuracy, provenance, frequency, periodicity, granularity, publisher or responsible party, contact information, method of collection, and other descriptions;

FACT: You are correct that HR4174 does repeal the E–Government Act of 2002 (Public Law 107–347; 44 U.S.C. 3501) and re-insert it in title 44. However, the CIPSEA penalty of $250,000 fine or 5 years prison is not new; it has been in place since 2002. Student data has been collected and shared without consent since 2012; CIPSEA was not applicable or not enforced. Ironically, HR4174 weakens CIPSEA.

CIPSEA is amended to expand access to data. Additionally, once again, the Director can promulgate regulation on what data to share.

  • § 3582. Expanding secure access to CIPSEA data assets

“(a) Statistical agency responsibilities.—To the extent practicable, each statistical agency or unit shall expand access to data assets of such agency or unit acquired or accessed under this subchapter to develop evidence while protecting such assets from inappropriate access and use, in accordance with the regulations promulgated under subsection (b).

“(b) Regulations for accessibility of nonpublic data assets.—The Director shall promulgate regulations, in accordance with applicable law, for statistical agencies and units to carry out the requirement under subsection (a). Such regulations shall include the following:

“(1) Standards for each statistical agency or unit to assess each data asset owned or accessed by the statistical agency or unit for purposes of categorizing the sensitivity level of each such asset and identifying the corresponding level of accessibility to each such asset. Such standards shall include—

“(A) common sensitivity levels and corresponding levels of accessibility that may be assigned to a data asset, including a requisite minimum and maximum number of sensitivity levels for each statistical agency or unit to use;

“(B) criteria for determining the sensitivity level and corresponding level of accessibility of each data asset; and

“(C) criteria for determining whether a less sensitive and more accessible version of a data asset can be produced.

“(2) Standards for each statistical agency or unit to improve access to a data asset pursuant to paragraph (1) or (3) by removing or obscuring information in such a manner that the identity of the data subject is less likely to be reasonably inferred by either direct or indirect means.

“(3) A requirement for each statistical agency or unit to conduct a comprehensive risk assessment of any data asset acquired or accessed under this subchapter prior to any public release of such asset, including standards for such comprehensive risk assessment and criteria for making a determination of whether to release the data.

Continually saying that you aren’t collecting new data is meaningless – because the data was illegally obtained in the first place. HR4174 allows personal data to be shared without consent and importantly, allows generated data, meta data analysis of citizens without consent.  Personal data belongs to the individual. Data collection without consent is theft. It’s time the US updated our privacy laws  – not to further weaken them. Instead, it’s time for Congress to be a leader: minimize the data collected, protect privacy and security,  and look to Europe’s General Data Protection Rule, the strictest privacy law in the world.

-Cheri Kiesecker

Dear Teachers Using Google Classroom,

Reposted with permission from Wrench in the Gears

I really need you to keep in mind that all the data run through those programs (your intellectual property, student work, correspondence, etc.) is being used to refine the AI systems destined to replace you. There is a price for this “free” convenience. The bill may come due after you leave the profession, but I beg you to consider the implications of your actions now.

If you don’t know about the NSA Data Center in Bluffdale, take 8 minutes and watch the video below.  The center, located in the Utah desert, has the capacity to store 100 years of global electronic communications. The NSA says they won’t “look” until such a time as you or a student fall under suspicion and trigger a FISA order.

Pushing education into the cloud had consequences. Digital devices should be considered tools of surveillance and treated with great care. Those valuing freedom of expression in educational settings would do best to take a moment and consider Google’s relationship to the state, their profit motives, and the power they wield globally. Remember, if it’s “free,” YOU’RE the product.

Sincerely,

A Concerned Parent Who Values HUMAN Teachers.

 

PS: Some of us are exercising our legal right to opt our children out of Google Classroom, so please have non-burdensome options for them to get homework information, class communications, and turn in assignments outside this corporate platform, ok?