Pandora’s box may not be a heavy wooden chest.
It might just be a laptop or an iPad.
The Federal Bureau of Investigations (FBI) issued a warning late last week about the proliferation of educational technologies (EdTech) in schools and the dangers they pose to student safety and privacy.
The devices and applications singled out by US domestic intelligence services all involve software that asks for and saves student input.
This includes classroom management tools like Class Dojo and eBackpack as well as student testing and remediation applications like Classroom Diagnostic Tools and StudyIsland.
The alert cautions schools and parents that the widespread collection of student data involved in these applications could cause safety concerns if the information is compromised or exploited.
It’s just such technologies that have proliferated at a breakneck pace in districts throughout the country while legislation, cybersecurity and even awareness of the danger has lagged behind.
The Bureau is concerned about EdTech services because many are “adaptive, personalized learning experiences” or “administrative platforms for tracking academics, disciplinary issues, student information systems, and classroom management programs.”
The Bureau clarified that use of EdTech applications was not, in itself, the problem. They are a tool, and like any tool, they can be used for good or ill.
Advocates say when used correctly, these systems offer the potential for student collaboration, and for teachers to collect and compare information about students to help design better lessons. On the other hand, critics warn that the problems with most EdTech is essential to the way it operates and that it is designed more for the purposes of student data mining and profitization by corporations than with academic success for children in mind.
In either case, the dangers posed by such devices are indisputable.
The amount and kinds of data being collected about students has not been well publicized or understood. Many school boards, administrators, teachers, parents and students may be using EdTech without a full appreciation of how it often surreptitiously collects data on children.
Analysts listed several types of student particulars being stockpiled:
“personally identifiable information (PII); biometric data; academic progress; behavioral, disciplinary, and medical information; Web browsing history; students’ geolocation; IP addresses used by students; and classroom activities.”
This is highly sensitive information that could be extremely harmful to students if it fell into the wrong hands.
Pedophiles could use this data to find and abduct children. Criminals could use it to blackmail them. It could even be sold to unscrupulous corporations or exploited by other children to bully and harass classmates.
These concerns are not merely academic. Data breaches have already occurred.
According to the FBI:
“…in late 2017, cyber actors exploited school information technology (IT) systems by hacking into multiple school district servers across the United States. They accessed student contact information, education plans, homework assignments, medical records, and counselor reports, and then used that information to contact, extort, and threaten students with physical violence and release of their personal information. The actors sent text messages to parents and local law enforcement, publicized students’ private information, posted student PII on social media, and stated how the release of such information could help child predators identify new targets.”
Though the Bureau did not mention them by name, it cited two specific cybersecurity failures in 2017 at two large EdTech companies where millions of student’s private information became publicly available.
The FBI seems to be referring to Edmodo and Schoolzilla. Hackers stole 77 million user accounts from Edmodo last year and sold that data to a “dark web” marketplace. Likewise, Schoolzilla stored student information on a publicly accessible server, according to a security researcher, thereby exposing the private information of approximately 1.3 million children.
It was these data breaches that prompted the Department of Education to issue a Cyber Advisory alert in October of 2017 warning that cyber criminals were targeting schools that had inadequate data security. Criminals were trying to gain access to this sensitive material about students to “shame, bully, and threaten children.”
In February, another cybercrime was reported by the Internal Revenue Service. The agency released an “urgent alert” about scammers targeting school districts with W-2 phishing schemes.
Of particular concern to the FBI are school devices connected directly to the Internet. They offer hackers an immediate link to private student information. This is true even if a school device is in the student’s home.
Tablets, laptops or monitoring devices such as cameras or microphones could be exploitable by tech savvy criminals – especially since many EdTech programs allow remote-access capabilities without the user even being aware of what is happening.
Indeed, some EdTech companies collect information on students’ feelings; become student data brokers and use voice-activated speakers in the classroom.
The FBI listed several recommendations for parents and families:
“Research existing student and child privacy protections of the Family Educational Rights and Privacy Act (FERPA), the Protection of Pupil Rights Amendment (PPRA), the Children’s Online Privacy Protection Act (COPPA), and state laws as they apply to EdTech services. Discuss with their local districts about what and how EdTech technologies and programs are used in their schools. Conduct research on parent coalition and information-sharing organizations which are available online for those looking for support and additional resources. Research school-related cyber breaches which can further inform families of student data vulnerabilities. Consider credit or identity theft monitoring to check for any fraudulent use of their children’s identity. Conduct regular Internet searches of children’s information to help identify the exposure and spread of their information on the Internet.”
The warning concluded by asking those who have information about cybercrimes or who have been victimized by data breaches to file a complaint with the Internet Crime Complaint Center at www.ic3.gov.
For some, the FBI’s warning highlights the need for greater education funding for cybersecurity.
“While other industries are investing in greater IT security to protect against cyber threats, many schools are facing budget constraints that result in declining resources for IT security programs,” staff members from the Future of Privacy Forum wrote on their blog. “Schools across the country lack funding to provide and maintain adequate security,” they wrote.
Others see the problem as one of antiquated legislation not keeping up with changing technologies.
The FBI memo highlights a need for Congress to update federal student privacy laws, said Rachael Stickland, co-founder and co-chair of the Parent Coalition for Student Privacy.
At present, these issues are covered haphazardly from state to state, a situation Strickland finds intolerably inadequate.
The main federal law safeguarding student data privacy, The Family Educational Rights and Privacy Act, should be updated, she said. It must address exactly which ways districts should be allowed to share data with EdTech companies.
“What we need is a comprehensive approach at the federal level to address these outdated federal laws,” she said. “We really need these modernized to address not only the cybersecurity threats but also the potential misuse of this data.”
However, some critics are skeptical of the very use of EdTech in the classroom, at all.
They see the potential dangers being so massive and difficult to guard against that any remedies to fix the problem would be counterproductive.
Instead of spending millions or billions more on cybersecurity measures, we should use any additional funding for more essential budget items like teachers, tutors, nurses and counselors.
The goal is to provide a quality education – not to provide a quality education with increasingly complex technologies. If the former can be done with the latter, that’s fine. But if we have to choose between the two, we should go with proven methods instead of the latest fads.
EdTech corporations are making staggering profits off public schools while almost every other area goes lacking. In the nexus of business and industry, we may be losing sight of what’s best for students.
The question is have we already opened Pandora’s box, and if we haven’t, can we stop ourselves from doing so?