If you’re confused about or unsure what student data privacy is, don’t worry — I was, too. But that all changed in early March thanks to SXSW EDU, the education arm of the Austin-based conference/festival/extravaganza.
I traveled to Austin to attend a private workshop hosted by the Education Writers Association. We attended a podcast recording where experts spoke on student data privacy as a civil rights issue, and then headed to a conference room for an afternoon of sessions with reporters who have done amazing work on issues related to student data privacy.
The sessions focused on student data privacy and all of the pieces that go into it, like artificial intelligence, surveillance systems, and cyberattacks.
And, as a bonus, I got to meet our health reporter, my colleague Alexa Imani Spencer, in person! We grabbed dinner at a food truck park.
Let’s dive in to what I learned and how I’ll use that information to tell deeper stories at Word In Black.
What Is Student Data Privacy?
“Student data privacy” encompasses a whole lot. Basically, it can be summed up as what information a school is keeping about a student, who has access to it, and what they are doing with it.
Schools keep an abundance of information about students, even without considering their health and medical records. There are the basics: they know a student’s address, contact information, demographic information, religion, and family’s financial information. On top of that, they keep grades, attendance and participation records, behavior, assessment results, benchmarks, and other observational data.
That’s a lot! So… what laws are in place to keep this data protected? It turns out, there are some outdated ones.
An Outdated and Imperfect System
There are two main laws that protect student data privacy: Family Educational Rights and Privacy Act (FERPA) and Children’s Online Privacy Protection Rule (COPPA).
Briefly, FERPA, which applies to all educational institutions that receive federal funds, allows parents the right to access their child’s education record, have it amended, and have some control over the disclosure of any personally identifiable information. And COPPA regulates any online service, commercial website, or mobile application that collects data from people under the age of 13 from unfair or deceptive practice of collecting the information or disclosing it.
Unfortunately, both of these laws were enacted prior to the 21st century, so neither was prepared to protect against all that comes with the World Wide Web.
On top of that, the penalty for violating FERPA is for the government to withhold federal funding, and that has never been imposed in the nearly 50 years the law has existed. But a recent example of a COPPA violation was TikTok, which is said to be collecting information from kids under 13 without their parents’ consent.
Plus, now kids have to battle “algorithm bias,” — or human biases that are automated and amplified by technology. Clarence Okoh from the Center for Law and Social Policy talked about how the laws designed to protect student privacy don’t think about civil rights protection, and that this data is often used to discriminate against student populations.
For example, schools are using AI to monitor what students are seeing and saying on their social media profiles, facial recognition to control entry and exit in schools, and to detect irregular body movements in the hopes of being alerted to self-harm or mass violence. But, aside from not having proven effectiveness, these obviously have unintended consequences.
The Spy Is Coming From Inside the School
My favorite session of the day was with Pia Ceres from WIRED and Benjamin Herold from Education Week.
They talked about the various ways schools have surveilled and tracked students through school-issued devices, especially since the pandemic when these were distributed more widely to help with virtual learning. Some of these programs let teachers see what exactly is happening on students’ screens, and even take control of the screen or privately message students.
They also allow schools to set specific terms or words that, when a student uses them, it flags it and sends it to administrators. On the surface, this is meant to prevent self-harm or mass violence by detecting words like “suicide,” “gun,” etc. It can also monitor hate speech or offensive language.
What is lingering the most with me is the access to students’ personal lives that administrators have gotten through these surveillance systems. For example, based on the search terms, schools have outed LGBTQ+ students.
It gets worse. Students who used their school-issued device to charge their personal cell phones were unaware that the entire contents of their phones were uploaded to the surveillance system, allowing administrators to see extremely sensitive information, like photos of drug use and nudes. They even found out about student pregnancies.
Plus, we’ve already seen examples of Black and Brown students being disciplined at higher rates because of data collected on devices distributed by schools.
Districts Are Not Honest About Cyberattacks
Have you ever been curious about what’s on the dark web? Wall Street Journal reporter Tawnell Hobbs can tell you all about it.
Hobbs talked to us about the increasing rise of cyberattacks against schools and school districts, and how, though they’re victims, the schools often lie about being hacked. They don’t want to admit what happened. And schools often have a very small IT department with the job of distributing computers and keeping the Wi-Fi running, not negotiating with hackers to keep sensitive information about students off the dark web.
It’s extremely common for parents and students to be unaware that their information was stolen, Hobbs told us. In some states, schools and districts are required to report to the state’s education department that the attack happened, but what they actually have to disclose is varied.
Hobbs had a lot of stories she shared with us about communicating with hackers and watching auctions for students’ data on the dark web. But two things stuck out the most to me. The first is that schools are good targets because they keep information for too long. Think about how long you’ve been out of the K-12 system, and think about which of your records you could still get by calling your old high school. The other terrifying piece was that kindergarteners are the biggest targets of cyberattacks because it will be around 10 years before they realize their identity has been stolen.
Stories I Will Pursue
Listening to all of these sessions — and being in rooms surrounded by really smart and passionate people — made my brain swim with story ideas to pursue for Word In Black.
If you are or know someone willing to talk about your experiences with student data privacy, please introduce yourself! You can reach me at email@example.com.