Edtech has become inseparable from the education system.
But how prepared are K-12 districts to handle the thorny privacy and security issues that these tools raise?
Not very, according to “Uncovering Privacy and Security Challenges In K-12 Schools,” a new study of how districts handle privacy and security issues from researchers at the University of Chicago and New York University.
But that may be largely because they’ve been ill-equipped to do so.
Scoping the Problem
After interviewing a number of school officials about privacy issues, researchers scraped 15,573 websites from K-12 public schools and districts in the U.S. to find out which edtech products those schools most often use or recommend to students — as well as what risks those tools raise and whether schools are prepared to meet them.
The study marks the first quantitative sweep of the privacy and security snags raised by the edtech products currently being used by American public schools, according to the researchers.
The resulting list includes many well-known tools like Zoom, Scholastic, College Board, Khan Academy and Clever.
Nearly all of the top sites linked to by schools “extensively” used tracking software, according to the report. The researchers also note that many sites — 7.4 percent — also used session recorders, which are known to capture sensitive information like keystrokes.
Previous studies of policies around student information have revealed that edtech companies often don’t disclose their data practices. And human rights groups and regulators have also raised alarms about the vulnerability posed by invasive surveillance tech and school mishandling of data.
Yet, the precise nature of the risks edtech poses weren’t well understood or addressed by schools, the latest report found.
Administrators may not be aware of what information edtech products they’re using — or the sites they’re recommending to students — may be tracking, says Brandon Sloane, a Ph.D. candidate at New York University who worked on the report.
Vetting processes tend to mention privacy but are relatively fuzzy on the details, the report found. The result is that schools sometimes rely on vendor reputation and standard-issue contracts. And once that edtech is purchased, public schools don’t have the resources or training to handle the security and privacy risks, the study reported.
This report adds to a growing list of research that calls for K-12 laws to better shield student privacy, at a time when experts say that edtech companies have put too much of the burden of ensuring data security onto schools.
In addition to addressing concerns about students’ daily use of edtech, the study also responds to a steep increase in cybersecurity incidents at K-12 schools over the past half-decade. There have been several high-profile incidents, including the Illuminate Education data breach that exposed the data of hundreds of thousands of students.
These incidents — ranging from breaches to ransomware attacks like the one that hit Los Angeles Unified School District, the second largest in the country, last year — have been noted for imperiling sensitive information, and also for being a stealth cause of “learning loss” since the disruption can force schools to close for a time.
Regulators have begun to wake up to this situation, with think tanks describing themselves as relatively optimistic over the legislation that came out at the end of last year, and some researchers are calling for adjustments to federal laws that would better protect student privacy.
Meanwhile, this latest study calls attention to the usefulness of state regulations.
State laws that specify privacy standards for edtech companies have helped woefully under-resourced schools, says Jake Chanenson, a Ph.D. candidate at the University of Chicago who helped conduct the report. Some districts in Connecticut and Illinois were particularly ahead of the curve, he says.
“They credited their state data privacy laws as being part of the reason why they’re on top of it,” Chanenson adds.
But what should educators do?
Pushing for more training is good, Chanenson says. The professional development days that schools have on tech should also feature student privacy as a theme, he adds.
Further, teachers should also be conscientious when considering if a new edtech product actually adds legitimate value to teaching, he says.