Can we teach our kids how to “share” in the social media sandbox?

 

More than half of teens go online several times a day. Some of us could argue that our kids never go “offline” as approximately ¾ of American teens say they have access to a smartphone. Not surprisingly, 71% of teens use more than one social network site, defining teens as kids between 13-17 years old. The most popular social media platforms used by teens? Facebook, Instagram and Snapchat. None of these statistics are surprising. Kids willingly use and post information about themselves on social media. Then why does it matter if parents post about their kids on social media? And why are kids not happy about the fact that the adults in their lives feel as if they can post anything they choose about them?

So off I went to do one of my informal, unscientific and most likely biased polls with a sample group of guinea pigs, my kid’s friends, my kids, willing subject matter experts…..yep – that one….

There is a clear tension between kids feeling comfortable with posting information about themselves and adults deciding what information to post about kids. And what I find most interesting is that what kids are really saying is that they want to control their privacy – maybe not in those words but that certainly is the message. It is clear how they feel between what they decide to post versus someone else deciding. And as I have conversations with kids of different ages, they are aware that, for the most part, they are not comfortable making these decisions on their own and arbitrarily. They are looking for some form of adult guidance on being responsible at least at the outset of their social media experience. Really showing a deeper insight into their understanding of the perils of social media and internet use and the importance of their privacy.

So what can adults do to help their kids? For starters, we can make sure we teach them responsible digital citizenship. They need to understand the consequences of posting information that while not all bad, some information could be embarrassing down the road. Like pictures of me in my 80’s outfits including the fantastic hairstyles of the moment, but I digress……we need to be able to teach our children what is a good app to use, which ones to avoid, and the appropriate time to post information about themselves. The more I talk to my own kids the clearer it is. Kids are growing with technology, no doubt about it, they are also growing with an increased awareness of privacy. So how do we help them navigate this social media sandbox? For starters we need to give them the decision making power of the information we disclose about them. They are a lot more comfortable when they can decide what is disclosed about them, so why not honor that?

However, parents face many challenges when trying to help their kids navigate social media platforms and apps. There are many articles about the “best apps” or the “most popular social media platforms” but little information on which apps and social media platforms protect their privacy and data. Further, there is very little information in a format that kids can understand and relate to. So while articles like this one from EdSurge are great for deciding whether an app is useful or not, they don’t provide insight into the apps’ privacy policies. And that matters, because apps are downloaded, most likely kids provide information about themselves, and they need to understand the ramifications of providing this information.

So as our kids continue to play in the social media sandbox, we need to help them learn how to “share” or not….depending on what they want to say about themselves.

 

 

Playing in the Social Media Sandbox

 

A few weeks ago, I received an email from my kid’s school. It was a letter from the Principal talking about social media use and tips for creating a safe environment for students. It’s middle school, my kid has a smartphone and continually begs for a YouTube, Instagram and Twitter account…..hence my interest in the letter (notwithstanding my interest in privacy and all things Ed-tech). Maybe not sandbox age kids but close…..

It was an interesting letter, pointing out the benefits and perils of social media (I am sure we are all saturated with these types of communication) and I almost closed my email and hit the delete button. But what made it stand out was that the letter had a list of “top ten” apps / social media sources kids are currently using and it didn’t lecture parents on good use of screen time but it provided a nice “cheat sheet” for parents to learn about these apps.  Now I don’t have an excuse to say “I’ve never heard of that but my kid always uses it.”

Most of us are using social media to communicate with our personal or professional networks and a primer on popular teen social media platforms is great. They are using these platforms to communicate with their friends and showcase what is important to them about their lives. And here is where I see the tension between what our kids voluntarily post and what we, as parents, choose to post about them. We are proud parents of our moppets and can’t wait to share with the world their latest and greatest, even if the latest is them doing something that appears funny but to our kids could be potentially embarrassing either now or in the future. The New York Times recently ran an article appropriately titled “Don’t Post About Me on Social Media, Children Say”

I advocate for us to recognize kids own their data, their information. This article certainly expresses how children see their information and how it should be disclosed. It’s interesting when you read it from a privacy standpoint as it is clear to me that kids want to protect and determine what their data trail should be. When we post specifics about our kids in social media we are contributing to their data trail but we often do not ask them how they feel about it. It was not surprising to me that this generation of kids, growing up with these technology tools, understand that social media is an extension of themselves. It’s worth asking if we are protecting our kids’ privacy when we post information about our kids, are we aware of the history we are creating for them as they act as, well….kids…..and as much as it is newsworthy to us, after all we are the proud parents, it might not be something our kids want out about themselves.

When we talk about children’s privacy we need to include the concept of agency and granting it to kids so that they can craft their own data trail. However, often this idea is viewed as radical as we are not comfortable with allowing this. There is a real struggle between what we want to disclose about our kids and what our kids want to disclose about themselves. The idea of giving kids autonomy on decisions about their data opens the dialogue into a wider context and one in which we relinquish some of our decision making abilities regarding our kids. But I can’t help but think this is a good thing. Kids can be great advocates for themselves especially when they know we are listening. Even a very young kid can state what works and doesn’t work for them in school. What would kids determine to be their history if we empower them to make the decisions early on how to craft their story. I’m sure the social media sandbox would look vastly different.

 

 

South by south what??? SXSWedu 2016 Privacy Panels – privacy still matters

 

SXSWedu is described as the conference to attend when it comes to tech and education. The events are fun, the parties can be a blast, and the innovation presented is often quite impressive. SXSWedu prides itself in bringing a diverse group of stakeholders to discuss everything and anything tech, education and lately – privacy. But to me, the bottom line is that really smart people attend SXSWedu to talk about education and technology. In education, privacy is a topic discussed and debated constantly and there were many panels focused on privacy at SXSWedu this year.

I wasn’t able to attend but I asked a couple of my privacy peeps to give me their perspective and summary of what they saw in the privacy panels they attended.

 

Elana Zeide, Research Fellow at New York University’s Information Law Institute, an Affiliate of the Data & Society Research Institute, and an Advisory Board member of the and iKeepSafe gave me her thoughts on the conference this year and what she saw as different from last year’s discussions. Below is her summary.

“The panels were more positive than last year, when much of the discussion was about warning vendors and educators about the dangerous consequences of poor privacy practices.”

“Many panelists also noted the potential for poorly crafted student privacy legislation to cripple core information flow in schools. For example, prohibitions on collecting biometric information impeded school obligations to students with special needs.”

“People were more aware of their responsibilities when collecting and handling student data.”

“The discussion was also much more focused on actual information privacy practices instead of education policy. People finally seem to understand that creating systems to ensure appropriate use of student data is separate from issues regarding standardized testing or the Common Core.”

 

Amelia Vance, Director of Education Data & Technology at the National Association of State Boards of  , created an awesome Storify on some of the privacy discussions of the conference. You can read her amazing recap for a summary of what the live panels focused on and where the “privacy trends” so to speak are headed.

The full Storify is here – https://storify.com/ameliaivance/eduprivacy-at-sxswedu-2016

 

Brenda Leong, Senior Counsel and Director of Operations at the Future of Privacy Forum participated in an interactive panel focused on discussions around trust. Brenda’s recap follows.

“I participated in a summit – which is longer and more interactive than a panel – on moving toward a “trust” model for ed tech companies in partnership with schools, particularly in terms of transparency and communication with parents.  It was led by CoSN (CoSN works on behalf of ed tech leaders nationwide and provides leaders with management, community building, and advocacy tools) and we ran interactive small group sessions with teachers, ed tech vendors, parents, and advocates to identify the key barriers to trust in various contexts, with follow-on discussions to propose solutions to overcome those barriers.  CoSN is putting out a school evaluation process which will include some of these ideas. One key point we all recognized was ‘how far we’ve come’ from SxSWEdu 2-3 years ago when everyone was just starting to realize privacy was a “thing” that needed to be addressed in the education context.  We all agreed that it’s great that it feels like we’ve passed beyond the “fear” factor and into the “data can be such a tool– let’s see what we can do with it!” perspective. (Of course still assuming we have appropriate protections in place.)”

Thanks to Elana, Amelia, and Brenda for providing insight into this year’s SXSWedu!

 

 

 

What do education leaders think about the debate around parental consent?

 

Much has been discussed about the role of parental consent in education when it pertains to student data. Some are of the opinion that parents should be able to choose whether their child’s data is sent to a third party or not, others don’t believe parents should have the responsibility to make this decision. The Data Quality Campaign compiled the thoughts of different voices in education and privacy and asked whether education agencies and/or 3rd party contractors should be able to share student data if a parent consents to the use, or whether state/federal privacy law should prohibit this exemption.

The DQC brought together several voices and perspectives including the National PTA and ACLU. You can read the entire post here: http://dataqualitycampaign.org/blog/2016/02/debating-parental-consent/

It’s a worthy read providing additional information for us regarding this controversial topic.

 

Court in California orders millions of student records to be released…..what?!?!?

 

When I was a freshman in college (bear with me, it wasn’t that long ago) I had to take a required class called “Critical Thinking.” As the title suggests, it was a course designed to teach college freshmen how to discern fact from fiction. Our professor particularly focused on teaching us the skills to read articles and decide whether they presented enough evidence to be reliable sources. I am fairly certain my professor would have been disappointed at the first draft of this blog post. I jumped to a conclusion and did the opposite of what she taught us – I did not go to the sources for clarification. News came out that California will soon release the personal information of students to a non-profit community organization and I was alarmed and immediately assumed the worst. Thankfully, my wonderful privacy peeps pulled me back from the abyss and I applied my learnings to a rewrite of the original post.

According to reports, millions of public school student records are to be handed over to the Concerned Parents Association. This organization fought in court for the data to be released in spite of objections from the California Department of Education. The intent of the organization is admirable. The Concerned Parents Association aims to determine whether California schools are violating the Individuals with Disabilities Education Act (IDEA). In order to do so, they believe they need access to all information of children K-12 who are or at some point were students in the California school system since 2008. I am sure most of us that work with students with IEPs (Individualized Education Plans) or 504 plans have more than one story to tell in which students’ rights under IDEA were violated. In order for this analysis to be done, millions of records with student names, addresses, dates of birth, behavior and mental information as well as health and expulsion records will be released. It’s easy to jump to conclusions regarding the safety and privacy of such sensitive information and be concerned that the information of students will be accessible and vulnerable to misuse.

But this is what I found in the court order (not everything is listed and the complete protocols can be found here) –

  • Discussions were held between the plaintiffs and the CDE regarding safeguarding student data and the court approved the security process outlined in the plaintiff’s proposed discovery protocol
  • Plaintiff’s counsel will carry out a third-party risk assessment of their IT infrastructure and protocol for storing and transmitting student data
  • All sensitive data transmitted will be on fully encrypted external hard drives
  • Plaintiffs are to confirm deletion of any copies of sensitive data once it has been uploaded from the external hard drives to a fully secure server

There are other protocols outlined in the court case such as maintaining a copy of all devices used to store or access the data, maintaining a list of all the names and positions of individuals who may access this information during discovery as well as the protocols to be used to notify the affected students of this undertaking as well as the opt-out form they can use if they choose to have their information removed.

While this process may not be ideal, at least there is the comfort that the court addressed some of the issues that would arise from the movement of such a massive database outside the CDE’s system. I still have concerns and I am not entirely comfortable with the idea of releasing such a big database in this format as I think it creates vulnerabilities for those records in which students could be identified. I would prefer if the data was de-identified and I don’t believe the court addressed this. The Future of Privacy Forum wrote an excellent paper on de-identification of student data (shameless plug but it’s a great paper!) There are many de-identification techniques that can be used depending on the disclosure and risk level of the data without compromising the integrity of such information.

Is the court approved protocol to safeguard the privacy of these students adequate? I am not so sure. There is a good outline on the security measures required in the transfer of files and storage but there is a difference between privacy and security. De-identifying data is not the only way to protect the privacy of students. There is also a dire need for individuals working with this information to be trained on how to maintain these databases securely to ensure the privacy of all students. Sometimes because of lack of understanding data is not handled properly and student data is exposed because it was uploaded to…..Dropbox……

Lesson learned, don’t jump to conclusions. The protocols for handling the data in this case may not be perfect but it is not the free for all scenario that is depicted in some news outlets. I am encouraged that organizations are looking to advocate for students, in particular those with disabilities, and I hope that this case brings more awareness to the need of adequate security protocols for data transfer as well as additional training for those involved in working with student data.

If you’d like to read the court order, you can find it here.

Next time I promise my college professors to apply what they so diligently taught me through my college career…..pinky promise…..

 

School Officials? What do they do and who are they?

 

 

When we talk about protecting student data, we typically think of apps or student portals holding student data and the challenges of protecting this data. But the reality behind these electronic archiving mediums is that there are many human beings involved in the creation and maintenance of such systems. There are also many individuals and organizations that interact with schools on a daily basis that effectively act on behalf of the school to perform these services such as bus companies or lunch room system administrators. These individuals or organizations are called “school officials”. Under FERPA, a school official can be a teacher, counselor, admissions officer or a contractor, consultant or any organization to which a school has outsourced their services.

Students are increasingly using tech in the classroom and this technology is provided and managed by a third party (Google for example), which thus falls under the “school official” designation. We could hold a debate regarding the many concerns of multiple individuals having access to highly sensitive data. However, outsourcing services is not unusual in other environments, whether it be business, finance, technology or even medicine. And these third party providers, and any sub-providers, are bound by the policies of the company they are contracted to. Parents and students have valid concerns on the amount of metadata being collected and how this is used by the school vendors. Companies are not as transparent as they need to be for us to understand their products and how the data is handled. But we also need to build a bridge between third party contractors and parents. We probably didn’t expect that our kids would go to school and have their data captured in such a way, but since this is inevitable, schools should inform parents of who the providers are so that at a minimum parents are not left wondering how their children’s data is captured and secured.

The Future of Privacy Forum wrote an article on this particular topic and explains thoroughly what a school official really means and the responsibilities they hold as such.

It is important to note that although many individuals or organizations will be designated “school officials” that does not mean that they have an inherent right to all education records pertaining to students. Schools designate what information each school official receives and should be responsible when making the decision of how much data a particular vendor can have access to. A school official is in a unique position in which they may have access to tremendous amounts of information about students but they should be held accountable and act responsibly towards this data. I would love to see more communication between parents and schools regarding their school’s “school officials” in order for us to understand what tasks they are performing and what data is needed. For the most part, we don’t know what apps our kids are using in school and we should have access to that information. Some could argue that providing parents with a list of all the outsourced resources they use is a burden on the school, but really, all that is needed is a list of “school officials” on a website so that we can understand who the school is working with. Transparency is key and it will help build the bridge between schools and parents on how and when their children’s data will be used in school and for what purpose.

 

 

Can we “quantify” students and protect their privacy?

 

When I was in high school, a moon or two ago, I was offered a “career aptitude test” that was supposed to determine what career was best for me based on my responses. Most of us laughed at the results that came of that test. It’s 2016 and some argue that this is the year of the quantified student. Will students today laugh at that concept 20 years from now?

At first glance, one would think that the more information we can collect, analyze and provide back to students would enable them to make better choices in their education and how they carve their educational and professional paths. The claim being that with better visibility in one’s own learning patterns and behaviors we can better control the outcome of our development. With increased use of computers and apps, students are generating massive amounts of data. Data that can tell a comprehensive story of that student’s learning history as well as learning patterns, strengths and weaknesses. If we can quantify our learning then we have better insight into ourselves. But is that really the case? How do students react to the information given to them about their reading skills or mathematic learning patterns? Will students be able to see this information as a useful tool, or will they allow algorithms to determine their path? And as exciting as knowing more about ourselves may be we need to take a step back and ask the question – is it to the benefit of the student to be quantified?

More data is not necessarily more beneficial data. School should be the environment in which students are allowed to make mistakes, decide to take a class so out of their comfort zone that they might discover something new. School is the time in which mistakes can be made without fearing permanent consequences. But if we quantify student learning to such granular detail are we preventing high school students from experimenting with opportunities that can guide them to a rich college experience?

Let’s not forget privacy. Who decides what information can be disclosed or to whom? As the quantified data grows we increasingly profile students, making the risk of exposing their data much greater. Are we protecting the student’s data trail enough that they can sufficiently control what others can see? Thus the argument continues for how to balance the ideal amount of information to enrich a student’s learning experience and control disclosure without exposing an entire dossier of information on a particular student. It seems to me that as we increasingly quantify student learning we risk shifting the focus of student data from one that is for the benefit of students to one that is for the benefit of someone else. To me that is not what student data should be about. Student data should be created, analyzed and used for the benefit of the student. If we allow quantified student data to be made available to colleges to create market driven skill sets, we are in fact negating student ownership of data. Students cease to become the focal point of education and become a product being formed to satisfy a market need and we cannot ignore students in that way.

We must understand that while generating data to quantify student progress and learning is important, we cannot create an environment that is prioritizing market needs over student needs. A student should be able to determine the educational story they choose to disclose and not have only algorithms determine the path they are to take.

 

 

Parental choice…

 

 

As parents we are constantly making decisions on behalf of our children. We act in what we believe are the best interests of our children and, for the most part, make the decision quickly because we understand the ramifications of our choices and nobody knows our children as well as we do. Making choices involves weighing multiple options and selecting what we think is best. Sometimes we even make those choices without enough caffeine in our system and well, then we can debate the merits of our decisions….but I digress…..

An article from EdWeek discussing the new California law SOPIPA came across my desk and, of course, it caught my attention. What I found particularly interesting was the mention of parental choice exemptions and the passing of the bill without the controversial parental consent exemption. As it currently stands, SOPIPA doesn’t allow a parent to authorize sharing their children’s information to additional 3rd parties beyond the parties expressly identified in the law, for example colleges and future employers. However, if I wanted to allow my children’s information to be shared with a third party, like a reading tutoring service, I am not allowed to do so. Let’s say, for the sake of argument, that my child is struggling with reading comprehension and the school is using a particular reading program that is capturing valuable information on how my child is learning and progressing. If I decided I wanted to supplement the support by using a reading tutor after school, I could not legally give consent to have that data shared with my child’s tutor. While I do have access to my child’s data I cannot authorize the information to be released. I would have to pull it myself by downloading the information and providing it to the tutor. An argument against these exemptions is that parents cannot be allowed to have these choices because they get convinced, even coerced, to give away all of their children’s information in exchange for a service. I’d argue that parents need to be given more credit than that. Parents should be the ones to decide what is in the best interest of their children. And thus the problem: if we cannot build a complementary support system for a struggling child, at the parent’s own choosing, then we are limiting the availability of information to third parties that could help our students.

If we, as parents, cannot make the choice to have this data disclosed to a third party of our choosing, then we are not being allowed to make the decisions that we believe are in the best interest of our children. Further, if parents are not allowed to provide consent to disclose this information to a third party, the burden of figuring out what information to get and how to go about obtaining it is squarely placed on the parents. It should be relatively simple for a parent to create a connection between their school’s vendor and the additional 3rd party helping that student.

And this is why student data privacy is difficult. There are no absolutes when it comes to discussing student privacy and we need to be cognizant of the ramifications, not only of our choices, but of the decisions we make when enacting laws. However, as much as I am advocating for allowing parents to be able to decide if their children’s information can be shared with a third party, we also need to be careful that we do not shift the burden of protecting student data entirely on parents. The task needs to be equally shared among parents, schools, Ed-tech vendors and even the students. Rather than enacting absolutes as the only way to protect student data, I strongly believe that we need to encourage trust. Trust between schools, parents and students is essential for all of us to understand how data is used so that we can work together to enhance a student’s learning experience. Though there are instances where the value of data collected for education is not diminished by prohibiting disclosure, there are times when comprehensive data sets give us the ability to provide the best learning experience for these young, developing minds.

 

 

And the conversation continues……

 

28 laws in 15 states and 186 bills in 47 states….big numbers…all concerned with one topic, and no these laws and bills are not related to any issue made popular by a political campaign, the numbers refer to laws and bills written to protect student data privacy. It appears that not only did the conversation continue through 2015 but it was discussed outside of what I fondly call my “privacy geek” friends.

What made student privacy so prominent in 2015? Certainly the increased use of technology in the classroom made parents aware that their children’s information is being collected and used by different systems throughout the school districts. In 2014, EdTech funding increased by 55% and showed no signs of slowing down as 2015 came to an end. The use of MOOCs increased and more and more students used Google Apps for Education in schools. All of this activity certainly brought an increased awareness that our little moppets’ personal information is being collected and stored in multiple systems.

We also discussed a project called LearnSphere meant to help educators understand student learning “better”…. fascinating if we can figure that one out but even more interesting was the fact that the project claims that the student data collected and used is de-identified and focuses on maintaining student anonymity.

Student Privacy was prevalent enough that the Electronic Frontier Foundation (EFF) filed an FTC complaint against Google arguing that the company was in violation of the Student Privacy Pledge. Noteworthy that the Student Privacy Pledge (200 signatories strong) proved to be a viable enforcement mechanism, which the EFF used to file their complaint….so there’s that. You can read the EFF complaint here and the Future of Privacy Forum’s response to the complaint here.

At the federal level we had the reauthorization of the Elementary and Secondary Education Act (ESEA) but it was kinda disappointing (ok, very disappointing) to see that it failed to include significant protections relating to student data privacy. Especially considering that FERPA is well, you know, in its fourth decade and counting without any touchups…..

And closing the year strong, because we all needed to feel better about the toys our kids play with, big toy manufacturers had major data breaches. Not exactly the holiday present we were all waiting for. And as problematic as the breaches are, on many different levels, they bring parents, advocates and tech companies back to the table to continue discussing the issues surrounding the collection of data from minors.

2016 promises to be an interesting year. After all, kids will increasingly use technology at home and in schools. Even my 3 year old picks up a phone and pretends to receive and send emails. Technology is going to continue to increase its presence in all facets of our lives. Student data privacy will and should continue to be discussed so that we can protect kids’ information as much as we can. And maybe, 2016 is the year we finally stop talking about inBloom….wishful thinking.

Wishing all of you a very Happy New Year full of peace, good fortune and of course, privacy!

 

 

All I want for the holidays is…..privacy

 

It has been an interesting year in student privacy. It has been a very interesting year for me as I navigate a new school system with apps and integrated student portals I did not have access to before. But nothing can compare to the recent data breaches in the toy industry. So in this season of gift giving, all I want for the kids is some privacy……

It is easy to begin to condemn the different companies that were breached recently such as V-Tech, Barbie and now Hello Kitty, not only because of the size of the breach, but also because of who these breaches affected. The data breaches appeared to have affected a very large number of people – close to 5 million, if not more. When we think of data breaches we think of name, address, credit card info, birthdate etc. being breached, in some cases we disclose deeply personal information to companies such as healthcare information. But what makes it more problematic to me is that minors’ information is now in the hands of hackers that can take a child’s information and run with it.

But the privacy discussion has to be broader than being appalled at the lack of security surrounding children’s data. Once the breach happened with children’s information we can’t help but shift the conversation to discuss not only how this breach happened but what could be done to protect this information. For starters, children’s accounts were linked to their parents’ accounts. Why wouldn’t these companies silo the data sets so that if hackers wanted credit card information they would not be able to immediately link to children? I also read that the data was encrypted with antiquated systems at best. Now, I am not a data encryption expert but when it comes to personal data (in particular children’s) we should be thinking of encryption as a necessity in which corners cannot be cut, not ever. Data at rest encryption anyone?

Further, hacking children’s data takes it to a different level of concern. Most of these toys collect personal preferences from the kids playing with them. It is not only name and address that is collected but patterns, behaviors, reactions to the toy. So if a hacker has access to this information they could have a detailed picture of a family’s routines and a child’s interests etc.

So what do we do? I believe we need to reexamine how the data is collected and stored. If parent and child accounts are linked, then you literally have offered the keys to the kingdom to anyone hacking into the system. Toy companies in particular must have adequate encryption and security standards surrounding their customers’ information. Don’t forget these customers are children, little human beings. More importantly, we need to ask what data does a toy really need to work, and if the data collected makes us uneasy in the slightest way, well, maybe we shouldn’t be collecting that information for a child to play with a toy.

Finally, I think we all need to be conscious that we don’t collect (or provide) so much data from children that they turn into data entities void of any human connection. I have spoken to app and software developers and in the midst of their excitement they tend to forget who their end users are. When it comes to toys or apps geared to the under 18 crowd, we must remember that there is a little person at the other end utilizing and providing personal information in order to be entertained, engaged and challenged in their play and development. We are responsible for ensuring only the necessary data is collected, if at all. We are responsible for protecting the data collected from children. We must ensure that not only is data safe but that children are safe in case of a breach. We owe them that gift for the holidays.