Common Sense Media Student Privacy Summit All About Self-Regulation

The biggest takeaway from Common Sense Media’s School Privacy Zone Summit was, in the words of U.S. Secretary of Education Arne Duncan, that “privacy needs to be a higher priority” in our schools.  According to Duncan, “privacy rules may be the seatbelts of this generation,” but getting these rules right in sensitive school environments will prove challenging.  As the Family Educational Rights and Privacy Act (FERPA), one of the nation’s oldest privacy laws, turns forty this year, what seems to be apparent is that are schools lack both the resources and training necessary to even understand today’s digital privacy challenges surrounding student data.

Dr. Terry Grier, Superintendent of the Houston Independent School District, explains that his district of 225,000 students is getting training from a 5,000 student district in North Carolina.  The myriad of different school districts, varying sharply in wealth and size, has made it impossible for educators to define rules and expectations when it comes to how student data can be collected and used.

Moreover, while privacy advocates charge that schools have effectively relinquished control over their students’ information, several panelists noted that we haven’t yet decided who the ultimate custodian of student data even is.  One initial impulse might be to analogize education records to HIPAA health records, which belong to a patient, but Cameron Evans, CTO of education at Microsoft, suggested that it might be counterproductive to think of personalized education data as strictly comparable to individual health records.  On top of this dilemma, questions about how to communicate and inform parents have proven difficult to answer as educational technology shifts rapidly, resulting in a landscape that one state educational technology director described as the “wild wild west.”

There was wide recognition by both industry participants at the summit and policymakers that educational technology vendors need to establish best practices – and soon.  Secretary Duncan noted there was a lot of energy to address these issues, and that it was “in the best interest of commercial players to be self-policing.”  The implication was clear: begin establishing guidelines and helping schools now or face government regulation soon.

Recapping EPIC’s Failing the Grade Educational Privacy Event

The arrival of new technologies in the field of education, from connected devices, student longitudinal data systems, and massive open online courses (MOOCs) present both opportunities and potential privacy risks for students and educators.  As part of my work at the Future of Privacy Forum, I have started surveying the issue of privacy in education, and early, anecdotal conversations suggest a pressing need for more education and awareness among all stakeholders.  With that in mind, I was pleased to see the Electronic Privacy Information Center (EPIC) host an informative discussion on education records and student privacy.

The focus of the discussion was on the growing “datafication” of student’s personal information.  Sen. Edward Markey (D-Mass), who has been active in the field of children’s privacy, opened the event with an introduction to the topic area.  In addition to discussing his Do Not Track Kids legislation, which would extend COPPA-type protections to 13, 14, and 15 year-olds, the Senator highlighted his new student privacy legislation.  The goals of the legislation were explained as follows:

  1. Student data should never be available for commercial purposes (focus on advertising);
  2. Parents should have access and rectification rights to data held by private companies, similar to what is afforded for records held by schools;
  3. Safeguards should be put in place to ensure that there are real protections for student records held by third parties; and
  4. Private companies must delete information that they no longer need. Student records should not be held permanently by companies, only by parents.

The panel itself featured Marc Rotenberg and Khaliah Barnes of EPIC; Kathleen Styles, Chief Privacy Officer at the Department of Education (DOE); Joel Reidenberg of Fordham Law School; Deborah Peel of Patient Privacy Rights; and Pablo Molina, Chief Information Officer at Southern Connecticut State University.

Read More…

MOOCs and My Future Employment Prospects?

Massive open online courses are a new, rapidly evolving platform for delivering educational instruction. Since their appearance just a half-decade ago, multiple platforms now offer dozens of free courses from leading universities across the country. However, as MOOCs work to transform education, they also seek to find ways to turn innovative educational experiences into viable business models. In many respects, this is the same challenge facing many Internet services today. Yet while many “free” Internet services rely upon their users giving up control of their personal data in exchange, this bargain becomes strained when we enter the field of education.

Education aims to encourage free thought and expression.  At a basic level, a successful learning experience requires individuals to push their mental abilities, often expressing their innermost thoughts and reasoning. A sphere of educational privacy is thus necessary to ensure students feel free to try out new ideas, to take risks, and to fail without fear of embarrassment or social derision. As a data platform, MOOCs by their very nature collect vast stores of educational data, and as these entities search for ways to turns a profit, they will be tempted to take advantage of the huge quantities of information that they are currently sitting upon.

As MOOCs look for ways to turn a profit, they will be tempted to turn to the vast stores of personal data that they are currently sitting upon.  It will be essential to consider the privacy harms that could result if this personal educational data is treated carelessly.

This is already some evidence that MOOC organizers recognize this challenge.  In January, a dozen educators worked to draft a “Bill of Rights” for learning in the digital age.  The group, which included Sebastian Thrun, founder the MOOC Udacity, declared that educational privacy was “an inalienable right.” The framework called for MOOCs to explain how student data was being collected, used by the MOOC, and more importantly, made available to others.  “[MOOCs] should offer clear explanations of the privacy implications of students’ choices,” the document declared.

In addition to Udacity, the leading MOOCs–Coursera and edX–can improve how they approach student privacy.  Most MOOCs have incredibly easy sign-up processes, but they are much less clear about what data they are collecting and using.  At the moment, the major MOOCs rely on the usual long, cumbersome privacy policies to get this information across to users.

These policies are both broad and unclear.  For example, Coursera states in its Privacy Policy that it “will not disclose any Personally Identifiable Information we gather from you.”  However, it follows this very clear statement by giving itself broad permission to use student data: “In addition to the other uses set forth in this Privacy Policy, we may disclose and otherwise use Personally Identifiable Information as described below. We may also use it for research and business purposes.”  More can be done to offer clear privacy guidelines.

Beyond providing clearer privacy guidelines, however, MOOCs also should consider how their use of user-generated content can impair privacy.  A potential privacy challenge exists where a MOOC’s terms of service grant it such a broad license to re-use students’ content that they effectively have the right to do whatever they wish. EdX, a project started by educational heavyweights Harvard and MIT, states in its Terms of Service that students grant edX “a worldwide, non-exclusive, transferable, assignable, sublicensable, fully paid-up, royalty-free, perpetual, irrevocable right and license to host, transfer, display, perform, reproduce, modify, distribute, re-distribute, relicense and otherwise use, make available and exploit your User Postings, in whole or in part, in any form and in any media formats and through any media channels (now known or hereafter developed).” Coursera and Udacity have similar policies.

Under such broad licenses, students “own” their exam-records, forums posts, and classroom submissions in name only. The implications of a MOOC “otherwise using” my poor grasp of a history of the Internet course I sampled for fun is unclear. This information could be harnessed to help me learn better, but as MOOC’s become talent pools for corporate human resource departments, it could bode ill for my future employment prospects.

At the moment, these are unresolved issues.  Still, as MOOCs move to spearhead a revolution in how students are taught and educated, providing students of all ages with a safe-space to try out new ideas and learn beyond their comfort zone will require both educators and technology providers to think about educational privacy.

 Scroll to top