Growing public concern about student-data privacy is prompting fresh scrutiny of the ways technology vendors handle children's educational information—and opening the gates for a flood of new questions and worries from advocates and school officials.
Take prominent ed-tech players Edmodo, Khan Academy, and Pearson.
Each already has access to the information of tens of millions of U.S. schoolchildren.
But a review of each group's privacy policies by two leading experts, conducted at the request of Education Week, yielded concerns about the use of tracking and surveillance technologies that allow third parties to gather information on students; questions about the collection, use, and sharing of massive amounts of student "metadata"; and criticism of the growing burden on students and families, who experts maintain are being forced to navigate an ever-shifting maze of dense vendor policies on their own.
"We're just scratching the surface with our understanding of how the education sector is gathering and looking to monetize student information," said Joel R. Reidenberg, a law professor at Fordham University, in New York, and Princeton University. "We as a society need to have a very clear discussion about how we want to protect the privacy of our children in this environment."
Education Week selected the three online education service providers whose privacy policies were reviewed by Mr. Reidenberg and Khaliah Barnes, a lawyer for the Electronic Privacy Information Center, or EPIC, a Washington-based advocacy group. Each provider was chosen for its size and popularity with K-12 students and teachers. Each of the three organizations also offers a type of digital product or service that is used by the vast majority of school districts in the United States.
The concerns raised extend far beyond the direct serving of advertisements to students, which Mr. Reidenberg described as "just one piece of the commercialization of children."
Pearson's PowerSchool student information system, which currently contains data on roughly 13 million students in K-12 schools in the United States, raised the fewest concerns, in large part because the system does not collect data directly from students.
Officials from Edmodo, meanwhile, vigorously defended the company from the experts' questions about its use of "cookies," relationships with third-party partners, and handling of the metadata generated by students as they use the company's "social learning platform," which currently has more than 33 million users, including children and teachers in more than 100,000 schools.
"The bottom line is that Edmodo is not going to use anyone's information in ways they don't know about," said Aden Fine, the general counsel and chief privacy officer for the Mateo, Calif.-based company, founded in 2008 to provide a safe educational alternative to consumer social media platforms, such as Facebook.
The back-and-forth is part of the growing public debate surrounding the rapid growth in the use of educational data, hailed by proponents as the key to building more-personalized learning opportunities for students.
More than 80 student-data-privacy bills have been considered in 32 states this year alone, according to the Data Quality Campaign, a nonprofit based in Washington. Advocacy organizations, industry groups, and professional associations have also in recent months initiated new campaigns and released guidelines and toolkits on the topic. In February, the federal government issued guidance intended to help schools and districts interpret and apply federal privacy laws, and U.S. Secretary of Education Arne Duncan has publicly supported the principle that student data should not be used for commercial purposes.
But many are concerned that the horse is already out of the barn.
Last month, for example, Education Week reported on concerns about online-services giant Google, which acknowledged as part of an ongoing federal lawsuit that student emails sent and received using the popular Apps for Education tool suite are "scanned and indexed" for purposes that remain murky. The product, provided for free to thousands of schools and universities, already has 30 million users.
"In the education space, privacy has unfortunately been an afterthought," Ms. Barnes said.
Advocates and industry representatives agree that in an age where the methods used to collect, analyze, and share digital data are highly sophisticated and constantly evolving, companies' publicly posted privacy policies are critical to better informing parents.
But the policies themselves are often confusing, even to experts.
That complexity is creating big challenges for the nascent efforts to develop industry-wide standards to guide the creation, implementation, and enforcement of such policies.
Just last month, for example, the 210,000-student Houston Independent School District unveiled a new system for rating the security and privacy practices of its software vendors. Of the five providers initially evaluated, the most highly rated was Edmodo—the same company that came under question by the experts consulted by Education Week.
Lenny Schad, the Houston district's chief technology officer who is spearheading the new rating system, did not disagree with the more critical take on the company provided by the experts consulted by Education Week, saying his district's efforts are in an "early stage." Mr. Schad said the most important development is that people are finally starting to pay attention to what companies are doing with students' information.
"This is exactly what we want to start happening," he said. "Now there is a dialogue between the user side and the software side."
• Mateo, Calif.
• Social learning platform/learning management system
• 33 million registered users
Mr. Reidenberg saw several positive signs from Edmodo, including a recent move to make encryption of student information a default, rather than an optional, policy, and a clear disclosure of the active role parents and guardians can play in monitoring student accounts.
Edmodo also recently received a thumbs-up from the Houston Independent School District, which is initiating an effort to rate the privacy and security practices of software vendors doing business with its schools.
"We don't rent or sell anyone's personal information to anyone, period," said Aden Fine, the company's general counsel and chief privacy officer, in an interview.
Even after several readings of Edmodo's policy, Mr. Reidenberg said, he remained unsure exactly how different types of student information are categorized and protected by the company.
Both experts also raised questions about Edmodo's use of its own "cookies" (small data files that track users' website activity) and those of the third parties with which the company partners.
"Privacy policies are never perfect," Mr. Fine said. "It's important that users read them, and that companies answer questions about them if they're not clear enough. Edmodo does that."
• Mountain View, Calif.
• Open education resources
• 10 million unique users per month
"They are essentially enabling third parties to gather unlimited information about users and disclaiming any responsibility for that," Mr. Reidenberg said of the organization.
Plus, Khan Academy users who want to know how their information will be utilized are advised to review the privacy policies of all the third parties with whom the organization partners—none of whom are identified by name, and most of whom likely reserve the right to change their policies at any time, with limited or no notice, she said.
Khan Academy officials declined to be interviewed on the record about such concerns, instead issuing a statement to Education Week via email.
The spokeswoman also wrote that Khan Academy is "adamantly opposed to the idea of commercializing student information, particularly through third parties" and that explicit consent beyond user registration has been procured in instances where students' user information has been shared with third parties.
• London and New York City
• Student information system
• 13.5 million students
Among the numerous products and services offered to K-12 schools by publishing giant Pearson is the PowerSchool student information system, currently used by about 4,500 school districts, according to Bryan MacDonald, the managing director of the company's school systems group.
While the system contains thousands of pieces of data—everything from academic performance to disciplinary and health records to course rosters—on millions of U.S. school children, the privacy and security issues surrounding PowerSchool are somewhat different than for products with interfaces that allow data to be collected directly from students, Mr. MacDonald said.
"One fundamental difference is that we don't have any right at all to the data," he said.
Furthermore, in many cases, Pearson does not even store the student data itself: About half of PowerSchool users, covering about 9 million students, host the data on their own servers.
As a result, Ms. Barnes and Mr. Reidenberg spoke primarily in generalities about potential areas of concern related to PowerSchool, saying parents and educators should be mindful of both how the company safeguards data and should scrutinize the various contracts that govern its individual relationships with districts and states.
"There are universal issues [in the education arena] involving data security, and from an administrative perspective, there are always issues about how other entities can gain access to student information," Ms. Barnes said.
One of Pearson's highest-profile PowerSchool clients, the North Carolina Department of Public Instruction, offers a window into those concerns.
The department has spent much of this school year dealing with an extensive series of implementation problems associated with its quick rollout of PowerSchool across the state's 115 school districts and 253 charter and special schools.
But Philip Price, the chief financial officer for the department, said security concerns have been limited to a few hours last fall, when the system was briefly shut down after being hit with a distributed denial of service attack by hackers.
The student data contained in PowerSchool, Mr. Price said, "is totally ours, not Pearson's."
And third-party access to that information, Mr. Price said, can only occur when local districts have authorized those other vendors to access student data and specified exactly what data should be shared.
Mr. MacDonald of Pearson said the company has upgraded its technical processes for enabling such sharing of data and now uses an application programming interface, or API, to make third-party integrations "more efficient and seamless." The new technology is far more secure than the old practice of "putting data on a floppy disk or attaching it to an email," he maintained.
Mr. Reidenberg also urged skepticism of claims about high-tech security practices from ed-tech vendors.
"Every adult American has likely had his or her financial information stolen in the last three years from banks, credit card companies, and retailers that have spent millions of dollars on data security," he said. "Does Pearson really think it's doing a better job than the entire financial-services industry?"