Monday, June 11, 2018

Have education advocates sold out students' and educators' privacy for money from technology firms? (Michael Simkovic)

The Department of Education's failures to safeguard student data against leaks have led to repeated Congressional hearings over the last few years. (see here, here, and here).  Even some of the best state education agencies have also suffered data breaches.

Privacy advocates, student and parent groups, and educators are therefore understandably concerned about sharing even more detailed and personal student information with government agencies that cannot adequately safeguard the information they already have.

A network of think tanks, advocacy groups, and media organizations with links to technology firms have been pushing for extremely intrusive and detailed collection of information about individual students.  Disclosures would no longer be limited to aggregated, anonymized data, but rather would include information about individual students.  Extant disclosures have already undermined student privacy far more than was anticipated.  Student contact lists are commercially available for purchase on the basis of ethnicity, affluence, religion, lifestyle, awkwardness, and even a perceived or predicted need for family planning services.  Disclosure of disciplinary records -- which occurs in spite of legal assurances that such data will remain confidential -- can put students at a disadvantage in the job market for a lifetime. (See also here).1

As one expert on technology explained:

"The bill proposes a new system to collect student-level data . . . . And that's where we all should feel a little queasy. Despite the obvious benefits of having access to data . . . the inherent security and privacy concerns of such a system are significant.

The definition of "data in scope" might change over time. And once the data is collected, there it sits, ready to be leaked, breached or worse. Without getting too deep into Big Brother conspiracy theory, there are so many ways for the system to go wrong."

Tech-backed groups want even more data collection mandated by the federal government.  Many of these groups are funded by the Gates Foundation and related groups with links to technology firms. 

Technology firms have a tendency to have faith in data-driven solutions to problems.  But technology firms would also benefit financially from more onerous reporting obligations because technology firms provide compliance and reporting services to education institutions.  Rising technology and compliance costs are among important reasons that higher education has become more expensive.  

The American Council on Education (ACE) has stopped defending student privacy against these demands after ACE received grants from the Gates Foundation (including one to promote online education) and after ACE was viciously attackedby Gates-funded journalists3 for opposing Gates-backed policies. 

The American Association of State Colleges and Universities also received a substantial grant from the Gates Foundation around the time it ceased defending student privacy (see also here).  So did the Association of Public and Land-Grant Universities (see also here, here, here, here, here) and the American Association of Community Colleges (here, here, here, here, here).  (While there may be innocent explanations, the optics are not great).

One of the few remaining defenders of student privacy is the National Association of Independent Colleges and Universities, which represents private non-for-profit universities.  However, even NAICU appears increasingly likely to compromise and give the Gates-backed group much of what it wants. 

Technology firms might obtain access to extremely sensitive data through a revolving door between the Gates Foundation, the Department of Education, and Edu-Tech firms.  Such data could be advantageous when technology firms negotiate the price of technology servicing contracts or compete with education institutions through online offerings. 

One wonders if higher education "lobby groups", rather than educating policymakers about the needs of students and universities, have found it more advantageous to lobby higher education institutions on behalf of technology firms.  

Although intrusive data collection has been ostensibly justified as a source of valuable information to students, recent DOE-backed increases in higher education data disclosures have thus far attracted very little interest from students (see also here).

If additional data collection were actually a cost-effective approach to improving student outcomes, it seems likely that higher education institutions would be voluntarily collecting and analyzing such data already. Higher education institutions operate in an intensely competitive market.  Thousands of institutions compete for students and aggressively cut their prices through scholarships.  Most of the surplus generated by education goes to students and the government (as tax collector), not to education institutions.  To try to remain competitive, education institutions routinely seek advice from competent consultants with relevant expertise.

Technology firms may be seeking to use the government to force educators' hands because technology firms' arguments about the benefits of additional data collection are not persuasive to those who best understand the industry.

In addition, driving up traditional educational institutions' costs and reducing the gulf in student privacy protection between brick-and-mortar and online education could help make online offerings more attractive, to the benefit of the technology companies that produce and market online education.  There have recently been many allegations of disturbing student privacy violations by purveyors of online and for-profit education.  (See here, here, here, herehere and here). 

Now that the Department of Education has found that Edu-Tech companies' cannot cause students to waive privacy protections through terms of service, tech companies are apparently seeking to weaken those privacy protections through legislation.


[1] Explicit disclosure of disciplinary records and health information would be prohibited by the current version of the CTA, but it may very well be possible to make highly accurate inferences about discipline or health problems from information that could be disclosed, such as non-completed courses and breaks from education. Political or religious affiliation also could not be directly disclosed, but could likely be inferred from other information such as course enrollments and student organization memberships. In addition, future legislation may be even less protective of privacy.  A small toe hold of student-level data collection could expand to much more comprehensive and intrusive data collection.  The amount and type of data collected could be changed at the discretion of the Department of Education without further Congressional action.  Powerful appointed positions within the DOE under both Presidents Obama and Trump have been held by individuals with links to Edu-Tech, online, and for-Profit education companies.

[2]  For additional attacks by Gates-funded journalists and pundits on ACE, see also here, here, here, here.  For a remarkable claim by a Gates grantee (covered by another Gates Grantee) that Mr. Gates is up against a powerful higher education lobby, see here.  Mr. Gates and his foundation can outspend ACE a hundred times over with a fraction of the annual returns on his portfolio of investments.

[3] For a few examples of Gates funding journalists and think tanks responsible for attacks above see also

There are many more examples of Gates funding for media organizations, think tanks, and advocacy groups that have advanced his policy agenda and business interests.


See also:

Rhea Kelly, The Risk — and Value — of College Transparency, Campus Technology, 5/23/17

As Congress proposes a new postsecondary data reporting framework to help calculate the worth of higher education, security and privacy issues loom.

Parent Coalition for Student Privacy, Nov. 14, 2016

"We cannot overstate the threat to student privacy that would be posed by the development of such a database, including breach, malicious attack, or use of student [data] for purposes not initially intended. Ever since a federal student unit-record system was first proposed . . . the reasons against creating it have only become more persuasive in recent years.

First, we are gravely concerned about the high probability of breaches and unauthorized access to the data. . . .[S]ecurity incidents involving breaches of personal information held by federal agencies rose from 10,481 in 2009 to 27,624 in 2014 – an increase of 164 percent over five years -- for a total of 144,439 reported instances. [T]hese events can “adversely affect national security; [and] damage public health and safety” . . .' Personnel records of about 22.1 million people had been maliciously hacked by foreign interests -- not only federal employees and contractors but also their families and friends, including highly sensitive information gathered for the purposes of security clearance.

The US Department of Education has been found to have especially weak security standards in its collection and storage of student information . . . This puts at risk the huge amount of data that the agency already holds, including student loan information involving information on more than 100 million individuals and at least 39 million unique Social Security numbers. A reported by the audit, staff in the IG office hacked into the Department’s main IT system and gained unfettered access to personal data without anyone noticing. Overall, the audit found significant weaknesses in four out of the five security categories.  In May 2016, the government scorecard created to assess how well federal agencies were implementing data security measures awarded the Education Department an overall grade of D.

Second, K-12 student data currently collected by state departments of education in statewide longitudinal data systems (SLDS) that would potentially be shared with the federal database . . . include upwards of 700 specific personal data elements, including students’ immigrant status, disabilities, disciplinary incidents, and homelessness status. Data collected ostensibly for the sole purpose of research but without the individual’s consent or knowledge would likely be merged with other federal agency data sets, to follow students into the workplace and beyond, and could include data from their military service, tax returns, criminal and health records.

If this granular level of sensitive information were available in a universal U.S. student record database, it could quickly become a go-to repository for purposes that should never be allowed.

A real-life example of the potential misuse of a system of this nature has just been reported in England. . . . [T]he names and home addresses of thousands of students in the NPD have been requested by police and the Home Office for various purposes . . . including to curb “abuse of immigration control.”  A group of parents, teachers, and human rights campaigners has launched a national boycott to urge parents and schools to withhold their children’s country of birth and nationality, data which is being collected at national level for the first time.

Finally, we are very concerned about recent revelations of the widespread surveillance on ordinary citizens by the federal government, and the way in which a national unit-record system could be used to expand tracking of students. While data holds promise to solve complex problems and may be used to improve our nation’s policies, we have a responsibility to our nation’s citizens to protect the privacy of their most personal information, especially that of vulnerable children."

Guest Blogger: Michael Simkovic, Law in Cyberspace, Of Academic Interest, Student Advice, Web/Tech, Weblogs | Permalink