Future of Privacy Forum Releases Student Monitoring Explainer

On October 27, FPF released a new infographic, “Understanding Student Monitoring,” depicting the variety of reasons why schools monitor student digital activities, what types of student data are being monitored, and how that data could be used. While student monitoring is not new, it has gained significant traction recently due to the shift to remote learning and the increase in school-managed devices being issued to students. 

“Student monitoring has been happening for years, but too often families only learn about it after their child has been flagged or they’ve read something in the news. And that lack of transparency creates questions and confusion about how exactly it works, and what is – and is not – being monitored,” said Amelia Vance, FPF’s Vice President of Youth and Education Privacy. “We hope that this infographic will help parents, students, educators, policymakers, and other stakeholders understand generally how student monitoring works and what it aims to do, and ultimately become empowered to ask questions about the monitoring products being used in their own districts, as there is often considerable variation.”

The infographic depicts the main reasons why schools monitor student activity online—ensuring student safety, legal compliance, and addressing community concerns—and highlights two areas of frequent confusion: what types of student data are being monitored, and how that data could be used.

While school administrators work with their chosen service provider to set up a monitoring system that meets their school’s needs, student data can be collected in multiple ways, including from:

• School-Issued Devices: any student data that travels through an internet connection, wired or wireless, on a school-managed device.

• School-Managed Internet Connections: data from students’ online content or activities on school-managed internet connections, potentially including take-home internet hotspots.

• School Apps & Accounts: student data from certain school-managed accounts, regardless of whether students access the accounts from personal devices or personal internet connections at home.

Monitoring systems analyze student data from these sources for potential concerning indicators, which are typically related to warning signs of self-harm, violence, bullying, vulgarity, pornography, or illegal behaviors. Some systems flag content for human review. From there, depending on the nature and severity of the flagged content and monitoring system in place, several actions could occur. The student could be sent a warning, the content could be blocked, or a designated school contact could be alerted. These actions are explored in further depth in FPF’s accompanying blog.

“Many school administrators, students, and families may be aware that monitoring systems seek to identify concerning indicators from students’ online activities, but there is often less understanding about what occurs once a system does flag concerning activity,” said Yasamin Sharifi, a Policy Fellow in FPF’s Youth and Education Privacy team. “FPF’s new infographic clarifies the analysis, actions and data retention that a monitoring system and school may perform. This understanding is crucial for any stakeholder seeking to comprehend the practical impacts of a student monitoring system.”

The infographic builds on a report released last month by FPF on the potential impacts of self-harm monitoring systems on students, “The Privacy and Equity Implications of Self-Harm Monitoring: Recommendations for Schools.” Prior to the pandemic, FPF took a closer look at the practices of network monitoring and social media monitoring in the context of school safety policies, and recently published a Student Privacy Primer that explains the foundational student privacy concepts, federal laws, and school and district policies that are often cited in discussions about student monitoring. 

U.S. Department of Education Opens an Investigation into Pasco County’s Predictive Policing Program

This post was originally released on studentprivacycompass.org, and can be found here.

On Friday, the U.S. Department of Education opened an investigation into the data-sharing practices between Florida’s Pasco County sheriff’s office and school district. First uncovered in November 2020 by reporting by the Tampa Bay Times, the Department will be investigating the school district’s partnership with the sheriff’s office, which allowed the sheriff to use student grades, attendance, disciplinary records, and aspects of their home life to identify and target students “at-risk” of criminal activity. FPF applauds the Department’s decision to investigate this concerning partnership. Any school data-sharing partnership must value student privacy and build in community trust and transparency—before the Tampa Bay Times story, parents and students in Pasco County were completely unaware of the sheriff’s practices. 

In December 2020, FPF analyzed the sheriff’s public documentation and contract with the school board, concluding that the sheriff’s office unlawfully accessed and used student records for their database in violation of the Family Educational Rights and Privacy Act, FERPA, as well as their contract with the school board. Amelia Vance, FPF’s Director of Youth and Education Privacy, was quoted in the original Tampa Bay Times article revealing the program, noting that

“The law does say school resource officers can access education records because they can be considered ‘school officials.’ But under most circumstances, they can’t share the records with the rest of the department. And they can’t use them in a law enforcement investigation without permission from a parent, unless there is a court order or a health and safety emergency.”

The Department’s announcement follows significant public outcry. Unfortunately, the Department has refused to share the letter during the early stages of its investigation. In January, Representative Bobby Scott (D-VA), Chair of the House Education and Labor Committee, called on the Department to investigate the program for FERPA violations. In his letter Rep. Scott decried the program, noting “this use of student records goes against the letter and spirit of FERPA and risks subjecting students, especially Black and Latino students, to excessive law enforcement interactions and stigmatization.”

Future of Privacy Forum Releases New Youth Privacy and Data Protection Infographic

WASHINGTON, D.C. – The Future of Privacy Forum (FPF) today released a new infographic, Youth Privacy and Data Protection 101 which provides an overview of the opportunities and risks for kids online, along with potential protection strategies. It also features young people’s voices from around the world on their preferences and attitudes toward privacy.

“We all want to keep kids safe online, but the desire to shield them from risk can also limit their access to important opportunities,” said Amelia Vance, FPF’s Director of Youth and Education Privacy. “When considering any protection strategies, policymakers must carefully evaluate both opportunity and risk in order to foster the development of a robust, thriving online ecosystem that is also suitable for kids. We hope that this infographic effectively conveys that challenge, as well as the diversity of approaches to youth privacy protections being considered and implemented around the world.”

View the infographic and an accompanying blog post here. 

Risks for youth online include well-known concerns such as coming across age-inappropriate content, encountering predators, and being a victim of cyberbullying or cyber harassment. Other, less visible risks include commercial exploitation through profiling and targeted marketing as well as societal shifts such as surveillance normalization, as young people may become accustomed to constantly being watched and recorded.

Of course, there are also a wealth of opportunities for youth online. With school closures due to the pandemic, many students now access their education virtually. Unable to connect with their friends and communities in person, young people rely on social media and other online tools to play, build their communities, explore their identities, and participate in civic and political forums. Online spaces are also integral to fostering creative expression and providing resources related to health and well-being.

The Youth Privacy and Data Protection 101 infographic highlights the range of strategies that governments, online service providers, educators, parents, and others can use and encourage to find that appropriate balance between protecting kids online and not limiting their opportunities. These strategies include things like limiting access to age-inappropriate content, requiring age verification prior to accessing a service, and incorporating privacy into services by default. Those strategies and others that policymakers may wish to consider are discussed in detail in FPF’s latest blog post, available here.

FPF Testifies on Maryland Student Data Privacy Bill

Amelia Vance, Director of Youth and Education Privacy for FPF, recently testified before the Maryland House Ways and Means Committee on HB 1062. The legislation proposes several updates to the state’s Student Data Privacy Act, and an extension of the Maryland Student Data Privacy Council, which Vance was asked to serve on when it was created in 2019.

While Vance applauded many of the proposed updates in HB 1062, her testimony focused on two recommended amendments: clarifying how the bill defines Operator, and the scope of the Council’s recommendations. 

Vance urged the Legislature to consider aligning the definition of Operator in the bill with the full definition as proposed by the Council, noting: 

The Council’s definition was carefully crafted to ensure that companies have adequate notice that their products are subject to this law. Some companies are not aware that their tools are used in an educational context, such as general audience services used to assist special education students. HB 1062’s current definition could compel companies to either ban the use of their products by schools, or push companies to collect and link more identifiable user data to determine whether their product is used in Maryland schools.

Clarifying the definition of Operator would also ensure that it does not unintentionally apply to other entities such as education researchers, whose work is as crucial as ever as educators look to measure learning loss and other student challenges during the pandemic. 

Finally, Vance noted that the original intent and scope of the Council is to provide expert recommendations on student privacy laws as they relate to edtech products and companies – not to schools. While the reporting requirements for County Boards outlined in HB 1062 could be useful, Vance cautioned that overly burdensome transparency requirements often end up making well-intended student privacy legislation ineffective or even counterproductive by overwhelming parents with information that doesn’t help them make educated decisions about their children’s privacy.  She recommended specifically tasking the Council, whose mandate would be expanded by this legislation, to “provide expert recommendations on this topic [to] help ensure the right balance.”

Read Vance’s written testimony on HB 1062 here and watch the testimony here (add YouTube link teed up to the right time code). For more background on Maryland’s Student Data Privacy Council, statutorily created in 2019, click here.