Recently, a number of bills have been proposed at both federal and state levels aimed at protecting student data privacy. Laws, codes of conduct, better contracts and training all play key roles in ensuring that student data will be used responsibly. However, the most important effort that has yet to be well addressed is the communication between schools and parents.
At FERPA|SHERPA, we highlight some school districts that have succeeded in offering parents a clear description of the technologies they use and the data collected. We were pleased to recently come across another great example of parent communication at the Smithfield Public School District in Smithfield, RI. Smithfield provides an informational webpage that informs parents about the applications used in the district, the purposes for which they are being used and what information they collect. The webpage also provides links where parents can see the privacy policy, terms and conditions and other relevant information about the educational applications.
Kudos as well to Smithfield for designating two leading school officials, Paul Barrette, the school department’s director of technology, and Craig Levis, special education director, as the privacy leads for the district. It is essential that schools appoint privacy officers and institute appropriate training if we expect compliance with laws and policies.
Please let us know of any other schools that have provided helpful communications for parents, so that we can share great examples that the school community can learn from.
Pew Tackles the Future of Privacy
On Wednesday, the Pew Research Center released its third report on Americans’ attitudes towards privacy and surveillance. While the report confirms previous findings that, no, privacy is not dead, it focuses a broader look at Americans’ views on privacy in public and information control. It finds that our privacy-values are particularly heightened with respect “to having a sense of control over who collects information and when and where activities can be observed.”
Nearly all adults report that who is gathering information and what information are an essential dimension of privacy control. Strong majorities believe — 74% believe “very strongly” — that it is important to be in control of who can get information about you. The home continues to be viewed as “do not disturb” zones, which may present interesting implications for the emerging Internet of Things. And by a 2-to-1 margin, Americans believe in limits on employer-monitoring of employees.
One particularly interesting finding from the report are the Americans’ views toward data retention broadly. Most Americans believe that only “a few months” or less is long enough for companies to store most records of their activities. Different industry sectors get more or less leeway. For example, majorities support credit card companies retaining their data, but even here, the length of time people feel are reasonable retention periods varies. Once again, strong majorities were skeptical of the need for online advertisers to “safe any info” about them for lengthy periods of time, if at all.
The Future of Privacy Forum’s Capitol-Area Academic Network was privileged enough to discuss the Pew privacy project with the report’s authors last fall, and Pew’s series continues to demonstrate not only the value of privacy — but the strong need to think about better ways to offer privacy controls and communicate practices with consumers.
We were especially concerned with the requirement that apps be automatically capable of “collecting and transmitting” a wide array of data including the requested pick-up time, date, and location, which could be collected even in the event that the passenger later cancelled the trip. The proposed rules provide no guidance with regard to when and how such transmission would occur, suggesting this data could be requested at the sole discretion of TLC.
This sort of broad data collection by a government agency presents important privacy issues. In particular, it raises key Fourth Amendment concerns, as well as permits wide swaths of sensitive data to potentially be released publicly through state Freedom of Information laws. Several news reports have previously demonstrated how even allegedly anonymized taxicab data can be “reverse engineered” to reveal passenger names and trip pick up and drop location information.
Everyone understands the TLC’s need to regulate FHVs and that mobile apps are increasingly the mechanisms that govern these services. FPF in particular has been a strong proponent of smart city initiatives, and using trip data to optimize traffic flows, improve the environment, and advance safety.
Nonetheless, we urge the TLC to seriously consider the privacy challenges posed by its proposal. Our letter encourages the Commission to engage in a more in-depth consultative process with privacy experts, organizations and the public in order to determine how to achieve TLC’s goals to guide FHV apps without unnecessarily placing passengers’ privacy at risk. The full letter is available to read here.
A Historical Primer on Section 215 Bulk Collection
Over on the IAPP’s Privacy Tracker blog, FPF Senior Fellow explains how the past week has seen two significant events concerning Section 215 of the USA PATRIOT Act. First, on May 7, the Second Circuit ruled that “the telephone metadata program exceeds the scope of what Congress has authorized and therefore violates” Section 215. And yesterday, the House of Representatives approved the USA FREEDOM Act by 338-88, which could limit by statute collection of domestic telephone metadata and other records under Section 215. According to Swire, this week’s activities will have potential important effects in the long term on surveillance policy.
Parents Rights To Student Data Privacy
FUTURE OF PRIVACY FORUM INTRODUCES DIGITAL GUIDE TO EQUIP PARENTS WITH KNOWLEDGE, UNDERSTANDING OF LAWS GOVERNING STUDENT DATA USE AND PRIVACY
New Website Developed in Partnership with National PTA, ConnectSafely.org
WASHINGTON, D.C. – Monday, April 27, 2015 – As the digital revolution continues to transform students’ learning, how teachers instruct in classrooms, and the way schools gather pupil data and information to improve education, the Future of Privacy Forum (FPF) today unveiled a new, timely web resource to provide clear and straightforward overviews of parents’ rights to student data under the various relevant federal laws in effect.
“A Parent’s Guide to Student Data Privacy Rights”, developed and published in partnership with the National PTA and ConnectSafely.org, is a valuable tool for parents seeking answers and guidance related to major federal laws on education privacy, such as the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA), as well as other laws and policies. It is also designed to help parents better communicate on these topics with teachers, schools and school districts.
“As data and technology use expands to improve educational outcomes, the focus needs to stay on parents and students, and it is essential for parents to understand how their children’s information is being handled and used,” said Jules Polonetsky, Executive Director, FPF. “We developed this guide with the National PTA and ConnectSafely to help parents understand the laws that protect student data and their rights under these laws. We live in an increasingly connected world, but whether the information is online or on paper, the basic privacy and access rights remain the same.”
The free, digital guide also includes a list of additional resources on topics related to student privacy from organizations such as:
National PTA
ConnectSafely
Future of Privacy Forum
S. Department of Education
Federal Trade Commission
Fordham University School of Law
Some of the common questions that are answered in the guide include:
Who has access to information about children?
What is COPPA and when does it apply to information from students?
Are there other laws about student data?
What about companies that provide online tools to schools?
When do I have the choice to “opt out” of my child’s information being shared?
Your child’s data: How to gain access, make corrections, or request deletion
“Technology and the Internet are powerful tools for teaching and learning, but at the same time, it is imperative that students’ academic and personal information is protected,” said Otha Thornton, Jr., President, National PTA. “It is a top priority of National PTA to safeguard children’s data and make certain that parents have appropriate notification and consent as to what and how data is collected and used. National PTA is pleased to collaborate with the Future of Privacy Forum and ConnectSafely.org to bring the Parents’ Guide to Student Data Privacy to families nationwide to ensure they are knowledgeable about the laws that protect student data as well as students’ and parents’ rights under the laws.”
“As schools increase the use of technology and student data, parents have privacy concerns regarding their children’s information,” said Olga Garcia-Kaplan, parent and advocate for student data privacy. “This guide provides a clear and concise explanation for parents to understand their rights and laws that are in place to protect their privacy.”
The guide is part of FPF’s “FERPA|SHERPA” website, which provides service providers, parents, school officials, and policy makers easy access to laws, best practices, and guidelines that are essential to understanding privacy issues in education and how to responsibly use student data.
About Future of Privacy Forum
The Future of Privacy Forum (FPF) is a Washington, DC based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups. For more information, visit fpf.org
This morning, the Center for Strategic and International Studies presented a panel conversation on some of the challenges – and opportunities – around domestic drone use. After following the issue for years, it would appear that drone policy’s day has finally arrived. According to the FAA, nearly 4,500 comments were submitted in response to the agency’s proposed rulemaking for drones, or unmanned aircraft systems (UAS), and the NTIA received over 50 comments specifically on privacy issues around drones.
While the Future of Privacy Forum continues to think about how best to address these issues, there is little question that domestic and commercial drone use offer tremendous societal benefits. At the panel, Brian Wynne, President of AUVSI, a leading robotics trade association, explained that drones will create over $83 billion in economic activity in their first decade, and promise to generate tens of thousands of jobs. Wynne suggested that it is “almost impossible to anticipate all the different ways we can utilize UAS moving forward.”
Even the ACLU’s Jay Stanley, who remains concerned about law enforcement’s eagerness to use drone technology, admitted that drones could be a “generative technology” in the private sector. He noted that privacy issues on the commercial side are incredibly complicated, not only implicating the First Amendment but perhaps lacking the sort of privacy-invasive incentives that could exist in law enforcement. Indeed, his “nightmare scenario” is a world where drones could be used for persistent surveillance, while members of the public, including journalists and entrepreneurs, will be hamstrung in their ability to use UAS technologies.
Stanley applauded the “outpouring” of interest on privacy with drones. He echoed notions that drones are more salient among the public. “It’s not hard to see the privacy issues with a drone with a camera on it,” he said. “Things like big data are more abstract.”
Adam Cox, from CSIS and an advisor to DHS’ Advanced Research Projects Agency (HSARPA), suggested that privacy and drones presents a “technically sexy problem.” “A lot of people are interested [in the technology],” he explained, and because drones allow everyone to engage in flight, “people are going to want to put new things on this.” He encouraged technologists to work hand-in-hand with policymakers, recommending both geofencing solutions and education efforts toward both manufacturers and operators of drones.
On that front, the Future of Privacy Forum is eager to engage. Last week, we filed comments with the NTIA on our thoughts on privacy and domestic drone use. A wide variety of individuals and organizations also submitted comments ahead of a new drone privacy multistakeholder effort, and it is clear that there are a number of ideas in play for how to address data collection and use by drones, as well as the address public concern about a loss of privacy from above.
In addition to several procedural recommendations, our comments focus on the value of transparency and training to address privacy concerns. We recognize that drones present different types of transparency challenges, both in terms of general practice and then individual drone flight. In both instances, we support conversations about what sort of information could be communicated to consumers in a way that does not place significant burdens onto individual UAS operators. Further, while drone operation will require at least some degree of safety training, we are hopeful some type of privacy training can be incorporated into that.
As today’s panel and all these comments suggest, there is much work to be done to figure out how general privacy principles can be applied to a diverse array of UAS technologies. While we support a technology neutral approach, it is clear that consumers, businesses, and policymakers all need to have a voice in determining how commercial drones can and should take flight.
-Joseph Jerome, Policy Counsel
FPF Senior Fellow Peter Swire Provide Comments to the FCC on Broadband Consumer Privacy
Later today, Peter Swire, FPF Senior Fellow, will participate at the FCC’s public workshop on broadband consumer privacy. He also prepared written comments expanding on his thoughts. Professor Swire summarizes his research as follows:
First, I examine the effect of the Section 222(a) definition of “proprietary information” as compared with the Section 222(c) definition of “customer proprietary network information.” (CPNI) My conclusion, based on some analogous provisions from HIPAA and GLBA, is that the Commission should be cautious about founding any additional regulatory requirements under this proceeding based on the language in 222(a).
Second, I examine the intersection of privacy and competition law, drawing on my previous writings in the area. New entry into online advertising, including by broadband providers, could be a new source of competition on privacy attributes. My recommendation to the Commission is to consider the effects of this potential competition on privacy and other non-price aspects of competition, along with price aspects of competition, as part of the overall assessment of how to govern the use of CPNI for broadband providers.
Third, I address priority uses of information that I believe should be permitted in the CPNI context. Although I do not seek to create a complete list of possible exceptions to the general CPNI rule of consumer opt-out, I do emphasize three areas where an opt-out is not generally appropriate – anti-fraud, cybersecurity, and research on network usage. I also analyze the role of de-identification and aggregate information under Section 222, suggesting strategies to preserve the utility of de-identified and aggregate information while protecting privacy. In this discussion, I do not take a position on whether a rules-based, principles-based, or other approach should be adopted by the Commission. Instead, I emphasize that important interests such as anti-fraud and cybersecurity should be taken into careful consideration in whatever approach the Commission pursues.
He concludes that translating Section 222 privacy protections to the broadband sector is far from a simple task, noting the “considerable technical and market differences from the telephone market governed by the 1996 CPNI rules.”
Future of Privacy Forum Releases Statement on FTC's Settlement with Retail Tracking Company
“Today’s settlement by the Federal Trade Commission with Nomi, a mobile location tracking company, demonstrates the need for companies with emerging technologies to be clear about the choices they provide consumers”, said FPF Executive Director Jules Polonetsky.
The need for transparent privacy policies in the field of mobile location analytics was the genesis behind the development of FPF’s Mobile Location Analytics “Code of Conduct”. Signatories of this binding set of privacy principles must provide consumer with clear opt-out options for tracking by MAC address or similar identifiers.
Consumers can easily and quickly opt-out of mobile location analytics by entering their device’s Wi-Fi or Bluetooth MAC addresses at www.smart-places.org.
Comcast Newsmakers: Jules Talks Consumer Privacy and Location-Based Services
In a recent episode of Comcast Newsmakers, Jules discussed the many new ways that data about your location is being used — such as navigation or helping you connect with friends. He addressed what can you do to protect the privacy of that data? A conversation with Jules Polonetsky, Executive Director and Co-Chair of the Future of Privacy Forum.
When Opting Out of Student Data Collection Isn't the Solution
Opting-out, whether for testing or other activities, is getting a lot of press in the Education world right now. Jules and I recently wrote for EdSurge on this topic…when it is, or isn’t, the right policy decision.
The bottom line? “Opt-out rights should be an opportunity for parents to decline uses of data that truly are secondary to the functioning of our educational system – not an opportunity to avoid resolution of education policy issues that affect all students.”
