She explained that the colloquial term “always on” is often not an effective way to describe the range of technologies that use audio and video recording hardware. Instead, three general categories of microphone-enabled devices are proposed: (1) manually activated (requiring a press of a button, a flip of a switch, or other intentional physical action); (2) speech activated (requiring a spoken “wake phrase”); and (3) always on devices (devices, such as home security cameras, that are designed to constantly transmit data, including devices that “buffer” to allow the user to capture only the most recent period of time).
Seven Basic Security Checks for Evaluating Educational Platforms
FPF has produced a checklist to assist parents and schools in considering the “basics” of security standards on new ed tech products and services they may be considering or using. In on-line security, there is unfortunately no “one size fits all” solution, but with so many products and services available, this checklist is designed to provide some initial key triggers of areas that either meet a basic threshold, or might serve as discussion points for further review with the company involved.
Evaluating security standards on any particular product, site, or service can be challenging, and unlike privacy policies, there’s often no “security policy” in one location to review. People who are not security specialists may have a hard time knowing where to start. This checklist is designed for those who have some familiarity with computers, but are not security or technical specialists, to be able to do some simple tests to see what protections are in place, and help guide their discussion with the company for a more in-depth understanding.
The Seven Steps include:
Look for an Encrypted Connection
Ensure That Applications Use TLS Between Email Servers
Ensure That URLs Do Not Contain Sensitive Information
Ensure Sensitive Information Is Not Stored in the Cache or Browser History
Ensure That Passwords Are Protected
Ensure That the Login and Password Recovery Mechanisms Do Not Reveal Unnecessary Information (e.g. the Existence of an Account)
Be Watchful for “Information Leakage”
For each step, we’ve provided a step-by-step process to evaluate the topic area, and additional security resources are also identified for those looking for more detailed guidance. As the checklist says, it does not answer all questions for all situations. A company who complied with all these steps might still have security concerns; a company that does not do every step may still have quite sufficient security in place. We hope this checklist – which can be used as a companion to our Quick Security Tips for Ed Tech Vendors – will simply prove to be a useful resource for schools and parents who want to make an initial review of a product or service and it’s security protections.
FPF Guide to Student Data Protections Under SOPIPA: For K-12 School Administrators and Ed Tech Vendors
Co-written with education privacy experts Linnette Attai of PlayWell LLC, Amelia Vance of the National Association of State Boards of Education, and David B. Rubin, Esq., this document provides an in-depth analysis for ed tech companies. In particular, we examine the definitions and unique requirements of the California Student Online Personal Information Protection Act (SOPIPA). Topics include:
Who Must Comply?
What is “Actual Knowledge”?7
What are “K-12 School Purposes”?
What Information Is Protected Under SOPIPA (“Covered Information”)
Specific Requirements of SOPIPA for Ed Tech Vendors
What is Targeted Advertising?
When Can an Operator Disclose Covered Information?
How Can Operators Use Student Information?
SOPIPA Rights for Students
SOPIPA was the first state law to comprehensively address student privacy. It became effective January 1, 2016 and applies to websites, applications, and online services that provide programs or services for K-12 students. SOPIPA applies to operators (as defined in the statute) that collect covered information from students in the state of California. This guide provides general information, not legal advice, and following the recommendations or tips within does not guarantee compliance with any particular law.
SOPIPA is important because most education technology companies do business with California schools, and because it became a template for similar statutes around the country. Our goal is to clearly explain what companies and information is covered, and what the law does (or doesn’t) require. This may be useful for companies and schools operating in California now, and also may prove helpful to policymakers in those states who may still be considering updates to their student privacy laws, and are considering whether to follow the California model.
On November 4, 2016, the California AG’s Director of Privacy Education and Policy released their document: Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data. This is valuable information for vendor’s use on the state’s view of the requirements of the law. However, these are non-binding recommendations, and do not definitively address all the areas of the law that will have to be addressed by vendors operating in California schools. Our detailed guide provides a useful companion tool for vendors to make informed decisions about their privacy policies and practices when operating in California schools.
FPF Hires New Policy Counsel – Amelia Vance
We are thrilled to welcome Amelia Vance to Future of Privacy Forum (FPF) as of November 7, 2016, as Policy Counsel. In this position, Amelia will lead FPF’s work to ensure the responsible use of student data and education technology in schools, helping educators with resources and information, and seeking inputs from all stakeholders to ensure students succeed.
Amelia came to us from her role as the Director of the Education Data & Technology Project at the National Association of State Boards of Education (NASBE). In that capacity, she tracked and provided comments on state and federal legislation, provided technical assistance to over 30 states, spoke at events with attendance ranging from 10 to 800 people, provided guidance on the nuances of student privacy law to most major education organizations, and wrote op-eds, short pieces, and longer reports, including “Policymaking on Education Data Privacy: Lessons Learned” and “School Surveillance: The Consequences for Equity and Privacy.”
Amelia is a member of the Virginia State Bar, the International Association of Privacy Professionals, the American Constitution Society, and is a board member of the Virginia Equality Bar Association. She is a graduate of McDaniel College and William & Mary Law School.
We are delighted to have Amelia on board as FPF continues to grow its impact within the public policy discussion on the responsible use of student data and education technology. For inputs or questions, please contact Amelia at [email protected].
Future of Privacy Forum Welcomes New Leader for Student Data Privacy Program
FOR IMMEDIATE RELEASE
November 7, 2016
Contact: Melanie Bates, Director of Communications, [email protected]
Future of Privacy Forum Welcomes New Leader for Student Data Privacy Program
Washington, DC – Today, the Future of Privacy Forum (FPF) announced that Amelia Vance has joined the organization as Policy Counsel. Her portfolio includes student privacy for K-12 and Higher Education environments, and education technology initiatives. Vance leads FPF’s work to ensure the responsible use of student data and education technology in schools, helping educators with resources and information, and seeking inputs from all stakeholders to ensure students succeed.
“I am thrilled to have the opportunity to continue working on this important issue,” Vance said. “FPF has already done amazing work in this arena, and I look forward to expanding FPF’s project to develop robust policies and practices that will transform the ed tech and student privacy space.”
Prior to FPF, Vance was the Director of the Education Data & Technology Project at the National Association of State Boards of Education (NASBE). In that capacity, she tracked and provided comments on state and federal legislation, provided technical assistance to over 30 states, spoke at events with attendance ranging from 10 to 800 people, provided guidance on the nuances of student privacy law to most major education organizations, and wrote op-eds, short pieces, and longer reports, including “Policymaking on Education Data Privacy: Lessons Learned” and “School Surveillance: The Consequences for Equity and Privacy.”
“Technology and data, if used with respect for students, teachers, and parents has great potential to advance learning,” said Jules Polonetsky, FPF’s CEO. “In her previous position, Amelia helped chart best practices for student data and we are excited to have her shape FPF’s activities going forward.”
“Having worked closely with Amelia on student data issues while she was at NASBE, I have complete confidence that she will build on FPF’s strong student privacy foundations, designing new initiatives and support for the growing use of technology and data to achieve educational objectives,” said Brenda Leong, FPF’s Senior Counsel and Director of Operations.
Vance is a member of the Virginia State Bar, the International Association of Privacy Professionals, the American Constitution Society, and is a board member of the Virginia Equality Bar Association. Vance is a graduate of McDaniel College and William & Mary Law School.
###
The Future of Privacy Forum is a non-profit organization that serves as a catalyst for privacy leadership and scholarship, advancing principled data practices in support of emerging technologies. To learn more, visit www.fpf.org.
7th Annual Privacy Papers for Policymakers
If this page does not automatically re-direct, please click here: https://fpf.org/7th-annual-privacy-papers-policymakers-january-11-2017-capitol-hill/.
FPF Talks Corporate Email Security with NPR
On November 1, 2016, Jules Polonetsky was featured on NPR‘s Marketplace to discuss corporate email security. In light of recent hacks, it is imperative for companies to educate employees about best practices. Jules discussed the importance of two-factor authentication for log ins and encouraged the use of strong passwords.
FPF Commends New America's Report on Predictive Analytics in Higher Education
New America released a report today that addresses the use of data in higher ed analytics – predicting student outcomes and managing university academic programs based on prior data. The growing ability to gather and analyze this data allows colleges to intervene with struggling students, put in place mentoring programs, create support structures addressing “whole student” welfare, and ultimately improving academic outcomes and graduation rates.
This is an excellent report showing the great potential of this use of data. In particular, we commend the sensitivity to flagging the privacy and security issues. It will be important to ensure those privacy policies are prioritized and well addressed throughout the development and expanded use of these analytics tools.
FPF runs a Higher Education Working Group focused exactly on these issues, and the work being done to address and handle them responsibly. We work with many of the higher education advocacy groups, along with colleges and universities, to represent the privacy interests in these discussion, in suppor of their ultimate goals of better student support and learning outcomes.
For companies or organizations interested in this work, please contact us to learn more about joining us to be part of these discussions. Contact [email protected] for more information.
Future of Privacy Forum and Carnegie Mellon University Research Leads to New Tool from California Attorney General
Attorney General Harris’ announcement explained that FPF’s 2011 research into app privacy policies had prompted an earlier agreement between her office and prominent mobile app platforms to encourage apps to post privacy policies. Now, a new FPF study commissioned by Attorney General Harris revealed the need for further work, leading to the release of the new complaint form.
The FPF Mobile Apps Study revealed that while the number of apps that provide privacy policies continues its upward trend from FPF’s previous surveys in 2011 and 2012, health and fitness apps – which may access sensitive, physiological data collected by sensors on a mobile phone, wearable, or other device – do worse than average at providing privacy policies. Only 70% of top health and fitness apps had a privacy policy (6% lower than overall top apps), and only 61% linked to it from the app platform listing page (10% lower than overall top apps).
The App Study also looked specifically at period tracking and sleep aid apps. Only 63% of period tracking apps provided a link to the privacy policy from the app platform listing page. More disappointingly, only 54% of sleep aid apps provided a link to the privacy policy from the app platform listing page.
Attorney General Harris has also worked with Carnegie Mellon University privacy researchers to review apps for compliance with the law and is collaborating with the Usable Privacy Policy Project at CMU to develop a tool that will identify mobile apps that may be in violation of CalOPPA.
FPF applauds Attorney General Harris for her long standing commitment to protecting consumer privacy and encourages consumers to utilize the new form to report suspected violations of CalOPPA.
Student Privacy Pledge Loopholes? Nope. We Did Our Homework.
The Student Privacy Pledge was introduced over two years ago by the Future of Privacy Forum and the Software and Information Industry Association. It was endorsed by the White House and published at the forefront of the movement to clarify responsible practices in the collection, protection, and use of student data as the presence of technology in schools expanded. The Pledge has since been signed by more than 300 ed tech companies as a way to help demonstrate their commitment to student privacy.
The Electronic Frontier Foundation yesterday published a confusing analysis of the Pledge. EFF generally praises the Pledge commitments, but claims that the Pledge includes some fine print definitions that undercut its protections. The Pledge defines ’Student personal information’ as “personally identifiable information as well as other information when it is both collected and maintained on an individual level and is linked to personally identifiable information.” EFF claims that the Pledge “is surely meant to be narrowly interpreted” and would “seem to permit signatories to collect sensitive and potentially identifying data such search history, so long as not tied to a student’s name.”
We don’t agree. We have written extensively on the definition of personal information, in general and under FERPA. FERPA, SOPIPA and other statutes define student personal information broadly and, in our view, any reasonable analysis of the definition of Personally Identifiable Information would cover direct or indirect information that could be reasonably used to identify an individual student. To conclude, as EFF has done, that we “surely meant” some narrower definition is not consistent with either the plain meaning of the Pledge language, our published discussions about it, or the use of this definition in subsequent state student privacy laws where the Pledge has been a basis for the legislative language. There is no logic in creating or implying a meaning that would be in violation of FERPA and state laws, and we would have been happy to explain this to EFF had they reached out to us.
But whatever our view, the FTC has the authority to enforce the Pledge and interpret what the Commission thinks the language means – and we would be very surprised if they were to adopt EFF’s position that the language of the pledge should be read in a narrow and limited way.
EFF also takes issue with the fact that the Pledge covers only “school service providers” – that is, services designed and marketed to schools. However, the Pledge definition tracks consistently with the definitions in state laws and in previously proposed federal bills. SOPIPA, for example, covers programs and services that are primarily used for K-12 school purposes “and (were) designed and marketed” for such purposes. It would be quite confusing to schools and to vendors if the Pledge was interpreted to be out of sync with the standard definitions that have become widely adopted.
Why do state laws and the Pledge cover only services designed and marketed to schools? As we have discussed previously, vendors who sell general products shouldn’t be required to revamp their services simply because a school is using their product. In many cases, the vendor may not even know that a school is using their products. However the Pledge does cover services that are designed and marketed to schools, a distinction consistently made by the Pledge and state laws. We disagree that this is a “loophole” – in fact it’s an important legal distinction that policymakers have supported.
The Future of Privacy Forum has worked on student privacy with just about every major privacy group and education organization involved with student data. Getting this right is important to us. Ensuring responsible use of student data requires close collaboration between school leaders, teachers, parents, vendors, and students. We have huge respect for EFF’s smart advocacy across a range of tech policy issues, and hope they will take the time to work with us and others who are working to ensure responsible uses of technology for student learning.
