By Alex Psilakis
While the COVID-19 pandemic revolutionized how communities educate students across the globe, it likewise exposed students to new data privacy risks. The recent case of Illuminate Education emphasizes this all too clearly.
Between December 2021 and January 2022, Illuminate Education fell victim to a cyberattack that exposed the personal data of millions of users across America, including 800,000 current or former students across 700 New York City public schools. The cyber attack on Illuminate Education leaked personal data, including race and ethnicity data, as well as student test scores. It even included student tardiness rates, migrant status, behavior incidents, and descriptions of disabilities. In the Rochester City School District, leaked data dated as far back as the 2011 through 2013 academic years. In other words, rising high school seniors suddenly had to worry about who had access to their behavior incidents as a kindergartener.
While Illuminate Education’s case is deeply distressing, it is not unprecedented.
Last year, the Chicago Public Schools system also fell victim to a damaging cyberattack. CPS used a teacher evaluation vendor named Battelle for Kids, which was the target of a ransomware attack. As a result, nearly 500,000 CPS students and close to 60,000 employees had their personal data exposed.
In our previous investigations, IDAC has identified apps with cybersecurity vulnerabilities that jeopardize user data privacy. In a 2020 investigation of EdTech apps, we found that some apps shared personal user information, such as email addresses, names, cities, and Google Advertising IDs in the query parameters of the URL. To address this, we urged developers to follow best practices and review URLs to prevent the possible transmission of personal data.
In another 2020 investigation, IDAC revealed that Twitter’s inability to protect unencrypted data transmissions led to the exposure of nearly 10 million app users’ location data. In that case, seven apps using the Twitter-owned MoPub failed to use updated MoPub software development kits (SDKs) and ended up using an unsecured mechanism for sending precise GPS location data. Apps that used this info and had a million or more installs included Beach Cricket, Yellow Pages, and Baby Care – track baby growth!
To help address the data privacy and security risks, policymakers, regulators, and developers must all work together. Specifically, Congress must ensure that the Federal Trade Commission (FTC) has the resources and funding needed to enforce key data privacy policies, like the Children’s Online Privacy Protection Act, or COPPA, which limits the type and amount of data companies can collect on children. In a May 2022 policy statement, the FTC clarified that it is placing special emphasis on ensuring EdTech companies follow COPPA. The FTC even went so far as to state that developers with inadequate or missing data security policies risk violating COPPA.
But policymakers and regulators cannot address this alone. Developers must also prioritize data privacy and security in their work. Developers must not only ensure that they have the strongest cybersecurity measures that are feasible in place, but they must also limit the amount of user data they collect to what is absolutely necessary for their product to function. Limiting data collection not only respects user privacy, but limits the amount of data that may fall victim to security breaches.
By following these steps, policymakers, regulators, and developers may limit data privacy breaches that often occur alongside cyberattacks. Doing so will help protect the data privacy of the countless users that have come to depend on areas like EdTech in their day-to-day lives.