Three lessons to take away from the IRS breach
August 27, 2015
There is no silver bullet to prevent the kind of attack that exposed the tax records of more than 300,000 people, but there are lessons to be learned.
Jake Williams is a Staff Reporter for FedScoop and StateScoop. At StateScoop, he covers the information technology issues and events at state and l...
Advancements in educational technology may have found a way to personalize a student’s coursework to maintain engagement. But as the ability to personalize technology continues to increase, some ed tech companies, according to a study done by POLITICO, are monitoring students’ activity online and mining data about their usage, a subject of growing concern for privacy advocates.
Under 2011 revisions made by the Education Department to the Family Educational Rights and Privacy Act, initially signed into law by President Gerald Ford in 1974, this data mining is legal. The revisions, according to the Education Department’s summary in the federal register, were made to protect privacy — the law’s initial intent — while allowing for the data to be used effectively.
“The use of data is vital to ensuring the best education for our children,” the summary said. “However, the benefits of using student data must always be balanced with the need to protect student privacy.”
But in 2012, the Electronic Privacy Information Center filed a lawsuit against the Education Department, claiming the 2011 revisions to FERPA — which allowed “organizations conducting studies for, or on behalf of, educational agencies or institutions for the purpose of developing, validating or administering predictive tests, administering student aid programs and improving instruction” to share student information — were not within the department’s power.
Khaliah Barnes, the director of EPIC’s Student Privacy Project and Administrative Law Counsel, said in a phone interview the Education Department would need Congress to amend FERPA in order for the revisions to be legal. The lawsuit was dismissed in September 2013 for lack of standing.
“Modern privacy law is about an individual's right to control his or her information that he or she has entrusted to others,” Barnes said. “Every day we give our information to our bank, doctors and teachers with the idea that it won’t be disclosed broadly. Individuals lose their rights when someone gives that data to someone else, in a way that they haven’t authorized.”
Barnes authored a “Student Privacy Bill of Rights” in March that would recommend restrictions on the amounts of data accessible by organizations and private companies. In this bill of rights, EPIC asserts students have the right to access and amend their records, limit data collection and expect companies and schools that do collect data are doing so in a way that aligns with what they say they are doing with it.
However, companies like Knewton, LearnBoost, Kahn Academy and Moodle, according to the POLITICO study, are monitoring the online activity of students while they’re interacting with those companies’ educational platforms.
The companies claim to be mining the data and using the information to further improve the educational experience. But in early 2014, Google admitted to using data mined from their Apps for Education platform to target ads toward users of the platform, according to an article by the Huffington Post. Google has since stopped that data mining.
“Google’s practices highlight some of the problems with the regulations,” Barnes said. “Broadly speaking, before the Education Department released those regulations, students and parents monitored the access to the records. After the regulations, more and more people have access to those records.
“Google is just one of many companies who, pursuant to the regulations, have access to a student’s information,” Barnes said. “There are countless organizations and private companies who access student information without oversight and without enforcement.”
Ryan Baker, a professor at Teachers College Columbia University and president of the International Educational Data Mining Society, noted the difference between ad targeting and educational data mining.
“By definition, educational data mining is data mining with the goal of better understanding students and their learning, towards improving student outcomes," Baker said. “Ad targeting should be avoided.”
From the standpoint of privacy, though, Barnes said educational data mining is defined too broadly and often occurs without the consent of parent or students.
“Data mining student’s information violates FERPA and it repurposes the information in a way that neither students, nor their parents, have consented to,” Barnes said. “It’s never really permissible to use someone’s information for another purpose. Modern privacy law is about an individual’s right to control his or her information that he or she has entrusted to others.”
When used correctly, Baker said data could be used for a number of beneficial purposes.
“Educational data can be used for a number of purposes,” he said. “Some are in the students’ interests, and some aren’t. This should be the criterion we use when considering legislation and policy for privacy and educational data.”
Baker said reports from leading educational technology manufacturers suggest uses of educational data that can be beneficial for students, despite privacy concerns.
“Some commercial uses of educational data — for example, a for-profit curriculum company studying data from students using their curriculum to determine which topics are being taught less effectively, or a commercial provider offering a district better-quality predictions of which students are at risk for dropout — are beneficial, and legislation should reflect that,” Baker said.
Barnes said EPIC is not necessarily against using a student’s educational data to enhance or improve a student’s education, but the current definition is too broad.
“If the information is going to be used, it should be narrowly tailored for an educational purpose,” Barnes said. “[The current definition] almost grants a limitless opportunity to access that kind of information. It needs to be more narrowly tailored than just improving educational quality.”
With more controls in place, Barnes said, educational data mining could achieve the purpose it sets out to do, but the current standards do not pose enough control.
“We absolutely understand the value that technology can bring into the classroom,” Barnes said. “What we’re seeing is not enough oversight, not enough transparency and not enough accountability.”
Baker also said more work could be done, whether through policy or legislation, to improve the effectiveness of educational data mining.
“Ultimately, the challenge is to craft legislation and policy that makes it feasible to use data to improve education,” Baker said. “What we should avoid — and what some proposals would bring into being — is a world where the power of data mining ends up being used to sell children soft drinks, but not to help them succeed in learning.”