As legislators consider updating the Family Educational Rights and Privacy Act, school advocates argued Thursday during a hearing that software companies must be held accountable for the trove of student information they collect.
The House Education and the Workforce Committee’s Early Childhood, Elementary and Secondary Education Subcommittee held a hearing on what has become a hot-button issues consuming Congress and schools across the country: student data privacy. Reps. Luke Messer, R-Ind., and Jared Polis, D-Colo., also present at the hearing,
plan to unveil a bill soon modeled after their Pledge to Protect Student Privacy that dozens of companies have signed.
“Unless Congress updates FERPA and clarifies what information can be collected, how that information can be used and if that information can be shared, student privacy will not be properly protected,” said Rep. Todd Rokita, R-Ind., chairman of the subcommittee.
It’s important that families have the ability to get redress if their information is compromised. Right now, we have no mechanism for that in FERPA.
Lawmakers and experts said the existing federal law is not strong enough to protect kids from the onslaught of companies that currently track students’ digital footprints — and ensure that their information is not being sold to third-party vendors for nefarious purposes.
“I think it’s important that families have the ability to get redress if their information is compromised,” Joel Reidenberg, director of the Center on Law and Information Policy at Fordham Law School, testified before the subcommittee. “Right now, we have no mechanism for that in FERPA.”
The federal protections, which give parents access to their children’s academic records and some control over their disclosure, were signed into law by President Gerald Ford in 1974. The law was updated in 2012 to protect kids’ emails and other means of online identification.
Experts argued that the law should also regulate third-party vendors — and levy penalties, like a fine — if the companies use student data for banned purposes like advertising.
“If students are using certain cloud infrastructures, and it’s held by a third party, it is possible for [the vendors] to trend through the data,” said Allyson Knox, director of education policy and programs for Microsoft. “When [information] is flowing through a data center, it’s possible to take a peek at it and find trends and put it on the market to other businesses who want to advertise to those students.”
Knox said Microsoft has a “remote data center” where student information is housed but that “students’ data belongs to them.”
“If we design a product, there’s always a privacy expert with the product developer,” she testified. “Wherever we go, we try to be extremely transparent about the data.”
Lawmakers expressed a concern shared by many of their constituents — that once Congress actually gets around to passing a bill, the language may be archaic.
“There is a great danger we will be trundling along years behind,” said Rep. John Kline, R-Minn. “In the House, we move slowly. In the Senate, they hardly move at all. So it’s a little troubling that we can develop policy, but by the time it’s enacted, it’s already outdated.”
Other legislators were still trying to understand the scope of the data that is collected, from birthdays to test scores to disciplinary records. Rep. Glenn Grothman, R-Wis., asked the panel to provide a summary of all the information collected by the time a student reaches graduate school.
“Just think George Orwell, and take it the nth degree,” Reidenberg said. “We’re in an environment of surveillance, essentially. It will be an extraordinarily rich data set of your life.”