Growing public concern about student-data privacy is prompting fresh scrutiny of the ways technology vendors handle children's educational information — and opening the gates for a flood of new questions and worries from advocates and school officials.

Take prominent ed-tech players Edmodo, Khan Academy and Pearson.

Each already has access to the information of tens of millions of U.S. schoolchildren.

But a review of each group's privacy policies by two leading experts, conducted at the request of Education Week, yielded concerns about the use of tracking and surveillance technologies that allow third parties to gather information on students; questions about the collection, use and sharing of massive amounts of student "metadata"; and criticism of the growing burden on students and families, who experts maintain are being forced to navigate an ever-shifting maze of dense vendor policies on their own.

"We're just scratching the surface with our understanding of how the education sector is gathering and looking to monetize student information," said Joel R. Reidenberg, a law professor at Fordham University in New York, and Princeton University. "We as a society need to have a very clear discussion about how we want to protect the privacy of our children in this environment."

Education Week selected the three online education service providers whose privacy policies were reviewed by Mr. Reidenberg and Khaliah Barnes, a lawyer for the Electronic Privacy Information Center, or EPIC, a Washington-based advocacy group. Each provider was chosen for its size and popularity with K-12 students and teachers. Each of the three organizations also offers a type of digital product or service that is used by the vast majority of school districts in the United States.

Responding to Criticism

The concerns raised extend far beyond the direct serving of advertisements to students, which Mr. Reidenberg described as "just one piece of the commercialization of children."

Khan Academy, which provides open instructional resources to 10 million unique users per month, came under the sharpest criticism. Ms. Barnes, for example, said the Mountain View, Calif.-based nonprofit's privacy policy allows for "almost limitless" sharing of student information with third parties. Khan Academy officials disputed that contention as not reflective of their organization's mission or actual practices and said their organization is "adamantly opposed to the idea of commercializing student information, particularly through third parties."

Pearson's PowerSchool student information system, which currently contains data on roughly 13 million students in K-12 schools in the United States, raised the fewest concerns, in large part because the system does not collect data directly from students.

Officials from Edmodo, meanwhile, vigorously defended the company from the experts' questions about its use of "cookies," relationships with third-party partners, and handling of the metadata generated by students as they use the company's "social learning platform," which currently has more than 33 million users, including children and teachers in more than 100,000 schools.

"The bottom line is that Edmodo is not going to use anyone's information in ways they don't know about," said Aden Fine, the general counsel and chief privacy officer for the Mateo, Calif.-based company, founded in 2008 to provide a safe educational alternative to consumer social media platforms, such as Facebook.

The back-and-forth is part of the growing public debate surrounding the rapid growth in the use of educational data, hailed by proponents as the key to building more-personalized learning opportunities for students.

More than 80 student-data-privacy bills have been considered in 32 states this year alone, according to the Data Quality Campaign, a nonprofit based in Washington. Advocacy organizations, industry groups, and professional associations have also in recent months initiated new campaigns and released guidelines and toolkits on the topic. In February, the federal government issued guidance intended to help schools and districts interpret and apply federal privacy laws, and U.S. Secretary of Education Arne Duncan has publicly supported the principle that student data should not be used for commercial purposes.

But many are concerned that the horse is already out of the barn.

Last month, for example, Education Week reported on concerns about online-services giant Google, which acknowledged as part of an ongoing federal lawsuit that student emails sent and received using the popular Apps for Education tool suite are "scanned and indexed" for purposes that remain murky. The product, provided for free to thousands of schools and universities, already has 30 million users.

"In the education space, privacy has unfortunately been an afterthought," Ms. Barnes said.

Creating a Dialog

Advocates and industry representatives agree that in an age where the methods used to collect, analyze and share digital data are highly sophisticated and constantly evolving, companies' publicly posted privacy policies are critical to better informing parents.

But the policies themselves are often confusing, even to experts.

That complexity is creating big challenges for the nascent efforts to develop industrywide standards to guide the creation, implementation and enforcement of such policies.

Just last month, for example, the 210,000-student Houston Independent School District unveiled a new system for rating the security and privacy practices of its software vendors. Of the five providers initially evaluated, the most highly rated was Edmodo — the same company that came under question by the experts consulted by Education Week.

Lenny Schad, the Houston district's chief technology officer who is spearheading the new rating system, did not disagree with the more critical take on the company provided by the experts consulted by Education Week, saying his district's efforts are in an "early stage." Mr. Schad said the most important development is that people are finally starting to pay attention to what companies are doing with students' information.

"This is exactly what we want to start happening," he said. "Now there is a dialog between the user side and the software side."

Edmodo

• Mateo, Calif.

• Social learning platform/learning management system

• 33 million registered users

Mr. Reidenberg saw several positive signs from Edmodo, including a recent move to make encryption of student information a default, rather than an optional, policy, and a clear disclosure of the active role parents and guardians can play in monitoring student accounts.

Edmodo also recently received a thumbs-up from the Houston Independent School District, which is initiating an effort to rate the privacy and security practices of software vendors doing business with its schools.

"We don't rent or sell anyone's personal information to anyone, period," said Aden Fine, the company's general counsel and chief privacy officer, in an interview.

But Mr. Reidenberg and Ms. Barnes questioned what Edmodo's privacy policy has to say about how the company collects, uses, and shares the "metadata" generated by students as they use the platform, which can include server-log data, users' Internet protocol addresses, clickstream data and more. Such information has not traditionally been considered as "personally identifiable" as name, date of birth or email address, but most computer-science experts contend that those types of metadata can now easily be tied to individual users, even without a name.

Even after several readings of Edmodo's policy, Mr. Reidenberg said, he remained unsure exactly how different types of student information are categorized and protected by the company.

Both experts also raised questions about Edmodo's use of its own "cookies" (small data files that track users' website activity) and those of the third parties with which the company partners.

Mr. Fine, Edmodo's chief privacy officer, acknowledged the general concerns in the ed-tech field about the handling of student metadata, but said his company's privacy policy explicitly states that such information is protected, and he stressed that Edmodo does not collect geo-location data on its users. He also said that users' metadata is only combined with their personal information for internal Edmodo use, and that the company would only share with third parties aggregate metadata that it does not consider to be personally identifiable.

And while Mr. Fine acknowledged that Edmodo's privacy policy states that the use of cookies by third parties is not covered by the policy, he also pointed Education Week to another section of that policy, as well as a separate publisher's agreement, which indicate that those partners are prohibited from collecting or using any information beyond what Edmodo is permitted to collect.

"Privacy policies are never perfect," Mr. Fine said. "It's important that users read them, and that companies answer questions about them if they're not clear enough. Edmodo does that."

Khan Academy

• Mountain View, Calif.

• Open education resources

• 10 million unique users per month

Both the experts consulted by Education Week blasted the privacy policy of Khan Academy, a nonprofit organization that has made a big push to expand its reach in recent months via new partnerships and new math resources tied to the contentious Common Core State Standards.

"They are essentially enabling third parties to gather unlimited information about users and disclaiming any responsibility for that," Mr. Reidenberg said of the organization.

Ms. Barnes pointed to Khan Academy's integrations with Facebook and Google — "businesses that are founded on the idea of commercializing information" — and liberal approach to granting third-party advertisers and app developers access to student information as particularly problematic. Worse, she said, the organization explicitly says that its privacy policy "does not apply to, and we cannot control the activities of" those third-party partners.

Plus, Khan Academy users who want to know how their information will be utilized are advised to review the privacy policies of all the third parties with whom the organization partners — none of whom are identified by name, and most of whom likely reserve the right to change their policies at any time, with limited or no notice, she said.

Khan Academy officials declined to be interviewed on the record about such concerns, instead issuing a statement to Education Week via email.

Users can and do access the Khan Academy site anonymously, a spokeswoman wrote. The organization's origins, which include using YouTube as a platform for distributing free instructional videos to users, account for some of the language in the privacy policy, she wrote, but "we do not provide [YouTube] with broad access to student information, and we turn off all advertising on our videos on YouTube."

The spokeswoman also wrote that Khan Academy is "adamantly opposed to the idea of commercializing student information, particularly through third parties" and that explicit consent beyond user registration has been procured in instances where students' user information has been shared with third parties.

Mr. Reidenberg said the latter claim is "directly contradicted" by the terms of Khan Academy's own privacy policy, which clearly indicates that advertisers may use tracking and surveillance technologies that "automatically route user information to the third party."

On the positive side, Mr. Reidenberg and Ms. Barnes praised Khan Academy for the detail in its privacy policy, as well as the data-security practices it describes.

Pearson PowerSchool

• London and New York City

• Student information system

• 13.5 million students

Among the numerous products and services offered to K-12 schools by publishing giant Pearson is the PowerSchool student information system, currently used by about 4,500 school districts, according to Bryan MacDonald, the managing director of the company's school systems group.

While the system contains thousands of pieces of data — everything from academic performance to disciplinary and health records to course rosters — on millions of U.S. school children, the privacy and security issues surrounding PowerSchool are somewhat different than for products with interfaces that allow data to be collected directly from students, Mr. MacDonald said.

"One fundamental difference is that we don't have any right at all to the data," he said.

Furthermore, in many cases, Pearson does not even store the student data itself: About half of PowerSchool users, covering about 9 million students, host the data on their own servers.

And the security and privacy of the data stored in PowerSchool is governed not by the company's privacy policy, Mr. MacDonald said, but by a combination of contracts with clients (usually districts or states) and those entities' own privacy policies.

As a result, Ms. Barnes and Mr. Reidenberg spoke primarily in generalities about potential areas of concern related to PowerSchool, saying parents and educators should be mindful of both how the company safeguards data and should scrutinize the various contracts that govern its individual relationships with districts and states.

"There are universal issues [in the education arena] involving data security, and from an administrative perspective, there are always issues about how other entities can gain access to student information," Ms. Barnes said.

One of Pearson's highest-profile PowerSchool clients, the North Carolina Department of Public Instruction, offers a window into those concerns.

The department has spent much of this school year dealing with an extensive series of implementation problems associated with its quick rollout of PowerSchool across the state's 115 school districts and 253 charter and special schools.

But Philip Price, the chief financial officer for the department, said security concerns have been limited to a few hours last fall, when the system was briefly shut down after being hit with a distributed denial of service attack by hackers.

The student data contained in PowerSchool, Mr. Price said, "is totally ours, not Pearson's."

And third-party access to that information, Mr. Price said, can only occur when local districts have authorized those other vendors to access student data and specified exactly what data should be shared.

Mr. MacDonald of Pearson said the company has upgraded its technical processes for enabling such sharing of data and now uses an application programming interface, or API, to make third-party integrations "more efficient and seamless." The new technology is far more secure than the old practice of "putting data on a floppy disk or attaching it to an email," he maintained.

Mr. Reidenberg also urged skepticism of claims about high-tech security practices from ed-tech vendors.

"Every adult American has likely had his or her financial information stolen in the last three years from banks, credit card companies, and retailers that have spent millions of dollars on data security," he said. "Does Pearson really think it's doing a better job than the entire financial-services industry?"

© 2014 Education Week (Bethesda, Md.)