But as governments and schools sped to implement more technologies, they may have left behind some of the guardrails for children’s security and online privacy.
A new study finds evidence that some of these platforms used by children around the world — and in many cases, still in use two years after the shutdowns — did more than just provide virtual homework assignments. Some have built-in mechanisms to track children’s online behavior for the benefit of advertisers or others, raising serious concerns about how new technology could cross privacy boundaries.
The research, conducted by Human Rights Watch, dug into platforms used for remote learning around the world, including some platforms used in Texas. Researcher Hye Jung Han wrote in her report that her findings indicate that remote learning tools are surveilling children at a “dizzying scale.”
Some of those surveillance tactics may be skirting the limits of state and federal law, a data privacy lawyer told the Star-Telegram.
While many of these platforms are not used as extensively as they were during fully remote learning, technologies used during the height of the pandemic are still used in classrooms. And teachers and students can’t meaningfully opt out of such platforms, said Daniella Smith, an information science professor at the University of North Texas.
“This is so daunting because we can’t design our own materials,” Smith said. “We’re kind of caught, where we need to be able to use these resources to connect our kids.”
Several tech companies reviewed in the research have said that the findings are flawed or otherwise not reflective of children’s experience in the virtual classroom. That concern about the relevancy of the research was echoed by the Texas Education Agency, which has contracts with two of the companies.
And, because of the design of the Human Rights Watch research, the report did not definitively conclude whether students’ data has been harvested inappropriately. But even the possibility raises alarm for the Texas state representative who authored the state’s 2017 Student Privacy Act.
“Our schools, obviously their purpose is educational, but their primary purpose is to protect the student while they’re in their care,” said Texas Rep. Gary VanDeaver, R-New Boston. “And I believe protecting their data is a very important piece of protecting that student.”
THE RESEARCH
Human Rights Watch, an advocacy organization that investigates human rights abuses and pushes for change, set out to determine whether remote learning platforms are secure for children.
Han, who is a children’s rights researcher and advocate at Human Rights Watch, selected 164 educational technology products that are used around the world — from broadly used products such as Microsoft Teams and Zoom, to government-developed platforms used in specific countries. She evaluated both the data collected by websites and the capabilities that are built into apps, and found that the majority of the platforms she investigated posed some level of risk to children’s privacy.
Describing the worldwide findings, the report says the remote learning platforms “monitored children, in most cases secretly and without the consent of children or their parents, harvesting data on who they are, where they are, what they do in the classroom, who their family and friends are, and what kind of device their families could afford for them to use.”
Human Rights Watch provided the research report ahead of its publication to 13 media outlets worldwide, including the Star-Telegram and other McClatchy-owned news organizations, as well as The Washington Post. The media consortium, called EdTech Exposed, was facilitated by the nonprofit organization The Signals Network.
The research included three education-specific platforms used in Texas: Schoology, Seesaw and ST Math. The research did not analyze all of the platforms used in Texas, including the popular learning management system Canvas.
Seesaw is used in school districts across North Texas, including many in Tarrant County. However, because of restrictions on who can create Seesaw accounts, the researcher analyzed only the platform’s homepage. This did not allow for any conclusions to be drawn about the internal, student-facing portion of its platform. Seesaw chief operating officer Brett Garrett said the platform complies with state and federal law, and that the team is “really proud of our level of data security.”
The other two platforms analyzed in the research, Schoology and ST Math, had specific agreements with the Texas Education Agency.
SCHOOLOGY
In July 2020, the Texas Education Agency announced that it had purchased access to the Schoology platform for all of the state’s 1,200-plus school districts. PowerSchool, the parent company of Schoology, also has a Texas-specific page on its website, pledging that “only PowerSchool provides all the solutions that Texas schools and districts need to unlock potential.”
Although every public school district in the state was able to use the platform for free, many North Texas districts opted for different systems and did not report using Schoology.
The Human Rights Watch report says the Schoology app has a built-in functionality that is designed to collect users’ online identifiers. In general, these identifiers are used to build ad profiles for individuals, based on the sites they visit and the information they share on web pages. These profiles are then used to tailor advertisements to people’s specific tastes.
The report did not conclude that the Schoology app did collect users’ or children’s online identifiers, only that the app is designed to do so.
Through a spokesperson, PowerSchool contradicted the research’s implication and said the “Schoology app does not collect users’ advertising IDs.”
The spokesperson also pointed to PowerSchool’s Schoology-specific privacy policy. That policy tells users that the platform may collect information such as “your unique device identifier, IP address, your browser type and configuration, the date and time of your use of the product or service and cookie data.”
The policy also says the platform uses that collected information in accordance with its contracts and in compliance with the relevant laws.
Of Tarrant County’s 20 school districts, just one – Burleson – told the Star-Telegram that it was using the Schoology platform. Two school districts, Kennedale and Mansfield, did not answer requests for information on their remote learning platforms.
The Dallas school district also reported using Schoology. It’s unclear how many districts across the state may be using the platform.
ST MATH
ST Math is designed to help students catch up on their math skills.
The platform, owned by MIND Research Institute, restricts user accounts to students and educators, which the Human Rights Watch researcher said barred her from ethically logging onto the platforms.
However, ST Math provides a select number of math games for free on its website. Those free games don’t require a login, allowing Han, the Human Rights Watch researcher, to analyze the pages.
The analysis consistently showed that ST Math’s publicly accessible pages, including the ones designed for children, were using ad trackers to send information to advertising companies, according to Han. Human Rights Watch found 19 ad trackers on the website, which were sending information to Facebook, Google, PayPal and Twitter. The website was also sending information to the website tracking platform Crazy Egg, according to the research, although a Crazy Egg representative said the account linked to ST Math was canceled at the platform’s request in May 2020.
The ST Math public-facing website was also logging users’ keystrokes, according to the report, capturing anything users type.
The Texas Education Agency has a contract with ST Math and is providing the platform to public school districts for free. While ST Math as a whole is aimed at children from preschool through eighth grade, the agreement with the state is aimed at kindergarten through fifth grade.
The Texas Education Agency, through a spokesperson, highlighted that Texas schools using the state’s contract with ST Math would not access the public-facing website, but the user-restricted version of the platform. The Human Rights Watch research did not investigate that portion of ST Math.
“TEA welcomes all efforts to review and otherwise strengthen data security and privacy practices in the education technology industry, especially as schools around the country use more tools like these,” said the agency’s deputy commissioner of technology, Melody Parrish, in a prepared statement. “But in order to clearly discern where there are real concerns, these efforts must be as sophisticated as the threats we face.”
ST Math’s parent company, MIND Research Institute, similarly pushed back on the research findings and said the student-facing platform does not track children’s data for marketing or advertising.
Liz Neiman, vice president of engagement, said in an email that users accessing the user-restricted portion of the platform do not interact with the pubilc pages in order to access their material.
“It seems a rather significant and misleading assumption to make,” Neiman wrote of the researcher’s use of public-facing webpages.
But Han, the researcher, maintained that children are also likely to use the ST Math public website, given the free games that are provided there. The ST Math games, including some of the ones provided online for free, are aimed at kids as young as preschool. The platform’s privacy policy does not include mention of the data collection practices that the Human Rights Watch researcher reported.
The platform is used in at least two school districts in Tarrant County — the Azle school district and the Carroll school district in Southlake — as well as the Dallas school district. Through the state contract, the user-restricted version of the platform is also available directly to families and students.
State and federal law bars tech platforms from knowingly gathering certain types of children’s data for targeted advertising and other marketing purposes. And while the research did not make definitive conclusions, the possibility of such data collections in remote tech raises ethical and legal concerns.
WHAT THE LAW SAYS
State and federal law is designed to give Texas children more online privacy protections than adults have.
Federal law, under a provision called the Children’s Online Privacy Protection Rule or COPPA, restricts companies from collecting certain types of information on websites and platforms that are aimed at children under 13. Texas law, under the Student Privacy Act, restricts companies from knowingly collecting kids’ personal information except for educational purposes, and from targeting kids with ads. (Students at institutions that receive federal funding are also protected under the federal Family Educational Rights and Privacy Act, although those regulations are specific to educational records.)
Kate Morris, a data privacy lawyer at Dallas firm Hosch & Morris, said the word “knowingly” is significant in determining whether a platform is violating the state law.
But, she said, if a platform was knowingly collecting children’s online identifiers or collecting children’s data for targeted advertising, that would likely be a violation of the laws.
For VanDeaver, the state representative, the purpose of authoring Texas’ Student Privacy Act was to safeguard children from “solicitation” broadly.
“Obviously, we (can) let our minds run wild with what that might involve, but whether it’s solicitation to buy the latest video game or solicitation for something much darker — we want to protect them from any of that,” VanDeaver said.
Both Arlington and Fort Worth school districts said they review technology companies’ security policies before entering into contracts with them. However, they said those reviews focus primarily on ensuring that a company’s privacy policy and the contract indicate that the platform complies with law. This means the school districts are not conducting preemptive technical analyses to confirm that companies are complying with their own privacy policies or contracts.
Parrish, of the Texas Education Agency, said in her statement that the agency also conducts a security review before entering into agreements with technology companies, and at times during the contract. An agency spokesperson added that the state review does include some technical analysis.
But, Morris said, even if technical analyses were to uncover potential breaches, it’s unclear what legal steps the state or a school district could take. The state regulations, Morris said, have no case law backing them up – meaning they’ve never been enforced against a violator.
“Basically, it’s all an open question, because this law has just been … on the books,” Morris said. “It doesn’t have teeth. There’s no penalty. There’s not even an enforcement mechanism.”
Morris similarly said that while the Federal Trade Commission is responsible for enforcing the federal COPPA, enforcement is notoriously difficult.
“Big tech especially has so outgunned the government ... that you just aren’t getting meaningful enforcement actions from the FTC,” Morris said.
However, the Federal Trade Commission issued a policy statement last week that it will “crack down” on companies that illegally surveil children. Chair Lina Khan said in a statement that the commission plans to “vigorously enforce these restrictions in order to protect children online.”
UT Dallas computer science professor Murat Kantarcioglu said he generally doesn’t expect tech companies that are collecting users’ data to change their practices unless they’re forced. If a product’s business model relies on advertising sales, for instance, companies may have not much incentive to change.
“Unless they are required by laws — either it’s a state law or by a federal law — I don’t think they will be changing their behavior,” Kantarcioglu said.
ADDING SAFEGUARDS
Independently of laws and privacy policies, parents can take additional steps to safeguard their children and their data, Kantarcioglu said.
He encouraged parents to teach their children how to be safe online, including by installing ad blockers and limiting the permissions on apps or websites. Kantarcioglu also recommended using private browsers when possible.
“This kind of tracking shouldn’t be happening. But there could be things the parents could be doing to limit that tracking,” Kantarcioglu said.
Smith, the UNT professor, encourages parents and students to deny camera and microphone access unless necessary.
“You definitely shouldn’t let every single app have access to what you’re saying,” Smith said. “You have to know how to cut these things off.”
She pointed to the importance of decoupling students’ personal and educational information and using separate email addresses for social media activity and school work. For families that can afford to, she said, it can help to have separate devices for personal and educational use.
“Everybody doesn’t have the luxury of doing this,” Smith said. “But what we can do is just be diligent in how we’re informing our students about what they need to do (and) how we are selecting different things for our students.”
In addition, parents can review the data collection disclosures from the technology companies used at their children’s schools. The Arlington and Fort Worth districts said that they do not proactively share each privacy notice with families, in part because of the volume of information that would entail. Fort Worth school district’s chief technology officer Marlon Shears said that the district aims to kickstart an open data portal within a year, which could include that information.
Lane Gregory, the founder of social media marketing platform Crowdshare, has a blended family with children in the Arlington, Mansfield and Northwest school districts. He said he’s generally comfortable with student data that’s collected for educational purposes. But anything beyond that is crossing the line, he said.
“I believe that our children in no way, shape or form should be marketed to or marketed through,” Gregory said. “Kids shouldn’t be targeted.”
In light of the Human Rights Watch report, VanDeaver, the state lawmaker who authored Texas’ Student Privacy Act, said he hopes that TEA will first provide answers to whether there are any potential violations of student privacy. And if any violations are uncovered, the representative said, he’d expect the state to correct those issues and enact safeguards to prevent those issues from recurring.
©2022 Fort Worth Star-Telegram. Distributed by Tribune Content Agency, LLC.
