Read Fine Print on Learning Apps, Experts Warn
To safeguard student data privacy, districts need to pay more attention to the service agreements for educational online applications.
From math games to study skills, the potential use of educational online applications has exploded in schools—but so has the potential for problems if school staff members don't read the fine print on the service agreements.
The industry-analyst firm Technavio predicts the education app market will continue to grow at a compound annual rate of more than 28 percent through 2020, to nearly $6 billion. A 2016 survey by the Consortium for School Networking found nearly all its members (mostly school district education-technology officials) are using or plan to use digital open educational resources in the next three years, but fewer than half have clear policies on how apps are selected and used to safeguard students' privacy and teachers' intellectual property.
"For a lot of districts, [app security] hasn't come up yet," said Steve Smith, the chief information officer for the Cambridge, Mass., public schools. "If they are not thinking about data privacy and they are being pushed to use a lot of free online resources, there is potential for a lot of student-data leaks."
The 22,000-student Green Bay district in Wisconsin became aware of the challenges in 2014, as it began to integrate tablet- and cloud-based software into classrooms. Diane Doersch, Green Bay's chief technology and information officer, said that within a few years, she found herself combing through 10 to 15 app service agreements every month—"It was taking forever; every review of a terms of service agreement was taking two hours"—only to find other apps being used informally.
Many districts have lists of approved apps for teachers or students to use, Smith said, but they often have been vetted by educators or curriculum experts for their pedagogical quality, not by technology or legal experts analyzing terms of service. Even in those districts that do vet apps holistically, it's tough to keep on top of changes and updates in approved lists of hundreds or thousands of apps.
Among the most common sins were those of omission: companies that collected location or time-on-task data without disclosing that information. For example, more than 40 percent of the apps collected location information, and 17 percent shared data with other companies without saying so in their privacy policies.
"It's great to have innovative schools and teachers taking advantage of all these tools, but they have to know what they are getting into," Smith said. "A lot of free applications are free for a reason; they are not just doing it out of the goodness of their hearts, they want that data."
Jim Flanagan, the chief learning-services officer for the International Society for Technology in Education, an industry group, agreed: "Nothing is totally free. You are for sale; that's the cost of free."
'Like the Wild West'
Jason Kunze, an intellectual-property lawyer with Nixon Peabody LLP, who reviews and studies software terms of service agreements, said the educational-app field is still new enough that there isn't a lot of standardization, and there are many policies and legal precedents from the real world that don't translate well to the virtual space, such as whether a provider can create a profile about students based on their geographic location or whether a teacher retains rights to a lesson plan she developed on an app.
"If I want to publish a website or create an app, I don't need a factory. A lot of people can get into this space very quickly," he said. "It's good in that it allows for rapid innovation, but the downside is [it's] a bit like the wild, wild West."
Doersch said the district had always been able to leverage its regular software contracts to make sure vendors stayed in line with district policies and the federal Family Educational Rights and Privacy Act, but, "we were finding with the rise of cloud-based and [open educational resources], we didn't have the leverage to say, 'We'll pay you when you sign this.' The providers would say, 'FERPA? What's that? Why should we care? Oh, we signed the privacy agreement, we're fine."
School districts are starting to push back. Green Bay and Cambridge both helped found the Student Data Privacy Consortium—an alliance of districts in California, Connecticut, Florida, Maine, New Hampshire, Massachusetts, Oregon, New Jersey, Rhode Island, Tennessee, Virginia, Washington, and Wisconsin. The consortium drafted a model contract and questions for districts to use when working with app providers. Other districts have partnered with the nonprofit Common Sense Media to develop a privacy yardstick to evaluate apps.
"Historically, educators could be isolated, but they can't be anymore," ISTE's Flanagan said; because there is no single list of safe apps that educators can consult, reaching out to colleagues is even more important. "Before you start a new app, see what your peers think of it."
More than 300 companies have signed a 12-part "privacy pledge" to adopt safer practices in their education apps, including providing clear lists of the data a company will collect on students and not selling student data. The pledge is voluntary, but the Federal Trade Commission has sued companies like Snapchat and Yelp for collecting data on users—particularly on children—contrary to their public statements about safeguarding privacy.
But even developers with a strong commitment to data security can run into trouble in the K-12 space. The most secure log-in systems use complex passwords, for example, but Doersch said such systems break down in the early grades.
"We're asking kids to make a combination of numbers and letters they don't even know yet, and when you add in upper- and lowercase letters, it's just too much; it takes a whole day to get them logged in," she said. Facial-recognition systems can be an alternative, but even there, a 6th grader who hits a growth spurt can throw off the software.
Green Bay now uses key cards to let young students log into programs securely, and teachers go through training on how to assess an app's educational content and privacy concerns. The district approves new apps only during a "vetting window" at the start of each semester, and both staff and students learn to recognize signs of an app or website that could contain malicious code, like a keystroke collector or virus.
Regardless of whether districts use model contracts or write their own, try out new free apps, or stick to subscription services, Smith, Doersch, and Flanagan agree that it's important for districts and app providers to work together.
"There are great opportunities, but ... we need to be careful both as consumers and producers of data," Doersch said. "We have no idea, 20 years from now, what the digital footprint of a 2nd grader will mean for his future."
Vol. 36, Issue 26, Pages 24, 26Published in Print: March 29, 2017, as Reading the Fine Print