Many state and local education agency websites aren’t disclosing the presence of third-party tracking services, which can use information about users’ browsing history and online activity to target advertisements, according to a study released this week by EdTech Strategies, an education consulting group.
A large majority of education agencies—over 90 percent of all state departments of education, and all but one of a sample of 159 school districts—are using free, cloud-based tracking tools offered by tech giants Google, Facebook, and Twitter to gather and analyze information about their audience, the study found.
These free site analytics come with a cost. Companies provide them in exchange for the ability to track users’ internet activity and browsing history over time, gathering information they can use to show targeted ads.
This use of this practice—known as ad tracking—and the use of third-party surveillance tools in general, are hardly unique to education websites. Just under two-thirds of the top 10,000 most popular sites on the internet use Google Analytics, according to BuiltWith, a company that tracks what technologies are being used in websites.
But ad tracking has seen scrutiny for collecting and using data in ways that could violate users’ expectations of privacy—including in ed-tech products. Edmodo, a popular classroom learning system, came under fire last May when it was discovered to have embedded ad tracking in its platform.
If states and districts choose to use this technology, they have a responsibility to clearly define the privacy and security implications for the students, parents, educators, and community members using the site, said Doug Levin, the president of EdTech Strategies, in an interview.
“School districts should be intentional about this,” said Levin. The study, he said, demonstrates that most education agencies aren’t currently fulfilling this obligation.
About a third of state departments of education that allowed ad tracking on their websites either didn’t reference it on their sites, or provided misleading information in a site privacy policy that suggested users’ activity was not being recorded and stored by a third party. Omitting this information can also be a violation of the partner company’s policies: Google Analytics requires that websites disclose that they’re using the service, and explain that Google will be collecting data on the site’s visitors.
Only 30 of the 159 school districts (19 percent) included in the sample published a district privacy policy on their website. Of those, about two-thirds mentioned the use of tracking—but, similar to the state departments of education, some mischaracterized how the site would track users.
For example, one district’s policy said that their website doesn’t “place a ‘cookie,’” a small data file that can keep track of a user, on visitors’ computers. But the study found that the same district website used Google Analytics and two Twitter trackers—all tools that use cookies.
Privacy and Security Gaps Likely Are Not Intentional
To determine which trackers and analytics software education agency websites deployed, EdTech Strategies used Tracker Tracker, an automated website scanner that identifies ad tracking and other surveillance tools, to review the homepages of all state departments of education and a national sample of 159 districts. Districts represented were either recipients of the Consortium for School Networking’s Trusted Learning Environment Seal, members of the Council of Great City Schools, or members of Digital Promise’s League of Innovative Schools, with some overlap.
The report also found that many websites in the study did not support secure browsing—the “https” protocol that provides increased privacy protections, compared to “http"—leaving their users vulnerable to threats like malware and hackers.
Just over half of the state websites and 43 percent of the district websites didn’t reliably support secure browsing, according to an analysis of results from Observatory, a Mozilla tool that evaluates website security.
In many cases, these privacy and security gaps are most likely not intentional, said Levin. States and districts with thin IT staffs may be overwhelmed with other security concerns, or education agencies that contracted out their website development might not be aware of, as he put it, “the data collection and sharing that is happening under the hood.”
The report includes a list of action steps for states and districts looking to implement secure browsing or evaluate their use of third party tracking tools.
Levin said there are other free website analytics tools available that take more steps to protect users’ privacy than the solutions offered by Google, for example. The report also identifies free tools that can be used to test a website’s ability to support secure browsing.
See more: