Use of Backpack may cross digital privacy lines

Students react to this story in “Students react to Backpack investigation.”

Amid college application deadlines, school-work and football games in mid-October, duPont Manual’s senior class met in the auditorium, quickly filling the seats at the front of the room as Principal Darryl Farmer and several assistant principals faced them.

The administrators quieted the group of students and began to show them how to log in to a special website where they would upload evidence of their learning as part of Jefferson County Public Schools’ (JCPS) newest graduation requirement, the Backpack of Success Skills.

But what students and some administrators didn’t know was that the district may have been violating federal law by requiring them to use online resources, like the Backpack, without obtaining parental consent for the district-issued account used to access it per the Family Educational Rights and Privacy Act and the Children’s Online Privacy Protection Act.

The requirement leaves students’ personal information available for Google to use in order to make changes to their own services and for YouTube to track usage history and target advertising, which goes against promised practices of providing educational services without gaining a profit.  

Origins of the Backpack of Success Skills

The Backpack of Success Skills is special software created by Amplified IT, an education technology company based in Norfolk, Virginia, that uses the G Suite for Education to assist JCPS in evaluating students’ educational growth.

As part of the JCPS Vision 2020 Plan, Superintendent Dr. Marty Pollio and Chief Academic Officer Dr. Carmen Coleman introduced the Backpack in August 2018 as an attempt to fulfill a goal of “deeper learning.”

The district spent $63,000 on the initial set-up, according to a contract obtained by Manual RedEye reporters through the Kentucky Open Records Act. But according to the Courier Journal, JCPS spent roughly $255,000 through June 30, 2018 on the Backpack in order to continue their pursuit of the Vision 2020 Plan.

The newest graduation requirement compels students to place papers, art projects, test scores, videos, service hours and other school-related “artifacts” — accompanied by written reflections — in Google Drive folders that represent five skills:

  • Effective communicator
  • Prepared and resilient learner
  • Productive collaborator
  • Globally and culturally competent citizen
  • Emerging innovator

While schools around the district have their own requirements for how many artifacts students must upload each year due to the novelty of the program, every JCPS student must justify the items in their Backpack to a panel of teachers, parents and administrators at the end of fifth, eighth and 12th grades.

Protecting minors online

In order to access the Backpack, email and other services, students use a personalized username and password issued to them when they are first enrolled in a JCPS school.

Students’ privacy as they interact specifically with the Backpack is protected by federal law, policies of both Amplified IT and G Suite as well as a “sophisticated firewall” to protect against outside entities, according to JCPS attorney Kevin Brown.

G Suite for Education’s Online Agreement is what any user of Google Classroom, Drive or Sites would normally agree to when setting up their account, but students never went through this process because their accounts were already set up for them by the district.

The agreement includes a section called “Customer Obligations” which describes Google’s conformity with portions of the Children’s Online Privacy Protection Act (COPPA) dealing with parental consent and the use of Google products. “Customer” in the following excerpt is defined as JCPS and “End Users” are defined as students according to the Electronic Frontier Foundation (EFF):

“If Customer allows End Users under the age of 13 to use the Services, Customer consents as required under [COPPA] to the collection and use of personal information in the Services.”

This portion means that Google is asking JCPS to consent on behalf of parents for the collection of student information: their full name, email address, phone number, location, internet service provider, computer operating system, search terms and time spent on particular websites.

According to the EFF, a nonprofit civil liberties organization based in San Francisco, the Federal Trade Commission (FTC) only allows companies to collect student information without consent if they are using it for non-commercial, educational purposes.

In the privacy policy in question, as well as other language on Google’s websites about the education suite, Google claims that they do not use collected information to target ads toward accounts used for an educational purpose. However, Google still admits to collecting information from students in order to improve their own services.

Michael Abate, a constitutional and media law litigator with Louisville-based Kaplan Johnson Abate & Bird, said that the use of students’ private information without parental consent to improve Google’s services raises ethical concerns.

“I don’t think [Google] would have the right, absent consent, to use that information for their own purposes,” Abate said. “Is the development and refinement of Google software a legitimate educational interest of JCPS? Or is that a business interest of Google? And I don’t know, maybe there’s a point in which that Venn diagram overlaps but I think we’re starting to get into some real gray areas here.”

“Additional Services” and their interaction with federal law

The second half of the COPPA clause extends to Google’s “Additional Services.” The section reads:

“Customer will obtain parental consent for the collection and use of personal information in the Additional Products that Customer allows End Users to access before allowing any End Users under the age of 18 to use those services.”

While the Backpack itself is not an “Additional Service,” JCPS requires students to use their district-issued accounts which are also connected to YouTube.

Users can view and edit their own personal YouTube search and watch history — two of the main activity controls left on by the district — through myaccount.google.com while signed in to their school account. The information can lead to improvements to Google’s services and targeted advertising.

https://vimeo.com/340258264

“JCPS does not control or limit a student’s personal web browsing decisions, which very well may include voluntary participation in Google’s or any other internet entities’ ‘Additional Services’ at the discretion of the student,” district attorney Kevin Brown wrote after RedEye inquired about the possibility of a COPPA violation.

However, as an administrator presiding over all student accounts, JCPS does have control over what “Additional Services” students have access to through Google and the district is required to obtain parental consent for use of the permitted services.

In addition to consent, COPPA says that the operator of a website or online service must “provide notice on their website of what information is collected,” how the operator uses the information and their disclosure practices.

Information about the data collected by both Amplified IT and G Suite are accessible through their websites. As a third party who is expected to follow best practices outlined by the FTC, JCPS should have provided families with this information and made it easily accessible on their website as well.

Google has a notice template available for schools and school districts to use if and when they choose to introduce the G Suite for Education in their classrooms. The release asks for the student’s full name, a parent’s consent, explains what information is collected and for what reason and provides links to more information.

Despite this resource being available online, JCPS did not use the template.

(Story continues below the infographic.)

Graphic by Bryce Grant.

Amplified IT’s privacy policy and consent

Like the G Suite for Education, Amplified IT says they “do not use Personal User Data to target ads” and their tools are “explicitly designed not to prompt for or collect Personal User Data from student users.”

However, early in the policy, the company explains how they gather — no matter the circumstance — information like a user’s full name, email address, phone number, location, school identifiers, internet service provider, operating system, time spent on websites they have created as well as various search terms and other keywords.

The Amplified IT privacy policy states the following:

“Schools are solely responsible for compliance with [COPPA] and the Family Educational Rights and Privacy Act (FERPA), including, but not limited to, obtaining parental consent concerning the collection of students’ Personal User Data used in connection with the provisioning and use of the Tools.”

JCPS never obtained explicit parental consent under COPPA or FERPA or as outlined in both the G Suite and Amplified IT privacy policies. It is true that JCPS is allowed to grant consent on behalf of students per language in COPPA — but not in all cases.

And when it comes to FERPA, web-browsing history and information collected by Google and Amplified IT are arguably education records and therefore require the consent of a parent and/or guardian.

In a recent Kentucky Court of Appeals case, Kentucky Kernel v. University of Kentucky, the protection of student information under FERPA is reevaluated. In the opinion, the court decided that “it is clear that ‘education record’ means more than an individual student’s academic performance, financial aid record or scholastic probation record.”

In response to a RedEye inquiry about student data from “Additional Services” accessed under their district-issued account and shared with Google, JCPS attorney Kevin Brown said that “there is no FERPA protection for things that fall outside of the scope of an education record, for example, a student’s personal web-browsing history as dictated by students’ individual decisions and actions while online which […] is not recorded by JCPS or considered an education record.”

However, Louisville attorney Teddy Gordon, who has brought numerous lawsuits against JCPS, disagrees.

Even if web-browsing history is proven to not be included in the scope of education records, Gordon is “100% sure that JCPS information to Google is a violation of FERPA.”

“The data being held by Google should never happen without permission of a parent and/or guardian,” Gordon said.

The laws that protect students and their data online have been put in place by legislators for specific reasons. Experts agree that businesses, technology companies and school districts cannot selectively follow laws, they must comply with all of them.

“Schools and technology companies shouldn’t view privacy laws as mere inconveniences to work around,” EFF attorney Sophia Cope said. “Both the letter and the spirit of privacy laws should be adhered to. Students and parents should fully understand what student personal information is shared with or collected by private companies.”

Privacy loophole through a different law

Under FERPA, a law that protects education records and other identifying student information, the G Suite for Education has the rights of a “school official,” therefore avoiding the typical requirement of obtaining parental consent for the sharing of student information with third parties, according to the EFF.

To legally be considered a “school official” under FERPA, a contractor or third party must meet the following requirements:

  • The contractor acts on “educational interests”
  • The contractor agrees to not use student information for any other purpose than that which is outlined in an original contract or policy
  • The contractor performs a service that no current employee could perform

As a “school official,” Google is allowed to continue providing services to students without parental consent because they have “educational interests” and employees within school districts lack the resources to provide the same service.

The collection of student data for the betterment of their own services still occurs in mass quantities without consent.

Media attorney Abate thinks that the absence of consent is only reasonable if the educational interests of third parties is ethical.

“The appropriate legal lens for all of this is not commercial use or non-commercial use per se, [it’s] the furtherance of legitimate educational interests of the school or the school district or the other educational institutions that have put data on the Google platform,” Abate said.

These educational interests entered the spotlight in 2015, when the EFF filed a complaint with the FTC against Google over the “school official” loophole in FERPA as well as several violations of the Student Privacy Pledge (SPP) including continuing to collect, use and share student information “except when needed for legitimate educational purposes or if parents provide permission.”

PRIMARY SOURCES FOR THIS STORY

 

After some public hesitation, Google signed the SPP in January 2015, which is maintained by the Future of Privacy Forum and the Software and Information Industry Association, and is legally enforced by the FTC. But the SPP also contains loopholes that “prevent it from offering meaningful protection to student data,” according to the EFF.

Because FERPA and COPPA were written before the internet became an international digital network used widely by K-12 schools, attorneys have not been able to definitively say whether or not the Backpack and the required use of the account to access it violate their precedents.

“This is undoubtedly one of the areas where technology has moved at an exponentially faster rate than the legal structure that governs it,” Abate said.

The wider scope of tech and personal privacy

Very few school districts in the U.S. are requiring similar initiatives like the Backpack, so with the creation of the internet 50 years ago and online education programs only surfacing in full within the past two decade, there is little precedent for addressing ethical and legal dilemmas about student privacy.

But the larger issue of cybersecurity has already emerged in national discourse. Most recently, Wired and The Guardian reported on Facebook’s exposure of about 50 million users’ personal information allegedly used to target ads on behalf of Donald Trump’s 2016 election campaign.

While this information breach is not as closely related to a web host like Google having access to information stored in their own services, it still made waves at a federal level and represents most of the debate surrounding cybersecurity.

(Story continues below the timeline.)

The New York Times reported late last year that Virginia Senator Mark Warner believed that Facebook’s breach “is another sobering indicator that Congress needs to step up and take action to protect the privacy and security” of internet users.

And even the extent of what digital giants have stored about their users is unprecedented and overwhelming. In May 2018, Dylan Curran, a web developer and data consultant, downloaded all of the content and data that both Facebook and his regular Google account had about him.

NBC News reported that the result from Facebook was a 600-megabyte file and the content he received from Google was a nine times larger five gigabyte file.

“This is one of the craziest things about the modern age. We would never let the government or a corporation put cameras/microphones in our homes or location trackers on us, but we just went ahead and did it ourselves because … I want to watch cute dog videos,” Curran told NBC.

Advocacy groups around the country are still attempting to change the conversation about privacy, especially when it comes to students. In 2017, the EFF investigated and analyzed school-issued devices and student privacy.

They reported that not only was there a lack of transparency from the school and the tech companies but “parents who sought to opt their children out of device or software use faced many hurdles, particularly those without the resources to provide their own alternatives.”

But their conclusion was simple: “While schools are eagerly embracing digital devices and services in the classroom — and ed tech vendors are racing to meet the demand — student privacy is not receiving the attention it deserves.”

Google did not respond to several requests for comment.

This story was made possible with additional research by Audrey Champelli (12, J&C) and Olivia Brotzge (12, J&C).