Privacy Concerns in the Age of Expanding Online Education
Many schools may be relying on services that do not provide adequate privacy protection and security, or that expose student data to third parties. As distance learning might become the new normal for many students, it is important that educators, government agencies, and state and federal lawmakers, ensure that the privacy of students is protected in these distance learning programs.
Candace Paul, JD, Outreach and Engagement Strategist at the Electronic Privacy Information Center (EPIC)
Online education is in the global spotlight as governments and education providers turn to the industry to connect and communicate with students in the wake of school closures due to the novel coronavirus pandemic. Currently, around 1.2 billion children in 186 countries are unable to attend class as schools have shut down globally due to the pandemic, according to the World Economic Forum.
While e-learning is more accessible than ever thanks to advances in technology, like cloud platforms and artificial intelligence (AI) coupled with increasing internet reach across the globe, distance learners remain vulnerable to online privacy risks as demonstrated by a recent lawsuit.
The State of New Mexico sued Google earlier this year for allegedly collecting student data through Chromebooks and their G-Suite for Education. Google claims that 80 million people around the world currently use their G-Suite for Education. This issue brings up concerns about how data is being tracked in online education spaces, particularly when major companies like Google are engaging in the ed-tech space.
While those under 13 years of age are protected by the Children’s Online Privacy Protection Act (COPPA), protections for those over 13 vary by state. This leaves a large population of online learners at risk, especially when accepting the terms and conditions that allow data sharing may be required to participate in a degree program?
We talked to a digital privacy professional to find out about issues in online education privacy regulations and what steps students can take to protect themselves in the information age.
Meet the Expert: Candace Paul, JD
Candace Paul serves as an outreach and engagement strategist at the D.C.-based Electronic Privacy Information Center (EPIC), a public interest research center that seeks to focus public attention on emerging privacy and civil livery issues and to protect privacy, freedom of expression, and democratic values in the information age. Paul has assisted non-profits, private companies and government agencies in the development of strategic communication plans and process improvement measures for over ten years.
She holds a JD from the University of the District of Columbia David A. Clarke School of Law and a bachelor’s degree in public relations from Howard University. She has worked at the Department of Justice, the Department of Agriculture, National Labor Relations Board, and in the D.C. Office of Communications with former District of Columbia Mayor Anthony Williams.
Issues in Data Collection Legislation During the COVID-19 Pandemic
One of the main issues in the U.S. education space is the discrepancy between and lack of legislation for online education spaces at both state and federal levels.
The United States currently has no uniform, comprehensive federal privacy law and, as a result, states are able to establish their own online privacy and data protection standards. Over 40 states have passed laws to protect student privacy, but when it comes to limiting commercial use of that data, many states don’t have clear standards.
“Although there are standards set by the Department of Education at the federal level under the Family Educational Rights and Privacy Act (FERPA), compliance is not mandatory,” explains Paul. “Unlike FERPA, which allows rights to be transferred from parent to child at 18 during post-secondary education, other federal online privacy laws like the Protection of Pupil Rights Amendment (PPRA) and the Children’s Online Privacy Protection Rule (COPPA), are specifically geared toward children and online safety.”
Many students participating in higher education online are therefore left largely unprotected. For example, only California, Georgia, Kentucky, Oregon, Tennessee and Utah directly prohibit or limit the use or selling of students’ private information for commercial purposes, according to the Department of Education. Many states also do not require that schools or electronic service companies provide students information on how their data is or will be used.
“So, we need more [information and regulations],” Paul comments. “Without a cohesive framework, it’s unclear how rules should be applied, what new policies businesses should adopt now specifically for students, and how emerging issues should be addressed.”
For instance, EPIC recently filed a complaint with the Federal Trade Commission (FTC) against the U.S.-based online chat service provider Zoom alleging that the company committed “unfair and deceptive practices” by designing its web conferencing service to bypass browser security settings and remotely enable a user’s web camera without the knowledge or consent of the user. EPIC filed an initial complaint with the digital communications service provider in July last year.
However, as Zoom has gained immense popularity in the wake of the COVID-19, it is pertinent that it and similar companies address privacy issues. Zoom is already notorious for its vulnerability to “zoom-bombing,” or cyberattacks initiated by uninvited attendees that disrupt an online meeting. The University of Southern California is one provider in the education space that has already fallen victim to zoom-bombing attacks interrupting its online classes.
While Forbes reported in April that Zoom has taken several measures to strengthen that specific vulnerability, there is still lack of clarity regarding how Zoom will make detailed and appropriate adjustments to address the other vulnerabilities, especially for students participating in distance learning programs.
National Legislation Efforts to Strengthen Security and Protect Students Online
The Department of Education proposed a new “Distance Learning and Innovation” rule on April 1 that would govern distance learning for higher education students. Although work on the proposed rule started more than a year ago, the COVID-19 pandemic underscores the need for reform and for all educational institutions to have a robust capacity to teach remotely. According to the Department of Education, the rule will be published sometime before November 1, 2020, and will be aimed at enhancing educational quality and reducing barriers to innovation while maintaining safeguards to limit the risks to students and taxpayers.
“While the proposed Distance Learning and Innovation rule will be open for public comment, it is unclear how much security will be a focus of that rulemaking,” Paul says.
The establishment of a comprehensive federal privacy law and a Data Protection Agency (DPA) to address online privacy and data protection issues for everyone is an alternate option that could offer a stronger approach than a broad regulation.
“An independent federal agency would help solve many of the data protection issues we encounter online. It would work to protect data, safeguard privacy, and ensure data practices are fair and transparent,” Paul says.
In February, New York Senator Kirsten Gillibrand announced legislation that would create the Data Protection Agency (DPA). If approved, the DPA would have the authority and resources to effectively enforce data protection rules created either by itself or congress, and would be equipped with a broad range of enforcement tools, including civil penalties, injunctive relief, and equitable remedies. The DPA would also promote data protection and privacy innovation across public and private sectors, by developing and providing resources such as Privacy Enhancing Technologies (PETs) to minimize or even eliminate the collection of personal data.
Many countries already have data protection agencies in place. The U.S. is one of the only democracies, and the only member of the Organization for Economic Cooperation and Development (OECD), without a federal data protection agency.
In addition to establishing a DPA, Paul believes it is important that federal legislation does not preempt stronger state legislation. A robust federal privacy legislation “should be a floor, not a ceiling” and should include a few key components:
- Strong definition of personal data;
- Establishes an independent data protection agency
- Individual rights (right to access, control, delete)
- Strong data controller obligations
- Algorithmic transparency requirements
- Data minimization and privacy innovation requirements
- Prohibits take-it-or-leave-it or pay-for-privacy terms
- Private right of action
- Limits government access to personal data
- Does not preempt stronger state laws
“Again, if these were to be implemented in a federal law and enforced by a DPA, anyone doing business online would have much more protection, including distance learners,” Paul states.
To best protect themselves now though, Paul recommends that students read the terms of service when joining digital platforms and online education spaces to understand how companies plan to use the data they provide. Students should opt-out where they can and limit the amount of data they provide in exchange for service.
Looking forward: Protecting Student Privacy in Online Education
So, where does this ultimately leave online learners?
Even before COVID-19, there was already high growth and adoption of education technology. Global edtech investments reached $18.66 billion in 2019 and the overall market for online education is projected to reach $350 billion by 2025, according to the World Health Organization.
Although it is difficult to predict the future, the surge in online education engagement due to the coronavirus can likely be expected to have a lasting impact on e-learning moving forward.
So, given the growing importance of online education, this period may be a critical time for schools offering distance learning to take a closer look at the online resources and security they will be offering students.
“Many schools may be relying on services that do not provide adequate privacy protection and security, or that expose student data to third parties,” Paul says. “As distance learning might become the new normal for many students, it is important that educators, government agencies, and state and federal lawmakers, ensure that the privacy of students is protected in these distance learning programs.”