How Ed Tech Tools Track Kids Online — And Why Parents Should Care
Receive stories like these directly to your email inbox by signing up for Newsletter.
As technology continues to be integrated into education, concerns about the collection and use of personal information have emerged. Startling new research led by the University of Chicago and New York University reveals that for-profit tech companies have gained significant access to young people’s lives through schools. This drive to adopt new technologies has created an $85 billion industry that poses data security risks for teachers, parents, and students. The issue has become even more prevalent with the shift to remote, online learning during the pandemic.
High-profile ransomware attacks have increasingly exposed students’ sensitive information online, and tech companies, including those serving the education market like Google, utilize user data monetization as a core business strategy. However, student privacy is often overlooked when teachers adopt new digital tools, as revealed through interviews with district technology officials. In fact, schools often lack the resources and knowledge to assess potential vulnerabilities.
This reality raises concerns. An analysis of widely used or endorsed educational technologies revealed numerous privacy risks. The analysis utilized Blacklight, a privacy inspection tool created by the nonprofit news website The Markup, which scans websites to uncover data-sharing practices. The education tools analyzed showed "extensive use of tracking technologies" that have potential privacy implications. The most alarming finding was that 7.4% of these tools utilized "session recorders," trackers that document every user action.
"When users visit these sites, their entire session is recorded, including information such as clicked links, hovered images, and data entered into fields but not submitted," the report explains. "This could include data that users consider private, like autofilled credentials or social network data."
spoke with Jake Chanenson, co-author of the report and a Ph.D. student at the University of Chicago, to gain further insights into the study’s findings and understand why parents and students should be concerned about the collection, storage, and use of personal data by ed tech companies.
Why did the shift to remote learning lead you to take an interest in digital privacy, and what are the primary concerns that worry you?
The rapid transition to remote learning during the global pandemic meant that schools had to quickly find solutions to reach and educate their students without adequately testing or critically evaluating these technologies. With limited time and resources, they did their best to maintain classes. Whether in school, at work, or simply trying to stay connected with friends, people used whatever tools were available. I found this situation particularly interesting and somewhat concerning because we didn’t fully understand the implications of these technologies, and now many of them are here to stay.
I don’t want to demonize all technology because that would be unfair. The issue lies in the fact that sometimes these technologies are oversold, and now we have the added concern of data privacy. When interacting with these platforms, vast amounts of student data are collected, including how students engage with the platform, their performance on assignments, their procrastination habits, and their interests. These companies accumulate all these data points, and I wanted to understand what they collect, what they do with it, and specifically for this study, what schools consider regarding data privacy in this realm, if they consider it at all.
Many individuals were aware that their security and privacy practices were not up to par.
The school districts that had the best security and privacy practices were those where someone, typically in the IT department, had a genuine concern for student privacy. They went beyond their job requirements because they genuinely cared about the students.
This is not to suggest that school officials do not care about the students – they care deeply about them. However, they are often preoccupied with ensuring that all necessary tasks are completed, such as maintaining the functioning of the school and dealing with disciplinary and staffing issues. Privacy and security of data may not be their primary focus.
Your research takes a unique approach to demonstrate the real-world impact of educational technology on student privacy. How did you go about conducting this research?
We examined the online platforms of educational websites and investigated the privacy risks associated with them. Our findings revealed that 7.4% of these websites contained a session recorder, which records every action performed when engaging with a webpage. This includes details such as the duration of hovering over a particular element, scrolling frequency, and click behavior.
This data collection is concerning, especially considering that these websites are primarily meant for education purposes. Additionally, we discovered a high prevalence of cookies and other trackers being sent to third-party advertising networks. These networks use the collected data to track students’ online activities. As a student, even while completing schoolwork, my online behavior is being used to create an advertising profile that encompasses both my activities outside of school and my actions as a student. This comprehensive profile is then utilized to target me with ads.
This could be distressing for individuals who believe that their school-related activities should only involve themselves, their teacher, parents, and principal.
What is the reason behind education technology companies using session recorders?
While we identified the presence of session recorders and other trackers on these websites, we do not yet have a clear understanding of what information they are recording. We are currently working on a project to investigate this further.
Without this knowledge, it is difficult to make well-grounded assumptions regarding their use – whether it be for legitimate diagnostic purposes to enhance the technology or for more malicious intents. Session recorders are commonly used by technology companies to gain insights into how users interact with their platforms, which can aid in improvement. However, the actual data collected may extend beyond what is strictly necessary to enhance the service, and it could be retained for future use without users’ explicit knowledge.
While malicious uses of session recorders are possible, I cannot speculate on them without definitive proof.
Why should people be concerned about the technology procurement decisions made by school districts? These districts utilize a wide range of digital tools, including those from prominent companies like Google and smaller tech companies. What potential issues can arise if privacy is not prioritized in the selection of these tools?
There are several worrisome outcomes that can arise in such cases. Firstly, the data collected by these companies may not solely reside on their own servers – it can be sold to third parties. Some companies are unclear about which third parties they sell data to, while others explicitly disclose the parties involved and the purpose of the sale.
From a normative perspective, it is concerning that actions performed in the classroom may be harvested and sold, especially considering that these companies often secure large contracts worth millions of dollars to license their technology. They have alternative revenue sources, but the data they can acquire from students can be highly alarming. Information regarding socioemotional behavior, such as instances of misbehavior, trouble at home, or instances of bullying, can be collected by particular services and stored somewhere. And, of course, holding this data poses a security risk.
Illuminate Ed, a learning management system, has decided to withdraw from the ‘Student Privacy Pledge’ following a significant data breach. Learning management systems collect vast amounts of metadata, which includes information about how students approach their assignments, such as whether they procrastinate or complete them early, if they attend class without doing the required reading, and the number of attempts taken to complete quizzes.
While these data are accessible to teachers, they are stored on servers and not regularly deleted. This lack of data minimization and inadequate security measures pose a potential privacy risk for students in the event of another breach, which has unfortunately become a recurring problem. Previous breaches have already exposed sensitive student information, prompting calls for federal regulations to safeguard privacy rights in an educational setting.
Certain types of information, such as nonconsensual disclosures of intimate images (commonly known as revenge porn), can be compared to student data. Just as there should be a zone of privacy around personal intimate life, there should also be a similar zone of privacy around a student’s educational life. Education should be a space where students can learn, make mistakes, and grow without fear of being constantly recorded. The consequences of such monitoring can impact future prospects, such as college admissions or employment records. For example, if a potential employer has access to a student’s complete history of assignment submission, they may prefer to hire someone who consistently turns in work early. However, this information may not reveal the improvement made by a student who struggled with organizational skills in the past but later overcame their challenges in high school.
Ultimately, how a student performs in the classroom should remain confidential. While final grades are shared, more detailed data should only be accessible to the student and their teacher. The educational environment should be a safe space for learning, growth, and the freedom to make mistakes, without facing external repercussions.