Cross-posted on the K-12 Cybersecurity Resource Center blog: https://k12cybersecure.com/.


New Study of School Websites Reveals Widespread Online Security and Privacy Issues

According to a new study released today by EdTech Strategies, Tracking: EDU – Education Agency Website Security and Privacy Practices, state and local education agency websites were found to lack important security and privacy protections for students, families, and educators. “State department of education and school district websites have become indispensable for accessing information about public schools and to communicating with school officials,” said Douglas Levin, president of EdTech Strategies and study director. “However, analyses of education agency websites suggest a widespread lack of attention to issues of online security and privacy.”

Based on automated and manual reviews conducted over 4 months (between October 2017 and January 2018) of every state department of education website and a nationwide sample of 159 school district websites, Tracking: EDU found that:

The use of third-party ad tracking and online surveillance technology was found to be nearly universal on both state and local education agency websites. While the use of Google user tracking technology, including but not limited to the use of Google Analytics services, was found to be deployed on 9 of 10 state and local education agency websites, well over 40 unique tracking services were identified in the limited scans conducted by this study. Also commonly found on state and local education agency websites were ad trackers provided by Twitter and Facebook.


The Tennessee Department of Education website deploys a large number of ad trackers. Retrieved October 25, 2017.


While 63 percent of state education agency websites published a privacy policy that disclosed the presence and use of ad tracking and/or cookies on their sites, no fewer than 10 states made misleading or provably false statements about their data collection and privacy practices. School district practices were found to be even more concerning: only 12 percent of school district websites published a privacy policy that disclosed the presence and use of ad tracking and/or cookies on their sites. Finally, despite the near universal deployment of the Google Analytics product on state and local education agency websites, only 4 states and 2 school districts were found to be approaching compliance with Google’s Terms of Service, which require specific privacy-related disclosures by its customers to their users (including about what it is collected and how users can opt out of data sharing).

Report of Firefox’s Lightbeam extension after a brief visit to a school district website (recorded on October 26, 2017). Triangles represents tracking of this visit by third-parties, including online advertising companies.

State department of education websites, like those offered by Maine and Utah, demonstrate that state and local education agency websites can offer meaningful, privacy-respecting experiences to parents, educators, and other stakeholders without resorting to invasive and undisclosed ad tracking.

School districts included in the study were drawn from the membership of the Council of Great City Schools; the League of Innovative Schools, a program of Digital Promise; and, members of the first cohort of the Consortium for School Networking‘s Trusted Learning Environment Seal initiative. Membership in these groups was not found to be consistently associated with better website security or privacy practices.

School administrators, technology directors, and education policymakers – including state board of education and local school board members – are encouraged to act swiftly to address the issues raised by this first-of-its-kind study. “Partnerships with online advertising companies on school websites must be disclosed. In the vast majority of cases, these relationships do not offer substantial benefits to students, families, or educators – and they should be discouraged,” said Douglas Levin. “The good news is that there are free, privacy-respecting tools that exist to improve website security and replace the functionality of many of these advertising-based services. The cost of seeking news and information about your state and community’s public schools should not be your privacy or online safety.”


About EdTech Strategies

EdTech Strategies, LLC, is a boutique consultancy focused on providing strategic research and counsel on issues at the intersection of education, public policy, technology, and innovation. Douglas Levin is founder and president. A trusted adviser to federal and state policymakers and education leaders, Mr. Levin has conducted high-profile empirical research that has informed and shaped the field, helped build unique online tools for educators and school leaders, and written and spoken widely about the trends shaping the future of education. He developed and maintains The K-12 Cyber Incident Map, a unique resource that sheds light on emerging school cybersecurity issues and practices. For more information, please visit: https://www.edtechstrategies.com.