Tracking: EDU

Part IV: Implications & Action Steps

Based on automated and manual reviews conducted over 4 months (between October 2017 and January 2018) of every state department of education website and a nationwide sample of 159 school district websites, Tracking: EDU found that:

In sum, this analysis of education agency websites suggests a widespread lack of attention to issues of online security and privacy, and should spur prompt action at the highest levels of education leadership to remediate the many (and sometimes significant) deficiencies and lack of compliance brought to light.


Use of School Websites is All But Mandatory

School, district and state department of education websites serve as the definitive public sources of information about school schedules, news and events, academic standards and curricular resources, testing and school accountability, teacher certification, support services for students with special needs, supplemental learning opportunities, and school and staff contact information. These websites also allow educators and students’ families easy opportunities to update school records, check on their students’ progress, make payments for school services, and sign up for educational, financial, and other social service programs.


Implications

At the same time, the study also has broader implications and raises broader questions about state and local education agency website security and privacy practices. While not exhaustive, these questions include the following:


Do the security and privacy of state and local education agency websites matter if these are not primarily student-facing websites?

Yes. All users of and visitors to state and local government websites – including state and local education agencies – should expect that baseline security and privacy practices are in place. These practices serve to protect both users of the site (including employees) and the government administrators of the websites from malicious third-party actors. Moreover, it is vital that all data collection by state and local governments is disclosed, and that members of the public are fully informed of their rights under applicable law, including the possibility, if it exists, of opting-out of such collections. Finally, the security and privacy of state and local education agency websites is important, because it reflects the care with which state and local agencies manage the data and IT assets entrusted to them, including sensitive data about students.


Are the data harvested by ad trackers and online surveillance classified as ‘personally identifiable information’ (PII)? If the data collected are not personally identifiable, why should anyone be concerned?

While the data elements collected by ad trackers and online surveillance tools may not meet legal definitions of personally identifiable information (PII) for the state and local education agencies that deploy them on their websites, they are nonetheless extensive and arguably intrusive. For instance, the Matomo (Piwik) JavaScript Tracker automatically collects and logs by default the following data from every user of the websites on which it is installed:

  • User IP address (which may be optionally anonymized)
  • Optional User ID
  • Date and time of the request
  • Title of the page being viewed (Page Title)
  • URL of the page being viewed (Page URL)
  • URL of the page that was viewed prior to the current page (Referrer URL)
  • Screen resolution being used
  • Time in local user’s timezone
  • Files that were clicked and downloaded (Download)
  • Links to an outside domain that were clicked (Outlink)
  • Pages generation time (the time it takes for webpages to be generated by the webserver and then downloaded by the user: Page speed)
  • Location of the user: country, region, city, approximate latitude and longitude (Geolocation)
  • Main Language of the browser being used
  • User Agent of the browser being used

From that data, Matomo can infer the browser, operating system, device used (desktop, tablet, mobile, TV, car, console, etc.), brand, and model. If not disabled, information also is stored by default in first party cookies and then collected by Matomo, including: (a) Random unique Visitor ID, (b) Time of the first visit for this user, (c) Time of the previous visit for this user, and (d) Number of visits for this user. Custom configurations allow even more fine-grained data collection and tracking.

While a state or local education agency may be hard pressed to identify specific individuals from access to these sorts of data alone, when these data are combined with data from other sources and/or ad tracking tools – such as is routinely done by the third parties providing the services found by this study to be deployed on state and local education agency websites – research has repeatedly demonstrated that it is trivial for data analysts to identify specific individuals:

“The current regulatory framework is predicated on the supposition that data that has been scrubbed of direct identifiers is ‘anonymized’ and can be readily sold and disseminated without regulation because, in theory, it cannot be traced back to the individual involved. However, today’s techniques of re-identification can nullify scrubbing and compromise privacy.” (Lubarsky, Boris. Re-Identification of “Anonymized” Data. Georgetown Law Technology Review 202, 2017.)

For instance, consider the 2017 research that demonstrated that knowing a mere 10 URLs that an individual visits can be enough to uniquely identify them. Or, consider other recent research that showed that for roughly $1,000, someone with devious intent can purchase and target online advertising in ways that allow them to track another individual’s behavior, including their specific location in the real world.

It is no wonder that some ad tracking or online surveillance providers treat the data aggregated by their services as personal data (PII), even if their partners (such as state and local education agencies) don’t at the time of collection.


Why are state and local education agencies sharing data with online advertising companies? Is this allowable?

Some – but not all – school districts partner with private companies to market products and services to students, families, and educators. State education agencies are less likely to do so (and often are prohibited under state rules from doing so). However, it seems clear that the vast majority of those districts that have policies about advertising have not explicitly considered the implications of embedded free-of-cost ad trackers on their websites. State and local education agency policies must be updated to reflect partnerships and data sharing agreements with online advertising companies.


Can’t users – whether parents, students, educators, members of the media, etc. – just opt out of these automated collections if they have concerns?

First, state and local education agency website users can only opt out of data collection when they have been informed it is occurring. Ad tracking and online surveillance tools collect data from users without their explicit knowledge or consent. As such, the only way that typical users would know they could opt out is if that was clearly explained to them on the state or local education agency’s website (such as in their privacy policy).

Second, given ever evolving and more sophisticated ad tracking technology, it is not clear that there are even effective means to opt out. Tech-savvy users can install ad blockers and set their web browsers to reject cookies and scripts, for instance, but this can break website functionality – to say nothing of the fact that online surveillance tools are regularly enhanced to penetrate these privacy and security protections.


Website analytics tools help website administrators manage their sites. Why should anyone be concerned that the vast majority of state and local education agency websites rely on Google Analytics?

Google Analytics is a freemium product that Alphabet (Google’s parent company) uses as one of the foundations for its lucrative online advertising business. That business is based on increasingly sophisticated user tracking across websites, across devices, and over time, which provides the company with the ability to precisely categorize, segment, and target internet users:

“We generate revenues primarily by delivering online advertising that consumers find relevant and that advertisers find cost-effective” (Alphabet 2016 annual report, page 1)

Google Analytics is a powerful online marketing tool, and while it may be configured to be more privacy-respecting of website visitors, privacy advocates have repeatedly raised questions about the potential negative consequences of the company’s disproportionate market share (including in the K-12 education market) and lack of transparency.

One alternative, free-to-deploy, powerful website analytics tool used by some state and local education agency websites is Matomo (formerly, Piwik). Matomo is privacy-respecting open source software (with paid support options) that provides website owners with powerful analytics about visitors to their website. Website administrators running Matomo on their servers maintain direct control over all data collection, analysis, and third-party sharing (which is in contrast to many commercial alternatives, including Google Analytics). Given the widespread lack of compliance in the education sector with Google Analytics Terms of Service, it may be that state and local education agencies would do well to consider alternatives.


Isn’t it enough for state and local education agencies to develop and enforce strong privacy policies about the collection and use of student data?

There are good reasons that the K-12 education sector has been focused on issues of student data privacy in recent years. However, state departments of education and school districts are charged with managing a growing array of valuable data and IT assets, including on school facilities, employees, and operations. (Indeed, the K-12 Cyber Incident Map documents some of the challenges facing school districts in this regard.)

As Tracking: EDU has shown, not all of the data (or metadata) that state and local education agencies collect and share with third parties is gathered with the knowledge and/or consent of the people from whom it is collected. It is not sufficient that state and local education agency privacy policies and practices focus solely on students or solely on active data collection. Indeed, in some cases, the data collected invisibly by these tools is equally if not more valuable to third-party marketing companies than what is transparently collected.


Action Steps

School website policies and practices have evolved over time, and it may take time to improve them. Nonetheless, this study revealed potentially significant issues with state and local education agency websites, including apparent violations of state laws and widespread breaches in the terms of service that education agencies have entered into with third-party providers. Numerous action steps are warranted for leadership at different levels of the education system:

Members of state boards of education and state education agency staff should:

  • Ensure their state education agency website is in compliance with all applicable federal and state laws and the terms of service of third-parties with whom they have partnered.
  • Ensure their state agency website privacy policy (a) accurately describes the agency’s data collection practices and policies, including for data sharing with third-party online advertising companies, and (b) clearly informs website visitors of their ability to opt out of any such collections, if at all.
  • Re-evaluate the need for and use of proprietary third-party ad trackers and online surveillance tools on their state agency website. If a need for the functionality provided by these tools is identified, assess whether there are more privacy-respecting options available.
  • Regularly evaluate the sufficiency of their agency’s website security features (e.g., by using Observatory) – and implement a plan to improve them.
  • Develop and disseminate guidance on school websites to local education agencies on how they can comply with applicable laws and the terms of service of third-parties, including by setting expectations for minimum privacy and security features.

Members of local school boards and school district staff should:

  • Ensure their local education agency website is in compliance with all applicable federal and state laws and the terms of service of third-parties with whom they have partnered.
  • Ensure their local agency website privacy policy – as distinct from their website vendor’s privacy policy, if they have contracted a vendor to host their website – (a) accurately describes the agency’s data collection practices and policies, including for data sharing with third-party online advertising companies, and (b) clearly informs website visitors of their ability to opt out of any such collections, if at all.
  • Re-evaluate the need for and use of proprietary third-party ad trackers and online surveillance tools on their local agency website. If a need for the functionality provided by these tools is identified, assess whether there are more privacy-respecting options available.
  • Regularly evaluate the sufficiency of their agency’s website security features (e.g., by using Observatory) – and implement a plan to improve them.

Educators, students, families, and other members of the public concerned about the issues raised by this study should:

  • Learn about the real-world consequences of school cyber security incidents at the K-12 Cyber Incident Map.
  • Get better informed about the security and privacy features of their state and local education agency websites. The approach employed by this study to evaluate school websites and privacy policies is transparent and straightforward to replicate.
    • Use Observatory to help assess the security features of school websites.
    • Use alternate browsers (e.g., Brave or DuckDuckGo) or browser plug-ins (such as Lightbeam or Ghostery) to help identify the presence of third-party ad tracking and online surveillance.**
    • Locate and read school website privacy policies to learn about their data collection and sharing practices, and your rights to opt out, if applicable.
  • Take steps to protect your online privacy and security by installing a blocker, such as uBlock Origin, and modifying how your browser handles cookies. Log out – not just close the browser tab, but proactively sign out – of social media accounts and online services, including email, if you are not using them. Follow other expert advice about online privacy and security by visiting the Security Planner by the Citizen Lab and Consumer Reports’ 66 Ways to Protect Your Privacy Right Now.
  • Speak up and share your findings, observations, and concerns with others, including with members of your local school board, and advocate for the development of updated policies and regulations.

**NOTE: The process of identifying ad tracking and online surveillance by websites is complex and evolving. Other approaches – while more accurate and/or more privacy-respecting – are also more involved and require more technical skills. 
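One scriptable way to carry out the identification step above, as an added example that is not the study's own tooling: parse a page's HTML and list every host outside the agency's own domain from which the browser is told to load a script, image, frame, or stylesheet. The domain names and sample page are constructed, and the two-label domain comparison in `site_of` is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute normally makes the browser fetch a resource.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []  # (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        wanted = LOADING_ATTRS.get(tag)
        value = dict(attrs).get(wanted) if wanted else None
        if value:
            self.resources.append((tag, urljoin(self.page_url, value)))

def site_of(host):
    # Assumption: the last two labels approximate the registrable domain.
    # A production audit should consult the Public Suffix List instead.
    return ".".join(host.lower().split(".")[-2:])

def third_party_hosts(page_url, html):
    """Return {host: sorted tags} for resources loaded from other sites."""
    first_party = site_of(urlparse(page_url).hostname or "")
    collector = ResourceCollector(page_url)
    collector.feed(html)
    found = {}
    for tag, url in collector.resources:
        host = urlparse(url).hostname
        if host and site_of(host) != first_party:
            found.setdefault(host, set()).add(tag)
    return {host: sorted(tags) for host, tags in found.items()}

# Constructed sample page for a hypothetical district site (not real data).
SAMPLE_URL = "https://www.district.example/calendar"
SAMPLE_HTML = """
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.district.example/js/menu.js"></script>
<script src="//analytics.tracker.example/collect.js"></script>
<img src="logo.png">
<img src="https://pixel.adnetwork.example/p.gif?u=1" width="1" height="1">
<iframe src="https://video.host.example/embed/42"></iframe>
"""

if __name__ == "__main__":
    for host, tags in sorted(third_party_hosts(SAMPLE_URL, SAMPLE_HTML).items()):
        print(host, tags)
```

This inspects only the static HTML, so resources that a script injects after the page loads will not appear. A third-party host in the output is a prompt to check the privacy policy and vendor terms, not proof of ad tracking.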

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.