Fordham Center on Law and Information Policy study: Cloud computing poses privacy risks for school information

15 Dec

Many schools and districts are using cloud computing. Judith Hurwitz, Robin Bloor, Marcia Kaufman, and Fern Halper from Cloud Computing For Dummies wrote about cloud computing in What Is Cloud Computing?

Cloud computing is the next stage in the Internet’s evolution, providing the means through which everything — from computing power to computing infrastructure, applications, business processes to personal collaboration — can be delivered to you as a service wherever and whenever you need.
The “cloud” in cloud computing can be defined as the set of hardware, networks, storage, services, and interfaces that combine to deliver aspects of computing as a service. Cloud services include the delivery of software, infrastructure, and storage over the Internet (either as separate components or a complete platform) based on user demand. (See Cloud Computing Models for the lowdown on the way clouds are used.)
Cloud computing has four essential characteristics: elasticity and the ability to scale up and down, self-service provisioning and automatic deprovisioning, application programming interfaces (APIs), billing and metering of service usage in a pay-as-you-go model. (Cloud Computing Characteristics discusses these elements in detail.) This flexibility is what is attracting individuals and businesses to move to the cloud.
The world of the cloud has lots of participants:
•The end user who doesn’t have to know anything about the underlying technology.
•Business management who needs to take responsibility for the governance of data or services living in a cloud. Cloud service providers must provide a predictable and guaranteed service level and security to all their constituents. (Find out what providers have to consider in Cloud Computing Issues.)
•The cloud service provider who is responsible for IT assets and maintenance.
Cloud computing is offered in different forms: public clouds, private clouds, and hybrid clouds, which combine both public and private. (You can get a sense of the differences among these kinds of clouds in Deploying Public, Private, or Hybrids Clouds.)
Cloud computing can completely change the way companies use technology to service customers, partners, and suppliers…. http://www.dummies.com/how-to/content/what-is-cloud-computing.html

Moi wrote about cloud privacy concerns in Does ‘cloud storage’ affect student privacy rights?

Mike Bock wrote the intriguing Education Week article, Districts Move to the Cloud to Power Up, Save Money:

There are serious questions and concerns, however, about moving computer operations to the cloud. Chief among those worries is the security of sensitive data, such as student records. That concern alone has led some district information-technology leaders to remain hesitant about moving in that direction….
Bandwidth Needs Grow
But for districts with the bandwidth infrastructure in place, experts say cloud approaches offer lower costs and less time spent on maintenance. Since many cloud-based applications are offered either for free or for a monthly subscription rate, upfront costs for software are typically lower than the standard model of purchasing software and installing it across the district….
Privacy Concerns
But there is a trade-off. If a district puts its student-information system in a cloud environment, the cloud provider has access to information about all students.
Districts need to be protective and aware of that reality and must follow requirements outlined in state and federal policy, including the Children’s Online Privacy Protection Act, a federal law that requires that websites obtain parents’ consent before collecting personal details about users, such as home addresses or email addresses, from children younger than 13…. http://www.edweek.org/dd/articles/2013/02/06/02cloud.h06.html?tkn=PYMF4hhA6EcyMvzcq4T6AaBDFNeT6fynaPVn&cmp=clp-edweek&intc=es
School districts have to balance the rights of students to an education with the need to know of other parties. https://drwilda.com/2013/02/19/does-cloud-storage-affect-student-privacy-rights/

Kalyani M. posted Privacy Issues For Schools Using The Cloud at Spideroak blog:

While use of cloud services help schools to save thousands of dollars, the data security and privacy risks presented by these services cannot be ignored. The survey report by SafeGov.org says “there are a number of areas where advertising-oriented cloud services may jeopardize the privacy of data subjects in schools, even when ad-serving is nominally disabled. Threats to student online privacy occasioned by the use of such services in the school environment include the following:
•Lack of privacy policies suitable for schools: By failing to adopt privacy policies specifically crafted to the needs of schools, cloud providers may deliberately or inadvertently force schools to accept policies or terms of service that authorise user profiling and online behavioural advertising.
•Blurred mechanisms for user consent: Some cloud privacy policies, even though based on contractual relationships between cloud providers and schools, stipulate that individual data subjects (students) are also bound by these policies, even when these subjects have not had the opportunity to grant or withhold their consent.
• Potential for commercial data mining: When school cloud services derive from ad-supported consumer services that rely on powerful user profiling and tracking algorithms, it may be technically difficult for the cloud provider to turn off these functions even when ads are not being served.
•User interfaces that don’t separate ad-free and ad-based services: By failing to create interfaces that distinguish clearly between ad-based and ad-free services, cloud providers may lure school children into moving unwittingly from ad-free services intended for school use (such as email or online collaboration) to consumer ad-driven services that engage in highly intrusive processing of personal information (such as online video, social networking or even basic search).
•Contracts that don’t guarantee ad-free services: By using ambiguously worded contracts and including the option to serve ads in their services, some cloud providers leave the door open to future imposition of online advertising as a condition for allowing schools to continue receiving cloud services for free.”
SafeGov has also sought support from European Data Protection Authorities to implement rules for both cloud service providers and schools. As per these rules or codes of conduct-targeted advertising in schools and processing or secondary use of data for advertising purposes should be banned. In the privacy policy agreement contract between the schools and service providers it should be clearly stated that student data would not be used for data mining and advertisement purposes.
Keeping all these things in mind, the schools should make sure the data would be stored and managed by the service providers before moving to cloud services. They should demand assurance from the service providers that the information collected by them will not be used for data mining, targeted advertising or sold to third parties… https://spideroak.com/privacypost/cloud-security/privacy-issues-when-schools-use-cloud-services/

See, Testing the Waters of Cloud Computing http://www.scholastic.com/browse/article.jsp?id=3753288

Sean Cavanaugh reported in the Education Week article, Districts’ Use of Cloud Computing Brings Privacy Risks, Study Says:

School districts have become increasingly reliant on cloud-based technologies despite “substantial deficiencies” in policies governing those Web-based systems and their protection of private student data, a new study finds.
The study, released today by the Fordham Law School’s Center on Law and Information Policy, seeks to provide the first national examination of privacy and cloud computing in public schools. The study authors also put forward a series of recommendations to policymakers for ramping up safeguards on students’ private information.
Fordham researchers based their study on a national sample of public school districts, asking for detailed information from 54 urban, suburban, and rural systems around the country.
Among the information they sought: contracts between districts and technology vendors; policies governing privacy and computer use; and notices sent to parents about student privacy and districts’ use of free or paid, third-party consulting services.
The study concludes that privacy implications for districts’ use of cloud services are “poorly understood, non-transparent, and weakly governed.”
Only 25 percent of the districts examined made parents aware of the use of cloud services, according to the study. Twenty percent do not have policies governing the use of those services, and a large plurality of districts have “rampant gaps” in their documentation of privacy policies in contracts and other forms.
To make matters worse, districts often relinquish control of student information when using cloud services, and do not have contracts or agreements setting clear limits on the disclosure, sale, and marketing of that data, the Fordham researchers say.
The Fordham study concludes that districts, policymakers, and vendors should consider taking a number of steps to increase privacy protections, including:
• Providing parents with sufficient notice of the transfer of student information to cloud-service providers, and assuring that parental consent is sought when required by federal law;
• Improving contracts between private vendors and districts to remove ambiguity and provide much more specific information on the disclosure and marketing of student data;
• Setting clearer policies on data governance within districts, which includes establishing rules barring employees from using cloud services not approved by districts. States and large districts should also hire “chief privacy officers” responsible for maintaining data protections;
• Establishing a national research center and clearinghouse to study privacy issues, and draft and store model contracts on privacy issues. The center should be “independent of commercial interests to assure objectivity,” the study authors said.
“School districts throughout the country are embracing the use of cloud computing services for important educational goals, but have not kept pace with appropriate safeguards for the personal data of school children,” said Joel Reidenberg, a professor at Fordham’s law school who worked on the study, in a statement accompanying its release. “There are critical actions that school districts and vendors must take to address the serious deficiences in privacy protection….” http://blogs.edweek.org/edweek/DigitalEducation/2013/12/fewer.html?intc=es

Citation:

Center on Law and Information Policy
Privacy and Cloud Computing in Public Schools
Joel R. Reidenberg, Fordham University School of Law
N. Cameron Russell, Fordham University School of Law
Jordan Kovnot, Fordham University School of Law
Thomas B. Norton, Fordham University School of Law
Ryan Cloutier, Fordham University School of Law
Daniela Alvarado, Fordham University School of Law
Download Full Text (760 KB)
http://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=1001&context=clip
Description
Today, data driven decision-making is at the center of educational policy debates in the United States. School districts are increasingly turning to rapidly evolving technologies and cloud computing to satisfy their educational objectives and take advantage of new opportunities for cost savings, flexibility, and always-available service among others. As public schools in the United States rapidly adopt cloud-computing services, and consequently transfer increasing quantities of student information to third-party providers, privacy issues become more salient and contentious. The protection of student privacy in the context of cloud computing is generally unknown both to the public and to policy-makers. This study thus focuses on K-12 public education and examines how school districts address privacy when they transfer student information to cloud computing service providers. The goals of the study are threefold: first, to provide a national picture of cloud computing in public schools; second, to assess how public schools address their statutory obligations as well as generally accepted privacy principles in their cloud service agreements; and, third, to make recommendations based on the findings to improve the protection of student privacy in the context of cloud computing. Fordham CLIP selected a national sample of school districts including large, medium and small school systems from every geographic region of the country. Using state open public record laws, Fordham CLIP requested from each selected district all of the district’s cloud service agreements, notices to parents, and computer use policies for teachers. All of the materials were then coded against a checklist of legal obligations and privacy norms. The purpose for this coding was to enable a general assessment and was not designed to provide a compliance audit of any school district nor of any particular vendor.
Publication Date
12-13-2013
Rights
© 2013. Fordham Center on Law and Information Policy. This study may be reproduced, in whole or in part, for educational and non-commercial purposes provided that attribution to Fordham CLIP is included.
Publisher
Fordham Center on Law and Information Policy
City
New York
Keywords
children, education, cloud computing, school, FERPA, PPRA, COPPA, privacy, Joel Reidenberg, Cameron Russell, Fordham, CLIP
Privacy and Cloud Computing in Public Schools
Included in Communications Law Commons

There is a complex intertwining of laws which often prevent school officials from disclosing much about students.

According to Fact Sheet 29: Privacy in Education: Guide for Parents and Adult-Age Students,Revised September 2010 the major laws governing disclosure about student records are:

What are the major federal laws that govern the privacy of education records?
◦Family Educational Rights and Privacy Act (FERPA) 20 USC 1232g (1974)
◦Protection of Pupil’s Rights Amendments (PPRA) 20 USC 1232h (1978)
◦No Child Left Behind Act of 2001, Pub. L. 107-110, 115 STAT. 1425 (January 2002)
◦USA Patriot Act, P.L. 107-56 (October 26, 2001)
◦Privacy Act of 1974, 5 USC Part I, Ch. 5, Subch. 11, Sec. 552
◦Campus Sex Crimes Prevention Act (Pub. L. 106-386)
FERPA is the best known and most influential of the laws governing student privacy. Oversight and enforcement of FERPA rests with the U.S. Department of Education. FERPA has recently undergone some changes since the enactment of the No Child Left Behind Act and the USA Patriot Act…. https://www.privacyrights.org/fs/fs29-education.htm

The Fordham study indicates that many schools and districts have not fully analyzed student privacy concerns in their rush to the cloud.

Resources:
What cloud computing really means http://www.infoworld.com/d/cloud-computing/what-cloud-computing-really-means-031

What Is Cloud Computing? http://www.pcmag.com/article2/0,2817,2372163,00.asp

FERPA General Guidance for Students http://ed.gov/policy/gen/guid/fpco/ferpa/students.html

No Child Left Behind A Parents Guide http://ed.gov/parents/academic/involve/nclbguide/parentsguide.pdf

Related:
Data mining in education https://drwilda.com/2012/07/19/data-mining-in-education/

Who has access to student records? https://drwilda.com/2012/06/11/who-has-access-to-student-records/

Where information leads to Hope. © Dr. Wilda.com

Dr. Wilda says this about that ©

Blogs by Dr. Wilda:

COMMENTS FROM AN OLD FART©
http://drwildaoldfart.wordpress.com/

Dr. Wilda Reviews © http://drwildareviews.wordpress.com/

Dr. Wilda © https://drwilda.com/

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: