FBI Memo: Ed Tech Data Collection Poses Risk to Student Privacy, Safety
Vast student data collection by education technology companies and school districts could put children at risk, the Federal Bureau of Investigation said Thursday in a public service announcement. Following several high-profile cyber attacks, the memo offered steps families can take to protect their children’s online information.
“Malicious use of this sensitive data could result in social engineering, bullying, tracking, identity theft, or other means for targeting children,” the FBI memo said.
Student privacy groups cheered the FBI’s release but added that Congress should take steps to update federal student privacy laws they described as antiquated.
The memo highlighted a 2017 cyber attack that targeted school districts across the country and used education data to send students death threats. Hackers also sent ransom letters to school districts, demanding money in exchange for not releasing student information. In separate episodes, the FBI memo noted that two large education technology companies faced cybersecurity issues in 2017. One company exposed student data by storing it on a public-facing server, and another faced a data breach in which student information was later “posted for sale on the dark web.”
Although the FBI memo didn’t specify the education technology companies by name, it likely referred to Edmodo and Schoolzilla. Last year, hackers stole 77 million user accounts from Edmodo and sold the data to a “dark web” marketplace. Meanwhile, a security researcher found that Schoolzilla stored student information on a publicly accessible server, exposing data on an estimated 1.3 million children.
A range of school technology, from laptops to surveillance cameras, could expose students to cybersecurity threats. To address the risk, the law enforcement agency said parents should conduct credit and identity theft checks to ensure student data aren’t being used fraudulently. Parents should also perform regular web searches of student information to ensure it hasn’t been exposed online. Student data at risk of exposure include personally identifiable information, disciplinary records, medical records, web browsing history, and classroom activities, among other information, the FBI said.
The Future of Privacy Forum, a Washington-based think tank, applauded the FBI memo in a blog post Thursday but said school districts often lack financial resources to adequately address such concerns. The group said policymakers need to invest more in security programs that protect student data. To address student privacy, 40 states have passed more than 120 laws since 2013 to better protect information, according to a Future of Privacy Forum tally.
Rachael Stickland, co-founder and co-chair of the Parent Coalition for Student Privacy, said in an interview with The 74 that the FBI memo highlights a need for Congress to update federal student privacy laws. She said the memo brings crucial visibility to the issue as schools are increasingly adopting services offered by education technology companies at a time when “antiquated laws” don’t outline what student information districts can share with third-party vendors. A patchwork of state laws is inadequate, she said. The Family Educational Rights and Privacy Act, the main federal law safeguarding student data privacy, should be updated, she said, to address how districts can share data with education technology companies.
“What we need is a comprehensive approach at the federal level to address these outdated federal laws,” she said. “We really need these modernized to address not only the cybersecurity threats but also the potential misuse of this data.”