By Sharon Noguchi, San Jose Mercury News | http://bit.ly/1q5gG7q
8/31/2014 03:39:02 PM PDT :: SACRAMENTO -- Trying to protect children from marketers, identity thieves and predators, California could establish the nation's toughest protections of student privacy and forbid the sale and disclosure of schools' online student data.
"It's a big win for kids," said James Steyer, whose advocacy group Common Sense Media pushed hard for the bill. He called it a landmark for student privacy and said he hopes other states will follow suit.
Despite forceful pushback from high-tech heavies, the bill by Senate President Pro Tem Darrell Steinberg passed the Legislature unanimously last week.
If signed by Brown, Senate Bill 1177 would prohibit targeted ads based on school information and creating student profiles when not used for education purposes. And it would require that educational tech data be kept secure.
Steinberg, D-Sacramento, called the bill "a reasonable but aggressive measure that makes clear that data collected by private companies needs to be used only to enhance and improve the education for young people."
A tandem bill by Assemblymember Joan Buchanan, D-Alamo, that was also approved by the Legislature requires that student data managed by outside companies remain the property of school districts and in their control. Some data-management contracts have awarded companies the right to use records as they please.
The legislation comes amid rapid growth in the educational software and digital content industry, estimated more than a year ago at $8 billion nationally. School districts outsource management of student records -- covering attendance, grades, discipline, health, academic progress as well as parent and student contact information and sometimes even a child's physical location.
Teachers use programs to teach and track progress or control behavior. Both types of systems include individual accounts brimming with information on each student, the type of data enticing to those wishing to sell to or prey on children.
Federal law already prohibits districts from releasing student information but doesn't limit the firms that contract to manage data.
"That information is never supposed to leave the district, but, by definition of the cloud infrastructure, it's already left the district's hands," said Steven Liao, a Danville parent who has been alarmed about gaps in schools' cybersecurity. Classroom technology, he said, is proliferating more quickly than systems to manage it.
"Teachers are under tremendous pressure to implement web-based technology. Students learn to type in third grade, do Google Docs in fourth grade, blog in fifth grade," said Liao, a former information security auditor.
"It puts children's physical security at risk," he said. "It's irrelevant for the data to be encrypted if people have access to it."
The bill offers needed guidance for educators and protection for students, said Kelly Calhoun, chief technology officer of the Santa Clara County Office of Education. It will enable teachers, she said, "to use good instructional materials without worrying about what might happen to any data shared in the process.
Industry officials have vehemently denied that they use any student data for anything other than the intended educational purposes, even though studies have pointed out that educational technology contracts often fail to prohibit the sale of students' personal information.
Last spring, Google admitted to Education Week magazine that in its classroom applications it scanned the content of student emails for advertising purposes. Illustrating the sensitivity of the issue and the push to protect children online, tech companies did not register formal opposition to the Steinberg bill and declined to explain any concerns about it. In a statement, Mark Schneiderman of the Software & Information Industry Association said that current laws already safeguard student privacy.
"We appreciate both Senator Steinberg's leadership on this issue and his willingness to work with industry groups and other interested parties on SB1177," the statement said, adding that the group and its members will carry out the law, known as the Student Online Personal Information Protection Act.
The bill is likely to force companies to more diligently encrypt data, although it's unclear how that will work in class. San Francisco-based ClassDojo, an application that helps manage class behavior, is encrypted -- but some schools block such encryption in order to monitor teacher-parent-student communication, company cofounder Sam Chaudhary said.
But Los Altos parent Tony Porterfield has found portions of ClassDojo not fully encrypted. He has lobbied schools, sports teams and companies to tighten privacy protections. And he calls the bill "a great start."
Unlike the finance industry, he said, for education technology "there are no standards and no real transparent metrics for a lay person to know if a site is secure or not."
Porterfield pointed to proliferating software that helps educators track how students perform and that collect names, achievement and behavior. In the case of behavioral management programs, "What if they aggregate that and start tracking kids?" he asked. "That's a huge concern."
Aden Fine, chief privacy officer for EdModo, said the San Mateo-based company "never had any concerns with the intent of this bill." The company was founded to link teachers and students securely online; last year it became fully encrypted.
Steyer of Common Sense Media said that "technology used wisely can transform learning, but students should never have to surrender their privacy at the schoolhouse door."