11/29/14 8:59 AM EST :: Massive open online courses, first envisioned as a way to democratize higher education, have made their way into high schools, but Washington is powerless to stop the flood of personal data about teenage students from flowing to private companies, thanks to loopholes in federal privacy laws.
Universities and private companies this fall unveiled a slew of free, open-access online courses to high school students, marketing them as a way for kids to supplement their Advanced Placement coursework or earn a certificate of completion for a college-level class.
But when middle and high school students participate in classes with names like “Mars: The Next Frontier” or “The Road to Selective College Admissions,” they may be unwittingly transmitting into private hands a torrent of data about their academic strengths and weaknesses, their learning styles and thought processes — even the way they approach challenges. They may also be handing over birth dates, addresses and even driver’s license information. Their IP addresses, attendance and participation in public forums are all logged as well by the providers of the courses, commonly called MOOCs.
With little guidance from federal privacy law, key decisions on how to handle students’ data — including how widely to share it and whether to mine it for commercial gain — are left up to the company hosting the MOOC or its business partners. In fact, student data is even less protected by federal law since the Education Department updated regulations in 2012 to allow for even greater disclosure of students’ personal identifying information.
Parents, activists and a select group of lawmakers are clamoring for a fix. They’ve made student data privacy a top issue in state legislatures, and they’ve even dismantled major data collection efforts. For example, massive parent pushback led to the demise of inBloom — the $100 million student database funded by the Bill & Melinda Gates Foundation — a little more than a year after its launch.
The White House also announced this month that course provider edX will give low-income high school students free completion certificates when they take the classes. And Coursera, another provider, will give teachers free online training. President Barack Obama lauded both commitments for advancing his ConnectED initiative, which aims to connect almost every student in the country to high-speed broadband and transform teaching and learning with technology.
Congress is divided on how to tackle federal privacy law, and existing proposals haven’t gotten traction. Sens. Ed Markey (D-Mass.) and Orrin Hatch (R-Utah) proposed a bill in July that would prohibit the use of personally identifiable information to target advertising to students. Some advocates say it doesn’t go far enough. But Reps. Jared Polis (D-Colo.) and Luke Messer (R-Ind.), among others, want to ensure that fears over student data privacy don’t stifle innovation and make it hard for schools to use online resources that personalize instruction for every student.
They have more of an appetite for industry self-regulation — but critics argue that really isn’t regulation at all.
The people behind the online courses say the metrics they collect will help them better understand not just what students learn, but also how they learn. Less clear is the extent to which providers might profit from the information in other ways, be it by selling the data to other organizations or mining it themselves for marketing gold.
The trend is still young, but an Education Department official urges school districts that are contemplating MOOC instruction to bone up on the Family Educational Rights and Privacy Act and wade carefully through the often jargon-laden privacy policies of companies they work with.
“This is a space where districts need to get up to speed before they jump,” a department official said. “They need to have a common understanding with the MOOC provider about what would happen with the data.”
Murky federal privacy laws
The Family Educational Rights and Privacy Act gives parents rights to their child’s education records up to age 18, after which those rights are transferred to the student. While the department has received no complaints about MOOCs at the college level, “I anticipate receiving inquiries from K-12 officials on the subject,” the department official said.
Several states, including Colorado and Oklahoma, have filled the void with privacy laws of their own. In September, California Gov. Jerry Brown signed landmark legislation banning companies from using students’ personal information collected through online education technology for anything other than the purpose for which it was collected.
The National Association of Secondary School Principals recently issued strong recommendations suggesting that every shred of student data produced as students work online should be designated part of an official “education record” so it’s protected by FERPA. Districts should also appoint a chief privacy officer and ensure that all data involved in contracts with online service providers is protected. And the group said any federal agency or vendor storing student data should use strong encryption.
So how is the ed tech industry approaching the issue? At the urging of Polis and Messer, 13 companies signed a pledge in October swearing never to sell student data or use it to target advertising at students. The pledge was signed by companies like Microsoft, Amplify, Edmodo, Knewton and Houghton Mifflin Harcourt.
But the pledge omits key protections, some privacy advocates say. And conspicuously absent were big names like Apple, Google, Pearson and Khan Academy, which offers free online tutorials used by millions of people worldwide.
Also not listed are edX and Instructure Canvas Network, two MOOC providers that offer courses to high school students.
EdX, a nonprofit founded by Harvard University and the Massachusetts Institute of Technology, unveiled more than two dozen MOOCs for high school students in September. The nonprofit says it now offers more than 40 high school and AP courses. In January, a high school guidance counselor plans to offer a course called “The Road to Selective College Admissions.”
Instructure, a for-profit company, began hosting more than a dozen MOOCs for K-12 students and teachers in August on its platform called Canvas Network. One course, called “Mars: The Next Frontier,” is designed for students ages 14 to 18. There are also a few history courses, like “The Civil War Era,” “The Gilded Age to the Roaring Twenties” and “The Great Depression to the War on Terror.”
Melissa Loble, senior director of Canvas Network, said the company would never release student data for noninstructional or noneducational purposes. But the company is still trying to decide whether to share student data with third parties for educational or research purposes, she said. If the company did, it would severely limit third parties’ access to the data, said Jared Stein, Instructure’s vice president of Research and Education. Stein said most privacy issues would be handled through him or the company’s vice president of operations. Employees are educated about privacy protections under the law when they’re hired, he said.
But privacy advocates note that “educational purposes” is an extremely vague term. It can also mean commercial purposes. For example, providers can use the data to develop new products or market specific courses to students who look like they need help in a certain area — which could ultimately benefit their own bottom line.
Also, the policy notes, aggregate information that isn’t personally identifiable can be shared with the public, researchers and business partners. (EdX has a list of the schools and partners that it works with.)
The nonprofit’s mission “is to allow the use of data from MOOCs for research into how students learn, but we place learner privacy as the priority,” edX General Counsel Tena Herlihy said in a statement. EdX “has appropriate policies and procedures in place to protect privacy, and we protect learner data to the levels required under FERPA.”
The problem is, FERPA is “hopelessly out of date,” said David Hoffman, global privacy officer for Intel Corp., which offers some educational services for teachers.
An Education Department official said that if a student’s performance in one of the online courses is tied to the student’s grade, the MOOC becomes part of the curriculum and the data generated may be protected by law.
The department issued guidance in February to help schools, districts and ed tech vendors navigate the murky world of federal law and how to use student data without subjecting it to commercial exploitation. But even that guidance got some heat for being unclear. “It depends,” begins the answer to one question, about whether student information is protected. “Because of the diversity and variety of online educational services, there is no universal answer to this question.”
What complicates things even further is that the online courses for high school students, still in their infancy, often aren’t supplementing students’ grades. Teachers might use MOOCs, which are open to anyone with an Internet connection, for practice, or students might enroll on their own.
Indeed, some enterprising high schoolers were already taking edX’s free, online college-level courses before the company launched MOOCs for high school students. EdX estimated that about 150,000 of its 2.5 million students were already in high school.
Coursera, another major MOOC provider, has encouraged participation from younger students in the past. For example, an eighth-grader in Pakistan advised interested students to balance MOOCs with homework or take a course with their family. The eighth-grader, her twin brother and mother also blogged about their experience for Coursera last year.
Striking the right balance
The value of data to researchers is also sketchy. In the post-secondary world, striking a balance between sharing data for research purposes and maintaining privacy has proven difficult for the online courses. A study from August found that sharing MOOC data can yield tremendous potential for social science research. But stripping the data of information that can be traced back to students can render it useless, the researchers said. Polis worries that privacy concerns could turn any number of digital learning initiatives into the next inBloom.
“A lot of the practices that occur instill fear in families and prevent them from taking advantage of these new services,” he said. “We need to provide answers and understanding so parents and families have the confidence that they need to have in their kids’ privacy.”
Intel’s Hoffman suspects many start-ups would not be able to answer basic questions — such as “Who is your chief privacy officer? Can you show me your documented internal policy that says how you will use data and what uses of data are prohibited? Will you show me the educational policies you use internally? Can you describe the risk management process to make sure policies are being upheld? Are your third-party vendors being held to the same standards? Do you audit those vendors?”
The potential of the online courses to transform education globally is tremendous, Hoffman said. Policymakers and providers need to unlock the tremendous potential of MOOCs, he said — but they need to do it up front, and they need to do it responsibly.
“We’re transitioning into a new phase of privacy,” he said. “We’re entering the phase of data ethics.”