Peter A Clarke

As the saying goes, the road to hell is paved with good intentions.  That may be the sombre story of education apps used during the Pandemic.   The Human Rights Watch has undertaken a detailed study, How Dare They Peep into My Private Life.  Of particular interest is some of the practices of EdTech.  The EdTech apps were used by students in Australia during the lockdowns.  The Victorian and New South Wales Governments have announced inquiries.  The Victorian Information Commissioner raised concerns about education apps as far back as August 2020 stating in a report that “..we consider that schools are at risk of breaching the [Information Privacy Principles] IPPs when using apps and web?based learning tools that handle student personal information.” 

The report has been reported in Itnews with Edtech vendors invaded student privacy: Human Rights Watch,  InnovationAus in ‘Dystopian’: Govt-endorsed education apps surveilling Australian children and the ABC with Investigation reveals tracking by EdTech of millions of Australian school students during COVID lockdowns.

Some interesting findings from the Report are:

•  Of the 164 EdTech products reviewed, 146 (89 percent) appeared to engage in data practices that put children’s rights at risk, contributed to undermining them, or actively infringed on these rights. The products monitored or had the capacity to monitor children, in most cases secretly and without the consent of children or their parents, and harvest data.
• Most online learning platforms:
  • installed tracking technologies that trailed children outside of their virtual classrooms and across the internet, over time.
  • sent or granted access to children’s data to third-party companies, usually advertising technology (AdTech) companies. In doing so, they appear to have permitted the sophisticated algorithms of AdTech companies the opportunity to stitch together and analyze these data to guess at a child’s personal characteristics and interests, and to predict what a child might do next and how they might be influenced.
• Some EdTech products targeted children with behavioral advertising — to target them with personalized content and advertisements that follow them across the internet.
• these companies not only distorted children’s online experiences, but also risked influencing their opinions and beliefs at a time in their lives when they are at high risk of manipulative interference.
• many more EdTech products sent children’s data to AdTech companies that specialize in behavioral advertising or whose algorithms determine what children see online
• In all cases, data surveillance took place in virtual classrooms and educational settings where children could not reasonably object to such surveillance.
• most EdTech companies did not allow their students to decline to be tracked; most of this monitoring happened secretly, without the child’s knowledge or consent.
• in most instances, it was impossible for children to opt out of such surveillance and data collection without opting out of compulsory education and giving up on formal learning altogether during the pandemic

On 19 May the Federal Trade Commission announced that would be cracking down on education technology companies if they illegally surveil children. Coincidence the work of Human Rights Watch?  The FTC also issued a policy statement.  The FTC statement provides:

The Federal Trade Commission announced today that it will crack down on education technology companies if they illegally surveil children when they go online to learn. In a new policy statement adopted today, the Commission made it clear that it is against the law for companies to force parents and schools to surrender their children’s privacy rights in order to do schoolwork online or attend class remotely. Under the Children’s Online Privacy Protection Act, companies cannot deny children access to educational technologies when their parents or school refuse to sign up for commercial surveillance.  

“Students must be able to do their schoolwork without surveillance by companies looking to harvest their data to pad their bottom line,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Parents should not have to choose between their children’s privacy and their participation in the digital classroom. The FTC will be closely monitoring this market to ensure that parents are not being forced to surrender to surveillance for their kids’ technology to turn on.”

The policy statement underscores that, even as companies across the economy become more aggressive in harvesting and monetizing individuals’ data, ed tech providers cannot do the same:  Ed tech providers must comply fully with all provisions of the COPPA Rule. Today’s policy statement makes clear that the Commission will vigilantly enforce the law to ensure that companies covered under COPPA are complying with all of the rule’s provisions, including:

• • Prohibitions Against Mandatory Collection: Companies cannot require children to provide more information than is reasonably needed for participation in an activity.

• • Use Prohibitions: Ed tech providers that collect personal information from a child with the school’s authorization are prohibited from using the information for any other commercial purpose including marketing or advertising.  

• • Retention Limitations: Ed tech providers are prohibited from retaining children’s personal information for longer than is necessary to fulfill the purpose for which it was collected and therefore cannot keep such data just because they might want to use it in the future.

• • Security Requirements: Ed tech providers must have procedures to maintain the confidentiality, security, and integrity of children’s personal information.

The policy statement notes that companies that fail to follow the COPPA Rule could face potential civil penalties and new requirements and limitations on their business practices aimed at stopping unlawful conduct.

On the criminal, rather than exploitative, front hackers have been reported sexually extorting children with data stolen from large tech companies which include Apple, Twitter, Google’s parent company Alphabet, Discord, Meta, and Snap Inc according to Bloomberg’s Tech Giants Duped Into Giving Up Data Used to Sexually Extort Minors and Gizmodo’s Report: Hackers Have Been Sexually Extorting Kids With Data Stolen From Tech Giants. 

The ABC article provides:

More than 4 million Australian school students were at risk of unprecedented tracking and surveillance during remote learning as corporations exploited their access to children.

The findings come from the most comprehensive global study into the murky world of student data during COVID-19 lockdowns, and the privacy risks for both students and their families as education shifted from schools to homes.

The global advocacy group Human Rights Watch (HRW) analysed 164 educational apps and websites used in 49 countries, running tests on the code and attempting to track where the data of hundreds of millions of children worldwide ended up.

The HRW findings show that 89 per cent of the educational technology, or “EdTech”, products used globally could put children’s privacy at risk.

Despite international privacy obligations, the products requested access to students’ contacts and locations and monitored their keystrokes. The data was sent to nearly 200 ad-technology companies.

Parents and schools had little choice but to adopt these products to ensure their children kept up with classmates. Opting out could mean repeating a year.

In Australia, it is alleged a number of companies did not meet the promises made in their privacy statements.

ABC News shared the findings with students in years 11 and 12 at a Sydney school where the products were used.

“It’s pretty shocking,” said year 12 student Liam, whose last name has been withheld for privacy reasons.

“When you’re at school, you have the right to feel protected and feel safe. And school ensures that you’re protected and safe. So to have this going on, you don’t expect it.”

The products of concern

The HRW investigation began a year after remote learning began in March 2021 — well beyond the first chaotic months of the pandemic.

Many Australian schools were still using the Adobe Connect app for videoconferencing and screen sharing.

The application had access to students’ cameras and microphones, and HRW identified code allowing it to collect phone numbers.

 

A software development toolkit (SDK) was also detected, which allowed Google to access the same data in real time.

Chris Cooper, the Executive Director of Reset Australia, said tech companies like Adobe had “opaque” business models and were not subject to the same regulations as other companies operating in Australia.

“Teachers, students and parents are left really in the dark with what’s happening with the data the company is collecting on young people,” he said.

ABC News engaged Mr Cooper for expert technical analysis and independent review of the HRW findings. Reset Australia is part of a global, apolitical advocacy group pushing policy solutions to data privacy issues as well as countering digital threats to democracy.

“The big tech companies like us to believe that any kind of regulation is going to break their products and break the internet, but there is a range of sensible, reasonable, appropriate regulations that we can introduce,” Mr Cooper said.

Adobe made clear in its privacy policy that it uses users’ personal data to target them with behavioural advertising and that data is shared with third parties.

Adobe was approached for comment but declined, citing an unpublished response to HRW.

Another global giant

After Microsoft spent $US2.5 billion ($3.5 billion) purchasing the popular Minecraft adventure game, it leveraged its investment by creating a new education spin-off, Minecraft: Education Edition.

The purchase came just before remote learning — a once in a lifetime opportunity to push the product as schools relied on software rather than teachers.

But HRW has accused the company of breaching its privacy policy, which reassured parents with promises that it would not collect or use children’s personal data for non-educational purposes.

The investigation found code in the app making it possible to track children’s precise locations and times they were at those locations, as well as embedding seven SDKs which gave other giant corporations like Google, Twitter and Facebook the same access.

“We know that the tracking built into these apps is very comprehensive and collecting a wide range of data, including real-time GPS location data, as well as information sometimes from the contact lists on people’s phones. As well as things like who they’re hanging out with, where they go to school,” Mr Cooper said.

A Microsoft spokesman declined to address questions about the discrepancies in its privacy policy but said the company was investigating further.

“We take reports of this nature seriously and are investigating these allegations: however, Human Rights Watch has not provided sufficient information on the configurations they tested for us to verify their findings. We’re reaching out to them to get more information so that we can conduct any further investigation needed,” a Microsoft spokesperson said.

The local company

A smaller company that started in New Zealand is among those seeking a future in the rapidly expanding EdTech industry.

It is accused, though, of violating its own privacy policies.

Education Perfect: Science, an online learning platform, is used around the world.

The global private equity giant Kohlberg Kravis Roberts purchased a majority stake in June last year in a deal that valued the company at $US318.82 million.

In Australia, the educational product is in fact licensed to a company called EPL Marketing Services Pty Ltd.

Despite the company’s pledge to protect student data, the HRW analysis shows the presence of ad trackers from Google and Facebook. It also shows keystroke logging was used to monitor students’ work and send it to a third-party American company.

“The parents, teachers and students that are using this platform will have signed a privacy policy consent form that neglects to talk about the 11 or so trackers that the report identified that is collecting a wide range of data on these young people,” Mr Cooper said.

In a statement, Education Perfect acknowledged those trackers and keystroke monitoring are used on its home page but said they were no longer in use once students and teachers logged in.

“We only use Appcues, Mixpanel, Google Tag Manager and Sentry in the logged-in teacher and student accounts. All tools mentioned above do not capture student data and only track anonymous behavioural user data,” the statement said.

The company said it used a different version of Google Tag Manager after login to ensure student data was not captured.

Overseas-based companies analysed in a similar way, through the login page rather than truly replicating the student experience, said this approach was “flawed” as students may enter the site another way.

HRW said five of the 12 companies analysed in this way were “clean” and able to operate without privacy concerns, including a product used in Australia called Stile Education.

Privacy review

With the Privacy Act currently under review, Mr Cooper says governments should ignore lobbying from the EdTech industry and apply to them the proposed new laws designed to protect children’s data.

“Our Privacy Act is woefully outdated for the digital age and so its current review is really important,” he said.

“But we also need specific rules on the use of children’s data, rules that ensure their data is only used in ways that are in their best interests, not the best interests of companies.”

Year 12 student Liam and his friend in year 11 Sofia were the first people in Australia to be briefed on the findings.

The students were particularly concerned about “persistent identifiers”, an anonymised number given to students to track their behaviour and create profiles.

 

Liam noticed an increase in targeted personal advertisements after remote learning.

“It’s pretty nerve-racking, knowing that sometimes you’re just going to be speaking about something and that it’s then being advertised to you later. And I think it’s definitely going to become a big, big issue in the future,” Liam said.

Sofia said that despite her generation being more aware of tracking than others, the fact it could be happening through school worried her.

“It’s really frightening when you realise that you’re being watched all of the time and everything that you search up can be turned against you,” she said.

“Who knows — if this data came into the wrong hands, what could happen? It’s really scary.”

Legal analysis

As well as technical analysis, ABC News briefed UTS data expert and former Australian human rights commissioner Edward Santow to understand how students could be better protected in the future.

Like HRW, Professor Santow believes the state governments responsible for education should have been more aware of the risks of remote learning and were “naive”.

“There’s been years of experience here where tech companies have been offering what looked like very discounted products and services,” Professor Santow said.

“But there’s a reason for that. There’s some other value they’re deriving from it. Governments really need to be awake to that.”

The HRW investigation focused on Australia’s two biggest states, New South Wales and Victoria, but the products described were used across the country.

The ABC briefed both state education ministers on the findings.

Victorian Education Minister James Merlino said the products HRW highlighted had been through a “rigorous privacy impact assessment” and while the companies had reassured government about their conduct, he was having this reviewed independently.

“Any misuse of sensitive student information is extremely concerning,” Mr Merlino said.

“We won’t take any chances on the safety of our students and I have asked the Department of Education and training to undertake a review to ensure these tech companies are staying true to their Privacy Policies and not compromising any student data.”

The New South Wales Education Department is also now investigating.

“The findings of the report are concerning, and the Department is liaising directly with the three platform providers to ensure that student data is protected as agreed,” said the department’s chief operating officer, David Withey.

Professor Santow warned of the risk of the commercialisation of the classroom.

“Our laws set out special protections to keep young people safe. And so that means that companies that are really trying to exploit personal information of kids really need to be pushed back on very firmly,” Professor Santow said.

‘We’re failing all young Australians’

As EdTech becomes a part of Australian schools beyond the pandemic, the upcoming review of the Privacy Act will be crucial in determining the protection students have.

“These practices pose serious harms for all young people but the impact on individual children varies depending on socio-economic background, ethnicity, race, gender and more,” Mr Cooper said.

“When these companies are allowed to collect and use the data of our young people wholesale, we’re failing all young Australians, but particularly those who are marginalised.”

ABC News was among 13 international media outlets in 16 countries given exclusive access to the raw data and findings, as part of a consortium called EdTech Exposed.

The consortium was coordinated by non-profit group The Signals Network, which coordinates global media investigations and assists whistleblowers. For two months, journalists have independently sought to test the findings with technical experts. 

The reporting will reach an estimated audience of 185 million people in seven different languages.

Human Rights Watch will release its raw data and technical analysis globally on June 8.

The Innovation article provides:

A number of education apps and websites endorsed by Australian governments and used throughout the pandemic have been surveilling and tracking children and sending their data to advertisers, according to a report by Human Rights Watch.

The New South Wales and Victorian governments have announced inquiries into the education technologies (EdTech) used in schools in the states in response to the report, released on Wednesday.

The NSW Privacy Commissioner has also confirmed they are making “further enquiries” into the issues raised in the report.

The Human Rights Watch report examined 164 EdTech products – apps and websites – and found that 146 (89 per cent) appeared to engage in data practices that put children’s rights at risk, contributed to undermining them, or actively infringed on these rights.

“These products monitored or had the capacity to monitor children, in most cases secretly and without the consent of children or their parents, in many cases harvesting data on who they are, where they are, what they do in the classroom, who their family and friends are, and what kind of device their families could afford for them to use,” the report said.

Most of these products also sent data, or granted access to this information, to third-party companies, typically advertising technology firms or Big Tech companies such as Google and Facebook.

Human Rights Watch looked at New South Wales and Victoria and the EdTech products used in those states, including Minecraft, Cisco Webex and Zoom.

It found that many of these apps used in Australian schools harvested a significant amount of data on children, including their precise location, and also tracked them online even after classes had finished and then shared this data with advertisers.

“An invisible swarm of tracking technologies surveil our kids throughout their day,” the report said.

“By endorsing and enabling the wide adoption of EdTech products, many governments offloaded the true costs of providing online education onto children, who were forced to pay for their learning with their privacy.”

These practices are a “deep breach of young people’s privacy”, Reset Australia executive director Chris Cooper said, and governments need to act to protect children from online surveillance.

“This is dystopian. While students were at their most vulnerable, and states were scrambling to work out how best to provide high quality education to young people in lockdown, private companies used this as a chance to track students, build commercial profiles about them and hone their invasive advertising practices. It’s the commercialisation of our education system by stealth,” Mr Cooper said.

In Victoria, EdTech products including Minecraft: Education Edition, Cisco Webex and Education Perfect: Science were endorsed by the state government.

According to the Human Rights Watch report, the Minecraft education app has access to the Wi-Fi media access control address, a “persistent identifier”, potentially engaged in “ID bridging”, tracked the precise location data of users and included software development kits.

This is despite Microsoft, which owns Minecraft, saying in its privacy policy that it won’t collect or use children’s personal data for non-educational purposes.

According to the report, Cisco Webex is collecting IMEI numbers, potentially engaged in ID bridging, tracking the precise location of users, collecting information about wireless networks a phone was connected to, and tracking who a child knows through their contacts.

Education Perfect: Science was also found to include Facebook Pixel, which allows users’ data to be sent to Facebook, and engaged in key logging, a “particularly invasive procedure that surreptitiously captures personal information that people enter on forms, like names, phone numbers and passwords, before they hit submit”, according to the report.

In response to the report, the Victorian government said these products had been through a “rigorous privacy impact assessment”, and that the companies had assured the government about their conduct. It has pledged to have these assessments reviewed independently.

The Office of the Victorian Information Commissioner was not consulted about the specific EdTech apps in use in Victorian schools, but did produce a report in August 2020 on the use of EdTech in the state’s primary schools.

This report found that schools are at risk of breaching the Information Privacy Principles when using these apps that handle the personal information of children.

In NSW, EdTech products including Microsoft Teams and Zoom are used by school children throughout the state.

The report found that Microsoft Teams is tracking the precise location data of users, information about wireless networks a phone is connected to, tracking a user’s contacts and embedding software development kits.

Zoom is also tracking precise location data and wireless network information, according to the report.

The NSW government conducted assessments of two of its three EdTech products in June 2020 and October 2021, the Human Rights Watch report found, but these relied on a self-reported questionnaire completed by the companies and reviewed independently.

The state government has also said that it is investigating the claims in the new report.

The new Labor government needs to act on the report and move to legislate better privacy protections for children online, Mr Cooper said.

“This research provides significant evidence that regulation is needed, and that an opportunity exists for the new government to develop legislation that ensures all digital services young people use are included within their scope,” he said.

“No-one is going to read this report and think it’s acceptable that so-called ‘education products’ passed kid’s data on to Google’s Ad Manager, or embedded Facebook tracking pixels. Australian teenagers and parents have consistently told us they want more protection from exploitation online. This is a great opportunity for the new government to step up for our kids.”

The previous Coalition government’s Enhancing Online Safety bill, which it failed to pass through Parliament before the election, specifically excluded education products from these increased protections.

Interestingly the Victorian Government has been very proud of its association with EdTech on its A thriving digital economy page stating:

Positioning Victoria as the ‘place to be’ in terms of investment and skilled migration is key for economic recovery and growth.

How we will act on it

• • • Put Victoria on the global map for skills and investment by promoting the state as the ‘place to be’ in terms of building a career as a skilled worker, living well and making smart and sustainable investments.
    • Highlight the attractiveness of a career in Victoria by marketing our digital capabilities in selected industry sectors and emphasising our competitive advantage.
    • Continue to invest in sectors with leading capability – such as AgTech and EdTech – to enhance our global reputation and attract more talent and investment.
    • Strengthen our reputation as a world leading innovation hub by moving towards an adaptive regulatory environment that supports innovation.

On 18 August 2020 the Victorian Information Commissioner released a report on Examination into the use of apps and web-based learning tools in Victorian government primary schools.  The Commissioner sounded the alarm about privacy problems with web based learning tools. The concerns were valid, about handling and use of apps which schools use.  But it was satisfied that the Department of Education and Training had a sound process for assessing privacy risks in the tools that it procured to provide to schools, such as EdTech.  That comfort may have been misplaced given what Human Rights Watch has reported.  This poses some interesting questions for the Information Commissioner as to its methodology and the depth of its analysis.

In the Executive Summary and conclusions the Commissioner stated:

    What apps and web?based learning tools are being used in Victorian primary schools?

5. Schools use a wide range of apps and web?based learning tools, which vary from school to school. Some of these tools are provided by DET, while others are selected by schools. Some tools were used at all or most of the schools we visited. These tools are listed below.

How are apps and web?based learning tools selected for use?

6. Schools are responsible for selecting the digital tools used in the classroom, although some tools are provided by DET. Schools are responsible for conducting Privacy Impact Assessments (PIAs) for software that collects personal information, although DET provides numerous pre?populated PIAs to assist in this process, and assesses the privacy risks for software that it provides to schools.
7. We were satisfied that DET had a sound process for assessing privacy risks in the tools that it procured to provide to schools, but found that schools had difficulty in doing so for the tools the schools selected themselves. Some of the schools we met with were not aware that they were expected to complete PIAs. Some also noted that privacy was not the top priority when selecting software, and other considerations such as cost were a greater priority.
8. We suggest that DET provide additional guidance to schools on completing PIAs, and information about what apps and web?based learning tools may safely be used in the classroom. In practice it appears difficult for schools to assess privacy risks themselves, and that this is something that DET should consider having more direct involvement with.

How are parents and carers informed about the use of apps and web?based learning tools?

9. Schools are responsible for informing parents and carers about the use of apps and webbased learning tools via parent information notices and opt?out forms. We did see examples of schools sending information to parents, such as lists of apps and web?based learning tools intended to be used in the classroom to be installed on students’ devices. However, three out of the four schools we met with were not aware that DET expected them to do so for all apps and web?based learning tools that collected personal information.
10. We suggest that DET consider ways to provide further assistance to schools to inform parents and carers about apps and web?based learning tools in the classroom. We also suggest that DET expand the number of parent information notices and opt?out forms for apps and webbased learning tools that are provided to schools.

What support is being provided to schools in selecting and using software in the classroom?

11. DET provides a range of advice, policy, guidance, and training on privacy and managing personal information to schools and their employees. However, staff at the schools we met with were unaware of all the resources available to them, or had difficulty accessing them. Schools also noted that although the advice they received from DET’s privacy team was of a high quality, it sometimes took longer than expected to be provided.
12. We suggest that DET review the level of privacy support provided to schools. Increasing the level of support provided to schools would reduce the risk of breaches of the IPPs by schools.

Response from DET

13. Following completion of the examination, OVIC sought feedback from DET with respect to the issues outlined in this report. DET outlined steps it has recently taken or is in the process of taking to address matters raised in the report. DET informed OVIC that:
a. over the past 12 months DET has continued to revise the PIA template to make it more user?friendly for schools;
b. DET have expanded the privacy team and allocated additional resources to assist in responding to increased privacy enquiries; and
c. DET intends to review its current support model and investigate ways to streamline its approach and strengthen guidance.

Conclusions

14. In light of the issues identified in the examination, we consider that schools are at risk of breaching the IPPs when using apps and web?based learning tools that handle student personal information.
15. Whilst DET have accurate, clear and concise resources that are available to schools with respect to issues of privacy and data protection, some schools had difficulty accessing them.
16. Parents and carers are likely to assume that the privacy implications of apps and web?based learning tools used by their students have been considered before the tools are rolled out. Schools are required to ensure that they handle personal information in accordance with the IPPs. However, schools have numerous other responsibilities and their staff have high workloads. It may not be practical for school personnel to identify and manage the privacy risks of the many apps and web?based learning tools that are used in Victorian schools.
17. The Deputy Commissioner acknowledges that DET is taking steps to address the issues outlined in this report. However, these are complex and are not amenable to simple solutions. Ensuring that the privacy of students is protected is made all the more difficult in light of the COVID?19 pandemic, which has meant that schools rely more on online teaching and digital learning tools. The Deputy Commissioner considers that if greater support is provided by DET to schools, those schools will more confidently be able to select and use apps and web?based learning tools that support learning, while also protecting privacy.