The State of Privacy in Edtech
Privacy in edtech is absolutely critical to protecting our children’s identities and earning the trust and endorsement of edtech from parents. As a professional working in cyber security, I never think it is too early in the development process to consider security and privacy of edtech tools. I believe in security by design for all technology-based solutions (security should be built in from the start). Sometimes, security by design is a challenging prospect and is often overlooked based on a desire to get to market more quickly and reduce development costs. This is not that. A recent study by EdTech Strategies suggests that edtech tools and technology use at schools are failing to satisfy some of the most basic privacy controls. A few of those findings are discussed below.
Secure browsing is a critical aspect of privacy online. The federal government (amongst others) long ago recommended all sites implement HTTPS, the secure version of HTTP (the protocol most commonly used for browsing). Yet, even now, almost half of school-related websites don’t support HTTPS, and of the ones that do, many have it misconfigured. Supporting HTTPS and configuring it properly must be a priority for education technology departments. It is a simple way to ensure more privacy and more security.
A wildly disturbing trend in edtech is the number of advertising trackers deployed on school-related sites. Everyone knows major tech companies that offer ‘free’ online services make their big dollars off of advertising, but there is nothing requiring schools to allow tracking for ad purposes. Whether these trackers are implemented as part of a third-party agreement or simply through integration of ad-based services from Google, Facebook and Twitter, I encourage all parents to at least understand what information is being tracked, by whom and where.
In addition to the privacy study results, I would be remiss if I did not encourage use of Multi-Factor Authentication wherever possible. Multi-Factor Authentication (MFA) essentially means that to log in to a particular service you must provide multiple things to prove your identity. Typically, MFA uses 2 out of 3 of the following: something you know (like a password), something you have (like a numeric code) and something you are (biometrics). The most common implementations, which are not perfect but are far better than not having MFA, have a user sign in using a password and also enter a code they received in a text or email. Every major bank and other critical services are already doing MFA, and many other services (Gmail, Twitter, Facebook, etc.) offer MFA as an option. All edtech solutions should, at the very least, have an option for MFA, and any that contain private student information should enforce it.
It is absolutely imperative that we begin to address security and privacy issues in education-related technology. Edtech products and companies should be considering security and privacy first in all of their applications. If we continue down an insecure path, we risk parents losing faith in the benefits technology can bring into the classroom. Parents who fear negative impacts of technology will be far less likely to encourage edtech usage in classrooms and far less likely to encourage their children to pursue interests in STEM fields.