Privacy By Practice, Not Just By Policy: A System Administrator Advocating for Student Privacy
When Matt L. started to raise the alarm about educational technology in his school district, he knew it would ruffle some feathers.
As a system administrator (or sysadmin), Matt has had a front-row seat to the increasing use of technology in his rural, public school district. At first, the district only issued Chromebooks to students in guest “kiosk” mode for test-taking. Over time, though, each of the district’s 10,000 students got individual access to school-issued devices, from iPads for younger students who cannot yet type to Chromebooks and G-Suite for Education logins for students as young as third grade.
Matt and his sysadmin colleagues are at the center of deploying, configuring, and maintaining Google devices and software for the entire district. This gives Matt opportunities to identify privacy problems with ed tech implementation, and to propose solutions.
“All our eggs in one basket”
“I don’t want to say that Google or Chromebooks or any of this stuff is inherently bad,” Matt said. “Getting these tools into the hands of kids is hard to argue with. That’s why I got into technology.”
As the district has continued to expand its technology use, however, Matt has started to have concerns about consolidating students’ educational and personal information in one company. “We’re putting all our eggs in one basket that we’re not in control of,” he said. “We don’t know where this student data is going.”
On top of his privacy concerns, Matt observed students learning about only certain softwares without broader awareness of their technology choices. Having grown up experimenting with Linux and other open softwares, he was dismayed to see students being steered toward only Google services and away from other options.
“The beauty of technology is that it is so vast and deep, with so many choices. But we’re funnelling people into one situation, which is not our job,” he said. “We should be teaching concepts of computing, not specific software. We should be giving parents and kids a choice.”
Privacy by policy
After frustrating initial conversations with colleagues, it became clear to Matt that student privacy advocacy in his district could “get touchy pretty quick.” Even higher-up colleagues who might have been in a position to make district-level changes were hard to effectively approach.
“They like Chrome because it’s easy to use and they don’t have to worry much about the mechanics behind it,” he said. “So, I was constantly ridiculed when I brought up concerns about privacy.”
Colleagues also pointed out the cost-effectiveness of free Google services in response to Matt’s concerns. But Matt was not convinced.
“Nobody's asking why it's free," Matt said. “I thought it was common sense that, generally, if you're not paying for the app, you're the product.”
After repeated requests to talk more about student privacy issues, Matt’s boss and members of administration pointed him to the district’s as well as Google’s privacy policies. But this approach of ensuring “privacy by policy” did not lessen Matt’s concerns.
“We have privacy policies for our website, and for our student academic records, but not so much for students’ information in regards to what Google is collecting,” he said. “We can’t guarantee what Google is or is not doing with this information. It’s all pretty vague, and it’s not the kind of thing you want to be vague about.”
One of the biggest problems with such “privacy by policy” is that it relies on all staff members being up-to-date on complex, sometimes vague policies, and having the time and resources to comply with them consistently. Matt observed that many in his district—including his colleagues in system administration—see student privacy as a long-term issue rather than an active, ongoing project.
“Stuff like student privacy gets back-burnered,” Matt said. “It’s hard to look down the road at long-term projects when teachers’ day-to-day is consuming all of our department’s time and energy.”
Privacy by practice
Unsatisfied by the “privacy by policy” that his district usually practices, Matt is investigating how he can implement “privacy by practice”—that is, prioritizing student privacy with active safeguards to augment and ensure existing policy, like technical settings and opt-out options.
His first step has been to “crank down the lid” on privacy settings so that students use Google products as anonymously as possible by default, without associating their online profiles with identifying information. Ideally, technical controls like these will make it harder for teachers or third-party companies to collect student data, making privacy the default in students’ and teachers’ work.
He is also advocating for an opt-out policy. EFF helped Matt locate relevant examples of opt-out policies from other school districts to get conversations started. However, this advocacy process has brought up more questions than answers. Coworkers were concerned that giving students the option to opt out of Chromebooks and/or Google services will create more work for teachers and administrators, and it has been hard to build consensus around what classroom alternatives would be available when students choose to opt out.
Continuing to advocate
Matt’s conversations with colleagues have moved forward in fits and starts, and are constantly changing as the district’s technology situation changes. For example, a system-wide update gave Matt an opportunity to propose concurrent changes in ed tech implementation. But, soon after, discussions about abandoning local storage and migrating completely to Google Drive ran counter to Matt’s efforts to locally control student data and ensure their privacy.
In the meantime, Matt is thinking about stepping up student digital literacy education with more student-staff interactions on the topic. He has also brought up his concerns at professional conferences to learn from sysadmin in different schools and districts. Matt remains persistent and committed to advocating for more secure, more private student systems.
“It’s a really hard problem, but we need to come up with an answer,” Matt said.
Recent DeepLinks Posts
Apr 28, 2017
Apr 28, 2017
Apr 27, 2017
Apr 27, 2017
Apr 27, 2017
- Fair Use and Intellectual Property: Defending the Balance
- Free Speech
- UK Investigatory Powers Bill
- Know Your Rights
- Trade Agreements and Digital Rights
- State-Sponsored Malware
- Abortion Reporting
- Analog Hole
- Anti-Counterfeiting Trade Agreement
- Artificial Intelligence & Machine Learning
- Bloggers' Rights
- Border Searches
- Broadcast Flag
- Broadcasting Treaty
- Cell Tracking
- Coders' Rights Project
- Computer Fraud And Abuse Act Reform
- Content Blocking
- Copyright Trolls
- Council of Europe
- Cyber Security Legislation
- Defend Your Right to Repair!
- Development Agenda
- Digital Books
- Digital Radio
- Digital Video
- DMCA Rulemaking
- Do Not Track
- E-Voting Rights
- EFF Europe
- Electronic Frontier Alliance
- Encrypting the Web
- Export Controls
- Eyes, Ears & Nodes Podcast
- FAQs for Lodsys Targets
- File Sharing
- Fixing Copyright? The 2013-2016 Copyright Review Process
- Genetic Information Privacy
- Government Hacking and Subversion of Digital Security
- Hollywood v. DVD
- How Patents Hinder Innovation (Graphic)
- International Privacy Standards
- Internet Governance Forum
- Law Enforcement Access
- Legislative Solutions for Patent Reform
- Locational Privacy
- Mandatory Data Retention
- Mandatory National IDs and Biometric Databases
- Mass Surveillance Technologies
- Medical Privacy
- Mobile devices
- National Security and Medical Information
- National Security Letters
- Net Neutrality
- No Downtime for Free Speech
- NSA Spying
- Offline : Imprisoned Bloggers and Technologists
- Online Behavioral Tracking
- Open Access
- Open Wireless
- Patent Busting Project
- Patent Trolls
- PATRIOT Act
- Pen Trap
- Policy Analysis
- Public Health Reporting and Hospital Discharge Data
- Reading Accessibility
- Real ID
- Reclaim Invention
- Search Engines
- Search Incident to Arrest
- Section 230 of the Communications Decency Act
- Shadow Regulation
- Social Networks
- SOPA/PIPA: Internet Blacklist Legislation
- Student Privacy
- Stupid Patent of the Month
- Surveillance and Human Rights
- Surveillance Drones
- Terms Of (Ab)Use
- Test Your ISP
- The "Six Strikes" Copyright Surveillance Machine
- The Global Network Initiative
- The Law and Medical Privacy
- TPP's Copyright Trap
- Trans-Pacific Partnership Agreement
- Travel Screening
- Trusted Computing
- Video Games