Amsterdam High School and National Student Privacy Concerns: A Disclosure of the Problems

To preface, the internet is truly an amazing tool. Not only does the internet allow us to stay connected with many people from far and wide, but it also enables us to discover new people that we can link up with and helps us uncover new information that otherwise would go unnoticed.

There is nothing like the internet. It has clearly emerged as a chief cultural landmark that millions can enjoy and use, and the amount of communication, knowledge, and skills that we have gained from the internet is profound. Even schools today, like ours, have been able to render useful the awesome power of the internet to serve the education and needs of thousands of students. It’s more important than ever during this pandemic that we stay connected, and thankfully the internet has accorded us this opportunity.

Today, these thousands of miles of cables connected to data are able to power all the services we use on a daily basis, and help upgrade our schools, businesses, and governments to new technological and social stages. In school systems, technology enables students to access information, collaborate on projects, and complete tasks, and also allows for teachers to develop greater connections with students and parents.

But what happens when it’s misused against the interests of the people, when the freedoms granted by the internet are governed, manipulated, and restricted by those in power?

The Elephant in the Room: The Student Privacy Issue

Unfortunately, it’s all too common. Schools often distribute technology to students, but remotely-activated spying software is embedded in these school-issued devices. To make matters worse, the pandemic has exacerbated this situation, with students mainly working at home and relying on devices given by schools which, at the same time, are being surreptitiously used against them.

As we analyze this issue, we will begin to see that legal precedents for this problem are often difficult to apply today. At least on the federal level. We know for a fact that on our school-issued devices, there is tons of pre-installed software to track and surveil us, both within and without school. Schools, by increasingly adopting nefarious surveillance technology to spy on students, are building huge databases that are not only vulnerable and unethical, but in some cases even questionable and a violation of our student rights.

At best, very few federal laws in the United States have been enacted that are said to protect and defend student privacy and data security. These laws consist of the Family Education Rights & Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), and the Children’s Internet Protection Act (CIPA). There is, with addition, the noteworthy Protection of Pupil Rights Amendment (PPRA). Firstly, FERPA only deals with protecting the privacy and sanctity of student education records, safeguarding the confidentiality of student files by limiting who or what may access student records, while at the same giving students the right to see their records.

COPPA applies to online services and addresses data protection regulations, prohibiting deceptive practices that serve to undermine the collection and use of personal information obtained or stored online, but this concerns only children under the age of 13. Last, but not least, CIPA is a piece of controversial legislation that some argue is “riddled with constitutional problems.” That said, it limits children’s exposure to obscene content online, declaring that all schools are mandated to censor explicit digital content.

The Protection of Pupil Rights Amendment (PPRA) is a federal law that applies to the programs and activities of education agencies. Also called the Hatch Amendment, it is intended to protect students and parents regarding how education institutions conduct surveys or collect information for commercial purposes. When administering surveys or analysis funded by the Department of Education, parental approval must be granted in many cases regarding how data is mined or collected through these methods and how exactly that data will be used.

In New York, we possess the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which is a recent piece of state-wide legislation that offers expanded protection against data breaches affecting the private information of New York residents. Effective in 2019, any business or facility that owns computerized data that collects or includes private information is obligated to follow reasonable requirements on encryption and data security. Among the regulations, the law prohibits personally identifiable information from being sold or used for marketing purposes, and many districts (including ours) have sought to begin minimizing its collection, processing, and transmission of this sort of data in reaction to these provisions and amendments.

In case of data breach violations by companies or other entities, the state government has insisted that civil penalties up to awarding damages for costs or losses is permissible. Any deceptive practice to evade regulations is liable for a civil penalty up to $5,000 per violation.

What we infer from this is that internet privacy for students as we think of it today is not necessarily federally protected, even though state policy affects us differently. Schools seem to have the legal right to obtain and indeed, maintain, a wide range of student data, and this data can be collected if used as part of school activities, whether using school internet services (such as their private servers) or school-issued internet devices. But in New York, compliance with state law means safeguards must be in place against any data breach risks, including the unauthorized collection or transportation of data. It also forces entities to erase electronic media no longer in session or necessary so that it cannot be reconstructed or reused.

So while the federal government may be lackluster in these regards, we are lucky to have local restrictions imposed on schools regarding how all these chunks of data are contained and used. But just how extensive are these requirements foisted on schools by the state government in relation to us?

Amsterdam High School’s Present Capabilities and Actions

Our school has the ability, at this moment, to enact filters online. This is in accordance with federal law that compels the enactment of filtering tools in order to qualify for funding. Content-control software, which can be installed by anyone who owns and maintains a wireless network, aims to jeopardize the free spread of information and content online. When schools enforce filters to block media online, underblocks and overblocks become tremendous concerns, either failing to block access to explicit material altogether or blocking innocuous material that need not be suppressed. In summary, our system here has shortcomings to be addressed.

While we as students may see a threat that is gambling away our privacy to no good end, there are no legal grounds to argue anything on that behalf. According to all present information, what the school does is within their legal rights and are not legally-bound infringements of any nature.

In applying that lesson to Amsterdam High School, what do we learn? Again, it depends. We don’t just need to learn the full capabilities and scope of power the school has over our data and information, but also what exactly the school is doing with their software, especially with that said power in mind. It’s hard to proceed without first knowing and understanding all the known spyware that’s currently installed on our ChromeBooks.

For starters, our Chromebooks come preloaded with GoGuardian, which is relatively well-known by security experts, many of which have condemned the program for serious and severe violations to student privacy. It is a web-tracking application and a Chrome Extension that is force-installed on school-issued devices, but some of its features will sync and enforce administrator policies on home devices as well. Founded in 2014, the California-based company that operates GoGuardian is said to provide management software that “gives educators better control over how their technology is used.”

Using artificial intelligence and machine-learning technology, GoGuardian keeps archived the websites, and the content of those websites, a student visits when using their school-issued account. Even if the browsing history is deleted, a report is kept that provides a chronological timeline of the websites that students have visited, coupled with the amount of time spent on each particular site.

So what else can it do? After being installed on Chrome OS, it links to all Chrome accounts as per the orders of the school administrators. After which, it allows teachers and administrators to gain real-time access to student activity. This means it allows teachers to view students’ computer screens, open tabs remotely on a student’s browser, locate and see running applications, and direct student devices to a particular webpage.

Like Fortinet, another tool harnessed by the school, it also filters content on the internet — blocking whatever the federal government deems “inappropriate” or “subversive” — but it may also allow administrators to remotely access secure hardware, such as cameras and microphones. Fortunately, just because the option is there does not mean it is acted upon. Simply put, the school does not have the resources to incessantly monitor or observe this information, although teachers are still free to view student Chromebook screens at will with this program.

There is also CatchOn Insight, a data analytics tool also forced onto Chromebooks. The administrative gadget monitors all student digital engagement, furtively granting school districts the ability to gather “insightful data” in order to “make data-informed decisions about the apps and online tools their educators and students are using.” In the face of a pandemic and vast budget cuts to our school, it has become a monitoring tool over data usage more than anything else. It boasts itself on boosting productivity and paving the way for cost-effective (or reductive) measures, at the same time claiming to capture anonymized student data so as to gather that information.

The Google Privacy and Data Threat

Is it just the school we have to worry about? No, Big Brother is very much alive in Big Business. To elucidate this point, Google stores and harvests extreme amounts of data. Of the reams of data it has stolen from us, it knows where you’ve been, everything you’ve searched, and all the content you’ve downloaded. Google has exclusive access to our private and personal data, which is often used for profitable reasons. Google’s data storage and retention policies are regarded by many security entities to be absolutely abysmal. The company is alleged to collect scads of behavioral data about students and siphon browser data.  What we find is that Google is nothing more than a data-mining machine serving profitable interests, and this means the tracking of student data by such a company should be called into question.

Google has also enabled the school to have root access over the Chromebooks, telling them everything from the content of the websites we visit to our network addresses. I was informed by Superintendent Ruberti that this was with the intent of securing devices for educational purposes, and that the district was following through on federal and state policy on this manner.

To mitigate these concerns, Google Enterprise is purchased under contract, forcing Google to actively respond to privacy perturbation by agreeing to basic terms. The District has come out and said that third-party contractors (not excluding Google) must sign into a contract “including provisions requiring that confidentiality of shared student data or teacher or principal data be maintained in accordance with law, regulation, and District policy.” 

In the requirements, the vendor (Google, LLC.) is forced to “keep confidential all information and data,” meaning all student data, teacher/principal data, and any otherwise Personal, Private or Sensitive Information is kept private and cannot be “sold or released for any commercial purposes, nor shall it be sold or used for marketing purposes.”

Google, being a vendor known for extensive privacy violations, is ordained by state law to adopt practices pursuant to that law. If found flouting the law or district policy, Google will have overstepped boundaries and the partnership would ergo be void. While it is possible that Google may seek out loopholes, no guarantee is perfect. Serious civil penalties are in order if data access is not limited, kept private, and if disclosed to “any other party who is not an authorized representative.”

While this is a good thing to hear, for some, there is still an unnerving presence of the corporatization of schools by entities like Google, which may find loopholes now or in the future to circumvent restrictions placed on them by the government. This dread is understandable. But by having our devices and accounts managed by districts and schools specifically, with the force of the law behind them, some basic level of security has been guaranteed. While this may have come at the cost of privacy, considering many settings are mandated without our fully-acknowledged or fully-understood consent, both by students and parents, this simply is the only way for schools to proceed in this increasingly-technologized environment. 

A few may continue to cling to privacy puritanism and argue that with this blatant disregard has fermented an erosion of our privacy, now intensified in such conditions as the new pandemic reality, the truth is that this is how things are done in the real world today, whether we agree with the conditions or not. There is not much more that can be done to maintain reasonable security and balance out privacy if not done through legalism and activism.

Nonetheless, this does open up the question about whether or not we should allow schools to sacrifice privacy in exchange for maintaining stability, order, and security. That many students around the world have deficient power to choose or control their information and data is a serious loss that, in contrast to helping us, actually may cause considerable harm in the long-run. But in a digital world, it is unfortunate that nothing will ever be perfect. In the framework of that, the aforementioned agreement does hopefully outline that our data is kept hidden, accompanied by encryption technology, and that:

“In the event that a Parent or Eligible Student wishes to challenge the accuracy or the shared Data concerning that Student or Eligible Student that is maintained by Vendor, that challenge may be may be processed through the processed through the procedures provided by the licensed District for amendment of education records under the Family Educational Rights and Privacy Act (FERPA).”

On top of that, in case of the unauthorized release of data by the Vendor, it will “promptly reimburse” the District for such troubles. Moreover, in the event of an expiration of the agreement, Google pledges to securely purge any and all remaining data without delay beyond 180 days. This is a good incentive for Google to abide by the accord, at least temporarily as a successful breakture of the agreement and a potential lawsuit or criminal prosecution against them would cause further mistrust in the corporation and spiral into a much larger business catastrophe if necessary.

Having spoken with Eric Scholl, our Data Protection Officer, I was informed that: “Everything that we do here is as good as it’s gonna get.” 

The Enduring Fight for Student Privacy

In closing, you may ask what can be done to confront the tumultuous and tremendous challenge of student privacy and security in general. For some, it may seem too big to fight. Certainly, the technological organization of classrooms today is taking over at an unmatched speed. But although the Big Tech companies that are now seizing control of education may appear tough and strong, in reality, they’re all a paper tiger that we can tussle with if we raise our voices and demand action.

In New York, we can continue to strive for passing basic legislation that protects our rights. Even if that victory means meager reforms, it is still a worthwhile gain in the right direction. But, be reminded that the right direction isn’t the end-all, be-all of our goals; we shouldn’t let our guard down in the struggle.

Ultimately, it is up to students to choose the best course of action in this case. Sure there are ways to bypass these problems, such as by downloading proxies, using VPN services or Tor circuits, or even through the Titanium Network. That is all true, but it goes against school policy, is rarely compatible with Chromebooks, and doesn’t fair well to an overall movement to actively and proactively defend and safeguard student privacy, and the privacy of everyone, everywhere. Circumventing such a vast array of security measures in this fashion rarely fairs well for students.

The youth are the future, and the youth must be the social force in the world today that can find big solutions to big problems. We can all play a part and fight back. It will take dedication and hard work, but we can one day maximize and expand our rights to privacy at a national and perhaps even international level if we dare to struggle for it. The erosion of our privacy by government and corporate entities will only be stopped by us, and it’s becoming clearer that we can do this. A united front of all sorts of people, in all their bountiful talents, will be the only means by which we can begin to chart the uncharted course. Schools can protect student data and privacy only if we strive for it.

Together, we can do this — and if we’ve learned anything, it’s that we must do this, and quickly, if we’re to achieve anything positive. It’s time to reach out and share our concerns as students, even parents and teachers, so we can finally achieve something. We can absolutely be the generation to “reset the net,” but only if we work to that end. We need to get that train rolling today, and fast.

Important Resources:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s