If the Yahoo data breach that exposed upwards of 500 million customers taught us anything about digital privacy, it is that confidential information can never be assumed to be secure. As adults navigating the digital world, this is something that we can take into account as we weigh the risks and benefits of our online activity. Although school-age students are also citizens of the digital world, their data is collected in schools without their explicit consent. This type of data collection is increasingly ubiquitous, and poses a unique threat to student privacy.
In particular, the Common Core Standards require states to work on longitudinal databases to track student achievement. Such systems, funded by federal grants, already exist in 41 states and the District of Columbia, but their very existence poses an existential threat to student privacy. These databases do not merely include information like grades, but also sensitive demographic information like family income, and incredibly personal details including disciplinary records and health records.
Even if they were only used for reasonable purposes, the very existence of such databases poses an existential threat to student privacy in two ways. The first is a straightforward breach; since even sophisticated government actors and large corporations are vulnerable to hackers, educational agencies are certainly vulnerable. The second threat is perhaps even more insidious; the collection of student data provides permanent records linking all aspects of a student’s life.
While it is often said that those who have nothing to hide have nothing to fear from being watched, the true value of privacy is not so easy to dismiss. As Daniel Solove, the John Marshall Harlan Research Professor of Law at the George Washington University Law School, writes, “The potential future uses of any piece of personal information are vast, and without limits or accountability on how that information is used, it is hard for people to assess the dangers of the data being in the government’s control,” much less in the hands of a private corporation that is not accountable to students or their families in any way.
Even the promise of anonymity does little to guarantee meaningful privacy. Latanya Sweeney, a data scientist at Harvard University, convincingly demonstrated that simply removing clear personal markers like names, addresses and social security numbers is not enough to render data truly anonymous. In a disconcerting feat, she and her team were able to identify 40 percent of the people who had anonymously contributed their DNA and medical records to the Personal Genome Project. Using information as general as birthdate, zip code, and gender, she was able to link “anonymous” data to publicly available records such as voter registration records.
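For a data steward deciding whether a "de-identified" student extract is safe to release, the point above can be measured directly. The following is an added example, not part of the original article: it audits a constructed table for how many rows are unique on birthdate, zip code, and gender, and goes beyond the text by showing generalization and suppression (the standard k-anonymity approach) as the mitigation. The schema and every record are assumptions made up for illustration.

```python
from collections import Counter

QUASI = ("birthdate", "zip", "gender")  # the three fields named in the text

# Constructed sample rows: names and student IDs already removed (assumed schema).
ROWS = [
    ("2008-03-14", "94110", "F", "health plan"),
    ("2008-07-02", "94112", "F", "none"),
    ("2008-11-30", "94110", "M", "suspension"),
    ("2008-01-09", "94114", "M", "none"),
    ("2009-05-21", "94110", "F", "free lunch"),
    ("2009-09-17", "94115", "F", "none"),
    ("2008-03-14", "94110", "F", "none"),
    ("2009-02-03", "94601", "M", "suspension"),
]
RECORDS = [dict(zip(QUASI + ("record",), row)) for row in ROWS]

def key(rec, keys=QUASI):
    return tuple(rec[k] for k in keys)

def class_sizes(records, keys=QUASI):
    """Count how many rows share each quasi-identifier combination."""
    return Counter(key(r, keys) for r in records)

def k_anonymity(records, keys=QUASI):
    """Smallest group size; k == 1 means at least one row is unique."""
    return min(class_sizes(records, keys).values())

def unique_fraction(records, keys=QUASI):
    """Share of rows that a join on the quasi-identifiers would single out."""
    sizes = class_sizes(records, keys)
    return sum(sizes[key(r, keys)] == 1 for r in records) / len(records)

def generalize(rec):
    """Coarsen the fields: birth year only, first three zip digits."""
    return {**rec, "birthdate": rec["birthdate"][:4], "zip": rec["zip"][:3] + "**"}

def suppress_small_classes(records, k, keys=QUASI):
    """Withhold rows whose group is still smaller than k after coarsening."""
    sizes = class_sizes(records, keys)
    return [r for r in records if sizes[key(r, keys)] >= k]

if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    released = suppress_small_classes(coarse, 2)
    print("raw:        k =", k_anonymity(RECORDS), "unique =", unique_fraction(RECORDS))
    print("coarsened:  k =", k_anonymity(coarse), "unique =", unique_fraction(coarse))
    print("released:   k =", k_anonymity(released), "rows =", len(released))
```

Removing names alone leaves most of these rows unique; only after coarsening and withholding the remaining outlier does every released row share its quasi-identifiers with at least one other.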
The Family Educational Rights and Privacy Act (FERPA) is over 40 years old, and does not address the concerns raised by the massive collection and storage of student data. Fortunately, many states have begun to take matters into their own hands, passing laws to protect students’ digital privacy. In particular, California has banned the monetization and direct sale of student data, as happened last year in 2014 with the bankruptcy of connectEDU and the subsequent liquidation of its assets. However, there is still much to be done.
Since the partisan deadlock plaguing Congress is unlikely to abate any time soon, it may be that the greatest hope for ensuring students’ digital privacy lies with the states. We must take the staggering scale of the Yahoo breach as a reminder that the privacy of our digital lives is anything but certain, and issue a call to action to protect the privacy of K-12 students.