A Security Checklist for School-Provided Technology

As government leaders, policymakers, and technology companies continue to navigate the global coronavirus pandemic, CDT is actively monitoring the latest responses and working to ensure they are grounded in civil rights and liberties. Our policy teams aim to help leaders craft solutions that balance the unique needs of the moment, while still respecting and upholding individual human rights. Find more of our work at cdt.org/coronavirus.

As schools continue to find ways to deliver education in the midst of a pandemic, one additional challenge they face is grappling with the country’s “digital divide”: Not every student has equal access to the devices and internet connections they need for remote or semi-remote learning  [see also]. One way schools and districts are approaching this problem is by providing students and families with devices, and trying to get their students and families access to internet connections.

While these steps will likely have benefits for students’ educations, the families who receive these devices or services may be unfamiliar with them, and need assistance to make sure they are using them in the safest way possible. This checklist will give students and families a set of actions to take to protect themselves while using their new devices.

For school-provided laptops and tablets:

• Ask the school for policies surrounding the devices: Devices owned by the school might be remotely accessed or controlled by the school. Things like which apps you use and for how long and what you browse on the internet could all be visible to the school’s administration or IT staff, though some states might have laws that impact when and how the school can access the device. Additionally, the school should be able to tell you who to go to if you need assistance with your machine, such as if it gets infected with malware, or if it is lost and needs to be remotely wiped.
• Back up important or personal data: The school may have the ability to erase the device remotely or request it be returned on short notice. Consequently, any data that you want to make sure you have access to should be backed up either on an external hard drive, or to a cloud service like Dropbox or Google Drive. (However, remember that depending on their policies, the school might be able to see anything you look at on the device, even if it is personal.)
• Password protect the device and the accounts you access on it: If possible, put a password on the device, so you can make sure no one except for the school can access it without your knowledge. This can also help keep your data safe if the device is stolen or lost. (Extra tip: using a password manager like Lastpass or One Password can help you use stronger, more secure passwords without having to remember them all. Using the build-in password saving feature in your browser might not be a good idea if the school has remote access to your device, since they may be able to see those passwords.)
• Update the software: Depending on your school’s policy, this might be out of your hands. But if the school allows it, you should update software on your device regularly or, better yet, turn on automatic updates. Software updates often contain important security improvements to help keep your device and data safe.
• Low-tech stickers: If your school allows it, putting a sticker or two on your device can make it easier to keep track of, and help avoid someone else accidentally wandering away with your device instead of their own. This could be useful if your school is using a hybrid approach for reopening, and you are in school with other students with the same device.

For school-provided hotspots or new internet connections:

• Password protect the network: Putting a strong password on the network does two things: first, it keeps other people from eating up the bandwidth you need, and second, it helps protect your data and device. Devices on the same network can communicate with each other. An unsecured network can be like an unlocked window for a malicious person, so think of adding a password like locking your window. Some networks come with a default password, but it’s not always a strong as it should be. So if the default password is something simple like “adminpassword,” change it to something more secure. (Many password managers will help you generate secure passwords to use.)
• Ask the school or provider for policies: Much like laptops and tablets, whoever is providing the network might be able to see some data about how you use the network. In some cases you can opt out of this collection, though it can take some work to do. For a new home internet connection, try searching the web for the name of your provider (like Comcast or Charter) plus “opt out of data collection,” or contacting your new provider.

General privacy and security advice:

• Don’t click on suspicious links: Email, social media, and other messaging apps are sometimes used to send what are called “phishing” links, which actually download malware to your device or try to get you to give up your password. Sometimes these messages come from someone you know, which can happen if they got phished first, or someone broke into their account another way. If anything seems off about a message, or a link in a message (like you haven’t talked to the sender in a while or the message doesn’t sound like them), don’t click the link. If you are worried about missing something, try to get in touch with the person a different way to ask about it. 

Additional resources:

This guide covers some basic security tips, but there’s definitely more to do if you have a bit more time to dedicate to the issue. Here are some additional guides that offer more advice about using devices and the internet safely. (Not all of these pieces of advice will make sense for every person, so don’t worry too much or feel guilty if something doesn’t make sense for you.)

• This guide from CDT offers some more general tips, in addition to the tips for school-issued devices offered above. https://cdt.org/insights/10-tips-for-protecting-your-digital-privacy/
• Virtual Private Networks (VPNs) can be another way to keep your internet service provider from collecting your data, but if you use one you are placing a lot of trust in the VPN provider that they won’t go ahead and collect your information. Additionally, your school might have a policy about whether or not you can use a VPN on your school issue device. If you do decide to use a VPN, CDT has some guidance about how to evaluate and select one. https://cdt.org/press/helping-consumers-choose-a-trustworthy-vpn/ 
• The Electronic Frontier foundation has some extra tips, including some more advanced options for using a VPN (make sure it’s one you trust, and that the school allows it on your device), or using the Tor browser. https://www.eff.org/deeplinks/2017/04/heres-how-protect-your-privacy-your-internet-service-provider
• The U.S. Securities and Exchange Commission offers some security guidance, ranging from more involved approaches like using security tokens to more general advice like being cautious with the links you click. https://www.sec.gov/spotlight/katrina/protectyourselfonline.htm
• Opting out of your internet service provider’s data collection can be complicated, so this post from Bret Carmichael offers some information for how to go about opting out for a few different providers, including links to some helpful pages.  https://www.bretcarmichael.com/posts/how-to-opt-out-of-your-isps-data-collection