A Year in Review: Student Privacy Issues Through a Season of Unprecedented Change

To say that 2020 will be remembered as one of the most impactful years in education history is an understatement. The onset of COVID-19 and its subsequent transformation of U.S. education can be felt simply in the lexicon used to describe this new reality — distance learning, reopening, Zoombombing, contact tracing, and learning pods are just a few terms unheard of in their current form at this time last year, but have now become common parlance in the education community. 

2020 may also be remembered as the year that student privacy issues permanently entered the mainstream education dialogue. High-profile trends in privacy issues such ransomware attacks, test-proctoring software, and the aforementioned Zoombombing coincided with educators’ increased reliance on technology to perform basic school services. This year has challenged the education community to navigate a nuanced complexity: the critical value of education technology cannot be ignored, nor can the importance of corresponding privacy considerations. Education practitioners must engage with both considerations in order to continue providing education during the pandemic and beyond. Below, we reflect on a few trends that have shaped student privacy in 2020. We highlight some of the challenges—and bright spots—in the K-12 education community’s experiences in responding to these trends, and note some of the issues we’ll be watching as we enter 2021.

Adopting New Technologies to Accommodate for COVID-19

COVID-19 has necessitated greater reliance on technological solutions to facilitate distance learning, in many cases far beyond schools’ previous levels of capacity. Of teachers whose schools provided technology guidance, our research found that 86 percent had begun using new technology as of June—and this number has likely grown. From a privacy perspective, some tools and technologies carry more risks than others, and schools have faced tensions between solving an urgent need quickly and applying adequate rigor in making selections. 

How have schools performed in making these decisions? The track record from this past year is mixed. We’ve seen many encouraging examples of schools applying holistic assessments to technology adoption decisions, weighing privacy, security, safety, equity, and accessibility concerns side by side. For one such example, see our recent story on DSST Public Schools. Unfortunately, we have also seen the use of some particularly problematic technologies increase over the past year—automated test-proctoring software, on-campus surveillance technology, and online student behavior monitoring services all come to mind. In 2021, we’ll be watching whether this trend continues, and how schools and education agencies factor privacy and digital safety into their technology decisions.

Creating Robust Technology Governance Structures

One of the most striking lessons demonstrated this year is that processes for how new technology is selected and implemented matter just as much as which technology is being chosen. Whose voices are consulted when making technology decisions? How are new systems configured and integrated into schools’ existing technology platforms? What training and communications practices surround the new tool’s rollout? These questions are all functions of the administrative governance frameworks of an educational institution. 

The pandemic has illustrated the benefits of both privacy protection and effective education delivery when good governance practices are followed. Steve Langford, Chief Information Officer at the Beaverton School District, credits Beaverton’s relatively smooth transition online to its well-established process for vetting and integrating new education technology, which gave it a head start in navigating these issues. The theme was repeated throughout our research: schools and districts that had technology governance structures already in place were better prepared to address privacy issues proactively rather than reactively.

As we enter 2021, we will be watching to see how education institutions rely on these practices to adopt and implement new technologies for the spring and fall. We are also paying attention to how technology no longer in use will be decommissioned, which is often more complicated than simply switching off the program.

Addressing the Homework Gap

As schools moved online, it became apparent that not all students had equitable access to the technology and connectivity necessary for remote learning, a disparity labeled the “homework gap.” While that disparity is not new, the homework gap took on new urgency as a vast majority of students connected with their education online. The homework gap disproportionately affects students from marginalized families, and failure to support students’ technology and connectivity needs “is akin to barring them from school altogether.” Students without adequate connections have consequently “disappeared” from their digital classrooms. 

Schools have addressed the homework gap during the pandemic in a myriad of ways, including deploying solar-powered Wi-Fi hubs or Wi-Fi enabled buses, distributing mobile Wi-Fi hotspots, and loaning students laptops and tablets. Those measures, however, carry privacy concerns. Schools are collecting new data on students to help identify those with connectivity needs and sharing it with telecommunications partners. School-issued devices may include monitoring software, schools may scan student communications for keywords, and laptop cameras may permit school officials unprecedented glimpses into students’ homes. As schools and their partners work to connect students at home and in the classroom, we will work in 2021 to ensure those privacy concerns are addressed alongside the homework gap.

Cybersecurity Incidents on the Rise

Another prominent trend in 2020 was a surge in hacks and cybersecurity attacks against schools. There were signs of this trend before the COVID-19 pandemic, but the pandemic’s push to online learning exacerbated the issue and broadened the attack surface. 

For one, schools’ rapid adoption of unfamiliar technologies presented far more opportunities for attackers. Moreover, the online nature of learning this year left schools exceptionally vulnerable to ransomware attacks. These attacks, in which hackers lock victims out of their systems and data and in some cases exfiltrate that data as well, meant that schools were incapable of delivering online instruction. As a result, students lost significant class time in an already heavily disrupted year, in addition to being exposed to the financial and personal harms of having their data sold or exposed.

Although the trend of increasing cyberattacks on schools was worsened by the pandemic, it’s unlikely that it will go away in a post-pandemic world. Ransomware attacks may not completely shut down learning, but they can still deny schools access to essential systems and information like administrative and records systems, learning management systems, and other EdTech. Schools will still be holding plenty of sensitive information about their students that makes them an attractive target for hackers. 

Given that the threat isn’t likely to go away anytime soon, schools will need to strengthen their cybersecurity stance going forward. We aim to help them in that in 2021 by developing resources for cybersecurity in the school context, such as trainings for faculty and staff, and preparation and response plans for ransomware. 

*****

EdTech adoption, technology governance, the digital divide, and cybersecurity awareness are a few of the issues that CDT’s Student Privacy team will continue monitoring into 2021. The spring and fall semesters will likely bring more privacy challenges related to the dynamic public health landscape, as well as more opportunities to take positive steps toward protecting student privacy.