CDT Calls for Congress to Clarify the Privacy Impacts of CIPA

The Center for Democracy & Technology and fellow education and civil rights advocates recently called on Congress to clarify the meaning of a federal law that is spurring schools to adopt invasive surveillance technologies to monitor students’ lives online. Last week, CDT released two research reports detailing the impact of student activity monitoring software on students and families. Student activity monitoring software can allow schools to remotely view students’ computer screens, open applications, block sites, scan student communications, and view browsing histories. CDT’s new reports draw from polls of students, parents, and teachers, and interviews with school technology leaders. The reports demonstrate that schools are widely using student activity monitoring software, raising concerns among parents and teachers, and chilling students’ expression online. One key finding of the reports is that school technology leaders have adopted broad, invasive monitoring software at least in part because they believe that it is required by the Children’s Internet Protection Act, a federal law passed in 2000. 

CIPA states that schools receiving federal funds for internet connections should have a policy for “monitoring the online activities of minors.” However, Congress likely did not intend for CIPA to require constant surveillance of students. CIPA does not define the term “monitoring,” and statements during debate over the bill show that Congress thought it required only supervision — teachers and parents “looking over [a student’s] shoulder saying: What are you looking at?” Critically, many of the most concerning aspects of some student activity monitoring software — such as algorithmic technology that scans students’ messages and documents in the cloud — were developed long after Congress passed CIPA. 

Regardless of Congress’s intent in 2000, perceptions about CIPA are spurring the adoption of monitoring software today. To correct this trajectory, CDT and its partners have called on Congress to clarify CIPA’s monitoring requirement or direct the FCC to do so. In particular, “monitoring” should be limited to the minimal amount of data collection needed to achieve CIPA’s goals, both on- and off-campus, and not encompass continuous, individualized monitoring of students’ online activities. For example, schools may limit the data they obtain by collecting only aggregate information whenever possible and minimizing where and when monitoring occurs, such as by monitoring aggregate traffic on the school network, rather than over individual devices. 

Systematic monitoring of online activity can reveal sensitive information about students’ personal lives, such as their sexual orientation, or cause a chilling effect on their free expression, political organizing, or discussion of sensitive issues such as mental health. These harms likely fall disproportionately on already vulnerable, over-policed, and over-disciplined communities and may be exacerbated when monitoring occurs on devices and services used off-campus, including in students’ homes. Congress should safeguard against these harms by clarifying CIPA’s requirement, allowing students and families to take advantage of the benefits of technology while protecting their privacy.