For Remote Learning, Privacy Challenges Go Beyond Zoombombing

As government leaders, policymakers, and technology companies continue to navigate the global coronavirus pandemic, CDT is actively monitoring the latest responses and working to ensure they are grounded in civil rights and liberties. Our policy teams aim to help leaders craft solutions that balance the unique needs of the moment, while still respecting and upholding individual human rights. Find more of our work at cdt.org/coronavirus.

This week, the Center for Democracy & Technology is releasing guidance for schools as they prepare for the beginning of the academic year. In most years, July would signal the turning point in the summer, as students and teachers prepare to return to school. This year, however, a full, physical return to school is unlikely. After a spring of remote learning, physical distancing is likely to continue well into the fall, mandating smaller class sizes, alternative schedules, and “hybrid” learning, where part of the student body learns remotely while the other learns in-person. The fall semester may even have to begin or end remotely. For most students and teachers, remote learning is going to play some part of the upcoming school year.

Consequently, the last few weeks of summer provide schools and educators an opportunity to evaluate how remote learning unfolded this spring. Remote learning relied on many different platforms, each of which carried unique privacy challenges that can now be better anticipated and addressed. CDT’s latest report will help walk schools and educators through that evaluation.

What Did Remote Learning Look Like This Spring?

Surveys of teachers and administrators reveal differing views of the tools used during remote learning, especially the use of video conferencing platforms. During the pandemic, national coverage of remote learning focused largely on teachers’ use of group video conferencing platforms, such as Zoom, to host classes.  Although there is no single, authoritative set of statistics, some surveys have suggested that video conferencing platforms were actually not widely used during remote learning. For example, a survey conducted by EdWeek in early April found that 58% of teachers were using online video conferencing. A separate review by the American Enterprise Institute of school district policies at the end of May found that just 44% of schools used videoconferencing or similar “synchronous” platforms. Other surveys, however, showed a much higher adoption of video conferencing. In a survey by Ipsos, 74% of teachers reported teaching through “live, in real-time” video platforms, while in a survey by the AASA, 89% of superintendents reported that their districts provided instruction through “video casts/webinars.”

Despite differing figures for video conferencing, each of those surveys showed that a variety of technologies were widely used during remote learning. In the Edweek survey, 86% of teachers said they used email to contact students and 69% posted written messages. A total of  fourteen different technologies were used by at least 10% of teachers. The AEI survey similarly found that 62% of districts offered virtual supplemental content such as videos from Khan Academy, 83% provided instructional packets, and 86% used “asynchronous” online tools such as posting pre-recorded videos on YouTube. In the Ipsos poll, sizeable portions of teachers reported that they used “software” or “pre-recorded videos” (71%) or even paper packets (51%), while superintendents reported to the AASA that their districts used text messages and phone calls (91%), paper packets (82%), classroom blogs (52%), and podcasts (23%).

Two points are important in making sense of these seemingly conflicting survey results.  First, the surveys showing lower adoption of video conferencing are consistent with the extent of the digital divide in this country. Research from the Pew Foundation shows that only 73% of U.S. adults have broadband access at home, which suggests that a quarter or more of students likely do not have sufficient broadband to connect to online video conferencing. Second, even if most teachers were successfully using video conferencing for large-group instruction, all surveys agree that teachers are still using a wide variety of tools to reach their students. Consequently, the risks to student privacy extend beyond video conferencing.

What Were the Privacy Risks?

Each of the tools used by students and educators carries benefits as well as privacy risks. For example, platforms may not meet legal requirements for student privacy. Some remote learning took place on social media and other platforms not designed for education.  Even edtech purportedly designed for education has been alleged to have practices that may not comply with federal or state children’s privacy law, such as collecting or sharing data about children and students without parental consent.

Other platforms may be susceptible to abuse, harassment, and bullying. Group video conferencing became infamous for “Zoombombing,” in which strangers intruded on live classes and displayed racist tattoos or child sexual abuse material. Likewise, in a first attempt by schools in Fairfax, Virginia to use a learning management system called Blackboard, students took advantage of security gaps to post homophobic and racist messages and to record group chats. Switching to Google Classroom simply shifted the problem, as harassment moved onto private chats or even commenting features built into the system, out of teachers’ sight.

Finally, other platforms may inadvertently disclose sensitive information. Privacy invasions may be inflicted by oversights as simple as the coding of fields in student records. One organization, for example, sought to protect students from having their transgender status revealed without their consent because an online learning platform automatically populated fields with legal names the students no longer identify with. Likewise, one-on-one video chats permit teachers to see into students’ homes. Schools have also used video to remotely surveil students and have required them to grant strangers remote access to their computers, all in pursuit of proctoring exams. Each of these privacy concerns requires careful attention from schools.

Reopening More Privacy Conscious Schools

Although the laws and principles underlying student privacy have not changed, the school environment has, and in unprecedented ways. The last few weeks of summer will allow schools to assess how to maintain student privacy over continued remote learning. Schools should provide students and teachers with specific guidance on how to teach and learn online, adjust settings on edtech to protect student privacy, and select platforms with privacy protective policies.

Five additional processes may help schools ensure that their remote learning appropriately safeguards student privacy:

• Designate an official to be the point person for managing student privacy during remote learning, even if the school does not have a specific chief privacy officer. Ensure that the point person has the time and resources to manage the school’s edtech inventory.
• Inventory edtech that was used for remote learning by surveying teachers and other staff. The survey should be open and non-punitive, to ensure accurate reporting of the tools that teachers utilized to reach their students this spring.
• Evaluate edtech adopted during remote learning for compliance with legal requirements, district and school policies, and best privacy and security practices.
• Incorporate the edtech that the school or district wishes to keep into existing systems, including by establishing interoperability with those systems. This may mean ensuring that student work may be downloaded, that data may be exported to student information systems, and that data is in a format that may be shared with partner agencies.
• Finally, decommission edtech the school wishes to terminate. Schools should be sure to download any information it normally retains, such as evaluations of student work, and ensure that student data is deleted from the decommissioned system. Unfortunately, this may not be as simple as the teacher deleting the account, as some tools will still retain the data, such as for marketing or product improvement. The tool’s terms of service may provide more information about how to truly delete user data.

CDT’s latest guidance will help schools and educators navigate the privacy risks that come with the benefits of remote learning and edtech. The report also addresses the privacy implications of the other side of hybrid schooling: in-person learning and its accompanying health screenings and information sharing with health agencies. The complete guidance can be found below.