Protecting Connected Students from Tracking by Internet Service Providers

As government leaders, policymakers, and technology companies continue to navigate the global coronavirus pandemic, CDT is actively monitoring the latest responses and working to ensure they are grounded in civil rights and liberties. Our policy teams aim to help leaders craft solutions that balance the unique needs of the moment, while still respecting and upholding individual human rights. Find more of our work at cdt.org/coronavirus.

In our previous posts on student privacy and the homework gap, we saw how schools’ efforts to connect students at home comes with both benefits and potential privacy harms, including digital intrusions through hate speech and harassment. The privacy harms for newly connected students, however, are not just limited to intrusive content – but also include tracking by the internet service providers (ISPs) that connect students to their remote lessons. Schools should take steps where they can to help protect students’ privacy—especially on connections funded by the school. Schools’ tools, however, are limited, and it’s ultimately up to policymakers to ensure that students’ data are not commodified by the infrastructure they rely on to connect with their education.

ISPs have the ability to track their customers across a wide range of data, including billing information, location data, and – perhaps most prominently – browsing history. Browsing history gives ISPs a detailed understanding of their customers’ lives, revealing everything from medical conditions to financial problems. That history is almost unique to each person and can be visible to ISPs even when users encrypt the data they transmit over the Internet. Information about students connecting through school-provided connections is no different.

Previous broadband privacy rules limited ISPs’ ability to use or share customer information other than to provide broadband services. In 2017, however, Congress repealed those rules. Since then, ISPs have largely been unregulated in their collection and use of their users’ data. Although many providers have disclaimed selling user data, their privacy policies contain capacious language that permits collecting data like browsing history. That data may then be used for injecting targeted ads into users’ services or tracking users across devices.

Unfortunately, federal laws designed to protect students and children may not fill the gap left by the repealed rules.

For example, ISPs’ collection of students’ browsing history would likely not be “for” an educational institution, and therefore may not be constrained by the Family Educational Rights and Privacy Act (FERPA). FERPA applies only to personal information from “education records” maintained by an educational institution or “a party acting for” the institution. According to the Supreme Court, the “usual understanding” of the term “acting for” an educational institution “connotes agents of the school, such as teachers, administrators, and other school employees.” If an educational institution has not directed an ISP to collect students’ browsing history and the ISP is doing so only for its own benefit, it may not be an “agent” acting for the institution and FERPA may not constrain its collection or use.

Likewise, even though the Children’s Online Privacy Protection Act (COPPA) is meant to prohibit “a website or online service” from “collect[ing] personal information from a child” under 13, it may not include tracking by ISPs. The FTC has hinted it would enforce COPPA against broadband providers that “knowingly” collect information from children, but broadband providers fall outside the types of online services “traditionally” subject to COPPA – and tellingly, in almost twenty years of COPPA enforcement, the FTC has never brought a case against an ISP. In addition, COPPA’s protections are limited to children under 13, leaving students in middle and high school subject to tracking by ISPs.

Despite the potential gaps under federal law, schools have some options to help protect students from tracking by ISPs. For the connections that schools provide to students such as Wi-Fi hotspots or subsidized connections, schools may leverage the contracts they enter with ISPs. Schools are often relatively large subscribers, especially in rural areas, and thus should not hesitate to use their negotiating leverage to gain additional protections for their students. Negotiations might be aimed at garnering terms that require ISPs to disclose their collection practices in plain language, require the deletion of data collected from school-funded hotspots and connections, or prohibit the collection, use, and/or sharing of certain data.

This strategy, however, faces limitations. Schools may lack leverage if there is only a single ISP in the area—a fact that is often true in many broadband markets. Likewise, any terms a school negotiates will not benefit students using connections not provided by the school, such as the family’s own broadband.

ISPs could rise to this moment and voluntarily provide some of those same protections by providing clear notice about how they process and use customers’ data, and limiting certain uses and sharing of data not required to provide broadband services. These voluntary protections should include affirmations that they will not use or share students’ browsing history, but ultimately, regulators bear the responsibility of ensuring that students’ privacy is protected after they are connected online. As described above, federal law protects children’s privacy in school and from online services, but not necessarily from the providers that connect them. Congress could address these potential gaps by passing comprehensive privacy legislation, such as that proposed by CDT, which applies to ISPs. Outside that more-comprehensive approach, Congress has the opportunity to address student privacy in the school funding and broadband infrastructure bills it is currently considering. Any bill providing funds to connect students remotely should ensure that ISPs receiving those funds adequately protect student privacy. Similar to what school districts may negotiate in their agreements, those protections could require ISPs to fully disclose their data collection practices, adhere to deletion requirements, or even prohibit collection or uses beyond what is needed to provide the service.

As schools are reopening, we face a dual challenge: connecting students, without unduly impacting their privacy. We believe that we can and must do both.