CDT Research, Equity in Civic Technology, Privacy & Data
Student Activity Monitoring Software and the Risks to Privacy
By L. Holden Williams
Schools are increasingly adopting technology to monitor students’ activity online, and without adequate safeguards, these tools can pose risks to student privacy.
The Center for Democracy & Technology (CDT) highlights the privacy concerns associated with closing the homework gap in its newly released report, Online and Observed: Student Privacy Implications of School-Issued Devices and Student Activity Monitoring Software. In their efforts to close the homework gap, schools have adopted a number of digital learning tools, including monitoring software that can track student’s online activities on devices in real time.
Publicly available information collected from thirty common monitoring software companies reveal two main technology types:
- Monitoring software installed directly on a device, which has access to more of the device’s information; and
- Browser-based software, which monitors student content and web activity and is stored by an online service.
Device monitoring is more pervasive than browser-based monitoring which is why it presents a greater risk to students, especially those who are more likely to depend on school-issued devices, including low-income students.
What is Student Activity Monitoring Software?
Student activity monitoring software provides school districts with data about how and when individual students are using their devices. Broadly speaking, “monitoring” can encompass any technology that collects data on individual students, such as a learning management system logging when students use the system or a webapp scanning students’ email messages. Monitoring can also be defined in narrow terms as software on school-issued devices that allows for real-time features such as viewing students’ screens or switching which applications they have open.
The Potential Disparity in Privacy Risks with Continuous Monitoring Software
Both device- and browser-based monitoring software present privacy risks, although level of risk and types of threats may differ.
Device-Based Monitoring
Device monitoring can provide school administrators with the means to monitor usage data, identify needed repairs, and prevent device misuse. Unlike browser-based monitoring, device monitoring requires more access and permissions to a device’s operating system so as to obtain detailed information about a device. The access to the device hardware needed to abstract such granular information can potentially invade a student’s privacy. For example, district officials can access more precise location data, can record application usage, or provide teachers with the means to remotely shutdown, restart, and log-in to a student’s school-issued device.
Different student activity monitoring software products will interact with operating systems and device permissions— including access to keystrokes, content on the device screen, and input devices like cameras and microphones— in different ways. If the operating system for a specific device is compatible with a particular monitoring tool, users may find they have access to more monitoring features for those devices. Some software monitoring tools cannot be installed, or are less effective, with particular operating systems, which reduces the monitoring capabilities of the software.
Browser-Based Monitoring
Browser-based monitoring is not as dependent on operating system compatibility as device monitoring because the former is designed to function on relatively standardized browsers, rather than interacting directly with the operating system. Browser-based monitoring is focused on a student’s online activity, such as a student’s messages and documents stored online or browsing history and searches. However, browser-based monitoring is sometimes contingent on students using a certain browser or signing into a browser with school credentials. This dependency between some browser-based monitoring and use of a specific browser would give students using a personal device the means to circumvent monitoring by selecting a different browser.
For students using certain types of school-issued devices, browser-based monitoring can be impossible to avoid because the device itself may be limited in its ability to function outside of the browser interface and may not allow installation of an alternative browser. In order to address threats to student privacy on these types of devices, district administrators can minimize the data collected by limiting what activities are monitored, among other things.
Regardless of the means through which student activity is being monitored, the privacy risks are not distributed equally among students due to disparities in personal device ownership. As our recent research uncovered, students who attend school in wealthier districts are more likely to have a personal device and therefore avoid much student activity monitoring. As a result, it is possible that students’ reliant on school-issued devices could be unfairly disciplined and restricted, or could feel restricted in their self-expression because of constant monitoring. Parents, teachers, and other school community members are also concerned about these issues. CDT’s survey research showed that the majority of teachers (57%) and parents (61%) are concerned that online monitoring could harm students if it is used to discipline them or is shared and used out of context.
CDT has called on school districts to ensure they protect student privacy in their efforts to close the homework gap, including addressing the privacy and equity concerns that arise when student activity monitoring occurs in students’ homes. CDT is committed to exploring and supporting further research on this topic to better understand the relationship between students, school-issued devices, and student activity monitoring software, and in the meantime has offered guidance to school district administrators on how to minimize the potential harms that arise with student activity monitoring software.
L. Holden Williams was a spring 2021 extern on CDT’s Research Team, where his work focused on student surveillance issues. Holden graduated in the class of 2021 from the Masters in Law and Technology program at the Georgetown University Law Center. He is now a Technology Policy Fellow at the International Digital Accountability Council (IDAC).