Sunday, December 8, 2013

ALEC's student privacy bill and the hydra-headed data predators

Additional UPDATE:  According to Hadi Partovi, founder of, Mark Zuckerberg had nothing to do with starting the organization.  Hadi is also in the process of revising the privacy agreement for

UPDATE: Turns out NYC DOE intends to work with (see below) whose sample contract demands 4-6 years of personal student data.

The huge number of well-funded private interests eager to pirate your child's data or enable others to do so is a many headed hydra which seems to grow new heads every time another is chopped off.

As recently reported in Education Week, the American Legislative Exchange Council (or ALEC), the conservative advocacy group, is jumping on the student privacy bandwagon and has written a “model” bill for state legislators to adopt, based on an Oklahoma privacy bill that was recently passed.

Even at first glance, I realized this bill was inadequate because it doesn’t provide for any parental consent before children’s personal data is handed over to vendors, and noted this to the EdWeek reporter:

Leonie Haimson, a New York City-based parent and public schools advocate, also questioned the wisdom of not providing families more say in whether and how their children’s information is being shared.
“To me, it sounds like [the bill is intended] to assuage the fears of parents who want there to be something done to protect their children’s data, but who aren’t really informed about the issues,” Ms. Haimson said.

Bills that contain more specifics but don’t take as comprehensive an approach have gained some traction in other states. In New York, for example, Ms. Haimson and her nonprofit organization, Class Size Matters, have helped push more-targeted bills crafted to stop the release of sensitive student information without parental consent and to allow parents the opportunity to opt out of data-sharing efforts involving third-party vendors.

Even State Rep. David Brumbaugh, the author of the Oklahoma student privacy bill, admitted as such in the article:

For his part, Mr. Brumbaugh, the Oklahoma lawmaker, said his state’s efforts should be construed as a first step. “We want to shore [students’ privacy] up even more,” he said, pointing to parental-consent provisions as one area where the state could see further action. “This is all new territory.” 

Any bill that doesn’t require parental consent before personal student data is shared should not be acceptable to either conservatives or liberals; this is what the federal student privacy protection act known as FERPA required before the US Department of Education rewrote and eviscerated its protections in 2008 and 2011.  

Since then I have taken a closer look at the ALEC privacy bill, and see other weaknesses:
  • It wouldn’t prevent states from sharing personal student data with contractors or between agencies without consent;
  • It would enable states to make whatever personal data they please available to researchers;
  • It calls for only such parental notification already required under federal or state law;
  • It would allow for all sorts of involuntary data disclosures for students transferring out of state or “taking a national or multistate assessment”;
  • It would encourage the outsourcing of data to private vendors or organizations, as long as there are unspecified provisions made to “safeguard privacy and security and include penalties for noncompliance”.

Though the bill also bars disclosure of medical and criminal records, it would NOT bar the involuntary disclosure of highly sensitive disciplinary records or, most likely, children’s disabilities and health conditions, as specified in their 504 designations and accommodations.

In short, nothing in this bill would prevent agencies from doing everything the NY State Education Department is currently planning, in sharing extremely confidential student data with inBloom Inc., without parental consent.

In short, I suspect that ALEC is merely acting to try to pre-empt stronger bills that would actually protect student privacy, such as A.6059A and A.7872 passed by the NY State Assembly last session, and introduced this year in the Senate as S. 5932 and S. 5930. This suspicion is reinforced by other draft education bills being proposed by ALEC this year that would instead encourage and expand such risky data practices.

See for example, in this list of draft ALEC bills, the “Student Achievement Backpack Act”:  Though it is promoted as “providing access” to parents of a student’s education records from K-12, it would provide “a complete learner profile” to schools and districts, stored on a data cloud and “managed by the State Office of Education” which would follow “the student from school to school.” Parents would have no authority over who accessed their children’s data but instead this would be controlled by the state and district, who could make it available to anyone they chose “via a web browser.” 

The “Student Futures Program Act” is even more nightmarish -- a “career planning program” that seems designed to steer students to appropriate jobs based upon their test scores and other academic data. An Orwellian “Student Futures Steering Committee,” made up of individuals appointed by the Governor, would “administer and manage Student Futures in collaboration with the Department of Workforce Services, the State Board of Regents, and the State Board of Education.”

Then “education providers” and businesses would be allowed access to an online website that stores the student data, enabling them to “research and find student users” to whom they can “promote” their programs and “market jobs.” No mention of any need for consent, limitations on access to this data, or security or privacy protections. In fact, the language calls for giving the Student Futures Committee authority to “control all user data within the system.”

ALEC is also proposing questionable bills to require states to adopt “interactive” [read: data-mining] software programs, online testing and data collection of young children starting in Kindergarten, with innocuous titles like “Early Intervention Program Act” and “Technology-Based Reading Intervention for English Learners Act.”

Even though we have up till now focused largely on the dangers represented by the inBloom mega-data sharing project, it is impossible to ignore that a huge number of software vendors are eager to jump into the highly profitable data-mining arena, with or without inBloom.

For example, a company called, founded by Mark Zuckerberg of Facebook fame as well as other technology luminaries, is offering free coursework in computer programming and teacher training to schools in return for four to six years of personal student data:

What restrictions apply? Few if any:

Use or access to any protected data obtained as a result of these studies will be limited to representatives with a legitimate interest in accessing this data, which will include the Entity Coordinator, school administrators, and other persons who are specifically authorized by the Entity [] as having a legitimate interest in receiving the data.

For more on, see ValleyWag, and this promotional video, complete with Bill Gates, the original data pirate himself. UPDATE: see above, Hadi Partovi is revising the privacy agreement.

Meanwhile, according to Politico, Kris Amundson, formerly of Education Sector, a Gates-funded think tank, now at the National Association of State Boards of Education, urged state legislators last week "to be out in front of that [data privacy] issue before it comes back to bite you," adding that restricting the collection of this data is "a proxy to defeat higher standards and better testing" and "could really have legs.”

It will be our job as parents and advocates to ensure that the fight against excessive personal data collection and disclosure does have legs, until the right of parents to have their children’s information protected from data predators is secured.


Anonymous said...

Hi, can you provide some more detail about the wording you posted from I am not seeing that wording in their TOS or Privacy Policy. Where does it come from? A few links would be appreciated. Thanks.

Leonie Haimson said...

the sample contract is here:

more on this at slashdot is here:

Unknown said...

Leonie, you wrote:

[in short, I suspect that ALEC is merely acting to try to pre-empt stronger bills that would actually protect student privacy, such as A.6059A and A.7872 passed by the NY State Assembly last session, and introduced this year in the Senate as S. 5932 and S. 5930]

The Senate bills were introduced the same year as the Assembly bills. And for the record, the Senate has had student privacy bills going back to 2010/11. The Assembly's interest in student privacy was a couple of years later.

You don't like the ALEC CPO bill however you haven't commented on the CPO for Education Act.

Also, I like the coding courses & not concerned about the data collected.

Unknown said...

Here's a link to my testimony before the Assembly. The student privacy bills currently in the legislature are discussed as well as the need for a state CPO for Education backed up by Joel Reidenberg's testimony before Congress.

Anonymous said...

Thanks for posting the links, Leonie. I am not sure I am concerned about the example. I think there is a big difference between actually signing up a school to be a 2-year "partner" v. just using the valuable resources found on their site for free and without having to supply PII. There is no such thing as a free lunch, so any school who signs up to obtain the full package of curriculum materials has to assume they will need to send something back in return. Now, what I'd add is in that case parents should be informed as to exactly what is taking place, what data needs to be sent to, etc. and an opt in/out should be presented to parents. Or, schools can simply find a different set of curriculum. Still have to dig into this a bit more as I do like the resources available from the organization, but am concerned about this "contract". Not overly concerned because it is not some state wide initiative, but somewhat concerned.

Anonymous said...

I know this is an old topic but is really crap.

The other thing with the privacy and data collection is that they were collecting data they didn't need to collect. You know the demographics of the school why do you need it for that specific student to let them play a game for an hour?

Hadi had/has a company to build a personalized learning platform with Zuckerberg (his announcement this week makes this more interesting) and was a way to collect the data. Ashton Kutcher was also an investor. But after the privacy debacle they shelved it - or did they?

There are a lot of districts that signed an agreement with who didn't have signing authority. The teacher can't sign this; she's not empowered to. And what is going to do if someone says they don't have time for their kids to play a game? Are they going to sue them?