Our concerns
about the open-ended data sharing of the Summit/Facebook software platform was
featured on the front
page of the Washington Post. This software is in 100 schools
nationwide, about two thirds of them public schools. The list is
here. Two of the schools are in NYC: the Bronx Writing Academy in District 9; and
J.H.S. 088 Peter Rouget in District 15 in Brooklyn.
Summit is sharing
the student personal data with Facebook, Google, Clever and whomever else they
please – through an open-ended consent form that they have demanded parents sign. A copy of the consent form is here.
I have never seen
such a wholesale demand from any company for personal student data, and can
imagine many ways it could be abused. Among other things, Summit/Facebook
claims they will have the right to use the personal data “to improve their
products and services,” to “conduct surveys, studies” and “perform any other
activities requested by the school. ”
Here is an
excerpt:
Summit may
collect information that you provide or your child provides directly to Summit,
such as contact information, coursework, testing, and grades. Summit also may
collect information automatically from browsers, computers, and devices (such
as information from cookies and browser and device identifiers in order to
remember your preferences)..... Summit may use your child’s information to
conduct surveys and studies; develop new features, products, and services; and
otherwise as requested by your school or consistent with your consent. ...
Summit also may disclose information to third-party service providers and
partners as directed or authorized by the school. For example, Summit uses
Clever, Facebook, and Google to help develop and improve the personalized
learning plan software or to provide related educational services on Summit’s
behalf.
They claim they
won’t use the child's personal data for targeted ads (as would be banned anyway
in the CA law called SOPIPA) but this is among the only restriction. They say
they can sell the data "in connection with a corporate transaction, such
as the sale of our Services, a merger, consolidation, asset sale." The one-sided Terms of Service is here; the Privacy Policy is here.
The Summit
platform has never been independently vetted for security protections – or
shown to yield any educational benefits, and I believe is a very radical way to
outsource instruction and student data to private companies.
Other reasons that
teachers as well as parents should be concerned:
The Terms of Service claims the right
to use the intellectual property of teachers in these schools,
including course
assignments, etc. and even student work without any recompense: “You Grant
Us a non--‐exclusive, perpetual, transferable, sub--‐licensable,
royalty--‐free, worldwide License to use content that you post on or in
connection with the Services in any manner, media, form, and modes of uses, now
known or later developed.”
--Though I’m not
an attorney, the Terms of Service seems to explicitly and repeatedly waive any
liability that Summit or FB or any of its partners may have for
protecting the data against breaches, complying with state or federal law,
or abiding by their own Terms of Service;
-- As the Washington Post article
points out, the TOS would force any school or party to the agreement (including
teachers) to give up their right to sue in court if they believe their rights
or the law has been violated, and limits the dispute to binding arbitration in
San Mateo CA - in the midst of Silicon Valley, where Facebook and Google
presumably call the shots. This is the same sort of abuse of consumer
rights that that banks and credit card companies have included in their TOS and
that the federal Consumer Financial Protection Bureau is now trying to ban.
--The CEO of
Summit charters, Diane Tavenner, is also the head of the board of the
California Charter School Association, which has aggressively tried to get
pro-privatization allies elected to California school boards and state office,
and has lobbied against any real regulations or oversight to curb charter
school abuses in that state.
- - Summit
says they won't sign individual contracts with school districts or schools, for
the following ostensible reasons, and suggests a
legal loophole for states and districts that require such contracts:
Summit
Public Schools is unable to sign contracts, MOUs, or other legal documents from
other districts, CMOs, or individual schools. Straying from our Summit
Partnership contracts would add immeasurable risk to our organization as we are
unable to acquire third party validation on different contracts in the way that
we did for our own participation agreement. It would not be legally sound for
us to enter into two legal contracts with two sets of potentially conflicting
commitments for one program.
Some
districts that have policies where all third party vendors need to sign one
designated contract were able to bypass that requirement given the status of
Summit Public Schools as an educational organization rather than a vendor and
the nature of the partnership as a free exchange of ideas and services rather
than a paid service relationship.
And then they add
– presumably to assuage the fears of parents or school administrators:
In order to
ensure that our legal agreement meets the high quality demanded by school
organizations across the U.S., Summit Public Schools has gone the extra mile to
work with one of the best legal teams in the country to draft this agreement.
We worked with Jules Polonetsky - CEO of the Future of Privacy Forum, a
Washington, D.C.-based think tank that seeks to advance responsible data
practices - and his team to review our privacy policies and provide his 3rd
party stamp of approval. Straying from the language in our participation
agreement would add risk as we are unable to also acquire third party
validation on different contracts.
What they don't reveal is that the Future of Privacy Forum is largely
funded by the technology industry and the Gates Foundation, and Polonetsky was a big supporter of inBloom.
(Nevertheless, the sample contract they apparently offered to
Kentucky schools did not include the binding arbitration clause, though it
limits Summit's liability to $10,000.)
For these and
other reasons, I think parents and students should be VERY
concerned.
In my view and
that of many other parents, the explosion of ed tech and the outsourcing of
student personal data to private corporations without restriction, like this
current Summit/Facebook venture, is as risky for students and teachers as the
privatization of public education through charter school expansion. In
this case, the risk is multiplied, since the data is going straight into the
hands of a powerful charter school CEO - closely linked to Gates, Zuckerberg
and Laurene Powell Jobs, among the three wealthiest plutocrats on the
planet.
Gates has praised Summit to the skies, has given the chain $11 million, and has made special efforts to get it ensconced in his state
of Washington; Zuckerberg is obviously closely entrenched in this initiative,
and Laurene Powell Jobs has just granted the chain $10 million to launch a new charter school in
Oakland.
I sent the
following list of questions to Summit at info@summitbasecamp.org
nine days ago, but have received no response. Others -- especially parents
at these schools and/or privacy advocates -- might like to send their own
questions or resend mine as well. And if you are a parent or a teacher at
one of these schools, please contact me ASAP at leonie@classsizematters.org
Thanks! Leonie
Questions for
Summit:
1.
1. What is Summit’s definition of “reasonable and
comprehensive data protection and security protocols to protect student data”?
What does that specifically include in terms of encryption, independent
audits, security training, etc? And where is that in writing?
2. 2.
If my child’s data does breach, what rights would I
have as a parent to secure damages?
3. 3.
Does Summit claim unlimited rights to share or
utilize my child’s homework and intellectual property without notice or
compensation that they are claiming with teacher work in the TOS?
4. 4. Can Summit specifically itemize the
companies/organizations that they will share my child’s data with, aside from
those mentioned below?
5. 5.
Are each of these third parties barred from making
further redisclosures of my child’s data?
6. 6.
Are each of these third parties, and any other
organizations or companies or individuals they redisclose to, legally required
to abide by the same restrictions as listed under your TOS and PP, including
being prevented from using targeted or non-targeted advertising, and/or selling
of data, and using the same security protections?
7.
7. Does Summit promise to inform parents over the course
of the year all the additional third parties the company plans to disclose my
child’s data to?
8.
8. What is the comprehensive list of personal data
Summit is collecting and potentially sharing from my child? You mention a
limited list below, but does it also include my child’s homework, grades, test
scores, economic status, disability, English proficiency status and/or race as
well?
9. 9.
The TOS mentions survey data. Is there any
personal data from my child that Summit promises NOT to collect via a survey or
otherwise? Will parents have the right to see these surveys before they
are given and opt out of them, or does signing this consent form basically mean
a parent is giving up all their rights under the PPRA?
10. Why can’t Summit simply give the software platform to
schools to use if it is beneficial, along with links to instructional
materials, rather than demand as “payment” in the form of all the student
information as well?
1 11. Do you promise not to use the information gained to
market products directly to students and/or their parents, and are all your
partners and/or those they disclose the information to barred from doing so as
well?
1 12.
The PP says you will use my child’s personal
data to develop new educational “products” – what does that mean? Why
can’t you use de-identified data for this purpose?
13. It also says you will use this data to “communicate with
students, parents, and other users.” What does that mean? What kind of
communications will you engage in with my child or with me?
14. The PP states a parent can “review, correct or have deleted certain personal
information”. Which kind of personal information can I delete, how will I
be able to do that and will that stop my child from using the platform?
1 15. The PP also says you will share the data with anyone “otherwise directed or
authorized by the school.” What does that mean? Does my signing a consent
form mean that the school can authorize to share this information with ANYONE
else, without specifying the sort of third party, for what reason, or without
limitation, without informing me or asking for my further consent?
1 16. It says it will send notice of proposed changes to the PP ahead of time to the
participating schools; why not parents if you have their contact info?
Shouldn’t they hear this directly from you and immediately if you are
considering changes?
17.
Does Summit consider this parent consent form to mean that parents are waiving
the privacy rights of their children under all three federal student privacy
laws, including FERPA, COPPA and PPRA?
1 18. The PP says that “FERPA permits schools to share students' information
in certain circumstances, including where the school has gotten a parent's'
consent or where the organization receiving the student data operates as a
“school official.” Summit Public Schools operates as a “school official”
consistent with the Department of Education's guidance under FERPA.”
If this is true, why does Summit need to ask for parental consent? What
additional rights does my consent afford Summit that you would not have without
consent in terms of the collection, use and disclosure of a student’s personal
information?
19. Summit says that “Participating schools and
individual teachers own, and are responsible for, student data provided through
the Summit Personalized Learning Platform.” Why don’t students own their own
data?
20. This raises another related question: the Summit Privacy Policy and Terms of Service grants schools and teachers some
rights (however limited.) What rights do parents and students have under these
conditions?
21. The TOS says that if schools believe Summit has violated its promises or
complied with the law, instead of suing they must submit to binding arbitration
in San Mateo CA and are barred from filing class action complaints. This
type of provision has been heavily criticized when banks and credit card
companies have included in their consumer agreements, and the Consumer Financial Protection Board is
considering restricting their use. Why is this clause any more acceptable in
your TOS?
22. What legal recourse do schools, teachers or parents have if Summit violates the
law or its TOS, for example if Summit decides to sell or give away or
carelessly store the data given that the TOS says “UNDER NO
CIRCUMSTANCES, INCLUDING WITHOUT LIMITATION, NEGLIGENCE, WILL SUMMIT, ITS
AFFILIATES, OR ANY PARTY INVOLVED IN CREATING, PRODUCING, OR DELIVERING THE
SERVICES BE LIABLE FOR DAMAGES OR LOSSES” in any case?
23. In yet another clause of the TOS, Summit requires schools to “agree to
indemnify, hold harmless, and defend Summit, and its affiliates, licensors, and
service providers, and each of their respective officers, directors,
contractors, agents…etc.et. against any and all demands, claims, liabilities,
judgements, fines, interest, penalties… etc. including attorneys’ fees etc.”
Why the need for so many layers of self-protection and disclaimers of
liability?
24.
What rights does a parent have in general if Summit
violates the TOS or the PP? Are they bound to the binding arbitration
clause in the TOS that the school must agree to?
25. In another FAQ here, Summit says that it will not sign
contracts or written agreements with individual school districts, and if the
state requires this under law, districts or schools should try to “bypass that
requirement" by claiming that a) Summit is not subject to the law
because it is not a “vendor” but an “educational organization” and b) that
they should not have to sign a contract because of the “nature of the
partnership as a free exchange of ideas and services rather than a paid service
relationship.” But if you are gaining potential economic and programmatic
benefits from your access to student data, including using it to build new and
better “products” as the TOS states, why isn’t this a commercial relationship
bound by state law? And if this relationship is truly a “partnership”
with a free exchange of ideas, why is the TOS so one-sided and seems to protect
Summit from any possible liability, and not the school?