Monday, January 17, 2022

Serious student privacy risks from Naviance and Skedula/Pupil Path: data systems that hold a wealth of personal student information


Two events recently occurred that reveal the serious risk to student privacy in NYC and elsewhere.  

The first is a series of mind-boggling articles in The Markup, here and here, that reveal how Naviance, a program used in thousands of schools throughout the country, including many NYC schools, uses personal data to send students targeted ads paid for by the company's customers, including some colleges that choose to recruit students according to their race. Some of this personal data, gathered through school information systems and student surveys, is also used to create risk-assessment algorithms that claim to predict students’ chances of success.

Naviance is owned by PowerSchool, which states that "Naviance is the leading college, career, and life readiness (CCLR) platform, equipping over 10 million students in 40% of U.S. high schools with the skills they need to reach their future goals."  In turn, a hedge fund called Vista Equity Partners has acquired controlling ownership in PowerSchool,

A website run by Naviance explains that their customers can use their data to “find students who fit specific demographic variables (race, ethnicity, geography, class year, attendance at an under-represented school) and present messages about your institution to students who possess those characteristics.”

Many schools assign students to take Naviance surveys, starting as early as the third grade, that collect data and use proprietary, black-box algorithms to steer students towards specific courses and careers. The huge amount of personal student data collected directly from schools and students includes the following:

" ...citizenship status, religious affiliation, school disciplinary records, medical diagnoses, what speed they read and type at, the full text of answers they give on tests, the pictures they draw for assignments, whether they live in a two-parent household, whether they’ve used drugs, been the victim of a crime, or expressed interest in LGBTQ+ groups, among hundreds of other data points." 

Several of these data points should legally trigger the federal Protection of Pupil Rights Amendment, which requires that parents be given advance notice of surveys that ask questions about sensitive issues like religion or self-incriminating information, be allowed to view these surveys, and either consent or opt out, depending on whether they are mandatory or not. And yet when parents have asked their districts to see Naviance surveys, and/or requested a copy of the data that the company holds for their children, they have been denied this right and told that the questions are secret, based on intellectual property.

NY State has a rather strict student privacy law, Education Law 2-d, that prohibits school vendors from selling student data or using it for commercial purposes, and also requires that their contracts with districts specify this in a Supplementary Appendix called a "Parent Bill of Rights" posted on the district website.

An analysis of the data in CheckbookNYC shows that DOE has spent more than $1.6 million on Naviance since Jan. 2020. And yet there is no information posted for the company on the relevant DOE webpage, in violation of the state law and the regulations. Ed Law 2-d also requires that parents have the right to see any and all the personal data that any school vendor holds for their children. If you are a parent whose child's school uses Naviance, please email us at info@studentprivacy.org

The other concerning event is the outage, lasting more than a week, of Skedula and Pupil Path, student information systems in which teachers record grades, assignments, and observations of their students, as well as contact info for families. Many teachers have spoken out on Twitter about how this outage has prevented them from communicating with families, which is especially critical given the sky-high current absentee rates, and has also made it impossible to calculate their grades at the end of the semester.

This Skedula outage has been reported by numerous news outlets including the Daily News, Chalkbeat and the NY Times.   The Daily News article features comments by data security expert, Doug Levin, who is quoted as saying,

“Based on my experience tracking K12 cyber incidents since 2016, it seems a reasonable assumption that a security-related disruption of this length could be ransomware,” said Doug Levin, the national director of K12 Security Information Exchange, a group that tracks cyberattacks targeting schools and education platforms.

Indeed, the outage has all the hallmarks of a DDoS, or Distributed Denial of Service, attack that often includes ransomware, in which hackers penetrate and freeze a data system and ask for money in exchange for a promise not to expose the personal data or to unfreeze the system.

As I am quoted in the NY Post, if the data that is held in Skedula/Pupil Path is breached, that “would be terrible. Teachers often use the system to record very sensitive information about a student’s emotional state or behavior, and to recommend counseling or other intervention services.”

Skedula was originally invented by NYC teachers, who started a company called Datacation that was later sold to IO Education, which in turn was bought by Illuminate Education. According to the NY Post, the company has received more than $16 million from DOE in the last three years for the use of these programs. Abram Jiminez, who was hired by ex-Chancellor Carranza to lead a school improvement office, had previously worked at Illuminate and held stock in the company. He was later forced to quit after the conflict of interest was exposed and other past scandals emerged.

Today, a Skedula status page says some applications are working and many are not.

Whether any data was breached is not reported.

The supplementary privacy  information for Illuminate's contract is posted on the DOE's website here.  It says the following:

All PISI [personal identifiable student information] is hosted primarily with Amazon Web Services, and there are select products hosted with Google Cloud Platform, which are being migrated to AWS. AWS hosts the data in the United States. Either provider’s SOC2 [Service Organization Control 2] report is available upon request or can be accessed by contacting AWS or GCP directly.

Yesterday, the NY Times reporter tweeted that she had gotten the following message from the company:

Does that mean that the previous environment in which its data was being stored was not secure?

All this points out how the growing use of third-party programs and apps in classrooms poses serious risks to student privacy. All districts, including NYC, must redouble their efforts to minimize the use of these apps, and if they must be utilized, to ensure they provide rigorous data security and privacy measures, and comply with federal and state laws.
