NEW video about how NYC Dept of Health is enabling Talkspace to share teen personal data with social media platforms, undermining their mental health

 

Please watch the brief video above about how the online mental health company Talkspace, which has a $26M contract with the NYC Department of Health, continues to share NYC teen data with ad trackers and social media companies -- the very same companies NYC is suing for undermining their mental health. 

This is despite our repeated letters to the Department of Health, raising our privacy concerns starting last September. Also, check out this recent piece in Gizmodo, that reports that now Seattle and Baltimore schools also have similar contracts with Talkspace to provide free mental health to teens, with likely similar data privacy violations. 

Moreover, as the Gizmodo article revealed, Talkspace is now developing a “Personalized Podcast” created through AI, that harvests patients' personal mental health info from their therapy sessions and feeds it back to them in the form of a sound file. One can only imagine the damage this could cause to vulnerable teens if someone got hold of the sound files on their phones or they themselves played them back inadvertently in public. Not even considering how the use of AI chatbots can itself be perilous, as shown by the recent lawsuit filed by parents who allege that a chatbot caused their son to commit suicide. 

One clarification: though the Gizmodo article notes that after we brought attention to this issue, ad-trackers were removed from the NYC Teenspace landing page, we found many other pages on its website are still collecting and disclosing teens' personal data,  as our video explains above, including the page featuring the new supposedly improved Teenspace Privacy Policy.  We wrote about our findings in our most recent letter sent to the NYC Department of Health more than a month ago, and yet have gotten no response.  

Parents: If your child has visited the Teenspace website or has signed up for their services, please contact us at info@studentprivacymatters.org as soon as possible.

New and Emerging Threats to Student & Teacher Data Privacy

On May 6, the NY Post revealed that about two million students in NY State alone may have had their privacy violated by the massive Illuminate data breach; students in CT and CO were also affected.

This is an update from reporting in The Journal, based on FOILed records from NYSED that found at least one million students affected, across 24 school districts and 18 charter schools in New York, plus one Board of Cooperative Educational Service.

The NY State Education Dept. and the NYC DOE needs to do a far better job protecting personal student data and complying with the NY State Student privacy law 2D, which was passed in 2014, and to minimize the sharing of student data, ensuring strict security standards including encryption, and requiring that vendors delete it as soon as possible and at the very least when students graduate, none of which happened here.

Illuminate has reported that the hackers accessed a "database storing some information in the unencrypted format", according to The Record news site, and that the data may have included student and parent names, email addresses, grades, attendance, birth dates, ID numbers, genders, race and ethnicity, languages spoken at home, Title I and disability status and more.  Data from the records of students in Colorado and Connecticut may also have been breached.

Two weekends ago, Leonie Haimson, co-chair of the Parent Coalition for Student Privacy, and Doug Levin, Co-Founder and National Director of K12 Security Information Exchange and a national expert on student data breaches, gave presentations at the Network for Public Education national conference in Philadelphia, in which we discussed the Illuminate Breach and the how districts and schools can better protect the privacy of their students and teachers.

Please follow the following links for videos of this session, separated into Part I and Part II, along with questions and comments from the audience.

Please vote now to send Parent Coalition for Student Privacy and other grassroots privacy activists to SXSWEdu!

Cross-posted at Student Privacy Matters 

Each spring, thousands of edtech entrepreneurs, and advocates funded by the edtech industry, descend upon Austin’s SXSWEdu conference to promote their products and publicize their point of view.

For example, it’s where Bill Gates launched inBloom Inc. in 2013, to push the expansion of data-mining student personal information and online learning. Rarely do you bump into any classroom teachers, parent leaders or grassroots education activists attending, much less find one on stage. We hope to change that in 2018.

Please help us by voting for our panel proposal “Shielding data privacy and resisting online learning.” Our panelists include attorney and privacy activist Bradley Shear, creator of the  annual National Student Data Deletion Day, research associate Faith Boninger, who has just co-authored a terrific new report on student privacy for the National Education Policy Center, Marla Kilfoyle, the Executive Director of Badass Teachers Association (BATS)  and me.


The BATs NEA Caucus supported, and pushed for several pro-privacy and anti-online learning resolutions that were adopted at the recent NEA Representative Assembly.

To submit your vote:
1.     Simply fill out this form.
2.     Sign in and select “PANELPICKER.”
3.     Search for our panel name “Shielding data privacy and resisting online learning.”
4.     Click on “Vote Up.”

The more votes we get, the better our chances of being selected – so please vote today and ask your friends to vote too! The voting window closes Friday, August 25th.

---

Background

In spring of 2013, Bill Gates took the stage at SXSWEdu to unveil inBloom, his foundation’s $100 million student data collection project which was being piloted in nine states and school districts across the nation. inBloom surfaced in every corner of the conference that year with parties, meet-ups, and a code-a-thon where cash “bounties” were awarded to teams who developed the best apps using the inBloom data store.

At the same time, parents whose children’s data was going to be ensnared in the project were raising their voices in opposition – concerned about how inBloom threatened student privacy and could accelerate the use of online learning. After considerable parental backlash, inBloom shuttered its doors in 2014. Shortly after, parents involved in the fight formed the Parent Coalition for Student Privacy.

Since then, student data privacy has gained national attention and SXSWEdu has featured countless workshops and presentations on the subject – including on the reasons for inBloom’s demise, without inviting a single parent involved in the fight to explain their opposition. We want to change that next year by going directly to the belly of the beast, and inviting others who are active in the resistance movement on the ground to protect student privacy and prevent the expansion of online learning to join with us. You can help by casting your vote in support of our panel here!

Parents and Advocates Release Parent Toolkit For Student Privacy

The toolkit was covered today in Education Week , Washington Post Answer Sheet,   Common Dreams EdSurge and Morning Education Politico.  You can sign up for our May 23 webinar here. 

For more information:

Rachael Stickland, (303) 204-1272 rachael@studentprivacymatters.org
Josh Golin, (617) 896-9369, josh@commercialfreechildhood.org

Tuesday, May 16, 2017 – Amid growing concerns about data privacy and surveillance, the Parent Coalition for Student Privacy (PCSP) and the Campaign for a Commercial-Free Childhood (CCFC) have created an important resource for parents to understand and safeguard students’ personal information.

The Parent Toolkit for Student Privacy: A Practical Guide for Protecting Your Child’s Sensitive School Data from Snoops, Hackers, and Marketers is a vital resource in an age where nearly all school records are stored digitally, and where learning, homework, and administrative tasks are increasingly conducted online. Available free to parents on CCFC and PCSP’s websites, the Toolkit offers clear guidance about federal laws that do—and don’t—protect students’ privacy, helps parents ask the right questions about their schools’ data policies, and offers simple steps parents can take to advocate for better privacy policies and practices in their children’s schools.

Rachael Stickland, Co-chair of the Parent Coalition for Student Privacy, explained that many parents are under the false impression that sensitive student records are stored securely in a paper file under lock and key in the principal’s office. “As a parent of two school-aged children, I know first-hand how difficult it is to comprehend the sheer amount of digital data students generate during the course of a normal school day and what that means for our children’s future. With districts outsourcing operations like bus, cafeteria, and instructional services to vendors who store student personal data in the ‘cloud’ and share it with third parties, including state and federal agencies, it’s more important than ever for parents to take some control over their children’s information. It’s not too late to take action when it comes to protecting our children’s privacy.”

A new report issued by the Electronic Frontier Foundation found that students’ activities and information are being monitored by tech companies through devices and software used in classrooms. The data collected by schools and technology vendors often include kids’ names, birth dates, browsing histories, grades, test scores, disabilities, disciplinary records, and more, without adequate privacy and security protections or the consent of parents. Yet few guides exist to help parents navigate the confusing patchwork of laws and regulations that govern student privacy, or help them promote stronger protections.

Other currently available resources are overly technical, filled with jargon, or skewed to the interests of educational technology companies rather than parents and students. CCFC and PCSCP’s new Toolkit, designed with input from experts in education, data privacy, and federal law, is designed to put the needs of families first.

“You shouldn’t need a PhD or law degree to ensure that your child’s sensitive student data isn’t shared with commercial entities,” said Josh Golin, Executive Director of the Campaign for a Commercial-Free Childhood. “Our Toolkit demystifies student privacy and empowers parents to set limits on who accesses the information collected by schools and other third parties about their children.”

Stefanie Fuhr, a Minnesota mother of three, said, “I will be sharing the Parent Toolkit for Student Privacy with parents, teachers, and school administrators, because I don’t think many are aware of the use and potential misuse of a child’s educational data, which can have a profound impact on a child’s future prospects. I plan to meet with my school’s principal with a copy of the Toolkit in hand, and start the conversation with the suggested questions it provides.”

“The Toolkit is comprehensive and quite informative,” said Tim Farley, a father and high school principal in New York. “It is appealing to the eye, written in a manner that’s easy to understand by most parents, and it has the information parents need to protect their children’s privacy.”

Education and privacy advocates are hailing this unique new resource. Faith Boninger of the National Education Policy Center, University of Colorado Boulder, said, “The toolkit is a great resource. It walks parents through the many ways that children’s data may be collected and used without their knowledge or consent, and explains what they can do about it. It explains federal student privacy law in plain English. And it includes specific, useful models for advocacy, like questions that parents can ask teachers and principals, and letters to opt out of specific types of data-sharing.”

“The Parent Toolkit for Student Privacy is a powerhouse resource for parents, educators and school districts,” said Laura Bowman, President of the PAA-Roanoke Valley chapter of the public education advocacy group Parents Across America. “By providing easily understood explanations of laws and legal rights, best practices, questions to ask, and ways to advocate for their children, the Toolkit empowers parents with the information they need to ensure their child’s sensitive information is safeguarded.”

Phyllis Bush, Co-founder of Northeast Indiana Friends of Public Education, and a Board member of the Network for Public Education, said “Technology has made information readily available with a click, but what do our children pay in the loss of privacy? Reading through the Parent Toolkit for Student Privacy, and following the typical journey of a child through a data-mined school experience, is a stark reminder of the perils that lie before our children. The Toolkit will give parents the tools to pushback against the assault on our children’s privacy.”

The Parent Toolkit for Student Privacy can be downloaded at www.studentprivacymatters.org/toolkit. PCSP and CCFC will co-sponsor a webinar on May 23, 2017, to help parents effectively use the toolkit’s resources.

The Parent Toolkit for Student Privacy was made possible by a grant from the Rose Foundation for Communities and the Environment.

More grounds for removal of Paladino: violating student privacy

Austin Harig and Carl Paladino

On  June 22, Commissioner MaryEllen Elia will hold a hearing on the legal petition of the Buffalo Board of Education to remove Carl Paladino from his seat on the Board.

Though Paladino has made many outrageous and even racist comments, including most recently about former President Obama and his wife Michelle, the best legal grounds for removing him, according to the Board's attorney, is for violating law or specific Board policies.  Thus the Board is focusing its appeal on the basis of Paladino's breaching the confidentiality of discussions while the Board was in Executive Session.

Yet unmentioned so far in terms of these proceedings is how last spring, Paladino violated several student privacy laws, both federal and state, in breaching the privacy of a Buffalo high school student, Austin Harig, who ran against him in the School Board elections and lost by only 132 votes.  On election night, Paladino revealed to the media that Harig had been recently suspended, which is personal student information barred from disclosure by education officials such as Paladino by the federal law known as FERPA as well as two state laws.

See the letter below that we sent yesterday to the Buffalo Board President, Dr. Nevergold, on this issue, on behalf of the Parent Coalition for Student Privacy and NYS Allies for Public Education.

___

Dr. Barbara Seals Nevergold
President, Buffalo Board of Education

By email: BANevergold@buffaloschools.org

April 21, 2017    

Dear Dr. Nevergold and the Buffalo Board of Education:

We support your efforts to remove Carl P. Paladino from the Buffalo Board of Education for official misconduct in breaching confidential discussions that occurred in the Board’s executive sessions.

We would like to add that Mr. Paladino breached the confidentiality of education records when he announced to the media that his opponent in the recent school board elections, Austin Harig, an 18-year-old high school student, had recently been “suspended from school for tardiness and not showing up while he is running for office.” ^[1]

This disclosure is a clear violation of student privacy, by revealing sensitive information from education records for unauthorized purposes and without the consent of the student or his parents. 

As an education official, Mr. Paladino’s disclosure of this information to the media is a violation of the federal Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) passed in 1974, as well as the NY Personal Privacy Protection Law (Public Officers Law, Article 6-A, sections 91-99) passed in 1984, and the Student Privacy law approved as part of the New York budget in 2014 (Education Law SB 6356 § 2-d. Unauthorized release of personally identifiable information.)

We urge you to include this egregious violation of student privacy and of federal and state law in your testimony and legal appeal to the Commissioner for Mr. Paladino’s removal. 

We also strongly support the thousands of Buffalo community members and New Yorkers who are calling for his removal based on his many racist statements, including his comments about the former President and First Lady. 

Yours sincerely,

Leonie Haimson, co-chair, Parent Coalition for Student Privacy

Lisa Rudley, Executive Director, NYS Allies for Public Education

CC: Buffalo Board of Education members: ppierce@buffaloschools.org, quinn@buffaloschools.org, sbelton-cottman@buffaloschools.org, TAHarris-Tigg@buffaloschools.org, HJay@buffaloschools.org, JMecozzi@buffaloschools.org, PWoods@buffaloschools.org

Commissioner Maryellen Elia: Commissioner@nysed.gov

Chancellor Betty Rosa at Regent.Rosa@nysed.gov  

Frank W. Miller Esq. at fmiller@fwmillerlawfirm.com   

---

^[1] http://news.wbfo.org/post/teen-threatens-sue-paladino ; see also http://www.nystateofpolitics.com/2016/05/paladino-not-celebrating-narrow-school-board-re-election/

Back to school tip: Take control of how your school shares your child’s “directory information”

This is reblogged from the Parent Coalition for Student Privacy website.  Feel free to share with other parents!  You can subscribe to our PCSP mailing list here.

Back to school season can be a busy or even stressful time for both parents and children. As the days grow shorter, the “to-do” list grows longer. Number one on the list – because of its importance and time sensitivity – should be to opt out your child from directory information sharing at school.

What is directory information? 

According to the U.S. Department of Education, directory information is a limited set of personal “information that is generally not considered harmful or an invasion of privacy if released” and often includes a student’s name, address, telephone number, email address, photograph, date and place of birth, etc.

It does NOT include even more intimate and sensitive personal information like test scores, grades, disability or disciplinary records that schools can legally share with companies, contractors and other third parties without parental knowledge or consent for operational, evaluation, and research purposes. The federal government has allowed these growing number of exceptions through regulatory amendments over the last decade or more, described in detail here and here.

The federal law known as the Family Educational Rights and Privacy Act (FERPA) enables schools or school districts to share directory information with any person or organization outside the school/district without parental consent — but only when the school/district provides public notice to parents first. Notice must include:

• The types of student information that the school/district has designated as directory information;
• Details about a parent’s right to refuse to allow the school/district to designate any or all of those types of information as directory information; and
• The amount of time the parent has to notify the school/district in writing that he or she does not want any or all of this information shared with others outside the school.

FERPA allows schools/districts to adopt their own directory information policies, but if they choose to provide students’ directory information to a limited number of third parties, their public notice to parents must specify the individuals, groups or companies who may receive directory information and/or for what purposes. Unfortunately, this public notice may not always be provided, and when it is, it is often difficult to find because it may be buried in hundreds of pages of information during registration, in a student handbook, a parent newsletter, school announcement, local newspaper, or website.

Most schools/districts give parents only ten to thirty days from the start of the school year to exercise their right with regard to directory information, and most offer parents a limited choice between two options:

1) Allow schools and districts to share students’ directory information with anyone including marketing companies and the media — often referred to as “opting in” to sharing directory information; or
2) Refuse to allow schools and districts from sharing directory information with anyone, including parent organizations for purposes of creating school phone directories, graduation brochures, or companies who publish yearbooks — often referred to “opting out” of sharing directory information.
This type of “all-or-nothing” approach presents a huge challenge for many parents. On the one hand, parents don’t want their children’s private information shared with anyone who requests it. On the other hand, most parents would like their children to be included in school-related publications like yearbooks, directories, brochures, and newsletters.

While FERPA doesn’t require schools to allow parents the option to select which types of directory information can be shared with whom, some privacy-minded school districts in Maryland, Montana, and North Carolina, for example, have abandoned the “all-or-nothing” approach for a “menu selection” which gives parents more control over their student’s directory information.

The Parent Coalition for Student Privacy and the Campaign for a Commercial-Free Childhood have prepared a model Directory Information Opt Out form as an editable word doc;  or as a pdf  that parents can fill out and submit to their schools at the start of the school year.  We will be releasing our more comprehensive privacy toolkit t soon, via a grant from the Rose Foundation.  Our opt out form is designed to respect the ability of parents to choose what information they would like shared for what purposes, while also protecting their children’s privacy.

Why should parents opt out?

FERPA became law in 1974 at a time when students’ directory information was used primarily in school-sponsored publications like yearbooks, and to identify student athletes for local newspaper articles. Over the last forty years, individuals, groups and companies have recognized the value of this student information – especially with the creation and growth of the Internet – for commercial and non-educational purposes. Companies who access students’ directory information can sell it to others or use it to market products directly to students, political offices can use it to build their voter tracking systems, thieves can use it to steal identities, and perpetrators can use it to stalk students or commit other crimes.

How can parents opt out?

1. Ask the school or school district for its “directory information” policy.
2. If the school/district has a policy, read it carefully to find out which personal details are considered directory information and with whom it can or will be shared.
3. If the policy forces parents to choose between opting in or opting out of all sharing of directory information, parents should opt out to protect their children’s privacy. However, doing so could mean that their children’s names and pictures will not be listed in the yearbook or other school-related publications.
4. Share the model Directory Information Opt Out form we have prepared with the school’s principal or other school officials and encourage them to adopt a new policy giving parents more control over their children’s information.
5. If the school/district does not have a directory information policy, ask if they will be sharing student’s directory information with third parties outside of the school. If the answer is yes, explain that FERPA requires that parents must be given public notice as described above, then complete the model Directory Information Opt Out form and submit it to the school/district. Follow-up in writing to ensure that the request will be honored.

Download the Directory Information Opt Out form here (.docx) or here (.pdf).

Disclaimer: This commentary does not constitute legal advice. Consult a private lawyer or call your local ACLU should you have specific questions.