District leaders and technology staff need to understand the risks involved with using edtech applications and make informed decisions to protect student data privacy
Data privacy is high on everyone’s mind. The heightened attention from Data Privacy Week across sectors is putting student data privacy top-of-mind for K-12 schools. Edtech data privacy is a major reason why student data privacy is essential.
There are a variety of school data privacy risks that technology teams and district administrators must understand. In my opinion, the fact that there is no data privacy without data security should be at the very top of that understanding.
While district leaders tend to focus on the data use segment of edtech data privacy, edtech security risks play a considerable role in keeping students’ data private.
5 EdTech Data Privacy Risks Impacting Your Schools
Let’s take a closer look at the top five edtech data privacy and security risks that are likely impacting your schools. As a cloud application security platform for K-12 schools, we see districts struggling with these privacy and security risks every day.
1. Inappropriate use of student data by vendors
This tends to be the top edtech data privacy risk that district administrators and state laws focus on.
Schools, students, and parents/guardians are rightfully concerned about how all these third-party vendors are using the data that their edtech platforms are collecting. The top edtech data privacy concerns related to how vendors use student data include:
- Using the data to serve advertisements to students—particularly minors
- Packaging and selling, renting, or sharing student data with other companies, organizations, etc. for unknown purposes
- Creating student profiles over time from collected data, which can be used for reasons such as discipline, college acceptance, discrimination, and/or other potentially harmful purposes
- Storing student data that has the potential to be used against them in their future careers, such as if the student runs for public office
Many states have passed edtech regulations requiring that vendors certify that any student data collected will only be used for educational purposes. Several states have also passed laws that require districts to publicly document the edtech platforms they have contracts with that collect or otherwise access student data.
2. Insecure data transfer and/or storage impacts edtech data privacy
Among the less understood edtech data privacy risks is the security of underlying technology. Data needs to be secured both “in transit” and “at rest” to prevent data loss and, therefore, protect students’ data privacy.
“In transit” means when the data is passed between two locations. “At rest” refers to when the data is being stored untouched. When vendors develop an application, they need to incorporate data security measures at both an infrastructure and application level to keep data in both types of states secure from accidental leaks or malicious data breaches.
3. Edtech application & vendor data breaches
How well 3rd party apps are secured against hijacking also impacts edtech data privacy.
K12 SIX’s State of K-12 Cybersecurity 2020 Year in Review Report found that at least 75% of all data breaches impacting K-12 schools in the U.S. resulted from security incidents involving their vendors and other partners.
The report goes on to quote the Government Accountability Office’s (GAO) conclusion regarding vendor vulnerability and K-12 data security: “cyberattacks carried out directly against ed-tech vendors…tend to have an especially severe impact on K-12 because they affect a large swath of students across multiple school districts at the same time.”
4. Risky OAuth access to district Google and/or Microsoft 365 domains
A relatively new and not well-understood cloud data breach risk uses OAuth to get around traditional security controls.
OAuth is a popular open-standard authorization framework that allows the free movement of data and controls between your Google and/or Microsoft 365 apps and 3rd party apps. Its common use is for easy login access between various applications (for example, logging in to an app using your Google account).
Depending on the type of 3rd party app and its functions, it might also allow the app to do things like read, write, and send emails out of your Gmail/Outlook account on your behalf. In addition, it might allow an app access to all an account’s contacts, profile data, photos, documents, and more. Some even require administrative access.
While none of these are inherently bad, the user needs to apply a bit of informed consent when it comes to allowing these permissions. Unfortunately, many of us accept the permissions when the prompt initially pops up without reading them—and certainly without thinking about the possible consequences.
OAuth security risks are relatively new, and they’re notoriously difficult to detect and manage. Incidents occur when a hacker gains access to a 3rd party app. They can use the app’s OAuth permissions to effectively take over a user account without ever needing to break into your domain. For example, they can use the app’s read, write, and send emails permissions to send emails containing phishing links to all of the account’s contacts. Since the email is coming from a trusted email account, it’s less likely to get flagged by phishing filters and more likely to be clicked on by recipients.
5. Malicious 3rd Party Applications
Malicious 3rd party applications impact student data security and privacy in the same ways that #4 above does.
The main difference is that malicious apps are created to trick end-users into thinking they are legitimate apps. In some cases, they are marketed as a fun game or another type of “lifestyle” app. In other cases, they are developed and marketed to look extremely similar to well-known legitimate apps.
Once they’ve successfully tricked a user into installing the application and allowing it to access permissions, attackers can use those permissions in the same ways described above. That access looks completely legitimate to native security controls and perimeter-based security tools because the user has given their permission to access certain areas and take action.
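One way to review the grants described in risks 4 and 5, as an added example (not from the original article or any vendor's product): a Python audit over a constructed export of OAuth grants that flags apps holding the mail, contacts, file or admin permissions listed above, and apps whose name imitates an approved one. The record layout, the approved-app list, the user addresses and all client IDs are assumptions; the scope strings are real Google and Microsoft Graph scopes.

```python
"""Audit OAuth grants for broad permissions and lookalike app names (added example)."""
from difflib import SequenceMatcher

# Real Google / Microsoft Graph scopes, mapped to the capabilities the article lists.
RISKY_SCOPES = {
    "https://mail.google.com/": "full mailbox access",
    "https://www.googleapis.com/auth/gmail.send": "send email as user",
    "https://www.googleapis.com/auth/gmail.modify": "read/write email",
    "https://www.googleapis.com/auth/drive": "all Drive files",
    "https://www.googleapis.com/auth/contacts": "contacts",
    "https://www.googleapis.com/auth/admin.directory.user": "admin: manage users",
    "Mail.ReadWrite": "read/write email",
    "Mail.Send": "send email as user",
    "Files.ReadWrite.All": "all files",
    "Directory.ReadWrite.All": "admin: directory write",
}
# Hypothetical district allowlist: vetted app name -> OAuth client ID (constructed).
APPROVED = {"Classroom Quiz Tool": "client-1111", "Reading Tracker": "client-2222"}

def lookalike_of(name, client_id, threshold=0.85):
    """Return the approved app whose name this grant imitates, or None."""
    for good_name, good_id in APPROVED.items():
        ratio = SequenceMatcher(None, name.lower(), good_name.lower()).ratio()
        if ratio >= threshold and client_id != good_id:
            return good_name
    return None

def audit(grants):
    """Flag grants that hold risky scopes or imitate an approved app."""
    findings = []
    for g in grants:
        risky = sorted({RISKY_SCOPES[s] for s in g["scopes"] if s in RISKY_SCOPES})
        fake = lookalike_of(g["app"], g["client_id"])
        if risky or fake:
            findings.append({"user": g["user"], "app": g["app"],
                             "capabilities": risky, "imitates": fake,
                             "approved": g["client_id"] in APPROVED.values()})
    return findings

# Constructed sample grants, shaped like a per-user token export.
SAMPLE_GRANTS = [
    {"user": "s.lee@district.example", "app": "Reading Tracker",
     "client_id": "client-2222", "scopes": ["openid", "email"]},
    {"user": "t.ng@district.example", "app": "Classroom Quizz Tool",
     "client_id": "client-9999", "scopes": [
         "https://www.googleapis.com/auth/gmail.send",
         "https://www.googleapis.com/auth/contacts"]},
    {"user": "a.diaz@district.example", "app": "Fun Avatar Maker",
     "client_id": "client-7777", "scopes": ["Mail.Send", "User.Read"]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS):
        print(finding)
```

Approved apps that hold risky scopes are still reported, with `approved` set to true, because a compromised vendor app can use the same permissions.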
EdTech Data Privacy & Student Data Security
While student data privacy laws tend to focus on how students’ data are used by vendors (rightly so), lawmakers, district leaders, and technology staff need to fully understand the security risks and implications of partnering with edtech providers and other vendors. This understanding will allow your district to make informed decisions about who you decide to partner with and how you monitor and control how your data is being accessed, used, and secured by those vendors.