March 28, 2017 | By Gennie Gebhart

When Matt L. started to raise the alarm about educational technology in his school district, he knew it would ruffle some feathers.

As a system administrator (or sysadmin), Matt has had a front-row seat to the increasing use of technology in his rural, public school district. At first, the district only issued Chromebooks to students in guest “kiosk” mode for test-taking. Over time, though, each of the district’s 10,000 students got individual access to school-issued devices, from iPads for younger students who cannot yet type to Chromebooks and G-Suite for Education logins for students as young as third grade.

Matt and his sysadmin colleagues are at the center of deploying, configuring, and maintaining Google devices and software for the entire district. This gives Matt opportunities to identify privacy problems with ed tech implementation, and to propose solutions.

“All our eggs in one basket”

“I don’t want to say that Google or Chromebooks or any of this stuff is inherently bad,” Matt said. “Getting these tools into the hands of kids is hard to argue with. That’s why I got into technology.”

As the district has continued to expand its technology use, however, Matt has started to have concerns about consolidating students’ educational and personal information in one company. “We’re putting all our eggs in one basket that we’re not in control of,” he said. “We don’t know where this student data is going.”

On top of his privacy concerns, Matt observed students learning about only certain softwares without broader awareness of their technology choices. Having grown up experimenting with Linux and other open softwares, he was dismayed to see students being steered toward only Google services and away from other options.

“The beauty of technology is that it is so vast and deep, with so many choices. But we’re funnelling people into one situation, which is not our job,” he said. “We should be teaching concepts of computing, not specific software. We should be giving parents and kids a choice.”

Privacy by policy

After frustrating initial conversations with colleagues, it became clear to Matt that student privacy advocacy in his district could “get touchy pretty quick.” Even higher-up colleagues who might have been in a position to make district-level changes were hard to effectively approach.

“They like Chrome because it’s easy to use and they don’t have to worry much about the mechanics behind it,” he said. “So, I was constantly ridiculed when I brought up concerns about privacy.”

Colleagues also pointed out the cost-effectiveness of free Google services in response to Matt’s concerns. But Matt was not convinced.

“Nobody’s asking why it’s free,” Matt said. “I thought it was common sense that, generally, if you’re not paying for the app, you’re the product.”

After repeated requests to talk more about student privacy issues, Matt’s boss and members of administration pointed him to the district’s as well as Google’s privacy policies. But this approach of ensuring “privacy by policy” did not lessen Matt’s concerns.

“We have privacy policies for our website, and for our student academic records, but not so much for students’ information in regards to what Google is collecting,” he said. “We can’t guarantee what Google is or is not doing with this information. It’s all pretty vague, and it’s not the kind of thing you want to be vague about.”

One of the biggest problems with such “privacy by policy” is that it relies on all staff members being up-to-date on complex, sometimes vague policies, and having the time and resources to comply with them consistently. Matt observed that many in his district—including his colleagues in system administration—see student privacy as a long-term issue rather than an active, ongoing project.

“Stuff like student privacy gets back-burnered,” Matt said. “It’s hard to look down the road at long-term projects when teachers’ day-to-day is consuming all of our department’s time and energy.”

Privacy by practice

Unsatisfied by the “privacy by policy” that his district usually practices, Matt is investigating how he can implement “privacy by practice”—that is, prioritizing student privacy with active safeguards to augment and ensure existing policy, like technical settings and opt-out options.

His first step has been to “crank down the lid” on privacy settings so that students use Google products as anonymously as possible by default, without associating their online profiles with identifying information. Ideally, technical controls like these will make it harder for teachers or third-party companies to collect student data, making privacy the default in students’ and teachers’ work.

He is also advocating for an opt-out policy. EFF helped Matt locate relevant examples of opt-out policies from other school districts to get conversations started. However, this advocacy process has brought up more questions than answers. Coworkers were concerned that giving students the option to opt out of Chromebooks and/or Google services will create more work for teachers and administrators, and it has been hard to build consensus around what classroom alternatives would be available when students choose to opt out.

Continuing to advocate

Matt’s conversations with colleagues have moved forward in fits and starts, and are constantly changing as the district’s technology situation changes. For example, a system-wide update gave Matt an opportunity to propose concurrent changes in ed tech implementation. But, soon after, discussions about abandoning local storage and migrating completely to Google Drive ran counter to Matt’s efforts to locally control student data and ensure their privacy.

In the meantime, Matt is thinking about stepping up student digital literacy education with more student-staff interactions on the topic. He has also brought up his concerns at professional conferences to learn from sysadmin in different schools and districts. Matt remains persistent and committed to advocating for more secure, more private student systems.

“It’s a really hard problem, but we need to come up with an answer,” Matt said.

Privacy By Practice, Not Just By Policy: A System Administrator Advocating for Student Privacy

2 thoughts on “Privacy By Practice, Not Just By Policy: A System Administrator Advocating for Student Privacy

  • March 30, 2017 at 8:07 am
    Permalink

    Great Article ~ Do you think this will shape our district policy in the future?

  • March 30, 2017 at 8:10 am
    Permalink

    A timely article considering the direction the FCC is going in favor of ISPs gathering and selling client data. What’s the alternative? VPNs could be, but even they could mine and sell data. As Matt L says, this highlights the need for users to understand how all of this works; “We should be teaching concepts of computing, not specific software. We should be giving parents and kids a choice.” Greater understanding of these subjects could lead to better practices or at least more opportunities for alternatives.

Leave a Reply