In a recent post about agency and domains I suggested that when it comes to third party services tracking student data at universities and colleges, I’m fairly certain that most folks involved in securing those products have little to no idea of what data is actually being tracked:
I would bet there has been little to no transparency about what student data universities are tracking, and whom they are sharing it with. Hell, I’m sure a number of universities aren’t even aware themselves of what data these third party applications are collecting.
This is an idea that a few folks picked up on, and called me out on in comments such as this one:
I don’t know where you work or where (or even if) you went to college. There is a law called FERPA that regulates the sharing of academic records within the institution and with outside parties. Colleges and universities hire many lawyers to comply with FERPA. There may be little transparency to the student, but there is plenty of transparency within the institution, to the government and to accrediting bodies.
Despite the fact that FERPA was supposedly designed to give students control over who sees certain education records publicly*—making the lack of transparency to students antithetical to FERPA—the fear and loathing bat that FERPA has become is usually good for a quick, silence-inspiring win. But for all the energy expended conjuring the evil spirits of FERPA to prevent anything interesting from happening on campus when it comes to edtech and the web, it seems that it has little to no impact on the tech giants to which many K-12 schools, colleges, and universities blissfully outsource their innovation. My suggestion that schools have little or no idea of what data is being collected was echoed in this article by Andrea Peterson in today’s Washington Post about Google’s tracking of student data through their various applications:
Fewer than a quarter of service agreements spelled out why the school district was disclosing student information to a vendor and less than 7 percent restricted vendors from selling or marketing data about students, according to the study.
“I think officials in most school districts in the U.S. are completely ignorant about the information they are giving out about their kids,” said Joel Reidenberg, a Fordham University law professor and one of the authors of the study.
Let’s repeat that, “Completely ignorant about the information they are giving out about their kids!” It’s a far stronger statement than the one I made, but it does seem to accurately highlight the almost schizophrenic distinctions between the hostile environments so many experience when it comes to experimenting locally with ed-tech versus an almost infantile trust in our corporate overlords when it comes to outsourcing. It also points to deeper issues of a culture of education that is driven not by exploration, freedom, and possibility, but an ever-increasing risk-averse, technocratic environment that not only chokes out innovation, but begins to erode its community’s welfare through ignorance and inaction.
- What constitutes an education record is a bit blurry, making FERPA the bat it has become internally to shut down most conversations about sharing publicly on the web.
Where I work, and your mileage may vary,… At most I’ve seen FERPA compliance along with other federal laws force us to stop using Soc.Security numbers as unique identifiers for students in record keeping systems. That’s the sum total of what it seems to be protecting here. Beyond that? Who knows.
Exactly, and the who knows is the issue. The think that gets me is you never hear about it until it is being used as an excuse not to do something.
My institution seems to know what’s being shared (probably as a result of initially getting it wrong). For example, we test LMS integrations to see what data they pass before installing them for all users. i guess I’m more concerned with the competence of our edtech employees. For every outstanding person there are several who are either mediocre or don’t care anymore so long as they keep their jobs. The outstanding people who could keep us from having to outsource innovation leave and do something else (ahem) before their souls get sucked dry. There is no swift fix to the culture.
I think you nailed it when you say that what counts as an “education record” and therefore protected by FERPA is really unclear. Here’s the Department of Education’s completely unhelpful definition: “The term ‘education records’ is defined as those records that contain information directly related to a student and which are maintained by an educational agency or institution or by a party acting for the agency or institution.” I think we recognize that this includes transcripts, grades, and so on. But does an education record include metadata about how frequently a student uses a piece of software? Does it include their IP address?
Schools and their vendors are allowed to collect and share data if it has an “educational purpose” but WTF is that? With our current obsession with educational data, I can see people arguing that every click a student makes on a computer has an “educational purpose.”
FERPA purportedly prevents the disclosure of personally identifiable information without consent. Clicking “I agree” to the Terms of Service does count as consent, and I highly doubt students (or their professors) read what they’ve agreed to. Companies can also claim that the data they’re collecting is not personally identifiable. Again, these definitions — and how they’re full of weasel words — matter.