“An ounce of prevention is worth a pound of cure.” Benjamin Franklin was addressing fire safety when he coined this familiar axiom, but the analogy to Internet safety isn’t a bad one. Just as we wouldn’t let a live spark go untended, so we need to take sensible steps to guard sensitive information—our own and our students’—online.
A recent public service announcement from the FBI encourages public awareness of cyber threat concerns related to K–12 students. “Malicious use of sensitive data could result in social engineering, bullying, tracking, identity theft, or other means for targeting children,” the FBI release states. “Therefore, the FBI is providing awareness to schools and parents of the important role cybersecurity plays in the securing of student information and devices.” Heightened awareness, paired with a wealth of publicly available resources to help schools and districts address these concerns, is good news for educators, parents, and students.
Unlike other industries, which have the means to invest in sophisticated programs to protect against cyber threats, the budget constraints most districts face mean that there are fewer resources for IT security. While this lack of funding is a significant concern, there’s a lot that schools working with limited resources can be doing to help prevent threats from becoming a reality.
The Future of Privacy Forum (FPF) notes, for example, that most student data disclosures are caused by human error—like clicking a false attachment in an email or using a weak password. Few districts have the funding or resources to train staff to protect student data, but there are free online materials districts can use to help equip everyone to avoid common—and sometimes disastrous—mistakes.
The FPF’s education privacy resource site, FERPA|Sherpa (ferpasherpa.org), is a goldmine of resources and information. Parents, educators, and students can find links to over 450 resources, including models from districts, training materials, and information on student privacy from experts at the Department of Education’s Privacy Technical Assistance Center (PTAC), CoSN, the Council of School Attorneys (COSA), the Student Data Privacy Consortium (SDPC), and the Software and Information Industry Association (SIIA).
Invaluable free resources on ferpasherpa.org include:
■ “The Educator’s Guide to Student Data Privacy”—a concise and comprehensive introduction that explains: why it’s important that teachers understand and care about student data privacy; what constitutes student data; the relevant state and federal laws; and more
■ Tips on best privacy practices for using apps in the classroom, including a link to a short YouTube video called “Ask Before You App” produced by the California Educational Technology Professionals Association (CETPA) and Common Sense Education
■ Links to webinars and other training materials from the model Student Data Privacy program run by the Utah State Board of Education
■ A model student data policy (from Howard County Public Schools in Maryland)
■ Model contracts, such as the California Student Data Privacy Agreement, that the SDPC urges companies to sign
■ Lists of the steps recommended by the Department of Homeland Security and of resources available from the FTC
■ Guides for parents and educators, created with ConnectSafely and the National PTA, on student data privacy issues
■ Resources to help parents talk with their children about being safe online
■ Up-to-date and user-friendly information on federal and new state laws, compliance, and helpful initiatives from edtech companies.
As “The Educator’s Guide to Student Data Privacy” reminds us, “as we adopt new technologies, we must think about how they affect the safety, security, and privacy of all stakeholders—especially our students. … But it’s also our responsibility as educators to embrace innovation and encourage our students and our colleagues to try new approaches and embrace new tools. It’s a challenge, but it’s not beyond our reach.”
For more information go to https://ferpasherpa.org/fbipsa/
GRANTS GALORE: SCHOOLS RECEIVE STATE AND FEDERAL FUNDING TO UPGRADE SECURITY SYSTEMS
The good news for districts feeling overwhelmed by the costs of implementing measures to protect the physical safety of students and staff is that lots of government grants are being made available for this purpose. The Stop School Violence Act of 2018, for example, provided funding for grants to help with threat assessment and the creation of technology solutions to increase anonymous reporting options. The $70 million in STOP grants will provide funding that can be used to develop, design, staff, and operate a variety of programs, applications, hotlines, websites, intervention teams, and training methods to prevent violence against school children.
In Virginia, Governor Ralph Northam has awarded $6 million in school security equipment grants. The grants will pay for video monitoring systems, metal detectors, classroom locks, electronic-access controls, visitor identification systems, direct communications links between schools and law enforcement agencies, and other security upgrades in 443 schools and other instructional facilities.
Likewise, the Minnesota Department of Education has announced that 123 schools will benefit from $25 million in state grants to improve school security systems. The department classified entrance and communication system upgrades as priorities and limited requests to $500,000.
The state received nearly 1,200 grant applications seeking nearly $256 million—over 10 times the available funding. Minnesota Department of Education Commissioner Brenda Cassellius said the high demand for grants indicates that the state urgently needs to fund a more comprehensive school safety initiative. “Students and teachers clearly need more support to ensure our kids are safe,” she said. “The school safety grants … only scratch the surface.”
While districts are facing increased threats, the technology to help counteract these threats is also advancing rapidly. As with all new technology, it’s important to ask questions and to continually assess and measure the impact (including any unintended consequences) of implementation.
FACIAL RECOGNITION SOFTWARE CAUSES OUTCRY
A new school security system based on facial and object recognition, called Aegis, has fueled an outcry from the New York Civil Liberties Union. The NYCLU warned that the system was being implemented without sufficient clarity concerning how students’ and teachers’ privacy and related rights would be protected. The software, by Canadian firm SN Technologies, was designed to monitor schools for individuals on watch lists, and to scan for dangerous objects such as guns. The NYCLU pointed specifically to a danger that the facial recognition technology could be used to report the non-citizen children to ICE and other law enforcement authorities, and that the data of very young children would be stored in a database. The New York State Department of Education reports that it is working with the district to determine the best practices and protocols that should be implemented to ensure that it complies with the law and protects students’ personal information.
This outcry echoes a larger debate about the growing prevalence of facial recognition technology in everyday life, with national rights groups like the ACLU having vigorously contested border authorities’ use of this technology at airports and other checkpoints.
PANIC BUTTONS CONNECT WITH IOT DEVICES TO COMMUNICATE EMERGENCIES
The first day of school at Lovejoy (TX) ISD this year also marked another first as more than 600 employees became the first educators to use MadeSafe technology from Enseo. Staff members are wearing the buttons, that can immediately notify school resource officers of an emergency or threat on campus, around their necks. The wearables contain personal locator devices that communicate with Enseo’s Internet of Things devices.
The beacons use a trilateration algorithm to find the teacher’s exact location and continue to track the teacher’s location if they move around the campus. Next year, Enseo could expand its services so that whenever a MadeSafe button is pushed, the school resource officer can immediately tap into the video surveillance cameras in that vicinity.
Vanessa Ogle, founder and CEO of Enseo as well as an LISD parent, hopes other districts will utilize the technology. The IoT beacons, cloud computing, and networking are high-tech, but Enseo keeps the cost down by using the existing coaxil cables that most school districts already have.
That means schools don’t have to pay to install more expensive fiber optic lines. A side benefit, she says, is a better wireless network at the school.
SAFETY DEPENDS ON THE THOUGHTFUL IMPLEMENTATION OF PROPER POLICIES
As districts wrestle with all of these complex questions and navigate a wise and sensible path through the unknown, the discussions need to begin with establishing proper policy.
Take cell phones, for example. In general, cell phone policies in K–12 schools have become more complicated as technology has advanced. While students can use their phones for important communication during emergency situations, in the chaos of a crisis students can inadvertently be spreading rumors or false information. And in non-emergency situations, incorrect information can create unwarranted fear or anxiety. As Ken Trump, President of National School Safety and Security Services, told SchoolSecurity. org, “We are now dealing with ‘Generation Text’ instead of ‘Generation X.’ The rumors typically become greater than the issue, problem, or incident itself.”
If a school’s cell phone policy allows student use during emergency situations, school administrators can avoid difficulties by making sure rules on their usage are clear from the beginning. During drills, phone use should be part of the conversation around best safety practices.
There are a few additional practices schools can include in the crisis management plans to optimize cell phones as a safety tool. A mass notification system linked to cell phones can keep students, faculty, and staff members reliably informed so they can act appropriately during an emergency, and a panic button app can also relay necessary information instantly and inform everyone on the network of the alert.
The safety of everyone in our schools, both virtual and physical, depends on thoughtful discussions among all stakeholders, gathering expert resources, proper training, and the clear communication of policies. The hope is that we’ll never need to put them to the test. But as with Benjamin Franklin’s ounce of prevention, it’s better to be on the safe side.
Seven Basic Security Checks for Evaluating Educational Platforms
While there’s no “one size fits all” solution, FPF has produced this checklist to help schools do some simple tests to assess the basics of security standards on new edtech products and services.
The seven steps include:
1. Look for an encrypted connection
2. Ensure that applications use TLS between email servers
3. Ensure that URLs do not contain sensitive information
4. Ensure sensitive information is not stored in the cache or browser history
5. Ensure that passwords are protected
6. Ensure that the login and password recovery mechanisms do not reveal unnecessary information (e.g., the existence of an account)
7. Be watchful for “information leakage.”
For each of these steps, FPF provides a step-by-step process to evaluate the area in question as well as additional security resources for those looking for more detailed guidance.
For more information go to: https://fpf.org/wp-content/uploads/2016/11/Seven-Basic-Security-Steps-Final.pdf
PRIVACY AGREEMENTS: WHERE DO YOU BEGIN?
The focus of the Privacy Contract Framework, a project of the California Student Privacy Alliance (CSPA), is helping schools, districts, states, and vendors to find resources that they can adapt to their unique contexts to implement needed protections. The project provides resources, expertise, and tools to help districts streamline the application contract process with vendors.
The Contract Builder, for example, is a build-your-own-contract tool. Users can review numerous other contract clauses, including those from the US Department of Education, to “mix and match” clauses that best fit their contract needs.
The SDPC Application Registry, originally built by Cambridge Public Schools, is a tool that enables users to streamline, standardize, and manage contracts and applications.
For more information go to: https://privacy.a4l.org/privacy-contract-framework/
THE SEVEN MOST IMPORTANT QUESTIONS PARENTS SHOULD ASK (AND SCHOOLS SHOULD BE READY TO ANSWER) ABOUT STUDENT PRIVACY
1. Which websites, services, and apps will my child’s classroom use this year?
2. How does my school handle directory information?
3. What is my school’s approach to school safety, and what does it mean for my child’s privacy?
4. Does my child’s school administer surveys?
5. What are the rules for recording devices in my child’s school?
6. How is my child’s information secured?
7. How does the school train teachers and staff to protect student information? It’s not necessarily a cause for concern if a school doesn’t have all the answers to these questions, but FPF underlines the vital importance of communication between parents and schools as they work together to protect children’s information.
For more go to: https://ferpasherpa.org/parentqa2018/