Critical Thinking and the Student Privacy Debate

In my work at a large school district I spend much of my time testing education technology products to make sure that they are safe, secure and private. I read a lot of privacy policies and regularly push back on vendors to hold them accountable for what their policies say and what their products do. In recent years privacy advocacy groups have played an important role in keeping the conversation about the importance of student data privacy in the public eye, but sometimes it is also necessary to apply the same “critical thinking” to the claims of both sides.

On December 1st, the Electronic Frontier Foundation (EFF) submitted a complaint to the Federal Trade Commission (FTC) alleging that Google had violated assurances it made when signing the Student Privacy Pledge. As an advocacy group the EFF has been a strong voice for privacy for all, including students; it has provided information to teachers on a balanced approach to copyright, produced important privacy-enhancing technologies (HTTPS Everywhere, Privacy Badger), and helped found Let’s Encrypt.

The EFF complaint raises three allegations, but for this discussion the first and third are best considered together. They are that…

  1. When students are logged in to their Google Apps for Education (GAfE) accounts, student personal information in the form of data about their use of non-educational Google services is collected, maintained, and used by Google for its own benefit, unrelated to authorized educational or school purposes.
  3. Google collects student personal information through changeable administrative settings in Chrome and Google Apps for Education accounts.

Regardless of whether the privacy pledge covers only education tools (as the creators of the pledge have indicated, and as is the case with SOPIPA, widely regarded as the best of the current crop of student privacy laws), I think it is important to ask who is responsible (and accountable) for the decision to enable or disable a service outside of the “core” Google Apps for Education tools. For me it is not Google, it is the school. That is our job, and our responsibility. When I log into the Google Admin Console, it is very clear what is and is not part of Google Apps, as shown in this image from Google’s help section:

[image: list of Google Apps and additional Google services in the Google Admin Console, from Google’s help section]

And it is even clearer when I drill down into a specific service (Chrome Sync), which is the subject of the second of the three allegations.

[image: Chrome Sync service settings in the Google Admin Console]

This concept, that the school has “direct control”, in this case the ability to turn services on and off, seems to be fundamental to the idea of outsourcing specific technical functions to Google as a “school official”. So in the absence of a solid assurance from Google that an “additional Google service” is not collecting, using or sharing data for purposes other than providing a service to a user, schools should turn off (or not turn on) the tool, OR get parent permission before turning it on, as some schools do for a variety of “web 2.0” tools. So let’s focus on what is needed, which is…

  1. Making sure the people in schools who have the responsibility for this have the training (and the backing from school leadership) to do it, and
  2. Making sure that vendors (all vendors, not just the ones the media, legislators, advocacy groups and competitors fixate on) provide accurate, clear information about what information is collected, used and shared (not just whether it is used for ads). Senator Franken’s letter to Google is a good example of the questions some school leaders may have, and that should be asked of ANY EdTech vendor.

Digging Deeper into FERPA Directory Information

Earlier this month Bill Fitzgerald posted a thoughtful piece on potential issues with FERPA’s “directory information” exception. Among the excellent points made was that there is a disconnect between FERPA’s treatment of directory information as data that would not generally be considered harmful if released, and the fact that if another organization unintentionally released this type of data (name, email, address, height, weight), the average person would consider it a data breach.

Like anything related to FERPA, there is always more to say, and I thought I would add a few thoughts.

1)      There is a lot of confusion around what “opt-out” means. Schools are required to notify parents of their FERPA policies annually and give them the opportunity to opt out of directory information disclosure. I have seen some cases where parents assumed that this meant they were opting out of the school sending their child’s data to ANY 3rd party under the other FERPA exceptions. This is not the case. Directory information is a relatively useless exception for creating student accounts: one, because parents can opt out, and two, because of the next point.

2)      Schools can’t use the directory information exception to create student accounts in a 3rd party service. I have heard people say that “it is OK to use X service, we are sending them an Excel file with just directory information so they can create student accounts.” Once the students log in they will be creating “education records”, so you’d better be thinking about the “school official” exception instead.

3)      Lastly, I think that the objections to directory information come when parents are unclear about who the information can be shared with, or that it could be used for non-school purposes such as marketing. There is a path within FERPA for a more privacy-friendly approach to directory information, and it is called limited directory information. Looking at the 2011 Federal Register final rule changes to FERPA, there is a reference to a “limited directory information policy” (§ 99.37(d)). The basis for the clarification goes to some of Bill’s points (“concerns about the potential misuse by members of the public of personally identifiable information about students, including potential identity theft.”) and states that

 “an educational agency or institution may specify in the public notice it provides to parents and eligible students in attendance provided under § 99.37(a) that disclosure of directory information will be limited to specific parties, for specific purposes, or both.”

The full final rule can be found here.

In a cursory internet search this afternoon I found a number of school districts that have adopted this approach for some or all data elements.

This says to me that there is an opportunity (and a need) for schools to better understand how to provide clearer and more privacy-friendly choices to parents within the existing FERPA rules.