Survey of CMS use on Virginia School District Websites

I recently had a need to get some hard data on the use of Content Management Systems . What I found was, what most anyone working in K12 would expect, a majority of schools are using 3rd parties services to host their sites. This trend of outsourcing the public websites parallels the trend in K12 to move other “line of business” applications  applications that store and manage student information to “the Cloud”.

To create the data I took the information provided on the Virginia department of education’s website and examined the headers and page code to look for “markers” of well known content management systems(CMS)

More than 57% use a CMS that is built and marketed primarily to the K12 market. (not including Google Sites) and 38.52% of all VA districts are either Blackboard’s Centricity, or School Messenger’s Presence systems.





FERPA, COPPA and the myths we tell each other

This Sunday is Data Privacy Day., so I thought I would list some of the more “interesting” interpretations I have heard (and read) about COPPA, FERPA and how schools approve educational services.

I eventually plan to write up an annotated version of this list, so if you have additions, please tweet them to me @jsiegl


Laws and Consent: COPPA, FERPA et al.

  1. If a vendor says they are “FERPA compliant”, that means something,
  2. A vendor can designate themselves as a “school official” by saying so in their terms.
  3. If an online services requests “only” directory information to sign up, it is OK for schools to sign students up, or have them sign up.
  4. If it involves student health information, you have to comply with HIPAA,
  5. COPPA covers information collected about children under 13,
  6. If the student is 13 or over, as a teacher, I don’t need to get parental consent,
  7. “COPPA compliant” means the information is kept private,
  8. As a vendor, you can comply with COPPA if you just say “this site is not for children, if you are under 13 you may not access this site” , regardless of anything else,
  9. It is a valid COPPA workaround for a vendor, in their terms, to tell a teacher that to comply with COPPA, for them to sign up the student, or create an account using their email address,
  10. Vendors can say in their Terms of Service that schools are responsible for complying with COPPA.
  11. “In Loco Parentis” means schools/teachers can consent to students use of any online services on parent’s behalf,
  12. I only have to get permission if I am creating student accounts/the student is logging in,
  13. Vendors can delegate collecting and managing parental permission to schools even if the school is not “contracting with the vendor to perform an educational purpose”,

Privacy Policies

  1. A privacy policy means the site protects your privacy,
  2. If it is in the vendor’s policy/terms, then it must be true,
  3. Not private by default is fine, because students and teachers can just change it to be private,
  4. A tool that only offers the option of public posting is OK as long as you get permission, (“privacy as a premium”)
  5. Related-A tool that only offers the option of public posting is OK as long as long as students are over 13…., (“privacy as a premium”)

Security and Confidentiality

  1. It does not matter if a password protected site is secure if it does not collect any sensitive data.
  2. If the site uses https, it means the product is secure,
  3. “Security by obscurity” is security,
  4. Student IDs are not confidential, so are a good choice for student usernames/email addresses,
  5. Student IDs are not confidential, and can be used to pay for lunches or to post grades,
  6. Anonymized and Aggregated data are the same thing,
  7. Anonymous and Pseudonymous are the same thing,
  8. Related-Creating Pseudonymous accounts (e.g. usernames that do not have the student’s full name or ID) is a valid “workaround” to avoid the challenges of complying with FERPA or COPPA,

3rd Party Data Collection and Signon

  1. Ad networks and data brokers are same thing,
  2. Related-Ad networks sell or trade user data
  3. Ad networks and analytics are same thing,
  4. Social Login, (that “Login with X” button e.g. twitter, O365, Google Facebook etc.) means you are just logging in and not really creating an account on the site,
  5. Related-“Login with X” means that you are “just” creating an account,

Happy Data Privacy Day

Plagiarism, Precedence and the Agora Letter

Earlier today the US Department of Education released a letter outlining their findings against Agora Cyber Charter schools. The letter, and Future of Privacy Forum’s commentary are worth devoting some quiet time to parse through.  The primary evidence for Dept. of Ed’s finding of Agora’s violation of the parent’s FERPA rights was based on the requirement that the parent consent to K12’s terms of service, and specifically this sentence

“…you grant <vendor> and its affiliates and licensees the right to use, reproduce, display, perform, adapt, modify, distribute, have distributed, and promote the content in any form, anywhere and for any purpose.”

It appears that K12 has since updated their terms to add a qualifying clause.” ..only to the extent consistent with the Family Educational Rights and Privacy Act;” on their main site as well as the related sites of fueleducation and icademy.

Two things struck me as significant about this clause that have not yet been part of the discussion.

First is that like most language in Privacy Policies and Terms of Service, the language is not unique. A simple Google search for this exact phrase turns up 597 results (with a startlingly high concentration in the racetrack industry) .  Anyone that spends a lot of time reading through vendor policies knows that there is a lot of copied content. One of the first things I do when evaluating a new product is to pick three sentences at random from a policy and google them.

Why does this matter? When the content of privacy policy does not originate from the creator of the product it raise questions as to if the terms accurately reflect the behavior of the vendor. Even with just a cursory web search for the clause, I found the phrase in use on six sites in the education sector.

Second, is that the parent had to accept a set of terms and conditions for a vendor that was presumably operating within the framework of the “School Official” exception of FERPA, meaning among other things, that they are under the direct control of the school.

If a vendor can have a valid agreement on the use of data with a parent separate from the agreement with the school, it raises several questions.

  • If they contradict, does this break their status as a valid “school official”?
  • In the absence of any other evidence, does one take precedence over the other?
  • Did the agreement with the school contain any language about precedence?

An example of how one large Edtech vendor attempts to deal with the issue of conflict and precedence of terms is seen in Google’s G Suite for Education privacy notice.

“Where there are terms that differ, as with the limitations on advertising in G Suite for Education, the G Suite for Education agreement (as amended) takes precedence, followed by this Privacy Notice and then the Google Privacy Policy.”

Determining if a vendor’s terms accurately reflect their practice and untangling conflict between school and end user terms are not simple questions and they don’t have simple answers. I look forward to the conversations our industry will be having over the next few months in light of the Agora letter.

Common Sense Media Misses the Mark on COPPA

Recently Common Sense Media posted a summary of COPPA, the Children’s Online Privacy Protection Act, and unfortunately the piece had a number of fundamental misunderstandings about this key piece of privacy legislation.

Schools rightfully have a high regard for the information that Common Sense education publishes about student safety and digital citizenship, and are likely to presume that all of the privacy content from the education group is of similar quality. That is not always the case for privacy information. I know Common Sense Media has several very knowledgeable experts on data privacy and it is unfortunate that this expertise does not always seem to be used when editorial information on privacy is published.

First the article refers to COPPA as “a law dealing with how websites….collect data and personal information about kids under the age of 13.” This is incorrect, COPPA deals with information collected from children under the age of 13. (By contrast FERPA covers data directly about a student, maintained by the school or school’s agent).

Second, in listing three things about COPPA, the article states that under COPPA a vendor must “Not use kids’ data for marketing-related purposes.” COPPA says no such thing, in fact COPPA specifically provides mechanisms where parents approve this collection and use-that is kind of the whole point of COPPA.

Lastly the article suggests that “COPPA compliance might depend more on how teachers and students actually use the tool at the classroom level”. There is no basis in the COPPA regulation or FAQ that would give the impression that COPPA compliance is dependent on individual use. Determination is based on if a site is “child directed” or if the vendor has actual knowledge.

Rather that citing any primary sources on COPPA, the article attempts to summarize a very complex point about school consent made in EdWeek’s “COPPA and Schools: The (Other) Federal Student Privacy Law, Explained.”  In doing this it fails and ends up providing misleading information through incomplete summarization.

What Do Schools Really Need to Know About COPPA?

  1. Schools should think of COPPA as a subset of their overall privacy responsibilities.  I would argue that schools should prioritize overall privacy for students of all ages, and compliance with FERPA. There are few cases where paying attention to this would not also aid in the schools’ role in vendors’ COPPA compliance.
  2. There are only a very narrow set of circumstances where a school can provide consent on behalf of the parent (for COPPA) and they are described in the COPPA FAQ as
    • Where the school is contracting for a service solely for the benefit of their students and for the school.
      • In my opinion, contracting means there is a legal and direct relationship between the school and the vendor and would likely not mean cases where the student signs up directly with the vendor and the school has no control and solely for the benefit means among other things, no commercial use
    • The operator has provided the school with all the notices required under COPPA, including a description of the types of personal information collected and  full notice of its collection, use, and disclosure practices. Based on these notices, the school should be able to answer these questions
      • What types of personal information will the operator collect from students?
      • How does the operator use this personal information?
      • What measures does the operator take to protect the security, confidentiality, and integrity of the personal information that it collects?
      • What are the operator’s data retention and deletion policies for children’s personal information?
      • Does the operator use or share the information for commercial purposes not related to the provision of the online services requested by the school? For instance, does it use the students’ personal information in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the provision of the online service? If so, the school cannot consent on behalf of the parent.
      • Does the operator enable the school to review, prevent further collection and have deleted the personal information collected from their students? If not, the school cannot consent on behalf of the parent.





Google Adds Chrome Sync to gSuite for Education Core Services

Recently Google quietly made a change to include “Chrome Sync” in the list of “Core” tools in gSuite for Education. Chrome Sync provides the ability (when you sign in to Chrome or by default on a Chromebook), to sync Chrome data to your Google Account and to any other supported ChromeOS/browser that is signed in. Synced data includes chrome apps, autofill settings, bookmarks, chrome extensions, browser history, passwords, chrome settings, themes, wallpaper, open tabs and google payment data*

This change should provide official clarity as to how data in Chrome Sync is used, as described in the Education Privacy Notice.

This change also provides an opportunity for District g Suite Admins to remind users that they have the option to add an additional layer of privacy by setting a Chrome Sync passphrase. A sync passphrase encrypts all synced data at rest. If you set a passphrase, you can use Google’s cloud to store and sync your data without letting Google read it.

Users also have the ability to selectively disable syncing of some or all of elements that are synced.

The G Suite Services Summary page now includes the following text:

G Suite for Education” is an edition of G Suite comprised of the G Suite Core Services, excluding Google+ and Google Cloud Search. …. This edition also includes Classroom and Chrome Sync as G Suite Core Services.

  • Classroom” is a web-based service that allows End Users to create and participate in classroom groups. Using Classroom, students can view assignments, submit homework, and receive grades from teachers.
  • Chrome Sync” is a feature that allows End Users to synchronize bookmarks, history, passwords, and other settings across all the devices where they are signed in to Chrome.

And the G Suite for Education Core and Services Admin help page is updated to say:

G Suite Core Services are Gmail (including Inbox by Gmail), Calendar, Chrome Sync, Classroom, Contacts, Drive, Docs, Forms, Groups, Sheets, Sites, Slides, Talk/Hangouts and Vault.

Prior to this change, Google offered this statement, about the use of Chrome Sync data in response to a request for information from Sen. Al Franken.

Users who have Chrome Sync enabled (whether on a Chromebook or using the Chrome
browser) will have additional information about their browser settings stored in their Google Account, including browsing history, any saved apps, extensions, bookmarks, and passwords. ….. If any of this data is associated with a student’s GAFE account — which is the case when a student is logged into a Chromebook with Chrome Sync enabled with their GAFE account — we consider this data to be the student’s personal information and do not use it to target ads.

Google stated that it “collects, maintains, and uses information via Chrome Sync (in aggregated and anonymized form) for the purpose of improving Google products”. For context, this is comparable to similar language and use by Apple who states that …

“We may collect and store details of how you use our services, including search queries. This information may be used to improve the relevancy of results provided by our services”

And with Microsoft’s Cortana service, which states that

“Microsoft uses your voice data to improve Cortana’s understanding of how you speak to keep improving Cortana’s recognition and responses, and to improve other Microsoft products and services that use speech recognition and intent understanding”


*Google payment data is a non-core service, only available to users 13 and older. Schools are required to get parental permission if this is enabled for users 13-18.


Testing – New Google Search “Personal” Tab absent in gSuite for Education

This weekend Google rolled out a change to search to add a “personal” tab described by cmswire as…

“results come directly from your Google accounts. According to reports, personal ads may also appear in these results. The tab can be found under the ‘More’ option on the search page and surfaces everything related to a keyword in email messages, calendar events and photos.”

Recently I’ve been testing the differences between Consumer Google Accounts and gSuite for Education accounts, so I thought it would be good to check if this feature was rolled out to gSuite users.

Short answer, it is currently not. 

Google features often appear the consumer version first and move to gSuite but Google has to announced any plans to move the feature into gSuite for Education.

Here is my consumer gmail account, with the “personal” tab highlighted and the “more” menu shows videos, shopping, books and flights

consumer google search

Here is my gSuite for Education account, with  videos highlighted, no “personal” tab and the drop down only shows books and flights

gSuiteGoogle search

Tracking Google and Microsoft Adoption in Higher ED

Earlier this month, New York Times columnist Natasha Singer wrote How Google Took Over the Classroom, a detailed look at the rise of Google in primary and secondary education. (Also worth a listen is the NPR interview on All Sides with Ann Fisher).

The article did not address Google at the post-secondary level, but Joshua Kim of Inside Higher ED asked “I’ve been looking for recent data on the Google vs. Microsoft enterprise e-mail battle – but I can’t find anything recent. Can you help?”

Challenge Accepted.

I have a history (or a mild obsession) of tracking edtech. Back in 2010 and for a few years after, Forbes blogger Eric Lai and I tracked the growth of the iPad in K12, Higher Ed and the enterprise. I have been tracking the growth of Google Apps (now gSuite) and Office 365 in K12 and to a lesser extent Higher Ed since 2014.

Back in December, I posted a domain / DNS analysis of adoption in K12 for O365 and gSuite, so I thought it would be a good time to update the numbers for Higher ED.

The methodology is the same as I used for K12 districts, a scan of DNS records, looking for specific known markers in MX, TXT and other records. However, for Higher Ed the data is likely more accurate given that the root domains are well know (.EDU)

For this analysis, I pulled the US based listing from a list of EDU domains on GitHub. The list included only the root EDU domain, and individual colleges or campuses (sub-domains) may run different email systems than what is used on the primary domain but this approach of  using a large data set provides an overview of the adoption of Google and Microsoft email systems.

I scanned the DNS records of 2,276 US EDU domains and got the following results for domains that had DNS MX records that indicated they were routing mail directly through Google or Microsoft servers. The Google numbers are lower than I had expected.

Google MX Records  18.31%
Microsoft MX Records  40.84%


One result worth noting was that 30.96% of the sites returned DNS markers that were indicative of a domain that had started the process of verifying domain ownership with Google . Take together with the 18.31% of domains that are actively routing mail through Google, this would strongly indicate that  12.65% of root EDU domains had either started or were using Google and are now not using Google for mail.