- Nearly all top ed tech sites use “extensive” tracking technologies, according to an analysis of sites endorsed and scraped from 15,573 school domains by researchers at the University of Chicago and New York University.
- In interviews with 18 school district officials and IT personnel, the study found the districts lack resources to handle privacy and security issues generally when it comes to ed tech, because there is so little district training available. Additionally, researchers said those deciding which ed tech to use often lack room to negotiate their contracts over potential privacy and security concerns.
The Chicago-NYC study follows a January report by Internet Safety Labs that found 96% of apps used or recommended by schools share students’ personal information with third parties.
According to the latest study, the top 10 ed tech domains districts referred to online were Zoom, Scholastic, College Board, PowerSchool, Khan Academy, Frontline Education, ACT, Smore, Starfall and Clever.
School district leaders often are either not aware or do not have enough sway in negotiating privacy and security measures in ed tech contracts, said Marshini Chetty, a study co-author and an associate professor in the computer science department at the University of Chicago.
Collection of this kind of data by ed tech vendors may pose cybersecurity risks to schools, too, Chetty said.
Yet schools are also often not prepared to handle cyberattacks, given they are typically understaffed in the field.
“If a school doesn’t have good cybersecurity staff, then they just don’t know how to deal with those incidents,” Chetty said. “The shortage of cybersecurity professionals makes a huge difference in terms of making and keeping schools secure.”
At the federal level, there haven’t been many recent updates to student privacy data protections, Chetty said. Better definitions are also needed for ed tech — and how those technologies need different regulations compared to other tech companies, she said.
Recently, the White House released a National Cybersecurity Strategy, which aims to shift cybersecurity responsibilities away from local governments and underresourced customers to major technology companies. School district vendors have been found “responsible” as the entry point for 55% of K-12 data breaches between 2016 and 2021, according to a 2022 report by the nonprofit K12 Security Information Exchange.