Is Ed Tech Failing to Keep Our Kids Safe?

Is Ed Tech Failing to Keep Our Kids Safe?

By Molly Fosco

Students at Newton Bateman Elementary School in Chicago use Google-powered laptops and Google education apps for classwork.
SourceWhitten Sabattini/New York Times/Redux


Popular education technology platforms tick the boxes for education, but for privacy and security? Not so much.

By Molly Fosco

Rachel Stickland’s two children have been the victims of data breaches — not once, but twice. Last year, their information was stolen when the Free Application for Federal Student Aid (FAFSA) was hacked. One month later, it happened again when the education technology platform Edmodo was penetrated. Stickland was particularly upset about the Edmodo incident because she found out about it from a news report, rather than from the company or her children’s school. The Colorado mother believes it was only her kids’ names and email addresses that were accessed, but the fact that cybercriminals can see them is disturbing.

When it comes to cyber hacks, other children haven’t been so lucky. More than 1 million children were victims of identity theft in 2017, resulting in $2.6 billion in losses, according to Javelin Strategy & Research. Children have no prior credit — just clean slates — so their identity is much more valuable than an adult’s to criminals. And because the Social Security Administration began using a “randomization” method in 2011, a child’s assigned social security number (SSN) is no longer tied to his or her date of birth and geographic location. This allows thieves to create an entirely synthetic identity with a child’s SSN, signing up for credit cards, obtaining loans or even mortgages and filing fraudulent tax returns. Many times parents don’t find out what has happened until their children turn 18, at which point their credit scores are ruined.

As technology becomes increasingly common in the classroom, the challenge of protecting data there grows even more daunting. Security and privacy within education technology platforms are critical to protecting children from identity theft, in addition to a number of other risks. Spurred by the urgency of the problem, Common Sense Media, a San Francisco–based nonprofit that promotes safe media for children, recently conducted a survey of American ed tech applications. The results showed that:

Half of the 100-plus most used ed tech apps allow children’s information to be viewed publicly online. 

They also found that only 10 percent of these companies, which were anonymous in the survey, met the minimum criteria for transparency and quality in their policies. Common Sense distributed the survey to their cohort of teachers and district leaders, who answered questions about the ed tech software they use most frequently in the classroom. The three-year examination found that nearly all applications evaluated do not clearly define safeguards to protect student information, do not support encryption or lack consistent privacy and security practices.

“I wasn’t expecting the industry to have such a lack of transparency in a lot of these areas,” says Girard Kelly, the counsel and director of privacy review at Common Sense who led the survey. “We found many issues with the way data is collected and used.” In 2017, popular ed tech app Edmodo was hacked and millions of children’s information was put up for sale on the dark web. While it’s unclear which other platforms have fallen victim, Kelly says the problem of children’s identity information being accessed through ed tech software is ongoing.

In addition to privacy issues, the survey also found that 37 percent of the ed tech platforms evaluated collect information that can be used by tracking technologies and third-party advertisers, 40 percent display contextual advertising and 74 percent maintain the right to transfer a user’s personal information if the company is acquired, merged or files for bankruptcy. Only 14 percent review the platform to remove any content related to alcohol, gambling, violence or sexuality.

Most ed tech platforms that allow ads don’t filter the content.

But the explosion of corporate hacks in recent years, with enormous breaches at companies like Uber, Yahoo and Equifax compromising the data of millions of customers, has prompted some ed tech organizations to take cybersecurity seriously — particularly because they serve a vulnerable population. CodeMonkey, an ed tech app that teaches kids how to code with both Javascript and python script by building their own video game, doesn’t allow students under age 13 to sign up with their full name, email address or real photo.

The platform allows students older than 13 to link their Facebook or Google account, which means an email address is required for sign-up. This information could be accessed by a hacker but the risk is low, says Boaz Zaionce, CEO of CodeMonkey. “There is no financial information of any kind stored on our servers,” he says. “Ed tech isn’t that interesting to hackers — most of the time it’s not worth the hassle.” But the company has a system at the ready just in case. Servers are hosted on Amazon and, in the event of a breach, the company can shut down the compromised server and activate a backup. If a hacker gets in through Facebook or Google, they can kill the connection.

ClassDojo, an app that facilitates communication between parents and teachers, is also highly aware of protecting student information. The platform is a private ecosystem, meaning only teachers, parents and students connected to a classroom or school can see what’s being shared. Each individual student’s personal information is only visible to parents and teachers. “ClassDojo is a much safer way to share information than alternative methods like online newsletters or blogs, which can be visible to anyone,” says Lindsay McKinley, head of communications at ClassDojo. The organization regularly works with top privacy experts to develop their policies and practices, and they never share student information with advertisers or marketers.

Still, Kelly says more ed tech companies need to prioritize transparency. Another issue: Ads on ed tech platforms aren’t common, but most that do allow ads don’t filter the content. “If they’re not filtered, you could be showing an 18-plus ad to a young kid,” says Kelly. But the platform may not recognize the user is a child, which is why “more transparency is key,” he says.

Common Sense is making increased security and privacy in ed tech a top priority by conducting their survey annually. Next year, they plan to include at least 200 participants. They hope that increased awareness will help more ed tech companies recognize the urgency of protecting children’s information online.