All posts in data security

Additional Questions About How inBloom, Schools, Districts, and States Store Data

Over the last few days, I spent a little time looking over the inBloom Data Store Logical Model. Based on what I have seen there, I have some additional questions and observations about the data that is stored within the system. The questions included here are not comprehensive by any means. Rather, this is a short list compiled after spending around an hour reviewing the data model.

A. inBloom Could Be Used to Screen Immigration Status

inBloom can store information about how a person verifies their identity. The values used here could be used as a screen to check immigration status. Given some of the laws passed at the state level, I would hope that schools would not be passing on this information. What educational goals are supported by collecting this data?


I also like how "Family Bible" is included as a proof of ID.

B. Getting Ready For People to Opt Out

inBloom appears to be anticipating that people will opt out of tests. The Reason Not Tested list includes parental waivers and parents opting out.


Using this data, people or organizations with access to data stored in inBloom could create a rolodex of parents - complete with addresses, emails, and contact info - who are opting out of testing.

C. Getting Ready To Restrain

inBloom has the capacity to track when students are restrained.


However, inBloom makes no similar accommodations for tracking students who are subject to corporal punishment. According to congressional testimony (quoted below), there are between 2 and 3 million occurrences of students being hit in school each year, and corporal punishment is legal in 30 states. Given how inBloom supports tracking other disciplinary actions, this seems like an odd and unnecessary omission.

The prevalence of corporal punishment of children in schools remains high in the United States. In spite of many education and other national groups calling for corporal punishment in schools to be banned, the United States remains one of the few industrialized countries allowing corporal punishment in 30 states.\2,21\ According to the Office of Civil Rights (2007), school officials, including teachers, administered corporal punishment to 223,190 school children across the nation during the 2006-2007 school year.\8,12\ Experts note that there are about 1.5 million reported cases of physical punishment in school each year, but calculate the actual number to be at least 2-3 million; as a result of such punishment, 10,000-20,000 students request subsequent medical treatment each year.\8,9,12\ During this same period, the top ten states for students being hit were, in order of highest to lowest frequency: Mississippi, Arkansas, Alabama, Oklahoma, Louisiana, Tennessee, Oklahoma, Texas, Georgia, Missouri, and Florida.

D. What Student Characteristics Really Matter?

inBloom supports the ability for schools to track Student Characteristics.


Apparently, "Immigrant" and "Single mother" are "conditions" that get recorded. See point A, above, about how inBloom could be used to target families based on immigration status.

E. Collecting Social Security Numbers

According to the enumerations, Social Security Numbers are among the IDs stored by inBloom for both Staff and Students.


Additionally, inBloom's FAQ states that social security numbers will be stored if everyone agrees that they should:

inBloom discourages storing social security numbers in its data service, but legally school districts and state may record student social security numbers. inBloom prohibits storage of social security numbers in the data store unless agreed to by both inBloom and the state/district on a case-by-case basis.

However, less than a month ago, Iwan Streichenberger, the CEO of inBloom, appeared to say (via Twitter) that inBloom does not store Social Security numbers. As I asked a couple of days ago, however, it looks like inBloom defers to states and/or districts, and that they will store what they are provided.

Closing Thoughts

In many ways, inBloom is helping to bring visibility to the issue of data collection, data storage, and data sharing. inBloom is a data store, collecting data from many sources into one location. inBloom differs from past efforts in its scale and its partnership efforts. It would be great to see inBloom and the various agencies collecting data be more proactive about how data is collected, when the collected data can be reviewed by students, teachers, and parents, and how inaccurate data in the system can be reviewed or deleted. Right now, inBloom appears pretty silent on most of these questions, which does nothing to dispel concerns about how - and by whom - the data will be used.

When data is collected at scale, on a large number of people, over time, the role of for-profit companies in the ecosystem needs to be blatantly, obviously clear. When a data set is large enough, even a small number of data points from within that data set can be used to target and identify individuals within that data set. Given the value of student data, and the lack of transparency around how that data is used once it has been handed over, both inBloom and any schools, districts, and states collecting data need to clarify the rules, and how people can be certain these rules are being followed. In the absence of guarantees, students and parents need to be given access to their data so they can review and correct it as needed.

As we have seen, sometimes data is completely worthless. Moreover, if a student is at a school where corporal punishment is practiced, how much can we trust a discipline report from the same person who hits kids in the name of education? There are a lot of open questions here, and these open questions undermine the value of any data that would be collected at scale.

Most importantly, kids aren't going to school to provide researchers with data points. The purpose of school isn't to get people comfortable with life under constant observation. The endless efforts at data collection to capture what "works" with learning have the potential to disrupt the learning they are trying to capture. Learning requires trust; treating students like subjects - rather than people - is a surefire way to erode trust before it has a chance to get started. Without clear, obvious, and fully transparent rules around data collection and how that data is managed, we run the risk of observing our public education system into irrelevance.

The inBloom Data Model: What Is A Unique State Identifier?

In the inBloom data model, there are four instances where people are tied to what is called a Unique State Identifier.

A Unique State Identifier is defined as:

A unique numeric code assigned to a person by a state education agency.

The people identified by the Unique State Identifier are:

Clearly, inBloom is storing an incredibly large amount of personal data about students, parents, teachers, and staff (and that alone makes me wonder - how would bankers feel if we pushed that much data about their daily activities into a datastore, and then allowed for-profit companies to access that information to make banking more efficient? But I digress). At various points, it has been reported that inBloom is storing Social Security Numbers. inBloom has denied that.

But, after reading through the spec (where there is no mention of Social Security Numbers), it seems like the main unique ID for parents, staff, students, and teachers is this Unique State Identifier. My question is: how many states, if any, use a person's social security number for this? It seems like inBloom is deferring to states on this, but if states are using social security numbers for their unique IDs, that changes the conversation.

Does anyone have accurate information on this? Please, if this is completely wrong or off base, let me know.
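One check a state or district data steward could run before handing records to a data store, as an added example that is not inBloom's code (the field name, sample records and key are constructed assumptions): it flags identifier values that are structured like Social Security Numbers, and shows a keyed, non-reversible substitute that could be assigned instead.

```python
import hashlib
import hmac
import re

# Constructed sample records; the field name "uniqueStateId" is an assumption,
# not inBloom's schema.
SAMPLE_RECORDS = [
    {"role": "student", "uniqueStateId": "123-45-6789"},    # SSN-shaped, with dashes
    {"role": "parent",  "uniqueStateId": "456789012"},      # SSN-shaped, no dashes
    {"role": "staff",   "uniqueStateId": "000123456"},      # 9 digits, but area 000 is never issued
    {"role": "teacher", "uniqueStateId": "TX-0004471923"},  # opaque agency-assigned id
    {"role": "student", "uniqueStateId": "1000234567"},     # 10 digits, not an SSN
]

_SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def looks_like_ssn(value: str) -> bool:
    """True if the value has the structure of a US SSN (dashes optional).
    Area 000, 666 and 900-999, group 00 and serial 0000 are never issued."""
    m = _SSN_RE.match(value.strip())
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def flag_ssn_identifiers(records, field="uniqueStateId"):
    """Return the indexes of records whose identifier field is SSN-shaped."""
    return [i for i, r in enumerate(records) if looks_like_ssn(str(r.get(field, "")))]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed, non-reversible replacement for an SSN-shaped identifier (HMAC-SHA256).
    The key stays with the agency that assigned the id, not with the data store,
    so the store never holds the SSN and cannot recover it from the token."""
    digits = re.sub(r"\D", "", value)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]


if __name__ == "__main__":
    for i in flag_ssn_identifiers(SAMPLE_RECORDS):
        r = SAMPLE_RECORDS[i]
        print(f"record {i} ({r['role']}): identifier looks like an SSN")
```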

Social Media and Cooperative Surveillance

So the Bruins won the Super Bowl. Or something like that.

And in the aftermath, people rioted in Vancouver. And in those riots, pictures and videos were taken.

And some people took it upon themselves to identify the rioters.

Stanley Cup

And after the aftermath - with nearly 170 people treated in hospitals and volunteers cleaning up the city - people began to ask questions about surveillance and the role of social media.

In the comments of her post linked above, Alexandra Samuel extends her original thoughts to include the "slippery slope" argument:

I don't see how we can claim to be uncomfortable with mass surveillance -- to fear Big Brother -- but then make exceptions when it's convenient, or feels important. This is a slippery slope and we can't draw too many simple lines -- even a line based on exposing illegal behaviour (as opposed to legal but controversial). Remember that there are places where it's illegal to smoke dope, or criticize the government, or hold hands with someone who is the same gender as you. Do we accept social media surveillance in those contexts?

To start, it's worth pointing out that most slippery slope arguments aren't worth the air required to set them loose. A "slippery slope" argument assumes that we live in a world with moral absolutes, and that making a "wrong" choice plunges us into the abyss of uncertainty and ambiguity.

But with that said, to all those who argue that people using social media to identify rioters to the state are engaging in community surveillance, crowdsourcing Big Brother, or otherwise furthering the expansion of the omnipresent nanny state: you are late to the game. That ship has sailed. People have been reporting on one another for years, well before the advent of the social web. Perversely enough, people using Facebook are complicit in building their own Panopticon. In using sites like Facebook - where people post their contact information, their interests, the places they like to go, the people they like and dislike, the things they buy, the games they play (and how they play them), what they look like, what their friends look like, etc. - people leave a broad data trail. Even rough data shows a lot about individuals; more sophisticated datasets allow for more sophisticated predictions.

It would be interesting to look at what could be discerned from a person's datastream on Facebook, combined with the data accessible via the phones and laptops we use, and how close that would come to supplying the data needed to make the Information Awareness Office a reality.

But to return to the argument of what constitutes an appropriate use for social media, and what level of privacy is reasonable to expect: we need to ground these conversations within the historical reality that people have been disagreeing, behaving badly, attempting to avoid responsibility - and then talking about it - for centuries (as an aside, Augustine would have had an AWESOME twitter feed). Social media just lets us get the word out faster.

And, if you are now concerned about privacy, and the relationship between surveillance, privacy, and the state, there is one thing you can do right now to make it better: stop using Facebook, Foursquare, Twitter, etc, as outreach and communication tools. To use social media is to participate in a continuous act of cooperative surveillance: sometimes we're watching ourselves, sometimes we're watching others, sometimes we're being watched, but the difference between sharing and observing is largely a matter of the side of the window you're on.

For the many self-proclaimed "social media consultants": stop advocating an expanded use of Facebook, Twitter, etc, to the detriment of an organization's primary web site. If you have engaged in such unseemly behavior in the past, it's never too late to admit your mistakes. Just stop repeating them. And if you have been working in social media for more than 15 minutes and are actually surprised by privacy implications, you can always go back to selling cars.

Seriously, though, if you are giving advice to an organization that does social justice work, be very careful of the relationships you encourage them to foster on external social sites. Given Facebook's unclear direction in China, the ease with which apps can access and store user data, the way bugs leak private data, and Facebook's own ham-fisted "privacy" efforts (from Beacon to facial recognition and everything in between), encouraging social justice-oriented groups to work on Facebook could be putting people at unnecessary risk.

As we talk about privacy and surveillance, we need to remember that a key difference between a surveillance tool and a tool for individual or collective empowerment is who controls the data, and how that data is used.

Image Credit: "Patrice Bergeron" taken by slidingsideways, published under an Attribution Non-Commercial No Derivatives license.

Google and Data Collection

Last May, Google announced that it had accidentally collected personally identifiable information as part of capturing data for the Street View functionality of Google Maps.

A look at the technical aspects of what was collected, and why, tends to support Google's explanation that this was accidental, and not anywhere near as big a deal as people wanted it to be.

New Camera

Please don't misunderstand - Google has plenty of issues with user privacy, and the ramifications for student privacy as more K-12 schools transition to Google Apps are mind-boggling. But, the kerfuffle over data collected for Street View is overblown.

Moreover, Google appears to be taking steps to mitigate this, and they are candid about their role in the failure, and clear about the steps they are taking to improve it. Other companies with widespread privacy issues (cough cough Facebook cough cough) could learn from how Google is handling this.

Image Credit: Photo "New 'Camera'" taken by Sherman Tan, published under an Attribution license.

Have Fun Explaining This To Parents As Your School Transitions To Google Apps

While this is likely an isolated incident, it certainly raises questions about what happens to a student's personal information (also known as their thoughts, and portions of the intellectual explorations that make up their life) when it is sent to a large company. In this case, an engineer at Google was allegedly fired for accessing the accounts of minors:

In other cases involving teens of both sexes, Barksdale exhibited a similar pattern of aggressively violating others' privacy, according to our source. He accessed contact lists and chat transcripts, and in one case quoted from an IM that he'd looked up behind the person's back. (He later apologized to one for retrieving the information without her knowledge.) In another incident, Barksdale unblocked himself from a Gtalk buddy list even though the teen in question had taken steps to cut communications with the Google engineer.

So, as schools make decisions to outsource essential services to external companies (aka the cloud), it's worth remembering that there are people working around the clock to keep the cloud running. Most of these people do the right thing all of the time, but for schools rolling these services out (and requiring students to use them as part of their school work) what recourse would you have if your student's privacy was violated? More to the point, how would you know? Is there even any guarantee that you would be told?

At what point does convenience trump the ability to guarantee your students and your parents that you have taken reasonable steps to ensure the privacy and integrity of work done within your school?
