It's not like the Experian data breach was ongoing for 2 years. #waitaminute

15 million customers had their data accessed from the credit monitor Experian.

What Peeple Tells Us About Privacy

2 min read

The latest Internet furor du jour is over an app called Peeple. This post is not going to get into the details or problems with the app, as other people have already done a great job with that.

In brief, the app allows anyone with a Facebook account to rate anyone else. No consent is needed or sought. All a person needs to rate another person is their phone number.

As seen in the links above (and in a growing angry mob on Twitter), people are pointing out many of the obvious weaknesses in this concept.

The reason many people are justifiably furious about Peeple is that it allows strangers to rate us, and makes that rating visible as a judgment we potentially need to account for in our lives. However, what Peeple aims to do - in a visible and public way - is a small subset of the ways we are rated and categorized every day by data brokers, marketers, human resources software, credit ratings agencies, and other "data driven" processes. These judgments - anonymous, silent, and invisible - affect us unpredictably, and when they affect us we often don't know about it until much later, if at all.

While Peeple is likely just a really bad idea brought to life by people with more money and time than sense, I'm still holding out hope that Peeple is a large scale trolling experiment designed to highlight the need for increased personal privacy protections.

Some Tips For Vendors When Looking At Your Privacy Policies

4 min read

This post is the result of many conversations over the last several years with Jeff Graham. It highlights some things that we have seen in our work on privacy and open educational resources. This post focuses on privacy, but the general lesson - that bad markup gets in the way of good content - holds true in both the OER and the privacy space.

When looking at privacy policies and terms of service, the most important element is the content of the policy. However, these policies are generally delivered over the web, so it's also important to look at how the pages containing them perform on the web. Vendors should ensure that their policies are as accessible as possible, to as many people as possible, with as few barriers as possible.

Toward that end, here are four things that vendors should be doing to test the technical performance of their policies.

  • View the source. In a web browser, use the "view source" option. Does the text of your policy appear in the "main content" area of your page, or some semantic equivalent? Are you using h1-h6 tags appropriately? These are simple things to fix or do right.
  • Google your privacy policy and terms of service, and see what comes up. First, use the string "privacy policy OR terms of service [your_product_name]". See what comes up. Then, use the more focused site-restricted search "privacy policy OR terms of service site:[your_domain]" - in this search, be sure to omit the initial "www" from the domain so that your search picks up any subdomains.
  • Use an automated tool (like PhantomJS) to capture screenshots of your policies. If PhantomJS has issues grabbing a screenshot of your page, it's a sign that you have issues with the markup on your page.
  • Use a screenreader to read your page. Listen to how or if it works. Where we have observed issues with a page failing to behave in a screenreader, it's frequently due to faulty markup, or the page being loaded dynamically via javascript.
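The "view source" check above can be partially automated. The sketch below (Python standard library only; the class and function names are my own, not from any vendor tool) parses a page's raw HTML as served and reports whether the policy text actually appears inside a main element, rather than being injected later by JavaScript:

```python
from html.parser import HTMLParser

class MainText(HTMLParser):
    """Collects the text nodes that appear inside a <main> element."""
    def __init__(self):
        super().__init__()
        self.in_main = 0   # nesting counter for <main> elements
        self.chunks = []   # text fragments found inside <main>

    def handle_starttag(self, tag, attrs):
        if tag == "main":
            self.in_main += 1

    def handle_endtag(self, tag):
        if tag == "main" and self.in_main:
            self.in_main -= 1

    def handle_data(self, data):
        if self.in_main:
            self.chunks.append(data)

def policy_in_main_content(html: str, phrase: str) -> bool:
    """True if `phrase` appears in the page's <main> content as served."""
    parser = MainText()
    parser.feed(html)
    return phrase.lower() in " ".join(parser.chunks).lower()

# A page that serves its policy as real markup...
good = "<html><body><main><h1>Privacy Policy</h1><p>We collect ...</p></main></body></html>"
# ...versus one that ships an empty shell and loads the policy via script.
bad = "<html><body><div id='root'></div><script src='policy.js'></script></body></html>"
```

If the second pattern describes your page, the check fails for the same reason screenreaders and search engines struggle with it: the policy text simply isn't there in the source.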

To people working on the web or in software development, these checks probably sound rudimentary - and they are. They are the technical equivalent of being able to tie your shoes, or walking and chewing gum at the same time.

In our research and analysis of privacy policies, we have seen the following issues repeated in many places; some of these issues are present on the sites of large companies. Also worth noting: this is a short list, highlighting only the most basic issues.

  • Pages where the policies are all wrapped in a form tag. For readers unfamiliar with html, the form tag is used to create forms to collect data.
  • Pages where, according to the markup, the policies are part of the footer.
  • Pages where, according to character count, the actual policies only account for 3% of the content on the page, with the other 97% being markup and scripts.
  • Sites where Google couldn't pick up the text of the policy and was only able to index the script that is supposed to load it.
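The content-to-markup ratio mentioned above is easy to measure yourself. Here is a minimal sketch (Python standard library only; the names are mine) that estimates what fraction of a page's characters is visible text versus markup and scripts:

```python
from html.parser import HTMLParser

class VisibleTextCounter(HTMLParser):
    """Counts characters of visible text, skipping <script> and <style> bodies."""
    def __init__(self):
        super().__init__()
        self.skipping = 0  # inside a script/style element
        self.chars = 0     # visible text characters seen so far

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skipping:
            self.skipping -= 1

    def handle_data(self, data):
        if not self.skipping:
            self.chars += len(data.strip())

def content_ratio(html: str) -> float:
    """Fraction of the raw page that is visible text (0.0 to 1.0)."""
    counter = VisibleTextCounter()
    counter.feed(html)
    return counter.chars / max(len(html), 1)

page = "<html><body><script>var a=1;</script><p>Your privacy matters.</p></body></html>"
```

A ratio in the low single digits is a strong hint that the policy is buried under scripts and boilerplate.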

We are not going to be naming names or pointing fingers, at least not yet, and hopefully never. These issues are easy to fix, requiring skills well within the reach of a technically savvy middle schooler. Vendors can and should be doing these reviews on their own. The fix for these issues is simple: use standard html for your policies.

We hear a lot of talk in the privacy world about how privacy concerns could stifle innovation - that's a separate conversation that will almost certainly be the topic of a different post, but it's also relevant here. When the people claiming to be the innovators have basic, demonstrable problems mastering html, it doesn't speak well to their ability to solve more complex issues. Let's walk before we run.

Breakdown, by state, of how voter registration info and history is sold. #privacy

A state by state breakdown of how voter information and history is sold.

MySchoolBucks, or Getting Lunch with a Side of Targeted Advertising

6 min read

MySchoolBucks is an application that is part of services offered by Heartland Payment Systems, Inc, a company in New Jersey. MySchoolBucks processes payments from parents for school lunches.

Before we proceed any further, we must highlight one thing here: this post IS NOT about the federal, state, or local school lunch programs. This post addresses a vendor that has inserted itself between students, schools, and lunches.

The premise of MySchoolBucks is pretty simple. Parents put money into an account on the site. Accounts are tied to a card used by the student to pay for lunch, and the system keeps track of how much money families have in their accounts.

To make this system work, MySchoolBucks collects a parent name, the name of any children enrolled in school, and the school they attend. Parents add money to their MySchoolBucks account via credit card, so MySchoolBucks also processes credit card payments.

However, reading the Privacy Policy of MySchoolBucks shows some oddities that have nothing to do with supporting parents, students, or schools with lunch. It's also worth noting that MySchoolBucks has a "feature" I have never seen before on any other policy: after six or seven minutes, the privacy policy page automatically redirects you to the home page. It's almost like the company doesn't want you to read their privacy policy at all.

But, for those of us who persevere, we discover some oddness in this policy.

In the opening "Glossary" section, MySchoolBucks defines a Business Partner as follows:

"Business Partners" means, collectively, third parties with whom we conduct business, such as merchants, marketers or other companies.

Then, in Section 4, MySchoolBucks states:

We (or our Vendors on our behalf) may share your Personal Information ... with relevant Business Partners to facilitate a direct relationship with you.

So, business partners include marketers, and marketers can be given personal information. As noted above, the personal information collected in this application includes parent name, child's name, and the child's school.

Taking a look back at the glossary, we get this definition of non-identifying information:

"Non-Identifying Information" means information that alone cannot identify you, including data from Cookies, Pixel Tags and Web Beacons, and Device Data. Non-Identifying Information may be derived from Personal Information.

This definition omits the fact that many of these elements can, in combination, be used to identify you. Thousands of web sites collect this information, which means that there is a large dataset of what this vendor inaccurately calls "non-identifying information."

Further down in the policy, MySchoolBucks states that they share "non-identifying information" pretty freely.

We may disclose Non-Identifiable Information which does not include Protected Data:

  • with Business Partners for their own analysis and research; or
  • to facilitate targeted content and advertisements.

Because Heartland Payment Systems shares what they misleadingly call "non-identifying information" with marketers and 3rd party ad servers with no prohibitions on how it can be used, this "non-identifying" data can be combined with other data sets, and then tied to your precise identity.

Accordingly, the claim of "non-identifying" data is probably accurate from a very narrow legal perspective, but it does not represent the reality of what is possible when data from multiple datasets are combined and mined.
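To make that re-identification risk concrete, here is a toy sketch (Python; all data, field names, and dataset names are invented for illustration) of how two individually "non-identifying" datasets can be joined on a shared device ID to recover a named identity:

```python
# Hypothetical data: neither dataset alone names the person behind d-4821.
ad_network_log = [
    {"device_id": "d-4821", "pages_seen": ["school-lunch-payments", "local-news"]},
    {"device_id": "d-9044", "pages_seen": ["sports-scores"]},
]
retailer_records = [
    {"device_id": "d-4821", "name": "Pat Example", "email": "pat@example.com"},
]

def join_on(key, left, right):
    """Naive inner join of two lists of dicts on a shared key."""
    index = {row[key]: row for row in right}
    return [{**row, **index[row[key]]} for row in left if row[key] in index]

# After the join, browsing behavior is tied to a named person.
linked = join_on("device_id", ad_network_log, retailer_records)
```

This is the whole trick: each dataset is "non-identifying" on its own, and identifying the moment a common key links them.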

MySchoolBucks also supports login via Facebook, which creates additional problems:

You may register to use our Services using your existing Facebook account. If you opt to use your Facebook account to register to use our Services, you authorize Heartland to collect, store, and use, in accordance with this Privacy Policy, any and all information that you agreed that Facebook, Inc. ("Facebook") could provide to Heartland or Heartland's third party authentication agent through Facebook's Application Programming Interface ("API"). Such information may include, without limitation, your first and last name, Facebook username, unique Facebook identifier and access token, and e-mail address.

The inclusion of the unique Facebook identifier, combined with a device ID (which is likely collected as part of the "non-identifying information") would be sufficient to tie a precise identity to many occasions where a person clicked a "like" link, or shared a link on Facebook. If someone could explain why this information is needed to pay for a 2nd grader's lunch, I'm all ears.

There are other issues with the privacy policy and terms of service of MySchoolBucks, but getting into the deep weeds of every single issue with the policies obscures the larger point: paying for a kid's lunch at school shouldn't expose the student or parent to targeted advertising.

MySchoolBucks and Portland Public Schools

The site came to my attention a couple weeks ago when I was reviewing back to school emails for my child. My local school district uses this service. I attempted to find any information about this site on the district web site - in particular, any contract that would give more information on how student and parent data use was limited - but found nothing.

To be clear: the lack of information and disclosure from Portland Public Schools is unnecessary, and fosters mistrust.

Portland Public Schools could take three immediate steps to address these issues:

  • List out the district and school level vendors that have been designated school officials. Link to the privacy policies and terms of service of these companies, and upload the text of any additional contracts in place between these vendors and Portland Public Schools.
  • List out vendors used within schools where the vendor has not been designated a school official. Link to the privacy policy and terms of service of these companies. This list would require input and feedback from schools, as they would need to collect information about the software used within each school to support teaching and learning.
  • Document the process and criteria used to select technology vendors for district wide services. Right now, the decision making process is completely opaque to the point where it's impossible to know if there even is a process.

The distinction between vendors who have been declared school officials and vendors that require parental consent is key, as the rules around data use and sharing differ based on the status of the vendor. The lack of any documentation around contracts is also problematic. Contracts are public documents, and these purchases are made with public dollars.

It's worth noting that this is information that should be on the Portland Public Schools web site already. At the very least, parents shouldn't need to wonder who is processing their children's information. I understand that there are numerous details competing for attention within the district, but at some point, excuses need to stop, and be replaced with results. The current level of awareness and attention to student privacy issues within Portland Public Schools is problematic, at best. The communications about these issues have been factually inaccurate, which raises the question: how can we trust Portland Public Schools to get the complicated issues right when they appear to be missing the basics?


Facebook, Privacy, Summit Public Charters, Adaptive Learning, Getting Into Education, and Doing Things Well

7 min read

One of the things that I look for within schools is how solid a job they do telling their students and families about their rights under FERPA. One crude indicator is whether or not a school, district, or charter chain contains any information about FERPA on their web site. So, when I read that Facebook was partnering with Summit Public Charter Schools, I headed over to the Summit web site to check out how they notified students and parents of their rights under FERPA. Summit is a signatory of the Student Privacy Pledge and a key part of what they do involves tracking student progress via technology, so they would certainly have some solid documentation on student and parent rights.

Well, not so much.

It must be noted that there are other ways besides a web site to inform students and parents of their FERPA rights, but given the emphasis on technology and how easy it is to put FERPA information on the web, the absence of it is an odd oversight. I'm also assuming that, because Summit clearly defines itself as a public charter school, it is required to comply with FERPA. If I'm missing anything in these assumptions, please let me know.

But, returning to the Facebook/Summit partnership, the news coverage has been pretty bland. In fairness, it's hard to do detailed coverage of a press release. Two examples do a pretty good job illustrating the range of coverage: The Verge really committed to a longform expanded version of Facebook's press release, and the NY Times ran a shorter summary.

The coverage of the partnership consistently included two elements, and never mentioned a third. The two elements that received attention included speculation that Facebook was "just getting in" to the education market, and privacy concerns with Facebook having student data. The element that received no notice at all is the open question of whether the app would be any good. We'll discuss all of these elements in the rest of the post.

The first misconception we need to dispense with is that Facebook is "just getting in" to education. Facebook's origins are rooted in elite universities. The earliest versions of the application only allowed membership from people enrolled in selected universities - Ivy League schools, and a small number of other universities.

Also, let's tell the students interacting on these course pages on Facebook - or these schools hosting school pages on Facebook - or these PTAs on Facebook - that Facebook is "just getting in" to education. To be clear, Facebook has no need to build a learning platform to get data on students or teachers. Between Instagram and Facebook, and Facebook logins on other services, they have plenty. It's also worth noting that, in the past, Facebook founder Mark Zuckerberg has seemed to misunderstand COPPA while wanting to work around it.

Facebook - the platform - is arguably the largest adaptive platform in existence. However, the adaptiveness of Facebook isn't rooted in matching people with what they want to see. The adaptiveness of Facebook makes sure that content favored by advertisers, marketers, self promoters, and other Facebook customers gets placed before users while maintaining the illusion that Facebook is actually responding directly to people's needs and desires. The brilliance of the adaptiveness currently on display within Facebook is that, while your feed is riddled with content that people have paid to put there, it still feels "personalized". Facebook would say that they are anticipating and responding to your interests, but that's a difficult case to make with a straight face when people pay for the visibility of their content on Facebook. The adaptiveness of Facebook rests on the illusion that users select the content of their feeds, when the reality as manifested in those feeds is more akin to a dating service that matches ads to eyeballs.

Looking specifically at how this adaptiveness has fared in the past raises additional questions.

Facebook's algorithms and policies fail Native communities.

Facebook's algorithms and policies fail transgender people.

Facebook's algorithms and policies selectively censor political speech.

Facebook's algorithms and policies allow racism to flourish.

Facebook's algorithms and policies ruined Christmas (for real - maybe a slight overstatement, but I'm not making this up).

Facebook allowed advertisers to take a woman's picture and present it to her husband as part of a dating ad.

Facebook's algorithms and policies can't distinguish art.

Facebook's algorithms and policies experiment with human emotions, without consent.

I could continue - we haven't even talked about how Facebook simplified government surveillance, but you get the point: the algorithms and policies used by Facebook tilt heavily toward the status quo, and really miss some of the nuance and details that make the world a richer place. In an educational system, it's not difficult to see how similar algorithmic bias would fail to consider the full range of strengths and abilities of all the students within their systems. Facebook, like education, has a bad track record at meeting the needs of those who are defined as outside the mainstream.

In educational technology, we have heard many promises about technologies that will "disrupt" the status quo - the reality is that many of these technologies don't deliver more than a new UI on top of old systems.

There Is An Easy Solution Here

Fortunately, none of these problems are insurmountable. If Facebook released the algorithms to its learning platform under an open source license, no one would need to guess how they worked - interested parties could see for themselves. Facebook has done this with many projects in the past. Open sourcing their algorithms could potentially be an actual disruption in the adaptive learning marketplace. This would eliminate questions about how the adaptive recommendations work, and would allow a larger adoption of the work that Facebook and Summit are doing together. This wouldn't preclude Facebook or Summit from building a product on top of this work; it would just provide more choices and more options based on work that is already funded and getting done.

It's also worth highlighting that, while there will be many people who will say that Facebook has bad intentions in doing this work, that's not what I'm saying here. While I don't know any of the people doing work on the Facebook project, I know a lot of people doing similar work, and we all wake up wanting to build systems that help kids. In this post, I hope that I have made it very clear that I'd love to see a system that returned control of learning to the learner. Done right, adaptive learning could get us there - but "doing adaptive right" requires that we give control to the learner to define their goals, and to critique the systems that are put in place to help learners achieve. Sometimes, the systems around us provide needed support, and sometimes they provide mindless constraints. Adaptive learning needs to work both ways.

Open sourcing the algorithms would provide all of us - learners, teachers, developers, parents, and other people in the decision making process - more insight into and control over choosing what matters. Done right, that could be a very powerful thing.

This 3yo piece from @natashanyt on consumer data is pretty chilling.

This is why privacy matters. Consumers can't access the data that companies use to judge us.

Is Not Neutral, Not Secure, and Not the Internet

Thoughts on related efforts as Facebook gets more into the education game