Streams

NYC Parent Sounds Alarm on Student Privacy

Tuesday, July 23, 2013 - 04:00 AM

(Yasmeen Khan)

Parent advocate Leonie Haimson wants more New York parents to know that the state has agreed to share sensitive information about their children’s education with a national data-sharing system run by inBloom.  While state and city officials have tried to reassure families that privacy is a top priority for them, concerns remain. She answers some of our questions about inBloom Inc.

Q: What is inBloom Inc.?

A: inBloom Inc. is a non-profit organization, funded by the Bill &Melinda Gates Foundation and the Carnegie Corporation of New York, to the tune of $100 million. Its website says it was created to help states and districts "record student information, administer tests, analyze performance, train teachers and share lesson plans to support personalized learning.”

The data about individual students are stored on a cloud run by Amazon.com, with an operating system created by Wireless/Amplify, a subsidiary of News Corporation. inBloom plans to share the data with for-profit vendors as well as non-profits with state and district consent.

 

Q: What states and districts are participating?

A: At least nine states originally planned to share student data with inBloom.  After protests, four states have withdrawn or claimed they never intended to share data in the first place: Louisiana, Kentucky, Delaware, and Georgia. Two states, Massachusetts and North Carolina, are on record as reconsidering their plans. In Illinois, two school districts are participating and state officials said they intended to expand the program to 35 districts in 2014, including Chicago.  

New York is currently the only inBloom client sharing statewide student data for its entire regular public and charter school systems.

 

Q: What data is being shared with inBloom?  

A: inBloom Inc. is planning to collect about 400 student and teacher data points, going back as far as 2006.  Some of these data points are highly sensitive. New York officials said they are sharing student names, test scores, home addresses, grades, disciplinary and attendance data, economic and racial status, and “program participation”, including “whether or not a student is entitled to special education, 504 indicator, English Language Learner educational services and accommodations.”  

inBloom is also collecting teacher data, including names, addresses, social security numbers, and detailed employment histories.  It is not clear if New York is sharing this teacher data as well with inBloom.

 

Q: Who has opposed this?  

A: Parents, teachers, advocacy groups and privacy experts throughout the country have protested this unprecedented plan to share children’s sensitive information with private corporations and for-profit vendors.

New York organizations opposing this data-mining include Class Size Matters, the Learning Disability Association of New York, Alliance for Quality Education, New York State Allies for Education and the Coalition for Educational Justice. These groups have pointed out that a breach of this highly sensitive information, or its inappropriate use, could put children’s safety at risk.

The New York City comptroller, public advocate, State Assembly Speaker Sheldon Silver, as well as Cathy Nolan, chair of the assembly education committee, and Robert Jackson, the chair of the City Council education committee, are on record against the disclosure of student data without parental notification and consent.

 

Q: Is this being done with parental consent, and if not, doesn’t this violate legal privacy protections?  

A: Representatives from inBloom and the Gates Foundation said it would be up to states and districts to decide what their parental notification and opt-out policies will be.  According to a spokesman for the New York State Education Department, parents have no right to opt out or consent, because "when parents register a child for school they give up” the right to keep their children’s information private.

NYSED defends its position by saying that they are compliant with FERPA, or the Family Educational Rights and Privacy Act, the federal law that governs student privacy. FERPA’s regulations were rewritten in 2009 and again in 2012 to facilitate the sharing of confidential student data without parental consent.

The Electronic Privacy Information Center has filed a lawsuit against the U.S. Department of Education on the grounds that the federal government has weakened FERPA’s regulations in a way that violates the language and original intent of the law.

 

Q: What does inBloom have to do with the federal program called Race to the Top?  

A: States received points in their Race to the Top applications if they agreed to create data systems to support instruction. New York State is requiring any school district that received federal funds to sign onto one of the “data portals” produced by three vendors who will gain access to the data from the inBloom cloud. Still, student data from all districts will be uploaded, whether they received Race to the Top funds or not. 

 

Q: Didn’t ARIS provide data dashboards to NYC schools?

A: Yes. The city spent $100 million building the ARIS data system which was supposed to produce many of the same benefits to teachers and students inBloom promises to provide.  

In fact, Sharren Bates, the chief product officer of inBloom, was formerly in charge of the ARIS project for New York City.  ARIS is widely considered a failure and, according to independent studies, is rarely used by teachers or parents.  City officials said they would allow ARIS to lapse as soon as the new data dashboards are operable.  

 

Q: How much will inBloom cost?  

A: Starting in 2015, inBloom says it will charge states and districts between $2 and $5 per student each year for storing the data.  These fees do not count the additional costs charged by vendors if states and districts sign up for other software or hardware products that will receive data populated through the inBloom cloud.

As of now, it is uncertain whether the state or districts will be obligated to pay these fees and whether a district will be able to pull out of inBloom if it chooses not to cover the costs.

 

Q: Is the data being sold?

A: Currently, New York State and New York City are providing this valuable data to inBloom for free and they, as well as inBloom, insist that the data will never be sold.  

However, inBloom board members have said that inBloom is “exploring cost recovery partnerships with select vendors for the services that it provides.”  If not selling the data, this could be likened to renting it out.

 

Q: What about the security of the inBloom cloud?  

A: Though inBloom and New York officials claimed the cloud storage used in this project “exceed the security measures in place currently in most states and school districts,” many experts question the safety of cloud storage.

A survey of technology professionals found that 86 percent do not trust clouds to store their more sensitive information. inBloom has warned that it “cannot guarantee the security of the information stored...or that the information will not be intercepted when it is being transmitted.”

 

Q: What can parents do to stop this data-sharing?

A: Two bills to protect student privacy passed the state assembly in the last session.  A.6059A would have blocked re-disclosures without parental consent, and A.7872A would have allowed parents the right to opt out of the state or district being able to share their child’s data with third parties. A similar bill did not pass the state senate.

I believe parents, advocates and concerned citizens should urge their legislators, their school boards and state education officials to pull all student data out of inBloom as soon as possible. The risks of sharing this data with vendors far outweigh the potential benefits.  A sample letter, which also asks school boards to hold a public meeting and disclose what their current data sharing practices are, is posted here

 

Contributors:

Leonie Haimson

Tags:

The Morning Brief

Enter your email address and we’ll send you our top 5 stories every day, plus breaking news and weather.

Comments [11]

A. S. Evans

How is the inBloom invasion of our children's privacy different from the NSA's invasion of our privacy? It's not.

Jul. 24 2013 12:29 PM
Jon Jacobs from Brooklyn, NY

Is the Sheila Kaplan posting here, my classmate from grad school? I already know that the author Leonie Haimson is my undergrad classmate.

Either of you are welcome to LinkedIn or Facebook me.

Jul. 23 2013 08:32 PM
Jon Jacobs from Brooklyn, NY

Is the Sheila Kaplan posting here, my classmate from grad school? I already know that the author Leonie Haimson is my undergrad classmate.

Either of you are welcome to LinkedIn or Facebook me.

Jul. 23 2013 08:32 PM
Sheila

Final words from me on A6059. I'm sure there are cheers. Sorry for the flurry of posts. I need to correct my comments regarding A6059A.

There are some really good parts. Can you redefine is still the question in my mind. I know state laws can be more restrictive.

Accepting states can redefine federal terms I am uncomfortable with this part:

[(D) COMMERCIAL USE PROHIBITED. THE DEPARTMENT, DISTRICT BOARDS OF
EDUCATION AND INSTITUTIONS MAY NOT, WITHOUT THE WRITTEN CONSENT OF
ELIGIBLE STUDENTS OR PARENTS, DISCLOSE PERSONALLY IDENTIFIABLE INFORMA-
TION FROM EDUCATION RECORDS TO ANY PARTY FOR A COMMERCIAL USE, INCLUDING
BUT NOT LIMITED TO MARKETING PRODUCTS OR SERVICES, COMPILATION OF LISTS
FOR SALE OR RENTAL, DEVELOPMENT OF PRODUCTS OR SERVICES, OR CREATION OF
INDIVIDUAL, HOUSEHOLD, OR GROUP PROFILES; NOR MAY SUCH DISCLOSURE BE
MADE FOR PROVISION OF SERVICES OTHER THAN CONTRACTING, STUDIES, AND
AUDITS OR EVALUATIONS AS AUTHORIZED AND LIMITED BY PARAGRAPHS ]

Why allow the sale of student data or uses above even with consent? Schools shouldn't be brokering data. Why not prohibit commercial, profiling, list sale/rental like it says it's supposed to.

[(D) COMMERCIAL USE PROHIBITED.

I'm concerned the bill is too transparent regarding information about the repository. The public is more than caring parents.

It's a well-written bill. The bill writers know federal law.

Looks to me as though this state bill removes state control of student data. Lots more can be said about the bill.

Jul. 23 2013 06:57 PM
Sheila

My bad. I did not see the amended version of A6059A. I have been reading off of the original. Much better.... apologies on that one one.

The issue was the redefinition of authorized representative & others. I'm going to read it again now that I see my mistake. And perhaps we should publicly discuss this bill & get input from & for other states.

Jul. 23 2013 06:04 PM
Sheila

Barmack -- you said:

[Finally, opting out of student directory would do nothing to prevent non-consensual disclosures to third parties that, like inBloom, purport to be acting as agents or contractors to the state, districts, or schools.]

Opting out of student directory most certainly would prevent disclosures to 3rd parties including people who want to harm children.

Opting out of directory & opting out of inBloom are 2 different scenarios as I know you are aware. The bills died -- parents can STILL protect their children by opting out of student directory.

Let's wish EPIC good luck tomorrow in their lawsuit against US ED regarding the rule changes that allow disclosures that we agree are not in the best interest of children.

Jul. 23 2013 03:39 PM
Sheila

I flip-flopped the bill numbers, Barmack. I disagree with your critique. I have corrected the bill numbers below. I'm not going to go back & forth. And I'm not changing my statements. If I did I would go into further details regarding the flaws.

A6059 was flawed & not do-able. FERPA doesn't allow OPT-IN. The bill sponsor doesn't know the federal law.

A7872 allowed disclosure of PII to inBloom w out parental consent. Why would the Assembly support disclosure w out consent to inBloom? It's a grandstanding 1 house bill.

However if parents are concerned about disclosure of their children's PII w out their consent they should opt-out of student directory. It is their right under FERPA. The problem is parents are not aware of this right because they are not adequately informed by schools.

Jul. 23 2013 03:32 PM
Barmak Nassirian

Ms. Kaplan is correct in suggesting that A.7872A would impose significant operational burdens on the state, districts, and schools. Her comment on FERPA disallowing opt-ins is at once non-germane and an oversimplification of fairly complex mandates of federal law. While somewhat heavy-handed, nothing in A.7872A would have run afoul of FERPA.

As to A.6059A (in the framing of which I was marginally involved), it would absolutely stop the planned disclosure of non-directory information to inBloom, as well as the data-warehousing, data-mining, and data-sharing plans envisioned by the proponents of Big Data.

Finally, opting out of student directory would do nothing to prevent non-consensual disclosures to third parties that, like inBloom, purport to be acting as agents or contractors to the state, districts, or schools.

Jul. 23 2013 12:30 PM

Aside from the inherent dangers of this data collection, the fact that the scheme totally lacks transparency and gathering facts and information about it and the participation of states and districts has been heavily resisted sends up red flags!

The Louisiana participation only became known early this year to a few of us here by virtue of the efforts of Leonie Haimson to determine how far this plan has progressed. Here are some documented facts about inBloom (formerly the shared Learning Collaborative) and Louisiana:

1. LDOE refused to provide info re their participation in this project in response to a FOIA in January.
2. When confronted with questions in open testimony before BESE (Bd. of Elem and Second Ed) State Supt. John White denied having a "contract" with inBloom.
3. It was revealed that White circumvented state policy requiring approval of BESE for data sharing activities. BESE knew nothing about the agreement.
4. Subsequently, after intense testimony and pressure from a few parents and students in open testimony, White admitted to having an "agreement" with inBloom and it was discovered that LDOE had signed an MOU with CREDO more than a year earlier to provide student and teacher data for a 4year study of the purported success of the New Orleans Recovery School District. Interestingly, although that agreement runs thru 2015, CREDO coincidentally published a report shortly after this controversy arose.
5. Although it was demanded by BESE and promised by White, no paper agreement with inBloom was provided until more pressure was exerted, one Gannett newspaper in N. Louisiana persisted, and a FOIA threatened to sue. Finally the agreement was provided and emails were released tracking the progress of White's association with inBloom.

The overriding question and concern here is - why wouldn't the public be concerned and suspicious about this data sharing scheme in light of so much secrecy and outright lying? Trust is itself an issue that but is also an indicator that something much stinkier exists in Denmark!

Jul. 23 2013 11:27 AM
Laura Timoney from Staten Island

It continues to amaze me that we, as parents, have NO RIGHTS when it comes to our children in public schools. I do not want my children's information shared but as of right now, have no way to stop this. It should not be this hard and parents should have more rights!!!

Jul. 23 2013 10:50 AM
Sheila Kaplan

A7872 was flawed & not do-able. FERPA doesn't allow OPT-IN. The bill sponsor doesn't know the federal law.

A6059 allowed disclosure of PII to inBloom w out parental consent. Why would the Assembly support disclosure w out consent to inBloom? It's a grandstanding 1 house bill.

However if parents are concerned about disclosure of their children's PII w out their consent they should opt-out of student directory. It is their right under FERPA. The problem is parents are not aware of this right because they are not adequately informed by schools.

Jul. 23 2013 09:02 AM

Leave a Comment

Email addresses are required but never displayed.

Sponsored