The growing use of remote, Internet-based cloud computing services by European schools is putting students there at risk of being "tracked and profiled for online advertising purposes," concludes a new report by SafeGov.org, an online forum for IT industry experts.
"Sophisticated consumer-grade cloud services such as email, online content creation, and collaboration that several commercial cloud providers are now offering at no cost to European schools indisputably bring many educational benefits, [but] they also carry important privacy risks that school officials and parents often fail to measure," according to the report.
And it's not just a cause for concern across the pond, said Marc Rotenberg, the executive director of the Electronic Privacy Information Center, or EPIC, based in Washington.
"Very few educators and families are aware of how much [student] data is being collected today," Rotenberg said, "and families, teachers and schools lose control of that data when it is transferred to remote service providers."
The SafeGov.org findings are based on interviews and surveys conducted with European data privacy officials. Among the threats discussed in the report:
- Unsuitable Privacy Policies: "Cloud providers may deliberately or inadvertently force schools to accept policies or terms of service that authorize user profiling and online behavioral advertising."
- Poor Consent Policies: "Some cloud privacy policies...stipulate that individual data subjects (students) are also bound by these policies, even when these subjects have not had the opportunity to grant or withhold their consent."
- Commercial Data Mining: "It may be difficult for the cloud provider to turn off [ad-supported user profiling features and tracking algorithms] even when ads are not being served."
- Shady Contracts: "Some cloud providers leave the door open to future imposition of online advertising as a condition for allowing schools to continue receiving cloud services for free."
The group recommends that European Union member-state educational systems adopt codes of conduct to regulate the use of cloud-based computing services. While the details of such a code aren't spelled out, general recommendations include model clauses to be included in contracts, legally binding pledges not to conduct user profiling or data mining, and complete disabling of data mining and ad-targeting functions.
"With Europe clearly at the start of a broad wave of cloud adoption by schools, it is critically important to focus early in this process on the vital questions of privacy and data protection for users in schools," the report concludes.
A similar commitment is needed here, said Rotenberg.
"The U.S. has been slow to update its privacy laws," he said. "There are neither sufficient legal nor technical protections in place."