UPDATED
Nearly half of web-based software applications in use by schools do not provide adequate support for encryption, according to a new survey by the Privacy Evaluation Initiative at nonprofit advocacy group Common Sense Education. As a result, users’ logins, passwords, and other sensitive information are often vulnerable to theft or misuse.
In October, the group ran automated tests to determine whether the logins associated with 1,128 ed-tech products supported a basic level of encryption to protect data in transit (making it difficult, for example, for digital eavesdroppers to steal passwords that might be used to access student or administrator accounts.)
Such encryption is a widely recognized best practice, as well as a legally required step to satisfy a minimum standard of reasonable security in California and a number of other states. But it can be tedious for companies to implement, especially when they have established products that need to be retrofitted. Experts also say that many smaller ed-tech vendors remain unaware of the need to ensure such protections.
Common Sense Education found that 52 percent of the logins surveyed required encryption. One-fourth did not support encryption at all. Another 20 percent supported, but did not require, encryption, leaving sensitive data vulnerable despite the appearance of providing secure login connections.
The survey included a range of vendors, products, and sites, from startups to enterprise applications used by thousands of districts serving millions of students. It did not include mobile apps or test for other levels of security (for example, whether software applications encrypt data during the user registration process, or after a user is logged in.)
Bill Fitzgerald, the director of Common Sense Education’s Privacy Evaluation Initiative, said the group is choosing for the moment not to identify specific companies and products and their data-security practices. But he warned the group intends to release another report in late February or early March that will look to see what has changed.
“Our strong preference is not to name names,” Fitzgerald said in an interview.
“In 90 days, we’ll assess the best steps to help people make better decisions.”
Why Encryption Matters
Fitzgerald described login encryption as “the technical equivalent of walking and chewing gum.” It provides a basic level of security that every ed-tech vendor should support, he said.
If a school administrator, for example, is logged into a service using an unencrypted connection, even amateur hackers or eavesdroppers would have little trouble using widely available “sniffing” tools to steal his or her username and password after it is entered and sent. From there, the eavesdropper would have little trouble taking over the user’s full account, potentially gaining access to a wide range of sensitive information frequently collected, stored, and transmitted by ed-tech products. Among them: student IDs, addresses, academic information, behavioral data, and more.
Other groups, including the Future of Privacy Forum, a Washington think tank, agree on the importance of encryption to help prevent such scenarios.
“In the majority of circumstances, it’s absolutely vital, especially when sensitive student data is being held or transferred,” said Amelia Vance, a policy council at the group, which is a prime mover behind the voluntary Student Data Privacy Pledge for vendors.
But according to the review by Common Sense Education, such practice is far from universal, or even widespread.
Among the concerns identified by the group were vendors who only enabled encryption in states where it is required by law, and vendors who only provide support for encryption on a subset of their products.
Running Afoul of State Privacy Laws?
In recent years, a number of ed-tech vendors have found themselves in hot water over their data-security practices.
In 2013, for example, the New York Times wrote about the popular classroom tool Edmodo, noting concerns from parents and engineers about the lack of encrypted connections. (The company later upgraded its security.)
In 2014, California adopted a landmark student-data-privacy law, commonly dubbed SOPIPA, that requires online service providers working with schools to “Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure.”
Nearly a dozen states have followed suit with similar legislation.
Companies that collect, store, or transmit personally identifiable student information, but don’t support encryption, are likely in violation of those statutes, said Vance of the Future of Privacy Forum.
The Federal Trade Commission has held in the past that encryption can be considered a “base-level security practice,” she said.
For now, Fitzgerald said, school administrators and technology officials should be evaluating their vendors’ support for encryption using some of the tips and guides that are available. If a company is not providing adequate security, he suggested, districts should contact the company directly and demand improvements.
For companies not currently providing such support, enabling encryption can be a time-consuming process.
But it’s necessary, Fitzgerald said, and now the possibility of exposure for poor practices is looming over their heads.
“Supporting encryption is a concrete change that everyone can make,” he said. “We want to see this improve.”
This post has been updated to clarify a statement from the Future of Privacy Forum about FTC support for encryption.
See also: