Protect Massachusetts Students' Privacy

Update: As of 3/11/14, Massachusetts has no plans to move forward with inBloom.

The Massachusetts Department of Elementary and Secondary Education plans to help corporations profit from schoolchildren’s most sensitive and confidential information. Massachusetts is one of five states committed to participate in the development and pilot testing of inBloom, a Gates Foundation initiative. Student information—including your child’s name, home address, email address, test scores, racial identity, economic and special education status, and even detailed disciplinary and health records—will be stored on a data “cloud” and shared with for-profit corporations, without any guarantee that the information will be safeguarded.

Everett is the only school district currently participating in the pilot, but if it is successful, the data collection program will be expanded to districts across the state.

The good news is that to date, no Massachusetts student data has been shared with inBloom or its for-profit partners. And thanks to sustained and widespread public outcry, Massachusetts’ educational officials now say they are only evaluating inBloom’s potential, and have not yet committed to going forward with this ill-conceived project. Two pilot states, Georgia and Louisiana, have already ended their relationship with inBloom after extensive parent protests.

FAQ:


What type of data will be collected, stored, and shared with private companies?
inBloom is configured to collect extremely sensitive, personally identifiable student data, including student names, grades, test scores, detailed disciplinary, health and attendance records, race and ethnicity, economic and disability status. Data fields even include whether a student is pregnant, attends a religiously affiliated school, has refugee status, has been removed from his or her home by Child Protective Services, or been involved with law enforcement for an out-of-school incident.

It is difficult to understand how students would benefit from having such sensitive personal information about them shared with for-profit corporations, but it is clear that such disclosures could harm students. Sensitive information about school employees, including teacher health records and reasons for employment termination, will also be shared with inBloom.

Where is the data being stored? Is it safe? The data is being stored on a data “cloud” owned and operated by Amazon.com. In a recent survey, 86% of technology professionals said they did not trust clouds to hold their “more sensitive” data. Indeed, inBloom Inc.’s own privacy policy acknowledges that it “cannot guarantee the security of the information stored … or that the information will not be intercepted when it is being transmitted.”

With which private companies will inBloom share student data? It has been reported that technology companies eagerly anticipate “huge” profits from access to this data. As of May 2013, the inBloom website lists 22 “providers” including huge corporations like Amazon and Dell. To date, no inBloom or Massachusetts representative has identified what protections are in place to ensure that students’ information will not be shared within these enormous companies, many of which have multiple divisions other than those for whom the information is intended.

Who is paying for inBloom? The Gates Foundation has provided $100 million for the project’s initial development. Beginning in 2015, however, school districts will have to pay between $2 and $5 per student per year to have their students’ data stored on inBloom. Should data leakages, information abuse, or hacking occur, school districts could be liable for compromising their students’ confidential data.

Is this legal? Massachusetts officials claim that the sharing of data with inBloom and private companies is legal under the Family Educational Rights and Privacy Act (FERPA). But critics charge that the U.S. Department of Education’s 2011 changes to FERPA—which now allows school districts to share sensitive student data with private contractors—violate the original intent of the law. Recently, the Electronic Privacy Information Center filed suit against the U.S. DOE for these changes to FERPA. In addition, there are concerns that sharing of personal information violates the Children’s Online Privacy Protection Rule, which was recently updated by the Federal Trade Commission. The Children’s Online Privacy Protection Act restricts the capture and use of a child’s personally identifiable information in recognition of the huge risks to safety and privacy that occur when commercial entities obtain access to it.

Do schools need parental permission before sharing children’s information with inBloom? Can parents opt out on behalf of their children? No and no. Parental permission is not needed before a district can share student information with outside vendors, and there is no mechanism for parents to opt their children out of inBloom.

Issue: