On March 26, CCFC's Josh Golin testified in front of the Massachusetts Board of Elementary and Secondary Education and urged the Board to reconsider a plan to share confidential student data with for-profit companies. His testimony is below. CCFC is part of a growing coalition in for student's privacy in Massachusetts fighting that includes Citizens for Public Schools, the Mass PTA, and the ACLU of Massachusetts. For more on the coalition's work, visit this page.
To Commissioner Chester and members of the Board of Elementary and Secondary Education:
We are here on behalf of the American Civil Liberties Union of Massachusetts, the Massachusetts Parent Teacher Association, Citizens for Public Schools and the Campaign for a Commercial-Free Childhood. We appreciate Commissioner Chester’s response to our February 7, 2013 letter that expressed our concerns about Massachusetts’ agreement to participate in the Gates Foundation-funded Shared Learning Collaborative (now called inBloom). We also thank Commissioner Chester for sharing with us the Memorandum of Agreement between the Shared Learning Collaborative, LLC and the Massachusetts Executive Office of Education and the Department of Elementary and Secondary Education.
Nevertheless, we remain deeply concerned about this pilot project and plans to expand it to other Massachusetts schools in the future. We do not believe any confidential student data should be shared with for-profit companies without first obtaining parental consent. In addition, Commissioner Chester’s letter did not address some of our original questions and the Memorandum of Agreement has raised some new concerns, which we share with you today:
The MOA expired on Dec. 31, 2012. The MOA states (section 8) that most of the MOA is a nonbinding expression of intent. Furthermore, the MOA from the Commissioner references a data-sharing agreement in section B.3.f, but that section was not included. Is there currently a binding legal agreement that determines how data collected from students in Everett can be accessed and used and protects from exploitation?
We remain deeply concerned about sharing confidential and student data with for-profit companies. Clearly, the database has been designed to collect extremely sensitive data. For that reason, our concern is not mitigated by the fact that participating school districts retain control over how data is used and shared. For instance, the list of “Data Domains” that can be collected includes Discipline Action, Discipline Incident, and Attendance (p. 13-14 of the MOA). We see no reason why a student would benefit from having his or her disciplinary record shared with a for-profit company, but it is easy to imagine scenarios in which such disclosures could be damaging to a student.
It has been reported that technology companies are eagerly anticipating “huge” profits from access to this data. There are already 22 companies listed as initial inBloom providers. How will the DESE keep track of all of them, and what will they be doing with this sensitive student data? In addition, many of the initial inBloom providers are large corporations with many divisions that would benefit from access to this data. What protections are in place to insure that this data will not be shared internally with divisions other than those for whom data is intended?
Our original concern about data leakage still has not been addressed. As we describe in our original letter: "inBloom has stated that it ‘cannot guarantee the security of the information stored in inBloom or that the information will not be intercepted when it is being transmitted’ to third party vendors." Section 4 of the MOA acknowledges that there are risks of failure but says that DESE believes that the potential benefits outweigh these risks. Shouldn’t parents be fully apprised of the risks to their children’s personal information and be asked for their consent before any data is shared? We also ask again who will be held liable if data leakages do occur.
Commissioner Chester assures that all parties involved will be obligated to comply with the Family Educational Rights and Privacy Act (FERPA). Yet critics have charged that the U.S. Department of Education’s 2011 changes to FERPA violate the original intent of the law. Recently, the Electronic Privacy Information Center filed suit against the DOE for these changes to FERPA. Commissioner Chester’s letter also did not reference the Federal Trade Commission’s recent changes to the Children’s Online Protection and Privacy Rule. These changes restrict the capture and use of a child’s personally identifiable information in recognition of the huge risks to safety and privacy that occur when commercial entities obtain access to it.
InBloom already has generated considerable outrage. There have been protests by parents in New York, Louisiana, and Colorado who ask that parental consent be obtained before any student data is shared.
A key question about costs to taxpayers remains unanswered. What resources are being used to facilitate this project, and what further costs will accrue to taxpayers for the long-term maintenance of this "data store," once the new corporation becomes independent of philanthropic support?
Given the above concerns, we believe it is imperative that parental consent be obtained before any child’s data is shared with inBloom or any private corporation. We also request that you make public the types of data that have been – or will be – collected from students in Everett as part of the initial pilot.
Thank you for your attention to these questions and concerns. We look forward to hearing your responses.
Erik J. Champy, EdD, President, Massachusetts PTA
Kade Crockford, Director, Technology for Liberty program, ACLU of Massachusetts
Josh Golin, Associate Director, Campaign for a Commercial Free Childhood
Marilyn J. Segal, Executive Director, Citizens for Public Schools