Protect Students' Privacy

Update April 2014: Thanks to widespread parent protests, each of the nine states originally committed to participate in this controversial project have either officially withdrawn or have no plans to move forward. For all intents and purposes, inBloom is no longer a threat to students.

Several states plan to help corporations profit from schoolchildren’s most sensitive and confidential information. Colorado, Illinois, Massachusetts, New York, and North Carolina are committed to participate in the development and pilot testing of inBloom, a Gates Foundation initiative. Student information—including your child’s name, home address, email address, test scores, racial identity, economic and special education status, and even detailed disciplinary and health records—will be stored on a data “cloud” and shared with for-profit corporations, without any guarantee that the information will be safeguarded.

FAQ:

What type of data will be collected, stored, and shared with private companies? inBloom is configured to collect extremely sensitive, personally identifiable student data, including student names, grades, test scores, detailed disciplinary, health and attendance records, race and ethnicity, economic and disability status. Data fields even include whether a student is pregnant, attends a religiously affiliated school, has refugee status, has been removed from his or her home by Child Protective Services, or been involved with law enforcement for an out-of-school incident.

It is difficult to understand how students would benefit from having such sensitive personal information about them shared with for-profit corporations, but it is clear that such disclosures could harm students. Sensitive information about school employees, including teacher health records and reasons for employment termination, will also be shared with inBloom.

Where is the data being stored? Is it safe? The data is being stored on a data “cloud” owned and operated by Amazon.com. In a recent survey, 86% of technology professionals said they did not trust clouds to hold their “more sensitive” data. Indeed, inBloom Inc.’s own privacy policy acknowledges that it “cannot guarantee the security of the information stored … or that the information will not be intercepted when it is being transmitted.”

With which private companies will inBloom share student data? It has been reported that technology companies eagerly anticipate “huge” profits from access to this data. As of May 2013, the inBloom website lists 22 “providers” including huge corporations like Amazon and Dell. To date, no inBloom or Massachusetts representative has identified what protections are in place to ensure that students’ information will not be shared within these enormous companies, many of which have multiple divisions other than those for whom the information is intended.

Who is paying for inBloom? The Gates Foundation has provided $100 million for the project’s initial development. Beginning in 2015, however, school districts will have to pay between $2 and $5 per student per year to have their students’ data stored on inBloom. Should data leakages, information abuse, or hacking occur, school districts could be liable for compromising their students’ confidential data.

Is this legal? State officials claim that the sharing of data with inBloom and private companies is legal under the Family Educational Rights and Privacy Act (FERPA). But critics charge that the U.S. Department of Education’s 2011 changes to FERPA—which now allows school districts to share sensitive student data with private contractors—violate the original intent of the law. Recently, the Electronic Privacy Information Center filed suit against the U.S. DOE for these changes to FERPA. In addition, there are concerns that sharing of personal information violates the Children’s Online Privacy Protection Rule, which was recently updated by the Federal Trade Commission. The Children’s Online Privacy Protection Act restricts the capture and use of a child’s personally identifiable information in recognition of the huge risks to safety and privacy that occur when commercial entities obtain access to it.

Do schools need parental permission before sharing children’s information with inBloom? Can parents opt out on behalf of their children? No and no. Parental permission is not needed before a district can share student information with outside vendors, and there is no mechanism for parents to opt their children out of inBloom. To protect your child and your community from improper data sharing with private corporations and for more information click here.

Issue: