To be published in Chomp.
All of the software used at a school aggregates student data in varying amounts. This article is about that.
Large data brokers like Google are harvesting as much information as they can about you, online and in real life.
Browsing data is collected as follows: A website owner will put a script for analytics or ads on their website, provided by that company. To create a device fingerprint, tracking scripts will note your ISP, approximate city, time zone, fonts installed, browser extensions, accounts logged in, battery level, operating system, browser window size, and a lot more. This all is sent to a server and compared to entries in its database. If the server knows of a similar enough device, it links the two, and logs the page you visited. Scripts will often add a cookie to your browser with your ID so it does not have to go through this process repeatedly.
Alternatively, if you use Google Chrome like most people, it’s as simple as Google assigning a unique ID or Google account to your browser and sending your history away.
When you type into Google Docs, Google, in real time, analyzes what you type, spelling or grammar mistakes you make, how fast you type it, vocabulary choice, and sentence structure. No one else types exactly like you do. This is an example of basic recording:
Last key pressed:
Key press history:
The range of ways data is collected online is so broad that no one can hope to create a comprehensive list. You can find many more identifiers of your device on Device Info, and find out how unique your device is with the most common identifiers on Cover Your Tracks by the EFF.
Some necessary types of data collection are still bad: PowerSchool needs your grades to create a report card. The problem with this is that data is being sent to systems completely out of the school’s control. They cannot verify a server is not processing data in other ways.
Companies are bad at keeping your information safe. Facebook has had at least 9 data breaches, and those are only the ones we know about. They have historically voluntarily given away data without thinking about the consequences of that. Apply those expectations to edtech.
Microsoft is the only one able to review the source code for Windows and their Exchange Server. As such, there are simple vulnerabilities to get administrative access to systems. One of those was an intentional backdoor implemented for the government, which was discovered later by criminals, so the FBI used the backdoor to remove the backdoor. Proprietary software often has these backdoors no one knows of. No, backdoors that can only be used by the “good guys” do not exist.
Schools are also terrible at keeping your accounts safe. Gateway Google account passwords are simple, related to your email address, and only 8 characters long. Many other accounts are only 6 characters. (See this comic for a simple explanation.)
Since Gateway accepts federal education funding, it must comply with federal education regulation. Gateway takes their providers’ words for what they comply with, perhaps with some external certification company like “iKeepSafe.” Since companies can at any time modify what runs on their servers, an auditor like those from iKeepSafe cannot be trusted: nearly any privacy audit process fails to prove compliance, since companies can always change what runs on their servers.
Ironically, iKeepSafe’s own website violates your privacy, by loading Google and LinkedIn (Microsoft) tracking scripts!
There is no reason to take their word, or an auditor’s word, for privacy practices. However, regarding system security (not software security), auditors ought to be trusted. No rational company would dilute its outside security.