Illustration by Sam Hundley. (Virginia Center for Investigative Journalism)
An investigation into Virginia school districts’ digital privacy policies reveals data breaches, decade-old guidelines and educators struggling to keep up with fast-moving tech during the coronavirus crisis.
By Tom Nash / Virginia Center for Investigative Journalism
As the COVID-19 pandemic swept through Virginia, the state’s largest and wealthiest public school district made ambitious online learning plans — providing a suite of real-time digital classes, programs and video engagement for every grade level.
But when Fairfax County Public School students began to log into classes from home in April, they found chaos and confusion. Students joined classes they weren’t registered for and disrupted instruction. Others waited while teachers struggled to gain access to their own classrooms.
Lili Cui, parent of a Fairfax County elementary school student, logged into her son’s account and thought the technology looked outdated and insecure. “Before the pandemic, I was assuming that they were doing a good job with privacy and security,” Cui said. “But now I feel like I was too optimistic.”
As the pandemic forces Virginia’s 1.2 million public school students to trade classrooms for laptops and smartphones — if they have them — many educators, parents and privacy advocates are raising alarms across the state about children’s digital security.
Lapses in online protections have led to issues ranging from students’ internet usage information being mined for profit to the theft of sensitive data, creating long-ranging consequences for children’s personal privacy. Weak controls also have allowed online bullying to flourish in hard-to-monitor chats and private messages.
A review of dozens of school policies by the Virginia Center for Investigative Journalism revealed incomplete or inconsistent rules for guarding student data, despite a 2015 state law enhancing protections. Many district policies appeared to be based on 50-year-old state guidelines originally intended to protect information about student health and report cards.
Advocates say many school districts, especially in poor urban and rural communities, are underfunded and unprepared to protect student privacy. The recent track record for security statewide is alarming: hackers victimized two districts last year with ransomware and serious data breaches.
Linnette Attai, a privacy project director at the Consortium for School Networking, said many districts across the country have struggled to even plan, schedule and execute online classes. “There are going to be mistakes,” she said, “and if there weren’t, it would be a miracle.”
Online tools have been valuable for school districts and educators for decades. Now, in a world created by COVID-19, teachers and students across the state’s 133 school districts are completely dependent on laptops and software, often supplied by schools, as well as broadband and video connections.
Teachers have come up with creative ways to connect to hard-to-reach students, and provide comfort and support, as well as instruction, during the crisis.
An elementary school teacher in Henrico worries that video conferencing may be out of reach for some students. Other than a brief video — “I miss you, I love you” — she is hosting class on Google Hangouts.
“It works well because students can call in from a phone if they don’t have the internet,” she said. “And everything is optional.”
The teacher, who asked not to be identified, said Henrico County administrators are doing their best to guide teachers in a suddenly online-only environment. Questions about what apps or sites are appropriate for student use are filtered through the district, which approves apps and sites on a weekly basis.
Other teachers are filling needs as they emerge, without guidance. Another teacher in a different district reads bedtime stories to students on Zoom, the now omnipresent video conferencing app that has made headlines for its inability to ensure privacy.
As new apps and software rush to prominence, advocates say school districts aren’t prepared to ensure students’ activities are kept secure. Fast-moving advances in technology have outstripped data protection policies.
In Virginia, the problem is highlighted by the vast differences in how local districts approach data privacy policies and contracts with technology providers.
VCIJ used MuckRock to ask Virginia districts across the commonwealth for their current data privacy policies, any amendments made to those policies and any contracts or agreements with vendors that involved student data.
The full list of completed policy requests is available here.
What we found
Virginia school data privacy policies vary from hyper-detailed, regularly updated online parental resources to documents older than most students.
The majority of the nearly 60 responding school districts provided policies that mirrored a student privacy act written in 1974 — and were designed in a mimeograph world to protect children’s health information and grades from public disclosure.
The districts are also guided by Virginia’s 2015 law, modeled on California’s Student Online Personal Information Protection Act (SOPIPA). The Virginia law essentially bars education companies working with school districts from using any student data — including demographic info, browsing history, or any other information that could be tied to a student.
The responses from school districts ranged from comprehensive and transparent to scant and incomplete.
Smyth and New Kent counties were both victims of ransomware attacks between August and September 2019. School officials said they could not provide some of the requested documents because the data was stolen. In both cases, law enforcement, parents and the media were notified of the attacks. Neither county paid the ransom.
Other districts varied widely in what they revealed about their privacy rules.
In Northern Virginia jurisdictions such as Alexandria, Fairfax and Loudoun, policies and amendments were available online to the public. York County Public Schools offered an explanation of the privacy laws it follows and an easy-to-find list of currently used online materials in its student handbook.
Some school districts said the very policies designed to protect student privacy were private. Several public school administrators requested payment in order to view their policies and related documents. For example, Alleghany County asked for $47 and the City of Richmond demanded $820 — a costly bill for any parent seeking to review and understand the policies guiding their children’s digital security. Others, including Virginia Beach City Schools, did not reply to the request at all.
A few districts responded with contracts related to education software, such as Henrico County’s use of the central privacy-enabling hub Clever. However, the majority referenced Google’s G Suite for Education. Schools across Virginia — including Richmond in the midst of the COVID-19 closure — have offered Google Chromebooks for students to use with G Suite for Education.
A legislative push against Google
As education moves increasingly into digital territory, many have fought an uphill battle against the world’s largest companies to protect K-12 students from prying eyes. Google dominates the online market for education software.
The Electronic Frontier Foundation (EFF), a San Francisco-based digital privacy advocacy group, has battled Google for years over concerns that the company is not doing enough to prevent tracking of individual students’ behaviors. The issue came to a head in 2015 when California passed a new student digital privacy law that became a national model.
Prior to 2015, Google’s 50-percent market share of education apps came with student accounts that ultimately allowed students to be tracked like anyone else on the internet with a Google account, said Sophia Cope, senior staff attorney at EFF.
“Back then, what we found out was happening is the student would login and use their account for school work and then they could navigate to YouTube and do personal stuff,” Cope said. “The moment the student navigated away from the Ed apps, Google treated them like regular consumers, doing the full court press of tracking online behavior and use, and showing targeted ads, and collecting typical advertising profiles.”
EFF and others pressured Google to back away from measures within California’s privacy law that allowed for this type of data collection outright. Cope said the final version, as well as Virginia’s law, could mean students still end up being tracked.
Google maintains a website that outlines its response to privacy concerns around both its G Suite for Education and Chromebooks for Education program. The site includes outlines of how student data is protected and an FAQ about how the data is used.
“Google is high profile, and they pay attention to this scrutiny,” Cope said. “They’ve been responsive. What we worry about now is that there are so many more ed tech apps out there. It’s really hard to keep track of them and understand what their privacy policies are, and if their actual data usage complies.”
Since the California law was implemented, EFF and other privacy advocates have warned that districts continue to adopt education apps with little scrutiny. Districts often present little information to parents and lack the sophistication to negotiate contracts that comply with privacy laws.
“Particularly now,” Cope said, “a teacher struggling to come up with a lesson plan might find a random math app online and have their kids use it. Maybe they have to log in. Is it a legit company or a front for ID theft? Is it spyware?”
Districts left to interpret, enforce policies
While Virginia followed California’s lead in prioritizing student data protection in 2015, districts across the state have been left largely on their own to introduce and implement policies to follow the laws.
The policies received through Freedom of Information Act requests show that larger, wealthier districts can track exactly what programs are being used by students and monitor details about what data is being collected. Smaller districts have less insight and control over students’ digital school lives, records show.
In Pulaski, for example, a request for privacy policies returned a PDF from 2007 that largely covers behavior students might inflict on others. There is only brief mention of protecting students:
Although the information was not provided when requested, the county does use Google Chromebooks and education apps. A handbook prepared by the district makes no mention of how students’ data is protected.
Researchers at the Consortium for School Networking, an association of education tech professionals based in Washington, D.C., have been scrutinizing digital security practices in schools during the pandemic.
Attai, director of the consortium’s privacy and trusted learning environment program, said the lag between policy and technology is often most acute in districts with fewer resources. Pulaski County’s annual school budget is $45 million. Loudoun County, which participates in the consortium’s special privacy pilot program, spends around $1.4 billion.
Students deserve the same protection no matter where they attend school, Attai said.
“It’s a real challenge that districts have,” Attai said. “[Local] education boards don’t have the resources. There should be a data protection program appropriate for the size and scope of the data you’re using.”
Too often, she said, states pass laws that are impossible to implement without dedicated funding. In a rural or poor county, she said, “You’ve got employee payroll, student health records, no security officer, maybe an IT director who is told, ‘Hey you know how the machines work, you’re doing security.’ And there’s no training, education or funding.”
‘Frustrating and disappointing for everyone’
Fairfax County is expected to spend more than $2.6 million this year on digital instruction for its 200,000 students, yet it could not prevent widespread problems in its online classes. Complaints from around the community spurred a full-scale investigation.
Fairfax County’s software failed to prevent anti-Semitic messages from popping up in German classes and bullying and vulgar comments from filling unmonitored chats.
Cui, a member of the county’s Advanced Academic Programs Advisory Committee, said the district’s response so far has only caused more concerns. “If they can’t foresee these problems, or have a plan about [being online], now I’m really worried,” she said.
Fairfax County Superintendent Scott Brabrand said in a statement the online launch was “frustrating and disappointing for everyone.”
Brabrand said the county would move away from the software provider and hire a law firm “with expertise in information technology and cybersecurity” to review the program.
In Fairfax County and in other districts, state guidance appears to be minimal. So far, the Virginia Department of Education has offered only a dedicated page with online learning resources.
VCIJ asked the department for information about how it implements state laws, whether it has records of any noncompliance, and how COVID-19 may be affecting data privacy at a state level. A spokesman responded with the 2015 law and offered no further comment.
Attai said that the education tech consortium will be busy over the summer as districts around the country look to perform “disaster recovery” following months of disrupted schooling. The association expects schools will revisit data privacy policies and security as districts likely face more pandemic-related shutdowns.
Tech advisors and sophisticated law firms, however, are usually only available for districts that can pay for them. It’s up to state governments, she said, to provide front line leadership.
“What I always look at in states is, where is your guidance on how to comply with the laws and what standards you should meet? Those are missing in every state,” Attai said. “There has been no funding in states to create these resources, nor has there been education. A lot of districts are simply doing their best, and it’s not easy.”
Our stories may be republished online or in print under Creative Commons license CC BY-NC-ND 4.0. We ask that you edit only for style or to shorten, provide proper attribution and link to our web site. Please see our republishing guidelines for use of photos and graphics.