
Data Privacy

Cybersecurity Report Spotlights Privacy Concerns on State Education and District Websites

By Sydney Johnson     Jan 30, 2018

It doesn’t take technical expertise to see how websites are tracking you. Using simple, free browser extensions, Doug Levin, who specializes in cybersecurity hiccups that affect K-12 schools and districts, was able to uncover a common—and troubling—pattern affecting nearly every state department of education.

His findings, published in a report on Tuesday, show that nearly every state education agency website in the U.S. uses analytics tracking systems, and yet many do not explicitly disclose this—or how the information is used. And that’s problematic, he believes, because often that information is handed back to online advertising companies.

It’s an issue that Levin, who runs his own consulting firm, EdTech Strategies, has watched closely. He has kept a running tally of hacks, breaches and other cybersecurity incidents at K-12 schools since 2016.

“What I found concerning is that in the vast majority of cases, this sort of [data] collection wasn’t acknowledged by states and school districts,” Levin tells EdSurge. “When it was acknowledged, it wasn’t always done correctly or honestly.”

Almost every state education agency in the U.S. relies on third-party tracking platforms to gather information about how users interact with their website. It’s a common practice across industries, but some education sites are failing to comply with terms of service agreements that require disclosing how website activity is reported back to advertising companies like Google, Facebook or Twitter, the study claims.

The report took a look at 51 state department of education websites, including the District of Columbia, finding that 49 of them use at least one analytics platform. The study, which also looked at 159 public school districts, shows that more than 90 percent of the state departments of education deploy tracking systems from either Google, Facebook, or Twitter, which all offer free, cloud-based analytics platforms.

There are many reasons why an education department might deploy one of these kinds of trackers, from fixing broken links to refining website navigation.

But by failing to disclose that analytics platforms return high-level (but not personally identifiable) data back to their host companies, some education websites may be acting out of compliance.

In particular, the study claims that 84 percent (43 out of 51) of state departments of education use Google Analytics services for their websites. Of those, 90 percent were found to be in violation of the platform’s Terms of Service, which states: “You must disclose the use of Google Analytics, and how it collects and processes data.”

The study also charges that at least 10 “state departments of education make demonstrably false statements in their website privacy policies about the use of ad tracking or surveillance cookies on their websites.”

To produce the report, Levin relied on browser plug-ins including Ghostery, which counts the number of tracking technologies on a given URL. “It’s not perfect,” Levin adds. “It doesn’t catch everything, but there aren’t false positives.” Regardless, the education leaders that EdSurge spoke with about the report openly state their use of at least some tracking platforms.

“Part of my decision-making is how to structure [website] content and how to present it based on actual usage,” says Doug Casey, executive director of the Connecticut Commission on Education Technology, referring to the activity he monitors on the state's edtech website in particular. “The data tells me what people are interested in.”

Drawing the line

Aside from being in compliance with the rule, Levin believes people should know how their online activity is being monitored and shared.

“There’s good reason to have some insight into how the website works,” says Levin. But “they are providing insights to Google about users that the company can use for advertising, and districts are not disclosing this [on their websites].”

Online, Google explicitly states that “when you visit a website that uses our advertising products (like AdSense), social products (like the +1 button), or analytics tools (Google Analytics), your web browser automatically sends certain information to Google.”

That information, however, is not legally personally identifiable, meaning sensitive information about a specific user won’t be sent back to Google or another third party. Instead, general user activity is shared with the company, and that can be used to develop broader profiles and trends for online advertising.

Not all are as concerned about high-level browsing trends getting back to big tech companies, though, if it means gaining access to a free service that works for their needs.

“Unfortunately, we enjoy free things on the internet, but the simple reality is there is a cost to everything,” says Cliff Lloyd, chief information officer for the state department of education in Tennessee. “I think it is harmless when the data is aggregated and anonymized.”

Levin notes that “people draw the line different at different places” when it comes to how concerning sharing high-level information back to Google might seem. And he points out that these incidents happen in health care, government, and many other industries with online presences—not only education.

In any case, he presses that school districts and education agencies are often required to disclose if they use ad trackers on their site. “It’s being done secretly and no matter where you draw the line on online ads, the lack of disclosure is problematic and it’s against the terms of service for these [services].”

Levin’s research raised another concern: many state and district education websites do not use the HTTPS protocol that provides a more secure browsing experience. The study found that more than half of state department websites, and about 43 percent of the districts surveyed, do not use HTTPS. The report claims that this puts those sites at risk of, for example, malware or third-party interference.

In Tennessee, for anything that has personally identifiable information attached, Lloyd clarifies that the state follows HTTPS protocols as a “minimum protection.” “It’s the basic or entry-level security protocol that we use with student data.” But for the state education agency website, he says, the cons outweigh the pros to doing so.

“Pages published over HTTPS have more overhead in terms of processing,” says Lloyd. “It’s slower than a non-HTTPS site, and performance matters.”

Info and alternatives

Analytics platforms such as Google contribute to the lack of transparency issue “because it’s difficult to understand the information they collect,” says Levin. Education leaders might also simply not be aware of the requirement.

Even if they are aware, Lloyd draws attention to another challenge Tennessee and other state education agencies face when it comes to adopting stricter security practices: the education site is managed by the state government, not the education department.

In addition to adding disclosures when education websites are using ad trackers—or avoiding them altogether, which is what Maine and Utah have done—the report also offers suggestions for what state and district websites might do in order to be more proactive about their site security. In particular, Levin calls out the free and open-source analytics platform Matomo, which offers insights about user activity on a website. But the platform differs from other analytics services in that it allows users—like districts—to control all data collection and sharing.
