The Price of Free Cloud Resources

All students, educators, and administrators are subject to data-gathering when they use cloud resources. Everyone's online movements are followed by a number of service providers or advertisers, especially when the services they are using are "free," according to Jim Siegl, chair of the Consortium of School Networking (CoSN) Technical Committee, which researches and reports on internet privacy, along with other education technology issues.

Data is the most common (yet invisible) fee extracted from users by companies that make search engines, e-mail, and other cloud computing resources accessible to schools. Siegl reads the user agreements and terms and conditions of various cloud offerings such as Google Apps for Education or Microsoft 365 in order to understand the true cost of "free."

"I think John Zittrain said it best," Siegel said, "'If what you are getting online is for free, you are not the customer, you are the product.'" He continued, "You have schools that are extremely conservative and white-list: You can only go to these [approved] resources. You have schools that only block things that are explicit: pornography, that sort of thing. Then you have some schools that are in-between, that block YouTube because it could be inappropriate."

The type of cloud resource, the user agreement, and who actually "signs" the contact also impact the level of privacy. An administrator can turn off or control accessibility to different components of an application in a way that a private individual can't.

Contracted vs. Consumer Cloud

According to Sigel, "One critical distinction when evaluating the difference between contracted versus consumer cloud applications: Google Apps for Education is a set of cloud computing applications where there's an agreement between Google and the district. It covers security, privacy, FERPA, COPPA, and provides certain assurances in the ability to audit. By contrast, Gmail … has nearly all the same services, but the agreement is between the end-user and Google, and the district is not a party."

The Family Educational Rights and Privacy Act (FERPA) was revised in 2008 to allow outsourcing by a school district. This means that a school can enter into a contract with a service provider, such as Google, to provide services to the school. The company, in turn, can have access to student information. Cloud companies know that security is a top priority for student data, so they promote their compliance with privacy laws related to children.

Denise Atkinson-Shorey, a senior consultant with CoSN who focuses on telecommunications infrastructure, says that a lot of schools "look the other way" when it comes to the trade-off between privacy and having the tools necessary to teach.

"We've cut a lot of ed-tech funding across the country," Atkinson-Shorey said. "So, we put schools in this squeeze box to provide more and more in this arena, and yet there's not the ability to fund it. You do the best you can; and if it looks like you're fairly secure and the resources are adequate and there's a best-effort approach to what's going on, a lot of schools will take that and run with it, and hope that they're not at-risk on the back-end somewhere.

In short, most schools aren't thinking about the business intelligence that's being gathered that will be used later on, Atkinson-Shorey said. "We've had companies doing assessments for years, gathering data manually about different testing programs, and we've allowed that to happen. We ask for our data back, but we don't look at the aggregate amount of data that comes in." She added that most schools don't consider the fact that companies use student data to develop tests as products to sell "an exploitation."

Even if data-gathering were considered exploitative, legal action by districts or privacy groups is unlikely, she said. "I don't think there [will] be any kind of lawsuit until we cross that invisible line. Because we can't define it, we won't know what it is until it gets crossed. Then there [will] be some outrage about something--and I don't have any idea what that will be--and then there will be a discussion, and then we'll do something."

Regulation and Education

Since cloud computing is a fairly new technology, Siegl believes that federal regulations are about 12 years behind technology and are, therefore, inadequate to define the line between acceptable and unacceptable privacy practices. Atkinson-Shorey agrees, adding that the best interim step is to make sure that everyone in the education environment is aware of how cloud resources work.

"It's most important for schools to understand that there may be an underlying set of data being gathered about a student or a staff member or someone using any kind of software or any kind of connection on the web," she said. "Understand what those are and how to best advocate for their students, their staff, and their school."

Schools also need to teach children about digital literacy and responsibility, Atkinson-Shorey said. "The big thing in the paper today is e-mails that have been going back and forth between adults who probably shouldn't have any expectation of privacy, but things in e-mails are coming back to haunt them." The key, she said, is "helping kids understand that everything they do online, whether they acknowledge it or not, has consequences."

BYOD and Other Options

In schools with 1-to-1 or Bring Your Own Device (BYOD) programs, the opportunity for an invasion of student privacy increases. Curtis Lee, a member of the Colorado state chapter of CoSN, works for Civic Canopy. His organization is building the Community Partnership System (CPS), a web platform that offers an inventory of programs available to students outside the school day and tracks certain metrics, like attendance. It also makes outcome data available to the program providers to determine the level of impact they have on learning. Lee wants educators to ask difficult privacy questions to make sure such cloud collaborations are safe and effective.

"Getting really good at asking those questions will be one of the characteristics of districts that do well and don't end up regretting decisions they make," Lee said. "The pieces you want to look for when talking to a provider are, 'Is your data secure? How are you collecting data about what the users are doing, and how do you use that? Then, do you ever share that information with anyone else?'"

On the other side of the privacy spectrum are paid services, which usually have limited or no advertisements, according to Siegl. And if that isn't an option, districts can pre-screen the free sites to choose those that are less intrusive, and then create an "approved" resources list.

Regardless of the cloud decisions a school district makes, administrators and teachers need to be prepared to explain what steps are being taken to ensure students' privacy to parents, who may be understandably cautious about the data being shared.

"Parents are tech-savvy, but their experience is going to be based on what their concerns about privacy are as someone who is using a consumer version of Google," Siegl said. "Seeing that when they search for 'Cheerios' on Google, then they go to another site and they see an ad for Cheerios--that's their baseline experience about consumer privacy."

For free information and resources related to privacy and data protection, visit the CoSN Cyber Security for the Digital District page.

Featured