Privacy & Security

School Agencies and Districts Do Crummy Job of Protecting Website Visitor Security and Privacy

• By Dian Schaffhauser
• 02/01/18

A new study has found that most education websites — whether state or local — do a horrible job of protecting users' security and privacy. Among the problems: a lack of support for secure browsing, widespread use of tracking and surveillance tools provided by online advertising companies and too little disclosure of the use of those trackers and tools. The project was undertaken by EdTech Strategies, a consultancy that researches education technology, innovation and policy.

To compile the findings in "Tracking: EDU — Education Agency Website Security and Privacy Practices," the research company conducted automated and manual reviews of websites for every state's department of education, including the District of Columbia, as well as a sampling of 159 school district websites, chosen based on their participation in innovation networks, including the Council of Great City Schools; the League of Innovative Schools, a program of Digital Promise; and Consortium for School Networking's Trusted Learning Environment Seal initiative. According to President Doug Levin, membership in these groups "was not found to be consistently associated with better website security or privacy practices." The website checks were done between October 2017 and January 2018.

Among the problems cited in Levin's report, most education websites don't support secure browsing through the default use of the HTTPS protocol. By using the insecure HTTP protocol, the report stated, third-parties can track pages the user views and the information sent online, "inject and deliver malware" and revise the contents of the websites being viewed. According to Levin, 26 state departments of education and 43 percent of school systems checked run websites that "make no attempt to secure communications with their websites, actively redirect website users to insecure connections or have configuration errors that break website security.

Also, nearly every state and local education agency uses tools provided by online advertising companies, which perform user tracking and surveillance on their websites. The tracking may take several forms, the report explained. In some cases, the sites use self-hosted analytics software that is hosted on their own services, thereby avoiding sharing the resulting data with companies. These aren't a worry, noted Levin, because they're under the control of the website administrators and "integrate privacy-respecting features," including the ability to enable the user to opt out of tracking.

Others rely on analytics and user-tracking services the agencies explicitly license from a third-party. In this scenario, one is safer than the other, depending on the type of service agreement the district or agency signs with the provider. Under some agreements, the data that's generated may be kept private; in others it can be shared or combined with other third-party services.

Two additional forms of user-tracking technology also pose problems, according to Levin. These are the programs provided free by companies, "dominated by the Google Analytics platform," and the type that simplify integration with social media platforms, including Facebook and Twitter. The risk with these forms of trackers is their intent is to generate data about users of websites and combine it with other data sources "to create profiles that are used to target advertising and messages with incredible precision."

According to the report, "virtually every state and local education agency has partnered with online advertising companies to deploy sophisticated user tracking and surveillance on their websites, quite extensively in some cases."

On top of that, Levin wrote, all too frequently, the websites don't disclose the use of that ad tracking or user surveillance software. Nor do they provide the means to opt out of those data collections. In the rare case where the disclosures are made, oftentimes, it's done in "misleading ways, including by making demonstrably false statements about their privacy practices."

While two-thirds of the state education agency sites posted privacy policies disclosing the use of ad tracking tools, at least 10 states "made misleading or provably false statements about their data collection and privacy practices," the report stated. In the case of school district sites, just 12 percent had privacy policies covering this.

These website oversights aren't simply irritants to website visitors, asserted Levin. They indicate a "a widespread lack of attention to issues of online security and privacy."

He urged school administrators, technology directors and education policymakers at both the state and local levels to "act swiftly" in addressing the problems raised in the study. "Partnerships with online advertising companies on school websites must be disclosed. In the vast majority of cases, these relationships do not offer substantial benefits to students, families, or educators — and they should be discouraged."

Among the many action steps the report recommended:

• To examine whether the use of third-party ad trackers and surveillance tools are truly essential on state and local education sites and how the use of "more privacy-respecting options" could provide similar analytics capabilities; and
• To make sure website privacy policies are accurate in how they describe agency data collection practices and policies, including data sharing with third-party online advertising companies.

"The good news is that there are free, privacy-respecting tools that exist to improve website security and replace the functionality of many of these advertising-based services," added Levin, in a prepared statement. "The cost of seeking news and information about your state and community's public schools should not be your privacy or online safety."

Links to the six-part research project are available on the EdTech Strategies website.