School Agencies and Districts Do Crummy Job of Protecting Website Visitor Security and Privacy

  • By Dian Schaffhauser
  • 02/01/18
A new study has found that most education websites — whether state or local — do a horrible job of protecting users' security and privacy.

A new study has found that most education websites — whether state or local — do a horrible job of protecting users' security and privacy. Among the problems: a lack of support for secure browsing, widespread use of tracking and surveillance tools provided by online advertising companies and too little disclosure of the use of those trackers and tools. The project was undertaken by EdTech Strategies, a consultancy that researches education technology, innovation and policy.

To compile the findings in "Tracking: EDU — Education Agency Website Security and Privacy Practices," the research company conducted automated and manual reviews of websites for every state's department of education, including the District of Columbia, as well as a sampling of 159 school district websites, chosen based on their participation in innovation networks, including the Council of Great City Schools; the League of Innovative Schools, a program of Digital Promise; and Consortium for School Networking's Trusted Learning Environment Seal initiative. According to President Doug Levin, membership in these groups "was not found to be consistently associated with better website security or privacy practices." The website checks were done between October 2017 and January 2018.

Among the problems cited in Levin's report, most education websites don't support secure browsing through the default use of the HTTPS protocol. By using the insecure HTTP protocol, the report stated, third-parties can track pages the user views and the information sent online, "inject and deliver malware" and revise the contents of the websites being viewed. According to Levin, 26 state departments of education and 43 percent of school systems checked run websites that "make no attempt to secure communications with their websites, actively redirect website users to insecure connections or have configuration errors that break website security.

Also, nearly every state and local education agency uses tools provided by online advertising companies, which perform user tracking and surveillance on their websites. The tracking may take several forms, the report explained. In some cases, the sites use self-hosted analytics software that is hosted on their own services, thereby avoiding sharing the resulting data with companies. These aren't a worry, noted Levin, because they're under the control of the website administrators and "integrate privacy-respecting features," including the ability to enable the user to opt out of tracking.

Others rely on analytics and user-tracking services the agencies explicitly license from a third-party. In this scenario, one is safer than the other, depending on the type of service agreement the district or agency signs with the provider. Under some agreements, the data that's generated may be kept private; in others it can be shared or combined with other third-party services.

Two additional forms of user-tracking technology also pose problems, according to Levin. These are the programs provided free by companies, "dominated by the Google Analytics platform," and the type that simplify integration with social media platforms, including Facebook and Twitter. The risk with these forms of trackers is their intent is to generate data about users of websites and combine it with other data sources "to create profiles that are used to target advertising and messages with incredible precision."

According to the report, "virtually every state and local education agency has partnered with online advertising companies to deploy sophisticated user tracking and surveillance on their websites, quite extensively in some cases."

On top of that, Levin wrote, all too frequently, the websites don't disclose the use of that ad tracking or user surveillance software. Nor do they provide the means to opt out of those data collections. In the rare case where the disclosures are made, oftentimes, it's done in "misleading ways, including by making demonstrably false statements about their privacy practices."

While two-thirds of the state education agency sites posted privacy policies disclosing the use of ad tracking tools, at least 10 states "made misleading or provably false statements about their data collection and privacy practices," the report stated. In the case of school district sites, just 12 percent had privacy policies covering this.

These website oversights aren't simply irritants to website visitors, asserted Levin. They indicate a "a widespread lack of attention to issues of online security and privacy."

He urged school administrators, technology directors and education policymakers at both the state and local levels to "act swiftly" in addressing the problems raised in the study. "Partnerships with online advertising companies on school websites must be disclosed. In the vast majority of cases, these relationships do not offer substantial benefits to students, families, or educators — and they should be discouraged."

Among the many action steps the report recommended:

  • To examine whether the use of third-party ad trackers and surveillance tools are truly essential on state and local education sites and how the use of "more privacy-respecting options" could provide similar analytics capabilities; and
  • To make sure website privacy policies are accurate in how they describe agency data collection practices and policies, including data sharing with third-party online advertising companies.

"The good news is that there are free, privacy-respecting tools that exist to improve website security and replace the functionality of many of these advertising-based services," added Levin, in a prepared statement. "The cost of seeking news and information about your state and community's public schools should not be your privacy or online safety."

Links to the six-part research project are available on the EdTech Strategies website.

Featured

  • AI toolbox containing a wrench, document icon, gears, and a network symbol

    Common Sense Media Releases Free AI Toolkit, AI Readiness & Implementation Guides

    Common Sense Media has developed an AI Toolkit for School Districts, available to educators free of charge, that provides guidelines and resources for implementing AI in education.

  • elementary school building with children outside, overlaid by a glowing data network and transparent graphs

    Toward a Holistic Approach to Data-Informed Decision-Making in Education

    With increasing access to data and powerful analytic tools, the temptation to reduce educational outcomes to mere numbers is strong. However, educational leadership demands a more holistic and thoughtful approach.

  • three silhouetted education technology leaders with thought bubbles containing AI-related icons

    Ed Tech Leaders Rank Generative AI as Top Tech Priority

    In a recent CoSN survey, an overwhelming majority of ed tech leaders (94%) said they see AI as having a positive impact on education. Respondents ranked generative AI as their top tech priority, with 80% reporting their districts have gen AI initiatives underway, or plan to in the current school year.

  • AI-powered individual working calmly on one side and a burnt-out person slumped over a laptop on the other

    AI's Productivity Gains Come at a Cost

    A recent academic study found that as companies adopt AI tools, they're not just streamlining workflows — they're piling on new demands. Researchers determined that "AI technostress" is driving burnout and disrupting personal lives, even as organizations hail productivity gains.