Natasha Singer: Security Flaws in Digital Education Products
When Tony Porterfield’s two sons came home from elementary school with an assignment to use a reading assessment site called Raz-Kids.com, he was curious, as a parent, to see how it worked. As a software engineer, he was also curious about the site’s data security practices. And he was disappointed to discover that the site stored passwords in plain text — a security weakness that could potentially have allowed unauthorized users to gain access to details like students’ names, voice recordings or skill levels. “A lot of education sites have glaring security problems,” said Mr Porterfield, the principal engineer at a software start-up in Los Altos, Calif. “A big part of the problem is that tech companies cannot agree on what ‘good security’ means for an educational website or app.”
Mr Porterfield has gone on to examine nearly 20 digital education products, used collectively by millions of teachers and students, and found other potential security problems. He alerted makers of those products, among them school-districtwide social networks, classroom assessment programs and learning apps. Some, including Pearson, a leading educational publisher, and ClassDojo, a popular classroom management app for teachers, addressed the issues he brought to their attention.
Others did not.
Some technologists say that lapses in student data protection are symptomatic across the education technology sector. They warn that insecure learning sites, apps and messaging services could potentially expose students, many of them under 13, to hacking, identity theft, cyberbullying by their peers, or even unwanted contact from strangers.
It is a common practice among start-ups to concentrate primarily on increasing their market share. “For many younger companies, the focus has been more on improving the product and less on guaranteeing a level of comprehensive privacy and security,” said Jonathan Mayer, a lawyer and computer science graduate student at Stanford University.
Security lapses are not limited to education software devised for prekindergarten through 12th-grade students, an annual market estimated at about $8 billion. In the fall, as Mr Mayer was preparing to teach a class at Stanford Law School for Coursera, a start-up that provides hundreds of online courses, he discovered a security weakness that could have allowed instructors to gain access to the names and email addresses of millions of students. Another flaw would have potentially allowed other websites, digital advertising networks or online analytics firms to compile lists of the students’ courses.
Protection of student data is gaining attention as schools across the country are increasingly introducing learning sites. The idea is to personalize lessons by analyzing data about each student’s actions and tailoring academic material to individual learning levels and preferences. In an effort to increase confidence in their products, more than 100 learning companies recently signed on to a voluntary industry pledge on student privacy. The signers agree, among other commitments, to “maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality and integrity of student personal information against risks — such as unauthorized access or use.” Although President Obama supported the industry pledge in a speech last month, it does not require tech vendors to comply with specific basic security measures.