
WHAT YOU DON’T KNOW CAN HURT YOU

Beatriz Arnillas, Houston ISD

(2)

School Practice Challenges

Balance “innovation” and security

Managing opt-outs, parental consent/notification

Ease of signup/self disclosure

Maintaining a central list of vetted educational online services

Vendors and Online Service Challenges

High rate of change

“Free” like a puppy

Contracts vs. click-wrap

Hard to understand, validate and negotiate

Regulation Challenges

(3)

CLOUD COMPUTING

Benefit: Leverage learning analytics/adaptive capabilities
Risk: Student data could be collected and used for inappropriate purposes (e.g. targeted marketing)

Benefit: Users access services over the Internet
Risk: Potential data breach, or accidental data disclosure by users

Benefit: Rapid provisioning and deployment of new services; free services
Risk: Ease of signing up lends itself to unregulated/unapproved use; gray area for vendors as “school officials”

Benefit: Cloud services are updated regularly
Risk: Control over changes; changes to privacy policies and terms of service with consent/review; privacy-related “bugs” introduced through new features

Benefit: Economies of scale/shared infrastructure
Risk: Risks of shared infrastructure/database

(4)

CLOUD MODELS

Private: District hosted SIS, LMS

Contracted: Microsoft Office 365, Google Apps, Textbooks, iReady, or dedicated hosting

Operating Systems, App Stores: Apple, Google, Microsoft

Free (and clear): No non-educational data collection

Freemium +: Free for user/class use with fee for school/district use, or security (e.g. Edmodo, TypingClub)

Free with a catch: Ads or data collection (data brokers)

Identity Ecosystems: Sign-in with Facebook, Twitter,

(5)

HISD PRACTICES

• Educate

– Social Media Statement: https://goo.gl/EL4gKj

– http://www.houstonisd.org/cybersafety

– Raise awareness using rubric: www.houstonisd.org/edtech

• Manage (control)

– Google Domain | O365 Domain

– Reduce options (supported apps)

– PD

– Partnerships

– Contracts and DSA

• Are We Overregulating Student Data Privacy? (Ed Surge)

(6)

HISD RUBRIC

• Security: Encryption in Transit

• Privacy Policy and Terms of Use: Account creation, data collected, data minimization, supportability, product ownership, account deletion practices

• Student Safety: Boundaries, Public Sharing, Contact & Privacy Controls

• Advertising: General and Behavioral

(11)

Student Privacy Ratings: The Need

• Privacy a growing challenge to Edtech adoption

- 138 178 student privacy bills pending in 39 45 states

- About a dozen active state bills based on CSM’s SOPIPA covering large proportion of school kids

- Risk of misguided legislation that doesn’t address the real issues and stifles innovation

• Pressure from parents, schools, districts who want to protect kids’ privacy

- We already serve both parents and teachers

• Vendor changes and responses

- to press coverage, e.g. ClassDojo

- with Privacy Pledges and certification solutions

• No existing privacy rubric on edtech products for use by districts, schools, vendors, parents

(12)

District-Driven Common Sense Privacy Ratings Initiative

Goal: Provide a clear privacy rating to inform districts, schools, teachers and parents about an app’s privacy and data security policies on Graphite

• In collaboration with major school districts and key thought leaders and privacy experts, we are developing a comprehensive privacy checklist and process

- Detailed info to districts to make decisions based on their own policies

- Districts to share key info to support each other

- Houston ISD and Fairfax, VA key players

• Working with vendors to secure support and compliance

• Creative Commons licensed to spur adoption

• Beta Testing March-August

- Presentations to SIIA, Council of Chief School Superintendents, Council of Great City Schools, Texas COSN, ISTE, privacy/security experts and others to gather input and build base of support

(13)

Common Sense Comprehensive Privacy Evaluation

Five Key Checklist Elements:

A. PRIVACY

B. SECURITY

C. SAFETY & SOCIAL MEDIA

D. ADVERTISING & CONSUMERISM

E. LEGAL COMPLIANCE (COPPA, FERPA)

An open source rubric protected under Creative Commons license

Access: Send an email to ewilkeyoh@commonsense.org or omar@commonsense.org with your username on

(14)

Common Sense Comprehensive Privacy Evaluation: Step 1

[Flowchart. Stages: Step 1a, Step 1b (ongoing), Step 1c. Boxes: Archive Policy in Database; Map Policy Terms to Evaluation Sections; Transparent / Not Transparent; Check links against most recent database version; Map Policy Terms to Changed Sections]

(15)

Common Sense Comprehensive Privacy Evaluation: Steps 2-6

[Flowchart. Stages: Step 2, Step 3, Step 4 (as needed), Step 5 (as needed), Step 6. Phases: Checklist, Full Review. Rating outcomes: No Issues Found / Think Twice / Not Safe. Outputs: Privacy Review & Rating Published on Graphite; Live Rating via Graphite API]

Vendor: Fills out evaluation on Graphite for their product, a well-explained checklist. Can be done together with Step 1 or afterwards.

Common Sense Community: Manually reviews info before it goes live. Checks if any District review/Issues w/ App. Contact vendor as needed. Common Sense approves publication of rating.

Third Party Co. (as needed): For enterprise apps, 3rd party review paid directly to firm.

District CIO Staff, Reviewing District (as needed): Takes the App from prioritized pool and performs full review or as requested by community. Uses District Handbook.

- If App passes the District Review it would receive a badge of some sort

- Other certifications can also be included

(16)

Common Sense Privacy Ratings Launch Timeline

Pressure test rubric checklist and with vendors and districts entering data on Graphite. NOT public (behind private vendor/selected district logins)

Developer/District Pilot Program

Announce with key partners at ISTE

Build district review model and rate up to 1,000 Apps

Public Launch Q2 2016

[Timeline axis: Q2/3 ‘15, Q3 ‘15, Q4 ‘15, Q1]

(17)

FUTURE OF PRIVACY FORUM

• Brenda Leong, Senior Counsel and Director of Operations

• Email info@futureofprivacy.org or bleong@futureofprivacy.org

• www.futureofprivacy.org

• www.ferpasherpa.org or www.studentprivacypledge.org

• Follow on: https://www.facebook.com/FutureofPrivacy

• @futureofprivacy

• @ferpasherpa

• @julespolonetsky
