Sunday, January 11, 2015

Seattle Schools and Technology/Data Privacy: Do They Get It?

Several troubling things have happened over the last several months that relate to data privacy and the Technology Department.

The first is, of course, the huge data breach by Sped/Legal (no one will take responsibility here so I don't know who to name) in releasing student data about every Sped student in the district (as well as some Gen Ed students at Roosevelt High School).

I am dismayed by both the district and Board reactions.  I get why they want to believe this is just some isolated incident and wasn't a "true" data breach (meaning, some outside hacker got the data).  The problem is that it IS the district's job to protect that data, in both big and small ways.

Then there is the issue of a data breach at Ballard High School in late December.  Principal Keven Wyncoop sent home a letter to parents that said it happened on Dec. 8th 2014 with student transcripts from the senior class being sent by a counselor via e-mail to a Ballard high parent AND the admissions office at Western Washington University.

The claim is that "immediate action" was taken when the school was informed of the "error."

Okay, so question one: when did Ballard become aware there were two errors in sending out the transcripts?  
The letter is dated Dec. 18th so that's 10 days.  Principal Wyncoop says both the Ballard parent and WWU said they deleted the data and did not use or disclose it in any way.  That's great and that's just what the guardian in the Sped case said as well.  But how long did either the parent or WWU hang onto that data?

What about the day when someone doesn't  report getting data and doesn't delete that info and does use it?  Because you keep making these kinds of mistakes and that day will come.

Principal Wyncoop says they review "transcript release processes and educated staff on best practices."  Great but is that accountability?  It is in Seattle Schools.

One oddity to his letter to parents is this: "These protocols include searching for transcripts one at a time when it is to be shared and establishing an expectation of double checking personal information to be shared is accurate before it is shared with anyone else."  Why would he feel the need to tell parents that personal information needs to be doubled-checked for accuracy before it is shared?  I find that strange because the issue at hand was not accuracy; it was allowing out information that should not have gone out to those entities.

So at least one parent, Broken, was not happy with these answers and here is what that parent says:

From the principal's letter:The transcripts released in error have been deleted and are no longer in the possession of any private parties outside the district.

"The question no one is asking: who is or are the email providers of the Ballard parent? Hotmail? Gmail? The statement above is false, because the email provider(s) are still in possession of those transcripts, and they have almost certainly already been added to personal profiles (existing or shadow) for every name on every transcript, followed by associating that data back with those kids' gmail, hotmail, etc. accounts wherever possible. You can't "undo" a mistake like this.

All text and data, whether it's in the body of an email or embedded in decipherable enclosures is fair game for data-mining purposes. This is not in question, Google has made it very clear that not only do they do this, but they believe it is their legal right to do so:

<a href="" C|Net: Google says Gmail users have no expectation of privacy.

The important thing to remember: nothing EVER gets deleted. Unless the district has written confirmation from Google or Microsoft or whoever that the content of those emails have been deleted from their systems, and the subsequent data-mining analysis removed from their databases, the statement above by Mr. Wyncoop is a lie. It may be an accidental lie, but it is still incorrect.

The reality of 2014 is that most email providers never delete your emails or their analyses of them. Ever. They're just marked as not being visible to you. Something everyone should consider with their personal email, and something that all kids should be taught from day one."

End of Broken's statements.

Our final story? 

The Technology department has organized a Teaching and Learning (T&L) Technology Vision Summit for January 24th.  This was described by district communications like this:

Do you have a vision for how technology can enable teaching and learning at Seattle Public Schools and how it can support “A Day in the Life of a Seattle Public School Student”?

Are you willing to share and discuss that vision with instructors, principals, district leaders, community partners, students and ed-tech visionaries from Microsoft, Google, Apple, Dell, Cisco, HP, Blackboard, Intel and other leading technology companies?

If your answer is “yes,” we encourage you to register for the Seattle Public Schools Teaching & Learning Technology Vision Summit to be held at Cleveland High School on Saturday, January 24. This is NOT a taskforce, and you will not simply be a spectator. You will be involved, and your voice will be heard.  Attendance is limited.

Here's the actual webpage for the Summit and what it says:

This summit will bring together representatives from SPS leadership, faculty, community partners, students, City of Seattle, business, members of the SPS Technology Vision Taskforce and others to help create a vision for Teaching & Learning at SPS, and how technology will enable that vision.

A technology understanding is important...but representatives should also have a passion for creating an educational environment for SPS students to flourish in, be able to share the views and visions of the organization they represent, and provide a vision on how technology will enable that environment. All discussions and activities will focus on a vision for our students...not on specific technology products or services. That comes later!

The summit will be facilitated by Mr. Jim Lengel (see bio) and will focus on "A day in the life of a 21st Century SPS student" - What the student is doing from when he/she rises in the morning to when he/she goes to bed at night. To learn more about the process to be used during the Summit, click here.

Your participation will help create the vision for a world class K-12 environment in Seattle where every SPS student can flourish and achieve their dreams.

See the difference?  Much bigger emphasis on the latter statements on business and City government and the Technology Vision taskforce, not community and parents.  In fact, they don't even mention parents in their statement.

Naturally, I was interested and signed up.  (I also asked to speak on student data privacy but was told that would be for another time.) But I was also informed by Tech Department head, Carmen Rahm:

I absolutely agree that student data privacy and safety needs to be paramount in everything we do. It will either be viewed as part of the vision, or one of the guiding principles we use when we execute every aspect of the vision.

Unfortunately, the Summit is not going to be structured in such a way that will permit anyone giving talks, not even the technology businesses that will be attending.

Fine on "no talks" but how is student data privacy and safety is "paramount" but they won't be discussing it at this summit? 

Then, almost if he was foretelling, he invited me to meet with him and his staff.  That's great but that's not going to a district-sponsored event on technology. 
The foretelling is that I received an e-mail saying "sorry, no space."  They have a cap of 150 from these 8 groups:

·         SPS Students
·         SPS Instructors/Teachers
·         SPS Principals
·         SPS Community Partners
·         SPS Cabinet and Board
·         SPS Parents/Guardians
·         SPS Ed-Tech Business Partners
·         SPS Technology Taskforce Members

I'm not sure I understand why this was advertised at all if it would be so easily filled by existing members or partners.

The worst part of the e-mail?  It was NOT sent blind cc and had the names and e-mail address for about 60 people.  Now my name and e-mail address is a public one for this blog but if it had been my private one, I would NOT have been happy.

To have sent this notice in this fashion strikes me as unprofessional and a disservice to those who inquired about attending.

I wrote to Mr. Rahm about who the Ed-Tech Business partners and community partners were as well as the issue of not blind cc'ing the previous e-mail.  In his e-mail back to me, he let me know the ed-tech partners but completely ignored the issue of the blind copy cc.  I know that at least one other person on that list was quite irate about this. (On who are the community partners, he said he would have to check to see if I would have to file a public disclosure document for that information.  For a public school district event.)

So who are the tech partners coming?
  • Google
  • Microsoft
  • Apple
  • Dell
  • Public Consulting Group (PCG)
  • Lenovo
  • Apex Learning
  • Pearson
  • SAP
  • Intel
  • Cisco
  • Instructure
  • Amplify
  • Hewlett Packard

So 14 of the 150 participants at the Summit will be tech businesses.  Do I believe there will be 14 of every other group there?  Does there really need to be 14 people from the Board/Cabinet? 

Want to know what else is sad?  There's an SPS "Instructional Technology Blog" that looks like a place for SPS teachers/Tech staff to share ideas.  This seems like a good idea and something worthwhile for teachers.

The last post was June 2012. 


Mary G said...

Melissa, I hope you saw this article: The announcement on a new student data privacy law is to come tomorrow, but the big worry is that any national law may be weaker than some of the current state laws and will override them. But as of yet, the details are unknown.

Melissa Westbrook said...

Yes, I saw this and need to read it carefully. Many in government and business realize they might actually get constricted by laws and have moved to put forth their own "privacy" measures.

dw said...

Is anyone following up on the Ballard data leak, or is it considered "done" now?

Is the district okay with the fact that some unnamed email service has datamined those emails and transcripts? Are Ballard parents okay with that? Is it even possible to find out (through disclosure) which email provider the information was sent to? Some parents might say "oh, it's gmail, that's fine because I like google; thank goodness it wasn't hotmail/microsoft". or "no problem, it was yahoo; thank goodness it wasn't google". But that kind of reasoning is bogus.

Let's say, for example, it was Yahoo email, and Rupert Murdoch decides to buy Yahoo next year? Or Facebook decides to buy them, for the massive amounts of personal email data they've gathered over the past 20 years. Will parents still be okay with it?

These are not impossible scenarios. When data is lost, stolen, or accidentally given away in bulk, like this, there's no way to ever take it back, and you have no idea where it will end up, though most likely in the hand of marketers and government, among others.

Certainly if no one follows through on this, the district will sweep it under the rug. What kinds of protections are in place to (attempt to) prevent this from happening again? What situations exist around the district where students' personal information is being given away, either accidentally or on purpose, that we don't know about??

Anonymous said...


You are being rhetorical, yes?

We all know no one at the District is going to "follow up" on this, and secure an agreement with the email provider(s) to the third parties, that they have not and will not use the private data.

That is almost comical if you think about it: this is the same District that would not, has not, even secured an agreement with a provider of money to us to 'do' preschool at our facility (Bailey Gatzert).

If this District doesn't even get agreements for something like that latter, where clearly an agreement is essential (otherwise how are we to understand the operation of the preschool, and the responsibilities and processes and privileges and liabilities of its operations??) then clearly it is preposterous to think this District will pursue an agreement with a third party to ensure it does not injure students by committing to not exploiting fruit from the poison tree.

But, it would be nice, of course.

-if only...

dw said...

If only,

The purpose wasn't entirely rhetorical, but you're right, the odds of the district taking the lead to correct mistakes like this are just about zip.

That said, if more parents actually start paying attention, and start pushing back on the district every time this crap happens (or BEFORE it happens), it's possible things won't continue to get worse and worse, which is the current trajectory. For example, there are tons of FOIAs happening these days, is anyone attempting to follow up on this issue? The same basic datamining problem exists with the SpEd data as the Ballard transcripts. Companies like google (if gmail) will not treat that data as confidential, because it was "willingly" handed over to them.

Mostly, I just want to make sure parents stop and think about the consequences of mistakes like this. It's all fine and dandy when it's someone else's kids, but when you look at your own kid at night and realize that their personal data and test scores are being bought and sold on the open market, thanks in part to SPS, hopefully that will get more parents to pay attention.

Are the recent Ballard and SpEd/Roosevelt data screwups getting the attention of parents at those schools/programs? One or two parents griping in their own school doesn't cut through the noise. What will it take to mobilize parents?

Melissa Westbrook said...

DW, the President addressed this issue today and I hope to do a deep dive.

Frankly, it might take something really awful - either in our district or someone else' - to get parents to rise up.

Anonymous said...
This comment has been removed by a blog administrator.
Anonymous said...

The over-involvement of tech industries in what the 21st century student will be doing is the 21st century equivalent of snake oil salesman tent revivals.

Right now, technology is not serving the students, the teachers or the district well. As an example, just exactly how are the students performing who fall into the opportunity gap? Let's take the much-talked-about and little-served African American male, the subject of much hand-wringing and little else. How do African American males do on EOC exams? What percentage graduate? What happens to them after high school? Who knows? But let's award contracts and sign leases based on the data no one will admit to having.

Is technology the answer for these students? Blended learning? Personalized learning? Look out, because that's the snake oil that's coming down the pipe.

Additionally, current laws have not kept up with even the most basic privacy expectations. It sounds like the latest proposal from President Obama, modeled on the student privacy law in California, still has many parents concerned that these companies will collect data and use it in untested ways to peg children or rank them in unfair ways.


Anonymous said...

Let's take the much-talked-about and little-served African American male.

What are you talking about?

Please stop

Anonymous said...

@Please stop,

Here's what I'm talking about:

DOE, May 2012 "The Education Department is investigating whether Seattle's public school district discriminates against black students by subjecting them to tougher and more frequent discipline than white students"

Jose Banda, May 2014 "Closing the opportunity gap for our African-American students. Seattle Public Schools has an unacceptable achievement gap. We heard that from our families, who also asked what we are doing to close that gap.

Solution: We are creating a specific work plan that will address the needs of African-American male students and how we need to work together to close the opportunity gap and improve academic success for our students. Princess Shareef, former Cleveland High School Principal, and Bernardo Ruiz, Director of School Family Partnerships and Equity and Race, have been appointed to lead this work."

Larry Nyland, November 2014 "Looking beneath our achievement numbers we find some disturbing trends showing that too many of our students of color are not benefitting from those trends. For example, African American male students are five times more like to be suspended, three times more likely to be placed in Special Education, and half as likely to be achieving at grade level in comparison to their peers. We will not be successful until EACH and EVERY student achieves well. More of the same will not get us there. New and improved strategies, and continued hard work are needed.”

So what exactly has happened? Virtually nothing, and in recognition of this, SPS will be allowing a group (Africatown) to rent school facilities at a lower rate that they don't actually qualifiy for because SPS has nothing better to throw at helping African American male students. I don't know what outcomes Africatown can claim, but it's not like SPS hasn't known about the opportunity gap for African American students for a long time.

I reiterate, what exactly is their graduation rate? What about their dropout rate?


dw said...

DW, the President addressed this issue today and I hope to do a deep dive. 

Frankly, it might take something really awful - either in our district or someone else's - to get parents to rise up.

Hi Melissa,

Yes, the President is at least talking about addressing some of the issues, but there are also concerns that while new federal laws may bring more uniformity, they may come in weakened (not the first time), weaker than some of the existing state laws, and there's a worry that federal laws may end up overriding state laws. I hope people will stay on top of this, and write to their representatives to explain this and tell them not to let this happen.

From the article linked by GL above: “Even if the law is passed, parents would still not know which vendors have their kids’ data and what they are doing with it,” said Rachael Stickland, a mother of two in Littleton, Colo., who is a co-chairwoman of the Parent Coalition for Student Privacy. “There’s this veil of secrecy. Parents would really appreciate that opportunity to know what is going on.”

It may seem like the proposed bill is better than nothing, but it's dangerous because it invites complacence, and inhibits the introduction of alternative bills with teeth.

On your second point, this is a huge concern of mine as well. Then again, from a student privacy standpoint, releasing the records of every single SpEd student to an outside law firm, followed by the law firm releasing them through email to a private citizen? That's getting pretty close to "really awful" already.

To tag onto the above thoughts, would the SpEd community feel more up-in-arms if the headline read: "8000 Special Education Students' Data Released to Google" ??

Not to pick on one company in particular, but gmail is by far the most common email service used by young people these days. (Can anyone verify the recipient's email provider? Is that information available via FOIA or PRR?) If so, the headline above would spell out very clearly what happened, and might make a few more people sit up and take notice.

It seems that a lot of effort was made to ensure that the private citizen signed an affidavit that he deleted this data from his computer, but zero effort was made to ensure that the largest data miner on the planet didn't suck all this data into their records.

From a privacy standpoint, other than posting this data on an open public web site (where it would be removed very quickly), is there any worse scenario than what already happened? Short of physical harm?

dw said...

Speaking of physical harm, here's an example of really bad stuff that can happen when school districts aren't diligent about protecting student data.

(Spoiler: mobile dentists were performing unauthorized and unnecessary root canals on kids as young as 4 years old for Medicaid reimbursements)

EdWeek - Danger Posed by Student-Data Breaches Prompts Action

Stuff like this is immediately and obviously horrible, but there are lots of misuse cases where it takes years for the data and potential for harm to build up, and it's not always obvious at the time.

Anonymous said...

NEVER commit to long term memory anything the district belches after busted guzzling. Good news, the truth's about Edith's naturalist data breach is fix-in to be eternalized.

All the oppressed dirty secrets revealed for those with good oscillators. Roll in it like a dog in the grass. Sidebands without squelch bleeding into peoples Sunday morning frequencies, a bit stream of various flavors.

Snowden lives

Watching said...

“We want to prevent companies from selling student data to third parties for purposes other than education,” said President Obama.

It will be interesting to read the actual bill, but I"m not confident we will see adequate protections. From the above statement, it appears student data will be available for educational product development.

I'm not confident Obama's plan has teeth.

I've recently learned that Khan Academy is another mechanism used to mine data.

Charlie Mas said...

To tag onto the above thoughts, would the SpEd community feel more up-in-arms if the headline read: "8000 Special Education Students' Data Released to Google" ??

Let's say that the parent who received the data had, in a perverse move to make the district and the law firm really liable, posted it all in a public Google doc and promoted its presence with links. Then what?

Would the district have taken it seriously then? Would regulators have taken it seriously? Is this what it's going to take to spur those in authority to action? And, if so, then shouldn't this happen sooner rather than later?

The next time this sort of thing happens - and I think we can all predict that it will happen this year - should the recipient of the data make it public?