Without Retention Rules, Edtech is Just Another Tool for Surveillance and Privacy Abuse

Valentine’s Day 2018 marked the moment I learned that the fear of public embarrassment could motivate even a Canadian public school board to use disinformation and intimidation tactics to cover up a security breach.

Caused by the botched deployment of a cloud-based ‘educational technology’ (“edtech”) system and plagued from the start by poor due diligence, project planning and utter disregard for parental consent, the breach of children’s data — accidentally discovered by me — extended to over 100,000 students and remained accessible for about a year.

The sinister figure adorning this page is a ‘process server’ sent by the board to to my home under cover of darkness to loudly and aggressively make the point that it would be best if I kept quiet about the whole thing.

Having brought the matter confidentially to the board months earlier, I freely advised administrators on how to report, repair and reboot their ill-conceived plan. Alas, that involved swallowing a bitter pill at a time when the board was battling other reputational demons of its own making, so it did what any terrified mob would do: go on the offensive and personally write to parents telling them yours truly was the source of the breach.

It was a pretty awful experience for me and my family but it resulted in the creation of Canada’s first standardized edtech cybersecurity assessment service and the acclaimed CybersecurED Podcast on voicEd Radio.

Unfortunately, the deployment of trustworthy education technology in Canada remains precarious for one fundamental reason: in the absence of the legal requirement to secure parental consent for the collection and sharing of children’s data, there is also no requirement to *ever* dispose of students’ personal information, a reality currently exploited for fun and profit by every parasite in this dubious food chain. In the U.S, some progressive districts have long ago adopted proper retention limits enforced by annual data deletion of all collected data, including the information shared with service providers and their acolytes.

Until Canada takes steps to actually legislate respect for children’s future by denying educational institutions the consent grab they liberally exploit to permanently misappropriate student data, the education sector will continue to be complicit in the privacy abuses it enables at the hands of unscrupulous data aggregators.

This article originally appeared on BadPrivacy.com on Valentine’s Day, 2022.

The K-12 Cyber Incident Map masterfully illustrates the stark difference between the ability of US schools to detect breaches and the situation north of the border, where schools and regional boards are disincentivized from reporting anything but the most public breaches.

Interested in advocating for data deletion in your district or region? Here’s how it’s done:

• https://www.theguardian.com/education/2019/dec/05/schools-monitor-students-online-activity
• https://cdt.org/wp-content/uploads/2019/03/Student-Privacy-Deletion-Report.pdf
• https://www.edweek.org/technology/schools-collect-tons-of-student-information-deleting-it-all-is-a-major-challenge/2019/03
• https://us.boell.org/en/2021/03/31/privacy-key-holding-edtech-accountable
• https://www.commonsense.org/education/articles/the-long-life-of-a-data-trail