Without Retention Rules, Edtech is Just Another Tool for Surveillance and Privacy Abuse

Valentine’s Day 2018 marked the moment I learned that the fear of public embarrassment could motivate even a Canadian public school board to use disinformation and intimidation tactics to cover up a security breach.

Caused by the botched deployment of a cloud-based ‘educational technology’ (“edtech”) system and plagued from the start by poor due diligence, project planning and utter disregard for parental consent, the breach of children’s data — accidentally discovered by me — extended to over 100,000 students and remained accessible for about a year.

Having brought the matter confidentially to the board months earlier, I freely advised administrators on how to report, repair and reboot their ill-conceived plan. Alas, that involved swallowing a bitter pill at a time when the board was battling other reputational demons of its own making, so it did what any terrified mob would do: go on the offensive and personally write to parents telling them yours truly was the source of the breach.

It was a pretty awful experience for me and my family but it resulted in the creation of Canada’s first standardized edtech cybersecurity assessment service and the acclaimed CybersecurED Podcast on voicEd Radio.

Unfortunately, the deployment of trustworthy education technology in Canada remains precarious for one fundamental reason: in the absence of the legal requirement to secure parental consent for the collection and sharing of children’s data, there is also no requirement to *ever* dispose of students’ personal information, a reality currently exploited for fun and profit by every parasite in this dubious food chain. In the U.S, some progressive districts have long ago adopted proper retention limits enforced by annual data deletion of all collected data, including the information shared with service providers and their acolytes.

Until Canada takes steps to actually legislate respect for children’s future by denying educational institutions the consent grab they liberally exploit to permanently misappropriate student data, the education sector will continue to be complicit in the privacy abuses it enables at the hands of unscrupulous data aggregators.

This article originally appeared on BadPrivacy.com on Valentine’s Day, 2022.

The K-12 Cyber Incident Map masterfully illustrates the stark difference between the ability of US schools to detect breaches and the situation north of the border, where schools and regional boards are disincentivized from reporting anything but the most public breaches.

Interested in advocating for data deletion in your district or region? Here’s how it’s done:



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Bad Privacy

Fīat jūstitia, ruat cælum. Personal musings on data protection fails, snafus & oddities, collected & edited by Claudiu Popa; author, educator, booknerd.