Data Privacy and Security Concerns in edtech: Safeguarding Student Information 

Everybody is very concerned about data privacy. K–12 schools are prioritizing student data privacy as Data Privacy Week increases the focus on it across various sectors. Student data privacy is essential for many reasons, including edtech data privacy on online learning platforms.

Technology teams and district administrators must be aware of a range of risks related to school data privacy. In my opinion, the most important thing to understand is that data security and privacy are inextricably linked.

District administrators frequently concentrate on the data use aspect of edtech data privacy, but edtech security risks are a significant factor in protecting student data privacy.

A few edtech data privacy risks affecting your schools are as follows:

Vendors’ improper use of student data

State and district laws target this as the primary tech data privacy risk.

Concerns about how these third-party vendors use the data their ed-tech platforms collect are understandable for schools, students, and parents/guardians. The following are some of the leading tech data privacy issues regarding how vendors use student data:

1. Using the information to show ads to students, especially the younger ones.

2. Packing, renting, selling, or giving student data to other businesses, groups, etc., for undisclosed uses.

3. Using data gathered over time to build student profiles that may be utilized for discriminatory, disciplinary, college acceptance, or other potentially harmful reasons.

4. Preserving student information that might be used against students if they later decide to run for public office.

A number of states have implemented edtech laws mandating that suppliers attest to the fact that any student information gathered will be utilized solely for educational objectives. Laws requiring districts to publicly disclose the tech platforms they have agreements with that gather or otherwise access student data have also been passed in several states.

Edtech data privacy is impacted by insecure data storage and transfer

One of the less well-known risks to edtech data privacy is the safety of the underlying technology. To avoid data loss and safeguard students’ privacy, data must be secured both “in transit” and “at rest.”

When data is transferred between two locations, it is said to be “in transit.” When data is being stored unaltered, it is said to be “at rest.” To protect data in both states from unintentional leaks or deliberate data breaches, vendors must include data security measures in their application development process.

Data breaches in edtech applications and vendors

Edtech data privacy is also impacted by how safe third-party apps are from being hijacked.

According to K12 SIX’s State of K-12 Cybersecurity 2020 Year in Review Report, security incidents involving their partners and vendors accounted for at least 75% of all data breaches that affected K–12 schools in the United States.

The report then cites the Government Accountability Office’s (GAO) assessment of vendor vulnerability and K–12 data security. Cyberattacks directed specifically at edtech vendors are particularly damaging to K–12 education because they often affect a large number of students simultaneously in several school districts.

Dangerous OAuth access to district Microsoft 365 and Google domains

OAuth is a relatively new and poorly understood cloud data breach risk that allows users to circumvent established security measures.

Open-standard authorization (OAuth) is a widely used framework that permits unrestricted data and control transfer between your Google and Microsoft 365 apps and third-party apps. Easy login access between different applications is one of its common uses (for example, logging in to an app using your Google account).

It may also enable the third-party app to read, write, and send emails from your Gmail or Outlook account on your behalf, depending on the kind of app and its features. An app may also access an account’s contacts, profile information, documents, images, and more. Some even demand access to the administrative database.

Although none of these permissions is inherently harmful, the user must exercise some discernment in granting them. Regrettably, many of us accept permissions when they first appear without reading them or considering the potential repercussions.

OAuth security threats are comparatively recent, and identifying and controlling them can be challenging. Incidents happen when a hacker obtains access to a third-party app. Using the app’s OAuth permissions, they can take over a user account without ever breaching your domain. For instance, they can send emails with phishing links to every account contact by using the app’s read, write, and send email permissions.

Malicious third-party apps

The primary distinction is that malicious apps are designed to fool users into believing they are authentic. In certain instances, they may promote entertaining games or other “lifestyle” apps. In other cases, they are created and promoted to strikingly resemble well-known, authentic apps.

Attackers can use permissions in the same ways as previously mentioned after tricking a user into installing the application and permitting it to access those permissions. The user has granted permission for that access, so native security controls and perimeter-based security tools see it as legitimate access to areas where they can take action.
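Because the domain's own controls treat a user-approved grant as legitimate, the practical defense for both the compromised-app and malicious-app cases above is to review what each connected app has been granted. The following is an added example, not part of the original article: it ranks apps by the most sensitive permission they hold and by how many accounts approved them. The record layout, app names, user names and risk levels are assumptions of this example; the scope strings are real Google and Microsoft Graph scopes.

```python
from collections import defaultdict

# Scope -> (risk level, capability). The scope strings are real Google and
# Microsoft Graph scopes; the 2/3 risk levels are this example's own judgement.
G = "https://www.googleapis.com/auth/"
SCOPE_RISK = {
    "https://mail.google.com/": (3, "read, write and send mail"),
    G + "gmail.send": (3, "send mail"),
    G + "contacts.readonly": (2, "read contacts"),
    G + "admin.directory.user": (3, "manage directory users"),
    "Mail.Send": (3, "send mail"),
    "Mail.ReadWrite": (2, "read and write mail"),
    "Contacts.Read": (2, "read contacts"),
    "Directory.ReadWrite.All": (3, "write directory data"),
}
SIGN_IN_ONLY = {"openid", "email", "profile", "User.Read"}

def audit_grants(grants):
    """Group grants by app; return (app, summary) pairs, riskiest and widest first."""
    apps = defaultdict(lambda: {"risk": 0, "can": set(), "users": set(), "unknown": set()})
    for grant in grants:
        entry = apps[grant["app"]]
        entry["users"].add(grant["user"])
        for scope in grant["scopes"]:
            if scope in SCOPE_RISK:
                level, capability = SCOPE_RISK[scope]
                entry["risk"] = max(entry["risk"], level)
                entry["can"].add(capability)
            elif scope not in SIGN_IN_ONLY:
                entry["unknown"].add(scope)  # not in the table: review by hand
    return sorted(apps.items(),
                  key=lambda kv: (-kv[1]["risk"], -len(kv[1]["users"]), kv[0]))

# Constructed sample export: users, app names and the custom scope are made up.
SAMPLE_GRANTS = [
    {"user": "student1", "app": "Quiz Game Fun",
     "scopes": ["email", "https://mail.google.com/", G + "contacts.readonly"]},
    {"user": "student2", "app": "Quiz Game Fun",
     "scopes": ["email", "https://mail.google.com/"]},
    {"user": "teacher1", "app": "Reading Tracker", "scopes": ["openid", "profile", "email"]},
    {"user": "teacher1", "app": "Gradebook Sync",
     "scopes": ["User.Read", "Mail.Send", "Contacts.Read"]},
    {"user": "admin1", "app": "Roster Importer",
     "scopes": [G + "admin.directory.user", "https://example.invalid/custom.scope"]},
]

if __name__ == "__main__":
    for app, e in audit_grants(SAMPLE_GRANTS):
        print(e["risk"], len(e["users"]), app, sorted(e["can"]), sorted(e["unknown"]))
```

Apps that only request sign-in scopes land at the bottom of the report, while a game-style app holding full mailbox access across several student accounts lands at the top.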

