When I talk to people about the importance of data security in education, I’m often asked, “Why does securing students’ information matter?”
While it’s true that most adults and even teenagers regularly enter personal information to services that may not keep it private or secure, including social media, there’s a fundamental distinction between this and what happens in the educational setting. At schools, student information is entered by educators, or by students themselves, to online services chosen by educators on a student’s behalf. Students and their parents are rarely asked permission and younger children are not capable of making such decisions. There is an obligation and responsibility on the part of the service providers and educators to make sure that the information is protected.
What information could intruders get, and how?
In security circles, the term “remote attack” describes a situation where an attacker is able to exploit a vulnerability without access to a user’s credentials or the messages that the user’s computer sends across the network. An example of this type of attack is if an intruder can craft a URL with a numeric userid and retrieve the user’s profile information without being logged in. Another is if an intruder could generate valid class registration codes and use them to access a user’s profile and activity in that class with no verification of the intruder’s access rights to this information. Some services will reveal student names or parent emails as hints when a login attempt fails. In other words, the intruder can gain access to privileged information from anywhere by presenting the right requests to the service’s web servers.
An “eavesdropping attack” (or “sniffing attack”) is when an intruder observes the network messages a user’s computer generates and extracts sensitive information from it. An example of this is if a user’s login name and password is sent across an airport wifi network and another user on the network is able to “sniff” it from the network traffic and log in to the first user’s account. Similarly, authentication tokens sent without encryption after a user logs in can be used by an attacker to take control of a user’s account: this is called “session hijacking”.
Encryption provided by Transport Layer Security (TLS) defends against this type of attack. In browsers, “https” in a URL indicates that TLS (also called Secure Sockets Layer or SSL) is in use, while an “http” shows that it is not. There are similar systems in place to protect things like emails, as they go across the shared network between two companies’ mail servers. (Read more about TLS here.)
Over the past couple of school years I have found that remote attacks have been possible in several educational apps my kids used at school, and that many others did not protect against eavesdropping. By exploiting the remote attack vulnerabilities, intruders could have gathered the following types of personal information about my children: first name, middle initial, last name, gender, date of birth, parent email address, name and address of school, usernames (some with associated passwords), teacher email addresses, teacher and class roster affiliations, class photos with students labeled by name, in-class behavior records, reading level and progress assessments, and math skill and progress assessments. By eavesdropping on unencrypted network messages, intruders could have gathered most of the same information plus voice recordings of them reading, and links their report cards.
Incorrect configurations or sharing permissions can unintentionally leave personal information open to web searching and browsing. For example, in February 2015, BuzzFeed reported that Washington DC’s school district had left internal web pages holding personal information about special education students accessible to the public since 2010. Some of this information was left open to web searching and browsing, while other information was collected in shared email accounts that had their usernames and passwords recorded in a document viewable online by the public.
What could be done with the information?
Students or their parents could view the educational records, academic performance or other personal information of students in their school. There have also been reported cases of students and parents accessing school systems to change grades. (The speaker notes of Jessy Irwin’s recent presentation on Information Security for the Classroom contain several examples.)
Intruders could take over the email or educational service accounts of teachers or students and view the contents or cause “reputational harm” to the owners of those accounts by sending spam or offensive messages from those accounts, as in two recent examples of students taking control of teachers’ emails.
The thought of strangers or acquaintances approaching our kids, in person or online, provokes a visceral reaction, and we should keep the actual risk of this concern in perspective. That said, information about teachers, classmates and family members, email addresses, and even what programs students use in class goes far beyond what someone might see in social media or a newspaper report of a science fair or a sporting event. There is no denying that it could be used to help gain the trust of a child.
It’s also important to recognize that once information is lost, we can’t control what happens to it, and that cross-referencing data from different sources can amplify the reach of the information. Consider a service that stores students’ names, schools and classroom groupings, and another that doesn’t associate students with schools or classes but collects information about performance in math. Individually they are of limited scope, but together they could allow comparisons of math performance within a class, between classes or between schools. Think back to the list of information that could have been collected about my children and consider the impact of combining it together. This is why it’s imperative to secure all student information, even if what’s held by a given application doesn’t seem to be sensitive.
Lastly, it’s not just students who are at risk. Personal information about students and family members could be used for effective and legitimate-seeming phishing attempts against the parents.
What can we do to better protect students’ information?
Laws such as FERPA, COPPA, and California’s SOPIPA establish that reasonable measures must be taken to secure student data, relative to its sensitivity. They don’t, however, provide much clarity on the meanings of “reasonable” and “sensitive”. A draft of the Student Data Privacy and Parental Rights Act announced Monday contains similar language. Developers, educators, parents and students must work together to create common definitions and standards that everyone in the education community can refer to. Developers will have a standard to design to, and consumers will know what to expect and ask for.
Once we have standards, we can establish metrics to quantify how well applications and services adhere to the requirements. We can also define processes for reporting security problems to developers, and for responsibly disclosing them to users. Transparency and information sharing is essential. Educators and parents can’t make informed decisions without them, and each school district should not have to repeat the work of others.
Schools can adopt security standards for acceptance of applications and services and share them with parents and students. If it’s not possible to go all the way in one step, then start with something that can be done and build from there. For example, requiring SSL for anything with a login is not enough, but would be a big step forward if uniformly applied.
Parents and students may not have the technical background to evaluate the security of the apps used at their schools, but they can ask school districts to adopt and publish security guidelines and policies, and to adhere to them. And together, we can work toward the common goal of protecting our students’ information.
I’d like to thank and acknowledge the contributions of several colleagues who provided facts and feedback as I worked on this post.