The FBI has released a public service announcement warning educators and parents that edtech can create cybersecurity risks for students.
Specifically, the organization notes that the “widespread collection of sensitive information” by education technology vendors, such as web browsing history, biometric data and students’ geolocation, could “present unique exploitation opportunities for criminals.”
The memo also notes that in 2017, two large edtech companies experienced cybersecurity issues. “According to security researchers, one company exposed internal data by storing it on a public-facing server,” states the FBI. “The other company suffered a breach and student data was posted for sale on the Dark Web.”
When asked to comment, the FBI declined to tell EdSurge the names of the two companies it was referring to. However, the companies are likely Schoolzilla and Edmodo, respectively. In April 2017, security researchers found a flaw in Schoolzilla’s data configuration settings. And in May 2017, a hacker reportedly stole 77 million user accounts from Edmodo.
The FBI did not say what prompted this particular notice, but stated in an email that it “routinely prepares public service announcements, published by the Internet Crime Complaint Center” in order to “alert U.S. businesses and individuals on the latest cyber trends and scams, emerging threats, and potential vulnerabilities.”
Amelia Vance, the director of the Education Privacy Project at the Future of Privacy Forum, writes in an email to EdSurge that the FBI likely wanted to make sure that as the new school year starts, parents and schools are aware of potential security risks. And while she thinks it’s “great” that the FBI is bringing more attention to this issue, she wishes the public service announcement had also addressed another crucial challenge.
“Schools across the country lack funding to provide and maintain adequate security,” she writes. “Now that the FBI has focused attention on these concerns, policymakers must step up and fund impactful security programs.”
She also worries that the FBI’s suggestion that parents research “the many very complicated” student privacy laws is not particularly helpful. Parents can do that, she explains, but ultimately, “parents just want to know what their school is doing to keep their child’s information safe.”
According to Vance, a better approach might involve encouraging parents to have conversations with their children's’ school about how it keeps student data safe.
“Parents don't need to become experts on these topics to meaningfully engage with their schools about how their child's data is being used.”