This curated collection includes updates, resources, and research with critical perspectives related to the intersections of educational psychology and emerging technologies in education. The page also serves as a research tool to organize online content (funnel shaped icon allows keyword search). For more on the intersections of privatization and technologization of education with critiques of the social impact finance and related technologies, please visit http://bit.ly/sibgamble and http://bit.ly/chart_look. For posts regarding screen time risks to health and development, see http://bit.ly/screen_time and for updates related to AI and data concerns, please visit http://bit.ly/DataJusticeLinks. [Note: Views presented on this page are re-shared from external websites. The content may not necessarily represent the views nor official position of the curator nor employer of the curator.]
"Minneapolis Public Schools appears to be the latest ransomware target in a $1 million extortion scheme that came to light Tuesday after a shady cyber gang posted to the internet a ream of classified documents it claims it stole from the district.
While districts nationwide have become victims in a rash of devastating ransomware attacks in the last several years, cybersecurity experts said the extortion tactics leveraged against the Minneapolis district are particularly aggressive and an escalation of those typically used against school systems to coerce payments.
In a dark web blog post and an online video uploaded Tuesday, the ransomware gang Medusa claimed responsibility for conducting a February cyberattack — or what Minneapolis school leaders euphemistically called an “encryption event” — that led to widespread digital disruptions. The blog post gives the district until March 17 to hand over $1 million. If the district fails to pay up, criminal actors appear ready to post a trove of sensitive records about students and educators to their dark web leak site. The gang’s leak site gives the district the option to pay $50,000 to add a day to the ransom deadline and allows anyone to purchase the data for $1 million right now.
On the video-sharing platform Vimeo, the group, calling itself the Medusa Media Team, posted a 51-minute video that appeared to show a limited collection of the stolen records, making clear to district leaders the sensitive nature of the files within the gang’s possession.
“The video is more unusual and I don’t recall that having been done before,” said Brett Callow, a threat analyst with the cybersecurity company Emsisoft.
A preliminary review of the gang’s dark web leak site by The 74 suggests the compromised files include a significant volume of sensitive documents, including records related to student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications.
The video is no longer available on Vimeo and a company spokesperson confirmed to The 74 that it was removed for violating its terms of service, which prohibits users from uploading content that “infringes any third party’s” privacy rights.
As targeted organizations decline to pay ransom demands in efforts to recover stolen files, Callow said the threat actors are employing new tactics “to improve conversion rates.”"...
By Drew Harwell
"One company advertised the names and home addresses of people with depression, anxiety, post-traumatic stress or bipolar disorder. Another sold a database featuring thousands of aggregated mental health records, starting at $275 per 1,000 “ailment contacts.”
For years, data brokers have operated in a controversial corner of the internet economy, collecting and reselling Americans’ personal information for government or commercial use, such as targeted ads.
But the pandemic-era rise of telehealth and therapy apps has fueled an even more contentious product line: Americans’ mental health data. And the sale of it is perfectly legal in the United States, even without the person’s knowledge or consent.
In a study published Monday, a research team at Duke University’s Sanford School of Public Policy outlines how expansive the market for people’s health data has become.
After contacting data brokers to ask what kinds of mental health information she could buy, researcher Joanne Kim reported that she ultimately found 11 companies willing to sell bundles of data that included information on what antidepressants people were taking, whether they struggled with insomnia or attention issues, and details on other medical ailments, including Alzheimer’s disease or bladder-control difficulties.
Some of the data was offered in an aggregate form that would have allowed a buyer to know, for instance, a rough estimate of how many people in an individual Zip code might be depressed.
But other brokers offered personally identifiable data featuring names, addresses and incomes, with one data-broker sales representative pointing to lists named “Anxiety Sufferers” and “Consumers With Clinical Depression in the United States.” Some even offered a sample spreadsheet.
It was like “a tasting menu for buying people’s health data,” said Justin Sherman, a senior fellow at Duke who ran the research team. “Health data is some of the most sensitive data out there, and most of us have no idea how much of it is out there for sale, often for just a couple hundred dollars.”
The Health Insurance Portability and Accountability Act, known as HIPAA, restricts how hospitals, doctors’ offices and other “covered health entities” share Americans’ health data.
But the law doesn’t protect the same information when it’s sent anywhere else, allowing app makers and other companies to legally share or sell the data however they’d like.
Some of the data brokers offered formal customer complaint processes and opt-out forms, Kim said. But because the companies often did not say where their data had come from, she wrote, many people probably didn’t realize the brokers had collected their information in the first place. It was also unclear whether the apps or websites had allowed their users a way to not share the data to begin with; many companies reserve the right, in their privacy policy, to share data with advertisers or other third-party “partners.”
Privacy advocates have for years warned about the unregulated data trade, saying the information could be exploited by advertisers or misused for predatory means. Health insurance companies and federal law enforcement officers have used data brokers to scrutinize people’s medical costs and pursue undocumented immigrants.
Mental health data, Sherman said, should be treated especially carefully, given that it could pertain to people in vulnerable situations — and that, if shared publicly or rendered inaccurately, could lead to devastating results.
In 2013, Pam Dixon, the founder and executive director of the World Privacy Forum, a research and advocacy group, testified at a Senate hearing that an Illinois pharmaceutical marketing company had advertised a list of purported “rape sufferers,” with 1,000 names starting at $79. The company removed the list shortly after her testimony.
Now, a decade later, she worries the health-data issue has in some ways gotten worse, in large part because of the increasing sophistication with which companies can collect and share people’s personal information — including not just in defined lists, but through regularly updated search tools and machine-learning analyses.
“It’s a hideous practice, and they’re still doing it. Our health data is part of someone’s business model,” Dixon said. “They’re building inferences and scores and categorizations from patterns in your life, your actions, where you go, what you eat — and what are we supposed to do, not live?”
The number of places people are sharing their data has boomed, thanks to a surge of online pharmacies, therapy apps and telehealth services that Americans use to seek out and obtain medical help from home. Many mental health apps have questionable privacy practices, according to Jen Caltrider, a researcher with the tech company Mozilla whose team analyzed more than two dozen last year and found that “the vast majority” were “exceptionally creepy.”
Federal regulators have shown a recent interest in more aggressively assessing how companies treat people’s health details. The Federal Trade Commission said this month that it had negotiated a $1.5 million civil penalty from the online prescription-drug service GoodRx after the company was charged with compiling lists of users who had bought certain medications, including for heart disease and blood pressure, and then using that information to better target its Facebook ads.
An FTC representative said in a statement that “digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information.” GoodRx said in a statement that it was an “old issue” related to a common software practice, known as tracking pixels, that allowed the company to “advertise in a way that we feel was compliant with regulations.”
After the Supreme Court overturned Roe v. Wade last summer and opened the door to more state abortion bans, some data brokers stopped selling location data that could be used to track who visited abortion clinics.
Several senators, including Elizabeth Warren (D-Mass.), Ron Wyden (D-Ore.) and Bernie Sanders (I-Vt.), backed a bill that would strengthen state and federal authority against health data misuse and restrict how much reproductive-health data tech firms can collect and share.
But the data-broker industry remains unregulated at the federal level, and the United States lacks a comprehensive federal privacy law that would set rules for how apps and websites treat people’s information more broadly.
Two states, California and Vermont, require the companies to register in a data-broker registry. California’s lists more than 400 firms, some of which say they specialize in health or medical data.
Dixon, who was not involved in the Duke research, said she hoped the findings and the Supreme Court ruling would serve as a wake-up call for how this data could lead to real-world risks.
“There are literally millions of women for whom the consequences of information bartered, traded and sold about aspects of their health can have criminal consequences,” she said. “It is not theoretical. It is right here, right now.”
"Millions of children had their online behaviors and personal information tracked by the apps and websites they used for school during the pandemic, according to an international investigation that raises concerns about the impact remote learning had on children’s privacy online.
The educational tools were recommended by school districts and offered interactive math and reading lessons to children as young as prekindergarten. But many of them also collected students’ information and shared it with marketers and data brokers, who could then build data profiles used to target the children with ads that follow them around the Web.
Those findings come from the most comprehensive study to date on the technology that children and parents relied on for nearly two years as basic education shifted from schools to homes.
Researchers with the advocacy group Human Rights Watch analyzed 164 educational apps and websites used in 49 countries, and they shared their findings with The Washington Post and 12 other news organizations around the world. The consortium, EdTech Exposed, was coordinated by the investigative nonprofit the Signals Network and conducted further reporting and technical review.
What the researchers found was alarming: nearly 90 percent of the educational tools were designed to send the information they collected to ad-technology companies, which could use it to estimate students’ interests and predict what they might want to buy.
Researchers found that the tools sent information to nearly 200 ad-tech companies, but that few of the programs disclosed to parents how the companies would use it. Some apps hinted at the monitoring in technical terms in their privacy policies, the researchers said, while many others made no mention at all.
The websites, the researchers said, shared users’ data with online ad giants including Facebook and Google. They also requested access to students’ cameras, contacts or locations, even when it seemed unnecessary to their schoolwork. Some recorded students’ keystrokes, even before they hit “submit.”
The “dizzying scale” of the tracking, the researchers said, showed how the financial incentives of the data economy had exposed even the youngest Internet users to “inescapable” privacy risks — even as the companies benefited from a major revenue stream.
“Children,” lead researcher Hye Jung Han wrote, were “just as likely to be surveilled in their virtual classrooms as adults shopping in the world’s largest virtual malls.”
School districts and the sites’ creators defended their use, with some companies saying researchers had erred by including in their study homepages for the programs, which included tracking codes, instead of limiting their analysis to the internal student pages, which they said contained fewer or no trackers. The researchers defended the work by noting that students often had to sign in on the homepages before their lessons could begin.
The coronavirus pandemic abruptly upended the lives of children around the world, shuttering schools for more than 1.5 billion students within the span of just a few weeks. Though some classrooms have reopened, tens of millions of students remain remote, and many now depend on education apps for the bulk of their school days.
Yet there has been little public discussion of how the companies that provided the programs remote schooling depends on may have profited from the pandemic windfall of student data.
The learning app Schoology, for example, says it has more than 20 million users and is used by 60,000 schools across some of the United States’ largest school districts. The study identified code in the app that would have allowed it to extract a unique identifier from the student’s phone, known as an advertising ID, that marketers often use to track people across different apps and devices and to build a profile on what products they might want to buy.
A representative for PowerSchool, which developed the app, referred all questions to the company’s privacy policy, which said it does not collect advertising IDs or provide student data to companies for marketing purposes. But the policy also says the company’s website uses third-party tools to show targeted ads to users based on their “browsing history on other websites or on other devices.” The policy did not say which third-party companies had received users’ data.
The policy also said that it “does not knowingly collect any information from children under the age of 13,” in keeping with the Children’s Online Privacy Protection Act, or COPPA, the U.S. law that requires special restrictions on data collected from young children. The company’s software, however, is marketed for classrooms as early as kindergarten, which for many children starts around age 4.
The investigation acknowledged that it could not determine exactly what student data would have been collected during real-world use. But the study did reveal how the software was designed to work, what data it had been programmed to seek access to, and where that data would have been sent.
School districts and public authorities that had recommended the tools, Han wrote, had “offloaded the true costs of providing education online onto children, who were forced to pay for their learning with their fundamental rights to privacy.”
The researchers said they found a number of trackers on websites common among U.S. schools. The website of ST Math, a “visual instructional program” for prekindergarten, elementary and middle school students, was shown to have shared user data with 19 third-party trackers, including Facebook, Google, Twitter and the e-commerce site Shopify.
Kelsey Skaggs, a spokeswoman for the California-based MIND Research Institute, which runs ST Math, said in a statement that the company does not “share any personally identifiable information in student records for the purposes of targeted advertising or other commercial purposes” and does not use the same trackers on its student platform as it does on its homepage.
But the researchers said they found trackers not just on ST Math’s main site but on pages offering math games for prekindergarten and the first grade.
Google spokesperson Christa Muldoon said the company is investigating the researchers’ claims and will take action if they find any violations of their data privacy rules, which include bans on personalized ads aimed at minors’ accounts. A spokesperson for Facebook’s parent company Meta said it restricts how businesses share children’s data and how advertisers can target children and teens.
The study comes as concern grows over the privacy risks of the educational-technology industry. The Federal Trade Commission voted last week on a policy statement urging stronger enforcement of COPPA, with Chair Lina Khan arguing that the law should help “ensure that children can do their schoolwork without having to surrender to commercial surveillance practices.”
COPPA requires apps and websites to get parents’ consent before collecting children’s data, but schools can consent on their behalf if the information is designated for educational use.
In an announcement, the FTC said it would work to “vigilantly enforce” provisions of the law, including bans against requiring children to provide more information than is needed and restrictions against using personal data for marketing purposes. Companies that break the law, it said, could face fines and civil penalties.
Clearly, the tools have wide impact. In Los Angeles, for example, more than 447,000 students are using Schoology and 79,000 are using ST Math. Roughly 70,000 students in Miami-Dade County Public Schools use Schoology.
Both districts said they’ve taken steps to limit privacy risks, with Los Angeles requiring software companies to submit a plan showing how student information will be protected while Miami-Dade said it had conducted a “thorough and extensive” evaluation process before bringing on Schoology last year.
The researchers said most school districts they examined had conducted no technical privacy evaluations before endorsing the educational tools. Because the companies’ privacy policies often obscured the extent of their monitoring, the researchers said, district officials and parents often were left in the dark on how students’ data would be collected or used.
Some popular apps reviewed by the researchers didn’t track children at all, showing that it is possible to build an educational tool without sacrificing privacy. Apps such as Math Kids and African Storybook didn’t serve ads to children, collect their identifying details, access their cameras, request more software permissions than necessary or send their data to ad-tech companies, the analysis found. They just offered simple learning lessons, the kind that students have relied on for decades.
Vivek Dave, a father of three in Texas whose company RV AppStudios makes Math Kids, said the company charges for in-app purchases on some word-search and puzzle games designed for adults and then uses that money to help build ad-free educational apps. Since launching an alphabet game seven years ago, the company has built 14 educational apps that have been installed 150 million times this year and are now available in more than 35 languages.
“If you have the passion and just try to understand them, you don’t need to do all this level of tracking to be able to connect with kids,” he said. “My first beta testers were my kids. And I didn’t want that for my kids, period.”
The researchers argued that governments should conduct data-privacy audits of children’s apps, remove the most invasive, and help guide teachers, parents and children on how best to prevent data over-collection or misuse.
Companies, they said, should work to ensure that children’s information is treated differently than everyone else’s, including by being siloed away from ads and trackers. And lawmakers should encode these kinds of protections into regulation, so the companies aren’t allowed to police themselves.
Bill Fitzgerald, a privacy researcher and former high school teacher who was not involved in the study, sees apps’ tracking of students not only as a loss of privacy but as a lost opportunity to use the best of technology for their benefit. Instead of rehashing old ways to vacuum up user data, schools and software developers could have been pursuing fresher, more creative ideas to get children excited to learn.
“We have outsourced our collective imagination and our vision as to what innovation with technology could be to third-party product offerings that aren’t remotely close to the classroom and don’t have our best interests at heart,” Fitzgerald said.
“The conversation the industry wants us to have is: What’s the harm?” he added. “The right conversation, the ethical conversation is: What’s the need? Why does a fourth-grader need to be tracked by a third-party vendor to learn math?”
Abby Rufer, a high school algebra teacher in Dallas, said she’s worked with a few of the tested apps and many others during a frustratingly complicated two years of remote education.
School districts felt pressured during the pandemic to quickly replace the classroom with online alternatives, she said, but most teachers didn’t have the time or technical ability to uncover how much data they gobbled up.
“If the school is telling you to use this app and you don’t have the knowledge that it might be recording your students’ information, that to me is a huge concern,” Rufer said.
Many of her students are immigrants from Latin America or refugees from Afghanistan, she said, and some are already fearful of how information on their locations and families could be used against them.
“They’re being expected to jump into a world that is all technological,” she said, “and for many of them it’s just another obstacle they’re expected to overcome.”
"The highly sensitive information of millions of Australians — including logins for personal Australian Tax Office accounts, medical and personal data of thousands of NDIS recipients, and confidential details of an alleged assault of a Victorian school student by their teacher — is among terabytes of hacked data being openly traded online.
An ABC investigation has identified large swathes of previously unreported confidential material that is widely available on the internet, ranging from sensitive legal contracts to the login details of individual MyGov accounts, which are being sold for as little as $1 USD.
The huge volume of newly identified information confirms the high-profile hacks of Medibank and Optus represent just a fraction of the confidential Australian records recently stolen by cyber criminals.
At least 12 million Australians have had their data exposed by hackers in recent months.
It can also be revealed many of those impacted learnt they were victims of data theft only after being contacted by the ABC.
They said they were either not adequately notified by the organisations responsible for securing their data, or were misled as to the gravity of the breach.
One of the main hubs where stolen data is published is a forum easily discoverable through Google, which only appeared eight months ago and has soared in popularity — much to the alarm of global cyber intelligence experts.
Anonymous users on the forum and similar websites regularly hawk stolen databases collectively containing millions of Australians' personal information.
Others were seen offering generous incentives to those daring enough to go after specific targets, such as one post seeking classified intelligence on the development of Australian submarines.
"There's a criminal's cornucopia of information available on the clear web, which is the web that's indexed by Google, as well as in the dark web," said CyberCX director of cyber intelligence Katherine Mansted.
"There's a very low barrier of entry for criminals … and often what we see with foreign government espionage or cyber programs — they're not above buying tools or buying information from criminals either."
In one case, law student Zac's medical information, pilfered in one of Australia's most troubling cyber breaches, was freely published by someone without a clear motive.
Zac has a rare neuromuscular disorder which has left him unable to walk and prone to severe weakness and fatigue. The ABC has agreed not to use his full name because he fears the stolen information could be used to locate him.
His sensitive personal data was stolen in May in a cyber attack on CTARS, a company that provides a cloud-based client management system to National Disability Insurance Scheme (NDIS) and NSW out-of-home-care service providers.
The National Disability Insurance Agency (NDIA), which is responsible for the NDIS, told a Senate committee it had confirmed with CTARS that all 9,800 affected participants had been notified.
But ABC Investigations has established this is not the case. The ABC spoke with 20 victims of the breach, all but one — who later found a notice in her junk mail — said they had not received a notification or even heard of the hack.
The leaked CTARS database, verified by the ABC, included Medicare numbers, medical information, tax file numbers, prescription records, mental health diagnoses, welfare checks, and observations about high-risk behaviour such as eating disorders, self-harm and suicide attempts.
"It's really, really violating," said Zac, whose leaked data included severe allergy listings for common food and medicine.
"I may not like to think of myself as vulnerable … but I guess I am quite vulnerable, particularly living alone.
"Allergy records, things that are really sensitive, [are kept] private between me and my doctor and no one else but the people who support me.
"That's not the sort of information that you want getting into the wrong hands, particularly when ... you don't have a lot of people around you to advocate for you."
The CTARS database is just one of many thousands being traded on the ever-growing cybercrime black market. These postings appear on both the clear web — used everyday through common web browsers — and on the dark web which requires special software for access.
The scale of the problem is illustrated by the low prices being demanded for confidential data.
ABC Investigations found users selling personal information and log-in credentials to individual Australian accounts which included MyGov, the ATO and Virgin Money for between $1 to $10 USD.
MyGov and ATO services are built with two-factor authentication, which protects accounts with compromised usernames and passwords, but those same login details could be used as a means to bypass less-secure services.
One cyber intelligence expert showed the ABC a popular hackers forum, in which remote access to an Australian manufacturing company was auctioned for up to $500. He declined to identify the company.
CyberCX's Ms Mansted said the "black economy" in stolen data and hacking services was by some measures the third largest economy in the world, surpassed only by the US and Chinese GDP.
"The cost of buying a person's personal information or buying access to hack into a corporation, that's actually declining over time, because there is so much information and so much data out there," said Ms Mansted.
Cyber threat investigator Paul Nevin monitors online forums where hundreds of Australians' login data are traded each week.
"The volume of them was staggering to me," said Mr Nevin, whose company Cybermerc runs surveillance on malicious actors and trains Australian defence officials.
"In the past, we'd see small scatterings of accounts but now, this whole marketplace has been commoditised and fully automated.
"The development of that capability has only been around for a few years but it shows you just how successful these actors are at what they do."
Explosive details leaked about private school
The cyber attack on Medibank last month by Russian criminal group REvil brought home the devastation cyber crime can inflict.
The largest health insurer in the country is now facing a possible class action lawsuit after REvil accessed the data of 9.7 million current and former customers, and published highly sensitive medical information online.
On the dark web, Russian and Eastern European criminal organisations host sites where they post ransom threats and later leak databases if the ransom is not paid.
The groups research their targets to inflict maximum damage. Victims range from global corporations, including defence firm Thales and consulting company Accenture, to Australian schools.
In Melbourne, the Kilvington Grammar School community is reeling after more than 1,000 current and former students had their personal data leaked in October by a prolific ransomware gang, Lockbit 3.0.
The independent school informed parents via emails, including one on November 2 that stated an "unknown third party has published a limited amount of data taken from our systems".
Correspondence sent to parents indicated this "sensitive information" included contact details of parents, Medicare details and health information such as allergies, as well as some credit card information.
However, the cache of information actually published by Lockbit 3.0 was far more extensive than initially suggested.
ABC Investigations can reveal the ransomware group published highly confidential documents containing the bank account numbers of parents, legal and debt disputes between the school and families, report cards, and individual test results.
Most shocking was the publication of details concerning the investigation into a teacher accused of assaulting a child and privileged legal advice about the death of a student.
Kilvington Grammar has been at the centre of a coronial inquest into Lachlan Cook, 16, who died after suffering complications of Type 1 diabetes during a school trip to Vietnam in 2019.
Lachlan became critically ill and started vomiting, which was mistaken for gastroenteritis rather than a rare complication of his diabetes.
The coroner has indicated she will find the death was preventable because neither the school nor the tour operator, World Challenge, provided specific care for the teenager's diabetes.
Lachlan's parents declined to comment, but ABC Investigations understands they did not receive notification from the school that sensitive legal documents about his death were stolen and published online.
Other parents whose details were compromised told the ABC they were frustrated by the school's failure to explain the scale of the breach.
"That's distressing that this type of data has been accessed," said father of two, Paul Papadopoulos.
"It's absolutely more sensitive [than parents were told] and I think any person would want to have known about it."
In a statement to the ABC, Kilvington Grammar did not address specific questions about the Cook family tragedy nor if any ransom was demanded or paid.
The school's marketing director Camilla Fiorini acknowledged its attempt to notify families of the specifics of what personal data was stolen was an "imperfect process".
"We have adopted a conservative approach and contacted all families that may have been impacted," she said.
"We listed — to the best of our abilities — what data had been accessed ... we also suggested additional steps those individuals can consider taking to further protect their information.
"The school is deeply distressed by this incident and the impact it has had on our community."
Other Australian organisations recently targeted by Lockbit 3.0 included a law firm, a wealth management firm for high-net-worth individuals, and a major hospitality company.
Blame game leaves victims out in the cold
The failure of Kilvington Grammar to properly notify the victims of the data-theft is not an isolated case and its targeting by a ransomware group is emblematic of a growing apparatus commoditising stolen personal information.
Australian Federal Police (AFP) Cybercrime Operations Commander Chris Goldsmid told the ABC personal data was becoming "increasingly valuable to cybercriminals who see it as information they can exploit for financial gain".
"Cybercriminals can now operate at all levels of technical ability and the tools they employ are easily accessible online," he warned.
He added the number of cybercrime incidents has risen 13 per cent from the previous financial year, to 67,500 reports — likely a conservative figure.
"We suspect there are many more victims but they are too embarrassed to come forward, or they have not realised what has happened to them is a crime," Commander Goldsmid said.
While authorities and the Federal Government have warned Medibank customers to be on high-alert for identity thieves, many other Australians are unaware they are victims.
Under the Privacy Act, all government agencies, organisations that hold health information and companies with an annual turnover above $3 million are required to notify individuals when their data has been breached if it is deemed "likely to cause serious harm".
After CTARS was hacked in May, the company published a statement about the hack on its website but devolved its responsibility to inform its NDIS recipients to 67 individual service providers affected by the breach.
When ABC Investigations asked CTARS why many of the impacted NDIS recipients were not notified, it said it decided the process was best handled by each provider.
"The OAIC [Office of the Australian Information Commissioner] suggests that notifications are usually best received from the organisation who has a relationship with impacted individuals — in this case, the service providers," a CTARS spokesperson said.
"CTARS worked extensively to support the service providers in being able to ... bring the notification to their clients' attention."
However, the NDIA told the ABC this responsibility lay not with those individual providers, but with CTARS.
"The Agency's engagement with CTARS following the breach, indicated that CTARS was fulfilling all its obligations under the Privacy Act in relation to the breach," an NDIA spokesperson said.
"The Agency has reinforced with CTARS its obligation to inform users of their services."
This has provided little comfort to Zac and other CTARS victims whose personal information may never be erased from the internet.
"It's infuriating, it's shocking and it's disturbing," said Zac.
"It makes me really angry to know that multiple government agencies and these private support companies, who I would have thought would be duty bound to hold my best interests at heart … especially when my safety is at risk … that they at no level attempted to get in contact with me and assist me in protecting my information."
Zac's former service provider, Southern Cross Support Services, did not respond to the ABC's questions.
A victim of another hack published on the same forum as the CTARS data is Karen Heath.
Woolworths told the ABC it has "enhanced" its security and privacy practices operations since the MyDeal hack and it "unreservedly apologise[d] for the considerable concern the MyDeal breach has caused".
But Ms Heath remains anxious.
"You feel a bit helpless [and] you get worried about it," Ms Heath said.
"I don't even know that I'll shop at Woolworths again ... they own MyDeal. They have insurance companies, they have all sorts of things.
Summary "As contemporary societies continue to integrate digital technologies into varying aspects of everyday life—including work, schooling, and play—the concept of digital game-based learning (DGBL) has become increasingly influential. The term DGBL is often used to characterize the relationship of computer-based games (including games played on dedicated gaming consoles and mobile devices) to various learning processes or outcomes. The concept of DGBL has its origins in interdisciplinary research across the computational and social sciences, as well as the humanities. As interest in computer games and learning within the field of education began to expand in the late 20th century, DGBL became somewhat of a contested term. Even foundational concepts such as the definition of games (as well as their relationship to simulations and similar artifacts), the affordances of digital modalities, and the question of what “counts” as learning continue to spark debate among positivist, interpretivist, and critical framings of DGBL. Other contested areas include the ways that DGBL should be assessed, the role of motivation in DGBL, and the specific frameworks that should inform the design of games for learning.
Scholarship representing a more positivist view of DGBL typically explores the potential of digital games as motivators and influencers of human behavior, leading to the development of concepts such as gamification and other uses of games for achieving specified outcomes, such as increasing academic measures of performance, or as a form of behavioral modification. Other researchers have taken a more interpretive view of DGBL, framing it as a way to understand learning, meaning-making, and play as social practices embedded within broader contexts, both local and historical. Still others approach DGBL through a more critical paradigm, interrogating issues of power, agency, and ideology within and across applications of DGBL. Within classrooms and formal settings, educators have adopted four broad approaches to applying DGBL: (a) integrating commercial games into classroom learning; (b) developing games expressly for the purpose of teaching educational content; (c) involving students in the creation of digital games as a vehicle for learning; and (d) integrating elements such as scoreboards, feedback loops, and reward systems derived from digital games into non-game contexts—also referred to as gamification.
Scholarship on DGBL focusing on informal settings has alternatively highlighted the socially situated, interpretive practices of gamers; the role of affinity spaces and participatory cultures; and the intersection of gaming practices with the lifeworlds of game players.
As DGBL has continued to demonstrate influence on a variety of fields, it has also attracted criticism. Among these critiques are the question of the relative effectiveness of DGBL for achieving educational outcomes. Critiques of the quality and design of educational games have also been raised by educators, designers, and gamers alike. Interpretive scholars have tended to question the primacy of institutionally defined approaches to DGBL, highlighting instead the importance of understanding how people make meaning through and with games beyond formal schooling. Critical scholars have also identified issues in the ethics of DGBL in general and gamification in particular as a form of behavior modification and social control. These critiques often intersect and overlap with criticism of video games in general, including issues of commercialism, antisocial behaviors, misogyny, addiction, and the promotion of violence. Despite these criticisms, research and applications of DGBL continue to expand within and beyond the field of education, and evolving technologies, social practices, and cultural developments continue to open new avenues of exploration in the area."
The Federal Trade Commission (FTC) recently issued a policy statement about the application of the Children’s Online Privacy Protection Act (COPPA) to Ed Tech providers, warning that they can only use student personally identifiable information (PII) collected with school consent for the benefit of the school, and that they cannot retain it for longer than required to meet the purpose of collection.
Ironically, days later, a Human Rights Watch investigative report observed that almost 90 percent of Ed Tech products it reviewed “appeared to engage in data practices that put children’s rights at risk.”
These revelations are no surprise to children’s privacy advocacy groups like the Student Data Privacy Project. But in the midst of a COVID-fog, much like the fog of war, Ed Tech remained largely insulated from scrutiny, siphoning student PII with impunity.
Taking a step back, it’s important to understand how Ed Tech providers access and collect this information. In 1974, the Family Educational Rights and Privacy Act (FERPA) was passed to protect school-held PII, such as that found in student directories. But FERPA contains a “School Official Exception” that allows schools to disclose children’s PII without parental consent so long as it’s disclosed for a “legitimate educational interest” and the school maintains “direct control” over the provider.
In 1974, it was easy to maintain direct control over entities because there was no internet.
Today, schools increasingly rely on Ed Tech platforms to provide digital learning, pursuant to an electronically signed agreement, hosted by a nameless/faceless server, somewhere in the ether. Yet the law has barely changed since 1974. For example, the Department of Education (DOE) maintains that direct control can be established through use of a contract between the parties, despite the fact that online contracts and Terms of Service are often take-it-or-leave-it propositions that favor online services. In law, we called these “contracts of adhesion.” In Ed Tech advocacy, we call them data free-for-alls.
Given these concerns, in 2021 the Student Data Privacy Project (SDPP) helped parents from North Carolina to Alaska file access requests with their children’s schools under a FERPA provision mandating that schools provide parents access to their children’s PII. Most parents received nothing. Many schools seemed unable to get their Ed Tech providers to respond, and other schools didn’t know how to make the request of the provider.
One Minnesota parent received over 2,000 files, revealing a disturbing amount of personal information held by EdTech. How might this data be used to profile this child? And how does this comport with the FTC’s warning about retaining information only for as long as needed to fulfill the purpose of collection?
Despite this isolated example, most parents failed to receive a comprehensive response. As such, SDPP worked with parents to file complaints with the DOE in July 2021. As the one-year anniversary of these complaints draws near, however, the DOE has taken no substantive action.
Ironically, in cases where the DOE sent copies of the parent’s complaint to the affected school district, the school’s response only bolstered concerns. One Alaska school district misapplied a Supreme Court case dealing with FERPA, asserting that “data gathered by technology vendors is not ‘educational records’ under FERPA” because the Ed Tech records are not “centrally stored” by the school. Ironically, that school attached its FERPA addendum to that same letter, which explicitly states that it “includes all data specifically protected by FERPA, including student education records, in any form.”
Unfortunately, this is indicative of widespread confusion by schools about applying FERPA to Ed Tech.
Yet parents have few options for holding Ed Tech providers accountable. Parents can’t sue Ed Tech because the schools have the direct contractual relationship. Parents can’t directly enforce FERPA because FERPA doesn’t offer a private right of action. Even state privacy laws are of little help when consent for sharing is given — and FERPA allows schools to consent on parents’ behalf.
There is some cause for hope. For example, President Biden’s March 1 State of the Union speech challenged Congress to strengthen children’s privacy protections “by banning online platforms from excessive data collection and targeted advertising for children.” And in January, Rep. Tom Emmer (R-Minn.) sent DOE a letter inquiring about the SDPP parent complaints. Most recently, we have the FTC’s warning to Ed Tech about protecting student data privacy. Beyond that, however, we’ve seen little progress, or action, by the government.
So here are three things that need to happen to hold Ed Tech accountable:
The FTC needs to enforce COPPA obligations on Ed Tech providers.
The DOE must enforce FERPA, compelling schools to hold Ed Tech vendors accountable.
Congress must update FERPA for the realities of the 21st century.
A 50th Anniversary is always a big occasion in a relationship, warranting a grand gesture to renew the commitment.
So what better gesture for the 50th anniversary of FERPA in 2024 than for the government to renew its commitment to protecting the privacy of nearly 50 million students by enforcing the law and closing the gaps that have allowed Ed Tech providers to exploit children’s PII for their own profit, without oversight or accountability?"
"Colleges and universities experienced a surge in ransomware attacks in 2021, and those attacks had significant operational and financial costs, according to a new report."
By Susan D'Agostino
“You can collect that money in a couple of hours,” a ransomware hacker’s representative wrote in a secure June 2020 chat with a University of California, San Francisco, negotiator about the $3 million ransom demanded. “You need to take us seriously. If we’ll release on our blog student records/data, I’m 100% sure you will lose more than our price what we ask.”
The university later paid $1.14 million to gain access to the decryption key.
Colleges and universities worldwide experienced a surge in ransomware attacks in 2021, and those attacks had significant operational and financial costs, according to a new report from Sophos, a global cybersecurity leader. The survey included 5,600 IT professionals, including 410 from higher education, across 31 countries. Though most of the education victims succeeded in retrieving some of their data, few retrieved all of it, even after paying the ransom.
“The nature of the academic community is very collegial and collaborative,” said Richard Forno, assistant director of the University of Maryland Baltimore County Center for Cybersecurity. “There’s a very fine line that universities and colleges have to walk between facilitating academic research and education and maintaining strong security.”
That propensity of colleges to share openly and widely can make the institutions susceptible to attacks.
Nearly three-quarters (74 percent) of ransomware attacks on higher ed institutions succeeded. Hackers’ efforts in other sectors were not as fruitful, including in business, health care and financial services, where respectively 68 percent, 61 percent and 57 percent of attacks succeeded. For this reason, cybercriminals may view colleges and universities as soft targets for ransomware attacks, given their above-average success rate in encrypting higher education institutions’ data.
Despite high-profile ransomware attacks such as one in 2020 that targeted UC San Francisco, higher ed institutions’ efforts to protect their networks continued to fall short in 2021."...
By Stephen J. Neville and Natalie Coulter, York University, Canada "In many busy households around the world, it’s not uncommon for children to shout out directives to Apple’s Siri or Amazon’s Alexa. They may make a game out of asking the voice-activated personal assistant (VAPA) what time it is, or requesting a popular song. While this may seem like a mundane part of domestic life, there is much more going on.
The VAPAs are continuously listening, recording and processing acoustic happenings in a process that has been dubbed “eavesmining,” a portmanteau of eavesdropping and datamining. This raises significant concerns pertaining to issues of privacy and surveillance, as well as discrimination, as the sonic traces of peoples’ lives become datafied and scrutinized by algorithms.
These concerns intensify as we apply them to children. Their data is accumulated over lifetimes in ways that go well beyond what was ever collected on their parents with far-reaching consequences that we haven’t even begun to understand.
There are pressing issues that derive from the collection, storage and analysis of sonic data as they pertain to parents, youth and children. Alarms have been raised in the past — in 2014, privacy advocates raised concerns on how much the Amazon Echo was listening to, what data was being collected and how the data would be used by Amazon’s recommendation engines.
Information about acoustic environments (like a noisy apartment) or particular sonic events (like breaking glass) can also be gleaned through “auditory scene analysis” to make judgments about what is happening in that environment.
For example, smart speaker data may be used to create profiles such as “noisy households,” “disciplinary parenting styles” or “troubled youth.” This could, in the future, be used by governments to profile those reliant on social assistance or families in crisis with potentially dire consequences.
There are also new eavesmining systems presented as a solution to keep children safe called “aggression detectors.” These technologies consist of microphone systems loaded with machine learning software, dubiously claiming that they can help anticipate incidents of violence by listening for signs of raising volume and emotions in voices, and for other sounds such as glass breaking.
Monitoring schools
Aggression detectors are advertised in school safety magazines and at law enforcement conventions. They have been deployed in public spaces, hospitals and high schools under the guise of being able to pre-empt and detect mass shootings and other cases of lethal violence.
We can anticipate that the speech and voices of racialized children and youth will be disproportionately misinterpreted as aggressive sounding. This troubling prediction should come as no surprise as it follows the deeply entrenched colonial and white supremacist histories that consistently police a “sonic color line.”
Sound policy
Eavesmining is a rich site of information and surveillance as children and families’ sonic activities have become valuable sources of data to be collected, monitored, stored, analysed and sold without the subject’s knowledge to thousands of third parties. These companies are profit-driven, with few ethical obligations to children and their data.
With no legal requirement to erase this data, the data accumulates over children’s lifetimes, potentially lasting forever. It is unknown how long and how far-reaching these digital traces will follow children as they age, how widespread this data will be shared or how much this data will be cross-referenced with other data. These questions have serious implications on children’s lives both presently and as they age.
There are myriad threats posed by eavesmining in terms of privacy, surveillance and discrimination. Individualized recommendations, such as informational privacy education and digital literacy training, will be ineffective in addressing these problems and place too great a responsibility on families to develop the necessary literacies to counter eavesmining in public and private spaces.
We need to consider the advancement of a collective framework that combats the unique risks and realities of eavesmining. Perhaps the development of a Fair Listening Practice Principles — an auditory spin on the “Fair Information Practice Principles” — would help evaluate the platforms and processes that impact the sonic lives of children and families."...
"We need much stricter controls on the brands and influencers that share photos of children on social media, according to a pediatric consultant."
By Michael Staines "In a recent column for The Irish Examiner, Dr Niamh Lynch said we need to re-think how we use images of children on social media – calling for an end to what she called ‘digital child labour.’
She said children’s rights to privacy and safety were being breached without their consent, and often for financial gain.
On The Pat Kenny Show this morning, she said the article was in response to the rise in ‘sharenting’ and ‘mumfluencers.’
“Without picking one example - and that wouldn’t actually be fair because I think a bit of responsibility has to be taken by the social media companies themselves and by the companies that use these parents - but certainly there would be tales of children being clearly unhappy or tired or not in the mood and yet it has become their job to promote a product or endorse a product or whatever,” she said.
“These children are doing work and because they’re young, they can’t actually consent to that. Their privacy can sometimes be violated and there is a whole ethical minefield around it.”
'Digital child labour'
She said Ireland needs tighter legislation to protect children’s rights and privacy – and to ensure there is total transparency about the money changing hands.
“People don’t realise that these children are working,” she said.
“These children are doing a job.
“It is a job that can at times compromise their safety. It is a job that compromises their privacy and it is certainly a job they are doing without any sort of consent.
“It is very different say with a child in an ad for a shopping centre or something like that. Where you see the face of the child, but you know nothing about them.
“These children, you know everything about them really in many cases.
“So yes, I would say there needs to be tighter legislation around it. It needs to be clear because very often it is presented within the sort of cushion of family life and the segue between what is family life and what is an ad isn’t always very clear.
“There needs to be more transparency really about transactions that go on in the background.”
Privacy
She said there is a major issue around child safety when so much personal information is being shared.
“The primary concern would be the safety of the child because once a child becomes recognisable separate to the parent then there’s the potential for them to become a bit of a target,” she said.
“When you think about how much is shared about these children online, it is pretty easy to know who their siblings are, what their date of birth is, when they lost their last tooth, what their pet’s name is.
“There is so much information out there about certain children and there are huge safety concerns around that then as well.”
Legislation
Dr Lynch said we won’t know the impact on many children for at least another decade; however, children that featured in early YouTube videos are already coming out and talking about what an “uncomfortable experience” it was for them.
“I think the parents themselves to a degree perhaps are also being exploited by large companies who are using them to use their child to promote products,” she said.
“So, I think large companies certainly need to take responsibility and perhaps we should call those companies out when we see that online.”
“The social media companies really should tighten up as well.”
California's Largest District & Riverside County Add Nearly 1 Million To the Number of Students Whose Private Data Was Stolen From Illuminate
By Kristal Kuykendall
"The breach of student data that occurred during a January 2022 cyberattack targeting Illuminate Education’s systems is now known to have impacted the nation’s second-largest school district, Los Angeles Unified with 430,000 students, which has notified state officials along with 24 other districts in California and one in Washington state.
The vast reach of the data breach will likely never be fully known because most state laws do not require public disclosure of data breaches; Illuminate has said in a statement that the data of current and former students was compromised at the impacted schools but declined to specify the total number of students impacted in multiple email communications with THE Journal.
The estimated total of 3 million is based on New York State Department of Education official estimates that “at least 2 million” statewide were impacted, plus the current enrollment figures of the other districts that have since disclosed their student data was also breached by Illuminate.
California requires a notice of a data breach to be posted on the attorney general’s website, but the notices do not include any details such as what data was stolen, nor the number of students affected; the same is true in Washington, where Impact Public Schools in South Puget Sound notified the state attorney general this week that its students were among those impacted by the Illuminate incident.
Oklahoma City Public Schools on May 13 added its 34,000 students to the ever-growing list of those impacted by the Illuminate Education data breach; thus far, it is the only district in Oklahoma known to have been among the hundreds of K–12 schools and districts across the country whose private student data was compromised while stored within Illuminate’s systems. Oklahoma has no statewide public disclosure requirements, so it’s left up to local districts to decide whether and how to notify parents in the event of a breach of student data, Oklahoma Department of Education officials told THE Journal recently.
In Colorado, where nine districts have publicly disclosed that the Illuminate breach included the data of their combined 140,000 students, there is no legal mandate for school districts nor ed tech vendors to notify state education officials when student data is breached, Colorado Department of Education Director of Communications Jeremy Meyer told THE Journal. State law does not require student data to be encrypted, he said, and CDE has no authority to collect data on nor investigate data breaches. Colorado’s Student Data Transparency and Security Act, passed in 2016, goes no further than “strongly urging” local districts to stop using ed tech vendors who leak or otherwise compromise student data.
Most of the notifications shared by districts included in the breach have simply shared a template letter, or portions of it, signed by Illuminate Education. It states that Social Security numbers were not part of the private information that was stolen during the cyberattack.
Notification letters shared by impacted districts have stated that the compromised data included student names, academic and behavioral records, enrollment data, disability accommodation information, special education status, demographic data, and in some cases the students’ reduced-price or free lunch status.
Illuminate has told THE Journal that the breach was discovered after it began investigating suspicious access to its systems in early January. The incident resulted in a week-long outage of all Illuminate’s K–12 school solutions, including IO Classroom (previously named Skedula), PupilPath, EduClimber, IO Education, SchoolCity, and others, according to its service status site. The company’s website states that its software products serve over 5,000 schools nationally with a total enrollment of about 17 million U.S. students.
Hard-Hit New York Responds with Investigation of Illuminate
The New York State Education Department on May 5 told THE Journal that 567 schools in the state — including “at least” 1 million current and former students — were among those impacted by the Illuminate data breach, and NYSED data privacy officials opened an investigation on April 1.
The list of all New York schools impacted by the data breach was sent to THE Journal in response to a Freedom of Information request; NYSED officials said the list came from Illuminate. Each impacted district was working to confirm how many current and former students were among those whose data were compromised, and each is required by law to report those totals to NYSED, so the total number of students affected was expected to grow, the department said."
By Alison McDowell, wrenchinthegears.com "This is a presentation prepared for One Ocean, Many Waves Cross-movement Summit on the occasion of the 2020 UN Conference on the Status of Women, which was cancelled due to the pandemic, and thus presented online instead. The topic is the ways in which the Sustainable Development Goals underpin predatory "pay for success" human capital investment markets."
"ChatGPT is fueled by our intimate online histories. It’s trained on 300 billion words, yet users have no way of knowing which of their data it contains."...
"The digital behaviour-monitoring app ClassDojo has become one of the most popular educational technologies in the world. Widely adopted by teachers of young children in Australia, Europe and North America since its initial launch in 2011, ClassDojo is now attracting critical attention from researchers and the media too. These critical perspectives are importantly illuminating how popular classroom technologies such as ClassDojo and the wider ‘ed-tech’ market are involved in reshaping the purposes and practices of education at an international scale. They are global, networked, demanding of teachers’ labour, and based on the extraction of digital information from schools—all raising significant questions for critical interrogation.
The purpose of engaging with ClassDojo critically is to challenge some of the taken-for-granted assumptions used to justify and promote the rollout and uptake of new edtech products and services in classrooms. Being critical does not necessarily imply militant judgement, but instead careful inquiry into the origins, purposes and implications of new technologies, their links to education policies, and the practices they shape in schools. What do these new technologies ultimately mean for education looking to the future?
Much contemporary education policy and practice tends to be fixated on research that solves problems and offers evidence of ‘what works’ (Biesta, Filippakou, Wainwright & Aldridge, 2019). One of the most important aims of educational research, however, is to identify problems:
Educational research that operates in a problem‐posing rather than a problem‐solving mode is … itself a form of education as it tries to change mindsets and common perceptions, tries to expose hidden assumptions, and tries to engage in ongoing conversations about what is valuable and worthwhile in education and society more generally. (Biesta et al, 2019, p.3)...
"The Federal Trade Commission on Monday cracked down on Chegg, an education technology firm based in Santa Clara, Calif., saying the company’s “careless” approach to cybersecurity had exposed the personal details of tens of millions of users.
In a legal complaint, filed on Monday morning, regulators accused Chegg of numerous data security lapses dating to 2017. Among other problems, the agency said, Chegg had issued root login credentials, essentially an all-access pass to certain databases, to multiple employees and outside contractors. Those credentials enabled many people to look at user account data, which the company kept on Amazon Web Services’ online storage system.
As a result, the agency said, a former Chegg contractor was able to use company-issued credentials to steal the names, email addresses and passwords of about 40 million users in 2018. In certain cases, sensitive details on students’ religion, sexual orientation, disabilities and parents’ income were also taken. Some of the data was later found for sale online.
Chegg’s popular homework help app is used regularly by millions of high school and college students. To settle the F.T.C.’s charges, the agency said Chegg had agreed to adopt a comprehensive data security program.
In a statement, Chegg said data privacy was a top priority for the firm and that the company had worked with the F.T.C. to reach a settlement agreement. The company said it currently has robust security practices, and that the incidents described in the agency’s complaint had occurred more than two years ago. Only a small percentage of users had provided data on their religion and sexual orientation as part of a college scholarship finder feature, the company said in the statement.
“Chegg is wholly committed to safeguarding users’ data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts,” the statement said.
The F.T.C.’s enforcement action against Chegg, a prominent industry player, amounts to a warning to the U.S. education technology industry.
Since the early days of the pandemic in 2020, the education technology sector has enjoyed a surge in customers and revenue. To enable remote learning, many schools and universities rushed to adopt digital tools like exam-proctoring software, course management platforms and video meeting systems.
Students and their families, too, turned in droves to online tutoring services and study aids like math apps. Among them, Chegg, which had a market capitalization of $2.7 billion at the end of trading on Monday, reported annual revenues of $776 million for 2021, an increase of 20 percent from the previous year.
Some online learning systems proved so useful that many students, and their educational institutions, continued to use the tools even after schools and colleges returned to in-person teaching.
But the fast growth of digital learning tools during the pandemic also exposed widespread flaws.
Many online education services record, store and analyze a trove of data on students’ every keystroke, swipe and click — information that can include sensitive details on children’s learning challenges or precise locations. Privacy and security experts have warned that such escalating surveillance may benefit companies more than students.
In March, Illuminate Education, a leading provider of student-tracking software, reported a cyberattack on certain company databases. The incident exposed the personal information of more than a million current and former students across dozens of districts in the United States — including New York City, the nation’s largest public school system.
In May, the F.T.C. issued a policy statement saying that it planned to crack down on ed tech companies that collected excessive personal details from schoolchildren or failed to secure students’ personal information.
The F.T.C. has a long history of fining companies for violating children’s privacy on services like YouTube and TikTok. The agency is able to do so under a federal law, the Children’s Online Privacy Protection Act, which requires online services aimed at children under 13 to safeguard youngsters’ personal data and obtain parental permission before collecting it.
But the federal complaint against Chegg represents the first case under the agency’s new campaign focused specifically on policing the ed-tech industry and protecting student privacy. In the Chegg case, the homework help platform is not aimed at children, and the F.T.C. did not invoke the children’s privacy law. The agency accused the company of unfair and deceptive business practices.
Chegg was founded in 2005 as a textbook rental service for college students. Today it is an online learning giant that rents e-textbooks.
But it is most known as a homework help platform where, for $15.95 per month, students can find ready answers to millions of questions on course topics like relativity or mitosis. Students may also ask Chegg’s online experts to answer specific study or test questions they have been assigned.
Teachers have complained that the service has enabled widespread cheating. Students even have a nickname for copying answers from the platform: “chegging.”
Chegg’s privacy policy promised users that the company would take “commercially reasonable security measures to protect” their personal information. Chegg’s scholarship finder service, for instance, collected information like students’ birth dates as well as details on their religion, sexual orientation and disabilities, the F.T.C. said.
But regulators said the company failed to use reasonable security measures to protect user data, even after a series of security lapses that enabled intruders to gain access to sensitive student data and employees’ financial information.
As part of the consent agreement proposed by the F.T.C., Chegg must provide security training to employees and encrypt user data. Chegg must also give consumers access to the personal information it has collected about them — including any precise location data or persistent identifiers like IP addresses — and enable users to delete their records.
Other online learning services may also hear from regulators. The F.T.C. disclosed in July that it was pursuing a number of nonpublic investigations into ed tech providers.
“Chegg took shortcuts with millions of students’ sensitive information,” Samuel Levine, the director of the agency’s Bureau of Consumer Protection, said in a news release on Monday. “The commission will continue to act aggressively to protect personal data.”
Natasha Singer is a business reporter covering health technology, education technology and consumer privacy. @natashanyt"
"In 2020, New York became a national civil rights leader, the first state in the country to ban facial recognition in schools. But almost two years later, state officials are examining whether to reverse course and give a passing grade to this failing technology.
Wasting money on biased and faulty tech will only make schools a harsher, more dangerous environment for students, particularly students of color, LGBTQ+ students, immigrant students, and students with disabilities. Preserving the statewide moratorium on biometric surveillance in schools will protect our kids from racially biased, ineffective, unsecure and dangerous tech.
Biometric surveillance depends on artificial intelligence, and human bias infects AI systems. Facial recognition software programmed to only recognize two genders will leave transgender and nonbinary individuals invisible. A security camera that learns who is “suspicious looking” using pictures of inmates will replicate the systemic racism that results in the mass incarceration of Black and brown men. Facial recognition systems may be up to 99 percent accurate on white men, but can be wrong more than one-in-three times for some women of color.
What’s worse, facial recognition technology has even higher inaccuracy rates when used on students. Voice recognition software, another widely known biometric surveillance tool, echoes this pattern of poor accuracy for those who are nonwhite, non-male, or young.
The data collected by biometric surveillance technologies is vulnerable to a variety of security threats, including hacking, data breaches and insider attacks. This data – which includes scans of facial features, fingerprints, and irises – is unique and highly sensitive, making it a valuable target for hackers and, once compromised, impossible to reissue like you would a password or PIN. Collecting and storing biometric data in schools, which tend to have inadequate cybersecurity practices, puts children at great risk of being tracked and targeted by malicious actors. There is absolutely no need to expose children to these privacy and safety risks.
The types of biometric surveillance technology being marketed to schools are widely recognized as dangerous. One particularly controversial vendor of facial recognition technology, Clearview AI, has reportedly tested or implemented its systems in more than 50 educational institutions across 24 states. Other countries have started to appreciate the threat Clearview poses to privacy, with Australia recently ordering it to cease its scraping of images. And last year, privacy groups in Austria, France, Greece, Italy and the U.K. filed legal complaints against Clearview. All while the company continues to market its products to schools in the U.S.
As the world begins to wake up to the risks of using facial recognition, New York should not make the mistake of allowing young kids to be subjected to its harms. Additionally, one study found that CCTV systems in U.K. secondary schools led many students to suppress their expressions of individuality and alter their behavior. Normalizing biometric surveillance will bring about a bleak future for kids at schools across the country.
New York shouldn’t waste money on tech that criminalizes and harms young people. Most school shootings are committed by current students or alumni of the school in question, faces of whom would not be flagged as suspicious by facial recognition systems. And even if the technology were to flag a real potential perpetrator of violence, given the speed at which most school shootings usually come to an end, it is unlikely that law enforcement would be notified and able to arrive to the scene in time to prevent such horrendous acts.
Students, parents and stakeholders have the opportunity to submit a brief survey to let the State Education Department know that they want facial recognition and other biased AI out of their schools, not just temporarily but permanently. New York must at least extend the moratorium on biometric surveillance in schools, and ultimately should put an end to the use of such problematic technology altogether."
Mahima Arya is a computer science fellow at the Surveillance Technology Oversight Project (S.T.O.P.), a human rights fellow at Humanity in Action, and a graduate of Carnegie Mellon University. Nina Loshkajian is a D.A.T.A. Law Fellow at S.T.O.P. and a graduate of New York University School of Law.
"A ransomware attack over Labor Day weekend brought to a standstill the online systems of Los Angeles Unified School District, the second-largest K–12 district in the country with about 640,000 students, LAUSD officials confirmed this morning in a statement on its website."
By Joshua Brustein
"Over the course of his life, Alejo Lopez de Armentia has played video games for a variety of reasons. There was the thrill of competition, the desire for companionship, and, at base, the need to pass the time. In his 20s, feeling isolated while working for a solar panel company in Florida, he spent his evenings using video games as a way to socialize with his friends back in Argentina, where he grew up.
But 10 months ago, Armentia, who’s 39, discovered a new game, and with it a new reason to play: to earn a living. Compared with the massively multiplayer games that he usually played, Axie Infinity was remarkably simple. Players control three-member teams of digital creatures that fight one another. The characters are cartoonish blobs distinguished by their unique mixture of interchangeable body parts, not unlike a Mr. Potato Head. During “combat” they cheerily bob in place, waiting to take turns casting spells against their opponents. When a character is defeated, it becomes a ghost; when all three squad members are gone, the team loses. A match takes less than five minutes.
Even many Axie regulars say it’s not much fun, but that hasn’t stopped people from dedicating hours to researching strategies, haunting Axie-themed Discord channels and Reddit forums, and paying for specialized software that helps them build stronger teams. Armentia, who’s poured about $40,000 into his habit since last August, professes to like the game, but he also makes it clear that recreation was never his goal. “I was actually hoping that it could become my full-time job,” he says.
The reason this is possible—or at least it seemed possible for a few weird months last year—is that Axie is tied to crypto markets. Players get a few Smooth Love Potion (SLP) tokens for each game they win and can earn another cryptocurrency, Axie Infinity Shards (AXS), in larger tournaments. The characters, themselves known as Axies, are nonfungible tokens, or NFTs, whose ownership is tracked on a blockchain, allowing them to be traded like a cryptocurrency as well.
There are various ways to make money from Axie. Armentia saw his main business as breeding, which doesn’t entail playing the game so much as preparing to play it in the future. Players who own Axies can create others by choosing two they already own to act as parents and paying a cost in SLP and AXS. Once they do this and wait through an obligatory gestation period, a new character appears with some combination of its parents’ traits.
Every new Axie player needs Axies to play, pushing up their price. Armentia started breeding last August, at a time when normal economics seemed not to apply. “You would be making 300%, 400% on your money in five days, guaranteed,” he says. “It was stupid.”
Axie’s creator, a startup called Sky Mavis Inc., heralded all this as a new kind of economic phenomenon: the “play-to-earn” video game. “We believe in a world future where work and play become one,” it said in a mission statement on its website. “We believe in empowering our players and giving them economic opportunities. Welcome to our revolution.” By last October the company, founded in Ho Chi Minh City, Vietnam, four years ago by a group of Asian, European, and American entrepreneurs, had raised more than $160 million from investors including the venture capital firm Andreessen Horowitz and the crypto-focused firm Paradigm, at a peak valuation of about $3 billion. That same month, Axie Infinity crossed 2 million daily users, according to Sky Mavis.
If you think the entire internet should be rebuilt around the blockchain—the vision now referred to as web3—Axie provided a useful example of what this looked like in practice. Alexis Ohanian, co-founder of Reddit and an Axie investor, predicted that 90% of the gaming market would be play-to-earn within five years. Gabby Dizon, head of crypto gaming startup Yield Guild Games, describes Axie as a way to create an “investor mindset” among new populations, who would go on to participate in the crypto economy in other ways. In a livestreamed discussion about play-to-earn gaming and crypto on March 2, former Democratic presidential contender Andrew Yang called web3 “an extraordinary opportunity to improve the human condition” and “the biggest weapon against poverty that we have.”
By the time Yang made his proclamations the Axie economy was deep in crisis. It had lost about 40% of its daily users, and SLP, which had traded as high as 40¢, was at 1.8¢, while AXS, which had once been worth $165, was at $56. To make matters worse, on March 23 hackers robbed Sky Mavis of what at the time was roughly $620 million in cryptocurrencies. Then in May the bottom fell out of the entire crypto market." ...
Big Tech's self-regulatory effort has long been accused of being toothless. Is that about to change?
By Mark Keierleber - July 24, 2022
"A few months after education leaders at America’s largest school district announced that a technology vendor had exposed sensitive student information in a massive data breach, the company at fault — Illuminate Education — was recognized with the software industry’s equivalent of the Oscars.
Since that disclosure in New York City schools, the scope of the breach has only grown, with districts in six states announcing that some 3 million current and former students had become victims. Illuminate has never disclosed the full extent of the blunder, even as critics decry significant harm to kids and security experts question why the company is being handed awards instead of getting slapped with sanctions.
Amid demands that Illuminate be held accountable for the breach — and for allegations that it misrepresented its security safeguards — the company could soon face unprecedented discipline for violating the Student Privacy Pledge, a self-regulatory effort by Big Tech to police shady business practices. In response to inquiries by The 74, the Future of Privacy Forum, a think tank and co-creator of the pledge, disclosed Tuesday that Illuminate could soon get the boot.
Forum CEO Jules Polonetsky said his group will decide within a month whether to revoke Illuminate’s status as a pledge signatory and refer the matter to state and federal regulators, including the Federal Trade Commission, for possible sanctions.
“We have been reviewing the deeply concerning circumstances of the breach and apparent violations of Illuminate Education’s pledge commitments,” Polonetsky said in a statement to The 74.
Illuminate did not respond to interview requests.
In a twist, the pledge was co-created by the Software and Information Industry Association, the trade group that recognized Illuminate last month as being among “the best of the best” in education technology. The pledge, created nearly a decade ago, is designed to ensure that education technology vendors are ethical stewards of kids’ most sensitive data. Its staunchest critics have assailed the pledge as being toothless — if not an outright effort to thwart meaningful government regulation. Now, they are questioning whether its response to the massive Illuminate breach will be any different.
“I have never seen anybody get anything more than a slap on the wrist from the actual people controlling the pledge,” said Bill Fitzgerald, an independent privacy researcher. Taking action against Illuminate, he said, “would break the pledge’s pretty perfect record for not actually enforcing any kind of sanctions against bad actors.”
Through the voluntary pledge, launched in 2014, hundreds of education technology companies have agreed to a slate of safety measures to protect students’ online privacy. Pledge signatories, including Illuminate, have promised they will not sell student data to third parties or use the information for targeted advertising. Companies that sign the commitment also agree to “maintain a comprehensive security program” to protect students’ personal information from data breaches.
The privacy forum, which is funded by tech companies, has long maintained that the pledge is legally binding and offers assurances to school districts as they shop for new technology. In the absence of a federal consumer privacy law, the forum argues the pledge grants “an important and unique means for privacy enforcement,” giving the Federal Trade Commission and state attorneys general an outlet to hold education technology companies accountable via consumer protection rules that prohibit unfair and deceptive business practices.
For years, critics have accused the pledge of providing educators and parents false assurances that a given product is safe, rendering it less useful than a pinky promise. Meanwhile, schools and technology companies have become increasingly entangled — particularly during the pandemic. As districts across the globe rushed to create digital classrooms, few governments checked to make sure the tech products officials endorsed were safe for children, according to a recent report by the Human Rights Watch. Shoddy student data practices by leading tech vendors, the group found, were rampant. Of the 164 tools analyzed, 89 percent “engaged in data practices that put children’s rights at risk,” with a majority giving student records to advertisers.
As companies suck up a mind-boggling amount of student information, a lack of meaningful enforcement has let tech companies off the hook for violating students’ privacy rights, said Hye Jung Han, a Human Rights Watch researcher focused on children. As a result, she said, students whose schools require them to use certain digital tools are being forced to “give up their privacy in order to learn.” Paired with large-scale data breaches, like the one at Illuminate, she said students’ sensitive records could be misused for years.
“Children, as we know, are more susceptible to manipulation based on what they see online,” she said. “So suddenly the information that’s collected about them in the classroom is being used to determine the kinds of content and the kinds of advertising that they see elsewhere on the internet. It can absolutely start influencing their worldviews.”
But the regulatory environment under the Biden administration may be entering a new, more aggressive era. The Federal Trade Commission announced in May that it would scale up enforcement on education technology companies that sell student data for targeted advertising and that “illegally surveil children when they go online to learn.” Even absent a data breach like the one at Illuminate, the commission wrote in a policy statement, education technology providers violate the federal Children’s Online Privacy Protection Act if they lack reasonable systems “to maintain the confidentiality, security and integrity of children’s personal information.”
The FTC declined to comment for this article. Jeff Joseph, president of the Software and Information Industry Association, said its recent awards were based on narrow criteria and judges “would not be expected to be aware of the breach unless the company disclosed it during the demos.” News of the breach was widely covered in the weeks before the June awards ceremony.
The trade group “takes the privacy and security of student data seriously,” Joseph said in a statement, adding that the Future of Privacy Forum “maintains the day-to-day management of the pledge.”
‘Absolutely concerning’
Concerns of a data breach at California-based Illuminate began to emerge in January when several of the privately held company’s popular digital tools, including programs used in New York City to track students’ grades and attendance, went dark.
Yet it wasn’t until March that city leaders announced that the personal data of some 820,000 current and former students — including their eligibility for special education services and for free or reduced-price lunches — had been compromised in a data breach. In disclosing the breach, city education officials accused the company of misrepresenting its security safeguards. The Department of Education, which reportedly paid Illuminate $16 million over the last three years, told schools in May to stop using the company’s tools.
A month later, officials at the New York State Education Department launched an investigation into whether the company’s data security practices ran afoul of state law, department officials said. Under the law, education vendors are required to maintain “reasonable” data security safeguards and must notify schools about data breaches “in the most expedient way possible and without unreasonable delay.”
Outside New York City, state officials said the breach affected about 174,000 additional students across the state.
Doug Levin, the national director of The K12 Security Information eXchange, said the state should issue “a significant fine” to Illuminate for misrepresenting its security protocols to educators. Sanctions, he said, would “send a strong and very important signal that not only must you ensure that you have reasonable security in place, but if you say you do and you don’t, you will be penalized.”
Meanwhile, Illuminate has since become the subject of two federal class-action lawsuits in New York and California, including one that alleges that students’ sensitive information “is now an open book in the hands of unknown crooks” and is likely being sold on the dark web “for nefarious and mischievous ends.”
Plaintiff attorney Gary Graifman said that litigation is crucial for consumers because state attorneys general are often too busy to hold companies accountable.
“There’s got to be some avenue of interdiction that occurs so that companies adhere to policies that guarantee people their private information will be secured,” he said. “Obviously if there is strong federal legislation that occurs in the future, maybe that would be helpful, but right now that is not the case.”
School districts in California, Colorado, Connecticut, Oklahoma and Washington have since disclosed to current and former students that their personal information had been compromised in the breach. But the full extent remains unknown because “Illuminate has been the opposite of forthcoming about what has occurred,” Levin said.
Most states do not require companies to disclose data breaches to the public. Some 5,000 schools serving 17 million students use Illuminate tools, according to the company, which was founded in 2009.
“We now know that millions of students have been affected by this incident, from coast to coast in some of the largest school districts in the nation,” including in New York City and Los Angeles, Levin said. “That is absolutely concerning, and I think it shines a light on the role of school vendors,” who are a significant source of education data breaches.
Nobody, including the National Security Agency, can guarantee that their cybersecurity infrastructure will hold up against motivated hackers, Levin said, but Illuminate’s failure to disclose the extent of the breach raises a major red flag.
“The longer that Illuminate does not come clean with what’s happened, the worse it looks,” he said. “It suggests that this was maybe leaning on the side of negligence versus them being an unfortunate victim.”
‘A public relations tool’
When Illuminate signed the privacy pledge six years ago, it acknowledged the importance of protecting students’ data and said it offered a “secure online environment with data privacy securely in place.” On its website, Illuminate touts an “unwavering commitment to student data privacy,” and offers a link to the pledge.
“By signing this pledge,” the company wrote in a 2016 blog post, “we are making a commitment to continue doing what we have already been doing from the beginning — promoting that student data be safeguarded and used for encouraging student and educator success.”
Some pledge critics have accused tech companies of using it as a marketing tool. In 2018, a Duke Law and Technology Review report argued that pledge noncompliance was rampant and accused it of being “a mirage” that offered comfort to consumers “while providing little actual benefit.”...
By Ben Williamson, Kalervo N. Gulson, Carlo Perrotta and Kevin Witzenberger
"The global ‘big tech’ company Amazon is increasing its reach and power across a range of industries and sectors, including education. In a new paper for the special symposium ‘Platform Studies in Education’ in Harvard Educational Review, we conceptualize Amazon as a ‘state-like corporation’ influencing education through a ‘connective architecture’ of cloud computing, infrastructure and platform technologies. Like its retail and delivery logistics business it is operating at international scope and scale, and, congruent with Amazon’s growing influence across industries and sectors, possesses the power to reshape a wide range of educational practices and processes.
Our starting point is that education increasingly involves major technology companies, such as Google, Microsoft, and Amazon playing active roles as new kinds of networked governance actors. Infrastructures of test-based accountability and governance in education have long involved technical and statistical organizations. However, contemporary education governance is increasingly ‘data-driven’, using advanced technologies to collect and process huge quantities of digital information about student achievement and school and system performance.
In this context, new digitalized and datafied processes of education governance now involve multinational technology businesses offering infrastructure, platforms and data interoperability services. These connective architectures can affect the ways information is generated and used for institutional decision making, and also introduce new technical affordances into school practices, such as new platform-based learning, API-enabled integrations for increased interoperability, and advanced computing and data processing functionality from cloud infrastructures.
Our analysis focuses on Amazon, specifically its cloud computing subsidiary Amazon Web Services (AWS). Despite significant public, media, and regulatory attention to many of Amazon’s other activities and business practices, its activities in education remain only hazily documented or understood. AWS, we argue, enacts five distinctive operations in education.
Inscribing
The first part of our examination of AWS identifies how its corporate strategy underpins and infuses its objectives for education—a process we call inscribing to refer to the ways technology companies impress their business models on to the education sector. AWS is Amazon’s main profit engine, generating more than 60% of the corporation’s operating profits. Typifying the technoeconomic business model of big tech, it functions as a ‘landlord’ hosting industry, government, state and public sector operations on the cloud, while generating value from the ‘rent’ paid for on-demand access to cutting-edge cloud services, data processing, machine learning and artificial intelligence functionalities.
The ways this process of inscribing the business model on education takes place is evident in commercial marketing and discourse. AWS seeks to establish itself as an essential technical substrate of teaching, learning and administration, promoting its capacity to improve ‘virtual education’, ‘on-demand learning’ and ‘personalized learning’, and to support ‘digital transformation’ through ‘cloud-powered’ services like ‘campus automation’, ‘data analytics platforms’ and ‘artificial intelligence’. These promotional inscriptions paint a seductive picture of ‘pay-as-you-go’ educational improvement and seamless ‘plug-and-play’ transformation.
Beyond being discursive, these transformations require very specific kinds of contractual relations for cloud access, pay-as-you-go plans, and data agreements as per the AWS business model. AWS thus discursively inscribes and materially enacts its business model within education, impressing the techno-economic model of cloud tenancy, pay-as-you-go subscription rents, and computational outsourcing on to the education sector—potentially affecting some of the core functions of education in its pursuit of valuable rent and data extraction. Through this strategy, AWS is fast becoming a key cloud landlord for the education sector, governing the ways schools, colleges and edtech companies can access and use cloud services and digital data, while promoting a transformational vision of education in which its business interests might thrive.
Habituating
The second architectural operation of AWS is its techniques for accustoming users to the functionality of the cloud. We term this habituating users to AWS, or synchronizing human skills to the cloud. It does so through AWS Educate, an educational skills program designed to develop teachers and students’ competencies in cloud computing and readiness for ‘cloud careers’. AWS Educate seeks to establish a positive educational discourse of ‘the cloud’, whereby educators and students are encouraged to develop their skills with AWS services and tools for future personal success, thereby connecting hundreds of thousands of students, educators and institutions and accustoming current and future users to the AWS architecture.
With stated aims to reach 29 million learners worldwide by 2025, key features of AWS Educate include Cloud Career Pathways and Badges, with dedicated technical courses and credentials aligned to industry job roles like cloud computing engineer and data scientist. These credentials are underpinned by the Cloud Competency Framework, a global standard used to create, assess, and measure AWS Educate cloud programs informed by the latest labour market data on in-demand jobs. This strategy also serves the goal of increasing user conversions and further AWS adoption and expansion, advancing the business aim of converting user engagement into habitual long-term users as a route to future revenue streams.
In short, through its habituating operations, AWS promotes a normative vision of education as electronic micro-bundles of competency training and credentials, twinned with the habituation of users to its infrastructure. While serving its own revenue maximization prospects, AWS Educate challenges public education values of cultivating informed citizenship with values prioritizing a privatized and platformized education dedicated to the instrumentalist development of a future digital workforce.
Interfacing
The third operation enacted by AWS in education is interfacing. AWS provides new kinds of technical interfaces between educational institutions, intermediary partners, and the AWS infrastructure. This is exemplified by Amazon’s Alexa, a conversational interface, or voice assistant, that sits between users and AWS, and which AWS has begun promoting for integration into other educational applications. Its interfacing operations are achieved by the Alexa Education Skills Kit, a set of standards allowing Alexa to be embedded in third party products and services. We argue it illustrates how application programming interfaces (APIs) act as a connective tissue between powerful global data infrastructures, the digital education platform industry, and educational institutions.
For example, universities can develop their own Alexa Skills in the shape of institutionally branded voice interfaces for students to access coursework, grades and performance data; educators can embed Alexa in classes as voice-enabled quizzes and automated ‘study partners’; and institutions are encouraged to include Alexa Skills in ‘smart campus’ plans. In these ways, the Alexa Skills Kit provides a set of new AWS-enabled, automated interfaces between institutions, staff and students, mediating an increasing array of institutional relations via the AWS cloud and the automated capacities of Alexa.
The Alexa Education Skills Kit is one of many APIs AWS provides for the educational sector to access fast, scalable, reliable, and inexpensive data storage infrastructures and cloud computing capacities. The integration of automated voice assistants through the Education Skills Kit provides educational institutions a gateway into the core functionality of AWS. These interfaces depend upon the automated collection and analysis of voice data on campuses, its automated analysis in the AWS cloud, and the production of automated feedback, so generating a cascade of automation within institutions that have synchronized their operations with AWS. It normalizes ideals of automation in education, including the extensive data collection and student monitoring that such automation entails. Through its interfacing operations, we therefore argue, AWS and Alexa are advancing cascading logics of automation further into everyday educational routines.
Platforming
Cloud computing establishes the social and technical arrangements that enable other technology companies to build and scale platforms. Amazon has developed an explicit market strategy in education by hosting—or platforming—the wider global industry of education technology on the AWS Cloud, specifically by providing the server hosting, data storage and analytics applications necessary for third parties to build and operate education platforms. Its AWS Imagine conference highlights its aspirations to host a huge range of edtech products and other services, and to guide how the industry imagines the future of education.
The role of AWS in platforming the edtech industry includes back-end server hosting and data storage as well as active involvement in startup development. Many of the globe’s largest and most highly capitalized edtech companies and education businesses are integrated into AWS. AWS support for the edtech industry encompasses data centre and network architecture to ensure that clients can scale their platform, along with data security and other AWS services including content delivery, database, AI, machine learning, and digital end user engagement services. This complete package enables edtech companies to deliver efficient computing, storage, scale, and reliability, and advanced features like data analytics and other AI services.
As such, through its platforming operations, AWS acts as an integral albeit largely invisible cloud presence in the back-end of a growing array of edtech companies. The business model of AWS, and the detailed contractual agreements that startups must sign to access AWS services, construct new kinds of dependencies and technical lock-ins, whereby the functionalities offered by third-party education platform companies can only exist according to the contractual rules and the cloud capacities and constraints of AWS. This puts AWS into a powerful position as a catalyst and accelerator of ‘digital transformation’ in education, ultimately responsible for re-tooling the industry for expanded scale, computational power, and data analytics functionality.
Re-infrastructuring
The final operation we detail is re-infrastructuring, referring to the migration of an educational institution’s digital infrastructure to AWS. It does so through AWS Migration services, and by providing institutions with a suite of data analytics, AI and machine learning functionalities. AWS promises that by ‘using the AWS Cloud, schools and districts can get a comprehensive picture of student performance by connecting products and services so they seamlessly share data across platforms’. AWS also promotes Machine Learning for Education to ‘identify at-risk students and target interventions’ and to ‘improve teacher efficiency and impact with personalized content and AI-enabled teaching assistants and tutors’.
This seamless introduction of AI and automation is enabled by the formation of ‘data lakes’—a repository that hosts multiple types of data for machine learning analysis and visualization in the cloud. The process of ‘architecting a data lake’ involves the deployment of multiple AWS products and functionalities, including those for pulling data seamlessly from student information and learning management systems, and for handling the ‘machine learning workload’ of analysis. AWS promotes full infrastructure migration to the cloud in terms of making everything from students and staff to estates and operational processes more intelligible from data, and thereby more amenable to targeted action or intervention.
Through cloud migration and data lake architecting, schools and universities are outsourcing a growing range of educational and administrative operations. This ultimately reflects a fresh hierarchical stratification of education, with AWS and its cloud firmly on top, followed by a sprawling ecology of edtech companies that mediate between AWS and the clients at the bottom: the schools and universities that form the data lakes from which AWS derives value. Yet, despite being highly consequential, these infrastructural rearrangements remain opaque, hidden in proprietorial ‘black boxes’, potentially resistant to autonomous institutional decisions, and extremely expensive and challenging to reverse.
‘Big tech’ and ‘state-like corporations’
One key implication we detail in the paper is the growing role of multinational ‘big tech’ companies in education, and the complex ways they are advancing longstanding reform efforts to privatize and commercialize public education, albeit through new techno-economic business models and practices. Social scientific and legal scholarship on private platforms and infrastructures has begun to contend with their growing social, technical and economic power, particularly their implications for key functions and processes traditionally considered the responsibility of state agencies or public sector organizations. As a corporate cloud company, Amazon is attempting to create market dominance and even monopoly power across a multitude of sectors and industries, raising sharp political and legal questions over the appropriate regulatory or antitrust measures to be taken.
Part of this competition is also for infrastructural dominance in education. The expansion of AWS signifies how the governance of the public sector and its institutions is becoming increasingly dependent on the standards and conditions set by multinational big tech corporations like Amazon and Google. Amazon is gathering significant power as what Marion Fourcade and Jeff Gordon term a ‘state-like corporation’. As a corporation with state-like powers, AWS can use its technical and economic capacity to influence diverse education systems and contexts, at international scale, and potentially to fulfil governance roles conventionally reserved for state departments and ministries of education.
As such, the continuing expansion of AWS into education, through the connective architecture we outline in the paper, might substitute existing models of governance and policy implementation with programmable rules and computer scripts for action that are enacted by software directly within schools and colleges rather than mandated from afar by policy prescriptions and proscriptions. As a state-like corporation with international reach and market ambitions, AWS is exceeding the jurisdictional authority of policy centres to potentially become the default digital architecture for governing education globally."
May 23, 2022 "The report from SumOfUs highlights the staggering amount of harms found on Meta’s Horizon Worlds – as investors gather to vote on metaverse human rights assessment
San Francisco - A researcher was sexually harassed and assaulted (virtually), and witnessed gun violence and homophobic slurs within hours of entering Meta’s new virtual reality platform, Horizon Worlds.
Within about an hour of being on the platform, the researcher, posing as a 21 year old woman of color, was led to a private room at a house party where she was sexually assaulted, while a second user watched.
The findings of the investigation conducted by corporate accountability group, SumOfUs, come days before investors are due to vote on a shareholder resolution, co-filed by SumOfUs with Arjuna Capital, that demands Meta undertake a human rights impact assessment of its metaverse plans.
The research is further evidence that Meta’s light touch approach to moderation is allowing toxic behavior to already take root on its VR platforms, including sexual harassment and predatory behaviour towards female-appearing and female-sounding avatars.
Rewan Al-Hadad, SumOfUs campaign director said: “As it stands now, the metaverse is not safe, and based on Meta’s stance on how it will moderate the platform, it will continue to spiral into a dark abyss. Our researcher went from donning an oculus headset for the first time, to being virtually raped in less than an hour. And this isn’t a one-off account. Mark Zuckerberg claims he wants to connect the world – but what he’s doing is exposing people to seriously harmful encounters in a desperate attempt to save his company.”
Multiple researchers and users have reported similar experiences of sexual violence, hate speech and graphic content on Meta’s VR platforms, as well as on non-Meta apps that are able to be accessed through an Oculus headset. This is despite Meta promises to improve safety measures (1) and implement community guidelines. (2)
Last week Nick Clegg wrote that Metaverse moderation would be different to the active policing of problematic content on the Facebook platform but offered little detail about how this would work in practice.
In addition, SumOfUs and other groups as part of the Make Mark Listen campaign are calling for better governance of the company through shareholder resolution 4 demanding an assessment of the Audit and Risk Oversight Committee’s capacities and performance in overseeing company risks to public safety and the public interest.
"A Florida teenager taking a biology class at a community college got an upsetting note this year. A start-up called Honorlock had flagged her as acting suspiciously during an exam in February. She was, she said in an email to The New York Times, a Black woman who had been “wrongfully accused of academic dishonesty by an algorithm.”
What happened, however, was more complicated than a simple algorithmic mistake. It involved several humans, academic bureaucracy and an automated facial detection tool from Amazon called Rekognition. Despite extensive data collection, including a recording of the girl, 17, and her screen while she took the test, the accusation of cheating was ultimately a human judgment call: Did looking away from the screen mean she was cheating?
The pandemic was a boom time for companies that remotely monitor test takers, as it became a public health hazard to gather a large group in a room. Suddenly, millions of people were forced to take bar exams, tests and quizzes alone at home on their laptops. To prevent the temptation to cheat, and catch those who did, remote proctoring companies offered web browser extensions that detect keystrokes and cursor movements, collect audio from a computer’s microphone, and record the screen and the feed from a computer’s camera, bringing surveillance methods used by law enforcement, employers and domestic abusers into an academic setting.
Honorlock, based in Boca Raton, Fla., was founded by a couple of business school graduates who were frustrated by classmates they believed were gaming tests. The start-up administered nine million exams in 2021, charging about $5 per test or $10 per student to cover all the tests in the course. Honorlock has raised $40 million from investors, the vast majority of it since the pandemic began.
The Florida teenager is a rare example of an accused cheater who received the evidence against her: a 50-second clip from her hourlong Honorlock recording. She asked that her name not be used because of the stigma associated with academic dishonesty.
Flagged
The teenager was in the final year of a special program to earn both her high school diploma and her associate degree. Nearly 40 other students were in the teenager’s biology class, but they never met. The class, from Broward College, was fully remote and asynchronous.
Asynchronous online education was growing even before the pandemic. It offers students a more flexible schedule, but it has downsides. Last year, an art history student who had a question about a recorded lecture tried to email his professor, and discovered that the man had died nearly two years earlier.
The Florida teenager’s biology professor, Jonelle Orridge, was alive, but distant, her interactions with students taking place by email, as she assigned readings and YouTube videos. The exam this past February was the second the teenager had taken in the class. She set up her laptop in her living room in North Lauderdale, making sure to follow a long list of rules set out in the class syllabus and in an Honorlock drop-down menu: Do not eat or drink, use a phone, have others in the room, look offscreen to read notes, and so on.
The student had to pose in front of her laptop camera for a photo, show her student ID, and then pick her laptop up and use its camera to provide a 360-degree scan of the room to prove she didn’t have any contraband material. She didn’t mind any of this, she said, because she hoped the measures would prevent others from cheating.
She thought the test went well, but a few days later, she received an email from Dr. Orridge.
“You were flagged by Honorlock,” Dr. Orridge wrote. “After review of your video, you were observed frequently looking down and away from the screen before answering questions.”
She was receiving a zero on the exam, and the matter was being referred to the dean of student affairs. “If you are found responsible for academic dishonesty the grade of zero will remain,” Dr. Orridge wrote.
“This must be a mistake,” the student replied in an email. “I was not being academically dishonest. Looking down does not indicate academic dishonesty.”
‘The word of God’
The New York Times has reviewed the video. Honorlock recordings of several other students are visible briefly in the screen capture, before the teenager’s video is played.
The student and her screen are visible, as is a partial log of time stamps, including at least one red flag, which is meant to indicate highly suspicious behavior, just a minute into her test. As the student begins the exam, at 8:29 a.m., she scrolls through four questions, appearing to look down after reading each one, once for as long as 10 seconds. She shifts slightly. She does not answer any of the questions during the 50-second clip.
It’s impossible to say with certainty what is happening in the video. What the artificial intelligence technology got right is that she looked down. But to do what? She could be staring at the table, a smartphone or notes. The video is ambiguous.
When the student met with the dean and Dr. Orridge by video, she said, she told them that she looks down to think, and that she fiddles with her hands to jog her memory. They were not swayed. The student was found “responsible” for “noncompliance with directions,” resulting in a zero on the exam and a warning on her record.
“Who stares at a test the entire time they’re taking a test? That’s ridiculous. That’s not how humans work,” said Cooper Quintin, a technologist at the Electronic Frontier Foundation, a digital rights organization. “Normal behaviors are punished by this software.”
After examining online proctoring software that medical students at Dartmouth College claimed had wrongly flagged them, Mr. Quintin suggested that schools have outside experts review evidence of cheating. The most serious flaw with these systems may be a human one: educators who overreact when artificially intelligent software raises an alert.
“Schools seem to be treating it as the word of God,” Mr. Quintin said. “If the computer says you’re cheating, you must be cheating.”
Tess Mitchell, a spokeswoman for Honorlock, said it was not the company’s role to advise schools on how to deal with behavior flagged by its product.
“In no case do we definitively identify ‘cheaters’ — the final decision and course of action is up to the instructor and school, just as it would be in a classroom setting,” Ms. Mitchell said. “It can be challenging to interpret a student’s actions. That’s why we don’t.”
Dr. Orridge did not respond to requests for comment for this article. A spokeswoman from Broward College said she could not discuss the case because of student privacy laws. In an email, she said faculty “exercise their best judgment” about what they see in Honorlock reports. She said a first warning for dishonesty would appear on a student’s record but not have more serious consequences, such as preventing the student from graduating or transferring credits to another institution.
Who decides
Honorlock hasn’t previously disclosed exactly how its artificial intelligence works, but a company spokeswoman revealed that the company performs face detection using Rekognition, an image analysis tool that Amazon started selling in 2016. The Rekognition software looks for facial landmarks — nose, eyes, eyebrows, mouth — and returns a confidence score that what is onscreen is a face. It can also infer the emotional state, gender and angle of the face.
Honorlock will flag a test taker as suspicious if it detects multiple faces in the room, or if the test taker’s face disappears, which could happen when people cover their face with their hands in frustration, said Brandon Smith, Honorlock’s president and chief operating officer.
Honorlock does sometimes use human employees to monitor test takers; “live proctors” will pop in by chat if there is a high number of flags on an exam to find out what is going on. Recently, these proctors discovered that Rekognition was mistakenly registering faces in photos or posters as additional people in the room.
When something like that happens, Honorlock tells Amazon’s engineers. “They take our real data and use it to improve their A.I.,” Mr. Smith said.
Rekognition was supposed to be a step up from what Honorlock had been using. A previous face detection tool from Google was worse at detecting the faces of people with a range of skin tones, Mr. Smith said.
But Rekognition has also been accused of bias. In a series of studies, Joy Buolamwini, a computer researcher and executive director of the Algorithmic Justice League, found that gender classification software, including Rekognition, worked least well on darker-skinned females.
Determining a person’s gender is different from detecting or recognizing a face, but Dr. Buolamwini considered her findings a canary in a coal mine. “If you sell one system that has been shown to have bias on human faces, it is doubtful your other face-based products are also completely bias free,” she wrote in 2019.
The Times analyzed images from the student’s Honorlock video with Amazon Rekognition. It was 99.9 percent confident that a face was present and that it was sad, and 59 percent confident that the student was a man.
Dr. Buolamwini said the Florida student’s skin color and gender should be a consideration in her attempts to clear her name, regardless of whether they affected the algorithm’s performance.
“Whether it is technically linked to race or gender, the stigma and presumption placed on students of color can be exacerbated when a machine label feeds into confirmation bias,” Dr. Buolamwini wrote in an email.
The human element
As the pandemic winds down, and test takers can gather in person again, the remote proctoring industry may soon be in lower demand and face far less scrutiny. However, the intense activism around the technology during the pandemic did lead at least one company to make a major change to its product.
ProctorU, an Honorlock competitor, no longer offers an A.I.-only product that flags videos for professors to review.
“The faculty didn’t have the time, training or ability to do it or do it properly,” said Jarrod Morgan, ProctorU’s founder. A review of ProctorU’s internal data found that videos of flagged behavior were opened only 11 percent of the time.
All suspicious behavior is now reviewed by one of the company’s approximately 1,300 proctors, most of whom are based abroad in cheaper labor markets. Mr. Morgan said these contractors went through rigorous training, and would “confirm a breach” only if there was solid evidence that a test taker was receiving help. ProctorU administered four million exams last year; in analyzing three million of those tests, it found that over 200,000, or about 7 percent, involved some kind of academic misconduct, according to the company.
The teenager graduated from Broward College this month. She remains distraught at being labeled a cheater and fears it could happen again.
“I try to become like a mannequin during tests now,” she said.
Kashmir Hill is a tech reporter based in New York. She writes about the unexpected and sometimes ominous ways technology is changing our lives, particularly when it comes to our privacy. @kashhill"