In Which the Washington Bureau Chief Explains Her Ire at Data-Sharing Bills

by Eileen | 6:12 am, February 1, 2013 | Comments Off

I’d like to put a bill I briefly addressed earlier this week into context.  Andy Kerr’s SB 13-053 is superficially concerned with the mechanisms by which secondary schools share student data with state colleges.  This data sharing is done for the benefit and the ease of the colleges, allowing such decidedly un-student-centered tactics as sending data to colleges that students haven’t even applied to, allowing those school to recruit students even if the student hasn’t demonstrated interest.  At several points, the text mentions compliance with FERPA, but FERPA is so weak as to mean nothing when it comes to privacy concerns.  Much more on that in a bit.

SB 053 is the latest iteration in a succession of Democratic bills designed to make it easier for the state to gather and use data about citizens.  It is also an effort to bring Colorado into compliance with the Obama Administration’s agenda of removing any barriers to data mining America, in no small part achieved with disingenuous appeals to ‘streamlining’, providing ‘analyses’ that we’re supposed to assume are necessary and proper, and (what else) dangling federal money in front of states, provided they share data.

The article that got me thinking about the larger framework of bills like Sen. Kerr’s opened with a line that pretty much encapsulates my grievance with government data collecting: “Data is king in the progressives’ world. The more they have on you, the more they can control you.”

I would expand that sentiment, though.  Data is king in government’s world.  The more they have on you, the more they can control you. 

Remember, the PATRIOT Act came from George Bush.  FISA is lambasted by the minority party but keeps getting renewed.  SOPA and PIPA had friends on both sides of the aisle.  No political stripe has a monopoly on discarding privacy in the pursuit of power.  Having data on someone does indeed make him controllable.  Knowing he is monitored alters a man’s behavior.  That someone hostile or indifferent to him has so much data about him is an implied threat of blackmail.  And, as most people live the same day over and over, knowing how a man spends one day tells you a lot about how he will spend the next.  Information about a man makes him predictable and therefore manipulable and controllable.

The states likes to tell us the gravest threats to our privacy are from criminals and terrorists.  Balderdash.  You, oh reader, need to worry about the government and the corporations who have formed partnerships with the state.  Common sense and a few easy privacy fixes can largely negate the threat from scam artists and phishers.  The terrorism bogeyman is overrated to the point of unintentional satire.  If you are living in America in 2013, your privacy concerns are the U.S. Government and the companies with whom they’re bedding down.

Those general ideas certainly hold as regards student privacy.  Exemptions to laws protecting student privacy began as considerations of competing and legitimate interests – law enforcement, for instance.  Then, they gave way to specific interests with aims pretty distant from education – INS keeping an eye on foreign students, for one.  Now, it’s a goddam free-for-all.  The state compels students to provide massive amounts of data and creates masses more by tracking every conceivable aspect of a student’s academic performance, affiliation with campus groups, use of services, etc.  All this is widely shared among government agencies and with the private sector.  This holds from pre-school through graduate education.  Being in a private school offers little mitigation.

You’re aren’t just getting an education; you’re a product whether you know, whether you like it. 

This is particularly grotesque when done to minors who can’t imagine or understand what’s being done with their information and who have limited means to protest and challenge that data collection, anyway.  SB 053 fits into an already-established mechanism for collecting, sharing, and profiting from student data, a system with a fey key traits:

1. Bad legislation already makes sensitive data about students available to data miners and marketers, often under circumstances where the law explicitly denies parents the right to be notified and students the right to decline to participate.

2. Transferring massive amounts of student data to governmental agencies that are not part of the educational system could make sensitive information technically subject to FOIA and CORA, a legal reality that would violate privacy and deform the intent of open government and transparency efforts into taxpayer funded assistance of data brokers.  Freedom of Information laws are supposed to facilitate citizens keeping an eye on the state, not the make it easy for marketers to target citizens and not to worsen state surveillance.

The government is talking about open government without addressing the legitimate concern that some data should never have been collected.  Transparency isn’t a good when what’s being made transparent is the personal information of people who are denied the opportunity to opt out or to protect their data.  The state should share its own information, not attempt to distract from deliberate opacity on matters of valid public interest by handing over sensitive personal information.

The guiding principle here should be that any available data will be sought by bad actors and will be used for purposes contrary to the creation of the data.  Knowing that the mere existence of a dataset is tempting to people who lack a legitimate interest ought to caution us against creating datasets that aren’t vital, or that have any more than the bare minimum of data points.  Chicago Tribune v. University of Illinois has already introduced the question of whether privacy or FOIA wins when private student data is turned into government records.

3. Data collection of students is far out of control.  At this point we aren’t even paying lip service to the ideas of collecting only necessary data or of limiting the use and dissemination of data to parties with a legitimate interest.

4.  The current administration is so fully on the bandwagon of promoting wide access to student data as a great tool for improving student achievement that they aren’t saying anything about how student privacy might be a worthy achievement.  And they certainly aren’t measuring how much any of the massive tracking of students has done to benefit students or differentiating valuable studies from out-and-out data mining.  It’s awfully hard to believe everything the state does to make student data readily available to third parties is for the sake of students when current law explicitly allows marketing and advertising interests access to students for purposes of gathering data.

Fine, if you’re still interested, here’s the long form.  I apologize for the a

First, FERPA, the Family Educational Rights and Privacy Act, passed in 1974 and occasionally referred to as the Buckley Amendment, after one of its Senate sponsors.  Broadly speaking FERPA gives students and their parents, if they are minors, rights to access and seek to amend educational records.

As with so much governmental output, the devil lies in the exceptions.  What protections it does offer bind schools that receive federal funding under certain U.S. Department of Education programs, which effectively makes every educational institute in the United States subject to FERPA.  FERPA only protects information classified as a ‘record’, which excludes a lot, such as “records of instructional, supervisory, and administrative personnel” and treatment records of students seeking mental health therapy.  Any law-enforcement records, including those created by campus security, are also exempt.  Records deemed to have been anodized are exempt, regardless of the quality of the anonymization.

Parents may receive data about their adult children, so long as those children are still under 21, in some cases, without the student being informed, let alone give the chance to oppose disclosure.  When either parents or students seek access to records, schools are usually allowed to demand that parent or student come to the school and require they examine the records on the school grounds with a school official present.  In cases where FERPA decrees it would be excessive to demand the student or parent come to the school, schools are allowed to charge students for providing them with a copy of their own data.

Quite a bit can be released not only without student consent but in the face of the student’s explicit request for data not to be released.  The only actual veto students have is over “directory information,” lengthy sets of descriptive data about students that, unless the student takes the effort to contact the school and opt out, schools may legally provide to anyone.

After the 2002 Supreme Court decision Gonzaga University v. Doe, it is established that students and their parents and guardians have no right of action against anyone for FERPA violations.  In practice, the Department of Education is willing to let a lot go by calling it a ‘good faith’ mistake and only really pays attention to schools that have a persistent policy of ignoring FERPA.  In other words, schools know they can sail if they ignore FERPA when dealing with isolated and singular cases of students who get on administrative radar for any reason.

DoE enforcement of FERPA is done through threats to withhold funding, turning student privacy into a money game.  Schools have an incentive to keep funding coming but not do any more than that.

ESEA, the Elementary and Secondary Education Act, part of the execrable Lyndon Johnson’s execrable War on Poverty and currently bundled into the execrable No Child Left Behind, allows, among other things, data about students to be given to military recruiters upon request.  If you don’t recall every being asked if you wanted to opt out of this back in your own school days, it’s because you or your parents would have had to take the initiative and explicitly opt you out.  Though ESEA passed in 1965, the more recent FERPA does nothing to limit its privacy implications.  So too, amendments to the original Act have quite seriously weakened what protections FERPA does offer.

FERPA itself began as an amendment to an extension of ESEA and was initially passed without public comment or hearing.  That lack of consideration shows; the first batch of amendments, exempting confidential letters concerning students and the financial data of parents from student examination, came barely three months after Gerald Ford signed FERPA.  In total, FERPA has been amended 11 times, overwhelmingly in favor of stripping privacy.  In some cases, that’s not a bad thing; allowing victims of alleged crimes committed by students access to the outcomes of disciplinary hearings, for instance, is a good idea.

On the whole, though, when the privacy students may expect from FERPA is lessened, it is in favor of allowing the state access to student data for purposes that have nothing to do with education and for monetizing student data.

The PATRIOT Act, reliably horrible as ever, allows immigration and national security entities to monitor foreign born students, including their academic performance and any disciplinary actions.  At the twilight of the Bush Administration, a round of FERPA amendments allowed for the non-consenual release of data to “contractors, consultants, volunteers, and other outside parties providing institutional services and functions or otherwise acting for an agency or institution.”  More recent amendments have continued the trend of releasing data to entities whose use of that data will benefit the school or the vendor far more than the students whose data are released.

The Obama Administration has been a flagrant offender, overseeing worrying amendments to FERPA in 2011, and 2012. Bush’s 2008 amendments had already greatly expanded to class of people titled as ‘school officials’ and thus given wide access to sensitive student data, including the prize of it all – official transcripts.  These amendments included third parties with hideous data management, even when those third parties had data management and privacy policies that specifically refused to take liability for data loss and breaches.

In 2011, FERPA was further amended by redefining “education programs” and “authorized representatives.”  Because any individual or group falling into one of those categories has wide access to student data, broadening those definitions was a massive erosion of student privacy.  Initially, an “education program” was an entity whose primary focus was on “improving educational outcomes.”  Currently, entities whose link to education is, charitably, tenuous, are given access to student data.  Under the rubric of aiming to improve health, the Department of Agriculture is in.  In the name of fighting terrorism, the entire security apparatus gets a peek.  You get the picture.  “Authorized representative” has also been downgraded from individuals under the direct authority of the school to anyone to whom the school gives the title.  In other words, schools may now share sensitive student data with anyone at all, merely by deeming that person to be an “authorized representative”.

Among the groups now allowed wide access to student data are those who can get themselves defined as conducting studies, analyses, or audits,  More than a few of these, however, function exclusively to gather student data under the guise of administering surveys, combine that information with publicly available information, and then inundate students with marketing pitches – like high interest credit cards on atrocious terms to college freshmen.  The FTC has settled cases against at least two such groups, but the current terms of FERPA mean the practice itself is largely uncorrected.

In 1978, ESEA was amended with the Protection of Pupil Rights Amendment (PPRA), aka, The Hatch Act, which gave parents a right of inspection of Department of Education surveys intended for children.  Third party surveys were not considered, a problem given that advertisers have long since figured out they can get a lot of data if they can take advantage of the trusted position of teachers and the captive role of students in the classroom to extract data they’d be hard pressed to get otherwise.

When, in 2001, NCLB was new legislation, it included a right for parents to be notified of third-party surveys to be administered in-class and opt their students out of the data collection.  That clause, section 1061, originated as the S. 290, the Student Privacy Protection Act, which would have made exposure of students to data hungry marketers illegal unless parents explicitly opted their children in.  Following the lobbying attention of the advertising industry, the bill became a list of the instances where third parties may seek out student data without parental notification or the option for students to decline participation and placed the onus to refuse to provide data on the parents and student.  S. 290 was also, obviously, folded into NCLB.

In other words, we went from not having any clear federal legislation on making students available to advertisers to having a proposed bill that banned it to having an enacted bill that allowed it.  May our children forgive us.

That neither PPRA nor NCLB has actually been able to curb to misuse of student data to profit off of and target students has much to do with exceptions broad enough that any remotely talented scammer could get past the law.  For instance, surveys sold as attempts to recognize student achievement are exempt…and one of the biggest cons used to get sensitive data about students are the notorious ‘Who’s Who Among American Students’ breed of stunts – vanity presses that profit from students twice, first by selling useless books at exorbitant prices to neurotic overachievers and again by selling student data to any and all.  The endless ‘aptitude’ tests where students waste entire school weeks filling in bubbles, wait months for the results, and then get told profoundly obvious things about themselves are also exempt if the school administers it directly, although the schools are free to sell the resulting data sets to anyone.  Which they do.

The latest round of alterations of FERPA come as a joint effort of the Department of Education and the Office of Science and Technology Protocols (OSTP).  The so-called Education Data Initiative (EDI) is first and foremost concerned with aggregating data.  A public-private partnership, EDI is all about collecting data and turning it over to third parties.  When it does speak to student concerns about how their data is used and how they might gain a benefit from the existence of masses of aggregated sensitive information, the EDI talking points chirp about how students can consent to hand their data to third parties who will offer them ‘useful’ services.  What they should be talking about is how questionable data sharing is already going on without student consent or even awareness.

Instead, the nauseous press release announcing EDI talked about the data in question as if it solely belonged to the Department of Education, as if there are no trade-offs or downsides at all to making it available to private entities.  The program’s data policy is alarmingly simplistic, and explicitly states “Data accessed through Data.gov do not, and should not, include controls over its end use.”

So, that’s where we are.  A raft of acronyms notwithstanding, there is a lack of meaningful privacy protections for students.  Students and their parents are increasingly excluded from the debate over their data.  Data are used for the benefit of third parties, used toward ends that have nothing to do with educational quality, used in ways that harm students.

And, rather than debating any of this, the current legislature is considering a bill that would help that along.

Comments

Praise for PPC From Our Lefty "Fan"

• "Zany-ass bombast-entertainment...Hackneyed weirdo communist pseudo-nostalgia" --Alan Franklin, ProgressNow

Featured Posts

• PPC Training for Activists

  UPDATE: Something apparently got messed up with the PayPal buttons during this past weekend’s database glitch – fixed now. Yes, it’s that time again — PPC will be conducting training classes for center-right activists on Saturday, April 20 and Saturday, April 27, at Independence Institute in Denver. The tentative class schedule is as follows: Saturday, [...]

• Holder’s First Letter to Paul Precipitates the Best Filibuster Ever
• The Lamest Twitter Argument Ever Offered?
• Return of the PPC Re-Education Camps – You Know You Want to Be There
• Supreme Courts Blesses Warrantless Surveillance of Citizens in a Kafkaesque Farce
• GOP Elite and the Ruling Class
• Do We Now Get to Call Joe Salazar a “Rapist”?