Saturday, September 28, 2013

Will the European Union Ban Data Mining of Student School Content?

To lower costs and increase efficiencies a growing number of educational institutions are transitioning from utilizing internal servers to external cloud based services.  Well known technology companies such as Amazon, Google, HP, IBM, Microsoft, and Oracle are competing to become the go-to cloud service provider for schools.

Milton Friedman, a famous economist, popularized the phrase, "there ain't no such thing as a free lunch".  In other words, one always has to pay for a good or service, whether by exchanging money or giving up something of value.  During the past decade, a growing number of digital companies have adopted a model where they offer their services for free in the hope that their platform gains widespread acceptance.  In return, those utilizing these services pay for the service by giving up their personal privacy by accepting agreements that enable service providers to monetize their personal information. 

Education budgets in some European member states have been slashed during the past several years due to the economic downturn.  Some cloud computing providers appear to be capitalizing on these deep budget cuts as part of their pitch to governments and educational institutions.  Unfortunately, some digital service providers do not have the best intentions because strong privacy protections are not built into the design of some of their platforms.  

These companies may require schools to execute agreements that do not properly protect the personal data of students.  For example, Sweden's data protection authority recently ordered a school district to stop utilizing Google Apps for Education because the service contract didn't comply with Sweden's Data Protection Act.  In other words, Google's agreement with a municipality in Stockholm did not provide the proper safeguards to protect student data.

The model UK Google Apps For Education Agreement, states, "Customer agrees that Google may serve advertisements (“Ads“) in connection with the Service to End Users who are not designated by Customer as enrolled students."  Does this clause mean that teachers, administrators, and almuni are served ads?  Since students most likely are utilizing school provided email to communicate with their teachers and teachers may discuss student matters with administrators via email are teacher-student and administrator-student, and teacher-administrator emails data mined and monetized by Google? 

Another troubling agreement clause states, "Customer agrees that any revenue generated by Google from the Ads or otherwise derived by Google from the Services will be retained by Google and will not be subject to any revenue sharing."  Does this indicate that in addition to serving ads based upon teacher-student/administrator-student/teacher-administrator digital interactions, the information contained in these emails may be monetized in other forms not necessarily mentioned in the agreement?   

SafeGov.org recently released a report about cloud computing and student privacy.  The organization conducted "in-depth interviews with over a dozen  representatives of European Data Protection Authorities (DPAs) as well as a number of European Commission officials involved in the development of data protection policy."  Their report found, "wide support for the idea that vulnerable data subjects such as school children deserve special protection."

SafeGov.org's findings stated that some cloud providers may be offering schools services that were initially built for the consumer behavioral advertising market and that these services do not appear to have privacy by design built into their architecture.  According to SafeGov.org, "advertising-oriented cloud services may jeopardize the privacy of data subjects in schools, even when ad-serving is nominally disabled." 

Some major threats to student privacy noted in SafeGov.org's report include:

Lack of privacy policies suitable for schools: "[C]loud providers may deliberately or inadvertently force schools to accept policies or terms of services that authorize user profiling and online behavioral advertising."

Potential for commercial data mining: "When school cloud services derive from ad-supported consumer services that rely on powerful user profiling and tracking algorithms, it may be technically difficult for the cloud provider to turn off these functions even when ads are not being served."

User interfaces that don't separate ad-free and ad-based services: "By failing to create interfaces that distinguish clearly between ad-based and ad-free services, cloud providers may lure school children into moving unwittingly from ad-free services intended for school use (such as email or online collaboration) to consumer ad-driven services that engage in highly intrusive processing of personal information (such as online video, social networking or even basic search)."

Contracts that don't guarantee ad-free services:  "By using ambiguously worded contracts and including the option to serve ads in their services, some cloud providers leave the door open to future imposition of online advertising as a condition for allowing schools to continue receiving cloud services for free."

SafeGov.org's findings are very troubling and demonstrate the need for regulators and lawmakers in the EU to be proactive to protect the personal privacy of our next generation of leaders.  While this report was based upon research performed in the EU, it would not surprise me if regulators and lawmakers around the world have similar thoughts and ideas regarding the need to protect vulnerable groups such as students and children from behavioral advertising.  Shouldn't all students and children, regardless of their geographic location, be afforded the same privacy protections?  

Copyright 2013 by the Law Office of Bradley S. Shear, LLC All rights reserved. 

No comments:

Post a Comment