Because Edtech Without Integrity is Fraud

After two decades in information security, I was a latecomer to the edtech party back in 2016 and what I found was a land rush for the last frontier of intangible assets: children’s personal data.

To be clear, 2016 was a watershed year in edtech cybersecurity breaches. With tens of millions of records compromised, the concerns were not limited to data breaches, but also unintentional leaks, evidence of oversharing, and shocking privacy violations.

The nascent industry had already failed to live up to service level agreements, disappointed school boards and deceived families by, among other things, exploiting children’s data for profit. The most sensitive data had received the lowest amount of security scrutiny.

What’s more, all of it was preventable. All the breaches, the violations and the misconfigurations can be prevented on three conditions that I call my three baseline considerations for security (3BC), privacy and integrity:

  1. #Security: Independent professional assessment of secure development and standards-compliant implementation.
  2. #Disposal: Demonstrated evidence of deletion of student data and metadata from all repos and dependencies (especially other parties and backup sets), or proof that no data can be reidentified.
  3. #Consent: Proof of informed consent from parents, illustrating that they are aware of all tools and technologies in use, understand all the parties involved and have been informed of all the risks related to surveillance and long term privacy violations.

I built the 3BC into a standardized cybersecurity audit offered at cost to school boards, and it has so far resulted in a shared awareness of priorities among vendors, families and school board administrators.

Make no mistake, the 3BC are by no means the complete set of controls required for good, resilient edtech to work, but they represent a good starting point for anyone to begin asking questions.