March 18, 2018 | Featured News, Youth & Schools

In the past month, I’ve been reading more parent concerns about student data being collected, stored, or shared without parent knowledge or consent. One such situation was brought to my attention recently by Leonie Haimson, who had been made aware of some concerns about a math app called Mathletics. We’ll call the concerned parent “Annie Mae,” although that is not their real name. They requested anonymity out of concern that their child might be retaliated against for their advocacy.

Mathletics (by 3P Learning) is a math learning app that is used in a number of countries. It seems to have some data demonstrating its value in U.K. schools, although I did not see any controlled research on its effectiveness in U.S. schools.

As part of trying to challenge kids and to make it more fun, the app has public leaderboards with 5-minute snapshots taken across each day, showing the top scoring 100 youth. The leaderboard snapshots reveal the students’ first name, their last initial, their school and its location, as in the screenshot below, where students’ names have been redacted by DataBreaches.net:

Redacted screenshot of Mathletics leaderboard showing world leaders, March 17, 2018.

The leaderboard can also be filtered to return results by country, as the second screenshot demonstrates by returning results from the U.S. The redacted “Name” field contains students’ first names and the first initial of their last names:

Redacted screenshot of Mathletics leaderboard showing U.S. leaders, March 17, 2018.

And as the “classes” and “students” links at the top of the screen indicate, the data could also be sorted by those parameters.

Of concern to Annie Mae: all of the data can be collected, stored, and displayed at the sole discretion of the students’ teachers, without any direct knowledge or opt-in consent of parents required.

According to Mathletics’ privacy policy, here’s how they collect and process your information:

  • We may collect your personal information in a number of ways, including:
    • directly from you (unless it is unreasonable or impracticable to do so);
    • from our school / educational institution customers (e.g. teachers or school administrators that purchase access to our Site for their students and teachers); or
    • from third parties such as our distributors (resellers and sales agents).
  • In order to register for 3P Learning resources, students registering individually and not part of a school, must give their consent at the time of registration to provide us with their personal information such as their name, age and email address (or if they are under 13 years of age, or legally a minor in their relevant location, a parent or guardian must consent on their behalf).
  • Alternatively, parents registering on behalf of their child(ren), must give their consent at the time of registration to provide us with information about them and their child(ren).
  • Teachers or administrators registering for their class or school must give their consent at the time of registration to provide us with their own name, class name, school name and their email address, as well as the names of their students.
  • We also ask for Registrants’ consent to use any personal information collected in accordance with this Privacy Policy at the time of login to our Site. If a Registrant does not wish to provide us with their consent, they cannot agree to the Site Terms and Conditions and must not use the Site.

As Annie Mae explained to me, a privacy policy that allows teachers to decide to have students use the app, and then to provide the students’ first names and the first initial of their last names, could be problematic for domestic violence victims who may not even know that their child’s first name, last initial, school and its location are on a publicly available site.

Additionally, students can create/edit an avatar. Their avatar might also give additional clues to their identity.

Could someone figure out who this student is from the available text and the avatar?

It was not clear to me why there should even be a real name policy for student names for this app or other similar apps. Yes, helpful progress and diagnostic reports can be generated by Mathletics for teachers and districts, but there’s no reason students couldn’t pick a fun name to use online where only the teacher and district know what screen name is associated with a real name.

It turns out that if you dig deeper into their Privacy Policy, Mathletics does make mention of pseudonyms instead of real names, but unfortunately, the statement is not in the section on what information they collect. The policy states:

3P Learning strives to provide a highly engaging Site for students. Given students have indicated their strong preference for their name to be shown publicly in recognition of their achievements, we allow this – but we do not allow full names (i.e. First Name and Surname) to be shown publicly. In addition, all administrative user access to any Site permits the partial (to initials only) or full anonymising (by use of a pseudonym) of names, where preferred by the user.

But does that apply to students, too, or just to administrative users and teachers? And what percent of students indicated a “strong preference” for using their real names over nicknames? And is that “strong preference” true for all age groups across K-12?

To make a point about potential problems with Mathletics’ leaderboard data storage, Annie Mae found that because the snapshots had been publicly archived for the past two years, anyone could access almost 190,000 snapshot files. And once you have all that data, of course, you can just re-process it, sorting it all by the students’ names and schools. Which is exactly what Annie Mae did.

Disturbingly, Mathletics never seems to have even noticed that someone had accessed and downloaded/scraped all of that data. Maybe Mathletics wasn’t worried about the data being downloaded by outside entities because they didn’t store sufficiently detailed information to make it a “breach,” under some definitions of that term, but would their answer be acceptable under GDPR?

More than 114,000 U.S. students

As proof of the severity of the concern, Annie Mae sent PogoWasRight.org a summary spreadsheet based on more than 114,000 unique combinations of U.S. students’ information (first name, last name initial, name of school, and state). The spreadsheet did not show students’ names. There were 2,155 unique U.S. schools in the spreadsheet. The data were from the period April, 2016 – early March, 2018 (before 3P Learning presumably “closed” the loophole).

The issues Leonie and Annie Mae brought to my attention were previously raised in Australia in the Daily Telegraph. As a result of the Daily Telegraph’s reporting, 3P Learning stated that they had closed the loophole that allowed leaderboard scraping. Except that they haven’t actually closed it, it seems, but merely shortened the timeframe in which the leaderboard results are available for downloading/viewing. As the following figure illustrates, between March 1 – March 17, more than 6,700 students had their details exposed on the leaderboards.

Mathletics did not close any loophole. Data can still easily be scraped.

Annie Mae’s concerns were also forwarded by Leonie Haimson to individuals employed by the NYS Education Department, with a note that it appeared that 180 schools in New York State had student data on these leaderboard exposures. Other than an acknowledgement from one of the parties, no one in the state education department seems to have responded substantively.

But then, on what basis would/could NYSED intervene? What law has Mathletics broken? I am not a lawyer, but I don’t find any evidence of anything illegal under U.S. law in what they have done (see this FAQ from the FTC on COPPA and Schools).

But just because something may be lawful, it doesn’t mean it is a good idea.

So PogoWasRight.org sent an inquiry to Mathletics asking two questions. The first sought clarification on the use of pseudonyms by students – whether it is permitted and if so, whether teachers are told that in the directions at the time they enter their students’ information. The second question concerned the use of the “offline” mode for Mathletics and whether that might protect students’ information better (although I would think that features like Hall of Fame would be lost if there was no internet connection).

PogoWasRight.org has not yet received any reply from the firm (some people actually do take weekends off, it seems!). If a reply is received, this post will be updated.

The bottom line is that I love apps that make learning fun for students and that can give those who need it additional rehearsal and creation of multiple examples (something that may be time-consuming and boring for teachers). But I do not want to see us sacrificing student privacy or security to access these programs. There needs to be a way to make these tools available while keeping our children’s information private and secure, and I’m actually optimistic enough to believe that if governments lay down the law on expectations, companies will find a way to comply. In a relatively small school, figuring out that “Jane L.” in Grade 3 may be a particular student may be quite easy – particularly if that school is a public school that makes too much information readily available as “directory information.” Will Jane’s parents start receiving marketing for tutoring services if Jane seems to be doing poorly in math? Will Jane be embarrassed that her peers – and the entire world – may see how poorly she is doing?

There has to be a somewhat better way to protect privacy. At the very least, companies should be required to obtain parental opt-in consent if a child’s name and school are to be exposed online. And if that’s not the law, then perhaps it should be considered a “best practice” or “best policy” for now.

Update: This post was edited post-publication to make it clearer that the spreadsheet sent to this site did not include students’ names, although the summary sheet had been developed using the individual records in leaderboards.