Regular readers of this blog may be aware that I am fighting the unlawful sharing of private student data to unsupervised private unaccountable vendors. I’ve even started a petition to support this effort. Friday morning I got some good news, or at least I thought I had. John White seemed to come to his senses and agreed to withdraw the student data he supplied to inBloom.
For those not in the know, inBloom is a privately operated data cloud that advertises its ability to host all personal student data, from Social Security Numbers, to names, dates of birth, pictures, medical information, discipline records and history, test scores, etc. John White tried to simply spin his inBloom “partnership” (his word not mine) as a data garage housing “cars” he likened to our students. White claimed like all garages, once the cars are parked there, no one can get the keys so our cars (kids) are perfectly safe.
inBloom cannot see or use any information regarding students or schools in Louisiana. This is like renting space in a parking garage. The garage company may house the car for a while, but it may not touch or use the cars in the garage. While inBloom stores information, inBloom does not have access to the information
At first I thought this was an overly simplistic, condescending analogy, perhaps something thought up by a small child, but the more I thought about it, the more I realized he may actually be on to something. So let’s go with it.
Virtual garages, like real garages in real life, can have cars stolen from them all the time at any moment. Putting a car in a garage does not magically make it safe, and actually makes it less safe by virtue of placing it into someone else’s custody who does not have as much vested interest in taking care of your car as you do. What’s more, the “garage” inBloom and similar vendors are proposing will eventually hold all the cars. They want to hold everyone’s data, all their data, in one place. While it’s true cars can be stolen from personal garages, thieves have to go to each garage and steal each car. . . one at a time. In the virtual garage scenario all thieves have to do is get access to one garage, (the garage) and they can steal everyone’s car (actually all their cars, and any car they’ve ever owned.)
What’s worse is while a car thief might have to go physically to your home or to a real garage and steal a car in the flesh, drive it away manually, and find a buyer one at a time. . .well most hackers actually live in countries outside of the United States like Russia, China, Iran, North Korea, etc. They don’t have to travel to the car (the student data) to steal it. They can steal it from the privacy of their home or “professional” hacking corporation composed of career and sometimes government sponsored and supported hackers. Their “jobs” are to find vulnerabilities to exploit an steal data and trade secrets. Many foreign governments like China, Iran, and North Korea actually support these efforts. These foreign “car” thieves can steal all the cars in the blink of an eye and sell them to millions of other criminals just as fast.
So yeah, a virtual garage is a horrible idea, for us. It’s a great idea for criminals and whatever companies like inBloom would like us to believe they are.
Every public garage I’ve parked in has a big disclaimer on the wall when you drive in that the owner of the garage cannot be liable for thefts, damage or stolen property left in the automobiles. When you give the keys to a valet to park your “car” they can damage your car, take it for a joy ride, forget to lock the doors, any number of unpleasant things. . . And cars have been hot-wired at least since episodes of Starsky and Hutch originally ran on television.
. . .inBloom has a disclaimer too.
“[inBloom] cannot guarantee the security of the information stored in inBloom or that the information will not be intercepted when it is being transmitted.”
Pretty familiar, eh? Would you trust a car for permanent storage under such an agreement? Would you trust your child to an establishment that made you sign such an agreement. . . that they are not responsible if your child gets kidnapped, or injured. . . but they will take “reasonable precautions”
Yeah, you’re not taking my kids, you freaks, and I’m not trusting you with their future either, inBloom. But I digress.
A number of parents, students and legislators have been alerted to this violation of our privacy and an emergency item was placed on the BESE agenda by BESE member Lottie Beebe. This meeting was held Wednesday the 17th.
Shortly after what has been reported as a “lively” BESE meeting (who knew they had those?) John White promised to release all MOUs and contracts related to data sharing agreements like inBloom or Agilix (another vendor that was uncovered from internal e-mails.) White then sent out this letter (I mentioned above) to Superintendents and school districts to try and spin and sell his garage idea. It did not seem to work because the next day he informed BESE members he was withdrawing the state’s data from inBloom. White implied he was cancelling the contract until he was able to alleviate fears and run such agreements by BESE. He issues this letter to BESE to that effect.
|
|
Members:
At Wednesday’s meeting we heard some compelling testimony regarding the state’s and school districts’ data storage practices. It’s an issue worth continued discussion with the board.
The data storage agreement with the inBloom database was undertaken with caution and a sense of responsibility. However, because of the concerns expressed by some parents, and because we have not yet had an in-depth discussion with the board and public about data storage at the agency or district level, I think that it is best for now that we withdraw student information from the inBloom database. I have told our staff to do so and have informed inBloom of our decision.
We have protected student information for decades and take security very seriously. Given the concerns expressed by our most important constituents — students and families — I’d like a chance to discuss our policies and procedures with you before we enter into new relationships with partners providing this service.
Thanks as always for your time. Have a great weekend.John
John White
Louisiana Department of Education
Twitter @LouisianaSupe
Barbara Leader, with the Monroe News Star, has been investigating this story for the last week and calling folks all over the state (including yours truly) and had interviewed White earlier in the week about inBloom and Louisiana’s role/partnership with this private company. As Barbara was preparing to run a story on Friday, John White contacted her out of the blue to announce his decision to “seemingly” rescind his agreement.
Louisiana Department of Education Superintendent John White says he is withdrawing Louisiana student information from a non-profit database, just two days after he assured Board of Elementary and Secondary Education members that the data was safe and could not be distributed without DOE approval.
This seemed like good news and I was grateful to Barbara for covering this story that was so dear to so many parents and children. While I was unable to make the Wednesday meeting I heard there was a robust turnout and even some brave students from Mandeville High School showed up to testify against this unlawful data sharing. I can’t speak for these students, but many of our students are 18 or older and had no say and no knowledge of the inBloom agreement and did not give permission to share their details with private vendors. The only folks who seemed aware of these agreements of questionable legality were White’s inner circle but not BESE which is supposed to review and approve such contracts by law.
However just when I thought things might be going well I was forwarded this tweet from inBloom’s official twitter account that got me to thinking. . .
inBloom@inBloomEdu
.@frankcatalano
@audreywatters Louisiana still part of inBloom community. Many inaccuracies in coverage
I asked inBloom to explain this cryptic tweet that they sent to other education reporters, but so far they have not elaborated. Nevertheless it brought to mind a question. I never did see what John White actually sent to inBloom to cancel his legal agreement with them – to withdraw “student information from the inBloom database.” Did you?
Did he withdraw it all?
Did he simply tell inBloom to lay low while he “handles” those yokels in Louisiana?
Did John White make a jaded calculation that if he placated us on a Friday release, he could take advantage of the Boston Bombing coverage and people would simply forget about this come Monday? Later he could go back to BESE and get them to rubberstamp his agreement while no one was watching?
I wonder who is lying?
Did John White actually lie to BESE, to the Monroe News Star, to our legislators, to all the citizens of Louisiana?
Is this inBloom’s desperate attempt to stop other states from pulling out of the inBloom project? Perhaps. . . but if they are shown to be lying that will only further damage their credibility. Would inBloom risk lying about something that is easily disproved with the simple production of the John White cancellation notification?
I would ask that John White clears this up right away. He still has not produced the MOU that he promised to produce at the April 17th BESE meeting. Surely to cancel such a contract (which by law he would have been required to create to share student data like name, Date of Birth and Social Security number) he would have had to review it to determine how exactly to go around cancelling that agreement? White could not have shared the data in the first place (even under the weakened FERPA laws) without this legal document, a contract or MOU (Memorandum of Understanding) describing duties, uses, what data was to be shared, and under which circumstances the agreement could be cancelled.
I strongly encourage John White to produce the MOU with inBloom that he promised to punctually produce at Wednesday’s meeting and to produce the subsequent cancellation notification this contract would have required that he sent to inBloom. That’s all it will take to demonstrate that inBloom is lying, or at least in error, and they he did not lie to all of us, over and over.
However it occurred to me that maybe John White is lying, if not about this, maybe something else. So just to be on the safe side, I felt this warranted me looking into John White’s other claims at this point. I contacted Barbara Leader, who produced the article for the Monroe News Star that announced John White was withdrawing from his inBloom agreement to ask for something she mentioned in her article. . .the file layout John White provided to back up his claim he only provided:
In an email to The News-Star, White said that “the only student info we are storing in this garage: local student ID, first name, last name, gender, date of birth, ethnicity and race.”
You see, I know a little bit about data, especially Louisiana Department of Education data, having worked in that area for almost 9 years, so there was something that bothered me about this statement. You see, local student ID is optional, and most school districts don’t send it. State ID is required, and is about 98% of the time the student’s Social Security Number. The local ID field did not seem like it could possibly be correct since most of them are blank.. Then when I looked at the rest of the fields, and looked at this description of who John White said would be using this or a similar database (if a similar database it’s one he did not cancel yet) in this statement:
John White, Superintendent of Louisiana Schools, says, “By connecting to IBDS, Agilix opens a lot of doors for our Course Choice product not only for registration but also for detailed analysis of student performance. We expect this will assist greatly in tracking and reporting results of Course Choice adoption to state authorities.”
Did you catch it? J Probably not, but let me explain. White said this would be used for registration. This information would have to be sent to school districts and registration through school districts to keep track of student performance and what their kids have register for unless LDE plans to handle all that in-house. Even then you would need to know a few more basic things, like grade level, where the child is enrolled, if they are still enrolled, etc. You can’t get all that from those 7 elements. You’d need more. The News Star Reported John White provided documentation that only those 7 elements were shared, so I figured I’d just check myself. I asked Barbara to forward the file John White sent to her to me. This is it, and I’ll explain what I found.
<?xml version=”1.0″ ?>
– <InterchangeStudentParent xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xmlns=”http://ed-fi.org/0100” xsi:schemaLocation=”http://ed-fi.org/0100 ../../../../../../domain/src/main/resources/edfiXsd/Interchange-StudentParent.xsd“>
– <Student>
<StudentUniqueStateId>999999999</StudentUniqueStateId>
– <Name>
<FirstName>JANE</FirstName>
<LastSurname>DOE</LastSurname>
</Name>
<Sex>Female</Sex>
– <BirthData>
<BirthDate>2005-05-19</BirthDate>
</BirthData>
– <Address>
<StreetNumberName>No Data Exists</StreetNumberName>
<City>No Data Exists</City>
<StateAbbreviation>LA</StateAbbreviation>
<PostalCode>0000000</PostalCode>
</Address>
– <Telephone>
<TelephoneNumber>0</TelephoneNumber>
</Telephone>
– <ElectronicMail>
<EmailAddress>No Data Exists</EmailAddress>
</ElectronicMail>
<ProfileThumbnail>No Data Exists</ProfileThumbnail>
<HispanicLatinoEthnicity>false</HispanicLatinoEthnicity>
– <Race>
<RacialCategory>White</RacialCategory>
</Race>
</Student>
<StudentSchoolAssociation>
<StudentReference>
<StudentIdentity>
<StudentUniqueStateId>999999999</StudentUniqueStateId>
</StudentIdentity>
</StudentReference>
<SchoolReference>
<EducationalOrgIdentity>
<StateOrganizationId>032023</StateOrganizationId>
</EducationalOrgIdentity>
</SchoolReference>
<EntryDate>2012-08-09</EntryDate>
<EntryGradeLevel>Twelfth grade</EntryGradeLevel>
</StudentSchoolAssociation>
John White unwittingly sent us a file for yet another (third?) data aggregator he shared student data with and did not run by BESE. You see, these xml files look like they came from and/or go to Ed-Fi if you read the header for this file. Ed-Fi is yet another data aggregation company owned by a different set of billionaires, Michael and Susan Dell. inBloom is a company created by another pair of billionaires, Bill and Melinda Gates. A third company, Amplify, which partnering with inBloom was set up by yet another billionaire named Rupert Murdoch of News Corp and child phone hacking fame.
This is how Ed-Fi describes itself.
The Ed-Fi Solution
The Ed-Fi solution is an educational data standard and tool suite (unifying data model, data exchange framework, application framework, and sample dashboard source code) that enables vital academic information on K-12 students to be consolidated from the different data systems of school districts while leaving the management and governance of data within those districts and states. Ed-Fi components act as a translator of academic data, integrating and organizing information so that educators can start addressing the individual needs of each student from day one, and can measure progress and refine action plans throughout the school year.
This Ed-Fi tidbit reminded me of some internal e-mails I’d obtained some time ago but had not figured out how to connect to anything, until now. These are correspondence from John White, and Ed-Fi where he was exploring a relationship with Ed-Fi. This was done either before or while simultaneously working with inBloom.
Here’s some of the correspondence from over a year ago with Ed-Fi. (DOE apparently provides their FOIA requests as a sideways oriented image files to make use very difficult. You will have to orient them image one rotation clockwise to view.)
To summarize this set of emails: it appears the Louisiana Department of Education was sending data to Ed-Fi too, long before inBloom. I wonder how many other groups like this John White has been sharing with? Agilix seems like another one as well as the Course Choice providers. Did White simply sacrifice inBloom to save all these other relationships, perhaps 4 that we know of at this point?
It seems quite likely we’ve been duped and inBloom was offered up as a sacrificial lamb.
Now to get back to the Ed-Fi file John White has characterized as the inBloom file. Let’s assume these are the same elements that were actually provided to inBloom. . . too. I notice that Grade level is included, site code is included of which the first three characters are the school district ID, entry date is include, and State ID (the student’s SSN) not the local ID was sent to Ed-Fi and or inBloom. That’s a shame, EdFi was only asking for a unique ID, not SSN, but John White decided to send a less accurate number for tracking unique students but more dangerous for students. I can tell we sent the SSN because they DOE shows they are sending a 9 character number and our unique internal state ID is 10 characters to make differentiation readily apparent. SSN is a totally unnecessary bit of info that can be used for identity theft especially with the date of birth and name John White is also helpfully (for criminals) providing.
What I find intriguing is that there are empty spots for the student’s address, their picture, their phone number and e-mail address. I can’t think of a reason to leave those in the file unless you’re leaving them as placeholders to fill later.
To summarize:
- John White can prove he did not falsely inform BESE and the state of Louisiana about cancelling a contract with inBloom he has no intention of cancelling by production of the cancellation agreement.
- John White can prove he did not lie to BESE that he would produce the inBloom MOU and all other sharing/partnership agreements by doing so quickly and in good faith.
- We need to know how many vendors has John White shared date with already and not recalled . . . but it appears to be at least 3 more. . . (Ed-Fi, Course Choice, Agilix)
- John White may not have cancelled the inBloom contract as he claimed. InBloom has publicly claimed otherwise.
- John White sent more than the 7 data elements he claimed to BESE and the Monroe News Star that he sent. It also looks like he plans to send much more sensitive data at a later date.
- John White has definitely already sent private student data to Ed-Fi, an inBloom like operation, as much as a year ago, based on the internal e-mail trail and file spec. He did not notify school districts or BESE about this agreement to my knowledge. (I will be happy to amend this statement if somone can show me that I’m wrong.)
Now, what are we going to do about this?
Crazy Crawfish 
Brilliant!
[What I find intriguing is that there are empty spots for the student’s address, their picture, their phone number and e-mail address. I can’t think of a reason to leave those in the file unless you’re leaving them as placeholders to fill later.]
Yes, very interesting. Perhaps because it’s directory information & public information.
I was having a discussion about this a couple of weeks ago with someone. When a vendor returns the data is there any reason why they can’t keep the directory information in their system & use it? No law against it.
Also, one can return the data & obtain the directory information directly from the school.
This is an important paper that I’m dissecting. I think it’s somewhat relates to above excerpt:
The PII Problem: Privacy and a New Concept of Personally Identifiable Information by Paul Schwartz & Daniel Solove:
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1909366
The podcast may be more interesting as an intro:
https://itunes.apple.com/us/itunes-u/uc-berkeley-events-2012-podcasts/id494002768
There have already been requests to parents by LA Course Choice providers for their student’s SS#, which they are not supposed to be doing.
You know how ed deformer “Samsons” will be brought down? One bold and brave “David” at a time. Thank you.
Very welcome. I am glad this is finally getting the attention it deserves and that I have so many great people working with me behind the scenes and across the political spectrum. It’s been a very refreshing and affirming experience. Politics may be a divider at times, but protecting our children is a great unifier. That will be one of my takeaways from this, no matter what happens in the short term.
I am currently a high school student. This is completely unfair. I dont even have a facebook because I dont want to deal with people seeing my data. At the meeting Mr. White repetedly used the word “Vendor”. Doesnt that word imply selling? This all just seems sketchy to me.
At the moment they are giving your data away, and in the near future we will be paying these “vendors” to take your data and half-heartedly protect it. They are not responsible if it gets used by anyone within their own company inappropraitely, or gets stolen by hackers. They also have the legal right to sell your data to other folks for non-educational purposes. Your data is currently intended to profile you so other “vendors” can direct market products to you. Eventually this data is likely to be used to determine whether you should be hired, what insurance premiums you should pay, and who knows what else. White is giving your data away so other people canmake money off your private data at your expense.
I received an email this week asking me to ask NY State to follow the “lead” of John White and pull out of an agreement with inBloom! what a shock to be asked to follow John White after all I’ve read! But the pulling out of inBloom sounded like a very good idea indeed.
He told everyone that’s what he was doing, but if you read my next post apparently inBloom and White had alreayd put the project on hold while they work out a way to get data without SSN. He told everyone he did not hnd over SSN, and claimed he was listening to the concerns of parents, students and BESE members. None of this is true, but now the question is, while out state board of education sanction him for his dishonesty and flagrant violations of state law?
I”m beginning to think they will not sanction him. Are they all getting their pockets lined?
one way or another. They will when they leave for sure.
CC, Thanks so much for your fine investigative blogging. Those in the media could learn a lesson by following your work.
I attended a School Board Meeting in Covington on Sept 09. There was a Lady there, Miss Cheryl Abadie, who said that Comon Core was a ‘living document’. In other words, what you see here now is NOTHING like what you are going to see five years from now.
I can’t wait!