Regular readers of this blog may be aware that I am fighting the unlawful sharing of private student data to unsupervised private unaccountable vendors. I’ve even started a petition to support this effort. Friday morning I got some good news, or at least I thought I had. John White seemed to come to his senses and agreed to withdraw the student data he supplied to inBloom.
For those not in the know, inBloom is a privately operated data cloud that advertises its ability to host all personal student data, from Social Security Numbers, to names, dates of birth, pictures, medical information, discipline records and history, test scores, etc. John White tried to simply spin his inBloom “partnership” (his word not mine) as a data garage housing “cars” he likened to our students. White claimed like all garages, once the cars are parked there, no one can get the keys so our cars (kids) are perfectly safe.
inBloom cannot see or use any information regarding students or schools in Louisiana. This is like renting space in a parking garage. The garage company may house the car for a while, but it may not touch or use the cars in the garage. While inBloom stores information, inBloom does not have access to the information
At first I thought this was an overly simplistic, condescending analogy, perhaps something thought up by a small child, but the more I thought about it, the more I realized he may actually be on to something. So let’s go with it.
Virtual garages, like real garages in real life, can have cars stolen from them all the time at any moment. Putting a car in a garage does not magically make it safe, and actually makes it less safe by virtue of placing it into someone else’s custody who does not have as much vested interest in taking care of your car as you do. What’s more, the “garage” inBloom and similar vendors are proposing will eventually hold all the cars. They want to hold everyone’s data, all their data, in one place. While it’s true cars can be stolen from personal garages, thieves have to go to each garage and steal each car. . . one at a time. In the virtual garage scenario all thieves have to do is get access to one garage, (the garage) and they can steal everyone’s car (actually all their cars, and any car they’ve ever owned.)
What’s worse is while a car thief might have to go physically to your home or to a real garage and steal a car in the flesh, drive it away manually, and find a buyer one at a time. . .well most hackers actually live in countries outside of the United States like Russia, China, Iran, North Korea, etc. They don’t have to travel to the car (the student data) to steal it. They can steal it from the privacy of their home or “professional” hacking corporation composed of career and sometimes government sponsored and supported hackers. Their “jobs” are to find vulnerabilities to exploit an steal data and trade secrets. Many foreign governments like China, Iran, and North Korea actually support these efforts. These foreign “car” thieves can steal all the cars in the blink of an eye and sell them to millions of other criminals just as fast.
So yeah, a virtual garage is a horrible idea, for us. It’s a great idea for criminals and whatever companies like inBloom would like us to believe they are.
Every public garage I’ve parked in has a big disclaimer on the wall when you drive in that the owner of the garage cannot be liable for thefts, damage or stolen property left in the automobiles. When you give the keys to a valet to park your “car” they can damage your car, take it for a joy ride, forget to lock the doors, any number of unpleasant things. . . And cars have been hot-wired at least since episodes of Starsky and Hutch originally ran on television.
. . .inBloom has a disclaimer too.
“[inBloom] cannot guarantee the security of the information stored in inBloom or that the information will not be intercepted when it is being transmitted.”
Pretty familiar, eh? Would you trust a car for permanent storage under such an agreement? Would you trust your child to an establishment that made you sign such an agreement. . . that they are not responsible if your child gets kidnapped, or injured. . . but they will take “reasonable precautions”
Yeah, you’re not taking my kids, you freaks, and I’m not trusting you with their future either, inBloom. But I digress.
A number of parents, students and legislators have been alerted to this violation of our privacy and an emergency item was placed on the BESE agenda by BESE member Lottie Beebe. This meeting was held Wednesday the 17th.
Shortly after what has been reported as a “lively” BESE meeting (who knew they had those?) John White promised to release all MOUs and contracts related to data sharing agreements like inBloom or Agilix (another vendor that was uncovered from internal e-mails.) White then sent out this letter (I mentioned above) to Superintendents and school districts to try and spin and sell his garage idea. It did not seem to work because the next day he informed BESE members he was withdrawing the state’s data from inBloom. White implied he was cancelling the contract until he was able to alleviate fears and run such agreements by BESE. He issues this letter to BESE to that effect.
At Wednesday’s meeting we heard some compelling testimony regarding the state’s and school districts’ data storage practices. It’s an issue worth continued discussion with the board.
The data storage agreement with the inBloom database was undertaken with caution and a sense of responsibility. However, because of the concerns expressed by some parents, and because we have not yet had an in-depth discussion with the board and public about data storage at the agency or district level, I think that it is best for now that we withdraw student information from the inBloom database. I have told our staff to do so and have informed inBloom of our decision.
We have protected student information for decades and take security very seriously. Given the concerns expressed by our most important constituents — students and families — I’d like a chance to discuss our policies and procedures with you before we enter into new relationships with partners providing this service.
Thanks as always for your time. Have a great weekend.
Louisiana Department of Education
Barbara Leader, with the Monroe News Star, has been investigating this story for the last week and calling folks all over the state (including yours truly) and had interviewed White earlier in the week about inBloom and Louisiana’s role/partnership with this private company. As Barbara was preparing to run a story on Friday, John White contacted her out of the blue to announce his decision to “seemingly” rescind his agreement.
Louisiana Department of Education Superintendent John White says he is withdrawing Louisiana student information from a non-profit database, just two days after he assured Board of Elementary and Secondary Education members that the data was safe and could not be distributed without DOE approval.
This seemed like good news and I was grateful to Barbara for covering this story that was so dear to so many parents and children. While I was unable to make the Wednesday meeting I heard there was a robust turnout and even some brave students from Mandeville High School showed up to testify against this unlawful data sharing. I can’t speak for these students, but many of our students are 18 or older and had no say and no knowledge of the inBloom agreement and did not give permission to share their details with private vendors. The only folks who seemed aware of these agreements of questionable legality were White’s inner circle but not BESE which is supposed to review and approve such contracts by law.
However just when I thought things might be going well I was forwarded this tweet from inBloom’s official twitter account that got me to thinking. . .
I asked inBloom to explain this cryptic tweet that they sent to other education reporters, but so far they have not elaborated. Nevertheless it brought to mind a question. I never did see what John White actually sent to inBloom to cancel his legal agreement with them – to withdraw “student information from the inBloom database.” Did you?
Did he withdraw it all?
Did he simply tell inBloom to lay low while he “handles” those yokels in Louisiana?
Did John White make a jaded calculation that if he placated us on a Friday release, he could take advantage of the Boston Bombing coverage and people would simply forget about this come Monday? Later he could go back to BESE and get them to rubberstamp his agreement while no one was watching?
I wonder who is lying?
Did John White actually lie to BESE, to the Monroe News Star, to our legislators, to all the citizens of Louisiana?
Is this inBloom’s desperate attempt to stop other states from pulling out of the inBloom project? Perhaps. . . but if they are shown to be lying that will only further damage their credibility. Would inBloom risk lying about something that is easily disproved with the simple production of the John White cancellation notification?
I would ask that John White clears this up right away. He still has not produced the MOU that he promised to produce at the April 17th BESE meeting. Surely to cancel such a contract (which by law he would have been required to create to share student data like name, Date of Birth and Social Security number) he would have had to review it to determine how exactly to go around cancelling that agreement? White could not have shared the data in the first place (even under the weakened FERPA laws) without this legal document, a contract or MOU (Memorandum of Understanding) describing duties, uses, what data was to be shared, and under which circumstances the agreement could be cancelled.
I strongly encourage John White to produce the MOU with inBloom that he promised to punctually produce at Wednesday’s meeting and to produce the subsequent cancellation notification this contract would have required that he sent to inBloom. That’s all it will take to demonstrate that inBloom is lying, or at least in error, and they he did not lie to all of us, over and over.
However it occurred to me that maybe John White is lying, if not about this, maybe something else. So just to be on the safe side, I felt this warranted me looking into John White’s other claims at this point. I contacted Barbara Leader, who produced the article for the Monroe News Star that announced John White was withdrawing from his inBloom agreement to ask for something she mentioned in her article. . .the file layout John White provided to back up his claim he only provided:
In an email to The News-Star, White said that “the only student info we are storing in this garage: local student ID, first name, last name, gender, date of birth, ethnicity and race.”
You see, I know a little bit about data, especially Louisiana Department of Education data, having worked in that area for almost 9 years, so there was something that bothered me about this statement. You see, local student ID is optional, and most school districts don’t send it. State ID is required, and is about 98% of the time the student’s Social Security Number. The local ID field did not seem like it could possibly be correct since most of them are blank.. Then when I looked at the rest of the fields, and looked at this description of who John White said would be using this or a similar database (if a similar database it’s one he did not cancel yet) in this statement:
John White, Superintendent of Louisiana Schools, says, “By connecting to IBDS, Agilix opens a lot of doors for our Course Choice product not only for registration but also for detailed analysis of student performance. We expect this will assist greatly in tracking and reporting results of Course Choice adoption to state authorities.”
Did you catch it? J Probably not, but let me explain. White said this would be used for registration. This information would have to be sent to school districts and registration through school districts to keep track of student performance and what their kids have register for unless LDE plans to handle all that in-house. Even then you would need to know a few more basic things, like grade level, where the child is enrolled, if they are still enrolled, etc. You can’t get all that from those 7 elements. You’d need more. The News Star Reported John White provided documentation that only those 7 elements were shared, so I figured I’d just check myself. I asked Barbara to forward the file John White sent to her to me. This is it, and I’ll explain what I found.
<?xml version=”1.0″ ?>
– <InterchangeStudentParent xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xmlns=”http://ed-fi.org/0100” xsi:schemaLocation=”http://ed-fi.org/0100 ../../../../../../domain/src/main/resources/edfiXsd/Interchange-StudentParent.xsd“>
<StreetNumberName>No Data Exists</StreetNumberName>
<City>No Data Exists</City>
<EmailAddress>No Data Exists</EmailAddress>
<ProfileThumbnail>No Data Exists</ProfileThumbnail>
John White unwittingly sent us a file for yet another (third?) data aggregator he shared student data with and did not run by BESE. You see, these xml files look like they came from and/or go to Ed-Fi if you read the header for this file. Ed-Fi is yet another data aggregation company owned by a different set of billionaires, Michael and Susan Dell. inBloom is a company created by another pair of billionaires, Bill and Melinda Gates. A third company, Amplify, which partnering with inBloom was set up by yet another billionaire named Rupert Murdoch of News Corp and child phone hacking fame.
This is how Ed-Fi describes itself.
The Ed-Fi Solution
The Ed-Fi solution is an educational data standard and tool suite (unifying data model, data exchange framework, application framework, and sample dashboard source code) that enables vital academic information on K-12 students to be consolidated from the different data systems of school districts while leaving the management and governance of data within those districts and states. Ed-Fi components act as a translator of academic data, integrating and organizing information so that educators can start addressing the individual needs of each student from day one, and can measure progress and refine action plans throughout the school year.
This Ed-Fi tidbit reminded me of some internal e-mails I’d obtained some time ago but had not figured out how to connect to anything, until now. These are correspondence from John White, and Ed-Fi where he was exploring a relationship with Ed-Fi. This was done either before or while simultaneously working with inBloom.
Here’s some of the correspondence from over a year ago with Ed-Fi. (DOE apparently provides their FOIA requests as a sideways oriented image files to make use very difficult. You will have to orient them image one rotation clockwise to view.)
To summarize this set of emails: it appears the Louisiana Department of Education was sending data to Ed-Fi too, long before inBloom. I wonder how many other groups like this John White has been sharing with? Agilix seems like another one as well as the Course Choice providers. Did White simply sacrifice inBloom to save all these other relationships, perhaps 4 that we know of at this point?
It seems quite likely we’ve been duped and inBloom was offered up as a sacrificial lamb.
Now to get back to the Ed-Fi file John White has characterized as the inBloom file. Let’s assume these are the same elements that were actually provided to inBloom. . . too. I notice that Grade level is included, site code is included of which the first three characters are the school district ID, entry date is include, and State ID (the student’s SSN) not the local ID was sent to Ed-Fi and or inBloom. That’s a shame, EdFi was only asking for a unique ID, not SSN, but John White decided to send a less accurate number for tracking unique students but more dangerous for students. I can tell we sent the SSN because they DOE shows they are sending a 9 character number and our unique internal state ID is 10 characters to make differentiation readily apparent. SSN is a totally unnecessary bit of info that can be used for identity theft especially with the date of birth and name John White is also helpfully (for criminals) providing.
What I find intriguing is that there are empty spots for the student’s address, their picture, their phone number and e-mail address. I can’t think of a reason to leave those in the file unless you’re leaving them as placeholders to fill later.
- John White can prove he did not falsely inform BESE and the state of Louisiana about cancelling a contract with inBloom he has no intention of cancelling by production of the cancellation agreement.
- John White can prove he did not lie to BESE that he would produce the inBloom MOU and all other sharing/partnership agreements by doing so quickly and in good faith.
- We need to know how many vendors has John White shared date with already and not recalled . . . but it appears to be at least 3 more. . . (Ed-Fi, Course Choice, Agilix)
- John White may not have cancelled the inBloom contract as he claimed. InBloom has publicly claimed otherwise.
- John White sent more than the 7 data elements he claimed to BESE and the Monroe News Star that he sent. It also looks like he plans to send much more sensitive data at a later date.
- John White has definitely already sent private student data to Ed-Fi, an inBloom like operation, as much as a year ago, based on the internal e-mail trail and file spec. He did not notify school districts or BESE about this agreement to my knowledge. (I will be happy to amend this statement if somone can show me that I’m wrong.)
Now, what are we going to do about this?