Debunking inBloom and New York’s data sharing arguments

Debunking inBloom and New York’s data sharing arguments

I’ve tried to get inBloom CTO, Garret Suhm, to answer or respond to my questions debunking the propaganda he is spreading on Twitter under the twitter id @gsuhm. So far Garret has not responded to me, nor has inBloom ever responded to my comments, complaints or observations. I am more than willing to engage them in any medium they choose to discuss the very real concerns I and other parents have about their endeavor. The reason they choose to ignore me is because they have no answers, at least none that will fail to confirm what I have been saying for more than a year.

This weekend I took part in a Twitter Dialogue with Sheila Kaplan, Garret (who responded to others but not me) and others about FERPA, privacy regulations, interpretations and implications. What I learned form that dialogue is that there is a great deal of variation across the spectrum. Not all privacy advocates see things the same way. For some folks, no amount of data sharing should be allowed under any circumstance. Others take more pragmatic approaches and concede some amount of data access and sharing will be necessary, but our obligation to parents and students is to make it as safe as possible and limited in scope. I fall somewhere along the pragmatic side of the equation, but not as far as I believe Sheila has journeyed. Despite my fairly regular trouncings of inBloom on my blog, I don’t hold any special animosity towards them personally, or any company that seeks to use data for constructive purposes. I don’t believe “beating” inBloom will solve all our data sharing and access problems, other companies will fill in or have already filled in this role in less prominent ways. However, inBloom has taken a direct and confrontational stance that it should be one of the premier databrokers, and for that reason they have become a necessary target for privacy advocates. If they are successful in their mission, as they’ve described it to date, privacy laws and advocacy will be a largely moot endeavor. So while I don’t necessarily fault their mission of helping school districts and students through use of data, I do find their aggressive stance very threatening and dangerous and one that must be actively and prominently opposed.

Since inBloom is not responding to me and the New York State Department of Education, under Commissioner John King, is the last large declared district or state ally of inBloom and their student data sharing, storing and dissemination project (and has declared they are proceeding full speed ahead hell or high water) I feel it behooves me to confront their fallacious logic head-on. If inBloom is successful in their mission it may bode poorly for others trying to prevent them and those like them from obtaining confidential student data in our own states and from our own children and students.

Argument one: New York’s current data storage access and storage practices are much worse than inBloom’s. New York actually made this argument recently. This shows a complete lack of understanding of the entire concept. inBloom still has to get information from those same poorly maintained and monitored systems. Those systems do not disappear, they stay in all their crappy, poorly secured glory. Now, in addition to them (not instead of) inBloom is creating a very attractive one stop shopping mall for hackers, phishers and dishonest employees to access.

To illustrate:

Before inBloom:

Perhaps your databases and systems look something like this, with different users and offices over each system, and different people responsible for adding data to all these disparate systems.

After inBloom:

Now in addition to your crappy setup, which you still have to maintain to populate inBloom, you now have an inBloom database that is much more valuable, visible and vulnerable to hackers, and much more portable and complete, containing all of your students data, all stitched together in one neat place. Hackers can still get the data from your admittedly terrible systems which you are not addressing because you, mistakenly, believe inBloom will solve all your problems.

(Note: Golden statue image below not obscene because it is art, and clothed art at that.)

Argument two: The only way to provide a personalized experience is to store all data on inBloom’s servers. This is not accurate. InBloom could store a unique ID that links back to personal data retained by their clients. This ID would be a key that unlocks data for applications to retrieve from local servers. While it is true those local servers could be hacked, that is true regardless. Local School districts actually need the names and addresses of their students, but intermediary vendors do not. If inBloom did not store the most sensitive PII on their side, the potential for a massive breach of inBloom creating a crisis for children and families nationwide is greatly reduced. However this solution would be resource intensive and technically difficult and the data stored with inBloom would be less valuable for inBloom to find creative ways to leverage and exploit. The process I envision would be similar to how e-mail encryption works.

Argument three:
inBloom needs all this data from districts to resolve single sign-on authentication, which is a challenging problem no one else wants to tackle. This is one of the newest arguments I’ve seen made, and perhaps the most ridiculous. Having student addresses, pictures, phone numbers and Social security numbers will do nothing to resolve single sign-on authentication. For those of you wondering what this term means, in simple terms it means a teacher/user would only have to remember a single password and log into a single system to have access to a multitude of other systems without the need to log in again. This is generally handled by Microsoft Active Directory on PCs or Profile Manager with Apple based systems. There is zero need to obtain student information for single-sign on authentication unless you are providing this to a vendor to monetize so as to receive a discount for the single sign-on solution. What you need to this solution is user profiles and systems they have access to, and ways to point those systems to a single source security manager. Back in my programming days I wrote one of these for Amedisys Inc. to synch up all the in-house applications we’d built for our users. I did not need personally identifiable patient data for that. That argument is just plain ridiculous and evidence they are simply trying to confuse folks by promising them anything to get their hands on student data.

Argument four: Student data is safe because districts have total control over who they grant access, and only those individuals will ever be able to access the data stored on inBloom. Most data breaches and hacks are inside jobs (like Bradley Manning’s release of Pentagon records and Edward Snowden’s release of NSA records) or the result of clicking on unsafe links which almost everyone has done at one time or another. One of the things revealed by Edward Snowden is that many NSA folks use the data in their charge to investigate girlfriends, family members and people they want to hook up with. If the NSA and Pentagon can’t prevent employees from accessing and exposing their data, and abusing their access for nefarious purposes, what hope could a private company have? inBloom limits its liability for accidental and unintentional exposures to basically nothing, and simply states it complies or exceeds industry standards for privacy and security, and complies with FERPA, which basically means nothing for a private vendor. The reality inBloom recognizes, and you should recognize, is that any data stored with inBloom will inevitably be misused, stolen, and probably resold and used for non-educational purposes.

Argument five: inBloom is a non-profit so we are in this for the children, not to make money. The contract inBloom entered into with Louisiana actually allows them to sell themselves to another company and to transfer all of their data and contracts to that vendor without Louisiana having any recourse or say in the matter.

14.1 Assignment, Successors. Service Provider may freely assign this Agreement, in whole, to a not-for-profit entity that expressly assumes the Service Provider’s rights and obligations hereunder arising after the date of assignment

14.3 Subcontracting. Service Provider may freely subcontract its duties and obligations under this Agreement.

Just because a company is classified as a non-profit, does not mean it cannot make money for its owners and investors indirectly (such as in exorbitant salaries, providing services to other companies or access to assets and data at below market or no costs), or that it can’t be sold for a profit or to someone else who can make a profit off the non-profit’s assets and contracts, or that it can’t contract with external for-profit entities at very generous rates. One of the way non-profit mom and pop Home Health companies made money in the nineties was by hiring on the whole family as “executives”, giving them large salaries to go with their fancy titles, BMW’s to drive on the company’s dime, conventions in Hawaii and Barbados that doubled as family vacations, and purchases or expensive rare artwork to decorate their offices, and then convert to liquidated furnishings which they would sell to themselves or family members at greatly reduced rates.

The Challenge

If you can describe an actual benefit to how inBloom or other vendors like Ed-Fi are proposing to operate, please do so. I would enjoy reading about it and responding. I am not opposed to the idea of a data broker with limited access, and heavy restrictions on the use, storage, and retention of said data. I think most of us understand data is a necessary component of doing business these days and handling large and complex companies, tasks and systems. However, just because we can do something does not mean we should or have to do it (like human cloning.) Just because we feel we need to do “something”, that does not mean we have to do that something poorly and without adequate thought and planning spent towards minimizing the risks and consequences. Companies are good at minimizing costs and maximizing revenues, and I do not fault them for that. That quality can be a powerful tool to employ in organizing, mobilizing and employing resources efficiently. However companies are much less good at protecting privacy, protecting the environment, minimizing risks to others. Even if a company wanted to do all those things well, a company run by less scrupulous folks would be able to prosper and replace the good citizen company by engaging in less costly and perhaps more risky behaviors. Companies require folks like us to provide thoughtful regulations and guidance that evens out the playing field for all of them, while protecting our rights, privacy, and resources. In the right context, with the proper regulations and laws in place and enforced, I have no doubt inBloom and other vendors like them could produce efficiencies and products that could help our children and our society. However until such a time as we define a proper, fair and safe framework for them to operate in, I feel they will have to be opposed because of the threat they pose to our children, our society and ourselves.

(Corrections as of 1/5/14: King is the State Commissioner for New York State, not City.  King has decided the entire state will share/provide data to inBloom regardless of the wishes of districts or parents.  The new mayor of New York,  deBlasio, as a candidate, claimed he would cancel any agreement with inBloom which becomes a moot point if the State Commissioner shares New York City’s data for them.  I apologize for these errors.)

Advertisements

2013 in review

The WordPress.com stats helper monkeys prepared a 2013 annual report for this blog.

I had the goal of reaching 100,000 hits this year, which would have been a 10 fold increase over last year.  What I achieved was almost double that.  Next year my goal is reaching 1 million views, only a five fold increase from what I have now.

When I started out the year I had fewer than 100 followers.  Now the blog has more than 1200 with many more folks following via e-mail forwards.  Not bad, a more than 10 fold increase.  My goal for next year is 5000 followers, something I would have though ridiculous a year ago, now I just see that total as overly optimistic. 🙂

I do not ask for donations to run the blog, and I won’t start now, but what I would ask you for is to help me reach my goals of informing parents across the state across the nation. We can do this by working together to increase these stats, by continuing to comment as many of you are doing, and by continuing to provide info and material for the blog, including guest posts.  I see this blog as belonging to the community, to the public, not financial interests as so much of our media is owned and controlled today.  Please help me expand the reach of our blog and our community.

Here’s an excerpt:

The Louvre Museum has 8.5 million visitors per year. This blog was viewed about 190,000 times in 2013. If it were an exhibit at the Louvre Museum, it would take about 8 days for that many people to see it.

Click here to see the complete report.

Breaking News: Mayor-Elect Chooses an Educator to Lead NYC Schools!

Great news for New York, and perhaps one of the first nails to be hammered into what I hope to see as the coffin holding the tarnished remains of school reform and reformers. We have our own elections for Governor and BESE coming up. I hope we make the right decisions for our children and our people and reverse the horrible education experimentation Jindal has wrought on our state.

Diane Ravitch's blog

For the past dozen years, New York City has had a procession of school chancellors who were not educators: a banker, a prosecutor, a publisher, a former deputy mayor.

Mayor-elect Bill de Blasio made a daring–and wise– decision to select a professional educator to run the nation’s largest school system, which enrolls 1.2 million students. His search narrowed to three excellent candidates, all of whom are career professional educators: Joshua Starr, superintendent of the Montgomery County public schools, known for his strong stand against standardized testing; Kathleen Cashin, a member of the New York Board of Regents, who has valiantly opposed its unwise emphasis on high-stakes testing; and Carmen Farina, a seasoned educator and former deputy chancellor in the city school system.

De Blasio selected Farina, who promises to bring a new era of collaboration with parents, teachers, and principals. She brings humor, passion, and intelligence to the job…

View original post 115 more words

Teach For America Civil War: A sincere tell-all from New York City

Great youtube video from a former TFA teacher. His story aligns with the stories I’ve been told or wittnessed with a number of other well-intentioned but ill prepared TFA recruits. His closing remarks on what TFA has become (and influence peddler and scab workforce for the wealthy) is sadly accurate for an organization that started out with laudable goals before being lured away with promises of power and wealth. Watch his video and you will see not just his shattered dreams and illusions, but those of the children he had to face every day in his classroom. The reality is that all too many of our children face unprepared novices in their classrooms due to the machinations of TFA, the New Teacher Project, City Year and the other do-gooder amateur teacher franchises that have sprung up to serve the wealthy and corrupt by underserving our kids and driving off our experienced teachers and close our public schools to install their charter profit centers.

Cloaking Inequity

A Cloaking Inequity reader made me aware of this sincere tell-all from a former TFA teacher that was recently posted on Carla Ranger’s blog, a Dallas ISD School Board member (we have lots and lots and lots of TFA in Texas— Dallas, Houston, Rio Grande Valley etc.). John Bilby’s thoughts reblogged from Ranger’s blog:

I left the organization because I felt that it does not adequately prepare its people to serve the poorest children in public schools. I also think that TFA is more interested in power, access, and influence in the federal game of education than it is concerned with resolving educational inequity. Its “corps members” are merely a means to this end, providing the organization with a front while it pursues the goals of its donors, namely to remodel public education in this country in order to favor a high-turnover, non-unionized workforce in charters run by hedge-fund…

View original post 164 more words

The RSD and New Orleans miracle (of cheating)

The RSD and New Orleans miracle (of cheating)

Some of you may have read by my recent expose on the issues facing Mary D. Coghill elementary school (an RSD school which was turned into a Park View charter school this year without any internal records or discussion of why this was done.)

I asked why this was done, and some basic info about what the accountability plans were for Mary D. Coghill as part of my investigation, but was told no such discussion or record existed. I was told no sitecode existed for this new site. (or at least this site was never discussed in e-mail or interoffice mail or memorandum.) I can assume LDOE is telling me the truth (or lying and violating state law. )

Incidentally when I re-read my notes I realized I had the number of students pulled out incorrect. It was not 70, but 90 students pulled out for special reading aloud accommodations or 26% of all students taking tests.

(I will amend my previous post with this correction.)

But while I think this is likely a serious and intentional abuse of testing accommodations that took place over multiple years for the purpose of improving RSD test scores, if this was the only case I can understand why you might think my recommendation, to have all reports of cheating investigated by an external auditor, overkill. However this is not the only case of reported cheating or abuse of testing accommodations or policies. This is but the tip of a very large iceberg, and we have no idea how much is lurking below the surface. We have evidence of at least 38 schools involved in testing irregularities or outright cheating in New Orleans (most in RSD.) How many more cases exist that we have not found out about, or which were completely concealed from any public inquiry or record? How many have not been reported by teachers for fear of being fired as coach Frank was when he tried to the right thing?

In addition to Mary D. Coghill, I believe there is a serious case to be made for cheating taking place at John Mcdonogh High School under RSD’s direction before it was turned over to a charter school with Future is Now Schools under Steve Barr. A former accountability source detailed the reason I believe John McDongh’s scores were being influenced by RSD cheating. . .

Actually, a sharp drop in school performance is a common flag that indicates a “cheater” has been replaced, or monitored to prevent cheating The perfect example of this was in West Baton Rouge Parish. A former superintendent whose wife ran the IT department had all kids who dropped out at Brusly High School transfer to Port Allen High and be recorded as Port Allen dropouts. After the couple ‘moved on,’ Port Allen High’s results shot up, while Brusly’s dropped. The current IT director (Tammy Seneca) can confirm this.

Prior to the handover of John Mac to a private charter organization, the school posted less than stellar School Performance Scores (SPS). But the latest score, a 9.3 out of 150 is absurd and represents a 78% drop in a single year. To get back to where they were before the handover from RSD, John Mac would have to improve their score more than 400%.

Operator Year SPS Score out of 150
RSD

2008

20.9

RSD

2009

21.6

RSD

2010

32.2

RSD

2011

41.8

FIN

2012

9.3

So with Mary D. Cogwell we have a reported case of cheating that involved a teacher coming forward, subsequently being fired under suspicious circumstances, no investigation taking place, a whistleblower lawsuit being filed, and the secretive closure of the RSD school.

We have another RSD school, John Mcdonogh, posting steady gains from 2008 through 2011, when it was handed over to a charter operator who discovered what may be the true performance of RSD schools, a 9.3 out of 150.

We have three charter schools that RSD oversees with reported cheating. They have allowed the school boards to investigate themselves and decide that no cheating has occurred. These schools are

Lafayette Academy:

Lafayette Academy, which is governed by the Choice Foundation, has received acclaim in recent years for its high academic performance. At the end of its first year in 2007, its school performance score was a failing score of 38.6 out of 200. That jumped by 20 points in 2008, another 5 points the next year, and at least 10 points each year after that. Its 2012 score is a 93.4, a C under the state’s letter grade system.

The scope of the cheating investigation remains unclear. Jim Huger, president of the Choice Foundation board, would only say that the board concluded that no wrongdoing occurred. The board hired a private attorney, local media lawyer Loretta Mince, to look into the claims. She referred questions to Huger.

“This is a matter that is very murky, and very sort of a ‘he-said, she-said,’ and we investigated it,” Huger said Monday. “Cheating is a very ugly word.”

Miller-McCoy Academy:

This is the third time in recent years that such allegations have surfaced at a New Orleans charter school. In 2010, teachers at Miller-McCoy Academy reported to the Recovery School District, which oversees the school, that someone had opened the state’s standardized test in advance to give test-takers extra prep on the questions.

RSD intervened, conducting its own investigation – in addition to the school’s board – that ultimately concluded that some kind of cheating did occur.

The Miller-McCoy board investigation, however, found no evidence of cheating. School officials refused to void their scores but required teachers to undergo training on proper administration of tests.

Robert Moton Charter Elementary

In August [2012], an Orleans Parish School Board investigation found evidence of cheating at Robert Moton Charter Elementary School. Moton’s board, like Lafayette and McCoy’s, concluded otherwise.

Moton was required to present preventative measures against cheating to the Orleans Parish School Board, which oversees Moton. The faculty member accused of the cheating no longer works at the school.

So now we are up to 5 schools, but the cheating doesn’t stop there. According to investigations conducted by the Lens reporter Jessica Williams, and records reported by the Louisiana Department of Education, as many as 33 additional schools have been involved in cheating or testing irregularities in the past 3 years without serious repercussions or reports to the general media.

In three recent years, 33 New Orleans public schools have been flagged for problems and possible cheating on standardized tests, including an excessive number of changed answers, plagiarism and improper test proctoring, according to records provided by the Louisiana Department of Education.

To my counting that brings the cases of reported or suspected cheating up to 38 schools.

12 of these 33 schools have repeat problems, and most of them are RSD schools.

Over the three-year period, 12 schools had repeated problems. Most of them are RSD schools:

Dwight Eisenhower Academy of Global Studies, an RSD charter

Dr. King Charter School, an RSD charter

Edna Karr High School, an OPSB charter

Mary McLeod Bethune Elementary School of Literature and Technology, an OPSB direct-run school

Dr. Charles R. Drew Elementary, an RSD direct-run school

O. Perry Walker College and Career Preparatory High School and Community Center, an RSD charter

Thurgood Marshall Early College High School, an RSD charter

F.W. Gregory Elementary School, an RSD direct-run school

International School of Louisiana, a BESE charter

George Washington Carver Senior High School, an RSD direct-run school

Langston Hughes Academy, an RSD charter

John Dibert Community School, an RSD charter

This is the same RSD that Reformers like Leslie Jacobs have been touting as models that should be replicated in other struggling school districts.

This is despite the fact the state did not check for a high rate of changed answers in 2009 and 2010 because of “budget reasons.”

There were problems at about 22 percent of the city’s schools in 2011, twice as many as the year before. A likely reason: In 2010, the state didn’t check tests for high rates of changed answers, citing budget cuts.

The state didn’t check for high rates of changed answers in 2009 for the same reason, department officials told The Lens.

How many more “irregualarities might be have discovered and largely ignored? Hard to say, but despite this lax and irresponsible oversight, and the failure of many of these entities to investigate or report instances of cheating, RSD and reformers want you to believe the New Orleans turnaround model.

RSD and LDOE has only turned over data touting their success of charters and RSD to the charter friendly CREDO institute, a Hoover institute spinoff run by charter champions Margaret Raymond and Eric Hanushek, a husband and wife team and Hoover institute fellows. (Eric has also famously promoted the idea that class size doesn’t matter and that class sizes of 50 or more are appropriate if only a “good” teacher is present.) LDOE have in fact used FERPA to rebuff other researchers from obtaining the same data that might disprove the claims RSD and LDOE makes about their success. Incidentally, did you know these brainiacs compared Ben Franklin and Luscher (charter schools that only accepts kids who meet strong academic standards, against regular RSD schools which must take everyone, and based upon this comparison determined charter marginally better than traditional public schools, represented by RSD? (Special Note: When asked to comment on how and why they did this and how they don’t believe this is a complete misrepresentation, Margaret and her chief researcher, Devora Davis, declined to comment.)

However I digress. The point here, is LDOE and RSD, and charter schools, cannot be trusted to investigate their own cheating. What happens when cheating is reported is those reporting the cheating like Coach Frank are conveniently disappeared, schools are secretly closed and rechartered, and Boards conveniently lose the reports and bury the investigations. While RSD and New Orleans is being used as a model for the Nation, people are not being given a true picture. All they are seeing is the result of cheating that is being hidden, stats that are being massaged and produced by puppet organizations like CREDO, and publicity that is being bought by hedge fund managers that want everyone to jump onboard the charter train so they can rack up.

Education is big business in the United States, and worldwide.

What would you do for 809 billion dollars, annually in the US or several trillion wordwide? Would you fudge a few stats, fund a few friendly researchers to show your product is safe (like tobacco did in the 70s and now charters schools do today), or take out some full page ads in papers? For those who mock folks that try to expose this corruption by calling us conspiracy theorists, wouldn’t you be more surprised if folks weren’t doing this, and much, much, more?

That is why we need proper controls and oversight. We are not just putting our own children, or children from New Orleans, at risk by failing to investigate the fairy tale that is the New Orleans miracle, we are endangering the rest of Louisiana, the US and the world.

So in that context, these recommendations from my previous article are not all that onerous, are they?

  • I recommend that the legislative auditor’s office heretofore investigate all reported instances of cheating and that the legislature encode this into law. (for charters, RSD, vouchers schools and traditional public schools)
  • I encourage a formal investigation into whether federal laws relating to fraud were violated if any federal funds were disbursed as a result of these fraudulently obtained test scores, and reporting the findings to relevant authorities.
  • I recommend an expansion of the whistleblower law for greater protections of teachers reporting cheating.
  • I recommend an audit of all direct run RSD schools and test scores from 2007 to present with particular care paid to accommodations and relevant IEP and IAP paperwork.
  • I recommend tapes be made of tests being read for review.
  • I recommend new guidelines be published for when and which accommodations are appropriate and the accommodations being provided are not solely used for high stakes testing. If these kids are really struggling with a disability, it is much more important that children get these accommodations throughout the year to facilitate their actual learning of the material. It is much more important to the children, and the furtherance of their education, that these accommodations be made while they are learning this material rather than just when they are being tested on it once for a school grade.

If RSD is legit, and not the product of cheating, misrepresented stats, and subterfuge, don’t you think it’s time they proved it, and all the fancy claims they make? They tell us they can fly, but they won’t show us any wind beneath their wings. It’s time to put up or shut up.


I suspect when we look closer, under the full light of day, RSD will not fly for very long. . .

I Spy – ‘Think The NSA’s Bad? Data Brokers Sell Rape Victims’ Names For 7.9 Cents Apiece’

inBloom, Ed-Fi and other data sharing outfits like them are setting themselves up to be a universal Data brokers for student data. Data brokers buy, sell and trade data to others for money, reduced prices for services and to obtain contracts with other entities to use, share and pool their collective stores of data. This type of set-up is not illegal, and is in fact a very common business practice many vendors and companies engage in routinely. However, just because something Is routine and not illegal, does not make it right, or safe for consumers or our children.

This is one of the places where legislation is needed to define how businesses can collect, store, sell, use and trade data they collect on you, me and our children. Left to their own devices, they will sell the names, addresses and phone numbers of rape victims at a price of 7.9 cents per rape victim. How cheap will our children’s information and privacy be violated? How much will their discipline records, disabilities, interests, pictures, phone numbers, addresses and grades will go for on such a market? How much is your privacy and the privacy and safety of your children worth to you?
To corporations we are just data points and profit margins. We require real legislation to make them see us as more than that.

The Last Of The Millenniums

epsilon1

 

epsilon

Now tell me again how turning over phone and internet ‘records’ to private companies is going to be better then the Government having it.

‘If you thought NSA spying was bad, then wait till you read this. Data brokers, companies that sell your information to marketers for a profit, sell the names of rape victims for 7.9 cents apiece’.

‘And it gets even worse: Rape victims are not the only people who’ve lost their privacy thanks to these companies. Data brokers also sell information about AIDS victims, domestic violence victims, people with genetic diseases, and even names, phone numbers, and home addresses of police officers’.

‘Data brokers have all sorts of info on you, me, and everyone’.

‘The Wall Street Journal reports that data brokers have entire databases on people’s health. They know who has diabetes, osteoporosis, insomnia and even depression. They know when women visit their gynecologists’.

‘Collecting…

View original post 171 more words

FERPA does not protect student privacy, and never did

FERPA does not protect student privacy, and never did

I’ve been debating for a few months on how to tackle this topic in a way that is both informative and engaging while providing firmly grounded sources that back up my analysis. I’ve finally decided that might be too ambitious, and certainly a lot to tackle in a single piece Rather than let anymore grass grow underneath my feet on this issue I decided to jump right in and I’ll be amending and updating my work on this topic much as Congress and US ED as amended FERPA continuously throughout the years. FERPA laws, interpretations and guidance are dense and jargon filled. I will refer to some specific passages, but I will leave it to you delve into those documents directly if you are so inclined. I’ve been asked to synthesize and summarize what I know and have read. If you feel more informed and more concerned after reading this piece I will see my work as successful.

FERPA is old and outdated

FERPA was created in 1974, before much of the current technology, we take for granted today, was even imagined by most legislators (except maybe the creator of the Internet, Al Gore.) As such, the framework is suspect and a patchwork of fixes and amendments that really fails to do what many people think it does. FERPA does not protect student privacy to any real degree, not to the extent we would expect a modern law to do. FERPA was written when many computers were housed in underground facilities on universities campuses (to make cooling them easier) and were the size of houses. Here is a state of the art computer from 1973, a GEC 4000.

And a close up of its fanciest part.

You couldn’t exactly hack into one of these and the data they stored was on tapes that had to be manually mounted. A modern thumb drive probably contains more data that the entire wall of tape cartridges shown in the picture, and most had no external connections. There was no Internet and top transmission speeds through dedicated phone lines with connected modems were about 300bps or about 37 characters per second (on a good day.) Todays transmission speeds can top 100Mbps or more which is the equivalent of 13 million characters per second if my rough estimates are correct. The computers millions of folks carry around in their pockets dwarf the processing speeds of even the fastest computers of 40 years ago, that were usually relegated to musty university and government warehouses and not the least bit portable.

So when FERPA was conceived computers and computerized records were not prevalent, data was not very portable, and usage and applicability of any data was almost non-existent. Fast forward 40 years and now computers are the size of wallets and watches. Millions of bits of data, or names and SSNs, can be stored on hard drives the size of a thumbnail that cost a few dollars and can be purchased at convenience stores. If you drive down almost any city block you can pick up dozens to hundreds of WiFi connections that access computers or computer networks, and the internet allows access to almost any computer anywhere on the planet. Messages and data can be transmitted virtually instantaneously to anyone anywhere via radio or satellite transmissions for little to no cost. Credit agencies, insurance agencies, employment agencies, advertising agencies, and government agencies use data collected and aggregated on everyone to sell, hire, investigate, issue or deny credit, fire, provide or deny benefits etc. We now have cyber bullies, phishers, hackers, identity thieves, and online predators to worry about in addition to all the physical threats of yesteryear to worry about as parents and consumers. When FERPA was created none of these threats were known and FERPA does next to nothing to protect against these threats.

For the dry specifics and dates you can refer to this passage, but I will be going into more detail about specific shortcomings and necessities.

FERPA History

Let’s start at the beginning with a brief history of how FERPA came to be.

The Family Educational Rights and Privacy Act of 1974 (“FERPA”), § 513 of P.L. 93-380 (The Education Amendments of 1974), was signed into law by President Ford on August 21, 1974, with an effective date of November 19, 1974, 90 days after enactment. FERPA was enacted as a new § 438 of the General Education Provisions Act (GEPA) called “Protection of the Rights and Privacy of Parents and Students,” and codified at 20 U.S.C. § 1232g. It was also commonly referred to as the “Buckley Amendment” after its principal sponsor, Senator James Buckley of New York. FERPA was offered as an amendment on the Senate floor and was not the subject of Committee consideration. Accordingly, traditional legislative history for FERPA as first enacted is unavailable.

Senators Buckley and Pell sponsored major FERPA amendments that were enacted on December 31, 1974, just four months later, and made retroactive to its effective date of November 19, 1974. These amendments were intended to address a number of ambiguities and concerns identified by the educational community, including parents, students, and institutions. On December 13, 1974, these sponsors introduced the major source of legislative history for the amendment, which is known as the “Joint Statement in Explanation of Buckley/Pell Amendment” (“Joint Statement”). See Volume 120 of the Congressional Record, pages 39862-39866.

Congress has amended FERPA a total of nine times in the nearly28 years since its enactment, as follows:

P.L. 93-568, Dec. 31, 1974, effective Nov. 19, 1974 (Buckley/Pell Amendment)
P.L. 96-46, Aug. 6, 1979 (Amendments to Education Amendments of 1978)
P.L. 96-88, Oct. 17, 1979 (Establishment of Department of Education)
P.L. 101-542, Nov. 8, 1990 (Campus Security Act)
P.L. 102-325, July 23, 1992 (Higher Education Amendments of 1992)
P.L. 103-382, Oct. 20, 1994 (Improving America’s Schools Act)
P.L. 105-244, Oct. 7, 1998 (Higher Education Amendments of 1998)
P.L. 106-386, Oct. 28, 2000 (Campus Sex Crime Prevention Act)
P.L. 107-56, Oct. 26, 2001 (USA PATRIOT Act of 2001)

Unapproved Changes to FERPA

What you don’t see in this bit of US ED lore is that the changes enacted by the US Department of Education over the last decade (plus) were not approved by Congress. The most recent and significant one I would like to direct you too occurred in 2011 and can viewed here along with a discussion of objections raised and DOEs responses to the objections.

http://www.gpo.gov/fdsys/pkg/FR-2011-12-02/pdf/2011-30683.pdf

These are very telling indications of how DOE intends to enforce (or not enforce FERPA) but it is 58 pages so I will excerpt a few of the more concerning sections to direct your attention to throughout my examination.

Before we go there though, let me summarize by saying FERPA was theoretically enacted in 1974 to protect the rights of parents and students under very specific situations that were known or understood at that time. (I would assert it actually defines the rights and preeminence of Federal agencies to oversee education matters and data with a small set of rights for parents under a few limited circumstances.) FERPA has been amended 9 times by Congress, and the primary enforcement mechanism is reduction or disqualification for funding directed at schools and states that fail to comply with FERPA regulations.

Applicability and Scope

This leads directly to the next point I would like to discuss; something many people may not be fully aware of or understand about FERPA. Namely the scope and applicability or in other words what it applies to and how it works and can be enforced.

Scope and Applicability

FERPA is a “Spending Clause” statute enacted under the authority of Congress in Art. I, § 8 of the U.S. Constitution to spend funds to provide for the general welfare. (“No funds shall be made available under any applicable program…” unless statutory requirements are met.)

Let me translate this a bit. FERPA has no defined penalties for folks who willfully and/or negligently and repetitively violate it. I can take your children’s personal data and wallpaper my house with it, use it to wrap all my presents, post it in the newspaper, print it on souvenir toilet paper and make paper airplanes out of it and launch them from atop the State Capital during Mardi Gras (something I’ve always wanted to do, sans the personal data) and FERPA and the US Department of Ed cannot prosecute you and the only sanction available to them is to withhold federal funding, if they so choose. This means any vendor that obtains personally identifiable data is largely immune to any repercussions or restrictions on its use or misuse. This is a matter of settled law and an opinion issued by US ED in the afore-linked 2011 document.

. . .Thus, if an authorized representative receives funds under a program administered by the Secretary, the Department has the authority to enforce failures to comply with FERPA under any of GEPA’s enforcement methods. If an authorized representative does not receive funds under a program administered by the Secretary and improperly rediscloses PII from education records, then the only remedy available under FERPA against the authorized representative would be for the Department to prohibit the disclosing educational agency or institution from permitting the authorized representative from accessing PII from education records for a period of not less than five years. 20 U.S.C. 1232g(b)(4)(B). These are the only remedies available to the Department to enforce FERPA. Remedies, such as assessing fines against any entity that violates FERPA, are not within the Department’s statutory authority. Under the FERPA regulations, and in accordance with its longstanding practice, the Department only will take an enforcement action if voluntary compliance and corrective actions cannot first be obtained. If the violating entity refuses to come into voluntary compliance, the Department can take the above listed enforcement actions. However, in addition to these statutorily authorized remedies, we encourage FERPA-permitted entities to consider specifying additional remedies or sanctions as part of the written agreements with their authorized representatives under § 99.35 in order to protect PII from education records. Written agreements can be used to permit increased flexibility in sanctions, to the extent that the desired sanction is permitted under law.

All vendors are free to use and misuse as much data however they choose without real restrictions or penalties

This means US ED has no authority over vendors or use or misuse data, that it must first try and convince abusers to stop abusing and disclosing the data they have received, and that their only recourse is to forbid school districts from providing data to them directly for 5 years or more. However if they obtain the data from another source, say another vendor, agencies can bypass even this very minor censure. Additionally, since DOE has no enforcement mechanism provided by FERPA, agencies can ignore this decision with impunity. This is why inBloom is not going out of business with no one officially committing to provide data to them. They intend to get this data secretly other ways and through other avenues. FERPA does allow schools, school districts and states to state their own civil penalties in their contracts, but most, if not all, fail to do so. What this means is any vendor for any data system in any school district that has access to data can currently use that data however they want if their only restriction written into their contract is that they will comply with FERPA. FERPA does not restrict or target vendors, only schools and school districts. State agencies are also largely excluded from many of the provisions of FERPA although references to them have been sprinkled in throughout the years. Most of the sanctions and wording it directed at local school districts, not state agencies who subsequently acquire the data.

Additionally, parents do not have the right to sue or take actions against vendors, state agencies, local school districts, or individuals who use, misuse or abuse their children’s data, or their own data under FERPA. All enforcement actions are handled through FPCO (the Family Policy Compliance Office), if they so choose. Parents may make a formal complaint, but those complaints can be ignored and parents have no further recourse.

The Kickboard and inBloom connection

A couple of months ago I was contacted by a parent and technology insider about a new company operating in New Orleans in coordination with Leslie Jacobs, a chief reform figure in Louisiana and one of the principal people responsible for creating RSD an creating the deforms striking across Louisiana and particularly New Orleans. This company is called KickBoard, and run by a former Teach for America alum named Jennifer “Jen” Medbery. Kickboard is an inBloom ally and dashboard provider that goes into schools and school districts to obtain all of their student and teacher data and provide tools and metrics for the teachers. What I have been told is that inBloom is now working with groups like Kickboard to obtain student data indirectly, bypassing contracts and oversight with school districts and state agencies. Please refer to this comment provided below.

I have to commend you and brilliant citizens like yourself for standing up and fighting against the partnership between LDOE and inBloom. As a parent and an EdTech critic, I’m so proud to see that partnership dissolving even if only for now. However, I’ve been alarmed for quite some time at the fact that no one has ever called out or investigated the more direct link between our state’s children’s data and inBloom than through Kickboard for Teachers. A search of your blog and even your readers’ comments pulled up zero hits on Kickboard. Jen Medbery and her self-proclaimed mentor and investor Leslie Jacobs more than likely played huge roles in the backroom deals between White and inBloom. As the poster child for New Orleans Edtech specifically and New Orleans entrepreneurship in general, Kickboard cannot be allowed to falter or worse die. Several prominent groups including Idea Village and the New Orleans Startup Fund have too much riding on Kickboard’s success in spite of the fact that Kickboard remains nearly two years behind on its own growth projections. Why else is there such a huge media blitz for Kickboard originating from Idea Village for each of the past two autumns despite that Idea Village has incubated probably five dozen other start-ups since Kickboard graduated from its program four years ago?

The hidden revenue stream was and probably continues to be to Kickboard from other inBloom members at the expense of our state’s children and their parents. Kickboard is listed alphabetically as the 15th of 21 inBloom partners. Leslie Jacobs took over the New Orleans Startup Fund precisely when the Fund was faltering and had really only one major investment consuming the bulk of its pledges, Kickboard. John White’s severing of his contract with inBloom has only served now to push the Kickboard and inBloom partnership deeper and further underground. And, contracts between Kickboard and the schools and districts it services permit the same data exchange through Kickboard to inBloom that White was permitting from the LDOE directly.

We can only hope that Medbery and Kickboard put our children before profits. Yet, I don’t see them justifying a recent unjustifiable valuation in the millions of dollars which subsequently resulted in them securing a sizable out-of-state venture capital investment without extracurricular income from inBloom partnerships.

I do not have detailed financials disclosing how these partnerships work, but I have been wondering how inBloom could continue to function without student data commitments. To be quite frank, there is no way they could operate as they’ve defined themselves (a centralized student data repository and intermediary) without obtaining data from someone. Initially inBloom was going to provide data to their partners like Kickboard. Now that virtually every state and large school district has pulled out of inBloom, thanks to the efforts of Leonie Haimson, Rachel Strickland, Debbie Sachs and others, the only available path I see to them is obtaining this data through vendors that already have access to it. Their most likely place for inBloom to acquire this data will be via and through their existing partners. There are currently not Federal laws to safeguard or prevent this, which is why State laws must be enacted in every state if you wish to prevent personal, student, teacher and parent data from falling into the hand of anyone and everyone who wants it.

For a current list of partnering companies with inBloom you can go here. If your parish does business with any of these vendors there is a decent chance inBloom and other data aggregators will be able to obtain your children’s data through them.

Please note: I do not have concrete proof Kickboard or any of these partners are actively sharing data with inBloom although I have had reports from sources that they are and have included one of those reports provided to me in this article. I have shown that there FERPA has no teeth to prohibit this, and US ED has no inclination or authority to address this issue. As every state and partner that I am aware of has pulled out of inBloom (or allowed parent opt outs or opt ins) and inBloom has not closed up shop it stands to reason they have plans to get this data another way. Bill Gates has 150 million reasons to see this venture succeed.

Future posts will include an outline on how to craft State legislation to address these issues but suffice it to say specific monetary and criminal penalties will need to be enacted.

Additional Note: If the only protections your vendor agreement defines is that it complies with FERPA, then essentially you have no real protections to safeguard or define ownership of your data or penalties for its misuse.  However, many vendors like JPAMS/EdGear (the largest SIS vendor in Louisiana whom contacted as part of my research for this story) have privacy agreements that go far beyond the use, ownership, storage, sharing and destruction restrictions defined by FERPA.  As a local superintendent or school board I believe it would be a good idea to review my contracts with my vendors and tighten up those that lack appropriate safeguards.  I do not attribute this lack to subterfuge on most of your vendors’ parts.  Many vendors may not even be aware of how poorly FERPA defines safeguards for data, as this lack is not something US ED or the Family Compliance Office actively advertises.