Recently I (as well as a dozen or so student and parent activists) testified at the June 18th Louisiana BESE meeting about our concerns related to the inBloom data sharing and selling project Superintendent John White secretly entered into on behalf of all Louisiana citizens. Our spot came up 4 hours late, and without an outcry from one of our tireless privacy advocates named Debbie Sachs would have been pushed back another 3 hours or postponed to another day (when most of us would not be able to be there.)
I believe Debbie and her group arrived at 8:30 and stayed until 5 or later for their chance to speak their 2 minutes and because they knew I had to leave to pick up my children they arranged so I could speak first so we all owe Debbie and her folks a debt of gratitude.
For a quick synopsis of this meeting you can review this article courtesy of the Associated Press. Although it really fails to convey the passion and concerns of the other children and parents who testified. While they did capture some of my points from the meeting. . .
Jason France is a former Department of Education employee who worked on data collection for the agency and a parent of public school children. He said the state’s contractual arrangement with inBloom runs through 2014 unless the department sends a certified letter ending it, and he said the deal contained no opt-out clause for parents.
“The contract is still in force and that data can be sent back at any time,” he told BESE members.
White said he’ll send the certified letter to inBloom, but he said he’s sent several letters already notifying the organization that Louisiana’s data-sharing had ended.
. . .due to time constraints and the meeting format I was not able to pose questions nor respond to all the answers given. I could probably go on for days about why this is a foolish and dangerous enterprise, but I will stick to some of what I felt were more important points. By all means I encourage you delve into the agreements appended to the end and make your own observations. (My classes in contract law were several decades ago, but I did my best and I don’t charge as much as lawyers 🙂 )
In an earlier post I expressed the desire to finally see the MOU, or Memorandum of Understanding between the Louisiana Department of Education and inBloom which also apparently does business under a number of other names and with a number of different partners, including Ed-Fi, Wireless Generation, SLI (Shared Learning Infrastructure), and the Shared Learning Collaborative, LLC. It’s not clear why these folks have to use so many subcontractors and go by so many different names except to make data available to all these parties and to perhaps confuse anyone trying to investigate these folks. . . In the event of a massive release of protected information, how would anyone even begin to figure out who was responsible? Speaking of responsibility, this SLI/SLC/InBloom entity accepts none, nor do they back up Superintendent White assertions that inBloom is compliant with FERPA, the federal law defining student privacy rights.
11.2 Privacy and Security Limitations. Service Provider does not warrant or represent that by using the SLI Service, Customer will be in compliance with Data Privacy and Security Laws, FERPA or any other federal or state law or regulation. Service Provider does not warrant that its electronic files containing Customer Data are not susceptible to intrusion, attack, or computer virus infection,
Of course in the event of gross negligence, contract assertions that a service provider is not responsible are sometimes found to be unenforceable. In those cases plaintiffs can seek damages from insurance or assets of the company. InBloom is seeking not only student data from Louisiana, which numbers around 7 hundred thousand students, but students across the United States and perhaps the world. The current level of insurance they have promised to retain seems woefully inadequate:
13. Insurance. Service Provider, at Service Provider’s expense, will procure and maintain during the Initial Term, a minimum $2,500,000 per occurrence/$5,000,000 aggregate limit of Professional Liability, covering technology errors and omissions, privacy liability, network security and liability, and network extortion.
Recently another Service Provider named Living Social using the same cloud technology and same cloud vendor that inBloom is using (Amazon) was hacked and fifty million users accounts were stolen, or about 1/6th of the entire population of the United States or around 17 Louisiana’s.
(At the BESE meeting I mistakenly quoted 500,000, which was off by a factor of 100. Oops. One of the benefits of blogging is the ability to research and revise your work.)
With a similar breach inBloom or SLC would only be able to compensate each student 10 cents before exhausting the insurance they have promised to carry. This would not exactly buy a lot of credit monitoring, let alone begin to compensate anyone except maybe a lawyer or two – obviously the 5 mill is the max before any legal fees were paid to bring such a class action suit. Boy, this makes me feel safer. How ’bout you?
If this is such a safe technology why is this all the insurance they can afford? The amount of money insurance companies charge to insure an activity is often a pretty good indication of how risky “professionals” have determined that activity to be. Sheesh, I have almost that much insurance on myself and I’m not the healthiest or youngest person on the planet. Clearly we can take this as evidence that the “industry” sees this is a very risky endeavor that is very likely to result in claims being filed.
Where will you spend you 2/3 of 10 cents (after legal fees)?
I found this next section to be interesting as well. Apparently InBloom/SLC/SLI, whatever it calls itself today, can hand off this agreement to any other non-profit entity it wants to, without input from the State.
Isn’t it nice that our children and their data are simply a tradable, transferable commodity?
Non-profits can still be quite “profitable” for those who running them. They can simply pay themselves whatever salary they feel is appropriate.
14.1 Assignment, Successors. Service Provider may freely assign this Agreement, in whole, to a not-for-profit entity that expressly assumes the Service Provider’s rights and obligations hereunder arising after the date of assignment
We are allowed to peek behind the curtain, every 6 months, so long as we foot the entire bill. Since John White has laid off most of DOE’s IT staff I wonder who he will subcontract that work out to, or if he will even bother? It’s not like he’s worried too much about such things in the past I suppose since previous audits of his lack of audits by legislative auditor Daryl Pupera clearly indicate as much.
(a) Customer shall have the right, at Customer’s expense, to conduct independent code and network security reviews following each major release (i.e., Alpha Release, Release 1.0, etc.), and no more than once every six (6) months thereafter, upon reasonable notice to Service Provider and at reasonable times. Notwithstanding the foregoing, if Customer has reasonable cause to believe Service Provider is not in compliance with this Agreement, Customer may perform an independent code and network security review up to once every three (3) months.
Did you think your data was only going to be available to the half dozen initial vendors plus all the third party vendors inBloom expects “Customers” to subcontract with? Guess what, they can subcontract with anyone they choose for anything they choose, as much as they choose.
At the State we limited who had access to student data to direct staff, and only those that had a need. How will these guys keep track of all the folks that will have access to student data through all the complex vendor relationships they plan to engage? When recording studios can’t keep bootleg copies of music CDs hitting the internet before official release dates, and can’t track down pre-releasers, how can we really expect to keep our data safe once so many vendors and eyes have access to it?
14.3 Subcontracting. Service Provider may freely subcontract its duties and obligations under this Agreement. In the event that Service Provider subcontracts any of its duties and obligations, Service Provider agrees that: (i) the third party contractor shall execute an agreement regarding confidentiality consistent with the terms of this Agreement to the extent that such third party contractor has access to Confidential information of Customer and an agreement relating to any other obligations of such contractor as required to comply with Data Privacy and Security Laws, the Data Privacy and Security Policy and FERPA, and (ii) any such permitted subcontracting shall not release Service Provider from any of its obligations under this Agreement.
So just how long is this agreement and how binding?
8. Term and Termination.
8.1 Term. This Agreement will be effective for a term ending on December 31, 2014 (“Initial Term”). The parties may mutually agree to extend the term of this Agreement with such amendments to this Agreement as are appropriate and mutually agreed to for making available the SLI Service after the Initial Term.
This contract is in place until at least 12/31/14, but unless inBloom violated some of the contractual provisions it takes 90 days to cancel this contract, but only with written notice.
(a) Each party will have the right to terminate this Agreement upon thirty (30) days’ prior written notice if the other party is in material breach of this Agreement and the breaching party fails to remedy such breach within thirty (30) days after notice from the other party; provided, however: (i) if the failure stated in the notice cannot be corrected within the applicable period, the non-defaulting party will not unreasonably withhold its consent to an extension of such time if corrective action is instituted by the defaulting party within the applicable period and diligently pursued until the default is corrected; and (ii) such extension shall not exceed ninety (90) days after the initial notice.
(b) Each party will have the right to terminate this Agreement for any reason upon ninety (90) days’ prior written notice.
And not just any notice. All written notices must be as follows. John White asserted he sent numerous letters to inBloom, but did not turn any over in response to multiple FOIA requests expressly asking for this letter or any other official communique.
14.6 Notice. All notices required or permitted under this Agreement will be in writing and sent by certified mail, return receipt requested, or by reputable overnight courier, or by hand delivery. The notice address for Service Provider is Iwan Streichenberger, Manager, 3451 Flabersham Road NW, Atlanta, GA 30305; and the notice address for Customer is John C. White, State Superintendent, Louisiana Department of Education, P.O. Box 94064, Baton Rouge, LA 70802. Any notice sent in the manner set forth above shall be deemed sufficiently given for all purposes hereunder (i) in the case of certified mail, on the third business day after deposited in the U.S. mail, and (ii) in the case of overnight courier or hand delivery, upon delivery. Either party may change its notice address by giving written notice to the other party by the means specified in this Section.
I don’t think I mentioned this before, but this is all information from a separate Service Contract. The actual MOU is merely an attachment, not unlike your appendix, and about as useful.
This Agreement includes: Attachment A (Terms & Conditions)
Attachment B (SLI Service)
Attachment C (Support Services)
Attachment D Reserved
Attachment E (Additional Terms applicable to SEAs)
Attachment F (MOU)
Attachment G (Super Administrator(s))
There was an MOU that was defined and signed by DOE, but it was sent as an attachment to this Service Contract. Within this service contract is a section that converts the MOU, such that it is, into nothing more than a poor toilet paper substitute.
14.8 Entire Agreement; Amendments; Memorandum of Understanding.
(a) This Agreement, together with the attachments hereto, constitutes the entire agreement between Service Provider and Customer with respect to the subject matter hereof. There are no restrictions, promises, warranties, covenants, or undertakings other than those expressly set forth herein and therein. Except as provided in Section 14.8(b), this Agreement supersedes all prior negotiations, agreements, and undertakings between the parties with respect to such matter. This Agreement, including the exhibits hereto, may be amended only by an instrument in writing executed by the parties or their permitted assignees. (b) If Customer is a School District, the MOU is attached for reference purposes only. If Customer is the State Educational Agency that is party to the MOU, Customer and Service Provider agree that: (i) notwithstanding Section B.6 of the MOU to the contrary, the term of the MOU shall survive execution of this Agreement and expire on December 31, 2014; and (ii) the terms of this Agreement, together with its other attachments, shall prevail over any conflicting terms contained in the MOU, including but not limited to MOU Paragraphs B.2.c (Privacy and Security), B.3.d (Test Data), B.3.e (Notice), B.3.f (SLI Implementation), B.6 (Term), and B.7 (Confidentiality and Publicity), and MOU Exhibit C (Data Privacy and Security Plan).
I have provided a copy of this agreement in full, as well as the toilet paper substitute, at the bottom of this post. There is more here you need to be aware of that alarmed me when I saw it and feel I would be remiss if I did not point this out in this post. However before I get there, let’s examine some more of John White’s claims. When John White made the claim he had requested that inBloom “destroy” our data, he merely exercised the following section of the agreement. He did not terminate the agreement as he has tried to imply, and any assertion to the contrary is completely disingenuous, and actually contractually impossible – such is the agreement he signed us onto.
10.4 No License; Destruction of Customer’s Confidential Information.
(a) Nothing in this Section shall be construed as a grant or assignment of any right or license in the Disclosing Party’s Confidential Information. The Disclosing Party’s Confidential Information shall at all times remain the property of the Disclosing Party. (b) At any time Customer reasonably requests, and in any event when Customer determines that the Confidential Information of Customer is no longer needed to obtain SLI Service, or upon the termination or expiration of this Agreement, Service Provider shall promptly destroy the Customer’s Confidential Information in Service Provider’s possession; provided that (i) if Customer is a School District, Customer may request or approve that Confidential Information of Customer not be destroyed and be made available to Customer’s State Educational Agency for its use in performing their functions for evaluating and overseeing compliance in federal and state-supported educational programs in accordance with Section 444(b)(3)&(5) of FERPA and State Data Privacy and Security Laws, and (ii) at Customer’s request, Customer shall be provided up to thirty (30) business days, according to Customer’s request, to export Confidential Information of Customer prior to its destruction.
(c) Notwithstanding anything contained in this Section 10.4 to the contrary, during Alpha Release, Service Provider may delete Customer Data without notice.
At April’s BESE meeting, John White attempted to characterize his relationship with inBloom and other similar providers was a partnership, a collaboration, and not subject to the needs of an MOU. This was notwithstanding the fact that he had already signed an MOU as well as actual Contractual Service Agreement with his partner. It took him almost 6 months to finally produce this document and the Service Contract and based on even the most cursory review of the contract you can easily see why he was trying so hard to conceal this relationship. However I found this next passage particularly funny. (By funny, I mean in that infuriating way when you find your children sitting in the middle of a pile of a broken “something” playing with the broken pieces, all the while claiming someone else broke it or they simply “found” it that way.)
14.7 Independent Contractor. Service Provider is acting as an independent contractor in its capacity under this Agreement. Nothing contained in this Agreement or in the relationship of the Customer and Service Provider shall be deemed to constitute a partnership, joint venture, or any other relationship between the Customer and Service Provider except as is limited by the terms of this Agreement.
Keep in mind John White was claiming this was merely a partnership, months after he signed this contract and after dozens and dozens of e-mails and other internal correspondence – up to and including the submission of all of our student data to inBloom. So either White is ridiculously forgetful, (We’re talking “50 First Dates” with Drew Barrymore and Adam Sandler forgetful) and should not be signing contracts and instead living in an assisted living facility, or he is shamelessly lying in the most egregious ways possible, on camera and in print, to BESE, his theoretical bosses, and all of us.
But now that that is out of the way, take a look at this.
Additional Terms Applicable to SEAs
A State Educational Agency that participates by accessing the SLI Service in accordance with this Agreement and discloses Personally Identifiable Information derived from student records to the SLI to assist it in performing evaluation and compliance activities related to federal- and state-supported education programs is subject to the following additional terms:
1. The State Educational Agency hereby designates the Service Provider (and its contractors that perform services to carry out this purpose) as its authorized representative to assist it in carrying out evaluation and compliance activities related to federal- and state-supported education programs.
2. The State Educational Agency will disclose Personally Identifiable Information to the SLI Service from source systems maintained by the Louisiana Department of Education and its authorized representatives including (i) student demographic, enrollment, program service, and assessment data; and (ii) educator assignment, certification, performance, and other related data. The State Educational Agency will only disclose SEA Data: (i) when the SEA is the authoritative source of data needed for applications that Schools, Districts, or Parents have elected to utilize; (ii) when utilization of SEA Data will avoid or limit redundant data entry or verification on behalf of School District Customers; or (iii) when necessary to support an evaluation or compliance activity by an authorized representative of the State Educational Agency related to federal- and state-supported education programs.
3. The State Educational Agency intends for the SLI Service to serve as a technology platform to support its overall evaluation and compliance activities. SEA Data maintained within the SLI Service may be utilized to support state evaluation or compliance activities to the fullest extent permitted by state and federal law.
Despite John White’s contentions to the contrary that only basic student demographic data was to be stored, this contract makes it quite clear we were sending enrollment, program, assessment info, teacher info including certifications and “other related data” which disturbed me when I located what some of this other data was. The other interesting section here is that John White appears to be relying on inBloom to start submitting all federally required data, and to produce all necessary state reports. This was intended to be the final privatization piece of the LDE IT puzzle, but we have no idea what the cost for all that would be. I have no doubt one way to defray some of those costs would have been to allow this student and teacher data to be used for marketing purposes. This “cost recapture” strategy has actually been mentioned by inBloom as a way to reduce costs for services. However once we have signed on with inBloom for all our state and federal reporting, any guesses as to which direction those costs will go?
Hold onto your checkbooks folks, it’s gonna’ be an expensive ride, White’s signed us up for. And by the looks of this next section, it looks like we’ll be riding naked.
3.0 Data Domains. The Company intends the following with respect to data domains and is working with its vendors to incorporate these features and functions into the SLI consistent with the terms of the vendor agreements:
a. The SLI Model defines a total of 250 types or entities. The domain types contain over 400 granular data elements and the flexibility to add more as needs evolve. However, these are captured in 39 high-level “Domain Types:”
The MOU did reveal something more “informational” as the Service Contract described it. This company also intends to capture information on parents and teachers. We’ve already seen how teachers were treated when high-stakes testing was introduced. If their students did not improve, they were held accountable and subject to sanctions and termination. Some states like Tennessee have already started punishing parents by taking them off foodstamp rolls, and many states, including Louisiana, fine or jail parents when their children are truant. While I am not suggesting truancy is a good thing, or something to be encouraged, I can easily see a scenario after the Reformers realize making teacher scapegoats for all the ills of our society has failed, their next logical target to focus their ire and blame on will be parents. This database, and databases like it, will be how that new lynch movement starts. Because many of these folks refuse to factor in the effects of poverty and disabilities, any guesses who these punishments will disproportionately fall upon?
Tell BESE and John White to shut this down. John White promised to send me copies of the letters he theoretically sent to inBloom cancelling this agreement Tuesday the 18th, as well as confirmation as to whether or not he honored my opt-out request for my children. It is now the 22nd and I still have not received a response. Perhaps some of you could remind him for me?
Service Contract with inBloom/SLC/SLI: SLI SaaS
MOU: SLI MOU (2) I wonder what happened to MOU 1? I wonder what that one looked like. . .
BESE Contact and video info courtesy of Geauxteacher:
James.email@example.com, Kira.firstname.lastname@example.org, Lottie.email@example.com, Walter.firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, Carolyn.firstname.lastname@example.org, Connie.email@example.com, Judith.firstname.lastname@example.org, Stephen.email@example.com
Go for it. You can find more info on BESE and meetings and view the video archives of meetings at the Louisiana Dept of Ed website. Little difficult to negotiate after the TFA child wonders redesigned it. http://bese.louisiana.gov/