The recent visual and virtual reminder of the need for strong student privacy laws

The recent visual and virtual reminder of the need for strong student privacy laws

I think the internet just exploded. At least, that’s what I’m thinking based on the number of articles I’ve seen come out in the last few days on the latest hacking scandal involving the Apple iCloud storage system involving “private” stolen celebrity photos of their, uhm, privates. You would think the world was coming to an end, that Russia really had started World War III, that North Korea finally nuked the South (or themselves accidentally). These are not the most important hacking stories or concerns by far, certainly not compared to the massive security breaches of Target, Neiman Marcus, Amazon’s cloud service (that now defunct inBloom was planning to use to store all student data), defense contractors, and various banking institutions around the world at the hands of Russian mobsters, Iranian Hacktivists or Chinese “State sponsored” hacking consortiums. Researchers had even discovered as far back as 2011 that it was possible to use Google Search to hack (or access without authority) various clouds throughout the world, so the term “Cloud security” has really always been more of an oxymoronic concept, not a legitimate claim anyone with any IT background should really make – except in assisting the marketing department with lawyerly vetted, non-binding, sales literature.

To me it looks like the media and the public are much less concerned about coverage of those stories than the lack of “coverage” of various celebrities.

For those of you unsure what a “cloud” is let me define it in what may be an overly simplistic way but which will help you understand why cloud computing is both powerful and dangerous. Most of you know what a hard drive is. Most of you know what a local network is. Some of you may know what a “shared” network drive is. A cloud service is simply a shared network drive that everyone in the world has access to from anywhere all the time. Additionally the “clouds” we are talking about from Google, Amazon, Microsoft, store redundant copies of data throughout the world, on actual physical servers throughout the world and often in foreign countries because it’s cost effective to do so. Imagine taking the hard-drive from your computer or memory form your cell phone and making 100 copies of it and shipping it to 100 different countries. You can access your data with your password. So can anyone else who intercepts your password or guesses it, or hacks directly into one of the various servers throughout the world hosting your data or intercepts it enroute (from your phone or computer) like the NSA does by tapping directly into the physical backbone of the internet. Any of those hundreds of thousands of employees might have access to your data too. There are thousands of Edward Snowdens out there, but not all of them are using their access to tell us how vulnerable we really are.

The backbone of the internet is made up of hundreds of underwater fiber-optic cables that stretch for thousands of miles across the ocean. The cables shoot information around the networked world at super-high speeds, up to 19 terabits per second—nearly the speed of light. In fact, light is exactly what’s being transmitted. Fiber-optic cables work by converting electrical signals into waves of light, and then back again at the other end.

It’s pretty nuts when you stop to think about it. The 21st century global economy is being built on strands of glass the size of a garden hose, resting on the ocean floor. And we’ve known for years these cables can be hacked or vulnerable to breaks—if, say, a ship drops anchor in the wrong place, or a natural disaster ruptures the cable.

Via Submarine Cable Map

Google and Yahoo have massive data centers around the globe that are connected via these fiber-optic cables—many of which the companies either own or privately lease to assure (or so they thought) a secure route for their internet traffic. Now it seems the NSA is taking advantage of the inherent weakness in the web’s infrastructure

In 2010 Google e-mail servers were actually hacked by Chinese hackers, but you can be sure it’s happened long before then, and almost assuredly even now transpiring undetected.

But it doesn’t take a sophisticated organization or mastermind to hack into your account and ruin your life as this journalist found out and documented. A kid basically acting alone or a freak living in their mother’s basement, like the latest Celebrity iCloud hacker probably is, can do a lot more by themselves than most people realize.

So you might be asking yourselves, what is the solution here? It sounds hopeless. Hackers are even making clones of silly games that might be attractive to children to download video and image content from phones. How can we keep sensitive information from hackers so determined to violate laws, privacy and just plain decency? I’ve heard of a number of different proposals including multi-tier authentication and physical keys or biometric authentication and/or only storing data in encrypted formats.

There are problems with these methods:

  • These methods are often costly; and some exceedingly so
  • They are cumbersome (negating much of the convenience of conducting business electronically)
  • Most of the public doesn’t understand the risks well enough to protect themselves (especially in such an swiftly evolving environment)
  • Without regulations to mandate universal adoption of strong security measures many businesses report they won’t undertake these measures on their own dime while their competitors lure customers away with cheaper prices and more convenience
  • These measures are not foolproof; and hackers constantly evolve their tactics and techniques to match countermeasures
  • Encryption is not permanent. Technology processing speed has been increasing exponentially. Recognizing this, the NSA is simply storing encrypted data in massive warehouses for a few years while they wait for or build processors powerful enough to decrypt data using brute force processing methods.

So to answer my own question about how to protect your information in a foolproof way . . . the answer is you can’t. If you store data, pictures, anywhere it can be acquired. In fact, when you make a “record” you should plan for the eventuality that it will be seen by someone and exploited. The more places your information is stored, the more likely it will be exposed to hacking by someone, somewhere. The more attractive your target (because of their celebrity status or financial exploitability potential) the more at risk your data and information is. We must assume what we create on our private phones and networks will be seen by someone else (so keep that in mind the next time you take some pictures thinking they are just for yourself or your spouse.)

This is why Louisiana’s recently signed and strongest is the nation student privacy bill (HB1076 by Representative Schroder) that passed in the 2014 legislative session is so important. This bill prevents the State of Louisiana from collecting Social Security Numbers in most cases and requires that the state introduce a student identifier system not tied into SSNs in any way. (it appears parents must sign a form allowing the state to collect SSN’s and other necessary data for the Student Transcript System which is used to award TOPS scholarships and determine financial aid and admissions determinations for students attending institutions in-state. Parents will need to remain vigilant to ensure this data is not merged with the rest of the student data and provided to other databases like the one created for the Workforce Commission or other third party vendors that might follow undetected in inBloom’s footsteps.)

The state is also reportedly purging their existing data bases of legacy SSN’s. The bill also includes civil and criminal penalties for negligent or intentional mishandling of student data. This law became very important recently when the public learned that the State’s Superintendent of Education, John White, shared SSNs and other personal data with third party vendor inBloom (because of yours truly) with no guarantees of privacy, no guarantees of security, no legal liability for intentional or unintentional disclosures. The now defunct inBloom project, which was built with 100+ million in seed money from Bill Gates, even planned to store hundreds to thousands of points of very private, very sensitive data, pictures, medical records, discipline records, psychological profiles of all children (in their ideal scenario) on a cloud computing platform hosted by Amazon. Amazon’s own subsidiary, Living Social, was hacked on Amazon’s very own cloud resulting in the theft of over 50 million users’ information while this proposal was being floated.

Computers and the internet is not going anywhere, and we should not fear it to the point of not using it. However it appears very clear to me that laws, regulators and legislators are not keeping up with the changes as fast as they need to be. We can make ourselves safer by educating our leaders to make more responsible choices on our behalf and by taking some common sense steps ourselves to protect ourselves and our families. Louisiana parents took a very important step this summer by engaging our legislature. Regrettably most legislatures across the country failed their citizens on the student privacy issue, succumbing to lobbyists and pressure from Google, Apple and Microsoft. Louisiana was the first state to boot inBloom due to privacy concerns. We were also the first state, to my knowledge, to pass some very meaningful privacy legislation to address many of the weaknesses introduced by Arne Duncan to FERPA. For a state so often labeled and maligned (often rightly so) as backward and trailing in public health issues, education policy, infrastructure and economics it’s nice to see us acting as the leaders and trailblazers we know we are, and know we should be.

 

Advertisements

Data Security Fail: John White and LDOE up to their old irresponsible data tricks again

Data Security Fail: John White and LDOE up to their old irresponsible data tricks again

 

John White recently testified multiple times in front of the Louisiana House Education Committee that he has a firm commitment to student privacy and takes his responsibilities toward ensuring the department only collects data that is absolutely necessary and does so responsibly. He made the argument that without detail student level data, the Department would not be able to fulfil their reporting duties lain out by the federal government and auditing duties to ensure data is being accurately reported. When State Representative John Schroeder introduced a bill a few months back that only allowed LDOE to collect aggregated data, John White was adamant that he would not be able to adequately report to the legislature and federal government. Neither assertion is true. White also assured House members he took great pains to safeguard information and that he did not need to document all the data elements he was collecting, or what they were being collected for, but we could be sure they were only collecting exactly what was needed.

All of these claims were complete lies, but they sounded convincing to most folks and I was not asked by any Senator or Representative to debunk them, despite my numerous offers to cut through White’s BS before the session and during it. (If anyone would like to contact me I am still available.) I’ve worked with other state’s privacy advocates and Senators so I’m not sure why ours have not accepted my numerous offers. (I was told more than half a dozen times that I would be called or contacted about the various privacy bills making their ways through the Senate and House, but these promises never materialized into any actual direct correspondence. I find that . . . interesting. Perhaps folks don’t want to know the truth? But I digress.)

Last I checked Louisiana has a privacy bill that has been voted on in the House but which has not been taken up in the Senate. As this legislative session closes it appears less and less likely every day that we will get a privacy bill through the legislature and onto Governor Jindal’s desk to sign. I can only assume Jindal will sign such a bill since he has had his folks publicly support it while it made its way through the House.

This brings me to this week’s latest finding that might be of some interest to parents and legislators pondering data privacy and security issues and the promises John White made just a few weeks ago in front of cameras, parents, legislators, the press, and God. His testimony is still available to review if you care to take the time to listen. . . But back to the latest example of LDOE incompetence under John White.

Introducing the new:

Alternative School/Program Data Collection

Please forward to district alternative school/program staff.
The 2013-14 Annual Report on Alternative Education Schools/Programs is a report submitted to BESE on the effectiveness of alternative education schools and programs. Please complete the school/program overview and student roster layout provided (under Announcements to the right) by May 23, 2014
and email a signed and scanned copy of the overview to Renee Montogmery at
renee.montgomery@la.gov. The alternative program/school roster should be uploaded via your districts’ secured FTP site. For questions regarding data collection, layout/template, or FTP upload instructions, please contact Crystal Wilkinson at crystal.wilkinson@la.gov.

 

LDOE created a new data collection they want LEAs to submit by May 25th of 2014 that they introduced on May 2nd. LDOE is asking school districts to aggregate all their data for them on the first page, which is the data they really want, but they also want LEAs to submit student level data (that they already have and that was obtained more securely) via an unencrypted Excel Spreadsheet. Element H, Student Sate ID, is Social Security number for 97+% of students in Louisiana. They are having schools and districts submit this along with a student’s full name and Date of Birth to ensure if this info was stolen it could be used to obtain credit cards and apply for loans. To ensure student’s privacy rights will be violated they are asking LEAs to define students as dropouts, their discipline records, whether they were expelled, and if they are disabled.

Wow.

They did this while the legislative session is still going on.

They are doing this after they testified they don’t request info unnecessarily. (All of this info is already in their possession except dropouts – which are not final and are official produced by LDOE not school districts, and the program code.)  None of that data is necessary if they just collect the summary page which I have no objection to as long as this was only done this one year and next year the program element was collected in SIS properly.

LDOE attempted to collect this data in a wildly irresponsible way that no one would endorse as a safe or proper way to collect data (Even themselves when questioned about it.) Here is an official response from Barry Landry, official spokesperson for LDOE. I asked who was in charge or this and questioned the wisdom of doing this (in a less civil way to be sure.) The response I got back was mildly reassuring . . . at first.

Jason,

 This original form is not an appropriate way to collect this data,  [emphasis mine] and the Department has taken down this form. No information or data concerning alternative schools or programs was submitted by any district to the Department.  

 Barry

 

It took LDOE a few days to get back to me. (I learned they were scrambling around based on my initial inquiries and trying to get their stories straight.) I did verify they took the information about the collection down from their “Insight” portal, where they communicate with school district personnel indirectly. Per John White, LDOE staff are not permitted to talk directly to school districts on the off chance they would provide helpful information accidentally. That is not made up or even the slightest bit sarcastic. I’d tell you to ask a current LDOE staffer if this was true, but they would not be able to answer you without worrying about being fired. Instead I ask you to ask a recently departed staff member and verify.

Now, back to the data collection. I was briefly encouraged that LDOE was taking my concerns, parent’s concerns seriously for once. I actually figured they would just hold off on collecting this data this way until after the legislative session, so legislators would go home without passing any serious student privacy and data security legislation and go about business as usual. However, even I was surprised that Kim Nesmith, the creator of this data collection, immediately contacted SIS (Student Information System) vendors and denied that they were doing away with this collection, or even that they were doing away with this data collection method. She told them to continue building the reports and files less than 5 hours after I received an e-mail from Barry Landry at LDOE that “this was not an appropriate way to collect data”. The following e-mail was sent by one of the SIS vendors to their client. Apparently they were contacted around noon.

I have been in contact with the state. They have not made that decision yet. They may or may not require the file at this time. They just don’t know.

I will keep you up to date as I get more information. Please forward me the statement from Barry Landry saying they won’t need the report.

It is true they took the form down about this data collection. (at least for a few hours)  It may be true that no data was transmitted this way. What is missing is any confirmation that they are not collecting data this inappropriate way. All Barry reported to me was they took the form down (true) and that no data was transmitted this way. (I have not verified this one way or the other yet.)

When I saw this collection, I knew right away that Kim Nesmith was behind it. I verified this on my own later although, and one of the contacts listed as a contact reports directly to her, but LDOE refused to confirm this officially. However this is not the first time Kim has collected data this way. In 2011 she demanded IT collect data this way for students that were corporally punished or bullied and for identified bullies. I refused to collect this data this way because I believed it was dangerous, inefficient and stupid, however I was overruled by Patrick Dobard (currently the superintendent of RSD, then Superintendent Paul Pastorek, and Kim Nesmith.) What happened was Kim collected this data herself, but was unable to use it to build any reports so I was called in to link the hundreds of excel data files and report from them. Paul, Patrick and I are gone, but Kim remains. Kim no longer has anyone that can summarize the data, hence the summary page.

Kim is also LDOE’s FERPA compliance person in IT, the supervisor in charge of data collections and data collectors (including student data collections), and the self-titled Data Quality Director. Yep. Kim is the person who LDOE put in charge of ensuring your students’ data is treated carefully and securely, that data is reported accurately, and that school districts know what to report.

I will have more information on current issues facing the data collections department, under Kim, in future posts. I have been getting specific complaints about her from school districts for years. I’ve done my best to give LEAs information they can feed back to LDOE to fix the data problems they have been having in the wake of firing or driving off all the experienced and qualified IT staff, but it has gotten so bad that even if I get step by step instructions on what to fix Kim’s staff is unable to address any of the problems they are having. Currently they are unable to properly calculate dropouts. I believe they are also the reason LDOE gave incorrect budget numbers to the legislature at the start of the session that John White tried to vaguely explain away.

White said $35 million of this year’s shortfall is tied to having higher-than-estimated student enrollment for the 2013-14 school year.

This is the 2013-2014 school year. We have those numbers in October 2013 and February 2014. How could they have been surprised if they had the actual numbers 6 months prior to being surprised unless the numbers they originally collected were wrong?

I don’t blame Kim’s staff. With proper training and a competent supervisor I’m sure they would do fine. I blame Kim for claiming she knew what she was doing and for driving off all the people that did know what they were doing. I blame John White for promoting her, putting her in charge of our children’s data, for and keeping her around this long. This is exactly the type of situation you should expect from putting someone with a Home Economics degree in charge of Statewide data collections and data security and privacy. My degree is in Accounting and I specialized on systems accounting and design, but I would make a terrible dress maker.  Just sayin’. . .

Here are the actual files LDOE took down but probably still plans to use once the session is over unless by some miracle enough legislators start taking data privacy and security seriously enough to pass some meaningful legislation.

Copy of 2013-14 Alternative Schools Programs Data Collection Layout

Facilitating the Reporting of Alternative Programs and Schools

 

Privacy Legislation: How to protect your children and negotiate from a position of strength (Data opt-out)

Privacy Legislation: How to protect your children and negotiate from a position of strength (Data opt-out)

Tomorrow the Louisiana House Education Committee is poised to hear testimony on several bills related to protecting the rights of parents and students in regards to privacy. (I plan to stop by around lunchtime to meet with folks and compare notes, msg me if you want to try to meet up. . .) From what I have been hearing there are forces and plans already set in motion to confound any attempts at producing meaningful legislation. I’ve learned that LDOE will be calling in supporters of Big Data to scare legislators with the implications of scaling back our data collections. This is strategy that has been working well in other States and of course this should be entirely expected.

The Louisiana Department of Education needs your children’s data to justify its existence.

They need your data to have something to sell to inBloom and Big Data aggregators and merchants like them.

They need your data to produce their SPS scores which enable them to take over your local schools and turn them into shadowy RSD and charter schools that operate beyond any meaningful oversight.

They need your detailed data to calculate their VAM scores to make a case for firing experienced teachers. LDOE needs your data to make it easy for Course Choice providers to peddle their pseudo-educational wares to our children and stick us tax-payers with the bill.

LDOE needs data to identify students that are eligible for their “voucher” program which they refuse to allow anyone to impartially examine (even the US Department of Justice in relation to numerous consent decrees across the state.)

LDOE needs your data to make a case that they are successful, needed and relevant. They need your data to ensure you are implementing the Federal Common Core Curriculum to their liking.

They need your data, but you don’t need them.

You don’t need to buy what they’re selling.

You don’t need what they’ve become.

The politicians and LDOE think they have you over a barrel here. They plan to let you have your day at the Capital, to have your grievances heard. They plan to pretend to listen patiently, and then many of them will pat you on the head and send you home believing you accomplished something. But the fix is already in. Your bills will either get tied up to where nothing emerges, or killed in the Education Committee, or the Senate will tie it up, kill it, or refuse to bring it to the floor. If all else fails Jindal will veto it and like every other veto Jindal has issued, the legislature won’t get called back into session and the veto will stand. The worst case scenario I see happening is something labeled a “privacy” bill will get passed, perhaps Senator Appel’s, but it will do exactly the opposite. Just as was done with our ethics laws, which have turned our state into a laughingstock, we might become the fodder for late night television with our newfangled “privacy”.

Yo Eve, do you think we need more leaves or a belt or something?  I’m thinking snakeskin.

Now of course I could be wrong and everything will work out hunky dory. That would be awesome! I hope I’m wrong, because if I am, then I won, but let’s assume for the moment I am correct in my analysis and what I have foretold comes to pass. That does not mean they have won, merely that our victory will need to take another shape, will take a little longer, and perhaps take a little more work.

Now to go ultra-tangential on you: As the recent Russian invasion of the Crimean Peninsula by Putin shows, it’s a lot easier to negotiate from a position of strength. While of course I don’t endorse his aggression , his move does illustrate a crucial strategic and philosophic point – ownership is nine/tenths the law or something like that. We own our children’s data, and it does not get to schools or the state without our permission or release of it. I will get back to this in a bit.

Now that the Ukraine bases in Crimea are surrounded by Russian forces, the harbor has been blockaded with sunken ships so their fleet can’t sail out, and the Crimean’s have voted for Independence, the Ukrainians have few attractive options left. The Russians have systematically applied pressure and used their superior numbers and position to win a conflict without ever firing a shot. I think Sun Tzu, a military philosopher who posited one should never wage a war that they had not already won, would be impressed.

If we hope to achieve victory here, we can’t rely on the good graces of our opponents. To gratuitously use even more cliché’s than I have already, we can’t put all our eggs in one basket on this one. We need to apply pressure to this situation to ensure we achieve the outcome we want, and we need the opponents of privacy and parents to see our moves and know we mean business.

We will need to make it clear to the opponents of privacy and public education that we are watching them, and we will exact a political price on them at the polls. The NRA posts a list of friendly legislators (snd not so friendly) to their causes, as do many other liberal and conservative groups for various causes. We will need to start making a list, and posting it, of friends and enemies of students and parents and public education. This will become another pressure point.

For another we need to offer a credible (non-violent) threat of civil disobedience. I have watched many groups create Common Core pull-out days, and test opt-out movements, but has anyone considered a data opt-out or data corruption movement?

How would one do this might you ask?

For starters SSN’s are not required in Louisiana for enrollment. According to federal law they cannot be required. LDOE knows this, but likes to keep this information secret and hidden. I have already asked my district to replace my children’s SSN’s with State Temporary IDs. For those of you not wishing for the state to have your child’s SSN you can contact your school or SIS coordinator in your school district and ask that they replace your SSN’s with temp IDs. I’ve covered this detail a number of times in a number of posts. . .

https://crazycrawfish.wordpress.com/2013/03/28/the-campaign-to-save-our-children/

. . .but I still think a lot of people are skeptical or haven’t seen that advice. Feel free to contact LDOE and ask them if you don’t believe me.

http://www.louisianabelieves.com/resources/contact-us

Contact Us

Email Us: Ask LDOE

Call Us: 877-453-2721 (toll-free)

Another fun thing to do will be to update your records with your “correct” information. A lot of reports and stats are broken down by race/ethnicity. For some reason LDOE thinks most citizens of Louisiana are either Black or White. Numerous state and federal reports based on “subgroups” are dependent upon that information being correct. Whatever a parent puts down for Race and or Ethnicity cannot be questioned by school or district staff. If, as a result of some recent genealogy research you may or may not have done, you tracked one of each ethnicity in your background, you can report belonging to every ethnicity. You might suddenly realize, perhaps from a peyote fueled vision, that your roots are all of one of the least reported groups like American Indian, Asian and Pacific Islander or Eskimo. Maybe you registered your child with the wrong info initially? It happens.

Except for enrollment in pre-k or Kindergarten, does date of birth have to be all that accurate or consistent from year to year? That’s an important piece of info for an identity thief. . . Should we really be trusting an accurate DOB with folks who have such little regard for our children’s credit ratings and futures that they would choose to share SSN’s for millions of Louisiana citizens when an alternative ID was already available and was created for the express purpose of never sharing SSNs?

We used to have Esperanto, Volapuk and a number of other made up or university created languages as a possible Language codes that could be selected for a student’s primary language. I had our school districts do a clean-up on those codes a while back. A number of kids/parents picked those languages, perhaps just for kicks. There are still quite a number of very interesting a rare languages available to choose from. . .

Some of you may remember when the musician, Prince, had his name legally changed to:

I once had a student/parent submit their name as the letter X.

How much fun could we have with this?

I think I found new names for my children.

What these folks who have been so brazenly careless about sharing our data need to understand is, besides the fact that they work for us, is that we control some of the most important pieces of data. If our legislators, LDOE and governor are not willing to protect our data better than they have been. . . well we can easily take matters into our own hands (or claws.)

If you guys think I’m bluffing, just try me. I put that “crazy” in my name for a reason.

I kinda hope the legislature does the wrong thing just so I can see how far we can take this. . .

And that, my friends, is how you pull a Putin.

Your Children For Sale . . . Sold!

There is an insidious plot unfolding all around us that poses a grave danger to our children, and to many adults. Not many people know about this yet, or understand the implications of what is happening, so I thought you would like to know. I’ve seen a few pieces that show both sides of this issue, the good and the bad, but I really don’t think the “bad” has received nearly enough attention. The bad far outweighs the good that is being touted, but most of the articles I’ve read touch on the bad, and don’t delve into the dirty details or address the scope of just how “bad” things could get. I will attempt to do so, by thinking like the soulless profiteer and ruthless predator, and I will show you what you can do about this. Hopefully I can scare you enough that you will be inspired to do something about this before it is too late. There is still hope for many of you, but you must act now.

For starters, FERPA, the Federal Education Rights and Privacy Act, has been gutted. You can’t tell that from the summarized version that is posted on the US Department of Education website. However under Arne Duncan, software vendors lobbied the DOE to permit the sharing of all student data, without parental permission or notification, and for them to use this information without significant restrictions, and certainly none that couldn’t be removed secretly.

Until I investigated, I thought my children’s data was still protected, but I was wrong.

But the most influential new product may be the least flashy: a $100 million database built to chart the academic paths of public school students from kindergarten through high school.

In operation just three months, the database already holds files on millions of children identified by name, address and sometimes social security number. Learning disabilities are documented, test scores recorded, attendance noted. In some cases, the database tracks student hobbies, career goals, attitudes toward school – even homework completion.

Local education officials retain legal control over their students’ information. But federal law allows them to share files in their portion of the database with private companies selling educational products and services.

Entrepreneurs can’t wait.

“This is going to be a huge win for us,” said Jeffrey Olen, a product manager at CompassLearning, which sells education software.

CompassLearning will join two dozen technology companies at this week’s SXSWedu conference in demonstrating how they might mine the database to create custom products – educational games for students, lesson plans for teachers, progress reports for principals.

The database is a joint project of the Bill & Melinda Gates Foundation, which provided most of the funding, the Carnegie Corporation of New York and school officials from several states. Amplify Education, a division of Rupert Murdoch’s News Corp, built the infrastructure over the past 18 months. When it was ready, the Gates Foundation turned the database over to a newly created nonprofit, inBloom Inc, which will run it.

States and school districts can choose whether they want to input their student records into the system; the service is free for now, though inBloom officials say they will likely start to charge fees in 2015. So far, seven states – Colorado, Delaware, Georgia, Illinois, Kentucky, North Carolina, and Massachusetts – have committed to enter data from select school districts. Louisiana and New York will be entering nearly all student records statewide(emphasis added): ( Stephanie Simon/Reuters)

After working to change the rules sell out children to unscrupulous software vendors, one of Arne Duncan’s top people, Press Secretary Justin Hamilton, went to work for one of the companies that lobbied for the relaxed standards, Amplify.  Amplify is a for profit company owned and run by Rupert Murdoch of News Corp. I expect a number of USDOE folks that worked on removing FERPA barriers will be going to these types of companies over the next few year to reap the rewards of their efforts.

If you are in one of these nine states your children’s data as already been shared or is about to be shared:

  • Colorado
  • Delaware
  • Georgia
  • Illinois
  • Kentucky
  • North Carolina
  • Massachusetts
  • Louisiana (Shared)
  • New York (Shared)

Please read this section again:

“In operation just three months, the database already holds files on millions of children identified by name, address and sometimes social security number. Learning disabilities are documented, test scores recorded, attendance noted. In some cases, the database tracks student hobbies, career goals, attitudes toward school – even homework completion.”

In Louisiana we collect SSNs for our student ID, while most states do not. Louisiana has built a data system from a 4 million dollar IES grant that de-identifies students by name and SSN. Louisiana could have provided these vendors de-identified data to protect our children, but they are choosing not to do this because the vendors don’t really want that.  What these vendors want is your children’s verified, intimate identities; their educational-DNA, if you will.

These companies want to know everything about your children and your family so they can direct sell products to you and them. But that is just the start. They don’t need your name, SSN, or actual date of birth to simply sell products to you, but they do need that information to sell your data, and your children’s data, to others.

  • They want to know if your child was ever diagnosed with ADHD, or dyslexia, or hearing, visual, emotional or cognitive disabilities.  Medical information is protected under HIPPA, but no longer under FERPA. . . and that information is valuable to lots of people. . . . “I’m sorry, Mr. Smith, we’re going to hire the applicant without dyslexia. Company policy.”
  • These vendors and their clientele want to know if your child has discipline problems in second grade, or if they were bullied or sexually assaulted (I was protecting victim data with anonymous IDs.  However an LDE employee contacted me recently to find out how to remove that constraint because Kim Nesmith – the Data Quality Director and ironically the FERPA compliance officer – was insisting on having that information to make adjustments to reports such as Valued added – and to share with external vendors apparently.) “As you well know Mrs. Kennedy, victims of sexual assault may pose a greater risk for mental breakdown or higher mental health needs, so we’ll just have to adjust your premium. . . And we won’t be able to accept your application into the police academy or issue you a gun permit.”
  • On the plus side, all bullies will be flagged for life, which might make getting jobs a little harder even if they clean up their act.
  • Studies show kids who are corporeally punished are prone to more violent behavior in adulthood it might be good to account for that in their permanent psychological profile. Some kids in Louisiana, including disabled students, are paddled dozens of time a year with 2 foot long wooden paddles for minor infractions like chewing gum or uniform violations so it probably would be a good idea to keep track of them, and to prohibit them from certain types of jobs.
  • Did you know that many schools and school districts keep photos of children for student IDs, along with descriptions of their physical characteristics, in their data systems? How great would that be for a dating service or pedophile oriented group to get a hold of? Combine that info with your home address, and phone number and your kids will be easy pickin’s for criminals to drop by and abuse or kidnap at their leisure. Criminals already steal SSNs and sell that info to each other, now they can trade your kids info to pedophiles like baseball cards. They can use the bubble gum to lure your kids out of your houses while you’re at work. They’ll of course call the cell phone number you provided the school, to make sure you’re not home yet.
  • Even if your data is nothing to be ashamed of, and you don’t worry about things like identity theft, or eternal targeted marketing, there is no provision for fixing data that is incorrect, nor for allowing you to review your data or your children’s data. From working in a state department of education I can promise you that thousands of these records get jumbled up every year with just a single student data system. Now imagine what can happen with you combine the data from dozens of systems over more than a dozen years. . . Have you ever tried to get something fixed on your credit report? Now imagine that situation, but with dozens of unregulated private companies that have no laws governing their behaviors, and no oversight.

It appears there is no way to prevent this disclosure from happening, at least for Louisiana. But you should be aware this is not just an issue for children. Louisiana, and most states, have decades of detailed student data in their repositories. Louisiana has student data going back to the 1993-1994 school year, and is not shy about sharing this with vendors, so you can be sure this data will be shared with one of the SLCs (Shared Learning Collaboratives) Louisiana is courting. The only hope we have protecting our children’s data is raising this issue with our Legislators.

We must force them to act to protect our children, and our adults 38 and under, from John White and his cronies.  There are some ways we can work together to accomplish this. I can’t do this alone, but with your help we can work on this together . . . if you are interested in saving your children’s future.