In April, Berkeley High School students were shocked when in the middle of their video conference, a man joined the meeting, exposing himself and shouting obscenities. The infiltration was just one of the numerous examples of so-called "Zoom bombing", which occurs when an unwanted or uninvited guest causes a disruption. However, unlike other high profile instances of Zoom bombing, Berkeley High Schools example stands out as the organizers of the video conference followed best practices aimed at preventing such an invasion.
The response was an immediate suspension of video conferencing services. Berkeley Unified School District Superintendent Brent Stevens wrote in a districtwide email, "... Ive received from many of you that the real-time online interaction between students and teachers has been a valuable relief from the sense of isolation during this Shelter-in-Place order...It is simply unacceptable to ignore the risk of this significance."
Yet, therein lies an underlying problem, due to shelter-in-place orders, schools and students have been thrust into unfamiliar territory. These disruptions are not merely the latest in school pranks. Students coordinating efforts to Zoom bomb each others lessons over on the platform Discord might be likened to a high-tech version of typical foolery. But class clowns were not previously able to broadcast pornographic material to kindergarteners as they are now.
Concerns do not stop with the actions of outsiders alone. Instead, the increased reliance on remote learning services leaves students in a potentially vulnerable position due to the practices of their educational institutions. In the name of repressing the hijinks, there seems to be an unfortunate tendency among administrators to increase their remote monitoring capabilities. Douglas Levin of EdTech Strategies in an SC Magazine article said, "In many cases, school districts are circumventing what privacy and cybersecurity controls they may have implemented in a rush to offer online learning to students who wont be returning to school for weeks or months,"
At the same time, schools are making efforts to monitor students remotely, and these efforts raise serious concerns about loss of privacy. Many schools have issued devices that are pre-installed with spyware -- spyware that can conduct scans of student emails, instant messages, and internet browser history. Roughly one-third of American students use school-issued devices. What is at stake here is not benign supervision by teachers whom parents know, but instead monitoring, tracking, and recording by invisible strangers whose intentions are unknown. Also at stake is possible future harassment of students after they leave the K-12 system, based on stored information.
Spyware, which would be considered malicious if someone loaded it onto your personal computer, is frequently marketed to educational institutions. Amelia Vance, director of Youth & Education Privacy at the Future of Privacy Forum, points out, "These products are not privacy-protective by default, and many likely violate FERPA [the Family Educational Rights and Privacy Act]." The Childrens Internet Protection Act (CIPA) imposes rules on schools and libraries that receive internet service discounts through the federal e-rate program. While the purported intention was to target pornography, in an effort to comply with CIPA requirements, schools have invested in radically invasive web filters.
Not only are filters poor when it comes to preventing illicit content, but they also over block content with educational value, including websites that cover important issues such as religious and 2nd Amendment topics. Accompanying monitoring software can track student browsing habits and generate detailed reports for administrators.
Unfortunately, this issue has come up before. In 2009 the Lower Merion School District in Pennsylvania had installed spyware on school-issued laptops, which also gave the ability to activate webcams. School personnel spied on their students while the students were in the comforts of their homesthe school district ended up paying out a settlement of $610,000.
Many schools have no specific privacy policies like data retention limits to protect their students. Notably, the Vermont Superintendent Association publication took the prudent step of recommending that parents be able to decide if their student was recorded. But others have been slow to adopt.
With schools and universities holding exams online, test proctoring software has been a popular tool for instructors trying to dissuade would-be cheaters. At the University of California, Santa Barbara, the faculty association in a letter, went to bat for students and expressed professors concerns over the remote monitoring software ProctorU.
The UC Santa Barbara Faculty Association wrote:
"...this service also mines the data of our students, making them available to unspecified third parties, and therefore violates our students rights to privacy, and potentially implicates the university into becoming a surveillance tool. [We fear this] may incur not only in very significant and unbudgeted expenses but also in serious violations of constitutional rights by partnering with private enterprises like ProctorU."
With the mass use of online learning services, now is the opportune time to reconsider the government requirement for the "Orwellian" monitoring of school-issued devices such as Chromebooks.