by Rigele Abilock and Debbie Abilock
(crossposted from chooseprivacyweek.org)

The girl swallows the pill.   Millions of tiny magnetic nanoparticles disperse into her bloodstream.  They are her trusty scouts, tracking her body for early signs of cancer, heart disease, and other conditions.  Her wearable wristband magnetically recalls the nanoparticles to her wrist veins for instant skin read-outs.  She is constantly monitored by physicians and healthcare companies.  In return, she receives the best chances of a long, healthy life.

This futuristic narrative could sit on your library shelf alongside Michael Crichton’s nanotechnology thriller, Prey.  However, it belongs in non-fiction.  Over one hundred scientists at Google’s life sciences spinout, Verily, are hard at work today on these health nanoparticles and associated wearable monitor.  And it’s all in the name of human health…and big data…and profit.

Reconciling big data opportunities with healthcare privacy concerns is the same dilemma we face in education.  Instructors want to support personalized learning, instruction, and classroom management with online offerings – but the data of underage patrons hangs in the balance.  Just as health profiling based on longitudinal data collection raises red flags, so does educational performance profiling.  Ethically and practically, youth will always be our Achilles Heel.

In our Knowledge Quest article, I Agree but Do I Know: Privacy and Student Data, we examine the evolving legislation around “safe” online educational products, as well as the responsibilities of school, parent, and technology vendor.  We describe some simple ways to gauge the intentions of online vendors, and to look beneath the surface of online products designed for school use.  We caution that vendors are often able to collect information for purposes far beyond those that directly benefit a school or library.  Therefore, it is imperative for libraries to develop protocols for vetting online products, in order to protect the privacy of their patrons, especially students and youth.

A close reading of the Terms of Service and Privacy Policy is essential to evaluating a product, whether that product is for purchase or “free.”  The Terms of Service is a formal contract between the school and the vendor; it governs the vendor’s obligations and limits its liabilities. Especially significant are terms governing data collection, handling, retention and storage, as well as liability for data breach, and contract termination.   A vendor’s policies should be spelled out under these, or similar, headings, and the language should be clear and understandable.  Once a school or district representative clicks “I agree,” typically by click-wrap or click-through signature, the school or library has accepted the vendor’s terms, regardless of whether those terms are in alignment with the Family Educational Rights and Privacy Act (FERPA), Protection of Pupil Rights Amendment (PPRA), and other federal and state laws.

The Privacy Policy is an on-the-ground description of how the vendor operates its site, and should be read in conjunction with the Terms of Service.   A link to the Privacy Policy must be placed on the vendor’s homepage and/or product page.   The Privacy Policy is a working picture of the company’s current and expected practices related to data use, collection, and sharing, as well as marketing, advertising, access, and security control.  While a Privacy Policy lacks the contractual element of a click-through signature, it remains the primary declaration of the company’s privacy practices, and thus may be enforceable against a vendor that breaches those standard practices.  Through a close reading of the Privacy Policy, you should be able to learn a great deal about a vendor’s privacy standards; if the language is overly complex or contorted, treat that as indicative of what a vendor may want you to know, or not.

And so we come to intention.  Close reading of a Terms of Service and Privacy Policy must be augmented by your common-sense evaluation of a vendor’s corporate intention.  Both for-profit and non-profit entities may choose to embed trackers into Web pages to collect information such as navigation patterns and preferences.  Certain trackers, such as Facebook’s “like” thumb and Twitter’s blue bird, are visible, but most are hidden.  Sometimes these trackers follow the user to other sites to gain additional insight, in order to create a better user experience. Specifically, trackers may run tests on differences in language and image use, look for ways to improve navigation, and fix technical problems.

While this may sound innocuous, vendors can learn about a young person’s school performance, personal life, and family situation and values.  Vendors may also have rights – through a Terms of Service – to use personal information and/or preferences in ways that far exceed school or library purposes.

To evaluate how pervasively a vendor is collecting information, download a browser add-on that exposes the embedded but invisible code that collects data and tracking users’ behavior.  For example, Disconnect Basic organizes blockers by category: advertising, analytics, social media and content, explaining why some trackers are blocked and others aren’t.  Ghostery, a Firefox, Chrome, Safari, Internet Explorer, and Opera add-on, allows you to configure your preferences, and then shows you the trackers at each site so that you can decide to block or allow them.  If do you use a tracker and it unearths names such as DoubleClick and ComScore, note that these “data brokers” are likely paying your vendor for user data that, in turn, can be resold.

When it comes to our personal consumption of online services and social media, we may quickly click “I Agree,” but our en loco parentis responsibilities increase when protecting the privacy of youth in our schools and libraries.  Call a vendor directly if you have questions about privacy policies and data treatment.  In our KQ article , we also share tips about ways to build awareness within a school or district.  For the time being, the nanoparticles are under development but not yet on the market.  Let’s practice before they’re (and we’re) for sale.

Rigele and Debbie Abilock are founders of NoodleTools, an online educational platform for research management.  They encourage all online educational vendors – whether for-profit or non-profit – to be safe havens for student online privacy.  NoodleTools is used by thousands of schools and districts worldwide.  It has a Privacy Policy that is written in clear language that you as a librarian, administrator, teacher, parent or student can understand.  This focus on educational goals simplifies the decision-making process, and resonates with librarians and teachers.