Research Publication No.

2014-1 January 15, 2014

Student Privacy and Cloud Computing at the District Level: Next Steps and Key Issues Alicia Solow-Niederman Leah Plunkett Urs Gasser

This paper can be downloaded without charge at: The Berkman Center for Internet & Society Research Publication Series: http://cyber.law.harvard.edu/node/8716 The Social Science Research Network Electronic Paper Collection: Available at SSRN: http://ssrn.com/abstract=2378570

23 Everett Street Second Floor Cambridge, Massachusetts 02138 +1 617.495.7547 +1 617.495.7641 (fax) http://cyber.law.harvard.edu cyber@law.harvard.edu

Electronic copy available at: http://ssrn.com/abstract=2378568

Student Privacy & Cloud Computing at the District Level: Next Steps and Key Issues January 2014

Alicia Solow-Niederman, Leah Plunkett, and Urs Gasser

23 Everett Street Second Floor Cambridge, MA 02138 +1 617.495.7547 www.cyber.law.harvard.edu/

Electronic copy available at: http://ssrn.com/abstract=2378568

INTRODUCTION
Building from the Spring 2013 exploratory workshop Student Privacy in the Cloud Computing Ecosystem1, the Berkman Center for Internet & Societys Student Privacy Initiative2 joined with the Consortium for School Networking3 to convene a conversation among policymakers and educational technology thought leaders (including, but not limited to, administrators, technical experts, industry representatives, and academics). This conversation emphasized the view on the ground as seen from the district level; follow-on discussions might stress school-level, industry, or other policymaker perspectives. In this working meeting at Harvard Law School, participants identified specific resources for potential inclusion in a toolkit for diverse stakeholdersa group that might include students, parents, teachers, school administrators, district officials, technology providers, regulators, and legislatorsconsidering the adoption and impact of cloud technologies in K-12 educational contexts. Throughout this discussion of potential components of such a toolkit, as well as consideration of possible complementary efforts, participants drew upon their extensive experiences in school and/or technological settings, knowledge of law and regulations, and empirical research on privacy attitudes and expectations. The group was mindful of the complex normative issues that educational technology (edtech) may implicate, as well as sensitive to the rapid pace of technological innovation.4 The results of this conversation reflect considerable consensus around the main areas in need of attention in the dynamic edtech landscape, as well as how best to approach such work. A number of organizations and educational entities are already independently developing content and adopting processes around cloud technology in K-12 contexts to both support learning innovations and protect student privacy. Likely next stepsvia independent efforts and ongoing collaboration among interested stakeholderscentered on education, communication, and the creation and dissemination of general guidance documents and other similar resources that could support the development of shared good practices. These next steps clustered around two general areas: (1) law and policy and (2) norms, values, attitudes, and practices. The body of this report situates our discussion in the context of these two clusters. This conversation not only surfaced existing efforts and potential future steps in each cluster, but also offered some initial reflections on how empirical data, current school and district policies and practices, legal and policy considerations, and technological developments may relate to each !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
1

Key findings from this convening are synthesized in the report accessible at http://cyber.law.harvard.edu/publications/2013/student_privacy_in_the_cloud_computing_ecosystem. 2 More information about the Initiative is available at http://cyber.law.harvard.edu/research/studentprivacy. 3 The Berkman Center is grateful for the opportunity to collaborate with the Consortium for School Networking to organize this meeting, and would like to thank Keith Krueger, Jim Siegl, and Bob Moore in particular. To learn more about CoSNs work, please visit http://www.cosn.org/. 4 Note that these dimension of the conversation overlap with a key finding from the Student Privacy Initiatives April 2013 workshop: the strong sense that norms and values as well as the impact of (technological, environmental, and behavioral) change over time represent two critical cross-cutting categories that should be taken into account in all discussion, and which will continue to inform the consideration of student privacy in the K-12 educational ecosystem. For more details, please see the Student Privacy Initiatives full report, Student Privacy in the Cloud Computing Ecosystem: State of Play & Potential Paths Forward, accessible at http://cyber.law.harvard.edu/publications/2013/student_privacy_in_the_cloud_computing_ecosystem.

cluster. It also highlighted open questions and pressing issues that may require additional research, regulation, and / or coordination across parties to resolve; in addition to substantive questions, one particularly central process question involves the best mode(s) of multistakeholder collaboration and communications.

BUILDING THE TOOLKIT: EXISTING EFFORTS, NEXT STEPS & OPEN QUESTIONS
The report below reflects the multifaceted opportunities and challenges that characterize student privacy concerns in the K-12 innovation space. It also aims to capture a selection of the open questions, unresolved issues, and action items that meeting participants identified as among the most pressing for ongoing research, policy debate, and other forms of engagement. Whenever possible, such topics are accompanied by suggestions regarding (1) which stakeholder(s) might be most empowered to lead further discussion and / or research and (2) which process(es) and mode(s) might be best suited to help resolve this particular issue. As they did in the Student Privacy Initiatives April 2013 exploratory workshop, participants in the latest convening noted the impact of change over timeincluding but not limited to technological advancements, environmental trends, and evolving behavioral factorsas an important cross-cutting theme. In that spirit, the suggestions in the text that follows are designed to be generative rather than prescriptive. The strong shared hope of meeting participants is that stakeholders in this space will assess where they most would like to make independent or collaborative contributions to this rapidly evolving field and strive to produce complementary outputs, including, for example, a publicly available toolkit for district-level decision makers.5 Meeting participants also believe that questions of audience, both in terms of the end reader (e.g. parent, teacher, administrator, etc.) of the document and the level of actor at which it is oriented (e.g., classroom level, district level, etc.), are important in crafting practical, effective, and welltargeted resources. Coordination of materials and efforts targeted at different audiences6 will be essential as participants continue to make progress across both the law and policy and the norms and values clusters described below.

1) Law, Regulation, and Policy

At the federal, state, local, and district levels, the intersection of education, cloud technologies, and innovative and economic opportunities raises complex legal, regulatory, and policy issues. Strategically, though ongoing work remains to examine the role of regulation at both the school and school district levels, participants tentatively concluded that centralizing decision-making about classroom technologies at the school district level, rather than leaving such decisions in the hands of individual teachers at the classroom or school level, might be a desirable course of action at this point in the roll-out of K-12 edtech. However, many questions remain not only !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
5

As noted in the introduction, a comprehensive toolkit (or set of toolkits) might contain components targeted at a diverse set of stakeholders considering the adoption and impact of cloud technologies in K-12 educational contexts, including but not limited to students, parents, teachers, school administrators, district officials, technology providers, regulators, and legislators. At present, the Berkman Centers Student Privacy Initiative is working with CoSN and others to produce a toolkit focused on district-level officials, to be made publicly available in March 2014. 6 In particular, guidance offered at the district level is likely to affect teachers and shape classroom level decisions, and teachers actions in the classroom can either support or impede district-level efforts. Therefore, even as different advice and resources will likely be appropriate for different audiences, a holistic perspective remains important.

regarding the best modes of centralization (for example, participants disagreed as to whether an acceptable use policy (AUP) would be a good place for such guidance), but also regarding how to ensure that any such centralization empowers teachers to innovate rather than inadvertently thwarting pedagogical advancements. During this conversation, a general consensus emerged regarding a need for additional clarification of existing statutes and policies, which might include both succinct analysis of existing statutes and clearer definitions of specific terms within existing laws. The discussion also surfaced a strong desire for practical guidance regarding the creation and vetting of contracts, terms of service, and privacy agreements, written to empower district policymakers who seek the services of cloud providers. Possible Next Steps Include: Producing clear and succinct summaries of relevant laws, such as Harvard Law School Cyberlaw Clinics guide to COPPA and FERPA.7 In particular, participants raised the Protection of Pupil Rights Amendment (PPRA)8 as worthy of similar analysis. o In preparing these summaries, participants discussed the need to be mindful of the legal, normative, and other goals that relevant laws are designed to serve. An open question remains about the potential need to consider improvement to laws, policy, and regulations, with an eye toward eliminating unnecessary friction difficulty in understanding and / or implementing laws, as well as barriers to technological and pedagogical innovationwherever possible. Note that some arrangements that may appear to be friction may in fact be appropriate structural arrangements necessary to serve desirable legal, normative, and other goals. Clarifying specific terms in current law, namely FERPAs school official exception.9 The educational record portion of the law also emerged as a point of confusion for many educational policymakers. o A pressing issue involves how best to offer clarification of such terms without necessarily relying on immediate action from the US Department of Education and / or Congress. Such action would of course be welcome but seems unlikely given the constraining realities of the contemporary political climate. Several participants expressed concern about how to proceed without clarity regarding such terms; in particular, some contributors appeared wary that ambiguity around FERPA and its provisions could either lead districts to halt innovation altogether to avoid accidentally contravening the law or, conversely, could lead districts or teachers to go underground and proceed without full adherence to legal and regulatory provisions. Engaging in similar analysis of state legislation (e.g., Oklahomas recently passed Student Data Act or the American Legislative Exchange Councils model state bill)10 and how it interoperates (or not) with existing federal law and policy. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
7

Please visit http://cyber.law.harvard.edu/publications/2013/privacy_and_childrens_data to download a copy of Privacy and Children's Data: An Overview of the Children's Online Privacy Protection Act and the Family Educational Rights and Privacy Act. 8 Please visit the Department of Education Website, http://www2.ed.gov/policy/gen/guid/fpco/ppra/index.html, for more detail regarding PPRA. 9 Pease see p. 6 of Privacy and Childrens Data: An Overview of the Children's Online Privacy Protection Act and the Family Educational Rights and Privacy Act for explanation of FERPAs school official provision.

o Though participants agreed that state laws must become better incorporated into the broader national discussion about educational technology, an open question is how to parse the state legislative terrain without introducing too many layers into an already complex space, and which actors might be best positioned to coordinate such efforts. o A related pressing issue is the concern that, given a lack of clarity regarding federal law and policy, states may pass laws that appear to districts to be more relevant than FERPA, which could add another layer of complexity to existing interoperability issues. Providing guidance for school districts and school administrators on technology contract creation. Participants stressed that any model template for contractual language must be sufficiently modular to apply across a range of settings (e.g., a small rural district, a large urban district, a minority majority district, etc.). Some participants recommended more specific solutions such as, for instance, mandatory disclosures for contract language along the lines of nutrition labeling. Energy also coalesced around the idea of checklists for officials to consult before they sign contracts,11 as well as the power of a centralized repository that would list non-binding best practices, guidance documents, and use cases. Additionally, future efforts might incorporate lessons learned from other sectors, such as government negotiations of contractual terms with vendors. o An important open question involves how to integrate necessary perspectives in this work. Participants stressed that the legal experts who draft such guidance must integrate input from practitioners in the field; to this point, one participant suggested systematically mapping out how districts are (not) currently addressing key elements of the ideal business / vendor relationship. Other participants also emphasized that the voice of the industry, including both industry consortiums and individual cloud vendors, must be heard in this effort. Cooperative workvia co-branded outputs, working groups, workshops, or some combination of modesamong legal scholars, industry actors, district level policymakers, and teachers appears integral. o Another challenging open question involves how to develop guidance documents that are sufficiently specific, yet also generalizable across different kinds of cloud services; this issue is critical because FERPA in particular requires contextspecific, app-by-app mapping to understand how different types of services interact with the statute. Participants suggested that this legislative reality offers another strong reason to create general checklists / good practice documents around the requirements for a good contract, rather than offering up more narrowly tailored, precise contractual language.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
10

The full text of the Oklahoma law is accessible at http://webserver1.lsb.state.ok.us/cf_pdf/201314%20ENR/hB/HB1989%20ENR.PDF, and the model ALEC Student Data Accessibility, Transparency, and Accountability Act language is available at http://www.alec.org/model-legislation/student-data-accessibilitytransparency-accountability-act/. 11 For instance, a checklist might offer a set of questions that a school district official should ask before entering into any contractual agreement, such as What information is collected, and for what purpose(s) is that information used? The Student Privacy Initiative is currently working with Harvard Law Schools Cyberlaw Clinic and the Consortium for School Networking to develop such checklists. The checklist included in Appendix B of Fordham CLIPs study offers another helpful example, and is accessible along with the full study at: http://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=1001&context=clip.

Increasing accessibility of terms of use and privacy policies in both click wrap agreements and pursuant to negotiated contracts so that they are comprehensible to parents, teachers, administrators, school districts, and other stakeholders who may not be technical experts. Multiple contributors agreed on the potential power of translating such documents into plain English, in an interoperable way that might be repurposed to cultivate shared good practices across multiple settings. Participants also emphasized the complexity of this task, stressing that current contract language may be problematic for at least two reasons: it may contain hidden terms that should be made transparent, and the content of these and other contractual terms often fails to reflect sound privacy practices. Fostering shared understandings of the purposes of and best practices around legal, regulatory, and policy requirements. Participants stressed the need to make sure that stakeholders achieve a strong sense of shared purpose around why laws, regulations, and policies are so important in the K-12 edtech landscape. o An open question is how best to circulate the summaries, guidance, and other materials produced within this cluster such that they reach their intended audience(s) as well as generate helpful feedback that informs any revisions of these materials and future efforts by the authors. Bridging the law and policy and norms and values clusters of activity, participants discussed and emphasized the importance of ongoing public relations and education campaigns with teachers, parents, public at large, and other stakeholders on the general and specific requirements of existing laws, regulations, and policies.

2) Norms, Values, Attitudes, and Practices

Though much progress can be made in the law, policy, and regulation cluster, participants overwhelmingly concurred that it cannot be the entire solution: exploration and discussion of the normative commitments held by stakeholders in the K-12 educational technology space, as well as their personal preferences and behaviors with respect to technology, are critical in the development of a meaningful toolkit and other outputs. Contributors expressed a strong sense that communicating the what (substantive information) and how (the implementation process) of edtech adoption and use is not enough. Invested stakeholders must develop a coherent message explaining why they are implementing a particular educational innovation. Such an effort should not be misunderstood as mere messaging or public relations work; there is a critical need for substantive, well-considered stances that support the deployment of a particular edtech solution, along with clearer communication about the rationale for these decisions. Empirical evidence on teacher, student, and parent privacy attitudes and expectations in K-12 educational contexts should inform such work. This data-driven effort must grapple with difficult questions around the sort of learning environment that educators, parents, policymakers, and other stakeholders wish to promote, and then clarify how the ideal pedagogical outcome relates to possible risks and benefits of specific technical interventions. To succeed, several participants advocated for the cultivation of a conversation of trust among edtech stakeholders, with an eye to changing cultural norms and developing a shared sense of mission around the potential power of edtech to improve educational outcomes. At the same time, others warned about the danger of adopting innovations without empirical evidence as to their

efficacy. Striking the proper balance between a culture that permits progress and affords opportunities for evaluation seems likely to be an ongoing challenge, both within individual districts and at the national level. Across all steps in this cluster, participants agreed that communications at several levels will be critical: (1) invested stakeholders who are involved with the effort on a near-daily basis; (2) a slightly wider circle of involved parties, from the parents of K-12 aged students to the industry providers who make general tech products that are used often in schools; and (3) the broader public.12 It will be imperative to think carefully about which messages to communicate to which groups (e.g., a parents may desire different information than school district technology leaders), and to offer opportunities for bi-directional feedback and incorporation of different points of view early on in any process. Possible Next Steps Include: Developing a shared vocabulary, including a shared taxonomy / common lexicon that fully and accurately reflects the purposes of different technologies. The Student Privacy Initiatives K-12 Edtech Cloud Services Inventory13 serves as one example of this kind of work. Some participants recommended that it might be helpful to build upon such a service inventory by defining legitimate and illegitimate uses for each kind of data, in the context of particular services. Others suggested that it would be productive to add analysis specifying the benefits and perceived risks of a given technology, though certain participants warned that too much fixation on risk might lead to fear-mongering and impede the ability to build trust with parents in particular. o The proper scope represents an unresolved and pressing open question in developing a shared vocabulary. For instance, to what extent is it necessary to make distinctions between edtech and personal tech that may be used in the education context? Participants emphasized that the frame should not be so narrow as to cut out connected learning opportunities across school and home, yet also must not be so broad as to preclude effective policies. A general sense seemed to be that stakeholders need advice on such a tight timelinegiven the rapid pace of technological innovationthat scoping questions will have to be resolved in process rather than elucidated entirely in advance. Cultivating shared norms and values as part of a national conversation. Many contributors also asserted that analysis and research should be only one part of an ongoing effort that must more broadly reframe the conversation. As a shared culture and conversation of trust develops, it may make sense to reference a set of common principles and / or minimum standards so that documentation is not only descriptive, but also helps to support normative values. Weekly norming conversations with parents and teachers in particular may also support this effort at the school and district level. o An open question around common principles involves how to reach a consensus that both builds from the discrete work and goals of existing individual organizations and supports a productive and crosscutting national conversation. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
12

This shared sense echoes the findings of the April 2013 workshop; please see Student Privacy in the Cloud Computing Ecosystem: State of Play & Potential Paths Forward, Section 1 (pp. 4-5) for possible suggestions on how to convene and engage stakeholders (report accessible at: http://cyber.law.harvard.edu/publications/2013/student_privacy_in_the_cloud_computing_ecosystem). 13 The K-12 Edtech Cloud Service Inventory is available for download at http://cyber.law.harvard.edu/publications/2014/edtech_cloud_service_inventory.

One partial solution that builds on lessons learned from other fields may involve incubating and sharing good practices that could be generalized to different settings, rather than aiming for a wholly monolithic shared vision or set of principles to apply across all cases. To do so, one potentially powerful idea involves building communities of practice within small, medium, and large districts (consisting, perhaps, of the CIO, CFO, Superintendent, etc. for a given district) that are data exemplary, and then conducting case studies of these districts, distilling lessons, and making them generalizable in ways that can be integrated into analysis and guidance documents. Empowering district and school-level actors through education, guidance, and ongoing consultation will help to develop and sustain strong shared practices. Work on law, policy, and regulation, particularly increasing the accessibility of terms of service and privacy policies (discussed more fully above), may represent one piece of this endeavor; however, participants stressed that successful education of all stakeholders must communicate why a change is implemented, and cannot revolve around either technical terms or legal compliance issues alone. Encouraging groups of schools or districts to work together, in formal or informal consortiums. One creative idea that garnered enthusiasm from many participants involved having groups of schools work together to create a centralized and vetted internal application (app) store for teachers, using existing app store providers as gateways. Contributors also suggested increasing school and district bargaining power, perhaps through collective bargaining modeled after HIPPA efforts, so that individual institutions are able to more effectively negotiate terms with industry vendors. Others warned that vendor and industry malintent should not be assumed, and that for vendors who wish to adopt good practices should have opportunities to constructively engage through the negotiation process. That being said, many participants felt that vendors were unlikely to make the terms of click-through agreements comply with their needs until districts and schools increased their bargaining power. Some suggested that a state-level Chief Privacy Officer might be able to assist in these efforts. Others also suggested that it is important to learn from other relevant sectors / good practices elsewhere. Assessing risks and opportunities constructively, in a way that is realistic and grounded and yetgiven the sensitive and potentially emotional nature of student privacy conversationsneither heightens fear nor blocks future opportunities. One proposed research output might be a specific analysis of the risks and benefits of existing technological tools, perhaps in the form of a heat map or risk assessment map for different stakeholders. However, others warned that any such effort should not proceed without pausing for PR and messaging work, lest the conversation become one centered on privacy problems rather than more broadly assessing the goal of readying kids for their graduation into the knowledge economy. o One important open question involves the need for additional research to elucidate different stakeholders observations of actual and perceived risks. Parent and teacher surveys and/or focus groups, perhaps building from the Berkman Center Youth and Media programs student focus group work,14 might represent a particularly helpful next step. More generally, this open question reinforces the !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
14

The latest Youth and Media report, Youth Perspectives on Tech in Schools: From Mobile Devices to Restrictions and Monitoring, is accessible at http://cyber.law.harvard.edu/publications/2014/youth_perspectives.

importance of empirical data in K-12 student privacy research and advocacy. Convenings of district and school edtech thought leaders might also prove helpful in surfacing experiences on the ground. Such data empowers actors to develop guides to combat misinformation and separate out unfounded fears from legitimate concerns (e.g., mythbusters style documents like those produced by the Data Quality Campaign), thereby strengthening an overall culture of transparency and trust. Fostering transparency and clarity around data collection and use. Participants agreed that current knowledge of data lifecycle is generally inadequate, and that there is a need for additional research and work to clarify (1) what student or school data is actually being used, (2) how it is used, and (3) with whom it is shared within each cloud service. Participants stressed that this information should be clear in two cases: both when everything works as planned, and when security breaches occur. o A critical unresolved open question involves identifying the parties that are best positioned to obtain such information, and which research strategies may be most effective. Additionally, in gathering and assessing such information, it is important to take into account the ways in which districts may differ, and the constraints these differences may create around data collection and use in context.

FINAL TAKEAWAYS
Participants agreed on the vital importance of engaging in ongoing group communication and leveraging participants many resourcesboth in their individual and collective capacitiesto make progress within and across the clusters identified above. Contributors recognized that different stakeholders might not have identical visions of how the edtech landscape should unfold. They felt strongly, however, that they could continue to build a common culture and further a shared overarching purpose of respectful, timely, and cutting-edge dialogue about edtech while maintaining their individual identities and objectives. To that end, participants agreed to use various modes of asynchronous communicationsuch as listservs or Google groupsto continue their exchange between in-person meetings. They also flagged as a somewhat open question the issue of branding of materials that participants generate on edtech; that is, whether there should be some sort of standardized or group branding that appears on these materials. For the time being, participants agreed to continue to provide consistent and complete attribution to all parties involved in a given output. Many participants voiced support for the creation of a national center on K-12 edtech, which would serve as a central repository of edtech materials and a clearinghouse for quality of materials. Open questions exist surrounding funding opportunities for such a center. Moving forward, there emerged a shared sense of urgency around generating outputs around edtechboth those set forth above and othersdue to the fields rapid evolution. They further affirmed their commitment to continuing conversations about edtech with each other and other stakeholders in a collaborative, iterative fashion.