As technology becomes more inextricably tied to the student-learning experience, reporting on the implications for student data privacy and security is paramount.
Data privacy and security are often overlapping topics — and ones that are top of mind for both university administrators and advocates. Sixty-five percent of the 105 colleges that responded to a 2022 United Educators survey identified “data security” as a top risk to their institutions. And their concerns aren’t unfounded. The educational-services sector remains a primary target for ransomware attacks; a notable case is Lincoln College, a private predominantly Black institution, which credited its closure last year in part to a cyberattack.
Issues around student data privacy have also made headlines: Public colleges banning TikTok and a student lawsuit around the use of proctoring software, for example. It’s an area that’s ripe for accountability reporting as new educational technologies enter the market faster than federal and state governments are developing oversight measures. This is especially the case in higher education. According to data provided by the nonprofit Data Quality Campaign, just two of the 15 privacy bills it monitored during the 2022 legislative session included provisions that applied to postsecondary students and institutions.
Covering data privacy and security requires an ability to thoughtfully separate the wheat from the chaff, and avoid unnecessary rabbit holes and jargon. This blog post will dig into the top developments you need to know right now and offer tips for getting started.
Privacy and Security Developments to Have on Your Radar
Experts and journalists interviewed cited a handful of developments around data privacy and security that higher-education reporters should be watching.
The most commonly cited was institutions’ use of monitoring technologies. This extends beyond proctoring software for remote testing. Jason Kelley, associate director of digital strategy at the Electronic Frontier Foundation (EFF), also pointed to software colleges use to track students’ location or their social media activity. Dozens of colleges, for example, reportedly use Social Sentinel, an Artificial Intelligence-supported software that scans public social media posts to identify potential safety threats.
These surveillance tools, which some institutions say they’ve adopted as a security measure to avert tragedies like school shootings, risk imposing a “chilling effect” that “kills student speech and expression” around controversial topics in particular, and they impede their self-development, said Elana Zeide, an assistant professor at the University of Nebraska College of Law. This can especially be the case for issues such as gender identity and abortion, which have become increasingly politicized in states like Florida.
Todd Feathers, an enterprise reporter at The Markup, said it’s also important to keep an eye on the mergers and acquisitions happening in the ed-tech space and consider the ramifications on student data privacy and security. (EAB, a consulting firm that works with colleges on enrollment management and other services, has acquired at least six companies in the last three years, for example, according to its press release archive).
There is often not a lot of transparency on what happens to students’ data in these cases, Feathers said. Not to mention, “Having all of this very broad, disparate data brought together in one place by one company means that data is more vulnerable to cyberattacks and other kinds of exposures,” he said.
Speaking about student data more broadly, Feathers added that the “explosion” in institutions’ use of predictive analytics to help them make decisions about students in areas such as admissions and advising is worth keeping an eye on, too.
This model, which relies on historical data to predict how students will perform and act in the future, can do more harm than good if the data that’s informing it is biased and no longer accurately reflects the current reality. (For example, a female student of color could be steered away from majoring in physics if the historical data feeding the algorithm is largely data on white men).
Tips for Reporting on Student Data Privacy and Security
Feeling out of your element? Experts and reporters offered some tips:
- Follow people (or organizations) who know this space. Feathers reads Matthew Tower’s newsletter every week on the state of ed tech. Daniel Mollenkamp, a reporter at EdSurge, follows organizations like the Center for Democracy and Technology on Twitter. (Check out this tweet, too, for more follow ideas.) Zeide also regularly skims the International Association of Privacy Professionals’ website, which has some free resources, including its digest of U.S. privacy and security news.
- Research. It’s never too late to build up some baseline knowledge and context on relevant laws to this beat — namely, the Family Educational Rights and Privacy Act (FERPA). The Electronic Privacy Information Center has a good primer on FERPA.
- When weighing whether to pursue a privacy or security story, consider your organization’s readership. Reporters’ inboxes are chock full of press releases. The question Mollenkamp at EdSurge always comes back to is, “Does this mean anything for a student, or a teacher, or someone who’s within my mission statement?”
- While reporting, admit what you don’t know. Call an expert to talk, and “don’t be prideful; don’t pretend you know things you don’t,” Mollenkamp said. “The thing I always tell sources is to talk to me like I’m many, many grade levels below you,” so they break things down.
- Avoid going down rabbit holes. Feathers said that reporters can minimize the risk of taking their readers down unnecessary rabbit holes by making sure their stories revolve around people, and how a particular development around data privacy and security is affecting those people.
- Always be open to nuance. Advancements in tech come with pros and cons. Zeide gave the example of the aforementioned use of predictive analytics in areas like advising. On the one hand, Zeide said, there are ethical dilemmas, such as the risk of historical data bias. But on the other hand, if due diligence is done, predictive analytics can be an important way for learners to get more immediate guidance and advice.
Places to Get Started
Sources offered a few story ideas on the topics of data privacy and security to get reporters started.
If an institution has a new partnership with a private ed-tech company — and the college in question is public — file a public records request for the contract. Then dig in to see how robust, or lean, the privacy and security provisions are. (I did this last year for The Chronicle).
Mollenkamp also recommended doing follow-up reporting. Identify a ransomware attack that happened at a college six months to a year ago, and check in with the institution: What’s happened since? Have there been any updates to its data security protocols?
Kelley, at EFF, said he’d also be curious for reporters to look into what colleges have done with the apps they adopted during the pandemic to track users’ exposure to Covid-19. Have they been repurposed?
Kelley added that reporters might be able to glean additional story ideas, especially pertaining to data privacy issues, by reading student newspapers.
“Often, student journalists care about this stuff,” and will write about it, he said.