Kendrah Foster is extra, extra vigilant these days.
The kinship mother of three children has new territory to navigate as her kids embark on e-learning at Allegheny K-5 amid the COVID-19 pandemic, while juggling regular mom duties, assignment assistance and troubleshooting devices. But with new digital learning terrain came new concerns.
She worries whether her kids will be safe from hackers. And she’s concerned about privacy, now that three cameras and microphones broadcast live during school days from their pseudo-public Observatory Hill home.
“Sometimes you forget that kids are online and people can see everything,” Foster said. “Sometimes I feel like I don’t have privacy…just because the cameras are always on, unless it’s lunchtime.”
For Foster, and parents like her, the shift to e-learning raises many questions about how privacy at home is changing with the digital environment. For school districts, the shift to virtual learning came with a spike of cyber threats, increased student vulnerabilities to cyber threats and an increase in cyberattacks, which privacy experts say can have an overwhelming impact on schooling and students, disrupting educational or personal needs.
The issue is not hypothetical.
The first day of classes for Pittsburgh Public Schools [PPS] was overtaken by hackers who interrupted virtual-learning lessons with offensive comments, racial slurs and a possible pornographic image. PPS, which shifted all students back to remote learning on Nov. 16, did not provide comment for this story after multiple requests.
Hackers broke into the system of Fairfax County Public Schools, Virginia's largest school district. An e-learning tool in Chicago Public Schools gave teachers access to thousands of students’ computer cameras and microphones without their knowledge or permission in the first few weeks of school, though the problem was corrected. Hackers also breached the network of Nevada's Clark County School District, which includes Las Vegas. The infiltrators threatened to disclose information such as employee Social Security numbers and student names and grades unless a ransom was paid.
Cyber threats and cyberattacks on K-12 learning institutions aren’t a new phenomenon.
The K-12 Cybersecurity Research Center found more than 1,000 cyber incidents were reported since 2016. Some threats are old – phishing and ransomware attacks and data breaches – and some are new, birthed strictly from the shift to a virtual learning environment amid COVID-19, such as “Zoom-bombing,” where an unauthorized person enters and disrupts a Zoom meeting.
But as schools grow more reliant on digital and online platforms to provide a virtual learning environment amid the pandemic, cybersecurity experts say students also become more vulnerable to privacy and cyber threats, so schools need to better protect students from digital privacy concerns.
Educational institutions “will need to evolve their understanding and their preparation in order to prevent these things from happening,” including hacks and data breaches, said Elizabeth Laird, who leads the Student Privacy Project at the Center for Democracy and Technology [CDT].
As parents, like Foster at PPS, navigate uncharted e-learning terrain, how can K-12 learning institutions better protect their students from cyberthreats? And as lines blur between the living room and the classroom, what’s at stake for students when it comes to the future of privacy and the perception of privacy?
To navigate her new lifestyle for about seven hours each day, Foster closes the laundry room door for privacy. She double checks that the house is clean. If she takes a phone call, it’s in a room where the audio can’t be heard by a classroom full of kids. She’s careful of what she watches on TV.
She worries that with her kids — ages 6, 7 and 8 — and other students spending full days in front of a camera broadcast to their peers and teachers, it’s “intensifying that need to be seen, that need to be liked, that need to be always on.”
The virtual learning environment has already provided educators a clear glimpse into their students’ home lives in ways like never before. As stories emerge about what it means now that school is in the home — such as a teacher raising funds to ensure their students have fire detectors in their home after hearing beeping through student cameras — it raises questions about the larger implications for K-12 schools and concerns about a normalization of surveillance and a changing idea of privacy.
“For me, it's almost more of a philosophical thing, which is, you know, what you experience as a child is what you end up thinking is normal,” said Timothy Libert, a special faculty instructor in Carnegie Mellon University’s [CMU] Computer Science Department.
“I'm very worried that we're making this type of surveillance normal for students,” said Libert, who also teaches at CyLab, the Security and Privacy Institute at CMU. “The idea that your teacher is going to see what's on your computer screen, the idea that your parents and your teachers can see every time you click your mouse or that someone's going to be looking over your shoulder the whole time…You have a generation of people growing up thinking this is normal.”
He also worries that with how quickly our lives are changing with COVID-19, and how quickly schools must make decisions, parents may not be informed enough to make good digital privacy decisions for their children. This moment, he worries, could reshape how young people view privacy as classroom sessions are streamed into the home.
Attacks on the rise
Since the shift to virtual learning, “security has become even more important to us,” said Superintendent Jeffrey Soles of the West Mifflin Area School District. The district in September recalled district-issued student devices for “urgent security updates” as a preemptive measure against cyber threats, to ensure “a safe remote learning experience” after laptops were unable to connect to the internet due to a vendor issue.
“Us being able to protect our kids' privacy as well as district information is [of] the utmost [importance],” Soles said.
Steven Fort, the district’s director of technology, said that while a breach hadn’t occurred, the district has worked to build on its security maintenance and monitoring. Fort said the district uses firewall protections, real-time threat analysis and active filtering technology, among other methods to keep students and district information safe.
Fort’s sage advice to other districts? “If it looks suspicious, act on it.”
A report released in October by the U.S. Government Accountability Office [GAO] describes how the transition to distance learning during the COVID-19 pandemic has presented additional cybersecurity challenges for districts, including incidents of students being exposed to pornography or hate speech. These moments disrupted class and often caused class cancellation.
“When schools suffer from these cyber attacks, oftentimes they will shut down, especially when their systems or the data is held for ransom,” Laird said.
The same report found that between 2016 and 2020 thousands of K-12 students had their personal information compromised in data breaches, including academic records, medical records, social security numbers, discipline records, and bullying incident information. Breaches were accidental and intentional — with a variety of responsible actors and motives.
Cyber incidents can have an overwhelming impact on schooling, disrupting educational, social and emotional needs.
“We're so dependent in all aspects of our life, including education, on data and technology that they can't deliver educational services,” Laird said. “And so that means that students literally are not receiving instruction because their school is closed because of a security issue.”
The disclosure of this information can also directly harm students, including their financial, physical and emotional wellbeing. Information such as social security numbers can be sold on the black market, and harm student finances, say financial and cybersecurity experts.
Schools are uniquely vulnerable to data breaches, hacks and cyberattacks resulting in the disclosure of personal data, with some having barriers to better security, such as lack of funding to update antiquated equipment or software.
How to better protect
How common are cyberattacks? We don't really know.
When it comes to cyberattacks on K-12 schools, “we only know what is made publicly available, which is either because the district has chosen to share for whatever reason or it's reported in the media,” Laird said. “So I think there is an issue with even understanding how widespread this issue is.”
School districts aren’t required to disclose incidents of cyber attacks, but in Pennsylvania, they are required to disclose data breaches involving personal identifiable information. The databases which track incidents of cyberattacks, such as the K-12 Cybersecurity Research Center, often collect information from a patchwork of sources since there’s no centralized tracking system.
As schools provide more devices and internet access, they must also ensure they are not violating student privacy. Experts say districts should minimize data collection and activity tracking and ensure any data sharing complies with state laws. Learning institutions must also know what information is being collected, how it’s being stored and for how long.
An October report from CDT found that most parents support the use of education technology, and 76% of parents surveyed nationwide said they were likely to support more online learning at home, even after the pandemic. However, parents had concerns about protecting their children’s digital privacy and became increasingly concerned as they learned more about safety threats and potential vulnerabilities to data breaches.
With school districts in Pittsburgh and beyond relying on complex technology systems that are collecting more student data electronically, and as government officials and schools report surges in cyberattacks, school districts must grapple with how to best protect students and staff from increasing cyberattacks and hackers.
Districts can first better protect themselves against cybersecurity threats by training teachers to become more “cyber-savvy,” said Erik Avakian, chief information security officer for the Commonwealth of Pennsylvania.
He suggested districts implement security awareness training and take advantage of resource programs with information and services to enhance education, awareness and monitoring.
“Enabling our teachers and our workforce across the teacher spectrum to really be cyber educated and cyber-savvy so that as they're doing their work, that they're protecting information, they're handling information properly,” he said.
Laird said there are a number of ways school districts can protect students, staff and their personal information, including building on existing cybersecurity and privacy knowledge, enacting policies and processes to vet software and training staff to use tools responsibly.
‘A huge gap’
There are a handful of federal laws that protect or address student privacy; Family Educational Rights and Privacy Act [FERPA] protects student education records; Protection of Pupil Rights Amendment [PPRA] outlines parents’ rights to limit personal information collected by schools; and the Children’s Online Privacy Protection Act [COPPA] outlines what’s required of online service operators to protect student privacy, such as receiving parent permission before collection information for children under 13.
At the state level, however, laws are fragmented. Laird said there are nearly 130 state student privacy laws across 45 states.
And many are still not evolved enough to address new technologies being developed.
Judges are often interpreting decades-old laws in cases of new, developing technology and that there’s a need for fresh legislation, Libert said.
“There's a huge gap between how up to date our technology is and how up to date the laws are,” Libert said. “I think we just need laws that are written for the technology we have today.”
TyLisa C. Johnson covers education for PublicSource. She can be reached at firstname.lastname@example.org.