For several years, the ACLU has expressed concerns about school district policies that provide officials indiscriminate remote access to school-loaned computer devices. When the ACLU of RI surveyed school districts three years ago on their policies governing home use of such devices, almost every district authorized wholesale access to the laptop’s content – including files, photos, and web history – at any time and for any reason, even when families were encouraged to use the computers for non-academic purposes. The authorization rarely barred school access to, and activation of, the device’s microphone and camera.
Earlier this year, school district responses to an ACLU open records request revealed that very little has changed. At least twenty-six district policies explicitly note that students have no expectation of privacy whatsoever in their use of the devices, and 21 policies fail to ban unauthorized remote access to the device’s camera and microphone. A chart summarizing the policies can be found here.
As a result of the virtual learning currently taking place in almost every school district, some third-party programs are being utilized to provide school officials broad access to the computers that students use for their schoolwork. For example, one program being used by some school districts – GoGuardian – not only provides real-time access to a student’s computer, but can allow school personnel to examine weeks of web history and other data on certain browsers, which could include the private search history of the student’s family, well beyond the access to information necessary for classwork.
The ACLU letter to school districts called for the adoption of specific privacy protections, if they were not already in place:
- An outright prohibition on school officials’ ability to access the microphone or camera of a school-loaned device except during live teaching activities and with the student and family’s full knowledge.
- A ban on accessing the data on a school-loaned device unless (1) a parent or guardian has signed a valid opt-in agreement which allows access by the district to explicitly-specified data, or (2) a school official has reasonable suspicion that a student has violated school policy, and data on the device contains evidence of the suspected violation.
- A restriction on remotely tracking the location of a school-loaned device without cause.
- Disabling privacy-invasive features on any third-party programs that students are required to download in order to participate in virtual learning.
- Ensuring that any third-party programs used in the course of remote education are in compliance with a state law barring use of student data for commercial purposes.
The ACLU letter concluded by stating:
“Since the implementation of school-loaned device programs, the ACLU of RI has been approached by many parents who felt uncomfortable with signing away their child’s privacy rights but were given no other option for engagement in the important educational activities taking place with them. Now that students, and their parents and guardians, have no other option but to continue their education through such devices – and sometimes utilize their home computers for this learning – we believe it is imperative that the privacy rights of students be protected. Clear standards on access to the visual and audio components of the computers – whether school-loaned or personal – are essential. Also of tantamount importance is ensuring that platforms such as Go Guardian do not expose sensitive information about students and their families to school staff, and that the usage of such platforms does not unintentionally facilitate the ability for school staff to access more data than they need to complete their job responsibilities.”
ACLU of RI executive director Steven Brown said today: “A review of school district policies shows that ‘remote’ instruction may be a lot more intimate than you think. It is essential that schools take action to assure parents that virtual learning cannot be used as a tool to spy on families.” ACLU policy associate Hannah Stern added: “The emergency transition to virtual learning only emphasizes the need for districts to preserve data and computer privacy for students. School districts must update their policies so that no student is in danger of having sensitive information about themselves or their families inappropriately exposed.”