Montana schools are asking Gov. Steve Bullock to waive requirements under a new state cyber security law aimed at protecting student information as teachers scramble to move classes online.
School districts say they need more flexibility to move classes online amid the novel coronavirus pandemic, and that they’re currently limited by the 2019 Montana Pupil Online Personal Information Protection Act.
The law requires districts to make sure the websites and software they use to teach students aren’t mining, sharing or selling student data and information. In particular, small districts just wading into web-based learning say the law is a major barrier.
“We made a full 180-degree pivot two weeks ago, and went from basically no distance learning to now 4-12 is all digital distance,” Superintendent Alex Astor said.
Astor is the superintendent of Roberts School District southwest of Billings, which serves just a little over 100 students. He said the district chose Google Classroom for its online delivery system.
“And it’s just basically a really good way to share information,” Astor said. “But in no way, shape or form does Google Classroom provide any educational services.”
Roberts School District teachers are flocking to a number of web-based tools to fill out their curriculum. English teachers might be trying to hold discussion on video chat services, or a math teacher might want to use a website that helps determine what aspects of trigonometry a student might be struggling with.
But there’s a hang-up: districts need to sift through every user agreement to make sure it complies with Montana’s student data protection law. If it doesn’t, districts need to get companies to sign agreements outlining protections for students before they can use a new web-based tool.
“And we have great teachers that are going after this stuff, and trying to pump the breaks on people trying new things is discouraging in education,” Astor said.
The Montana Educational Technologist Association is trying to speed up that process by working with the state, which has already signed a large privacy agreement okaying districts to use Zoom video chats. School Administrators of Montana is asking Bullock to give districts until July 1 to fully comply with the state’s 2019 student privacy law.
Bullock’s office says it’s looking into the request. But there are risks that come with that flexibility, according to Amelia Vance with the Future Privacy Forum. The Washington D.C.-based think tank focuses on data privacy. Vance said the quick jump to online learning is leading teachers and districts to consider unconventional tools.
“‘Cause the biggest privacy issue that we've seen here is that there is a lot of non-education software that's being adopted or contemplated, from webinar platforms to social media, even gaming platforms,” she said.
Vance added that in recent years, many districts across the country have found teachers are using hundreds of online tools not approved by administrators. That’s only expected to get worse during the COVID-19 outbreak. A recent 2019 national survey from Common Sense Media also found issues with training teachers received.
“Only 25% who participated in professional development were trained in understanding student data privacy requirements and strategies around the use of ed tech,” she said.
In Montana, many school districts had different opinions on how they should be complying with current requirements under the state’s student privacy law, especially smaller districts without dedicated tech departments. Dot Wood is the curriculum director at Columbia Falls Public Schools.
“And so people like me, who are curriculum directors, or other classroom-based people, are trying to figure out things sometimes without having clear guidance about what are the software adoption guidelines from the state,” she said.
Wood added her district worries about general cyber security concerns as it quickly scales up to online learning. Like other Montana districts, Columbia Falls schools were hacked in 2017.
Jeff Patterson is the president of K12 Montana, a business that helps districts set up web-based learning systems. He said the best way to avoid hacking is to train teachers, students and parents on the safety features featured in online platforms such as Zoom.
Patterson explained bad actors can do more than expose students to inappropriate content including pornography or racist rhetoric. After gaining access to chat sessions, they can share malicious links.
“That link can actually pass your login credentials to your computer along with it, to try and gain access to a resource that’s secured on the other side with your username and password," he explained.
That could lead hackers right to a student’s private information.
Patterson said these vulnerabilities will continue to be discovered with time. Districts need to make sure students, staff and administrators are educated on these attacks and on older scams such as phishing emails.
“We may be moving a little bit faster than we would be comfortable with, and I think it’s ok for administrators to take a pause, and it’s ok for teachers to say, ‘We need some support,’” Patterson said.
If a district isn’t sure whether an online tool is being used safely, Patterson said it’s ok to stop using that service and find another way to engage students. Even if it’s good old-fashioned paper packets.