Like many privacy-minded parents of elementary students, Tony Porterfield tries to keep close tabs on the personal information collected about his two sons. So when he heard that their school district in Los Altos, Calif., had adopted Edmodo, an online learning network connecting more than 20 million teachers and students around the world, he decided to check out the program.
Edmodo’s free software allows teachers to set up virtual classrooms where they can post homework assignments, give quizzes and use third-party apps to complement lessons. Students can create individual profiles, including their photograph and other details, within their teacher’s class and post comments to a communal class feed.
Porterfield, an engineer at Cisco Systems, examined Edmodo’s data security practices by registering himself on the site as a fictional home-school teacher. As he went about creating imaginary students — complete with cartoon avatars — for his fictitious class, he noticed that Edmodo did not encrypt user sessions using a standard encryption protocol called Secure Sockets Layer.
That cryptography system, called SSL for short and used by many online banking and e-commerce sites, protects people who log in to sites over an open Wi-Fi network — like the kind offered by many coffee shops — from strangers who might be using snooping software on the same network. (An “https” at the beginning of a URL indicates SSL encryption.)
Without that encryption, Porterfield says, he worried about the potential for a stranger to gain access to student information and thus hypothetically be able to identify or even contact students.
To test this hypothesis, he used a computer on his home Wi-Fi network to log in as an imaginary student; then, using another computer, he installed free security auditing software, called Cookie Cadger, to spy on the student’s online activities. Though the risk of this happening with actual students seemed small — Edmodo and other companies say they have no evidence that this kind of breach has occurred — he contacted his school district about his concerns.
“There’s a lot of contextual information you could use to gain trust, to make yourself seem familiar to the child,” he says. “As a parent, that’s the scariest thing.”
Sara Mandel, a spokeswoman for Edmodo, told the New York Times the service provided “a safe alternative to open, consumer social networking sites” because students could participate only in groups created by their teachers and because teachers decided whether students could send private messages to one another.
She added that “any school that chooses” had been able to use a completely encrypted version of the site since 2011 and that the company “is working to ensure that all of our users are using an SSL-encrypted version.”
School administrators and teachers said they liked these online learning systems because they could control the information that students might share.
“Kids can’t talk to each other. They can only speak to the group,” says Heather Peretz, a special-education teacher at Great Neck South Middle School in Great Neck, N.Y., who uses Edmodo in her English class. “It helps them learn to be good digital citizens so they are not making inappropriate posts.”
But as school districts rush to adopt learning-management systems, some privacy advocates warn that educators may be embracing the bells and whistles before mastering fundamentals like data security and privacy.
Although a federal law protecting children’s online privacy requires online services to take reasonable measures to secure personal information — like names and email addresses — collected from children under 13, the law doesn’t specifically require SSL encryption. Yet school districts often issue only general notices about classroom technology, leaving many parents unaware of the practices of the online learning systems their children use. Moreover, schools often require online participation so students can gain access to course assignments or collaborate on projects.
“What we are finding with this type of database is that parents are uninformed,” says Khaliah Barnes, a lawyer at the Electronic Privacy Information Center. “Most don’t understand how the technology works.”
Online security experts have long warned consumers about unencrypted websites that collect personal details. That is because on open Wi-Fi networks, hackers using simple software programs can see and copy the unique code, called a session cookie, that servers issue to authenticate a person who has logged into a website. By replicating that cookie, a hacker can acquire the same privileges, like the ability to edit a profile or grade a quiz, of the authenticated user for that session.
To call attention to this risk, a software developer in 2010 released a free program called FireSheep that was capable of hijacking unencrypted sessions of people using open Wi-Fi. Early the next year, Facebook began rolling out full encryption. But, because that kind of cryptography requires more computing power, it can slow down sites and increase costs. That is why many sites — even some dating services that ask personal questions — remain largely unencrypted.
“It’s not good to trade performance for security when you are talking about people’s personal information,” says Michael Clarkson, an assistant professor of computer science at George Washington University who teaches an annual course on software security.
Last fall, Porterfield, who was coaching his younger son’s soccer team, was asked by the league to use a free youth sports site provided by Shutterfly, a photo-sharing service, to post team rosters, player contact information, game locations and player photos. He discovered that the site was not fully encrypted — an issue reported in a May article in Mother Jones. A spokeswoman for Shutterfly told the New York Times the company planned to introduce full SSL encryption on its youth sports and other sites by the end of July.
It was Porterfield’s experience with Shutterfly that made him curious about data security practices of K-12 online learning services and led him to set up imaginary classes on several sites.
Porterfield found that for the fictitious classroom he set up in May using Schoology’s free software, the login page did use SSL. But the profile pages that included students’ email addresses, birth dates, phone numbers and home addresses were not protected.
To check Porterfield’s concerns, the Times asked Ashkan Soltani, an independent security analyst, to look at both Edmodo and Schoology. He found that each site’s login page was encrypted, but not student sessions themselves.
“Anyone at a local cafe with Wi-Fi will have access to the information that the student is viewing or transmitting,” he said.
Full-session encryption may not have seemed so important several years ago, when students logged into the sites primarily on secure networks at school or at home. But now that so many students use mobile devices, learning networks say they are moving toward full encryption.
For individual teachers who wanted to set up online groups, for instance, Schoology until mid-June offered free software that encrypted login pages. For customers like school districts who paid for more comprehensive packages, the site offered the option of full-session encryption. Jeremy Friedman, the chief executive of Schoology, said the company recently completed its plans to provide sitewide encryption.
Schools are also developing methods to protect student data. The Palo Alto Unified School District in California uses Schoology as a clearinghouse for course assignments in its secondary schools and a couple of elementary schools. But administrators prevent students from entering personal data, like email addresses, in their profiles. They encourage students to upload an avatar, not a photo of themselves. And the district doesn’t post grades on the site.
“We take security very seriously,” says Ann Dunkin, the school district’s chief technology officer, “and one way to take it seriously is to limit the amount of information students can put into the system.”
But Porterfield says schools, no matter their vigilance, should be transparent with parents about the potential risks of online learning networks.
“It’s not the school’s decision to make,” he said. “You should let the parents know.”
Central Texas policies
How some area school districts deal with online learning networks, according their spokespersons:
Austin: Use of an online learning network varies depending on campus and teacher.
Pflugerville: Teachers and students use the network Edmodo, which uses Secure Sockets Layer (SSL) encryption. Students enter the district’s Edmodo domain only through a teacher’s group, using the code provided by their teacher and their first name. Students cannot make independent accounts, and teachers can provide the parents of each child with a code so they can view their child’s submissions or help them submit work.
Eanes: Teachers and students use networks with SSL encryption for authentication and access, such as Ebackpack and Google Apps for Education.
Hays: Teachers and students use Edgenuity networks, which use SSL encryption. Student data is stored on Microsoft servers with no direct connection to the Internet.
Leander: Teachers and students primarily use Google Apps for Education, which has SSL encryption. The district is exploring use of other services, including Edmodo, which also has SSL.
Dripping Springs: No particular program is broadly used, though some teachers use the state-provided Project Share and others use Edmodo.
Hutto: Does not use online learning sites, only sites hosted by the district that use the district’s security and encryption.