Become a Catalyst member

Join the conversation

We encourage our readers to leave comments and engage in dialogue about our stories. But before you do, please check out our "rules of the road."

Current Issue

Drugs in schools

Most drug violations in CPS involve an ounce or less of marijuana. Schools are quick to call police, yet rarely have the resources to offer education, counseling or other non-punitive help to students.

Cloud computing raises student privacy concerns

Districts moving to the cloud, like CPS, must insist on the proven security and privacy provisions that most private-sector cloud customers demand.

Chicago Public Schools (CPS) recently made a critical decision that many schools systems are making around the country: to move massive amounts of student data to a more cost-effective storage system of computer servers often referred to by technology experts as the “cloud.” On its surface, the decision seems rather benign. Cost savings…check. Ease of use…check.  Streamlined services…check.

But in digging deeper, there are significant security and privacy concerns that this decision raises that present real and potential dangers to the students, teachers and administrators in CPS.

Consider just two examples among many:

You are a student using the school-provided email service. Without logging off of your email account, you decide to click on a web browser to conduct research for a school report on birth control in developing countries. Without your express consent, the commercial provider of the email service collects and stores your search history and the content of your emails. Later, you are surprised - and mortified - when you receive a targeted pop-up advertisement for reproductive services.

Or consider a student who suddenly finds himself inundated with foreign-language emails and social media messages – some harmless, but some loaded with viruses that can destroy his computer – all because of a data breach on a server in a country temporarily storing that student’s supposedly secure data.

These scenarios aren’t far-fetched. Former Secretary of Homeland Security Michael Chertoff recently warned of the threat of off-shore cloud data breaches that poorly-secured cloud hosting can make more likely. Breaches like this can happen when school districts outsource their data and related services to cloud computing companies, particularly cloud companies that focus on monetizing user data for advertising purposes.

Cloud vendors need tough vetting

There are tremendous benefits to cloud computing, not the least of which is that it promises significant savings to cash-strapped districts by allowing them to outsource their email services, data storage and collaboration technologies. Doing this cuts district costs for servers, hardware, software and technology support and permits them to invest more in key priorities like teacher salaries.

But districts moving to the cloud, like CPS, must insist on the proven security and privacy provisions that most private-sector cloud customers demand. Security risks, already visible in an Internet-connected world, are magnified in the cloud. One issue is that school employees – hired and overseen by school administrators – will no longer control school data. Cloud computing vendor employees will have access to children’s field trip photos, parent-teacher email exchanges, student and teacher dates of birth and social security numbers, and on and on. And sometimes, these employees may make use of sensitive data for their own purposes, as occurred in 2010 when a Google employee was reportedly fired for accessing a minor’s call logs, chat transcripts and contact lists.

While employee malfeasance is also a risk with school-based databases, the loss of control over those who manage school data in the cloud is a security wrinkle that schools must address. Before moving to the cloud, districts should ask cloud vendors several questions, including: Will student data be stored in countries with lower privacy requirements than the U.S.? What information is mined by advertisers? How are employees of cloud vendors with access to student data vetted and supervised? Will all information that a student flows through a third-party vendor’s platform be unavailable to advertisers? Hopefully, CPS asked these questions when choosing their cloud vendor. If they were not asked, we have to ask ourselves, why not? Our children’s privacy and data is at stake.

Privacy issues that do not arise in school-based server environments can quickly become apparent when schools resort to the cloud. In particular, cloud vendors’ mining of school data for commercial purposes can be a very unwelcome intrusion for students, parents and educators alike. Schools should demand assurances from cloud vendors that school information stored in the cloud will not be data-mined, used for targeted advertising or sold to third parties. While schools can never be sheltered entirely from commercial ads, they should not become marketing free-fire zones simply because they have opted to embrace cloud computing technology.

There are clear advantages when districts migrate to the cloud, with cost savings being a significant impetus. However, schools should not ignore new and more complicated data security and privacy issues presented by this appealing data management option. When making vendor choices, however, there is no free lunch. What is not paid for in dollars is instead paid for using the currency of our children's private information. Do we really want to trade our children's private lives for cheap email?  

Jon Bernstein is the president and founder of The Bernstein Strategy Group, a Washington, D.C.-based education technology consultancy. Bernstein is a consultant to Safegov.org, an online forum that focuses on privacy and security issues for public sector cloud users.

13 comments

Concerned Parent and Researcher wrote 2 years 11 weeks ago

What happened to the CPS Office of Performance website?

Is this cloud conversion process the reason why the Office of Performance website has been down for the last two weeks? https://research.cps.k12.il.us/cps/accountweb/. I've been relying on this website for years to evaluate school stats like test scores and racial/ethnic percentages at each school across the district. Even if CPS is converting to a new data system, why couldn't it keep the old one up in the meantime? Is it illegal to not provide the public with this important information?

I relied on that website much more than ISBE's Interactive Report Card because the data was consistent, provided in excel spreadsheets, and went back at least 10 years for most topics. Plus, the CPS website had the school's unit number so you could easily track a school even when the name changed (and they often do at CPS) and each charter school campus was listed separately - ISBE clumps them all together by charter operator so you can't tell how much worse one UNO school is from another.

- Sarah Hainds

Sarah Karp wrote 2 years 11 weeks ago

Research and Accountability website

Hi. Here at Catalyst we have been asking the same question. At first spokeswoman Robyn Ziegler said it was temporarily down. But now the CPS website says: "Going forward, www.cps.edu/performance will be the new conduit for performance data." Compared to the historical and easily downloadable spreadsheets that were on the REA website, this page's information is paltry. We will keep asking for the return of our beloved data!!!

George N. Schmidt wrote 2 years 10 weeks ago

Cloud will neither save money nor improve transparency

One of the ongoing myths about the outsourcing and privatization of CPS services is that there are "cost benefits." But of course nobody but Substance has ever tracked the actual performance against the public relations claims made when the changes are brought on. Since 1995 - 96, when Paul Vallas first privatized some CPS janitorial functions and outsourced some lunchroom services, the privatizations have always been accompanied by the same "efficiency" hooplas (that a plural).

(Rahm's been getting away with the same nonsense daily about all those jobs that his corporate buddies are creating, but that's another noisome story from the current era for another post.. Basically, if all the jobs Rahm's corporate buddies have "created" since last August, when I watched him hype Chase Bank, the Groupon, actually existed, the Chicago unemployment rate would be about zero — or even less. But BS is "news" if it can dump into the news cycle from an executive source, uncritically, and Rahm's flacks know this...).

There is very little upside to the so-called "cloud" and lots and lots of serious downside, only part of which is included under the subject line SECURITY. The biggest danger is that the cloud will eat and then dissolve massive amounts of information that can never be gotten back — ever — because there was no serious physical backup. CPS is gambling that the people who are pushing the current nonsense (the "cloud" is just part of that menu of nonsense) will have escaped to other jobs before the crashes take place.

They are all mercenaries on their way to elsewhere, but we have to live and work in the city they leave messier than before they arrived. My favorite mercenary example this week is Pedro Martinez. Four years ago, he was standing with Arne Duncan and Beth Swanson and the mayor at City Hall assuring the world that as CFO of CPS we didn't need to go to the "cap" on property taxes because — in July 2008! — the economy and CPS management were so great that, well, things would continue to be fine. That was in July 2008! That was AFTER Bear Sterns and less than 60 days before Lehman Brothers and AIG. But, of course, CPS took care of Pedro while the Broad Foundation found a place to park him after he helped ruin Chicago, and sure enough, within a couple of months he was recycled as a curriculum and instruction chief in Nevada (the guy never taught and knew nothing about either, but for the Broads, everything is possible as long as you're a loyal merc...).

Now to the latest fantasy, and the current Broad bunch of fantasists.

It would be nice if Catalyst or somebody took the time to compare the risks of "cloud" with the supposed benefits, not only nickel and diming it (as Rahm is doing daily), but actually considering the importance of a safety and secure way of maintaining the integrity of information.

More than 20 years ago, while I was teaching at Amundsen, we had a public/public partnership with the CPS Department of Information Processing, the old Pershing Road computer people. They maintained one of the most accurate and comprehensive systems anywhere. Naturally, when Paul Vallas and the privatizers took over, they began undermining that (usually, with libels and slanders as their preliminary barrages, like artillery in a war). Instead of making reasonable transitions for the important data systems, CPS lurches from one privatization experiment to another (Oracle? People Soft? now both in The Cloud), each time screwing up more and more reality.

And now...

The Cloud.

This is a dangerous fantasy, no matter how many sound bites and Power Points mindlessly promote it. Already, there are people getting in the back door to CPS data, although now it seems like the Brizard administration wants to welcome them in the front door and give away the information (witness the "Batelle for Kids" thingy with verifying CPS student data for the upcoming mess with "value added" teacher gradings... as just one example).

The "cloud" only makes sense to airheads, people whose technie fantasies and efficiency urges block out context, consent, and reality.

Anonymous wrote 2 years 10 weeks ago

Maybe you should focus a little more...

This article keeps referring to "the cloud" over and over. If I'm not mistaken, I assume you mean CPS's decision to go with Google Apps for Education for email and apps. If you took a second to investigate this you would see that the security and privacy of all the data is perfectly fine. Here's a link to Google's security and privacy for Google Apps for Education. I'd love to see a reply that could poke holes in this policy. If you want to point fingers at other cloud hosting providers, fine, but there is a reason that hundreds of schools have opted to use Google Apps for Education- it's free, secure and private. I might sound like a Google employee but I'm not, I'm a fan of their product and I support a good product when I can. I'm not a fan of articles like this that I wasted time reading thinking it might contain valuable insight into the security of a solution that I use on a daily basis and rely on. There's 5 minutes I'll never get back...

http://www.google.com/apps/intl/en/edu/privacy.html

Concerned about kid's privacy wrote 2 years 10 weeks ago

Response to Anonymous on privacy

Regarding the privacy policies for Google Apps for Education, if you click on the Google link that was provided by Anonymous and then click on the Privacy Policy link, you will be taken to Google's standard consumer privacy policy (http://www.google.com/intl/en/policies/privacy/). Read it. Now imagine how this policy plays out with our children's personal information. This gives Google the right to collect everything about our kids, combine it with other data collected and use it for any of their services including advertising (which is their main business). For me, this is not "perfectly fine".

Anonymous wrote 2 years 10 weeks ago

to Google Champion

No system is 100% secure. Haven't you heard of laptops being stolen and information stolen from some pretty big companies, Pentagon Cyber Attacks, credit card companies. To say that any system is FULL proof is being very naive. Maybe it's more secure than what we have now? However ,it is Google....a commercial entrerprise...BTW if you dont want to waste your precious 5 minutes I would suggest staying away from reading and writing Blogs????

I am sure things will be safe..but how do you know its 100% safe??????? I am a little leary once again giving private control of schools: This is what I have seen:

Food Service (Chartwells...don’t forget the bribery case and the odd timing for Universal Breakfast)

Charter Schools (funded by Gates foundation with its "conditions" and government manipulation)

First it was testing (Pearson NWEA-although it non profit it still is private)

Then it is student records (Batelle Group)

Then Google (Storing our records) who is to say when they get us "addicted" to free service they will charge a "nominal charge"

“Consultants”-How many private consultants have we seen around our schools as of late?

I never used to believe in conspiracies …but at what point do we say our schools are being taken over by private industries???? Perhaps the balance right now is good…but one day it could be 100% private run schools. Then our students will learn under the Profit Motive!!

district299reader wrote 2 years 9 weeks ago

Where's the transparency?

Since when has the Catalyst published opinion pieces on technology? What's the author's interest in publishing an opinion in a Chicago-centric news source when he is based in DC? Did no one at Catalyst check this guy's firm and see that he is a lobbyist?

L Forte wrote 2 years 8 weeks ago

technology op-ed

Our opinion space is open to anyone with the background and expertise to write about a topic related to education.

Anonymous wrote 2 years 8 weeks ago

Wrong!

If you read the EDU privacy policy that I initially provided the link for you would have seen this:

No advertising to students, faculty, or staff
We offer Google Apps for Education to schools for free. It's also completely ad-free -- which means your school's content is not processed by Google's advertising systems.

And, you would have seen this:

Google's privacy policy protects your users:

We don't share your content. Google does not share personal information with advertisers or other 3rd parties without your consent.

Anonymous wrote 2 years 8 weeks ago

Response to "To Google Champion"

When did I ever say that it was 100% secure? I said secure... think about it this way, don't you think that Google is better at securing data than any school? If you read the link to the EDU privacy policy you would have seen that Google has obtained "SSAE 16 Type II attestation". I doubt any school in the country can say the same, I know the school I work for hasn't.

Also, systems would be "FOOL PROOF", not "FULL PROOF", your bad grammar proves your incompetence.

Regarding my 5 minutes, I was forced to read this article by my supervisor because they thought this article provided meaningful insight into our usage of Google Apps, which it clearly does not. I felt obligated to comment on the article because I think everyone who reads this article should know that the author was obviously trying to comment on CPS's use of Google Apps for EDU but the article clearly lacked the focus and knowledge of Google Apps for EDU's privacy policy.

Regarding schools being "taken over by private industries", last time I checked, schools decide to use whatever product they want. Google isn't forcing anyone to use their services. Microsoft also provides the same free email and apps for schools, they aren't forcing anyone to use it. Schools administrators run schools, not private industries. School administrators choose to utilize the best resources they can with the money they are given. If a school can get free email and applications backed by a solid privacy policy that protects student data....seems like a no-brainer to me.

Anonymous wrote 2 years 8 weeks ago

Google

Lets attack the issue..not the writer. Errors do occur! I guess being in a school environment, I, too, get worried about the profit motive taking over the school system. I agree Google can do anything better than CPS when it comes to data protection. I am just worried what will happen the day when Google Runs our Data, NWEA runs our tests, our schools are charter. NWEA, for example, may be non profit....but they pay some employees large salaries.

The whole school system will be run by for profit (or quasi for profit) companies (using tax dollars). Our schools will become a businesses not learning environments. It scares me. Just because it scares me doesn't mean I am right. However, I prefer the PEOPLE of the USA will make education decisions and not Board Rooms (non profit like Gates Foundation or for Profit Like google.)

I don't think Google wants to help us out of the kindness of their hearts.

sarasota wrote 27 weeks 2 days ago

There are certainly a lot of

There are certainly a lot of options for cloud service providers. I can definitely see why people are a little confused about which service to choose. One of the best ways to figure out which one to choose is to read review on sites, such as HeatherR , which offers unbiased reviews of all the best companies out there

George N. Schmidt wrote 27 weeks 2 days ago

Waking up to Google evils

Many of us were warned as children to recognize hypocrites. Anyone who proclaims that their version of reality was to Do No Evil should be at the top of any list. The Sunday (January 19, 2014) New York Times had a great cartoon exposing the Google craze -- and craziness. Anyone who buys this Jim Jones "Kool Aid" will learn a very sad lesson of history and ethics before too long...

Add your comment

The content of this field is kept private and will not be shown publicly.
go here for more