2018 State of EdTech Privacy Report: Default Encryption

A majority of applications and services use Default Encryption of information for login and account creation.

May 25, 2018
Girard Kelly
Counsel & Director, Privacy Review

Jeff Graham
Senior Engineer
Developer

Categories: Privacy Evaluation Initiative

Among the applications and services we evaluated for our 2018 State of EdTech Privacy Report, approximately 92% observationally provide encryption of information collected during the login or account creation process. This is a notable improvement compared to our previous login encryption survey findings, which indicate that only approximately 74% of the more than 1,000 applications or services surveyed support encryption at login.[1] We currently evaluate only encryption of services with login authentication, and not whether encryption is implemented for any authenticated mobile applications. Encryption of login information is expected to be disclosed, because it is an important tool necessary to protect children's and students' personal information online. In addition, approximately 7% disclosed responses that were not expected. However, approximately 8% of applications and services evaluated did not encrypt their login or account creation information. Lack of encryption of collected information from children or students in this context is qualitatively worse, because a lack of protection of this information with reasonable security measures would likely violate several Federal and State laws.[2,3,4,5]

Key Finding: Default Encryption

Figure 1: This chart illustrates the percentage of question responses for Default Encryption. Qualitatively better question responses indicate the application or service does use encryption. Qualitatively worse question responses indicate the application or service does not use encryption.

For more information about our key findings, download the full 2018 State of EdTech Privacy Report.

References:

[1] Common Sense Media, Login Encryption Survey: March 2017 (2017), https://www.commonsense.org/education/privacy/blog/encryption-survey-mar....

[2] California Data Breach Notification Requirements, Cal. Civ. Code §1798.81.5 (a person or business that owns, licenses, or maintains personal information about a California resident is required to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, and to protect the personal information from unauthorized access, destruction, use, modification, or disclosure).

[3] Children’s Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312.3(e) (an operator must maintain the confidentiality, security, and integrity of personal information collected from children). Family Educational Rights and Privacy Act (FERPA), 34 C.F.R. Part 99.31(a)(1)(ii) (an educational institution must maintain physical, technical, and administrative safeguards to protect student information).

[4] Student Online Personal Information Protection Act (SOPIPA), Cal. B.&P. Code §22584(d)(1) (an operator is required to implement reasonable security procedures, practices, and protect student data from unauthorized access, destruction, use, modification, or disclosure).

[5] California AB 1584 - Privacy of Pupil Records, Cal. Ed. Code §49073.1(b)(5) (a local educational agency that enters into a contract with a third party must ensure the contract contains a description of the actions the third party will take, including the designation and training of responsible individuals, to ensure the security and confidentiality of pupil records).