The release of this 2018 State of EdTech Security Survey represents a yearly examination of security practices of education technology-related online services using our security assessment. In 2016 Common Sense privacy ran its initial encryption survey to determine a baseline for the state of edtech security. Then, in 2017, Common Sense privacy ran the encryption survey again and released our findings, which showed positive but non-significant trends in the edtech industry with increasing encryption since 2016, but with clear room for improvement. This 2018 security survey includes results from over 2,000 URLs of popular edtech online services. To determine this sample set, we interviewed various teachers, schools, and districts about which services they had used during the 12 months prior to the security survey. This is an increase in products scanned from 1,121 edtech products in 2017 and 1,100 edtech products in 2016. These services provide a representative sample of the wide range of educational technologies, including educational games and tools, for communication, collaboration, formative assessment, student feedback, content creation, and delivery of instructional content. These types of services are currently used by millions of children at home and by tens of millions of students in classrooms across the United States.
Our overall findings in 2018 indicate a significant increase in the percentage of services that both support and require encryption. In addition, our findings indicate that there was a modest decrease in the percentage of services that support encryption, but do not require encryption. However, there was no significant change in the percentage of services that implement HSTS. These findings illustrate that the edtech industry has made significant improvement in its use of encryption of personal information over the past three years, but, given that 22 percent of edtech products still do not require encryption, the industry has a long way to go to improve its security practices.
Security practices of edtech providers should meet a higher standard than the industry standard for online services and applications generally, given the potentially sensitive nature of personal information that may be gathered from children and students. The survey's crucial observations are whether an edtech service: 1) supports encryption; 2) requires encryption; 3) supports encryption and requires encryption; and 4) supports encryption and uses HSTS directives in its headers. Given the size of the sample and the tools used to evaluate the edtech products, our key findings in the security survey hold a mirror up to the security practices of the edtech industry as a whole.
- A significant increase from 2017 of 16 percent in the percentage of services that support encryption.
- A significant increase from 2017 of 22 percent in the percentage of services that require encryption.
- A modest decrease from 2017 of 6 percent in the percentage of services that support encryption, but do not require encryption.
- No significant change from 2017 in the percentage of services (14 percent) that support encryption and implement HSTS.
For more information about our key findings, download the full 2018 State of EdTech Security Survey.
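The following is an added example, not the survey's own tooling, showing how the four observations above can be derived from recorded probe results. The criteria are assumptions made here: "requires encryption" means a plain-HTTP request is either refused or redirected to an `https://` URL, and HSTS counts only when the header arrives over HTTPS with a positive `max-age`. The hostnames and probe records are constructed.

```python
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def parse_hsts(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    for directive in (value or "").split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdecimal() else None
    return None

def classify(probe):
    """Map one recorded probe to the survey's observations (assumed criteria)."""
    supports = probe["https_ok"]
    status = probe.get("http_status")  # None means plain HTTP was refused
    to_https = urlsplit(probe.get("http_location") or "").scheme == "https"
    requires = supports and (status is None or (status in REDIRECTS and to_https))
    # Browsers ignore HSTS sent over plain HTTP, so only the HTTPS response counts.
    max_age = parse_hsts(probe.get("https_headers", {}).get("strict-transport-security"))
    # max-age=0 tells the browser to forget the policy, so it is not counted.
    hsts = supports and max_age is not None and max_age > 0
    return {"supports": supports, "requires": requires, "hsts": hsts}

def summarize(probes):
    """Count services per observation across a sample."""
    results = [classify(p) for p in probes]
    return {
        "supports": sum(r["supports"] for r in results),
        "requires": sum(r["requires"] for r in results),
        "supports_not_requires": sum(r["supports"] and not r["requires"] for r in results),
        "supports_hsts": sum(r["hsts"] for r in results),
    }

# Constructed sample: one record per probed service.
SAMPLE = [
    {"host": "a.example.test", "https_ok": True, "http_status": 301,
     "http_location": "https://a.example.test/",
     "https_headers": {"strict-transport-security": "max-age=31536000; includeSubDomains"}},
    {"host": "b.example.test", "https_ok": True, "http_status": 200, "https_headers": {}},
    {"host": "c.example.test", "https_ok": False, "http_status": 200},
    {"host": "d.example.test", "https_ok": True, "http_status": 302,
     "http_location": "https://d.example.test/login",
     "https_headers": {"strict-transport-security": "max-age=0"}},
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
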