Our 2019 EdTech Security Survey

Our semi-annual survey of edtech security practices shows no improvements since 2018.

March 15, 2019
Girard Kelly
Counsel & Director, Privacy Review

CATEGORIES Privacy Evaluation Initiative

We released this 2019 EdTech Security Survey as part of a semi-annual examination of security practices of education technology-related online services using our security assessment tools. The previous 2018 State of EdTech Security Survey found that approximately 87 percent of edtech services support encryption, and 78 percent of edtech services require encryption. Our findings in early 2019 indicate no meaningful improvements in the percentage of services that either support or require encryption or that implement HTTP strict transport security (HSTS) headers. Therefore, our results suggest there has been no change in awareness of encryption on the part of the edtech vendors who do not understand the importance of encrypting personal information, even though customers have come to expect educational sites that collect any personal information should use encryption.

2019 Results

The results from our security survey examined over 2,000 unique edtech product URLs to determine whether they support encryption with the return of successful status codes. Edtech products that respond successfully were surveyed to determine whether they also required encryption with HTTP to HTTPS redirection and whether they implemented HTTP strict transport security (HSTS) headers. More information about our security survey methodology and findings from previous years can be found in our 2018 State of EdTech Security Survey.

Successful Status Codes

A successful HTTPS response from a web request can indicate several factors about the configuration of the server that include the server’s support for encryption. Similar to previous years, we treat response codes in the range of 200- 399 as successful server responses. All other responses are considered non-successful. A response code of 0 likely indicates an issue with the server configuration or lack of support for HTTPS. Errors in the range of 400 or above indicate some form of error either in the request or in the server response. Approximately 88 percent of the URLs scanned in 2019 returned a successful status code in response to an HTTPS request, which is a non-significant decrease compared to 89 percent in 2018.

Figure 1: Comparison of HTTPS response codes across all four years.

Year 0 200 3xx 4xx 5xx
2016 0.20 0.71 0.07 0.01 0
2017 0.18 0.75 0.06 0.01 0
2018 0.09 0.88 0.01 0.01 0
2019 0.09 0.87 0.01 0.02 0

Table 1: Percentage of HTTPS status codes returned from a HTTPS request.

Supports Encryption

For this security survey we classify edtech services as: does not support encryption; supports, but does not require encryption; requires encryption; and needs review. Our most recent survey found that approximately 87 percent of the URLs scanned supported encryption. However, an increase in the amount of responses since 2018, approximately 3 percent, fell into our “needs review” classification. The increase of approximately 2 percent of responses falling into the "needs review" category, includes all variation in the data since 2018 and is well within our margin of known error. Therefore, our results indicate no significant changes in the percentage of edtech services that support encryption since 2018.

Figure 2: Comparison of HTTPS support across all four years.

  2016 2017 2018 2019
Does not support 0.25 0.23 0.09 0.09
Requires 0.52 0.56 0.78 0.79
Supports, but does not require 0.20 0.18 0.12 0.09
Needs review 0.03 0.03 0.01 0.03

Table 2: Percentage URLs that require encryption, support but does not require encryption, does not support encryption and that need further review across all four years.

Requires Encryption

Our security survey found that approximately 79 percent of URLs required encryption, which is a non-significant improvement compared to 78 percent in 2018 and an indication of a potential plateauing trend in the percentage of edtech products that require encryption. Additionally, our 2019 security survey found that approximately 9 percent of URLs supported encryption, but did not require it. This finding is similar to the results obtained in the 2018 study, where the results indicated that approximately 12 percent of the URLs surveyed supported encryption, but did not require it. However, the decrease of approximately 3 percent for URLs that supported encryption, but did not require it, incudes all variation in the data since 2018 and is well within our margin of known error.

HTTP Strict Transport Security (HSTS) Headers

Our security survey found that only approximately 12 percent of the URLs scanned implemented HSTS headers, which is a non-significant improvement compared to 13 percent in 2018 and an indication of a potential plateauing trend in the percentage of edtech products that implement HSTS headers. This means the remaining 87 percent of URLs did not implement HSTS headers, which indicate edtech services that did implement HTTPS encryption were still potentially exposing users to a man-in-the-middle (MITM) attack. Similarly, the decrease of approximately 1 percent for URLs that implemented HSTS headers, incudes all variation in the data since 2018 and is well within our margin of known error.

Year Supports HSTS
2016 0.14
2017 0.14
2018 0.13
2019 0.12

Table 3: Percentage of URLs that implement HTTP Strict Transport Security (HSTS) headers across all four years.