In early 2018, the Privacy Evaluation Initiative will be updating how we share the information we prepare and collect as part of our privacy evaluations. This revised and expanded information will continue to be accessible on the privacy evaluation site at privacy.commonsense.org, and will also be newly available on the flagship education site at commonsense.org/education.
From the beginning of the Privacy Evaluation Initiative, a core goal of the work has been to help people develop informed decisions with less effort. Simplifying things isn't easy, but our work here has been grounded in the need to make privacy and security more accessible.
We have been collecting and incorporating feedback from stakeholders about how to share the results of our privacy evaluations since July 2015. Over that time, we have spoken with teachers, students, parents, developers, vendors, privacy advocates, and industry representatives. From talking with these different stakeholders over time, we have repeatedly heard two common problems from all participants:
- Evaluating policies is difficult. Please make it easier.
- Aside from some basic best practices, there are no hard and fast rules that determine a level of privacy that is universally acceptable.
In schools and districts, people make decisions about privacy based on their specific needs -- and these needs can vary between districts and schools. The Privacy Evaluation Initiative is designed to support and augment local expertise, not replace it.
With these lessons and feedback in mind, we will be rolling out several updates to the Privacy Evaluations in early 2018. This post focuses on one element of these updates -- three new evaluation tiers:
- Use Responsibly
- Use with Caution
- Not Recommended
Descriptions of the three tiers are included below.
Applications in the "Use Responsibly" tier have met a minimum criteria for transparency and quality in their policies. Before using an application in this tier, teachers, schools, and districts are strongly advised to read the full privacy evaluation as a starting point for the process of vetting the service. A more detailed review should happen before any student data is shared with a service.
Use with Caution
Applications in the "Use with Caution" tier have issues narrowly focused around data uses related to creating profiles that aren't associated with any educational purpose, and/or using data to target advertisements. We include data use from both the first party (i.e., the vendor that builds the service) and third parties (any company given access by the vendor). Using data to profile students can potentially violate multiple state laws, and in some cases also violates federal law.
The questions listed below trigger inclusion in the "Use with Caution" tier. An application or service can be designated "Use with Caution" for either a lack of transparency around data use -- which creates the potential for profiling and behavioral targeting -- or for clearly stating the service uses data to target advertisements and/or create profiles. As with any application being considered for use within schools, school and/or district staff should review the privacy policies and terms of service to ensure that they meet the legal and practical requirements of their state laws and school policies.
- Do the policies clearly indicate the version or effective date of the policies?
- Do the policies clearly indicate whether or not a user's personal information is sold or rented to third parties?
- Do the policies clearly indicate whether or not personal information is shared with third parties for advertising or marketing purposes?
- Do the policies clearly indicate whether or not behavioral or contextual advertising based on a child's or student's personal information is displayed?
- Do the policies clearly indicate whether or not third-party advertising services or tracking technologies collect any information from a user of the application or service?
- Do the policies clearly indicate whether or not a user's personal information is used to track and target advertisements on other third-party websites or services?
- Do the policies clearly indicate whether or not the vendor allows third parties to use a student's data to create a profile, engage in data enhancement, social advertising, or target advertising to students, parents, teachers, or the school?
An evaluation designation of "Use with Caution" is not a sign that a vendor is doing anything unethical or illegal. It is a sign that, based on publicly available policies, we do not have adequate guarantees that data will not be used by first or third parties to create non-educational profiles or to target behavioral ads.
Three criteria trigger a "Not Recommended" designation:
- Do the account creation page, the login page, and all pages accessed while logged in support encryption with HTTPS?
- Do the account creation page, the login page, and all pages accessed while logged in require encryption with HTTPS?
The criteria for "Not Recommended" measure whether or not a vendor has done the bare minimum to provide users with a rudimentary understanding about how the vendor protects user privacy. The three criteria here are all basics of sound privacy and security practice. Vendors that do not meet these basic requirements can potentially run afoul of state and federal privacy laws.
As with the "Use with Caution" criteria described above, a "Not Recommended" designation is not a sign that a vendor is doing anything unethical or illegal. It is a sign that, based on publicly available policies and observable security practices, their systems do not provide adequate guarantees that information stored in their systems will be protected.
In this work, we have always attempted to be clear and transparent. This has governed how we ran our encryption surveys and how we published our questions, our information security primer, and our process online under an open license. We have never wanted to surprise anyone or to have our process shrouded in secrecy. Our hope is that by making this information openly and freely available, and by announcing these updates with ample time for people to read and digest our process, we can work together to do something we all agree is necessary: Make technology use in education safer and more secure for kids.