MANHATTAN — The cloud-based storage system inBloom that's set to upload New York students' data has many city parents in an uproar.
More than 4,000 parents have signed a petition to stop the New York State Department of Education from sharing students' sensitive information with inBloom — or any other data collection services — without their consent. Parents fear that if the nonprofit, which has come under fire across the nation, gets access to their children's names, addresses, grades, disciplinary records, economic status, medical and mental health records and more, it could be hacked, sabotaged or possibly used for commercial purposes.
InBloom promises that its security measures prevent, detect and respond to possible problems by using encryption technologies to prevent unauthorized access. The new system would be preferable to existing "antiquated" databases, company spokesman Adam Gaber said.
But some parents, including outspoken inBloom critic Karen Sprowal, who has signed on to a lawsuit to block the data-sharing plan, say data breaches such as Target's in 2013, make her wary of opening the Pandora's box.
"As his mother, I decide what information needs to be shared, with whom and for what purposes," Sprowal said of her son, Matthew, a fifth-grader with special needs at the Upper West Side's P.S. 75.
"If his records got into the wrong hands, it could damage his prospects for life."
The state Education Department has delayed moving ahead with inBloom's system until April, blaming technical difficulties. But as the debate over the database moves forward, here's what you need to know about protecting your child's student data:
1. The Dangers of Data Breaches Are Real — and Long-Term
David Bloomfield, a professor of educational leadership, law and policy at Brooklyn College and the CUNY Graduate Center, said parents are in a brave new world of security issues because of the central way in which their child's school data is stored online.
"It used to be that all of this data was simply in a kid's file, and you'd worry about where the file went and whether it was accurate and if you could get your hands on it if you needed or wanted it," Bloomfield said. "Now, if it's living on some server somewhere that's infinitely duplicable — and wrong — the dangers are magnified."
"It's particularly worrisome because it's children, and it begins a lifetime of data collection and distribution," Bloomfield said.
In addition to identity-theft problems, there could be personal information contained in the files that could expose a child to future problems. For example, a fifth-grader's suspension could haunt him years later if used in the wrong context, Bloomfield noted.
2. You Have a Right to Know What Information Your School Is Sharing
The amount and scope of student data that schools are handing over to third-party companies is unprecedented, and parents need to ask their schools to be explicit about what they plan to disclose, experts say.
"Students are required to hand over certain information to the schools, so they have to rely on schools to be strong data stewards," said Khaliah Barnes of the Washington, D.C.-based Electronic Privacy Information Center.
"[But] a lot of schools poorly manage student information. They don’t have strong contracts that protect student privacy. InBloom is just one of many examples in which parents and students have lost control over student information."
Parents should ask questions about what data is being collected, for what purposes and what the data retention policies are — meaning how long will the information be stored, she said.
They should know what level of access they will have to their children's information, whether they can amend any data and if there's information they can withhold (such as Social Security numbers).
3. Safety Oversight Laws Are Subject to Change
The Federal Educational Rights and Privacy Act (FERPA) protects the confidentiality of schools' records and limits their disclosure, while guaranteeing students’ rights to access and amend their records.
Many security precautions that third-party vendors take are largely driven by this federal regulation, Bloomfield said.
But he warned that FERPA, like any other legislation, is only as good as those who defend it.
"[FERPA] can be watered down by corporations with an interest in accessing that information," Bloomfield said. "All you need is a few good corporate lobbyists. To rely on a flexible definition of privacy might not give parents and districts the types of protections they desire."
4. You Can Put in Safeguards to Shield Your Child's Personal Data From Identity Theft
"Child identity theft is pervasive and is the fastest growing type of identity theft,” said Tim Woda, an Internet and child safety advocate who co-founded uknowkids.com, to help families monitor their kids online.
“It’s far more valuable to a criminal to steal a child’s identity because they'll get away with perpetrating a crime until the victim finds out," he added, explaining that data theft might not be discovered until the child is much older, and applying for college or trying to get an apartment.
Just as adults get identity protection to protect their bank accounts, they “should absolutely require” getting it for their children, Woda suggested.
“You can usually get $4 or $5 a month — we're talking the cost of a cup of coffee — and it can help you identify whether a child's information [like a Social Security number] goes up for sale on a black market website.”
Woda said the investment is invaluable, since some identity thieves steal little batches of information at a time, over the course of many years, in order to fly under the radar of parents and watchdog organizations.
5. You Can Help Your Children Understand What Information to Keep Private Online
Kids contribute to data being compromised "more than any school website," Woda said, noting that many children put their email addresses, phone numbers, parents' names and pet names — which, for example, is a common security question — on social media or online.
Parents should talk to their kids about connecting only with people who are "real friends" and about disclosing too much information.
"There needs to be some personal responsibility and monitoring what kids are doing and saying online, not because I think my kids are bad or untrustworthy," Woda said, "but in a digital society someone needs to be educating our children what is smart, safe and responsible."