Date post: | 14-Apr-2018 |
Category: |
Documents |
Upload: | aspentaskforce |
7/27/2019 InBloom: Building Trust for the Protected Sharing and Analysis of Student Data for Personalized Learning
InBloom: Building Trust for the Protected Sharing and Analysis of Student Data for Personalized Learning
Dr. John Henry Clippinger
MIT Media Lab ID3
Abstract
Over the last several years there has been an explosion in the collection, analysis and monetization of personal data. This trend has spurred grassroots movements and regulators around the world to update antiquated privacy policies to reflect the realities of the present era. In education, the collection and analysis of student data presents special challenges. While potentially valuable in designing personalized learning programs, such data are taken without the consent and understanding of students and their families and have the Orwellian potential for significant abuse and stigmatization. Privacy policies and practices formed 40 years ago, such as FERPA, have faint credibility and even efficacy in an era of sensors, Big Data, and the mobile Internet. InBloom's privacy policies, practices and partnerships have done little to assuage its critics, and significantly lag contemporary privacy policies in the U.S. and the EU. Hence, if InBloom is to achieve its exemplary goals of personalized learning, it will need to develop privacy policies and practices that are consistent with the Obama Administration's Data Consumer Bill of Rights, as well as the concerns of numerous advocacy and stakeholder groups. This paper outlines five concrete steps that InBloom could undertake to help quell its critics, address its shortcomings, and restore trust and credibility among its stakeholders to achieve its goals of personalized learning.
Introduction
Within just the last five years, there has been an explosion of online and mobile services that collect, analyze and monetize personal data. In one of its reports, the World Economic Forum (Personal Data: The Emergence of a New Asset Class, January 2011) has called such personal data a "new asset class" and the "new oil," signifying its importance as a new business resource that can be used to build a new global economy. Entrepreneurs, governments, enterprises, and NGOs are all pursuing this new oil with a vengeance, and in a comparable metaphorical fashion, often with
little regard for collateral, ecological side effects - the erosion of personal privacy and trust.
With the imminent proliferation of billions of sensors - the Internet of things - combined with the location and sensor data captured on over 5 billion mobile phones, no one will be invisible to the watchful eyes of data aggregators and analyzers. Given the ubiquity of anyone's data footprints and the ever-compounding power of machine learning and analytics, no one can opt out. Everyone is being tracked and analyzed. We are quickly transitioning to a global data ecology and economy where one's data is the equivalent of one's identity and reputation - the marker for how one is known and treated in the world at large. Proposals to legally require data brokers to "do not track" - i.e., do not collect personal data - are as realistic as abstinence vows as a policy to prevent teenage pregnancies; it works only for a conscientious few.
The sad truth is that today's privacy policies are still wedded to principles and expectations shaped in the 70s and 80s, when there were no laptops, Internet, mobile phones, sensors or tablets, and data were relatively scarce and expensive. It was a wholly different era in which the greatest harms were the unauthorized collection and use of personal data. It was also a time when regulators within the US and the EU believed that regulatory remedies could be timely and effective in protecting personal identifying information.
But today digital data are essential to a growing spectrum of technologies and infrastructures that revolve around the use of large databases. While privacy violations from improper disclosures and use of data remain a problem, a whole new class of public and private harms may now result from inhibitions in the flows and use of data. In education, new personal learning analytics and techniques are absolutely dependent upon the collection of student data over time. Failures to appropriately share data can result in catastrophic security breaches, epidemic outbreaks, medical failures, and public safety failures, let alone failed educational
opportunities. With the imminent advent of smart cities and sensors to monitor cars, food, appliances, homes, vehicles, pets, and children, how data are collected, shared and analyzed will effectively define our personal freedoms and the quality of civic life.
In education, the collection, sharing, and analysis of personal data are essential to devising tailored learning programs and assessments. Better data means better learning and educational innovation and advancement. Yet while the very intimate information revealed by personal data can enable better learning experiences, supervision and results, it also increases the vulnerability of students and their families. Testing data, teacher assessments, truancy data, health records, personality and aptitude assessments, residence data, police records - all can be used to improve learning and to stigmatize and control the fate of students and their families.
The more hands that touch the data, the greater the risks that the interests of the child and her family will not be put first. The many teachers, counselors, social workers and administrators who have some relationships with students are not always motivated or even capable of acting in their best interests. Such professionals have enormously varied competencies, commitments and understanding about what is best for a child. When these factors are blended with commercial interests and influences over a child's education along with the institutional powers of large enterprises and government agencies, the potential for real harms and abuses escalates.
In this context, simply relying upon assurances of professionalism and trust by educators, researchers, and administrators is inadequate. Parents already have too little trust in our educational much less governmental institutions. The public is understandably skeptical that regulations such as the 1974 Family Educational Rights and Privacy Act (FERPA) will be followed, or will actually protect the interests of students and their families. Such regulations are often written with the
interests of educators, administrators and even private third parties in mind. In the case of breaches, the child and families are relatively powerless, and it is they that bear the lifelong burden of institutional failures.
In short, educational data, especially children's data, are a precious, personal and vulnerable resource that cannot be handled credibly through traditional terms of service agreements, opaque privacy policies or disclosure agreements. FERPA is nearly forty years old and was written without contemplation of current data collection, protection, analysis, and dissemination methods. Furthermore, the type of student data now available (see Appendix) is inherently not only PII (Personal Identifiable Information), but potentially highly prejudicial and injurious to students and their families. Conventional regulations, even those of more recent vintage, such as the proposed Online Do Not Track Act of 2013, remain woefully inadequate means to assure that people's privacy interests are rigorously protected.
The daunting challenge facing programs such as InBloom, which function primarily through local schools and state educational institutions, is to establish itself as a legitimate, trusted steward of student data in the eyes of parents, students, and advocacy groups.
Technology and Policy Trends Favor User Control and a New Deal on Data
It is hard to overstate how quickly mobile, sensor and digital technologies are changing the way data are being collected, analyzed and monetized. Virtually all forms of human activity - calls, purchases, personal movements, social and commercial interactions, texting, health, financial dealings - are being captured as data and analyzed. Large institutions with the capacity to assess the data can thereby make an astonishing assortment of predictions, commercial offers and assessments of markets, public behavior, social activities, and more.
Users and regulators have responded to this trend by seeking to give people greater control over their personal data through the creation of protected Personal Data Stores (PDS) for individuals. The Obama Administration has embraced this position through a broad array of data protection initiatives that include consumer data protection policy, guidelines issued by the National Strategies on Trusted Identities in Cyberspace (NSTIC), the Department of Commerce's Green Paper in 2011 and the Federal Trade Commission's Privacy Report in 2012. In the EU, the Data Privacy Commission has advocated a Bill of Rights for Data, and the World Economic Forum in three annual reports has advocated user control over personal data.
This shift towards user-centric control of personal data is also reflected in the rapid rise of personal data locker services such as DropBox, Box, iDrive, Mega, SkyDrive, Singly, iCloud and many others. In a similar fashion, the U.S. Government has led initiatives that give citizens easier, reliable access to their government data: the Green Button for utility data, the Blue Button for VA health data, and the My Data initiative launched by the Department of Education.
This shift in norms is not only about giving people the right to control their data, but about enabling self-service, online management of personal and family affairs. Increasingly, we expect people to use their personal data to manage their personal affairs and to negotiate acceptable terms of service with retailers and online service providers. This trend will certainly grow stronger in educational services from K-12 and postsecondary in the future.
Within the U.S. a major driver for these user-centric policies is distrust of governmental institutions in general and especially a fear or disdain for governmental overreach. Whether this fear is warranted, or simply a symptom of other sociological and culture factors (the pace of change, institutional dysfunction, the sheer complexity of contemporary technology), such attitudes are common on both the political left and right. Advocacy groups are quick to see potential dangers, however improbably remote, without acknowledging the potential educational
benefits of data sharing, core standards and an active government role, even a local one.
Such fears and distrust cannot be dispelled by bland assurances of "just trust us," PR campaigns, or even detailed citations of legal agreements and regulations. Rather, parents need to feel that they are indeed in control, especially when it comes to protecting and educating their children. This can only be achieved by giving them control in ways that they can understand, influence and trust directly and personally. They must be able to opt in and out of protective systems in simple and meaningful ways. They must be able to control the flow and use of their personal data or that of their child in ways that they understand. The notion that parents can be made to defer to school authorities or third-party vendors to act in their child's best interests, or that data-sharing can simply be mandated, simply does not exist anymore. The skepticism and distrust are all the more pronounced as the process for protecting privacy becomes more opaque and convoluted and as the personal benefits appear more remote and abstract. Assurances based on federal or state protections are greeted with similar distrust.
InBloom's Privacy Policies and Assurances
"I consider InBloom Identity Theft. We need a class action lawsuit to protect students' privacy." -- Diane Ravitch, education policy expert
From its inception, InBloom's goal of collecting student data to improve educational success through personalized learning was greeted with significant skepticism in many quarters. Especially worrisome to its critics was InBloom's partnership with Rupert Murdoch's Wireless Generation. Leonie Haimson, co-founder of Parents Across America, makes these points:
The Gates Foundation, in association with Wireless Generation, a subsidiary of Rupert Murdoch's News Corporation, recently formed a private LLC called the Shared Learning Collaborative. This LLC will collect confidential student and teacher data provided to them by states throughout the country, and in some form, share it with vendors and other commercial enterprises. The purpose of this project is at least in part to help vendors develop and market their educational products. NYS and NYC, along with school districts in Colorado, Illinois, Massachusetts, and North Carolina, have agreed to participate in Phase one of this project, starting in late 2012, with Delaware, Georgia, Kentucky and Louisiana participating in Phase II soon after.
This project provokes serious privacy concerns as to the security of this confidential information, and the lack of any parental consent in the decision to share it with the LLC. The concerns are intensified by the fact that News Corp has been charged with serious privacy violations, including phone and computer hacking and bribing of public officials in the UK. The NY Post, another subsidiary of News Corp, recently provoked controversy by publishing teacher data reports based on student test scores in its paper, and running inflammatory articles about teachers who received low scores.
There are also serious questions about the legality of this project. The US Dept. of Education has recently rewritten the regulations for FERPA, or the Family Educational Rights and Privacy Act, to allow more liberal sharing of student data, especially for research purposes. The new regulations went into effect in January of 2012.
The public's growing distrust of business-as-usual approaches to privacy protection can be seen in the recent adverse reactions to InBloom's presentation at the SXSW program in March 2013. This followed intense public criticism of InBloom for its privacy policies and relationships with third-party educational service vendors. Educational, privacy and civil liberty activist groups across the country have challenged the legality and ethics of the InBloom program. Students and their families found little reassurance from the Reuters article that describes the InBloom program (March 13, 2013), which was cited by Diane Ravitch's highly charged blog post, Identity Theft. As Reuters wrote:
Federal officials say the database project complies with privacy laws. Schools do not need parental consent to share student records with any school official who has a "legitimate educational interest," according to
the Department of Education. The department defines school official to include private companies hired by the school, so long as they use the data only for the purposes spelled out in their contracts.
The database also gives school administrators full control over student files, so they could choose to share test scores with a vendor but withhold social security numbers or disability records
Indeed, it could be argued that the Department of Education privacy regulations privilege the interests of school administrators and third parties more than the privacy interests of the students and their parents. Recent modifications in the FERPA regulations do little to dispel such concerns through their legal obfuscation and self-serving bureaucratese. It is hard to imagine a typical parent being reassured if presented with the following text:
Notice of Proposed Rulemaking
In the NPRM, we proposed regulations to:
Amend 99.3 to define the term authorized representative to include individuals or entities designated by FERPA-permitted entities to carry out an audit or evaluation of Federal- or State-supported education programs, or for the enforcement of or compliance with Federal legal requirements related to these programs (audit, evaluation, or enforcement or compliance activity);
Amend the definition of directory information in 99.3 to clarify that a unique student identification (ID) number may be designated as directory information for the purposes of display on a student ID card or badge if the unique student ID number cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user's identity, such as a Personal Identification Number, password, or other factor known or possessed only by the authorized user;
Amend 99.3 to define the term education program as any program principally engaged in the provision of education, including, but not limited to, early childhood education, elementary and secondary education, postsecondary education, special education, job training,
career and technical education, and adult education;
Amend 99.31(a)(6) to clarify that FERPA-permitted entities are not prevented from redisclosing PII from education records as part of agreements with researchers to conduct studies for, or on behalf of, educational agencies and institutions;
Remove the provision in 99.35(a)(2) that required that any FERPA-permitted entity must have legal authority under other Federal, State, or local law to conduct an audit, evaluation, or enforcement or compliance activity;
Amend 99.35(a)(2) to provide that FERPA-permitted entities are responsible for using reasonable methods to ensure that their authorized representatives comply with FERPA;
Add a new 99.35(a)(3) to require that FERPA-permitted entities must use a written agreement to designate an authorized representative (other than an employee) under the provisions in 99.31(a)(3) and 99.35 that allow the authorized representative access to PII from education records without prior written consent in connection with any audit, evaluation, or enforcement or compliance activity;
Add a new 99.35(d) to clarify that in the event that the Department's Family Policy Compliance Office (FPCO or Office) finds an improper redisclosure in the context of 99.31(a)(3) and 99.35 (the audit or evaluation exception), the Department would prohibit the educational agency or institution from which the PII originated from permitting the party responsible for the improper disclosure (i.e., the authorized representative, or the FERPA-permitted entities, or both) access to PII from education records for a period of not less than five years (five-year rule);
Amend 99.37(c) to clarify that while parents or eligible students (students who have reached 18 years of age or are attending a postsecondary institution at any age) may opt out of the disclosure of directory information, this opt out does not prevent an educational agency or institution from requiring a student to wear, display, or disclose a student ID card or badge that exhibits directory information;
Amend 99.37(d) to clarify that educational agencies or institutions may develop policies that allow the disclosure of directory information only to specific parties, for specific purposes, or both; and
Add 99.60(a)(2) to authorize the Secretary to take appropriate actions to enforce FERPA against any entity that receives funds under any program administered by the Secretary, including funds provided by
grant, cooperative agreement, contract, subgrant, or subcontract.
This language is impenetrable at best to any layman. (Reader: I doubt that you actually read it all or understood it to be a legal standard.) Such text is insider legal jargon that is self-referential, self-protective and not transparent to those whom it most affects. This has been widely noted by highly respected organizations such as the ACLU, the Electronic Privacy Information Center, Citizens for Public Schools, and Mass. PTA. Below is the testimony of Josh Golin of Campaign for a Commercial-Free Childhood:
Commissioner Chester assures that all parties involved will be obligated to comply with the Family Educational Rights and Privacy Act (FERPA). Yet critics have charged that the U.S. Department of Education's 2011 changes to FERPA violate the original intent of the law. Recently, the Electronic Privacy Information Center filed suit against the DOE for these changes to FERPA. Commissioner Chester's letter also did not reference the Federal Trade Commission's recent changes to the Children's Online Protection and Privacy Rule. These changes restrict the capture and use of a child's personally identifiable information in recognition of the huge risks to safety and privacy that occur when commercial entities obtain access to it
Given the above concerns, we believe it is imperative that parental consent be obtained before any child's data is shared with InBloom or any private corporation. We also request that you make public the types of data that have been or will be collected from students in Everett as part of the initial pilot.
When one consults the InBloom website to review its privacy policy, the language and approach is minimal, vague, perfunctory and hardly reassuring. More significantly, as noted in Golin's testimony, the InBloom privacy policy and deference to FERPA does not acknowledge the more recent policies of the Obama Administration's FTC report, Protecting Consumer Privacy in an Era of Rapid Change, or the White House's report, Consumer Data Privacy in a Networked World: Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.
These and other reports espouse a privacy by design approach to enforce a new Consumer Privacy Bill of Rights (Consumer Data Privacy in a Networked World, A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, White House, p. 1, 2012) that endorses:
Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
Security: Consumers have a right to secure and responsible handling of personal data.
Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
These general principles for the collection and use of personal data - including student data - present significant challenges for accommodating legitimate research and commercial uses of personal data with privacy protections.
If one looks at the scope and type of data that InBloom intends to collect (see Appendix), it is as comprehensive and latent for abuse as any medical records. Within the InBloom website Privacy Policy, there is no mention of focused collection, respect for context, security or accountability. Nor is there any acknowledgement of Fair Information Practices and Principles (FIPPS) or of role-based permissions that are contingent on the purpose, retention and use of student data. Such student data is easily re-identifiable (see Professor Latanya Sweeney,
Policy and Law: Identifiability of de-identified, 2013), and given the likely lack of budget, training, sophistication, and enforcement within public education institutions, the likelihood of security breaches and leaks will be unacceptably high. What thin protections do exist will only be further eroded by the strong financial incentives of third parties to monetize the data. The fact that InBloom management comes from the very industry that seeks to benefit from the monetization of the data, as so bluntly described in the Reuters article, does little to quell parental and activist concerns.
Given the groundswell of opposition to the InBloom data collection, sharing, monetization, and privacy policies, it is hard to see how with its current privacy policies it can achieve its exemplary goal of providing evidence-based personalized learning. The service is not likely to win consumer acceptance without a major overhaul of its privacy policies and extensive dialogue and trust-building with key stakeholder groups. The project needs a comprehensive legal, policy, and technical framework that conforms to current standards and expectations (e.g., the FTC and White House policy reports), recognizes the right of students and their families to have control over their educational data, and provides demonstrable systems of transparency and accountability.
Proposed Course of Action and Remedy for InBloom Privacy Issues
This problem will not go away and cannot be finessed. It threatens to undermine the overall goals of the InBloom program. It needs to be dealt with swiftly and openly, and it needs to squarely address the legitimate concerns of parents, students, activists and other stakeholders.
I would recommend a concerted effort to develop a transparent and accountable privacy policy along the lines of privacy by design, the Consumer Privacy Bill of Rights and the NSTIC trust frameworks, and tailored to meet the needs of all students and their families. This will entail not only drafting new legal language, but
developing and testing actual implementations of trusted platforms. Different trust frameworks and mechanisms for the protected sharing of personal data must be independently field-tested and evaluated. It would make practical sense to develop effective, reliable use cases that are credible for researchers, educators and third parties as well as for students and their families. Such use cases could be vetted by different stakeholders to assess how effectively they address their concerns.
There may be a way of conducting field trials to address some stakeholders' fears and help restore credibility. ID3 in conjunction with MIT Media Lab over the last two years has been developing an open source software platform that gives individuals control over their personal data and provides a highly secure and auditable means for permissions/policy based sharing of highly sensitive personal data. As part of a project to help returning veterans identify and cope with depression and PTSD, the Defense Advanced Research Projects Agency (DARPA) funded the development of a trust framework for the collection, analysis and sharing of mobile sensor data. This platform is now being used in test trials by Telefonica, Telecom Italia in Trento, Italy, as part of field trials for the protected sharing and analysis of mobile data to offer new urban and other services.
The Open Mustard Seed (OMS) version of the platform is now being developed to support Quantified Self and other applications using location and sensor data. This system uses trust frameworks and rule-based permission engines to enforce context, age, and jurisdiction-sensitive data sharing rules. OMS is also designed to express and enforce different governance and enforcement agreements, such as audit logs detailing access to data and the enforcement of permissions, and the resolution of disputes. In short, a version of OMS may be highly useful in testing out different use cases to determine how trust and confidence might be restored to the InBloom endeavor through highly demonstrable, transparent and testable means.
Prospective Next Steps for Restoring Trust:
1. Develop a Comprehensive Privacy and Data Sharing Framework for Student Data Reflecting Best Practices: As noted earlier, the InBloom privacy policy as represented on its website is neither transparent nor reflects the latest or best privacy practices. Moreover, it is not sufficient to just state policies, aspirations and assurances. It is important to have a technology architecture and appropriate security and privacy protecting principles (authentication, authorization, permissions, auditing, etc.) that are aligned with the appropriate software components (See Electronic Privacy Information Center: www.epic.org; OpenID Connect, OAuth 2.0, encryption, data minimization, anonymization, role-based permissions, zero knowledge proofs, ephemeral identifiers, independent audit logs, etc.). The objective is to express and enforce privacy by design principles in the data-sharing modules themselves.
2. Convene Stakeholders to Help Assess and Set Trust Framework Principles, Student Data Commons, and Identify Use Cases: The goal here is to engage the key stakeholders (researchers, students, parents, teachers, administrators, third parties, activists, regulators) and learn about their requirements, aspirations, fears and objections. Also, InBloom should work with stakeholders to identify use cases and criteria of success that if achieved would overcome users' objections and gain their approval. Identify the key deal breakers and set priorities of design and even a phased-in process for building credible acceptance. This can begin as an open process but then should evolve to a highly structured and rigorous process where options, remedies and priorities can be articulated and agreed upon. In other words, reference use cases are needed to produce testable trials that would allow anyone to scrutinize and question the results. It would be necessary to have a rough stakeholder consensus on measurable outcomes for success - not only in terms of user acceptance and privacy, but also in collecting, sharing, and analyzing data for successful learning analytics.
3. Manage Student Data as a Common Pool Resource and Conduct Field Trials of Use Cases in Representative Settings: The goal here is to apply principles from the Nobel Laureate economist Elinor Ostrom, whose work on the management of common pool resources suggests ways that different stakeholders could forge appropriate legal agreements and social understandings for using a shared pool of data. Field trials could be undertaken that use mobile phones, tablets and PCs, and reflect different kinds of likely settings and environments for the collection and use of student data. Depending upon the experimental design, the field trials could include thousands of users. Hence, there would need to be experimental designs that address the concerns of stakeholders and provide rigorous and replicable results.
4. Compile and Assess Results with Stakeholders: A meeting of stakeholders could be convened and the results presented and discussed. Out of that meeting would come guidelines for data collection, sharing and analysis and proposals for additional research. It would be hoped that the experiments would be sufficiently successful in key respects as to identify near term projects that could be undertaken as pilots.
5. Develop Scalable, User-Centric Approach For The Protected Sharing of Student Data for InBloom Learning Objectives: Depending upon the success and receptivity of the field trials to the different stakeholders, a follow-on goal would be to develop a scalable platform, model agreements and governance practices to be used by researchers, students, parents, third parties and school administrators to conduct their field trials and experiments. Such a platform would provide user control, audits and transparency throughout the course of developing and testing effective, personalized learning programs. It would also have specialized policies, potentially with safe harbor provisions to enable exploratory research while at the same time providing anonymity and privacy.
Conclusion
We are living in a data-rich environment where the trusted collection and use of personal data is both an economic necessity and a basic human right. This poses some unprecedented challenges in moving forward. New ways must be developed to give individuals and families meaningful control over their personal data, both in protecting their privacy and in giving them new opportunities to use their data as they see fit. This principle applies especially to the use of student data.
In this context, as technologies and social negotiations about their use evolve, it is untenable for businesses to rely on historic standards or government policies alone. Educators, students, parents, researchers and third parties are increasingly distrustful of opaque privacy agreements and the assurances of state and Federal regulators. Future innovation in this field therefore requires that the educational community take the lead in pioneering new best practices in privacy-by-design and safeguards for the data rights of students and their families. Moving in this direction will require a new convening of all stakeholders in an open and continuous process that looks to blend experimentation and validation of privacy protection practices with important educational research goals. In order to be a leader in learning analytics and the design of effective personalized learning, InBloom will also need to become a thought leader and advocate for the privacy and data rights of students and their families.
Bibliography
Clippinger, John Henry, A Crowd of One, The Future Of Individual Identity, Public Affairs, Perseus, 2007
DARPA DCAPS: Detection and Computational Analysis of Psychological Signals (DCAPS), http://www.darpa.mil/Our_Work/I2O/Programs/Detection_and_Computational_Analysis_of_Psychological_Signals_%28DCAPS%29.aspx
de Montjoye, Y.-A., Wang S., Pentland A., On the Trusted Use of Large-Scale Personal Data (http://sites.computer.org/debull/A12dec/issue1.htm). IEEE Data Engineering Bulletin, 35-4 (2012)
Department of Commerce, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Framework, 2012
Electronic Privacy Information Center (EPIC), www.epic.org
Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change, Recommendations for Businesses and Policy Makers, March 2012
InBloom, https://www.inbloom.org
Lohr, Steve, Big Data Is Opening Doors, but Maybe Too Many. The New York Times Business Day Technology, March 23, 2013
Mobile Territorial Labs.
[press] Pivato, Marco, Il tuo smartphone ti osserva e studia cosa fai e cosa pensi. Test a Trento in collaborazione con il Mit. La Stampa - Tutto Scienze, April 17, 2013
The Telefonica M2M Team, Telefónica and Telecom Italia collaborate in Smart City innovation projects in Trento, http://blog.digital.telefonica.com/?press-release=telefonica-and-telecom-italia-collaborate-in-smart-city-innovation-projects-in-trento, October 31, 2012
Telecom Italia SKIL Lab, Mobile Territorial Lab (MTL), http://skil.telecomitalia.com/index.php?option=com_content&view=article&id=96%3Amtlproject&catid=35%3Acatprogetti&Itemid=68
7/27/2019 InBloom: Building Trust for the Protected Sharing and Analysis of Student Data for Personalized Learning
18/27
18
TrentoMobileTerritorialLab(MTL),http://www.mobileterritoriallab.eu
OpenMustardSeed,http://idcubed.org/open-platform/platform/
Ostrom,Elinor,andGardner,Roy,andWalker,James,Editors,Rules,Games,
andCommonPoolResources.AnnArbor,UniversityofMichiganPress,1994
Ostrom,ElinorandHess,Charlotte,Editors,
UnderstandingKnowledgeasaCommons:FromTheorytoPracticeTheMIT
Press,Cambridge,Massachusetts,2006
Pure,CPSsettosignawaystudentprivacy,Tuesday, May 22nd, 2012,http://pureparents.org/?tag=ferpa-gates-foundation-murdoch
Ravitch,Diane,DianeRavitchsBlog
http://dianeravitch.net/2013/04/07/is-inbloom-engaged-in-identity-theft/
Simon,StephanieK-12databasejazzestechstartups,spooksparents,March3,2013
Sweeny,Latanya,Policy and Law: Identifiability of de-identified , 2013,
datahttp://latanyasweeney.org/work/identifiability.html
WhiteHouse,ConsumerDataPrivacyinaNetworkedWorld,AFrameworkfor
ProtectingPrivacyandPromotingInnovationinTheGlobalDigitalEconomy,Feb.
2012
WhiteHouse,NationalStrategyforTrustedIdentitiesinCyberspace,Enhancing
OnlineChoice,Security,EfficiencyPrivacy,February2010
WorldEconomicForum,RethinkingPersonalData:StrengtheningTrust,,2012
WorldEconomicForum,UnlockingtheValueofPersonalData:FromCollectionto
Use,January,2013
http://www.weforum.org/reports/personal-data-emergence-new-asset-class
http://www.weforum.org/issues/rethinking-personal-data
http://www3.weforum.org/docs/WEF_IT_UnlockingValuePersonalData_CollectionU
sage_Report_2013.pdf
http://www3.weforum.org/docs/WEF_IT_UnlockingValuePersonalData_CollectionU
sage_Report_2013.pdf
Other
CourseRepeatCodeType
Indicates that an academic course has been repeated by a student and how that repeat is to be computed in the student's academic grade average. Like all enumerations in inBloom, CourseRepeatCodeType is derived from the W3C datatype token.
RepeatCounted
RepeatNotCounted
ReplacementCounted
ReplacedNotCounted
RepeatOtherInstitution
NotCountedOther
AssessmentReportingMethodType
The method that the instructor of the class uses to report the performance and achievement of all students. It may be a qualitative method such as individualized teacher comments or a quantitative method such as a letter or a numerical grade. In some cases, more than one type of reporting method may be used. Like all enumerations in inBloom, AssessmentReportingMethodType is derived from the W3C datatype token.
Achievement/proficiency level
ACT score
Adaptive scale score
Age score
C-scaled scores
College Board examination scores
Composite Score
Composite Rating
Composition Score
Grade equivalent or grade-level indicator
Graduation score
Growth/value-added/indexing
International Baccalaureate score
Letter grade/mark
Mastery level
Normal curve equivalent
Normalized standard score
Number score
Pass-fail
Percentile
Percentile rank
Proficiency level
Promotion score
Ranking
Ratio IQ's
Raw score
Scale score
Standard age score
Standard error measurement
Stanine score
Sten score
Theta
T-score
Vertical score
Workplace readiness score
Z-score
Other
Not applicable
Quantile Measure
Lexile Measure
Vertical Scale Score
National College-Bound Percentile
State College-Bound Percentile
AssessmentCategoryType
The category of an assessment based on format and content. For example: Achievement test, Advanced placement test, Alternate assessment/grade-level standards, Attitudinal test, Cognitive and perceptual skills test ... Like all enumerations in inBloom, AssessmentCategoryType is derived from the W3C datatype token.
Achievement test
Advanced Placement
International Baccalaureate
Aptitude test
Attitudinal test
Benchmark test
Class test
class quiz
College entrance exam
Cognitive and perceptual skills test
Developmental observation
English proficiency screening test
Foreign language proficiency test
Interest inventory
Manual dexterity test
Mental ability (intelligence) test
Performance assessment
Personality test
Portfolio assessment
Psychological test
Psychomotor test
Reading readiness test
State summative assessment 3-8 general
State high school subject assessment
State high school course assessment
State alternative assessment/grade-level standards
State alternative assessment/modified standards
State alternate assessment/ELL
State English proficiency test
Other
IncidentLocationType
Identifies where the incident occurred and whether or not it occurred on school. Like all enumerations in inBloom, IncidentLocationType is derived from the W3C datatype token.
On School
Administrative offices area
Cafeteria area
Classroom
Hallway or stairs
Locker room or gym areas
Restroom
Library/media center
Computer lab
Auditorium
On-School other inside area
Athletic field or playground
Stadium
Parking lot
On-School other outside area
Off School
Bus stop
School bus
Walking to or from school
Off-School at other school
Off-School at other school district facility
Online
Unknown
OldEthnicityType
Previous definition of Ethnicity combining Hispanic/Latino and Race. Like all enumerations in inBloom, OldEthnicityType is derived from the W3C datatype token.
American Indian Or Alaskan Native
Asian Or Pacific Islander
Black, Not Of Hispanic Origin
Hispanic
White, Not Of Hispanic Origin
PersonalInformationVerificationType
The evidence presented to verify one's personal identity; for example: drivers license, passport, birth certificate, etc. Like all enumerations in inBloom, PersonalInformationVerificationType is derived from the W3C datatype token.
Baptismal or church certificate
Birth certificate
Drivers license
Entry in family Bible
Hospital certificate
Immigration document/visa
Life insurance policy
Other
Other non-official document
Other official document
Parents affidavit
Passport
Physicians certificate
Previously verified school records
State-issued ID
ReasonNotTestedType
The primary reason student is not tested. For example: Absent, Refusal by parent, Refusal by student, Medical waiver, Illness, Disruptive behavior, LEP Exempt ... Like all enumerations in inBloom, ReasonNotTestedType is derived from the W3C datatype token.
Absent
LEP exempt
LEP postponement
Not appropriate (ARD decision)
Not tested (ARD decision)
Alternate assessment administered
Parental waiver
Foreign exchange student waiver
Refusal by parent
Refusal by student
Medical waiver
Disruptive behavior
Previously passed the examination
Other
RelationType
The nature of an individual's relationship to a student. Like all enumerations in inBloom, RelationType is derived from the W3C datatype token.
Adopted daughter
Adopted son
Adoptive parents
Advisor
Agency representative
Aunt
Brother, half
Brother, natural/adoptive
Brother, step
Brother-in-law
Case Worker, CPS
Court appointed guardian
Cousin
Daughter
Daughter-in-law
Dependent
Doctor
Employer
Emergency Contact
Family member
Father's significant other
Father, foster
Father
Father, step
Father-in-law
Fiance
Fiancee
Former husband
Former wife
Foster daughter
Foster parent
Foster son
Friend
Granddaughter
Grandparent
Great Grandparent
Grandson
Great aunt
Great uncle
Guardian
Husband
Life partner
Life partner of parent
Minister or priest
Mother's significant other
Mother, foster
Mother
Mother, step
Mother-in-law
Nephew
Niece
None
Other
Parent
Partner
Partner of parent
Probation officer
Sibling
Sister, half
Sister, natural/adoptive
Sister, step
Sister-in-law
Son
Son-in-law
Spouse
Stepdaughter
Stepson
Stepsibling
Uncle
Ward
Wife
ResponseIndicatorType
Indicator of the response. For example: Nonscorable response, Ineffective response, Effective response, Partial response ... Like all enumerations in inBloom, ResponseIndicatorType is derived from the W3C datatype token.
Nonscorable response
Ineffective response
Effective response
Partial response
RestraintEventReasonItemType
The items of categorization of the circumstances or reason for the restraint. Like all enumerations in inBloom, RestraintEventReasonItemType is derived from the W3C datatype token.
Imminent Serious Physical Harm To Themselves
Imminent Serious Physical Harm To Others
Imminent Serious Property Destruction
SeparationReasonType
Reason for terminating the employment; for example: Employment in education, Employment outside of education, Retirement, Family/personal relocation, Change of assignment. Like all enumerations in inBloom, SeparationReasonType is derived from the W3C datatype token.
Employment in education
Employment outside of education
Retirement
Family/personal relocation
Change of assignment
Formal study or research
Illness/disability
Homemaking/caring for a family member
Layoff due to budgetary reduction
Layoff due to organizational restructuring
Layoff due to decreased workload
Discharge due to unsuitability
Discharge due to misconduct
Discharge due to continued absence or tardiness
Discharge due to a falsified application form
Discharge due to credential revoked or suspended
Discharge due to unsatisfactory work performance
Death
Personal reason
Layoff due to lack of funding
Lost credential
Unknown
Other
StaffIdentificationSystemType
A coding scheme that is used for identification and record-keeping purposes by schools, social services, or other agencies to refer to a staff member. Like all enumerations in inBloom, StaffIdentificationSystemType is derived from the W3C datatype token.
Drivers License
Health Record
Medicaid
Professional Certificate
School
District
State
Federal
Other Federal
Selective Service
SSN
US Visa
PIN
Canadian SIN
Other
WeaponItemType
The enumeration items for the types of weapon used during an incident. Like all enumerations in inBloom, WeaponItemType is derived from the W3C datatype token.
Firearm
Illegal Knife
Non-Illegal Knife
Club
Other Sharp Objects
Other Object
Substance Used as Weapon
Knife
Unknown
None
Other