The theme for this issue, Security, was prompted by an article in the New York Times about a tech savvy parent who realized an online service used by schools, and his kids, was not secure. Their names and grades were transmitted across the internet in a way easily intercepted. While no one has proof that happened, the Times reported on the issue and did a decent amount of additional reporting on the topic. (The article, Data Security is a Classroom Worry, Too, is linked below.)
The reasons for the security problems, it turned out, were garden variety. The software provider had not installed an SSL certificate for the entire application, even though Google for several years now has encouraged website owners and software vendors to use SSL certificates. And even though many hosting companies that provide web site hosting services for these online services also provide SSL certificates. For example, the certificate for this site, hosted on a cloud, costs me $2/month for the IP address while the annual cost of the certificate is free.
(If you're wondering what an SSL certificate is, be sure to read the article in this issue.)
But there are deeper issues to consider here. Software vendors don't need to know the name of your child. They don't even need to know the school or state, for that matter. They may not need to know the grade level of the child taking their online course or using their technology. In theory, a teacher might let a bright student take classes one or more grade levels higher.
What software vendors do need is a unique identifier for each child. To be most secure, the school should have the ability to generate these identifiers, to control their creation and local use. Teachers and schools should be the gatekeepers, determining how the child is identified online, what courses they can take, as well as the ability to delete student data after some reasonable time. Definitely when the child graduates high school, perhaps earlier.
Why bother?
As a kid, my struggles in school stayed in school. Same for college. At each stage, I was given the opportunity to start over. My concern is our kids will not be afforded the same natural ability to grow that we had, and that is critical for personal growth. We grow by trying and failing, as well as doing dumb things and learning from our mistakes. School should be a safe haven.
Instead, if the child's name or identity can be stored online, out of local control, it is possible (some would say likely) our kids will be confronted in a job interview or other setting where someone has access to their intimate school data. Worse, in that scenario, they may never be given the opportunity to interview for a job based on what happened in school.
Today people are denied job interviews because of their photos on LinkedIn and elsewhere, as well as immature but regretted Facebook posts, both situations that were private before our digital age. Imagine if you have a job candidate’s name and can match the name to every grade, every teacher comment, every counseling session, and so on. While you and I can forgive someone and move on, such a world is unforgiving, lacking in humanity, compassion, and kindness.
Is that the world we want for our kids?
In the financial world, trading systems use a common standard to define trades. The standard is called FIX, or Financial Industry XML. Stakeholders in the industry worked together to define a common language their software can use to create, handle, and process trades. While FIX can be slow, and there are other options, FIX ensures any software vendor creating a trading system will be compatible with other software, for example, trading exchanges.
Educational software needs a similar common open source standard. A standard driven by schools and technologically savvy parents and teachers.
What would be in this standard? Here are some ideas, as a start point:
- What is the minimum amount of student data needed by online course vendors? Could it be one unique identifier?
- Software to be used locally at schools to manage creation, assignment, and use of unique identifiers for each student.
- Software schools use to connect, engage, and draw results from remote online learning resources.
- Software schools use to organize and display locally and securely the online learning results by student, course, and grade, among other criteria.
- Software schools could use to aggregate anonymous student results to send upstream to course vendors, for example, results by grade or age.
In this ideal world, software vendors would only have to grab the unique identifier for each student. They would use open source data standards to track the course outcomes and send results downstream to the school. Instead of reinventing the user identity and data storage wheel, course vendors could focus more of their time on developing unique course work. Developers also could focus on creating software and secure, easy to manage server environments to handle student data at the local school level.
Let's not only make software used by our kids more secure with SSL certificates, which was the point in the New York Times article. Let's go beyond and create a common open source standard to handle student data, a standard that protects privacy and gives control of personal data to the teachers and schools that know our kids best.
Then every software vendor providing educational tools can be assured their next great thing is compatible with software schools have. Schools can be assured they have total control over their student data and privacy. And parents can be certain their kids are truly free to be themselves in school, to try and fail at many things instead of living in fear somehow their data will live on for decades after they graduate. Our kids deserve the basic right to privacy we enjoyed before the internet. The benefits of the internet and the right to privacy can co-exist easily, if we choose.
As a former kid, and as a parent, every kid deserves the chance to grow up in school with no worries about the future impact of their choices in school. That's probably the true definition of security online: the ability to control your data locally, to limit your data to the minimum viable data set needed, and the ability to delete your data.
