Advice on video-conference apps and student privacy

With the mass school closures due to COVID-19, there has been a sudden shift to crisis schooling via remote learning, and in the wake of this existing student data privacy concerns about education technology have ballooned.

Unfortunately, in many cases, parents’ need and desire to protect their children’s privacy has been put in direct conflict with how schools are attempting to provide a substitute for education away from the physical classroom.

[Update 11.23.2020: For updated advice, please see this more comprehensive policy recommendations doc for tech use in remote learning developed by a coalition of advocacy organization this fall. It covers an array of issues including use of video conference tools, recording classes in remote learning, surveillance of devices and more.]

Real-time instruction via streaming video-conference apps is in use across the state and country. There are numerous concerns with this technology—concerns that are greater with certain software than with others. Zoom in particular has come under fire seemingly every day with a new privacy or security risk. The FBI issued a security warning about Zoom last week, and over the weekend, the New York City school system said that teachers should stop using Zoom. Lawmakers are urging the FTC to investigate Zoom if they haven’t begun to do so already. Google Meet as a part of the G Suite for Education presents the same issues that other G Suite apps do with respect to student data collection—and more because the data from Google Meet may contain a child’s face and voice.

In addition, with the development and ever-wider distribution of face recognition software, like the Clearview AI system, the privacy risks of sharing digital images of one’s face online are greater than ever.

Requiring children to participate in video discussions, recorded or not, is especially problematic for families whose well-being is directly threatened by lack of privacy, e.g. families with undocumented members or domestic violence survivors; this is yet another equity issue with online learning.

Families should know that their privacy rights under state and federal law have not changed or been waived due to the pandemic. You still have a right to access and protect your child’s educational records, and schools should be compliant with the Illinois School Student Records Act, the federal laws, the Family Educational Rights and Privacy Act (FERPA) and the Children Online Privacy Protection Act (COPPA).

Particularly relevant to real-time video instruction, the US Dept of Education’s recent guidance (FERPA and Virtual Learning During Covid-19) says:       

"Video recordings of virtual classroom lessons qualify as 'education records' protected under FERPA only if they directly relate to a student and are maintained by an educational agency or institution or by a party acting on their behalf. FERPA’s nondisclosure provisions may still apply to such video recordings even if they do not qualify as 'education records,' if the video recording contains PII from student education records." (Slide 24)

The US Dept of Ed has more guidance on FERPA and videos here. If class instruction held via an online video-conference tool is recorded by the instructor, and the recording contains a child’s face and voice, it is highly likely that such a recording qualifies as an educational record.  In addition, if the child is under 13, it will likely count as PII for the purposes of COPPA.

This means that under FERPA, parents have the right to access/inspect the recordings and the right not to have the record disclosed inappropriately, and, under COPPA, they have the right to request to have the recording deleted. Given that such a recording of a class will likely have more than one child in it, this presents a lot of complexity for school districts and vendors complying with these laws.

(Note that COPPA’s requirements apply for the most part not to schools, but to the companies themselves that collect, use or disclose personal information from children under 13, so a request to have data deleted under COPPA would need to be made to the tech vendor holding the data. Here’s more info on COPPA from the FTC.

What’s the best course of action for families?

Faced with the need for emergency provision of education via remote learning, parents are likely to feel they have little real choice but to allow their child to participate in whatever medium the school provides a curriculum right now. 

The truth is, the quality of real-time instruction via video is simply not comparable to in-person instruction. For a general assessment of online learning, see this review of the research from Network of Public Education’s report. We also recommend this first-person account of the drawbracks of teaching via video-conferencing from a current college-level instructor. 

That said, right now, due to the length of separation from normal schooling, children may appreciate seeing their classmates and teachers, simply for the social-emotional bond rather than any academic instruction benefits.

Our recommendation is—to the extent possible given your family’s situation—limit your child’s exposure via these tools and hold schools and districts accountable for following existing policies, laws and regulations. 

Not all parents have the resources to push back on privacy violations right now, but even during an emergency, our children shouldn’t have to pay for a public education with their personal data. If you by yourself or with other parents in your school district join together, you can make a difference for more than just your own family.

Do reach out to us directly if you need help or advice; we may also be able to connect you with legal assistance: [email protected]

The practicalities of the matter are that it is in the interest of a school district as a whole, not just individual children, to limit their legal exposure to tech vendors, whether free or not, selling software that is not compliant with laws that cover students and children. (See here for some additional legal recommendations for school districts using videoconferencing tools.)

Below are some of the things you may be able to do:

  1. Avoid using Zoom, and inform your district that school districts around the country have either banned Zoom (Clark County, NV; NYC) or have encouraged teachers not to use it (Chicago, Los Angeles). If schools or districts do not want to sign a contract for a video-conference application, a better choice than Zoom is open-source Jitsi, as recommended by the Parent Coalition for Student Privacy, and which can be hosted on a school district’s own server.
  2. Make use of whatever non-digital forms of instruction the school or district is offering. In districts where internet and device access is not universal, provisions are being made for hard-copy materials and also electronic materials distributed not via the internet. These present little to no privacy issues.
  3. Have your child participate in real-time video-conferences without using their video camera. If their microphone is on, their voice can still be recorded, but it still helps to limit the personally-identifiable information being shared.
  4. Inform your school that video sessions with your child should not be recorded or the recorded portions should not include your child, and/or that you plan to request to have any recorded video images of your child deleted. If your child is under age 13, you have the legal right to have this data deleted. In some states, parents already have the right to request that this data be deleted for any age student; this will be the law in Illinois in July 2021.
  5. Get a copy of the contract between your school and the vendor of the video-conferencing app. Parent Coalition for Student Privacy has posted a model contract between Google and a school district in New York State. Push your school board to match the privacy provisions in this contract. The Parent Coalition also has more detailed information on what to look for in contracts in their toolkits for parents and for educators.

The National Education Policy Center has a helpful document for parents here: Children’s Data Privacy During COVID-19 Closures: 10 Questions to Ask

Policies specific to Chicago Public Schools’ use of video-conferencing software

Prior to the COVID-19 school closures, under Chicago Public Schools' acceptable use policy, video conferencing between students and staff was not allowed (with a few very narrow exceptions.) 

Once schools closed, CPS told schools that they could ask parents for consent for their child to use Zoom or some other software for video-conferencing.

Then on March 27th, they announced that Google Meet via CPS' G Suite accounts was now going to be allowed and provided teachers with this document on how to use Google Meet. According to this document, all video sessions should be recorded. 

CPS further said that tools other than Google Meet are also allowed also, but schools must give parents the opportunity to opt their child out of using them via this form. Note that this form contains very problematic wording that says that it is a parent’s responsibility to review the privacy policy and terms of use of whatever tool is used, not the school’s and that by allowing the child to use the tool, the parent is releasing the school and the district from any liability for use of the tool even if they do not sign the form and submit it to the school.

CPS has not made its prior contract (which ended on March 31, 2020) with Google available online; the agreement can be found here. The Chicago Board of Ed voted on a new agreement with Google on February 26, 2020.



[Graphic used via Creative Commons]