Edtech vendors invaded student privacy: Human Rights Watch

Updated: The NSW and Victorian Departments of Education have promised investigations into the educational software they use, after Human Rights Watch accused vendors of tracking children through their products.

HRW says the adoption of edtech during the Covid-19 pandemic gave vendors the chance to greatly expand their harvesting of information about children.

The HRW investigation, "How Dare They Peep into My Private Life”, was released to 13 media outlets in 16 countries, including to the ABC in Australia.

HRW said its raw data and technical analysis will be released in early June.

Student privacy is a sensitive issue. Victoria's Department of Education faced criticism in April for using Zscaler certificates to decrypt traffic to and from students' own devices. 

HRW's research was conducted in response to the huge increase in student time spent online since the start of the global Covid-19 pandemic.

The organisation conducted a technical and policy analysis of 164 products used in 49 countries, including Australia, and found data was shared with nearly 200 companies.

For mobile apps, the research focused on those released for Android, because most government-endorsed edtech products in the study were offered on that platform.

Edtech products offered on websites were also analysed.

“Human Rights Watch finds that governments’ endorsements of the majority of these online learning platforms put at risk or directly violated children’s privacy and other children’s rights, for purposes unrelated to their education," the report stated.

“Of the 164 Edtech products reviewed, 146 (89 percent) appeared to engage in data practices that put children’s rights at risk, contributed to undermining them, or actively infringed on these rights.”

The products had at least the capacity to monitor children, and often harvested data such as identity, location, classroom activities, who their family and friends are, and what devices they use.

“Most online learning platforms installed tracking technologies that trailed children outside of their virtual classrooms and across the internet, over time”, HRW wrote, and often trackers pushed onto children’s devices can’t be eradicated.

Types of data collected

The report identifies a product’s use of Android advertising identifiers (AAIDs); MAC address and IMEI number collection; canvas fingerprinting where the product was offered through a website; precise and coarse location data; wi-fi SSID; user contact data possibly shared with third parties; session recording; key logging; SDK-based data collection; and cookies.

Products used in Australia which received unfavourable attention in the report included:

• For AAID use – Minecraft Education Edition and Cisco’s Webex;
• MAC address collection – Minecraft Education Edition;
• IMEI collection – Webex; 
• Fine location data – Microsoft Teams, Zoom, Webex, and Minecraft Education Edition; 
• SSID collection – Teams, Zoom, and Webex;
• User contact data – Teams, Zoom, and Webex;
• Key logging – Education Perfect’s Science product includes the Hsforms key logger;
• Analytical data – Minecraft Education Edition, Teams, and Adobe Connect all used SDK hooks for data collection.

Nearly every website examined by HRW used ad trackers, with only 13 out of 125 not collecting children’s data via cookies or other third-party trackers. 

The only edtech websites used in Australia to get a clean bill of health in that regard were Stile Education, used in Victoria; and Zoom, used in NSW.

HRW explained that because of the scale of the investigation, only NSW and Victoria were investigated as Australia's most populous states.

Both states' education departments told the ABC they would investigate potential privacy violations in the edtech they're using.

iTnews invited the Office of the Australian Information Commissioner to comment on the HRW investigation.

Update:

Microsoft has contacted iTnews to say that it's been in touch with HRW about its research.

A spokesperson told iTnews: “After speaking with Human Rights Watch, we’ve determined that the conclusions reached in the report are either inaccurate or based on unofficial builds of the Android version of Minecraft: Education Edition which are different from the official builds we publish to the Google Play Store.

“We continue to be engaged with Human Rights Watch and are investigating all claims within our products and will take any necessary action.”