Hackers have stolen data about your child.
No parent wants to hear these words, yet many New York City parents heard them last week.
Last Friday, the New York City Department of Education revealed that hackers had accessed the personal information of roughly 820,000 current and former students. The hack occurred in January, but the software vendor Illuminate did not inform the DOE of the data breach until last week. Hackers gained access to student names, academic schedules, birthdays, and special-education status.
Doug Levin, national director of the nonprofit K12 Security Information Exchange, told the New York Daily News that hacks of third-party vendors are becoming more common. The “why” is no mystery. When “student data” meant simply grades, attendance, and discipline records, they held limited allure for malicious actors. But the rise of software-enabled behavior-management and modification practices has changed the character of school data.
Software systems like Skedula, which was breached in the hack, contain detailed writeups of student misbehavior. More and more schools are implementing Social and Emotional Learning initiatives; SEL spending has increased by about 45 percent, to $765 million, between November 2019 and April 2021. These initiatives frequently include surveys that ask students highly sensitive questions about their beliefs, their families, and even their sexuality. The data are stored either by the school district or by a third-party vendor. Those vendors provide districts with assurances about their data-security practices, but in this case, a DOE spokesman declared himself “outraged” that those assurances weren’t well-founded.
As the information collected becomes more robust and sensitive, it also becomes potentially more valuable—and vulnerable. Ten years ago, a hacker might have discovered that Johnny had been suspended in the fourth grade. Today, hackers could discover salient details of that event (for example, what triggered Johnny’s misbehavior) or that Johnny frequently felt depressed, identified as “genderqueer,” and didn’t want his parents to know.
Though school districts often do their best to keep student data safe, they’ve never been noted for having world-class IT departments. And third-party assurances of data security, as we’ve seen, can prove dubious. There’s no predicting how widespread a phenomenon student data breaches will become, but further student data hacks are inevitable.
Even if parents got an ironclad security guarantee, the question still looms: Should schools be in the business of collecting highly sensitive behavioral, social, and emotional data? “What gets measured gets managed,” as the old saying goes. In the No Child Left Behind era, schools measured standardized reading and math test scores, in an attempt to manage academic instruction more effectively—sometimes for the better, and sometimes not. Critics argued that NCLB’s data-driven emphasis on reading and math narrowed the curricular and human scope of education. The education establishment’s impulse to pivot toward school culture and SEL was, therefore, perfectly comprehensible. But applying the tools of “data-driven” management to student attitudes and mindsets essentially invites school administrators to act as social engineers.
In practice, the collection of sensitive student data frequently serves as a pretext for school districts to hire other third-party “equity” vendors, who peddle woke ideology under various names. State policymakers already have their hands full wrestling with the importation of Critical Race Theory and gender ideology into public schools. They’d better turn their attention to safeguarding student data, too.
The threat that “this will go on your permanent record” was scary enough when that record was basic, and students were concerned only that college admissions officers would see it. When the data become extensive and sensitive, and potentially vulnerable to malicious third-party hackers, it’s a whole new ballgame.
Photo: SB Arts Media/iStock