Tom Riggins: Schools and cybersecurity

Public schools, and by extension publicly funded charter schools, are some of the least secure institutions in the country. The politicians who decry violence in schools are the first to shun common-sense solutions to the problems. This involves issues such as school shootings and, bullying but also extends to cybersecurity.

Those who sit behind their armed security and eschew armed presence in schools also totally ignore threats of identity theft that can potentially haunt for a lifetime. It is a known fact that governments at all levels are the least secure with personal information. School districts generally are at the bottom of that list.

The problem arises with the issuing by schools of school-issued Chromebooks or similar devices to students. When that happens the student is also assigned an email address and password. That information is then tied to the student’s entire academic record and history.

We have all done it. We start a new app or program and a user agreement pops up. All you need to do is check the right box to proceed, that being an agreement to the terms of use. When was the last time you read one of those? Me, either. Yet we somehow expect children and teachers to do so. If you read one of the user agreements for the school-issued devices and programs it should scare the crap out of you.

If the data could be limited to the issuing school or district it might be less of a risk. However, the electronic device is tied to an online source with the data stored in a cloud. Google and Microsoft donate many of the devices and programs to the schools. That in itself is admirable. The catch is that these companies also have access to the data in exchange for using their services at a free or greatly reduced price.

If you accept Google’s user agreement, you have essentially agreed to give away your child’s information. They will own that data as intellectual property. Neither you nor the school district have any control over how that data is secured, where it goes, how it is used, or who uses it. You will have to trust Google. Given recent headlines about Google’s business model, do you really trust them?

The problem is serious enough that the FBI on Sept. 13 issued a Public Service Announcement on the issue. It is Alert Number I-091318-PSA for reference. It lists the type of data collected and safety recommendations. The data collected can include personally identifiable information, biometric data, academic progress, behavioral, disciplinary, and medical information, Web browsing history, students’ geolocation, IP addresses used by students, and classroom activities.

It goes on to say “Malicious use of this sensitive data could result in social engineering, bullying, tracking, identity theft, or other means for targeting children. Therefore, the FBI is providing awareness to schools and parents of the important role cybersecurity plays in the securing of student information and devices.”

It also says that cybersecurity issues were discovered in 2017 for two large educational technology companies that resulted in public access to the data of millions of students. Without naming the companies it stated that one exposed information by storing it on a public-facing server. The other company was hacked and the data offered for sale on the Dark Web.

Cybersecurity threats are a way of life in today’s world. Private companies and government agencies are hacked on an increasingly regular basis. Most of those contain information that, while problematic, rarely have the student life history that is often kept on students as outlined in the FBI’s PDA. That, combined with budgetary restrictions that often limit available security, is what makes breaches of student data so serious.

Make no mistake, I am in favor of using electronic devices as teaching tools. I believe that is one way to deal with increased class size and greater educational budget problems. However, common sense must be applied as well. One way might be to segregate a student’s sensitive personal data from day to day online instructional activity. In other words, keep sensitive student data off-line. Yes, it is more work to collate grades and other data with the off-line records, but it is secure. It requires a physical break-in to steal offline data.

In closing, my intent is not to panic you but to suggest that you be cautious. Read user agreements before proceeding, and ask questions. Don’t place your child’s identity at risk.

Tom Riggins can be reached at


Use the comment form below to begin a discussion about this content.

Sign in to comment