Report Says PPSD Could Spy on Chromebooks

Last September, the Rhode Island American Civil Liberties Union (ACLU) reported that Providence Schools and most other districts in Rhode Island have alarmingly few privacy protections for students using school-loaned technology like Chromebooks or tablets. Rhode Island school districts give officials unlimited, unconditional remote access to the cameras, microphones, and contents of all district devices. To learn more about the report and what it means for Classical students, the Chronicle spoke with ACLU Policy Associate Hannah Stern.

“Many students are doing one hundred percent of their learning from home. The fact that a school could look into a student’s private life and that of their families at any given moment is really concerning,” she explains. “Students should have the security of not feeling like at any given moment their school could be spying on them.”

While there have been no cases in Rhode Island of school districts using their power to spy on or discipline students, Stern says it’s best to be proactive: “The harm of one incident [of schools spying on students] would be irreparable.”

There is also the privacy of the family to consider: “There are some districts that explicitly say ‘you can use [school-loaned devices] for non-school activities.’” While Providence has not gone that far, Stern says it does not matter, “Even if they don’t say [that families can use school loaned technology for non-academic purposes] it’s probably inevitable that families and students, if they really have to, are going to utilize [those devices].”

The ACLU has suggested that Providence Schools stop allowing themselves to potentially spy on students and their families. Last April, near the beginning of distance learning in Rhode Island, the RI ACLU sent a letter to every school district in Rhode Island, requesting districts change their inadequate privacy policies to include:

1. Not recording students’ cameras and microphones without their permission

2. Not remotely or locally looking at the contents of students’ computers without their permission or reasonable suspicion that the student has broken school or district policy or the law and that there is evidence of that on a specific area of the computer.

3. Not remotely tracking the location of students’ take-home devices without cause.

4. Disabling privacy-invasive features on third-party applications students are required to download to take part in virtual learning.

5. Ensuring that any third-party programs used in the course of remote education are in compliance with the state’s data-cloud computing privacy law, §16-104-1

Stern notes, “There are legitimate circumstances [that allow for a school to search a computer’s contents] where there is a documented, reasonable suspicion that there’s been very specified misconduct.” She warns against having total, unwarranted searches, saying that students should not be afraid that researching certain topics (medical or sexual health information, etc.) will trigger disciplinary action from their school.

Of the 36 districts in Rhode Island, the ACLU found that only one district, Newport Public Schools, had adequately comprehensive policies in place that were publicly and easily accessible. Besides Newport, the only district to respond to the ACLU’s letter was Tiverton, which is currently in the process of improving their privacy policy.

Providence is one of four districts in Rhode Island that already bans remotely tracking students’ location except in instances of theft or loss. Of the ACLU’s five recommendations for adequately protecting student privacy, this is the only one Providence follows.

While students technically agree to the PPSD privacy policy by using their school-loaned computer, Providence Schools’ privacy policy is not easily accessible. As of this article being published, PPSD links on their website to the privacy policy of a third-party computer managing service they use called Blackboard. Because Blackboard is a multinational third party corporation, their privacy policies largely depend on the contracts they have with the district, which are not easily accessible either. There is virtually no accountability for Providence Public Schools’ privacy policy. (The policy can be found in its entirety at the bottom of this article.)

School districts in other states have already abused school-loaned technology to spy on students. In October 2009, a school district in Pennsylvania used a school-loaned Macbook to take photos of sophomore Blake Robbins in his bedroom. The school took many photos of him partially or entirely indecent, and showed his family in compromising positions as well. School officials then tried to use those photos to discipline him for using and selling drugs. The district monitored students’ computers through a now-discontinued software called TheftTrack. The system, once activated, took screenshots of whatever was on its webcam and sent them directly to district databases. The district took deliberate steps to prevent students from knowing they were being monitored. Some officials asserted that if students knew they were being tracked, the spyware would not have been as effective.

In February 2010, Robbins filed a class-action lawsuit against his school district, followed later that year by 17 year old Jalil Hasan and his mother on similar grounds. In October of 2010, the district reached a $610,000 settlement for both the Robbins and Hasan cases. The court also ordered the district to promise to monitor the contents of school computers only with reasonable suspicion that a student is violating district/school policy or the law or if the student consents to the search. Ten years later, Providence Schools still refuses to adopt the same policies.

As students transitioned to distance learning, they began to use more third-party apps. Some of those apps further compromise student privacy. “Another one of the really important things that has come out of COVID-19,” says Stern, “is that it has created an opportunity for tech companies to prey on districts that are now desperate for ways to keep their students engaged and learning. That’s not the district’s fault, that is a combination of a lack of regulation for these companies on a national and an inclination tech companies have to exploit openings.” However, districts do not prevent this kind of company from exploiting students’ education. Many districts’ third-party privacy agreements do not actually reference the statute put in place to prevent this.

The fifth item on the ACLU’s list of suggested policy changes is to incorporate the 2014 statute §16-104-1, which says that tech companies cannot profit off of the educational experiences of students. So far, most school districts have nevertheless ignored this law. Providence’s third party system, Blackboard, has a privacy policy that directly contradicts Rhode Island state law. Blackboard is using aggregate student data, which is addressed more specifically in the full law, to advance itself commercially. Blackboard uses the data¹ to find the demographics of its students, perform internal research, and market itself to other districts. (full policy linked below) It is profiting off of the educational experiences of students.

These third party corporations create another problem by regulating student privacy rights: since many set their own policy, and districts in Rhode Island pick and choose which services they use, it is very difficult to tell what privacy protections a student has from one district to another.

The Rhode Island ACLU says that in order to be adequately protecting student’s privacy, Providence Schools needs to make three promises:

1. The district will not give themselves unlimited and unconditional remote access to students’ cameras and microphones

2. The district will not give themselves unlimited and unconditional remote access to the contents of school-loaned devices

3. The district will not explicitly state that students have no expectation of privacy in their privacy policy

Until then, students should be aware that the intimacies of their private lives are fully exposed to district officials. When they ask a question to their Zoom class, their parents might get a call about it. When they read a controversial article, it might put them on a list of students with controversial thoughts. When they write an essay, it might be the subject of a random spot check. These are the decisions Providence Schools makes to avoid rules and accountability: the ones that hurt kids.