Arrowhead internet policy has students, parents seeing red
Security advocates worry students’ personal data could be hacked or sold
Students and parents at Arrowhead High School are pushing back against a new web-filtering service the school is putting in place, calling it an invasion of privacy and an attempt to micromanage students’ lives online.
One of the chief gripes, for the kids at least, is that the parents now can opt to get a weekly accounting of all the websites they visit during the school day. The filters will run not only on all school-owned devices but also studentowned devices if they are connected to the school’s Wi-Fi.
But that, experts suggest, might be the least of their worries.
Security and privacy advocates have raised concerns about the capacity of such providers to collect vast amounts of information about students that may be stored for years and could be hacked or co-opted for unintended purposes if not adequately protected.
“Imagine, if we had the internet search histories of a young George Bush or Barack Obama,” said Bradley Shear, a Maryland attorney who has launched a national campaign urging schools to annually delete reams of student data, including internet browsing histories, all digital communications and the biometric data — finger and palm prints, for example — some schools are now using to manage their lunch lines, libraries and more.
“This type of information is very valuable — to employers, insurance companies, colleges, law enforcement ... to advertisers,” he said.
The Arrowhead controversy erupted this month after school officials announced they would move in January to a new cloud-based system provided by Securly Inc., a 4-year-old San Josebased company that provides web-filtering and control services to schools and parents.
In addition to blocking inappropriate sites, it said, Securly will monitor students’ internet searches and social media posts; flag them for references that suggest such things as drug use, cyberbullying or suicide; and share students’ internet browsing histories with parents who want them.
Arrowhead Superintendent Laura
Myrah said the only thing that’s new is the parent notifications, and that the district has monitored students’ online activities for years. But the announcement touched a nerve among students and parents.
“That’s the first I’ve ever heard that they were monitoring social media,” said 18-yearold senior Skyler Phillips, who signed an online petition calling on Arrowhead to ditch the Securly service. “The main concern is our privacy. How much can the school actually see? And how much can the company see?” she said.
The petition, started by junior Owen Harvey, has drawn more than 1,300 signatures from around the world. Harvey says he’s been called in repeatedly to discuss the petition with administrators.
“They asked me to take it down and change it, because they told me it’s not correct,” Harvey said. “But they never said exactly what they’re doing.”
Arrowhead administrators sent an update to students on Wednesday to clarify that Securly monitors social media posts only while connected to the school’s internet service or on a Chromebook logged into an Arrowhead account, and that the digital certificate they were asked to download does not filter sites or identify students.
Federal law requires schools to protect students from obscene and harmful material on the internet to qualify for federal technology funding. And Myrah said schools use companies like Securly, GoGuardian and others to do that.
Arrowhead blocks only pornography and gambling sites but can add others if they’re deemed problematic, said Donna Smith, the district’s director of library media and technology. And the monitoring of students’ online activities is an extension of the school’s mission to promote student safety, Myrah said.
“That is the primary reason we and other districts use these . ... The first concern is safety,” she said.
Securly co-founder and Chief Technology Officer Bharath Madhusudan said the confusion at Arrowhead stemmed from the school’s request that students install the digital certificate onto their devices without fully explaining what it does and doesn’t do.
(Devices without the certificate will get a popup on some sites saying their connection is not secure.) And Securly is working on a document that will help parents better understand exactly what the service does.
He said in an interview with the Journal Sentinel that Securly will be monitoring only Facebook, Google and Twitter activity at Arrowhead, and that it does not decrypt information on banking, private medical or other similarly personal sites.
He said it does see personally identifiable information, such as a Google ID, but it does not see the content of students’ devices, such as photographs or past social media posts.
Madhusudan said the company retains only six months of student data, and it keeps data for six months after the end of a school’s contract.
It said it may share it with
“Imagine, if we had the internet search histories of a young George Bush or Barack Obama. This type of information is very valuable — to employers, insurance companies, colleges, law enforcement ... to advertisers.” Bradley Shear Attorney
third parties as needed, but only school officials, law enforcement and Amazon.com, which operates the servers where the data are stored.
He said the company does not sell its information and is able to delete data at any time at the request of the school.
But the company’s privacy policy is not as clear. It says Securly may retain data for as long as necessary and that it may not be possible to delete all personally identifiable information “due to technological and legal constraints.”
Like Myrah, he said the objective is student safety.
“In Wisconsin,” Madhusudan said, “we have saved the lives of students who have searched ‘can I OD onibuprofen’ or ‘i want to kill myself in the most painful way.’ “
Smith, Arrowhead’s technology director, said it selected Securly because of its reputation for protecting student privacy. The company has been recognized by organizations like iKeepSafe and the Internet Watch Foundation for upholding the highest standards of internet safety, according to its website.
Still, caution is warranted when dealing with young people online, say internet security experts.
“This is the basic dilemma of cloud computing. Your data is no longer yours. And the only thing that protects your data is the contract with whoever you’re doing business with,” said Joel Rosenblatt, director of computer and network security for Columbia University, who has written extensively on data security issues.
Problems can arise, he said, if a company subcontracts with a third party who may not be held to the same contractual terms; if a provider goes out of business or is acquired by another entity; or if data are stored in foreign countries, which may have looser privacy laws.
“It’s a really complicated problem we’re building here,” Rosenblatt said. “We don’t know where stuff is anymore, we don’t know who’s responsible for it. That’s just the way it is. If you want to use the service, you don’t have a choice.”
And no system is entirely failsafe, said Rosenblatt and Shear, pointing to high-profile breaches at the National Security Agency, Equifax, the federal Office of Personnel Management and other organizations in recent years.
“Anything can be hacked,” Rosenblatt said. “It’s not a question of if, but when.”