San Francisco Chronicle

Student privacy takes a hit with online learning

- By Jill Tucker

At least two Bay Area school districts have suffered recent cybersecur­ity breaches in the wake of the sudden switch to digital learning during coronaviru­srelated school closures.

In Oakland and Berkeley, student privacy has been compromise­d and, in one case, an unknown adult male exposed himself to teenagers during a class video conference.

In Berkeley, a man somehow gained access to an online Zoom video conference Tuesday, exposed himself to the high school students

and shouted obscenitie­s before the teacher ejected him from the session.

The district immediatel­y banned all video conferenci­ng with students until security could be ensured.

In Oakland, the district suffered a more widespread breach of student privacy after administra­tors inadverten­tly publicly posted hundreds of access codes and passwords used by teachers and students to log into online classrooms and video conference­s.

The codes allowed anyone with a Gmail account to join the Google Classroom sites set up by teachers across the district, allowing access to students’ full names as well as their comments posted in the class. The documents also included the time, access codes and passwords for Zoom video conference­s with teachers and students.

In Oakland, district officials were unaware of the exposure of the informatio­n until The Chronicle notified them of easily found informatio­n and access to the sites.

Such breaches of student privacy and digital security have plagued school districts across the Bay Area and the country as classrooms have moved online for several weeks if not months because of COVID19 containmen­t efforts. The breaches have been widespread in other areas as well, with company meetings, church gatherings and other events suddenly interrupte­d by hackers.

The school incidents exemplify how unprepared districts and technology companies were to meet an instantane­ous and massive demand for ways to educate and communicat­e with students online, experts said.

“You throw this curveball at everybody and they’re scrambling,” said Joel Schwarz, cybersecur­ity expert and adjunct professor at Albany Law School. “They’re trying to figure out what the heck to do.”

Teachers and administra­tors are faced with a steep learning curve in protecting student privacy, often without experts on staff to oversee contracts with technology companies or to monitor use and access, Schwarz said.

Access codes and passwords should never be posted on a social media site, but rather only via personal emails, otherwise, “you’re basically given the keys to the castle and saying, ‘Come on in,’ ” he said.

Allowing outsiders access to lists of class names and teacher informatio­n, which occurred in Oakland, offers a welcome mat for spear phishing — or fraud by pretending to be a trusted sender in emails, Schwarz said.

“It does raise alarms for me,” he said, adding there’s a lack of experience in cybersecur­ity. “A lot of schools are struggling.”

He recommende­d schools bring in experts or consultant­s if necessary to help them transition to digital instructio­n to ensure cybersafet­y. He also suggested partnering with other districts to reach comprehens­ive privacy agreements with education tech companies.

Oakland officials said they were in the process of locking down the websites Wednesday afternoon, although the content was still publicly accessible three hours after The Chronicle notified them of the issue. The pages were removed from the district’s website late in the afternoon.

The district planned to reach out to teachers and school administra­tors to advise them of the possible exposure of student informatio­n and access, said spokesman John Sasaki.

“We’re all encounteri­ng challenges like other districts,” he said. “It’s a learning process for all of us.”

In Berkeley, Superinten­dent Brent Stephens informed families Wednesday of the incident with the man exposing himself.

“What is especially troubling about this incident is that it appears that the teacher followed all the current guidance about security precaution­s in Zoom,” Stephens said. “Still, the intruder obtained the credential­s for the meeting and was able to gain access to the session.” Police are investigat­ing. Security within Zoom has been increasing­ly questioned in recent weeks as the number of schools, companies and individual­s using it has exploded during shelterinp­lace orders.

Zoom’s CEO promised Wednesday to increase security standards, explaining that the company is starting a feature called Security that defaults privacy settings to their highest level. The San Jose company also said it would upgrade encryption for its video calls and meeting rooms for large online gatherings.

Stephens said it appears likely that a student cut and pasted the access informatio­n to the video conference, which was obtained by the intruder.

“We’re all kind of learning about the world that we’re in,” he said.

The district had already incorporat­ed extra security features with Zoom two weeks ago by creating a districtwi­de corporate account, requiring passwords and teacher authorizat­ion to access. The man apparently created a pseudonym that matched a student’s first name.

Many other districts and individual teachers have also taken advantage of Zoom’s offer of free access during closures, including unlimited meeting minutes.

“We’re being asked to sustain student learning while they’re at home and using technology to do it and just stumbling through these issues,” Stephens said.

The sad part, the superinten­dent said, was that students were so happy to be seeing their classmates and peers again this week, even if on a video chat — and that was yanked away for their safety, at the expense of that joy.

He hopes to restore video conferenci­ng with additional security measures next week.

“It’s just heartbreak­ing hearing stories from parents that their kids aren’t getting out of bed until 11 in the morning and are displaying symptoms of depression,” Stephens said. “And (Zoom) was alleviatin­g some of that.”

 ?? Oakland Unified School District ?? A redacted screenshot shows Oakland Unified School District publicly posted dozens of codes to access Google Classrooms.
Oakland Unified School District A redacted screenshot shows Oakland Unified School District publicly posted dozens of codes to access Google Classrooms.

Newspapers in English

Newspapers from United States