Student privacy takes a hit with online learning
At least two Bay Area school districts have suffered recent cybersecurity breaches in the wake of the sudden switch to digital learning during coronavirusrelated school closures.
In Oakland and Berkeley, student privacy has been compromised and, in one case, an unknown adult male exposed himself to teenagers during a class video conference.
In Berkeley, a man somehow gained access to an online Zoom video conference Tuesday, exposed himself to the high school students
and shouted obscenities before the teacher ejected him from the session.
The district immediately banned all video conferencing with students until security could be ensured.
In Oakland, the district suffered a more widespread breach of student privacy after administrators inadvertently publicly posted hundreds of access codes and passwords used by teachers and students to log into online classrooms and video conferences.
The codes allowed anyone with a Gmail account to join the Google Classroom sites set up by teachers across the district, allowing access to students’ full names as well as their comments posted in the class. The documents also included the time, access codes and passwords for Zoom video conferences with teachers and students.
In Oakland, district officials were unaware of the exposure of the information until The Chronicle notified them of easily found information and access to the sites.
Such breaches of student privacy and digital security have plagued school districts across the Bay Area and the country as classrooms have moved online for several weeks if not months because of COVID19 containment efforts. The breaches have been widespread in other areas as well, with company meetings, church gatherings and other events suddenly interrupted by hackers.
The school incidents exemplify how unprepared districts and technology companies were to meet an instantaneous and massive demand for ways to educate and communicate with students online, experts said.
“You throw this curveball at everybody and they’re scrambling,” said Joel Schwarz, cybersecurity expert and adjunct professor at Albany Law School. “They’re trying to figure out what the heck to do.”
Teachers and administrators are faced with a steep learning curve in protecting student privacy, often without experts on staff to oversee contracts with technology companies or to monitor use and access, Schwarz said.
Access codes and passwords should never be posted on a social media site, but rather only via personal emails, otherwise, “you’re basically given the keys to the castle and saying, ‘Come on in,’ ” he said.
Allowing outsiders access to lists of class names and teacher information, which occurred in Oakland, offers a welcome mat for spear phishing — or fraud by pretending to be a trusted sender in emails, Schwarz said.
“It does raise alarms for me,” he said, adding there’s a lack of experience in cybersecurity. “A lot of schools are struggling.”
He recommended schools bring in experts or consultants if necessary to help them transition to digital instruction to ensure cybersafety. He also suggested partnering with other districts to reach comprehensive privacy agreements with education tech companies.
Oakland officials said they were in the process of locking down the websites Wednesday afternoon, although the content was still publicly accessible three hours after The Chronicle notified them of the issue. The pages were removed from the district’s website late in the afternoon.
The district planned to reach out to teachers and school administrators to advise them of the possible exposure of student information and access, said spokesman John Sasaki.
“We’re all encountering challenges like other districts,” he said. “It’s a learning process for all of us.”
In Berkeley, Superintendent Brent Stephens informed families Wednesday of the incident with the man exposing himself.
“What is especially troubling about this incident is that it appears that the teacher followed all the current guidance about security precautions in Zoom,” Stephens said. “Still, the intruder obtained the credentials for the meeting and was able to gain access to the session.” Police are investigating. Security within Zoom has been increasingly questioned in recent weeks as the number of schools, companies and individuals using it has exploded during shelterinplace orders.
Zoom’s CEO promised Wednesday to increase security standards, explaining that the company is starting a feature called Security that defaults privacy settings to their highest level. The San Jose company also said it would upgrade encryption for its video calls and meeting rooms for large online gatherings.
Stephens said it appears likely that a student cut and pasted the access information to the video conference, which was obtained by the intruder.
“We’re all kind of learning about the world that we’re in,” he said.
The district had already incorporated extra security features with Zoom two weeks ago by creating a districtwide corporate account, requiring passwords and teacher authorization to access. The man apparently created a pseudonym that matched a student’s first name.
Many other districts and individual teachers have also taken advantage of Zoom’s offer of free access during closures, including unlimited meeting minutes.
“We’re being asked to sustain student learning while they’re at home and using technology to do it and just stumbling through these issues,” Stephens said.
The sad part, the superintendent said, was that students were so happy to be seeing their classmates and peers again this week, even if on a video chat — and that was yanked away for their safety, at the expense of that joy.
He hopes to restore video conferencing with additional security measures next week.
“It’s just heartbreaking hearing stories from parents that their kids aren’t getting out of bed until 11 in the morning and are displaying symptoms of depression,” Stephens said. “And (Zoom) was alleviating some of that.”