For any organization who doesn't take privacy seriously, the demise of inBoomshould be a loud wake up call. Funded by $100 million from the Gates Foundation, inBloom was a non-profit organization aiming to store student data so that school officials and teachers could use it to learn about their students and how to more effectively teach them and improve their performance in school. Who would have thought that a project with so much funding and promise would be shutting down just a few years after its creation? What went wrong?
The main instrument of inBloom's death was privacy. Because inBloom involved so much student data, privacy concerns began to swirl about, and eventually turned into a tornado that resulted in a backlash inBloom was ill-prepared to handle. In light of the privacy concerns, school districts started to back out of using inBloom, and states began to pass legislation to restrict the sharing of student data.
With more privacy battles looming on the horizon, with mounting attacks and increasing state legislative activity in response to inBloom, the mighty dragon collapsed.
There is an important lesson here, and it is one that I think is being lost amid the discussion. The lesson is not that privacy legislation is evil and anti-innovation. Nor is it that crazy ill-founded concerns killed a good things. Nor is it that inBloom was a greedy gobbler of data and would have caused harm.
According to the statement by inBloom's CEO: "It is a shame that the progress of this important innovation has been stalled because of generalized public concerns about data misuse, even though inBloom has world-class security and privacy protections that have raised the bar for school districts and the industry as a whole." He also stated that inBloom "has been the subject of mischaracterizations and a lightning rod for misdirected criticism."
But inBloom didn't die because it was mistakenly singled out for attack. It died because of a more fundamental problem with education privacy. The problem is that education privacy is lagging so far behind other industries and is so poorly regulated and addressed. Any company trying to do business with K-12 schools where privacy is involved is like a company trying to build a world-class research facility in the middle of an untamed jungle.
There is no privacy infrastructure in K-12 schools. This is akin to there being no roads, no running water, no electricity, no police system, no fire protection, and no hospitals. The lack of this infrastructure is what doomed inBloom.
Unlike other industries, K-12 schools lack effective privacy regulation. The Family Educational Rights and Privacy Act (FERPA) is an outdated law that lacks a meaningful enforcement remedy, fails to address many key issues, and lacks much of a governance structure. Without a governance structure -- a set of requirements for ensuring that institutions develop an effective privacy program -- a privacy law is just empty words on a page. A governance structure involves having someone responsible for privacy -- a Chief Privacy Officer or someone designated as a privacy point person who can coordinate a privacy program. There must be an assessment of privacy risks, someone who is responsible for data security, adequate policies that comply with the law, and training of personnel. For example, what good are policies if people don't know they exist and have no idea what to do to follow them? People need to be trained! I discussed many other shortcomings of FERPA in an earlier post.
A 2009 study by Fordham Law School's Center on Law and Information Policy found that "privacy protections for the longitudinal databases were lacking in the majority of states." Even more strongly, the study characterized the privacy protections as "weak." A more recent study by the same organizationfound that the contracts that K-12 school districts had with cloud service providers were derelict. Only 25% of school districts provide adequate notice to parents about the use of cloud services. About “20% of the responding districts had no policies addressing teacher use of information resources.” Only 25% of the agreements “gave districts the right to audit and inspect the vendor’s practices with respect to the transferred data.” None of the contracts “specifically prohibited the sale and marketing of children’s information.” And only one agreement "required the vendor to notify the district in the event of a data security breach.”
Schools lack officials who know about what key terms should be in such contracts. They lack officials who know how to vet third party vendors when it comes to privacy and data security. Without auditing of privacy risks, they lack an awareness of what data they are collecting and how the various personnel and departments in a school are using that data. They have no idea about all the various federal and state privacy laws that regulate them. School personnel have no training about when they must maintain the confidentiality of student data, when they can share that data, how they should protect the data, and what good data security practices they should be following.
Parents are naturally concerned when they hear about how little protection is being given to their children’s personal data. How does this affect companies like inBloom? When a school starts sharing data with inBloom and it raises questions and concerns, whom are parents to call? There are no privacy officers at schools who can answer these questions. There are no disclosures to parents explaining what is going on and how privacy and security will be protected. There is nothing to educate parents or to address fears and concerns.
Imagine a school with a healthy and sophisticated privacy program. There’s a privacy and security officer. These officials vet inBloom and publicize the results of their vetting process, explaining the risks and why they think that any concerns are appropriately dealt with. Parents are informed and feel confident that appropriate care and consideration were given before sharing data. These officials are available to answer questions that parents have. The key terms of the contract between inBloom and the school are disclosed to parents so they understand exactly what responsibilities and limitations inBloom has regarding their children’s data. Parents know definitively and exactly lines that cannot be crossed and what things data can be used for and what things it can’t be used for. And if the law provided effective enforcement, parents would know that if there was any misuse, there would be an investigation and potent sanctions for both the school and inBloom.
The above privacy regime would provide a lot more knowledge and confidence that personal data was being adequately protected.
The lesson in the inBloom demise is that the real problem is the lack of a privacy infrastructure at the K-12 level. This is essential because there is so much data about students, and a lot of it is sensitive data. Using this data can bring great benefits, but we need an appropriate infrastructure in which to use it. Otherwise, it’s like building a nuclear reactor on a fault line or near a tsunami zone . . . and we all know what happens next.
K-12 schools currently are woefully underfunded. I doubt that schools will soon have the funding to develop privacy programs. But there is hope. If companies want to do business with K-12 schools – if they want schools to share data and not have the pushback that inBloom received – then they need to find a way to help bring schools into the 21st Century when it comes to privacy. So if you build the facility in the jungle, you also need to build the roads, the electricity, the water, and so on. If you build a good privacy environment, organizations like inBloom might actually be able to bloom.
Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School, the founder of TeachPrivacy, a privacy/data security training company, and a Senior Policy Advisor at Hogan Lovells. He is the author of 9 books including Understanding Privacy and more than 50 articles. Follow Professor Solove on Twitter @DanielSolove.
The views here are the personal views of Professor Solove and not those of any organization with which he is affiliated.