When Tony Porterfield’s two sons came home from elementary school with an assignment to use a reading assessment site called Raz-Kids.com, he was curious, as a parent, to see how it worked. As a software engineer, he was also curious about the site’s data security practices.
And he was dismayed to discover that the site not only was unencrypted, but also stored passwords in plain text — security weaknesses that could potentially have allowed unauthorized users to gain access to details like students’ names, voice recordings or skill levels. He alerted the site to his concerns. More than a year later, the vulnerabilities remain.
“A lot of education sites have glaring security problems,” said Mr. Porterfield, the principal engineer at a software start-up in Los Altos, Calif. “A big part of the problem is that there’s not even any consensus of what ‘good security’ means for an educational website or app.”
Contacted last week by a reporter, John Campbell, the chief executive of the Cambium Learning Group, the company behind Raz-Kids.com, said that his company took privacy very seriously and that the site did not store sensitive personal details like student addresses or phone numbers.
“We are confident that we have taken the necessary steps to protect all student and teacher data at all times and comply with all federal and state laws,” Mr. Campbell wrote in an emailed statement.
Mr. Porterfield, though, has gone on to examine nearly 20 digital education products, used collectively by millions of teachers and students, and found other potential security problems. He alerted makers of those products, too — among them school-districtwide social networks, classroom assessment programs and learning apps.
Some, including Pearson, a leading educational publisher, and ClassDojo, a popular classroom management app for teachers, addressed the issues he brought to their attention. Others did not.
While none of the security weaknesses appear to have been exploited by hackers, some technologists say they are symptomatic of widespread lapses in student data protection across the education technology sector. They warn that insecure learning sites, apps and messaging services could potentially expose students, many of them under 13, to hacking, identity theft, cyberbullying by their peers, or even unwanted contact from strangers.
At fault, these experts say, is a common practice among start-ups of concentrating primarily on increasing their market share.
“For many younger companies, the focus has been more on building the product out and less on guaranteeing a level of comprehensive privacy and security protection commensurate with the sensitive information associated with education,” said Jonathan Mayer, a lawyer and computer science graduate student at Stanford University. “It seems to be a recurring theme.”
The New York Times asked Mr. Mayer to review the vulnerabilities in education tech software discovered by Mr. Porterfield and described in this article.
To help schools evaluate companies’ security practices, the Consortium for School Networking, a national association of school district chief technology officers, published a list of security questions last year for schools to ask before they sign purchase agreements with technology vendors.
“It is a huge challenge because there hasn’t been the time and attention and investment placed in security that school districts need,” said Keith R. Krueger, the group’s chief executive. His group has received financing from Dell, Google, Pearson, Microsoft and other companies involved in the education sector.
Security lapses are not limited to education software devised for prekindergarten through 12th-grade students, an annual market estimated at about $8 billion.
In the fall, as Mr. Mayer, the digital security expert, was preparing to teach a class at Stanford Law School for Coursera, a start-up that provides hundreds of free open online courses, he discovered a security weakness that could have allowed instructors to gain access to the names and email addresses of millions of Coursera students. Another flaw would have potentially allowed other websites, digital advertising networks or online analytics firms to compile lists of the students’ courses.
Coursera, which has raised $85 million from investors, quickly ameliorated the situation. In an explanation posted on its site, the company acknowledged that it had been more focused on deflecting potential attacks from outsiders than on the possibility of misuse of student data by insiders.
“If we were too trusting, we learned our lesson on this,” Richard C. Levin, the chief executive of Coursera, said in a recent interview.
Protection of student data is gaining attention as schools across the country are increasingly introducing learning sites and apps that may collect information about a student’s every keystroke. The idea is to personalize lessons by amassing and analyzing reams of data about each student’s actions, tailoring academic material to individual learning levels and preferences.
But some privacy law scholars, educators and technologists contend that federal protections for student data have not kept pace with the scope and sophistication of classroom data-mining. Although a federal privacy law places some limits on how schools, and the vendors to which they outsource school functions, handle students’ official educational records, these experts say the protections do not extend to many of the free learning sites and apps that teachers download and use independently in their classrooms.
In an effort to bolster confidence in their products, more than 100 learning companies recently signed on to a voluntary industry pledge on student privacy. The signers agree, among other commitments, to “maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality and integrity of student personal information against risks — such as unauthorized access or use.”
Although President Obama endorsed the industry pledge in a speech last month, it does not require ed tech vendors to comply with specific basic security measures — like encrypting students’ names, screen names or other personal details. Nor does it prohibit companies from using weak security, like storing users’ passwords in plain text, practices that could easily permit hackers to hijack teacher or student accounts, potentially linking students’ names to private details about their academic performance.
These kinds of security weaknesses are commonplace on consumer sites. But the law has long treated educational information as a category worthy of special protections, like credit or medical records. Considering the recent data breaches at even large, well-financed companies like Anthemand Sony, some privacy advocates want federal regulators to mandate that the education technology industry beef up student data protection.
“Bottom line, both the Federal Trade Commission and the Education Department could and should ramp up their student privacy enforcement,” said Khaliah Barnes, director of the student privacy project at the Electronic Privacy Information Center, a nonprofit group. “Students have little recourse against current abuses.”
Some learning companies were quite responsive to Mr. Porterfield’s concerns. The Pearson product in which he found vulnerabilities last fall is an online student learning and assessment system, Pearson Realize. The weaknesses could have allowed unauthorized users to gain access to details about class rosters like student names.
The company’s security experts corrected the issues in two days. Pearson was the only company to ask Mr. Porterfield to run his own tests afterward to make sure the fixes had worked.
“We should welcome the reporting of even a suspicion,” said Rod Wallace, Pearson’s chief information security officer. “We need to encourage the people who report them, engage them and let them know we are fixing them.”
Last fall, Mr. Porterfield also contacted ClassDojo, a free classroom management program for teachers that, according to its developer, is used by at least one teacher in roughly one-third of American schools. The software engineer alerted company executives to security weaknesses that could potentially have allowed unauthorized users to gain access to students’ names, behavior records and behavior scores.
Since then, ClassDojo has encrypted its mobile apps and instituted other security measures. Liam Don, the co-founder of ClassDojo, said its software was regularly subject to audits by security experts.
“We hope to see regular audits become standard practice across our industry,” Mr. Don said.