InBloom: Building Trust for the Protected Sharing and Analysis of Student Data for Personalized Learning

7/27/2019 InBloom: Building Trust for the Protected Sharing and Analysis of Student Data for Personalized Learning

1/27

1

InBloom:BuildingTrustforTheProtectedSharingandAnalysis

ofStudentDataforPersonalizedLearning

Dr.JohnHenryClippinger

MITMediaLabID3

Abstract

Overthelastseveralyearstherehasbeenanexplosioninthecollection,

analysisandmonetizationofpersonaldata.Thistrendhasspurredgrassroot

movementsandregulatorsaroundtheworldtoupdateantiquatedprivacy

policiestoreflecttherealitiesofthepresentera.Ineducation,thecollection

andanalysisofstudentdatapresentsspecialchallenges.Whilepotentially

valuableindesigningpersonalizedlearningprograms,suchdataaretakenwithouttheconsentandunderstandingofstudentsandtheirfamiliesandhave

theOrwellianpotentialforsignificantabuseandstigmatization.Privacypolicesandpracticesformed40yearsago,suchasFERPA,havefaintcredibility

andevenefficacyinaneraofsensors,BigData,andthemobileInternet.InBloomsprivacypolicies,practicesandpartnershipshavedonelittleto

assuageitscritics,andsignificantlylagcontemporaryprivacypoliciesinthe

U.SandtheEU.Hence,ifInBloomistoachieveitsexemplarygoalsof

personalizedlearning,itwillneedtodevelopprivacypoliciesandpracticesthat

areconsistentwiththeObamaAdministrationsDataConsumerBillofRights,

aswellastheconcernsofnumerousadvocacyandstakeholdergroups.This

paperoutlinesfiveconcretestepsthatInBloomcouldundertaketohelpquellitscritics,addressitsshortcomings,andrestoretrustandcredibilityamongits

stakeholderstoachieveitsgoalsofpersonalizedlearning.

Introduction

Withinjustthelastfiveyears,therehasbeenanexplosionofonlineandmobile

servicesthatcollect,analyzeandmonetizepersonaldata.Inoneofitsreports,the

WorldEconomicForum,PersonalData:TheEmergenceofaNewAssetClass,January,

2011)hascalledsuchpersonaldataanewassetclassandthenewoil,signifying

itsimportanceasanewbusinessresourcethatcanbeusedtobuildanewglobal

economy.Entrepreneurs,governments,enterprises,andNGOsareallpursingthis

newoilwithavengeance,andinacomparablemetaphoricalfashion,oftenwith


2/27

2

littleregardforcollateral,ecologicalsideeffectstheerosionofpersonalprivacy

andtrust.

WiththeimminentproliferationofbillionsofsensorstheInternetofthings

combinedwiththelocationandsensordatacapturedonover5billionmobile

phonesnoonewillbeinvisibletothewatchfuleyesofdataaggregatorsand

analyzers.Giventheubiquityofanyonesdatafootprintsandtheever-compounding

powerofmachinelearningandanalytics,noonecanoptout.Everyoneisbeing

trackedandanalyzed.Wearequicklytransitioningtoaglobaldataecologyand

economywhereonesdataistheequivalentofonesidentityandreputationthe

markerforhowoneisknownandtreatedattheworldatlarge.Proposalstolegally

requiredatabrokerstodonottracki.e,donotcollectpersonaldataareas

realisticabstinencevowsasapolicytopreventteenagepregnancies;itworksonly

foraconscientiousfew.

Thesadtruthisthattodaysprivacypoliciesarestillweddedtoprinciplesand

expectationsshapedinthe70sand80s,whentherewerenolaptops,Internet,

mobilephones,sensorsortablets,anddatawererelativelyscarceandexpensive.It

wasawhollydifferenterainwhichthegreatestharmsweretheunauthorized

collectionanduseofpersonaldata.ItwasalsoatimewhenregulatorswithintheUS

andtheEUbelievedthatregulatoryremediescouldbetimelyandeffectivein

protectingpersonalidentifyinginformation.

Buttodaydigitaldataareessentialtoagrowingspectrumoftechnologiesand

infrastructuresthatrevolvearoundtheuseoflargedatabases.Whileprivacy

violationsfromimproperdisclosuresanduseofdataremainaproblem,awholenewclassofpublicandprivateharmsmaynowresultfrominhibitionsintheflows

anduseofdata.Ineducation,newpersonallearninganalyticsandtechniquesare

absolutelydependentuponthecollectionofstudentdataovertime.Failuresto

appropriatelysharedatacanresultincatastrophicsecuritybreaches,epidemic

outbreaks,medicalfailures,andpublicsafetyfailures,letalonefailededucational


3/27

3

opportunities,Withtheimminentadventofsmartcitiesandsensorstomonitor

cars,food,appliances,homes,vehicles,pets,andchildren,howdataarecollected,

sharedandanalyzedwilleffectivelydefineourpersonalfreedomsandthequalityof

civiclife.

Ineducation,thecollection,sharing,andanalysisofpersonaldataareessentialto

devisingtailoredlearningprogramsandassessments.Betterdatameansbetter

learningandeducationalinnovationandadvancement.Yetwhiletheveryintimate

informationrevealedbypersonaldatacanenablebetterlearningexperiences,

supervisionandresults,italsoincreasesthevulnerabilityofstudentsandtheir

families.Testingdata,teacherassessments,truancydata,healthrecords,

personalityandaptitudeassessments,residencedata,policerecordsallcanbe

usedtoimprovelearningandtostigmatizeandcontrolthefateofstudentsandtheir

families.

Themorehandsthattouchthedata,thegreatertherisksthattheinterestsofthe

childandherfamilywillnotbeputfirst.Themanyteachers,counselors,social

workersandadministratorswhohavesomerelationshipswithstudentsarenot

alwaysmotivatedorevencapableofactingintheirbestinterests.Such

professionalshaveenormouslyvariedcompetencies,commitmentsand

understandingaboutwhatisbestforachild.Whenthesefactorsareblendedwith

commercialinterestsandinfluencesoverachildseducationalongwiththe

institutionalpowersoflargeenterprisesandgovernmentagencies,thepotentialfor

realharmsandabusesescalate.

Inthiscontext,simplyrelyinguponassurancesofprofessionalismandtrustbyeducators,researchers,andadministratorsisinadequate.Parentsalreadyhavetoo

littletrustinoureducationalmuchlessgovernmentalinstitutions.Thepublicis

understandablyskepticalthatregulationssuchasthe1974FamilyEducational

RightsandPrivacyAct(FERPA)willbefollowed,orwillactuallyprotectthe

interestsofstudentsandtheirfamilies.Suchregulationsareoftenwrittenwiththe


4/27

4

interestsofeducators,administratorsandevenprivatethirdpartiesinmind.Inthe

caseofbreaches,thechildandfamiliesarerelativelypowerless,anditistheythat

bearthelifelongburdenofinstitutionalfailures.

Inshort,educationaldata,especiallychildrensdata,areaprecious,personaland

vulnerableresourcethatcannotbehandledcrediblythroughtraditionaltermsof

serviceagreements,opaqueprivacypoliciesordisclosureagreements.FERPAis

nearlyfortyyearsoldandwaswrittenwithoutcontemplationofcurrentdata

collection,protection,analysis,anddisseminationmethods.Furthermore,thetype

ofstudentdatanowavailable(seeAppendix)isinherentlynotonlyPII(Personal

IdentifiableInformation),butpotentiallyhighlyprejudicialandinjurious.tostudents

andtheirfamilies.Conventionalregulations,eventhoseofmorerecentvintage,such

astheproposed,OnlineDoNotTrack,Actof2013,remainwoefullyinadequate

meanstoassurethatpeoplesprivacyinterestsarerigorouslyprotected.

ThedauntingchallengefacingprogramssuchasInBloom,whichfunctionprimarily

throughlocalschoolsandstateeducationalinstitutions,istoestablishitselfasa

legitimate,trustedstewardofstudentdataintheeyesofparents,students,and

advocacygroups.

TechnologyandPolicyTrendsFavorUserControlandaNewDealonData

Itishardtooverstatehowquicklymobile,sensoranddigitaltechnologiesare

changingthewaydataarebeingcollected,analyzedandmonetized.Virtuallyall

formsofhumanactivitycalls,purchases,personalmovements,socialandcommercialinteractions,texting,health,financialdealingsarebeingcapturedas

dataandanalyzed.Largeinstitutionswiththecapacitytoassessthedatacan

therebymakeanastonishingassortmentofpredictions,commercialoffersand

assessmentsofmarkets,publicbehavior,socialactivities,andmore.


5/27

5

Usersandregulatorshaverespondedtothistrendbyseekingtogivepeoplegreater

controlovertheirpersonaldatathroughthecreationofprotectedPersonalData

Stores(PDS)forindividuals.TheObamaAdministrationhasembracedthisposition

throughabroadarrayofdataprotectioninitiativesthatincludeconsumerdata

protectionpolicy,guidelinesissuedbytheNationalStrategiesonTrustedIdentities

inCyberspace(NSTIC),theDepartmentofCommercesGreenPaperin2011andthe

FederalTradeCommissionsPrivacyReportin2012.IntheEU,theDataPrivacy

CommissionhasadvocatedaBillofRightsforData,andtheWorldEconomicForum

inthreeannualreportshasadvocatedusercontroloverpersonaldata.

Thisshifttowardsuser-centriccontrolofpersonaldataisalsoreflectedintherapid

riseofpersonaldatalockerservicessuchasDropBox,Box,iDrive,Mega,SkyDrive,

Singly,iCloudandmanyothers.Inasimilarfashion,theU.S.Governmenthasled

initiativesthatgivecitizenseasier,reliableaccesstotheirgovernmentdata:the

GreenButtonforutilitydata,theBlueButtonforVAhealthdata,andtheMy

DatainitiativelaunchedbytheDepartmentofEducation.

Thisshiftinnormsisnotonlyaboutgivingpeopletherighttocontroltheirdata,but

aboutenablingself-service,onlinemanagementofpersonalandfamilyaffairs.

Increasingly,weexpectpeopletousetheirpersonaldatatomanagetheirpersonal

affairsandtonegotiateacceptabletermsofservicewithretailersandonlineservice

providers.ThistrendwillcertainlygrowstrongerineducationalservicesfromK-12

andpostsecondaryinthefuture.

WithintheU.S.amajordriverfortheseuser-centricpoliciesisdistrustof

governmentalinstitutionsingeneralandespeciallyafearordisdainforgovernmentaloverreach.Whetherthisfeariswarranted,orsimplyasymptomof

othersociologicalandculturefactors(thepaceofchange,institutionaldysfunction,

thesheercomplexityofcontemporarytechnology),suchattitudesarecommonon

boththepoliticalleftandright.Advocacygroupsarequicktoseepotentialdangers,

howeverimprobablyremote,withoutacknowledgingthepotentialeducational


6/27

6

benefitsofdatasharing,corestandardsandanactivegovernmentrole,evenalocal

one.

Suchfearsanddistrustcannotbedispelledbyblandassurancesofjusttrustus,PR

campaigns,orevendetailedcitationsoflegalagreementsandregulations.Rather,

parentsneedtofeelthattheyareindeedincontrol,especiallywhenitcomesto

protectingandeducatingtheirchildren.Thiscanonlybeachievedbygivingthem

controlinwaysthattheycanunderstand,influenceandtrustdirectlyand

personally.Theymustbeabletooptinandoutinofprotectivesystemsinsimple

andmeaningfulways.Theymustbeabletocontroltheflowanduseoftheir

personaldataorthatoftheirchildinwaysthattheyunderstand.Thenotionthat

parentscanbemadetodefertoschoolauthoritiesorthird-partyvendorstoactin

yourchildsbestinterests,orthatdata-sharingcansimplybemandated,simply

doesnotexistanymore.Theskepticismanddistrustareallthemorepronouncedas

theprocessforprotectingprivacybecomesmoreopaqueandconvolutedandasthe

personalbenefitsappearmoreremoteandabstract.Assurancesbasedonfederalor

stateprotectionsaregreetedwithsimilardistrust.

InBloomsPrivacyPoliciesandAssurances

IconsiderInBloomIdentityTheft.Weneedaclassactionlawsuitto

protectstudentsprivacy. --DianeRavitch,educationpolicyexpert

Fromitsinception,InBloomsgoalofcollectingstudentdatatoimproveeducational

successthroughpersonalizedlearning,wasgreetedwithsignificantskepticismin

manyquarters.EspeciallyworrisometoitscriticswasInBloomspartnershipwith

RupertMurdochsWirelessGeneration.LeonieHalmson,co-founderofParents

AcrossAmerican,makesthesepoints:


7/27

7

TheGatesFoundation,inassociationwithWirelessGeneration,asubsidiaryof

RupertMurdochsNewsCorporation,recentlyformedaprivateLLCcalledtheSharedLearningCollaborative.ThisLLCwillcollectconfidentialstudentand

teacherdataprovidedtothembystatesthroughoutthecountry,andinsomeform,shareitwithvendorsandothercommercialenterprises.Thepurposeof

thisprojectisatleastinparttohelpvendorsdevelopandmarkettheireducationalproducts.NYSandNYC,alongwithschooldistrictsinColorado,

Illinois,Massachusetts,andNorthCarolina,haveagreedtoparticipateinPhase

oneofthisproject,startinginlate2012,withDelaware,Georgia,Kentuckyand

LouisianaparticipatinginPhaseIIsoonafter.

Thisprojectprovokesseriousprivacyconcernsastothesecurityofthis

confidentialinformation,andthelackofanyparentalconsentinthedecisiontoshareitwiththeLLC.TheconcernsareintensifiedbythefactthatNewsCorp

hasbeenchargedwithseriousprivacyviolations,includingphoneand

computerhackingandbribingofpublicofficialsintheUK.TheNYPost,

anothersubsidiaryofNewsCorp,recentlyprovokedcontroversybypublishingteacherdatareportsbasedonstudenttestscoresinitspaper,andrunning

inflammatoryarticlesaboutteacherswhoreceivedlowscores.

Therearealsoseriousquestionsaboutthelegalityofthisproject.TheUSDept.

ofEducationhasrecentlyrewrittentheregulationsforFERPA,ortheFamilyEducationalRightsandPrivacyAct,toallowmoreliberalsharingofstudent

data,especiallyforresearchpurposes.Thenewregulationswentintoeffectin

Januaryof2012.

Thegrowingpublicsdistrustofbusinessasusualapproachestoprivacy

protectioncanbeseenintherecentadversereactionstoInBloompresentationat

theSXSWprograminMarch2013.Thisfollowedintensepubliccriticismof

InBloomforitsprivacypoliciesandrelationshipswiththird-partyeducational

servicevendors.Educational,privacyandcivillibertyactivistgroupsacrossthe

countryhavechallengedthelegalityandethicsoftheInBloomprogram.Students

andtheirfamiliesfoundlittlereassurancefromtheReutersarticlethatdescribes

theInBloomprogram(March13,2013),whichwascitedbyDianeRavitchshighly

chargedblogpost,IdentityTheft.AsReuterswrote:

Federalofficialssaythedatabaseprojectcomplieswithprivacylaws.

Schoolsdonotneedparentalconsenttosharestudentrecordswithany

schoolofficialwhohasa"legitimateeducationalinterest,"accordingto


8/27

8

theDepartmentofEducation.Thedepartmentdefinesschoolofficial

toincludeprivatecompanieshiredbytheschool,solongastheyuse

thedataonlyforthepurposesspelledoutintheircontracts .

Thedatabasealsogivesschooladministratorsfullcontroloverstudent

files,sotheycouldchoosetosharetestscoreswithavendorbutwithhold

socialsecuritynumbersordisabilityrecords

Indeed,itcouldbearguedthattheDepartmentofEducationprivacyregulations

privilegetheinterestsofschooladministratorsandthirdpartiesmorethanthe

privacyinterestsofthestudentsandtheirparents.Recentmodificationsinthe

FERPAregulationsdolittletodispelsuchconcernsthroughtheirlegalobfuscation

andself-servingbureaucratese.Itishardtoimagineatypicalparentbeing

reassuredifpresentedwiththefollowingtext:

Notice of Proposed Rulemaking

In the NPRM, we proposed regulations to:

Amend 99.3 to define the term authorized representative to includeindividuals or entities designated by FERPA-permitted entities to carryout an audit or evaluation of Federal- or State-supported education

programs, or for the enforcement of or compliance with Federal legal

requirements related to these programs (audit, evaluation, or enforcement

or compliance activity);

Amend the definition of directory information in 99.3 to clarify thata unique student identification (ID) number may be designated as

directory information for the purposes of display on a student ID card or

badge if the unique student ID number cannot be used to gain access to

education records except when used in conjunction with one or more

factors that authenticate the users identity, such as a PersonalIdentification Number, password, or other factor known or possessed only

by the authorized user;

Amend 99.3 to define the term education program as any programprincipally engaged in the provision of education, including, but not

limited to, early childhood education, elementary and secondary

education, postsecondary education, special education, job training,


9/27

9

career and technical education, and adult education;

Amend 99.31(a)(6) to clarify that FERPA-permitted entities are notprevented from redisclosing PII from education records as part of

agreements with researchers to conduct studies for, or on behalf of,

educational agencies and institutions;

Remove the provision in 99.35(a)(2) that required that any FERPA-permitted entity must have legal authority under other Federal, State, or

local law to conduct an audit, evaluation, or enforcement or compliance

activity;

Amend 99.35(a)(2) to provide that FERPA-permitted entities areresponsible for using reasonable methods to ensure that their authorized

representatives comply with FERPA;

Add a new 99.35(a)(3) to require that FERPA-permitted entities mustuse a written agreement to designate an authorized representative (other

than an employee) under the provisions in 99.31(a)(3) and 99.35 thatallow the authorized representative access to PII from education records

without prior written consent in connection with any audit, evaluation, or

enforcement or compliance activity;

Add a new 99.35(d) to clarify that in the event that the DepartmentsFamily Policy Compliance Office (FPCO or Office) finds an improper

redisclosure in the context of 99.31(a)(3) and 99.35 (the audit or

evaluation exception), the Department would prohibit the educational

agency or institution from which the PII originated from permitting the

party responsible for the improper disclosure (i.e., the authorized

representative, or the FERPA-permitted entities, or both) access to PII

from education records for a period of not less than five years (five- year

rule);

Amend 99.37(c) to clarify that while parents or eligible students(students who have reached 18 years of age or are attending a

postsecondary institution at any age) may opt out of the disclosure of

directory information, this opt out does not prevent an educational agency

or institution from requiring a student to wear, display, or disclose a

student ID card or badge that exhibits directory information;

Amend 99.37(d) to clarify that educational agencies or institutionsmay develop policies that allow the disclosure of directory information

only to specific parties, for specific purposes, or both; and

Add 99.60(a)(2) to authorize the Secretary to take appropriate actionsto enforce FERPA against any entity that receives funds under any

program administered by the Secretary, including funds provided by


10/27

10

grant, cooperative agreement, contract, subgrant, or subcontract.

Thislanguageisimpenetrableatbesttoanylayman.(Reader:Idoubtthatyou

actuallyreaditallorunderstoodittobealegalstandard.)Suchtextisinsiderlegaljargonthatisself-referential,self-protectiveandnottransparenttothosewhomit

mostaffects.Thishasbeenwidelynotedbyhighlyrespectedorganizationssuchas

theACLU,theElectronicPrivacyInformationCenter,CitizensforPubicSchools,

Mass.PTA.BelowisthetestimonyofJoshGolinofCampaignforaCommercialFree

Childhood:

CommissionerChesterassuresthatallpartiesinvolvedwillbeobligated

tocomplywiththeFamilyEducationalRightsandPrivacyAct(FERPA).YetcriticshavechargedthattheU.S.DepartmentofEducations2011

changestoFERPAviolatetheoriginalintentofthelaw.Recently,the

ElectronicPrivacyInformationCenterfiledsuitagainsttheDOEfor

thesechangestoFERPA.CommissionerChestersletteralsodidnot

referencetheFederalTradeCommissionsrecentchangestothe

ChildrensOnlineProtectionandPrivacyRule.Thesechangesrestrict

thecaptureanduseofachildspersonallyidentifiableinformationin

recognitionofthehugeriskstosafetyandprivacythatoccurwhen

commercialentitiesobtainaccesstoit

Giventheaboveconcerns,webelieveitisimperativethatparentalconsentbeobtainedbeforeanychildsdataissharedwithInBloomor

anyprivatecorporation.WealsorequestthatyoumakepublicthetypesofdatathathavebeenorwillbecollectedfromstudentsinEverett

aspartoftheinitialpilot.

WhenoneconsultstheInBloomwebsitetoreviewitsprivacypolicy,thelanguage

andapproachisminimal,vague,perfunctoryandhardlyreassuring.More

significantly,asnotedintheGolinstestimony,theInBloomprivacypolicyand

deferencetoFERPAdoesnotacknowledgethemorerecentpoliciesoftheObama

AdministrationsFTCreport,ProtectingConsumerPrivacyinanEraofRapidChange

ortheWhiteHousesreport,ConsumerDataPrivacyinaNetworkedWorld:

FrameworkforProtectingPrivacyandPromotingInnovationinTheGlobalDigital

Economy.


11/27

11

Theseandotherreportsespouseaprivacybydesignapproachtoenforceanew

ConsumerPrivacyBillofRights(ConsumerDataPrivacyinaNetworkedWorld,A

FrameworkforProtectingPrivacyandPromotingInnovation;intheGlobalDigital

Economy,WhiteHouse,p.1,2012)thatendorses:

Individual Control: Consumers have a right to exercise control over what

personal data companies collect from them and how they use it.

Transparency: Consumers have a right to easily understandable and accessibleinformation about privacy and security practices.

Respect for Context: Consumers have a right to expect that companies willcollect, use, and disclose personal data in ways that are consistent with the

context in which consumers provide the data.

Security: Consumers have a right to secure and responsible handling of personaldata.

Access and Accuracy: Consumers have a right to access and correct personaldata in usable formats, in a manner that is appropriate to the sensitivity of the

data and the risk of adverse consequences to consumers if the data is inaccurate.

Focused Collection: Consumers have a right to reasonable limits on the personaldata that companies collect and retain.

Accountability: Consumers have a right to have personal data handled bycompanies with appropriate measures in place to assure they adhere to the

Consumer Privacy Bill of Rights.

Thesegeneralprinciplesforthecollectionanduseofpersonaldata-including

studentdata-presentsignificantchallengesforaccommodatinglegitimateresearch

andcommercialusesofpersonaldatawithprivacyprotections.

IfonelooksatthescopeandtypeofdatathatInBloomintendstocollect(see

Appendix),itisascomprehensiveandlatentforabuseasanymedicalrecords.WithintheInBloomwebsite,PrivacyPolicy,thereisnomentionoffocused

collection,respectforcontext,securityoraccountability.Noristhereany

acknowledgementofFairInformationPracticesandPrinciples(FIPPS)orofrole-

basedpermissionsthatarecontingentonthepurpose,retentionanduseofstudent

data.Suchstudentdataiseasilyre-identifiable(seeProfessorLatanyaSweeny,


12/27

12

Policy and Law: Identifiability of de-identified, 2013),andgiventhelikelylackof

budget,training,sophistication,andenforcementwithinpubliceducation

institutions,thelikelihoodofsecuritybreachesandleakswillbeunacceptably

high.Whatthinprotectionsdoexistwillonlybefurthererodedbythestrong

financialincentivesofthirdpartiestomonetizethedata.ThefactthatInBloom

managementcomesfromtheveryindustrythatseekstobenefitfromthe

monetizationofthedata,assobluntlydescribedintheReutersarticle,doeslittleto

quellparentalandactivistconcerns.

GiventhegroundswellofoppositiontotheInBloomdatacollection,sharing,

monetization,andprivacypolicies,itishardtoseehowwithitscurrentprivacy

policiesitcanachieveitsexemplarygoalofprovidingevidence-basedpersonalized

learning.Theserviceisnotlikelytowinconsumeracceptancewithoutamajor

overhaulofitsprivacypoliciesandextensivedialogueandtrust-buildingwithkey

stakeholdergroups.Theprojectneedsacomprehensivelegal,policy,andtechnical

frameworkthatconformstocurrentstandardsandexpectations(e.g.,theFTCand

WhiteHousepolicyreports),recognizestherightofstudentsandtheirfamiliesto

havecontrolovertheireducationaldata,andprovidesdemonstrablesystemsof

transparencyandaccountability.

ProposedCourseofActionandRemedyforInBloomPrivacyIssues

Thisproblemwillnotgoawayandcannotbefinessed.Itthreatenstounderminethe

overallgoalsoftheInBloomprogram.Itneedstobedealtwithswiftlyandopenly,

anditneedstosquarelyaddressthelegitimateconcernsofparents,students,

activistsandotherstakeholders.

Iwouldrecommendaconcertedefforttodevelopatransparentandaccountable

privacypolicyalongthelinesofprivacybydesign,theConsumerPrivacyBillof

RightsandtheNSTICtrustframeworks,andtailoredtomeettheneedsofall

studentsandtheirfamilies.Thiswillentailnotonlydraftingnewlegallanguage,but


13/27

13

developingandtestingactualimplementationsoftrustedplatforms.Differenttrust

frameworksandmechanismsfortheprotectedsharingofpersonaldatamustbe

independentlyfield-testedandevaluated.Itwouldmakepracticalsensetodevelop

effective,reliableusecasesthatarecredibleforresearchers,educatorsandthird

partiesaswellasforstudentsandtheirfamilies.Suchusecasescouldbevettedby

differentstakeholderstoassesshoweffectivelytheyaddresstheirconcerns.

Theremaybeawayofconductingfieldtrialstoaddresssomestakeholdersfears

andhelprestorecredibility.ID3inconjunctionwithMITMediaLaboverthelast

twoyearshasbeendevelopinganopensourcesoftwareplatformthatgives

individualscontrolovertheirpersonaldataandprovidesahighlysecureand

auditablemeansforpermissions/policybasedsharingofhighlysensitivepersonal

data.Aspartofaprojecttohelpreturningveteransidentifyandcopewith

depressionandPTSD,theDefenseAdvancedResearchProjectAgenda(DARPA)

fundedthedevelopmentofatrustframeworkforthecollection,analysisand

sharingofmobilesensordataThisplatformisnowbeingusedintesttrialsby

Telefonica,TelecomItaliainTrento,Italy,aspartoffieldtrialsfortheprotected

sharingandanalysisofmobiledatatooffernewurbanandotherservices.

TheOpenMustardSeed(OMS)versionoftheplatformisnowbeingdevelopedto

supportQuantifiedSelfandotherapplicationsusinglocationandsensordata.This

systemusestrustframeworksandrule-basedpermissionenginestoenforce

context,age,andjurisdictionsensitive-datasharingrules.OMSisalsodesignedto

expressandenforcedifferentgovernanceandenforcementagreements,suchas

auditlogsdetailingaccesstodataandtheenforcementofpermissions,andthe

resolutionofdisputes.Inshort,aversionofOMSmaybehighlyusefulintestingoutdifferentusecasestodeterminehowtrustandconfidencemightberestoredtothe

InBloomendeavorthroughhighlydemonstrable,transparentandtestablemeans.

ProspectiveNextStepsforRestoringTrust:


14/27

14

1. DevelopaComprehensivePrivacyandDataSharingFrameworkforStudentDataReflectingBestPractices:Asnotedearlier,theInBloom

privacypolicyasrepresentedonitswebsiteisneithertransparentnor

reflectsthelatestorbestprivacypractices.Moreover,itisnotsufficientto

juststatepolicies,aspirationsandassurances.Itisimportanttohavea

technologyarchitectureandappropriatesecurityandprivacyprotecting

principles(authentication,authorization,permissions,auditing,etc.)thatare

alignedwiththeappropriatesoftwarecomponents(SeeElectronicPrivacy

InformationCenter:www.epic.orgOpenIDConnect,Oauth2.0,encryption,

dataminimization,anonymization,role-basedpermissions,zeroknowledge

proofs,ephemeralidentifiers,independentauditlogs,etc.).Theobjectiveis

toexpressandenforceprivacybydesignprinciplesinthedata-sharing

modulesthemselves.

.

2. ConveneStakeholderstoHelpAssessandSetTrustFrameworkPrinciples,StudentDataCommons,andIdentifyUseCases:Thegoal

hereistoengagethekeystakeholders(researchers,students,parents,

teachers,administrators,thirdparties,activists,regulators)andlearnabout

theirrequirements,aspirations,fearsandobjections.Also,InBloomshould

workwithstakeholderstoidentifyusecasesandcriteriaofsuccessthatif

achievedwouldovercomeusersobjectionsandgaintheirapproval.Identify

thekeydealbreakersandsetprioritiesofdesignandevenaphased-in

processforbuildingcredibleacceptance.Thiscanbeginasanopenprocess

butthenshouldevolvetoahighlystructuredandrigorousprocesswhere

options,remediesandprioritiescanbearticulatedandagreedupon.Inother

words,referenceusecasesareneededtoproducetestabletrialsthatwouldallowanyonetoscrutinizeandquestiontheresults.Itwouldbenecessaryto

havearoughstakeholderconsensusonmeasurableoutcomesforsuccess

notonlyintermsofuseracceptanceandprivacy,butalsoincollecting,

sharing,andanalyzingdataforsuccessfullearninganalytics.


15/27

15

3. ManageStudentDataasaCommonPoolResourceandConductFieldTrialsofUseCasesinRepresentativeSettings:Thegoalhereistoapply

principlesfromtheNobelLaureateeconomistElinorOstrom,whoseworkon

themanagementofcommonpoolresourcessuggestswaysthatdifferent

stakeholderscouldforgeappropriatelegalagreementsandsocial

understandingsforusingasharedpoolofdata.Fieldtrialscouldbe

undertakenthatusemobilephones,tabletsandPCs,andreflectdifferent

kindsoflikelysettingsandenvironmentsforthecollectionanduseof

studentdata.Dependingupontheexperimentaldesign,thefieldtrialscould

includethousandsofusers.Hence,therewouldneedtobeexperimental

designsthataddresstheconcernsofstakeholdersandproviderigorousand

replicableresults.

4. CompileandAssessResultswithStakeholders:Ameetingofstakeholderscouldbeconvenedandtheresultspresentedanddiscussed.Outofthat

meetingwouldcomeguidelinesfordatacollection,sharingandanalysisand

proposalsforadditionalresearch.Itwouldbehopedthattheexperiments

wouldbesufficientlysuccessfulinkeyrespectsastoidentifynearterm

projectsthatcouldbeundertakenaspilots.

5. DevelopScalable,User-CentricApproachForTheProtectedSharingofStudentDataforInBloomLearningObjectives:Dependinguponthe

successandreceptivityofthefieldtrialstothedifferentstakeholders,a

followongoalwouldbetodevelopascalableplatform,modelagreements

andgovernancepracticestousedbyresearchers,students,parents,third

partiesandschooladministratorstoconducttheirfieldtrialsandexperiments.Suchaplatformwouldprovideusercontrol,auditsand

transparencythroughoutthecourseofdevelopingandtestingeffective,

personalizedlearningprograms.Itwouldalsohavespecializedpolicies,

potentiallywithsafeharborprovisionstoenableexploratoryresearch

whileatthesametimeprovidinganonymityandprivacy.


16/27

16

Conclusion

Wearelivinginadata-richenvironmentswherethetrustedcollectionanduseof

personaldataisbothaneconomicnecessityandabasichumanright.Thisposes

someunprecedentedchallengesinmovingforward.Newwaysmustbedeveloped

togiveindividualsandfamiliesmeaningfulcontrolovertheirpersonaldata,bothin

protectingtheirprivacyandingivingthemnewopportunitiestousetheirdataas

theyseefit.Thisprincipleappliesespeciallytotheuseofstudentdata.

Inthiscontext,astechnologiesandsocialnegotiationsabouttheiruseevolve,itis

untenableforbusinessestorelyonhistoricstandardsorgovernmentpoliciesalone.

Educators,students,parents,researchersandthirdpartiesareincreasingly

distrustfulofopaqueprivacyagreementsandtheassurancesofstateandFederal

regulators.Futureinnovationinthisfieldthereforerequiresthattheeducational

communitytaketheleadinpioneeringnewbestpracticesinprivacy-by-designand

safeguardsforthedatarightsofstudentsandtheirfamilies.Movinginthisdirection

willrequireanewconveningofallstakeholdersinanopenandcontinuousprocess

thatlookstoblendexperimentationandvalidationofprivacyprotectionpracticeswithimportanteducationalresearchgoals.Inordertobealeaderinlearning

analyticsandthedesignofeffectivepersonalizedlearning,InBloomwillalsoneedto

becomeathoughtleaderandadvocatefortheprivacyanddatarightsofstudents

andtheirfamilies.


17/27

17

Bibliography

Clippinger,JohnHenry,ACrowdofOne,TheFutureOfIndividualIdentity,Public

Affairs,Perseus,2007

DARPADCAPS:

DetectionandComputationalAnalysisofPsychologicalSignals(DCAPS),http://www.darpa.mil/Our_Work/I2O/Programs/Detection_and_Computational_A

nalysis_of_Psychological_Signals_%28DCAPS%29.aspx

deMontjoye,Y.-A.,WangS.,PentlandA.,OntheTrustedUseofLarge-ScalePersonal

Data(http://sites.computer.org/debull/A12dec/issue1.htm).IEEEData

EngineeringBulletin,35-4(2012)

DepartmentofCommerce,CommercialDataPrivacyandInnovationintheInternet

Economic:ADynamicFramework,2012

ElectronicPrivacyInformationCenter,(EPIC),www.epic.org

FederalTradeCommission,ProtectingConsumerPrivacyinanEraofRapidChange,

RecommendationsforBusinessesandPolicyMakers,March2012

InBloomhttps://www.inbloom.org

Lohr,Steve,BigDataIsOpeningDoors,butMaybeTooMany.TheNewYorkTimesBusinessDayTechnology,March23,2013

MobileTerritorialLabs.

[press]Pivato,Marco,Iltuosmartphonetiosservaestudiacosafaiecosapensi.TestaTrentoincollaborazioneconilMit.LaStampa-TuttoScienze,

April17,2013

TheTelefonicaM2MTeam,TelefnicaandTelecomItaliacollaboratein

SmartCityinnovationprojectsinTrento,

http://blog.digital.telefonica.com/?press-release=telefonica-and-telecom-italia-collaborate-in-smart-city-innovation-projects-in-trento,October31,

2012

TelecomItaliaSKILLab,MobileTerritorialLab(MTL),

http://skil.telecomitalia.com/index.php?option=com_content&view=article&

id=96%3Amtlproject&catid=35%3Acatprogetti&Itemid=68


18/27

18

TrentoMobileTerritorialLab(MTL),http://www.mobileterritoriallab.eu

OpenMustardSeed,http://idcubed.org/open-platform/platform/

Ostrom,Elinor,andGardner,Roy,andWalker,James,Editors,Rules,Games,

andCommonPoolResources.AnnArbor,UniversityofMichiganPress,1994

Ostrom,ElinorandHess,Charlotte,Editors,

UnderstandingKnowledgeasaCommons:FromTheorytoPracticeTheMIT

Press,Cambridge,Massachusetts,2006

Pure,CPSsettosignawaystudentprivacy,Tuesday, May 22nd, 2012,http://pureparents.org/?tag=ferpa-gates-foundation-murdoch

Ravitch,Diane,DianeRavitchsBlog

http://dianeravitch.net/2013/04/07/is-inbloom-engaged-in-identity-theft/

Simon,StephanieK-12databasejazzestechstartups,spooksparents,March3,2013

Sweeny,Latanya,Policy and Law: Identifiability of de-identified , 2013,

datahttp://latanyasweeney.org/work/identifiability.html

WhiteHouse,ConsumerDataPrivacyinaNetworkedWorld,AFrameworkfor

ProtectingPrivacyandPromotingInnovationinTheGlobalDigitalEconomy,Feb.

2012

WhiteHouse,NationalStrategyforTrustedIdentitiesinCyberspace,Enhancing

OnlineChoice,Security,EfficiencyPrivacy,February2010

WorldEconomicForum,RethinkingPersonalData:StrengtheningTrust,,2012

WorldEconomicForum,UnlockingtheValueofPersonalData:FromCollectionto

Use,January,2013

http://www.weforum.org/reports/personal-data-emergence-new-asset-class

http://www.weforum.org/issues/rethinking-personal-data

http://www3.weforum.org/docs/WEF_IT_UnlockingValuePersonalData_CollectionU

sage_Report_2013.pdf

http://www3.weforum.org/docs/WEF_IT_UnlockingValuePersonalData_CollectionU

sage_Report_2013.pdf


19/27


20/27

20

Other

CourseRepeatCodeType

Indicatesthatanacademiccoursehasbeenrepeatedbyastudentandhowthatrepeatistobecomputedinthestudent'sacademicgradeaverage.Likeall

enumerationsininBloom,CourseRepeatCodeTypeisderivedfromtheW3Cdatatypetoken.

RepeatCounted

RepeatNotCounted

ReplacementCounted

ReplacedNotCounted

RepeatOtherInstitution

NotCountedOther

AssessmentReportingMethodType

Themethodthattheinstructoroftheclassusestoreporttheperformanceandachievementofallstudents.Itmaybeaqualitativemethodsuchasindividualizedteachercommentsoraquantitativemethodsuchasaletteroranumericalgrade.In

somecases,morethanonetypeofreportingmethodmaybeused.LikeallenumerationsininBloom,AssessmentReportingMethodTypeisderivedfromthe

W3Cdatatypetoken.

Achievement/proficiencylevel

ACTscore

Adaptivescalescore

Agescore

C-scaledscores

CollegeBoardexaminationscoresCompositeScore

CompositeRating

CompositionScoreGradeequivalentorgrade-levelindicator

Gradeequivalentorgrade-levelindicatorGraduationscore

Growth/value-added/indexing

InternationalBaccalaureatescoreLettergrade/mark

Masterylevel

NormalcurveequivalentNormalizedstandardscore

Numberscore

Pass-fail

Percentile

Percentilerank

Proficiencylevel

Promotionscore


21/27

21

Ranking

RatioIQ'sRawscore

ScalescoreStandardagescore

StandarderrormeasurementStaninescore

Stenscore

Theta

T-score

Verticalscore

Workplacereadinessscore

Z-score

Other

NotapplicableQuantileMeasure

LexileMeasureVerticalScaleScoreNationalCollege-BoundPercentile

StateCollege-BoundPercentile

AssessmentCategoryType

Thecategoryofanassessmentbasedonformatandcontent.Forexample:

AchievementtestAdvancedplacementtestAlternateassessment/grade-level

standardsAttitudinaltestCognitiveandperceptualskillstest...Likeall

enumerationsininBloom,AssessmentCategoryTypeisderivedfromtheW3Cdatatypetoken.

Achievementtest

AdvancedPlacementInternationalBaccalaureate

AptitudetestAttitudinaltest

Benchmarktest

Classtestclassquiz

Collegeentranceexam

CognitiveandperceptualskillstestDevelopmentalobservation

Englishproficiencyscreeningtest

Foreignlanguageproficiencytest

Interestinventory

Manualdexteritytest

Mentalability(intelligence)test

Performanceassessment


22/27

22

Personalitytest

PortfolioassessmentPsychologicaltest

PsychomotortestReadingreadinesstest

Statesummativeassessment3-8generalStatehighschoolsubjectassessment

Statehighschoolcourseassessment

Statealternativeassessment/grade-levelstandards

Statealternativeassessment/modifiedstandards

Statealternateassessment/ELL

StateEnglishproficiencytest

Other

IncidentLocationType

Identifieswheretheincidentoccurredandwhetherornotitoccurredonschool.LikeallenumerationsininBloom,IncidentLocationTypeisderivedfromtheW3Cdatatypetoken.

OnSchoolAdministrativeofficesarea

Cafeteriaarea

Classroom

Hallwayorstairs

Lockerroomorgymareas

Restroom

Library/mediacenter

ComputerlabAuditorium

On-Schoolotherinsidearea

AthleticfieldorplaygroundStadium

ParkinglotOn-Schoolotheroutsidearea

OffSchool

BusstopSchoolbus

Walkingtoorfromschool

Off-SchoolatotherschoolOff-Schoolatotherschooldistrictfacility

Online

Unknown

OldEthnicityType


23/27

23

PreviousdefinitionofEthnicitycombiningHispanic/LatinoandRace.Likeall

enumerationsininBloom,OldEthnicityTypeisderivedfromtheW3Cdatatypetoken.

AmericanIndianOrAlaskanNativeAsianOrPacificIslander

Black,NotOfHispanicOriginHispanic

White,NotOfHispanicOrigin

PersonalInformationVerificationType

Theevidencepresentedtoverifyone'spersonalidentity;forexample:drivers

license,passport,birthcertificate,etc.LikeallenumerationsininBloom,

PersonalInformationVerificationTypeisderivedfromtheW3Cdatatypetoken.

Baptismalorchurchcertificate

BirthcertificateDriverslicense

EntryinfamilyBibleHospitalcertificateImmigrationdocument/visa

LifeinsurancepolicyOther

Othernon-officialdocument

Otherofficialdocument

Parentsaffidavit

Passport

Physicianscertificate

Previouslyverifiedschoolrecords

State-issuedID

ReasonNotTestedType

Theprimaryreasonstudentisnottested.Forexample:AbsentRefusalbyparent

RefusalbystudentMedicalwaiverIllnessDisruptivebehaviorLEPExempt...LikeallenumerationsininBloom,ReasonNotTestedTypeisderivedfromtheW3Cdatatype

token.

AbsentLEPexempt

LEPpostponement

Notappropriate(ARDdecision)Nottested(ARDdecision)

Alternateassessmentadministered

Parentalwaiver

Foreignexchangestudentwaiver

Refusalbyparent

Refusalbystudent

Medicalwaiver


24/27

24

Disruptivebehavior

PreviouslypassedtheexaminationOther

RelationType

Thenatureofanindividual'srelationshiptoastudent.LikeallenumerationsininBloom,RelationTypeisderivedfromtheW3Cdatatypetoken.

Adopteddaughter

Adoptedson

Adoptiveparents

Advisor

Agencyrepresentative

Aunt

Brother,half

Brother,natural/adoptiveBrother,step

Brother-in-lawCaseWorker,CPSCourtappointedguardian

CousinDaughter

Daughter-in-law

Dependent

Doctor

Employer

EmergencyContact

Familymember

Father'ssignificantotherFather,foster

Father

Father,stepFather-in-law

FianceFiancee

Formerhusband

FormerwifeFosterdaughter

Fosterparent

FostersonFriend

Granddaughter

Grandparent

GreatGrandparent

Grandson

Greataunt

Greatuncle


25/27

25

Guardian

HusbandLifepartner

LifepartnerofparentMinisterorpriest

Mother'ssignificantotherMother,foster

Mother

Mother,step

Mother-in-law

Nephew

Niece

None

Other

ParentPartner

PartnerofparentProbationofficerSibling

Sister,halfSister,natural/adoptive

Sister,step

Sister-in-law

Son

Son-in-law

Spouse

Stepdaughter

StepsonStepsibling

Uncle

WardWife

ResponseIndicatorType

Indicatoroftheresponse.Forexample:NonscorableresponseIneffectiveresponse

EffectiveresponsePartialresponse...LikeallenumerationsininBloom,ResponseIndicatorTypeisderivedfromtheW3Cdatatypetoken.

Nonscorableresponse

IneffectiveresponseEffectiveresponse

Partialresponse

RestraintEventReasonItemType

Theitemsofcategorizationofthecircumstancesorreasonfortherestraint.Likeall

enumerationsininBloom,RestraintEventReasonItemTypeisderivedfromtheW3C

datatypetoken.


26/27

26

ImminentSeriousPhysicalHarmToThemselves

ImminentSeriousPhysicalHarmToOthersImminentSeriousPropertyDestruction

SeparationReasonType

Reasonforterminatingtheemployment;forexample:Employmentineducation,Employmentoutsideofeducation,Retirement,Family/personalrelocation,Change

ofassignmentLikeallenumerationsininBloom,SeparationReasonTypeisderived

fromtheW3Cdatatypetoken.

Employmentineducation

Employmentoutsideofeducation

Retirement

Family/personalrelocation

Changeofassignment

FormalstudyorresearchIllness/disability

Homemaking/caringforafamilymemberLayoffduetobudgetaryreductionLayoffduetoorganizationalrestructuring

LayoffduetodecreasedworkloadDischargeduetounsuitability

Dischargeduetomisconduct

Dischargeduetocontinuedabsenceortardiness

Dischargeduetoafalsifiedapplicationform

Dischargeduetocredentialrevokedorsuspended

Dischargeduetounsatisfactoryworkperformance

Death

PersonalreasonLayoffduetolackoffunding

Lostcredential

UnknownOther

StaffIdentificationSystemType

Acodingschemethatisusedforidentificationandrecord-keepingpurposesby

schools,socialservices,orotheragenciestorefertoastaffmember.LikeallenumerationsininBloom,StaffIdentificationSystemTypeisderivedfromtheW3C

datatypetoken.

DriversLicenseHealthRecord

Medicaid

ProfessionalCertificate

School

District

State

Federal


27/27

OtherFederal

SelectiveServiceSSN

USVisaPIN

CanadianSINOther

WeaponItemType

Theenumerationitemsforthetypesofweaponusedduringanincident.Likeall

enumerationsininBloom,WeaponItemTypeisderivedfromtheW3Cdatatype

token.

Firearm

IllegalKnife

Non-IllegalKnifeClub

OtherSharpObjectsOtherObjectSubstanceUsedasWeapon

KnifeUnknown

None

Other

Documents

InBloom: Building Trust for the Protected Sharing and Analysis of Student Data for Personalized Learning