Summit Learning Poses Significant Privacy Concerns

Today’s New York Times ran an article on its front page about Summit Learning, an online learning platform funded by Mark Zuckerberg and developed by Facebook engineers. For those who don’t have a subscription to the Times, the article is summarized by Diane Ravitch in her blog today. Summit claims to be used in 380 schools in 38 states and the District of Columbia but, as the Times article describes, it’s being met with growing resistance from students, parents, and teachers alike.

I don’t need to repeat their concerns here.  But what caught my eye is the fact that the platform is provided for free.  Facebook is free, too, and yet it’s worth around $70 billion.

Just as Mark Zuckerberg has found a way to monetize his free Facebook platform by harvesting user data, you can bet he has found a way to monetize Summit Learning. How? Could it be data harvesting? In a blog posted in 2016, the Parent Coalition for Student Privacy raised a number of concerns regarding Summit Learning and the potential for data harvesting and provided a list of 25 questions that Summit should be required to answer regarding its privacy policies.

I’ve read Summit’s privacy policy and terms of use, and to the uninitiated they seem to provide pretty good protection. But there are loopholes.  

For example, Summit agrees to comply with the federal Children’s Online Privacy Protection Act (COPPA), which of course it is required to do by federal law.  However, COPPA only applies to children up to age 12 and students with disabilities.  Its protections do not extend to many middle schoolers or any high schoolers without disabilities. And COPPA provides only a limited amount of protection against the use of user data for direct advertising.

In addition, while Summit agrees to abide by the requirements of the federal Family Educational Rights and Privacy Act (FERPA), this, too, is not as ironclad as it sounds.  FERPA places restrictions on the use and disclosure of information in school records.  However, the FERPA “lock box” applies only to school records.  This means that student information that is obtained from a source other than school records—such as through a Summit Learning platform—is not protected by FERPA, even if it’s the same information.

 But what about student information that Summit obtains from school records? Surely that’s protected, right? Well, no, because Summit’s terms of use give it the keys to the lock box. Here is a direct quote from their TOU: “For the purposes of FERPA, to the extent Personally Identifiable Information from Education Records are transmitted to Summit Learning from Partner School, Summit Learning shall be considered a School Official, under the control and direction of the Partner Schools as it pertains to the use of Education Records…” This is huge, because FERPA gives “school officials” the authority to make critical decisions about the disclosure of student information from school records without the prior written approval of a parent or guardian.

Generally, FERPA prohibits the disclosure of student information without the prior written approval of the parent or guardian. However, there are certain exceptions to this general prohibition. For example, prior written approval is not needed to send student records to another school to which a student is transferring. Another exception is the disclosure of information to organizations conducting certain studies for or on behalf of the school. As a “school official,” Summit has the authority to disclose student information to other organizations, such as, but not restricted to, third-party contractors, without getting prior written approval from the parents or guardians.

This is regarded as a major problem by the Electronic Frontier Foundation.  And the concern is not merely academic.  Last November students at the Secondary School for Journalism in Brooklyn walked out in protest of the school’s use of the Summit Learning platform. Two organizers of the walkout co-signed a letter, which included the following:

 “Another issue that raises flags to us is all our personal information the Summit program collects without our knowledge or consent. We were never informed about this by Summit or anyone at our school, but recently learned that Summit is collecting our names, student ID numbers, email addresses, our attendance, disability, suspension and expulsion records, our race, gender, ethnicity and socio-economic status, our date of birth, teacher observations of our behavior, our grade promotion or retention status, our test scores and grades, our college admissions, our homework, and our extracurricular activities. Summit also says on its website that they plan to track us after graduation through college and beyond. Summit collects too much of our personal information, and discloses this to 19 other corporations.”

You can read more about it here.

If you are still comfortable with the level of data protection provided by the terms of use, you should know that they can be changed unilaterally by Summit at any time.  Its terms of use state, “Summit reserves the right to modify or replace these Terms at any time.”  And if you don’t like the changes?  Well, Summit has an answer for you: “If you do not agree to the changes, please stop using the Platform.”  It is silent on what happens to the information already collected.