This week President Trump signed into law a measure that critics say clears a path for internet service providers to share and sell customers’ web browsing histories and other personal data, a decision that has drawn scorn from many privacy and consumer advocates.
But what will the new law mean for school districts and students? Gauging the policy’s reach into K-12 requires some speculation, but a number of backers of privacy protections see reason to be worried.
The law has received scant scrutiny in education circles compared to the intense interest paid in recent years to worries about students’ potential loss of privacy to ed-tech vendors selling products in schools.
The legislation that Trump signed nixed rules approved by the Federal Communications Commission while President Obama was in office that set privacy restrictions on data the telecoms collect on customers.
Those rules had not yet taken effect. The new law, approved along partisan lines by the Republican majority in Congress, ensures they will not.
Schools and districts typically have their own contracts with internet service providers. So the information those companies can collect and sell to marketers and advertisers probably depends on the language of individual K-12 contracts, said Bill Fitzgerald, director of the education privacy initiative at Common Sense Media.
There are a “spectrum of possibilities” for how the law could shape internet providers’ behavior, Fitzgerald said. Knowing how internet service providers will respond is difficult, because those companies “are pretty opaque in terms of the data they collect now, anyway.”
The picture is made more confusing by the myriad ways in which schools and individual students use computers on their campuses today. Some districts give out devices to students, while others give out few or none at all. Some districts rely on “bring-your-own-device” policies.
Whether students’ individual browsing histories and other personal data are identifiable by internet service providers would presumably depend in part on whether they’re logging in through the school or through their own, separate connection under a different data agreement, Fitzgerald said.
The law “creates a huge amount of doubt that can really only be answered at the district level,” Fitzgerald observed.
Seeking ‘Expert Privacy Cop’
A federal privacy law, FERPA, protects the privacy of educational records. But a lot of sensitive information is not covered by that law, and it’s unclear under what circumstances a student’s web browsing history would be deemed an educational record. In many cases, it would depend upon the contract between the district and the internet service provider, Fitzgerald said.
Districts can cut through that uncertainty by demanding that internet service providers spell out what data they’re collecting on students’ browsing histories and other information; how long they’re storing that data; and how the data are being used, Fitzgerald said. Parents should also ask school boards those same questions, he said.
Backers of the new law include FCC Chairman Ajit Pai, a Republican named by Trump to that post, who said that the regulations approved by the agency during Obama’s tenure were an overreach.
“President Trump and Congress have appropriately invalidated one part of the Obama-era plan for regulating the Internet,” Pai said in a statement.
The rules approved by the FCC under Pai’s Democratic predecessor, former Chairman Tom Wheeler, “were designed to benefit one group of favored companies, not online consumers,” Pai added. “American consumers’ privacy deserves to be protected regardless of who handles their personal information.”
Pai argued that “consistent and comprehensive protection” could be better delivered by the FCC working with the Federal Trade Commission to give the latter agency greater authority “to police internet service providers’ privacy practices.”
“We need to put America’s most experienced and expert privacy cop back on the beat,” he said.
Craig Aaron, the president and CEO of Free Press, an advocacy group that opposed the law, said that while the policy’s upshot for K-12 is unclear, the unknowns create an unnerving picture.
On the one hand, if a lot of students are logging into a school’s ISP connection at once, Aaron said, it’s hard to tell how much easily identifiable, individual data could be sold to marketers and advertisers.
But Aaron said the law is almost certain to create new privacy risks, particularly given students’ overwhelming dependence on the web today for conducting research and completing assignments, at school and at home.
“You can no longer really be a student without access to the internet,” he said. Congress should have guaranteed “simple, basic privacy protections that would allow people to opt in to what’s being used, and of course, opt-in for things affecting their children.”
One prominent observer who also sees reason for the K-12 community to be concerned about Trump’s action is Wheeler, the former FCC chairman.
In an interview this week with my colleague Ben Herold, Wheeler said, “[s]uddenly, all of the information that goes across the network is available to be sold.”
Wheeler, a former cable and wireless industry lobbyist, also drew a distinction between media giants like Facebook, which mine customer data for advertising purposes, and the potential actions of internet service providers.
“But two-thirds of the American people have one choice or less in who they get to subscribe to for their internet service,” Wheeler said. “The networks are monopoly providers.”