Better data and privacy regulation needed to protect Australian students from unsafe and intrusive 'education' apps

  • Data Security
Decorative image

New research from Human Rights Watch has demonstrated the need for new Government commitments to improving online protections and privacy for young people.

The research explores the EdTech apps and websites that NSW & Victorian students were required to use during the covid lockdowns, and found that these apps and websites harvested a mass of data about students. This included collecting their precise locations, tracking them online even after they have left the virtual classroom, and directly sharing students’ data with advertising companies and Big Tech, including Facebook and Google. These practices constitute a deep breach of young people’s privacy and pose unnecessary safety risks.

Research has shown that Australian teenagers and parents are [increasingly unhappy](are increasingly unhappy) with the lack of privacy protections and the ways their data is misused for predatory advertising purposes. A poll of 500 16 & 17 year olds conducted by YouGov in March found that only 27% of young people trust digital platforms and apps with their data.

Despite this distrust, EdTech products are now built into Australia’s education system and will continue to be a part of how students learn. It is imperative that students, parents and teachers are assured that these products are built in safer, privacy-preserving ways that protect students in the first instance.

Tabled in the last parliament, the proposed Enhancing Online Privacy Bill was set to improve young people’s privacy and safety, but would have excluded EdTech products. This research provides significant evidence that regulation is needed, and that an opportunity exists for the new Government to see develop legislation that ensures all digital services young people use are included within their scope.

Comments attributable to Chris Cooper, Executive Director of Reset Australia:

“This is dystopian. While students were at their most vulnerable, and States were scrambling to work out how best to provide high quality education to young people in lockdown, private companies used this as a chance to track students, build commercial profiles about them and hone their invasive advertising practice. It’s the commercialisation of our education system by stealth”

“We don’t allow advertising in schools, so why global ad tech companies think they have the right to be inside schools beggars belief. Privacy and security are really important for a child’s development. You can’t experiment, grow and learn if you think you’re being watched. And companies creating these intimate data profiles for advertising purposes pose real privacy and safety risks for young people”

“No one is going to read this report and think it’s acceptable that so-called ‘education products’ passed kid’s data on to Google’s Ad Manager, or embedded Facebook tracking pixels. Australian teenagers and parents have consistently told us they want more protections from exploitation online. This is a great opportunity for the new Government to step up for our kids.”

NOTES TO THE EDITOR

The research explored at least seven digital products that were endorsed or purchased by New South Wales and Victoria for students during the pandemic. These were websites and apps that students had to use to continue learning during the lockdowns, many of which are still used today.

Intrusions uncovered include:

  • Thirteen programmes (SDKs) embedded in products that can allow other companies to access student data, including Google and Facebook Advertising products (Google AdMob and Facebook Ads). These give surveillance advertising titans direct access to data about Australian students
  • Tracking pixels for Facebook that ‘track’ and follow young people across the internet, after they have logged out of the educational product
  • Apps that collected student’s precise GPS location information. These are unnecessary in an education setting, and create privacy and security risks
  • Apps that collected details about the contacts in student’s phones, including the profile pictures associated with them. These are unnecessary, and just a bit creepy
  • Apps that collect student’s unique identifiers (unique codes associated with their device and profiles) enabling them to identify students and link this data to other data sources, to build ‘profiles’ about alarmingly detailed profiles about young people
  • Websites that log what students type, including names and passwords
  • Third party advertising trackers built into apps or websites that send student’s data directly to advertising companies

Many of these intrusions were not identified correctly in products’ privacy policies, raising real questions about consent.

EdTech products endorsed or procured in NSW & Vic investigated in the research released so far include:

  1. Cisco WebEx (Vic)
  2. Zoom (NSW)
  3. Microsoft Teams (NSW)
  4. Adobe Connect (NSW)
  5. Minecraft Education Edit (Vic)
  6. Education Perfect (Vic)
  7. Stile Education (Vic)

Only one was found to behave in privacy preserving, safe ways that meet community expectations.

Below is a breakdown of the different companies highlighted throughout the report, and the subsequent findings related to each.

Cisco WebEx (Vic) - An app that is used to facilitate calls and communication. It is not specifically targeted at students, but was recommended for use in Victoria.

  • The investigation found this app was collecting student’s unique identifiers (unique phone serial codes etc). This means they can identifying individual students and ‘linking’ their data to enhance profiles
  • The investigation found this app collecting student’s precise location data, time of current location & last known location
  • The investigation found this app was also collecting student’s contacts’ information (i.e. phone book), including their saved profile photos
  • The investigation found 3 programmes (SDKs) embedded in this product that can allow other companies to access the student datathat Cisco has: Google Firebase Analytics, Crashanalytics and Amplitude

Zoom (NSW) - Zoom is an app that is used to facilitate communication. It is not specifically targeted at students, but was recommended for use in NSW.

  • The investigation found this app collecting student’s precise location data, time of current location & last known location
  • The investigation found this app was also collecting student’s contacts’ information (i.e. phone book) including their saved profile photos
  • The investigation found 1 programmes (SDKs) embedded in this product that can allow other companies to access the student data that Zoom has: Google Firebase Analytics

Microsoft Teams (NSW) - Microsoft Teams is an app that is used to facilitate communication. It is not specifically targeted at students, but was recommended for use in NSW.

  • The investigation found this app collecting student’s precise location data, time of current location & last known location
  • The investigation found this app was also collecting student’s contacts’ information (i.e. phone book) including their saved profile photos, and student’s call logs
  • The investigation found 3 programmes (SDKs) embedded in this product that can allow other companies to access the student data that MS Teams has: Google Firebase Analytics, Microsoft Visual Studio App Center Analytics & Microsoft Visual Studio App Crashes

Adobe Connect (NSW) - Adobe Connect is an app that is used to facilitate communication. It is not specifically targeted at students, but was recommended for use in NSW

  • The investigation found 1 programme (SDK) embedded in this product that can allow other companies to access the student data, Google Analytics

Minecraft: Education Edit (Vic) - Minecraft: Education Edit is an app primarily directed at students, and was recommended for use in Victoria.

  • The investigation found this app was collecting student’s unique identifiers (unique phone serial codes etc). This means they can identifying individual students and ‘linking’ their data to enhance profiles
  • The investigation found this app collecting student’s precise location data, time of current location & last known location
  • The investigation found 7 programmes (SDKs) embedded in this product that can allow other companies to access the student data that Minecraft: Education Edit has, this included Google AdMob and Facebook Ads.

Education Perfect (Vic) - Education Perfect is a website primarily directed at students, and was recommended for use in Victoria.

  • The investigation found third party trackers _s_ending data about children to commercial advertising companies
  • The investigation also found 1 active tracking pixel, tracking students across the internet (Facebook Pixel)
  • The investigation found the website using Key Logging techniques, to track what students type, including names and passwords

Stile Education (Vic) - Stile Education is a website primarily directed at secondary school students, and was recommended for use in Victoria.

  • Stile Education was not found to be collecting nor sharing students data, demonstrating that it is possible to have privacy preserving EdTech products