Millions of children had their online behaviors and personal information tracked by the apps and websites they used for school during the pandemic, according to an international investigation that raises concerns about the impact remote learning had on children’s privacy online.
The educational tools were recommended by school districts and offered interactive math and reading lessons to children as young as prekindergarten. But many of them also collected students’ information and shared it with marketers and data brokers, who could then build data profiles used to target the children with ads that follow them around the Web.
Those findings come from the most comprehensive study to date on the technology that children and parents relied on for nearly two years as basic education shifted from schools to homes.
Researchers with the advocacy group Human Rights Watch analyzed 164 educational apps and websites used in 49 countries, and they shared their findings with The Washington Post and 12 other news organizations around the world. The consortium, EdTech Exposed, was coordinated by the investigative nonprofit the Signals Network and conducted further reporting and technical review.
What the researchers found was alarming: nearly 90 percent of the educational tools were designed to send the information they collected to ad-technology companies, which could use it to estimate students’ interests and predict what they might want to buy.
Researchers found that the tools sent information to nearly 200 ad-tech companies, but that few of the programs disclosed to parents how the companies would use it. Some apps hinted at the monitoring in technical terms in their privacy policies, the researchers said, while many others made no mention at all.
The websites, the researchers said, shared users’ data with online ad giants including Facebook and Google. They also requested access to students’ cameras, contacts or locations, even when it seemed unnecessary to their schoolwork. Some recorded students’ keystrokes, even before they hit “submit.”
The “dizzying scale” of the tracking, the researchers said, showed how the financial incentives of the data economy had exposed even the youngest Internet users to “inescapable” privacy risks — even as the companies benefited from a major revenue stream.
“Children,” lead researcher Hye Jung Han wrote, were “just as likely to be surveilled in their virtual classrooms as adults shopping in the world’s largest virtual malls.”
School districts and the sites’ creators defended their use, with some companies saying researchers had erred by including in their study homepages for the programs, which included tracking codes, instead of limiting their analysis to the internal student pages, which they said contained fewer or no trackers. The researchers defended the work by noting that students often had to sign in on the homepages before their lessons could begin.
The coronavirus pandemic abruptly upended the lives of children around the world, shuttering schools for more than 1.5 billion students within the span of just a few weeks. Though some classrooms have reopened, tens of millions of students remain remote, and many now depend on education apps for the bulk of their school days.
Yet there has been little public discussion of how the companies that provided the programs remote schooling depends on may have profited from the pandemic windfall of student data.
The learning app Schoology, for example, says it has more than 20 million users and is used by 60,000 schools across some of the United States’ largest school districts. The study identified code in the app that would have allowed it to extract a unique identifier from the student’s phone, known as an advertising ID, that marketers often use to track people across different apps and devices and to build a profile on what products they might want to buy.
The policy also said that it “does not knowingly collect any information from children under the age of 13,” in keeping with the Children’s Online Privacy Protection Act, or COPPA, the U.S. law that requires special restrictions on data collected from young children. The company’s software, however, is marketed for classrooms as early as kindergarten, which for many children starts around age 4.
The investigation acknowledged that it could not determine exactly what student data would have been collected during real-world use. But the study did reveal how the software was designed to work, what data it had been programmed to seek access to, and where that data would have been sent.
School districts and public authorities that had recommended the tools, Han wrote, had “offloaded the true costs of providing education online onto children, who were forced to pay for their learning with their fundamental rights to privacy.”
The researchers said they found a number of trackers on websites common among U.S. schools. The website of ST Math, a “visual instructional program” for prekindergarten, elementary and middle school students, was shown to have shared user data with 19 third-party trackers, including Facebook, Google, Twitter and the e-commerce site Shopify.
Kelsey Skaggs, a spokeswoman for the California-based MIND Research Institute, which runs ST Math, said in a statement that the company does not “share any personally identifiable information in student records for the purposes of targeted advertising or other commercial purposes” and does not use the same trackers on its student platform as it does on its homepage.
Google spokesperson Christa Muldoon said the company is investigating the researchers’ claims and will take action if they find any violations of their data privacy rules, which include bans on personalized ads aimed at minors’ accounts. A spokesperson for Facebook’s parent company Meta said it restricts how businesses share children’s data and how advertisers can target children and teens.
The study comes as concern grows over the privacy risks of the educational-technology industry. The Federal Trade Commission voted last week on a policy statement urging stronger enforcement of COPPA, with Chair Lina Khan arguing that the law should help “ensure that children can do their schoolwork without having to surrender to commercial surveillance practices.”
COPPA requires apps and websites to get parents’ consent before collecting children’s data, but schools can consent on their behalf if the information is designated for educational use.
In an announcement, the FTC said it would work to “vigilantly enforce” provisions of the law, including bans against requiring children to provide more information than is needed and restrictions against using personal data for marketing purposes. Companies that break the law, it said, could face fines and civil penalties.
Clearly, the tools have wide impact. In Los Angeles, for example, more than 447,000 students are using Schoology and 79,000 are using ST Math. Roughly 70,000 students in Miami-Dade County Public Schools use Schoology.