Student Privacy Pledge – The 74: America's Education News Source

Leaked Active School Shooter Plans Revive Scrutiny of Ed Tech Privacy Pledge
Fri, 02 Feb 2024 11:01:00 +0000

A security lapse at a leading school safety company that exposed millions of sensitive records online — including districts’ active-shooter response plans, students’ medical records and court documents about child abuse — has revived criticism that an industry student privacy pledge fails to police bad actors.

In response to an inquiry by The 74, the nonprofit Future of Privacy Forum said last week it would review Raptor Technologies’ status as a Student Privacy Pledge signatory after a maintained by the company were readily available without any encryption protection despite Raptor’s claims that it scrambles its data.

“We are reviewing the details of Raptor Technologies’ leak to determine if the company has violated its Pledge commitments,” David Sallay, the Washington-based group’s director of youth and education privacy, said in a Jan. 24 statement. “A final decision about the company’s status as Pledge signatory, including, if applicable, potential referrals to the [Federal Trade Commission] and relevant State Attorneys General, is expected within 30 days.” 

Should the privacy forum choose to take action, Raptor would become just the second-ever education technology company to be removed from the pledge. 

Texas-based , which counts roughly 40% of U.S. school districts as its customers, offers an extensive suite of software designed to improve campus safety, including a tool that screens visitors’ government-issued identification cards against sex offender registries, a management system that helps school leaders prepare for and respond to emergencies, and a threat assessment tool that allows educators to report if they notice “something a bit odd about a student’s behavior” that they believe could become a safety risk. This means, according to a Raptor guide, that the company collects data on kids who appear “unkempt or hungry,” withdrawn from friends, to engage in self-harm, have poor concentration or struggle academically.

Rather than keeping students safe, however, cybersecurity researcher Jeremiah Fowler said the widespread data breach threatened to put them in harm’s way. And as cybersecurity experts express concerns about , they’ve criticized the Student Privacy Pledge for lackluster enforcement in lieu of regulations and minimum security standards. 

Fowler, a cybersecurity researcher at and a self-described “data breach hunter,” has been tracking down online vulnerabilities for a decade. The Raptor leak is “probably the most diverse set of documents I’ve ever seen in one database,” he said, including information about campus surveillance cameras that didn’t work, teen drug use and the gathering points where students were instructed to meet in the event of a school shooting. 

vpnMentor in December and Fowler said the company was responsive and worked quickly to fix the problem. The breach wasn’t the result of a hack and there’s no evidence that the information has fallen into the hands of threat actors, though Fowler in the last several months. 

The situation could have grown far more dire without Fowler’s audit. 

“The real danger would be having the game plan of what to do when there is a situation,” like an active shooting, Fowler said in an interview with The 74. “It’s like playing in the Super Bowl and giving the other team all of your playbooks and then you’re like, ‘Hey, how did we lose?’”

David Rogers, Raptor’s chief marketing officer, said last week the company is conducting an investigation to determine the scope of the breached data to ensure “that any individuals whose personal information could have been affected are appropriately notified.” 

“Our security protocols are rigorously tested, and in light of recent events, we are committed to further enhancing our systems,” Rogers said in a statement. “We take this matter incredibly seriously and will remain vigilant, including by monitoring the web for any evidence that any data that has been in our possession is being misused.” 

‘Maybe this is a pattern’

Raptor is currently among more than 400 companies that , a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children. 

Raptor and the other companies have vowed against selling students’ personally identifiable information or using it for targeted advertising, among other commitments. They also agreed to “maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality and integrity” of students’ personal information against unauthorized or unintended disclosure. Cybersafeguards, the pledge notes, should be “appropriate to the sensitivity of the information.”

Raptor touts its pledge commitment on its website, where it notes the company takes “great care and responsibility to both support the effective use of student information and safeguard student privacy and information security.” The company that it ensures “the highest levels of security and privacy of customer data,” including encryption “both at rest and in-transit,” meaning that data is scrambled into an unusable format without a password while it is being stored on servers and while it’s being moved between devices or networks. 

Its , however, offers a more proscribed assurance, saying the company takes “reasonable” measures to protect sensitive data, but that it cannot guarantee that such information “will be protected against unauthorized access, loss, misuse or alterations.” 

Districts nationwide have spent tens of millions of dollars on Raptor’s software, according to GovSpend, a government procurement database. Recent customers include the school districts in Dallas, Texas, Broward County, Florida, and Rochester, New York. Under , education technology companies that collect student data are required to maintain a cybersecurity program that includes data encryption and controls to ensure that personally identifiable information doesn’t fall into the hands of unauthorized actors. 

Countering Raptor’s claims that data were encrypted, Fowler told The 74 the documents he accessed “were just straight-up PDFs, they didn’t have any password protections on them,” adding that the files could be found by simply entering their URLs into a web browser.

Officials at the Rochester school district didn’t respond to requests for comment about whether they had been notified about the breach and its effects on their students or if they were aware that Raptor may not have been in compliance with state encryption requirements. 

Doug Levin, the national director of the nonprofit K12 Security Information eXchange, said the Raptor blunder is reminiscent of a 2022 data breach at the technology vendor Illuminate Education, which exposed the information of at least 3 million students nationwide, including 820,000 current and former New York City students. Levin noted that both companies claimed their data was encrypted at rest and in transit — “except maybe it wasn’t.” 

A decade after the privacy pledge was introduced, he said “it falls far short of offering the regulatory and legal protections students, families and educators deserve.”

“How can educators know if a company is taking security seriously?” Levin asked. Raptor “said all of the right things on their website about what they were doing and, yet again, it looks like a company wasn’t forthright. And so, maybe this is a pattern.” 

State data breach rules have long focused on personal information, like Social Security numbers, that could be used for identity theft and other financial crimes. But the consequences of data breaches like the one at Raptor, Fowler said, could be far more devastating — and could harm children for the rest of their lives. He noted the exposure of health records, which could violate federal privacy law, could be exploited for various forms of fraud. Discipline reports and other sensitive information, including about student sexual abuse victims, could be highly embarrassing or stigmatizing. 

Meanwhile, he said the exposure of confidential records about physical security infrastructure in schools, and district emergency response plans, could put kids in physical danger. 

Details about campus security infrastructure have been exploited by bad actors in the past. After Minneapolis Public Schools fell victim to a ransomware attack last February that led to a large-scale data breach, an investigation by The 74 uncovered reams of campus security records, including campus blueprints that revealed the locations of surveillance cameras, instructions on how to disarm a campus alarm system and maps that documented the routes that children are instructed to take during an emergency evacuation. The data can be tracked down with little more than a Google search.

“I’ve got a 14-year-old daughter and when I’m seeing these school maps I’m like, ‘Oh my God, I can see where the safe room is, I can see where the keys are, I can see the direction they are going to travel from each classroom, where the meetup points are, where the police are going to be,’” Fowler said of the Raptor breach. “That’s the part where I was like, ‘Oh my God, this literally is the blueprint for what happens in the event of a shooting.’”

‘Sweep it under the rug’

The Future of Privacy Forum’s initial response to the Raptor breach mirrors the nonprofit’s actions after the 2022 data breach at Illuminate Education, which was previously listed among the privacy pledge signatories and became the first-ever company to get stripped of the designation. 

The forum’s decision to remove Illuminate followed an article in The 74, where student privacy advocates criticized it for years of failures to enforce its pledge commitments — and accused it of being a tech company-funded effort to thwart government regulations.

The pledge, which was created by the privacy forum in partnership with the Software and Information Industry Association, a technology trade group, was created in 2014, placing restrictions on the ways ed tech companies could use the data they collect about K-12 students. 

Along with stripping Illuminate of its pledge signatory designation, the forum referred it to the Federal Trade Commission, which the nonprofit maintains can hold companies accountable to their commitments via consumer protection rules that prohibit unfair and deceptive business practices. The company was also referred to the state attorneys general in New York and California to “consider further appropriate action.” It’s unclear if regulators took any actions against Illuminate. The FTC and the California attorney general’s office didn’t respond to requests for comment. The New York attorney general’s office is reviewing the Illuminate breach, a spokesperson said. 

“Publicly available information appears to confirm that Illuminate Education did not encrypt all student information” in violation of several Pledge provisions, Forum CEO Jules Polonetsky told The 74 at the time. Among them is a commitment to “maintain a comprehensive security program” that protects students’ sensitive information and to “comply with applicable laws,” including New York’s “explicit data encryption requirement.”

After the breach and before it was removed from the pledge, the Software and Information Industry Association recognized Illuminate with the sector’s equivalent of an Oscar. 

Raptor isn’t the only pledge signatory to fall victim to a recent data breach. In December, a cybersecurity researcher disclosed a security vulnerability at Education Logistics, commonly known as EduLog, which offers a GPS tracking system to give parents real-time information about the location of their children’s school buses. A statement the forum provided The 74 didn’t mention whether it had opened an inquiry into whether EduLog had failed to comply with the pledge commitments.

Despite the forum’s actions against Illuminate Education, and its new inquiry into Raptor, the pledge continues to face criticism for having little utility, including from Fowler, who likened it to “virtue signaling” that can be quickly brushed aside. 

“Pledges are just that, they’re like, ‘Hey, that sounds good, we’ll agree to it until it no longer fits our business model,’” he said. “A pledge is just like, ‘whoops, our bad,’ a little bit of bad press and you just sweep it under the rug and move on.”

Chad Marlow, a senior policy counsel at the American Civil Liberties Union focused on privacy and surveillance issues, offered a similar perspective. Given the persistent threat of data breaches and a growing number of cyberattacks on the K-12 sector, Marlow said that schools should take a hard look at the amount of data that they and their vendors collect about students in the first place. He said Raptor’s early intervention system, which seeks to identify children who pose a potential threat to themselves or others, is an unproven surveillance system that could become a vector for student discrimination in the name of keeping them safe. 

Although he said he has “a great deal of admiration” for the privacy forum and the privacy pledge goals, it falls short on accountability when compared to regulations that mandate compliance.

“Sometimes pledges like this, which are designed to make a little bit of progress, actually do the opposite because it allows companies to point to these pledges and say, ‘Look, we are committed to doing better,’ when in fact, they’re using the pledge to avoid being told to do better,” he said. “That’s what we need, not people saying, ‘On scout’s honor I’ll do X.’”  

Disclosure: The Bill & Melinda Gates Foundation and the Chan Zuckerberg Initiative provide financial support to the Future of Privacy Forum and The 74.

Illuminate Ed Pulled from ‘Student Privacy Pledge’ After Massive Data Breach
Mon, 08 Aug 2022 18:01:00 +0000

Updated

Embattled education technology vendor Illuminate Education has become the first-ever company to get booted from the Student Privacy Pledge, an unprecedented move that follows a massive data breach affecting millions of students and allegations the company misrepresented its security safeguards. 

The Future of Privacy Forum, which created the self-regulatory effort nearly a decade ago to promote ethical student data practices by education technology companies, announced on Monday it had stripped Illuminate of its pledge signatory designation and referred the company to the Federal Trade Commission and state attorneys general in New York and California, where the biggest breaches occurred, to “consider further appropriate action,” including sanctions. 

“Publicly available information appears to confirm that Illuminate Education did not encrypt all student information while” it was being stored or transferred from one system to another, forum CEO Jules Polonetsky said in a statement. He said the decision to de-list Illuminate came after a review including “direct outreach” to the company, which “would not state” that such privacy practices had been in place.


 “Such a failure to encrypt would violate several pledge provisions,” Polonetsky said, including a commitment to “maintain a comprehensive security program” to protect students’ sensitive information and to “comply with applicable laws,” including an “explicit data encryption requirement” in New York.

Encryption is the cybersecurity practice of scrambling readable data into an unusable format to prevent bad actors from understanding it without a key. Amazon Web Services to store student data on accounts that were easy to identify. 

Through the voluntary pledge, have agreed to to protect students’ online privacy. Though the privacy forum maintains that the pledge is legally binding and can be enforced by federal and state regulators, the move against Illuminate marks a dramatic shift in enforcement. The extent of the Illuminate breach remains unclear, encompasses districts in six states affecting an . 

Illuminate Education CEO Christine Willig (Illuminate Education)

Illuminate Education spokesperson Jane Snyder said the company is disappointed in the privacy forum’s decision, but it “will not detract from our commitment to safeguard the privacy of all student data in our care.” The privately held company founded in 2009 claims some 5,000 schools serving 17 million students use its tools.

“We will continue to monitor and enhance the security of our systems, and we will continue to work with students and school districts to resolve any concerns related to this matter while prioritizing the privacy and protection of the data we maintain,” Snyder said in a statement.

In a recent article in The 74, student privacy experts criticized the Big Tech-funded privacy forum for failing to sanction companies that break the agreement terms.

The action taken against Illuminate comes just three months after the Federal Trade Commission announced efforts to ramp up enforcement of federal student privacy protections, including against companies that sell student data for targeted advertising and that lack reasonable systems “to maintain the confidentiality, security and integrity of children’s personal information.” 

The privacy forum maintains that the Federal Trade Commission and state attorneys general can hold companies accountable to their pledge commitments via consumer protection rules that prohibit unfair and deceptive business practices, but such action has never been taken. Education companies have long used the pledge as a marketing tool and the privacy forum has touted it as an assurance to schools as they shop for new technology. 

Signs of a data breach at California-based Illuminate first emerged in January when several of its popular digital tools, including programs used in New York City to track students’ grades and attendance, went dark. City officials announced in March that the personal data of some 820,000 current and former students had been compromised. Outside New York City, home to America’s largest school district, state officials said the breach affected an additional 174,000 students across the state. Student information in Los Angeles, the country’s second-largest school district, was also breached. 

Compromised data includes information about students’ eligibility for special education services and free or reduced-price lunch, their names, demographic information, immigration status and disciplinary records. 

New York City officials have accused Illuminate of misrepresenting its security safeguards and instructed educators to stop using its tools. New York State Education Department officials are investigating whether the company’s security practices run afoul of state law, which requires education vendors to maintain “reasonable” data security safeguards and to notify schools about data breaches “in the most expedient way possible and without unreasonable delay.” 

School districts in California, Colorado, Connecticut, Oklahoma and Washington have since that their personal information was compromised in the breach. Illuminate Education has never said how many people were affected by the lapse while at the that it has “no evidence that any information was subject to actual or attempted misuse.” 

CEO of the Future of Privacy Forum Jules Polonetsky (Future of Privacy Forum)

“FPF believes that the privacy and security of students’ information is essential,” Polonetsky said in the statement, declining to comment further. “To help ed tech companies better protect student data, we will be providing training for Pledge signatories, with a specific focus on data governance and security.”

For years, critics have accused the pledge of providing educators and parents with a false affirmation about the safety of education technology while being a tech-funded effort to thwart meaningful government regulation. 

The privacy forum’s decision to yank Illuminate doesn’t suggest stronger pledge enforcement going forward, said Doug Levin, the national director of The K12 Security Information eXchange. Rather, he accused the privacy forum of acting more in response to media coverage than a desire to hold companies to their promises.

“The only time that the Future of Privacy Forum has considered de-listing an organization is when the practices of a company have come under the attention of national media,” he said, adding that the press is an insufficient tool to hold tech companies accountable. “I think this is a case where [the privacy forum] was looking at collateral reputational damage and damage to the pledge and they had to act to protect their own self-interests and the interests of other pledge members. I do not read it as a signal that enforcement of the pledge will be enhanced going forward.”

Meanwhile, Levin sees Illuminate’s unwillingness to discuss its security practices with the privacy forum as another reason to believe the company acted negligently.

Illuminate is “clearly in legal jeopardy and I think they are concerned about making statements that could be used in a legal context to hold them accountable,” Levin said.

Still, the privacy forum’s decision to remove Illuminate raises the stakes from its previous enforcement efforts, most notably against the College Board, a nonprofit that administers the widely used SAT college admissions exam. In 2018, the privacy forum placed the nonprofit’s after found it was selling student data to third parties. The College Board was reinstated as an active pledge signatory a year later. It remains , despite a 2020 investigation by Consumer Reports that uncovered it was sending student data to major digital advertising platforms.

While some have argued that the College Board should have been removed from the pledge, the privacy forum has previously resisted efforts to de-list signatories. When the group learns about complaints against pledge signatories, it typically works with companies to resolve issues and ensure compliance, according to . 

Removing companies from the pledge, the post argued “could result in fewer privacy protections for users, as a former signatory would not be bound by the Pledge’s promises for future activities.”

Disclosure: The Bill & Melinda Gates Foundation and the Chan Zuckerberg Initiative provide financial support to the Future of Privacy Forum and The 74.

After Huge Illuminate Data Breach, Ed Tech’s ‘Student Privacy Pledge’ Under Fire
Sun, 24 Jul 2022 19:00:00 +0000

A few months after education leaders at America’s largest school district announced that a technology vendor had exposed sensitive student information in a massive data breach, the company at fault — Illuminate Education — was recognized with the of the Oscars.

Since that disclosure in New York City schools, the scope of the breach has only grown, with districts in six states announcing that some had become victims. Illuminate has never disclosed the full extent of the blunder, even as critics decry significant harm to kids and security experts question why the company is being handed awards instead of getting slapped with sanctions. 

Amid demands that Illuminate be held accountable for the breach — and for allegations that it misrepresented its security safeguards — the company could soon face unprecedented discipline for violating , a self-regulatory effort by Big Tech to police shady business practices. In response to inquiries by The 74, the Future of Privacy Forum, a think tank and co-creator of the pledge, disclosed Tuesday that Illuminate could soon get the boot.


Forum CEO Jules Polonetsky said his group will decide within a month whether to revoke Illuminate’s status as a pledge signatory and refer the matter to state and federal regulators, including the Federal Trade Commission, for possible sanctions. 

“We have been reviewing the deeply concerning circumstances of the breach and apparent violations of Illuminate Education’s pledge commitments,” Polonetsky said in a statement to The 74.

Illuminate did not respond to interview requests. 

In a twist, the pledge was co-created by the Software and Information Industry Association, the trade group that last month as being among “the best of the best” in education technology. The pledge, created nearly a decade ago, is designed to ensure that education technology vendors are ethical stewards of kids’ most sensitive data. Its staunchest critics have assailed the pledge as being toothless — if not an outright effort to thwart meaningful government regulation. Now, they are questioning whether its response to the massive Illuminate breach will be any different.

“I have never seen anybody get anything more than a slap on the wrist from the actual people controlling the pledge,” said Bill Fitzgerald, an independent privacy researcher. Taking action against Illuminate, he said, “would break the pledge’s pretty perfect record for not actually enforcing any kind of sanctions against bad actors.”

Through the voluntary pledge, launched in 2014, hundreds of education technology companies have agreed to a slate of safety measures to protect students’ online privacy. Pledge signatories, , they will not sell student data to third parties or use the information for targeted advertising. Companies that sign the commitment also agree to “maintain a comprehensive security program” to protect students’ personal information from data breaches. 

The privacy forum, which is , has long maintained that the and offers assurances to school districts as they shop for new technology. In the absence of a federal consumer privacy law, the forum argues the pledge grants “an important and unique means for privacy enforcement,” giving the Federal Trade Commission and state attorneys general an outlet to hold education technology companies accountable via consumer protection rules that prohibit unfair and deceptive business practices. 

For years, critics of providing educators and parents false assurances that a given product is safe, than a pinky promise. Meanwhile, schools and technology companies have become increasingly entangled — particularly during the pandemic. As districts across the globe rushed to create digital classrooms, few governments checked to make sure the tech products officials endorsed were safe for children, by the Human Rights Watch. Shoddy student data practices by leading tech vendors, the group found, were rampant. Of the 164 tools analyzed, 89 percent “engaged in data practices that put children’s rights at risk,” with a majority giving student records to advertisers.

As companies suck up a mind-boggling amount of student information, a lack of meaningful enforcement has let tech companies off the hook for violating students’ privacy rights, said Hye Jung Han, a Human Rights Watch researcher focused on children. As a result, she said, students whose schools require them to use certain digital tools are being forced to “give up their privacy in order to learn.” Paired with large-scale data breaches, like the one at Illuminate, she said students’ sensitive records could be misused for years.

“Children, as we know, are more susceptible to manipulation based on what they see online,” she said. “So suddenly the information that’s collected about them in the classroom is being used to determine the kinds of content and the kinds of advertising that they see elsewhere on the internet. It can absolutely start influencing their worldviews.”

But the regulatory environment under the Biden administration may be entering a new, more aggressive era. The Federal Trade Commission announced in May that it would scale up enforcement on education technology companies that sell student data for targeted advertising and that “illegally surveil children when they go online to learn.” Even absent a data breach like the one at Illuminate, the commission wrote in a policy statement, education technology providers violate the if they lack reasonable systems “to maintain the confidentiality, security and integrity of children’s personal information.” 

The FTC declined to comment for this article. Jeff Joseph, president of the Software and Information Industry Association, said its recent awards were based on narrow criteria and judges “would not be expected to be aware of the breach unless the company disclosed it during the demos.” News of the breach was .

The trade group “takes the privacy and security of student data seriously,” Joseph said in a statement, adding that the Future of Privacy Forum “maintains the day-to-day management of the pledge.” 

‘Absolutely concerning’

Concerns of a data breach at California-based Illuminate in January when several of the privately held company’s popular digital tools, including programs used in New York City to track students’ grades and attendance, went dark. 

Yet it that city leaders announced that the personal data of some 820,000 current and former students — including their eligibility for special education services and for free or reduced-price lunches — had been compromised in a data breach. In disclosing the breach, city education officials of misrepresenting its security safeguards. The Department of Education, which over the last three years, to stop using the company’s tools. 

A month later, officials at the New York State Education Department launched an investigation into whether the company’s data security practices ran afoul of state law, department officials said. Under the law, education vendors are required to maintain “reasonable” data security safeguards and must notify schools about data breaches “in the most expedient way possible and without unreasonable delay.” 

Outside New York City, state officials said the breach affected about 174,000 additional students across the state.

Doug Levin, the national director of The K12 Security Information eXchange, said the state should issue “a significant fine” to Illuminate for misrepresenting its security protocols to educators. Sanctions, he said, would “send a strong and very important signal that not only must you ensure that you have reasonable security in place, but if you say you do and you don’t, you will be penalized.” 

Meanwhile, Illuminate has since become the subject of two federal class-action lawsuits in New York and California, including one that alleges that students’ sensitive information “is now an open book in the hands of unknown crooks” and is likely being sold on the dark web “for nefarious and mischievous ends.” 

Plaintiff attorney Gary Graifman said that litigation is crucial for consumers because state attorneys general are often too busy to hold companies accountable. 

“There’s got to be some avenue of interdiction that occurs so that companies adhere to policies that guarantee people their private information will be secured,” he said. “Obviously if there is strong federal legislation that occurs in the future, maybe that would be helpful, but right now that is not the case.”

School districts in California, Colorado, Connecticut, Oklahoma and Washington have since disclosed to current and former students that their personal information had been compromised in the breach. But the full extent remains unknown because “Illuminate has been the opposite of forthcoming about what has occurred,” Levin said. 

companies to disclose data breaches to the public. Some 5,000 schools serving 17 million students use Illuminate tools, according to the company, which was founded in 2009.


“We now know that millions of students have been affected by this incident, from coast to coast in some of the largest school districts in the nation,” including in New York City and Los Angeles, Levin said. “That is absolutely concerning, and I think it shines a light on the role of school vendors,” who are a significant source of education data breaches. 

Nobody, , can guarantee that their cybersecurity infrastructure will hold up against motivated hackers, Levin said, but Illuminate’s failure to disclose the extent of the breach raises a major red flag. 

“The longer that Illuminate does not come clean with what’s happened, the worse it looks,” he said. “It suggests that this was maybe leaning on the side of negligence versus them being an unfortunate victim.”

‘A public relations tool’

When six years ago, it acknowledged the importance of protecting students’ data and said it offered a “secure online environment with data privacy securely in place.” , Illuminate touts an “unwavering commitment to student data privacy,” and offers a link to the pledge. 

“By signing this pledge,” the company wrote in a 2016 blog post, “we are making a commitment to continue doing what we have already been doing from the beginning — promoting that student data be safeguarded and used for encouraging student and educator success.” 

Some pledge critics have accused tech companies of using it as a marketing tool. In 2018, argued that pledge noncompliance was rampant and accused it of being “a mirage” that offered comfort to consumers “while providing little actual benefit.” 

“The pledge may be more valuable as a public relations tool than as a means of actually effecting — or reflecting — industry improvements,” according to the report. Gaps between the pledge’s public declarations and companies’ business practices, it concluded, “is likely to mislead consumers.” 

In 2015, a software researcher found a large share of pledge signatories infrastructure to guard student data from hackers. Three years later, The New York Times published , a nonprofit that administers the widely used SAT college admissions exam. College Board, the report exposed, was selling student data to third parties in violation of the privacy pledge. In response, the College Board’s status as a pledge signatory had been placed “under review,” but as an active signatory a year later. The College Board, it said in a press release, had committed to changing its business practices. 

Still, in 2020 found the College Board was sending student data to major digital advertising platforms, including those operated by Microsoft and Google. The College Board, . 

The nonprofit is “resolute in protecting student data privacy,” a spokesperson said in a statement. “Organizations that receive data from College Board, such as high schools, districts, colleges, universities, and scholarship organizations, must adhere to strict guidelines when using that data.”

Some critics have argued the College Board should have been removed from the pledge, but the Future of Privacy Forum has held that taking such action against signatories could do more harm than good. When the forum becomes aware of a complaint against a pledge signatory, it typically works with the company to resolve issues and ensure compliance, . The think tank argued it’s best to work with noncompliant companies to improve their business practices rather than exile them from the pledge outright. Removing companies “could result in fewer privacy protections for users, as a former signatory would not be bound by the Pledge’s promises for future activities.” 

Attorney Amelia Vance, a former privacy forum employee and the founder and president of Public Interest Privacy Consulting, said the pledge has nudged education technology companies to change their business practices to ensure they’re following its provisions. 

“I almost always thought of it as a way to make companies better and more aware of student privacy than something to be enforced with specific teeth,” said Vance, who declined to comment on whether Illuminate should be removed. “After all, the Federal Trade Commission and state [attorneys general] are the ones who really have the enforcement powers here.”

But self-policing efforts, like the pledge, are “only as effective as the enforcement,” said Levin, the school security expert. Otherwise, it can only serve as “a nice window dressing” for Big Tech efforts to fend off stricter state and federal regulations — provisions he said must be strengthened. 

At a minimum, he said, the privacy forum should disclose companies that have been credibly accused of violating the pledge and conduct investigations. If they find a company out of compliance, he said, “it’s not clear to me that they should be allowed to re-sign the pledge.”

“If I were another signatory of the pledge, I would be quite concerned about whether or not the value of that pledge is being diminished” by including companies that violate its provisions, he said. “If it’s going to serve its purpose, there needs to be some policing.”

But to Fitzgerald, the privacy researcher, the forum’s failure to take action against bad actors has long rendered the pledge useless. 

“It’s not like the pledge finally doing what the pledge should have been doing five years ago would make a difference,” he said. “It’s never too late to start” removing companies that violate its provisions, he said, but “the fact that it hasn’t happened yet seems to indicate that it’s not going to happen.” 

Disclosure: The Bill & Melinda Gates Foundation and the Chan Zuckerberg Initiative provide financial support to the Future of Privacy Forum and Ӱ
