Student Privacy – The 74
America's Education News Source

Opinion: Student Data Has Changed. Privacy Rules Haven’t. It’s Time for That to Change
Mon, 23 Mar 2026 12:30:00 +0000

Parents deserve access to timely information that empowers them to make decisions that help their children succeed and confidence that their students’ data is secure. The Family Educational Rights and Privacy Act (FERPA) was designed with both these goals in mind. Unfortunately, the law is now so outdated that it does not serve either purpose well.

With Congress engaged in broader debates about education, technology and data privacy, this is a moment when FERPA modernization is no longer an abstract policy discussion. Congress should update FERPA so it can do what its original authors intended: safeguard student privacy and serve families.

FERPA was enacted in 1974 — over 50 years ago — to codify with whom and under what circumstances schools could share students’ personally identifiable information. But since then, the ways in which student data is handled have seismically shifted. 

Today, districts and schools store and share data digitally — not on paper stored in filing cabinets. Yet FERPA remains rooted in a paper-record era that predates real-time dashboards and digital tools. The law does not yet account for the rapidly evolving technology-driven practices that affect student privacy.

Parents are rightly wary of how their children’s data is collected, stored and used — especially as data breaches continue to make headlines. A FERPA that reflects America’s current digital landscape is long overdue. 

Because FERPA has never been statutorily updated, states and school systems are left to navigate a murky and complicated legal landscape as they work to both protect students and share data in smart ways. This ambiguity can result in states, school districts or colleges and universities from responsible data-sharing practices out of fear of violating FERPA’s convoluted provisions.

All this ultimately denies families access to the very insights and information they need to advocate for their children. Heightened concern about student data privacy should be met with clearer rules designed to modernize security protections and build trust with families, not used as an excuse to prevent action or to cease sharing useful information with parents.

This is not what student data privacy should look like. And it’s certainly not what families deserve. The nation can — and must — do better.

A modernized FERPA must ensure that student information is safeguarded with the highest standards of security and ethical use, while empowering families with the information they need to make informed decisions. Parents are clear that they want access to this information: say they support requiring schools to provide access to transparent data on student achievement, discipline and enrollment for families and policymakers. And say easier access to information would help them feel more confident about their ability to help their child make decisions about life after high school. 

It’s time for Congress to modernize FERPA so it works for today’s families. That means setting strong, enforceable privacy standards to ensure student data is protected. It also means affirming families’ rights to access information that empowers them: data on academic progress, school quality and services available to help students thrive.

An updated FERPA should also unlock the potential of state data systems that securely connect longitudinal information across early childhood, K-12, postsecondary and workforce programs — systems that can enable parents, students, educators, policymakers and the public to understand what’s working for students and what’s not. Today, FERPA’s framework does not reflect how cross-agency data can be used to, for example, connect high school students with college scholarship programs or assess return on investment for a district’s tutoring programs.

Student privacy and parent empowerment are not competing goals. With the right legal framework, congressional leaders can achieve both. Parents shouldn’t have to choose between protecting their children’s information and knowing how to help them succeed.

Trump Administration Takes on School Emails as Parental Rights Issue
Tue, 26 Aug 2025 10:30:00 +0000

In April, the U.S. Department of Education an obscure 2013 privacy complaint — a dispute so old that the student at the heart of it has almost certainly graduated by now. The Wisconsin district involved in the dispute has had two superintendents since the complaint was first filed, and the current chief said the department’s finding came out of the blue.

While the matter focused on a student with disabilities, Trump officials appear to have homed in on it because it addressed a separate question central to the administration’s agenda: Do parents have a right to read staff emails about their children?




With the administration accusing districts of hiding students’ gender transitions from parents, experts say their answer is yes. 

“I don’t think there’s any question that they’re going to say [emails] should be available to parents,” said Amelia Vance, president of the nonprofit Public Interest Privacy Center. 

Education Secretary Linda McMahon signaled the department’s intention when she said districts have turned the “concept of privacy on its head to facilitate ideological indoctrination … without parental interference or even involvement.” 

In a message to the Wisconsin district, a department official acknowledged the issue’s importance to parents, students and school officials and said that districts can expect “guidance or regulations in the foreseeable future.” Contacted Aug. 14, department spokeswoman Madison Biedermann had no updates on timing. 

Enforcing the Family Educational Rights and Privacy Act, which gives parents the right to inspect and amend their children’s education records, is a central focus of the administration’s parental rights agenda. The law was enacted 50 years ago, long before the advent of digital records. In the past, courts have sided with districts that argued emails were not education records, while parents say they should be treated just like report cards or schoolwork. Districts are likely to push back on being required to disclose internal messages about students, Vance said. Not only might a search eat up staff time, but “people say stupid things in emails.”

‘Numerous’ requests

Biedermann, the department spokeswoman, would not say why officials revived the 12-year-old complaint.

But in the March letter reminding states of their responsibilities under FERPA, McMahon said “schools are routinely hiding information about the mental and physical health of their students from parents.”

In a sign of its commitment to reshaping FERPA, the department hired Lindsay Burke in June as its deputy chief of staff for policy and programs. The author of the education section of , a vision for Trump’s second term, she contends that FERPA should offer parents the right to sue districts they think have violated their rights. Filing a complaint is currently the only option under the law. She also argues that students shouldn’t be able to change their gender identity at school without a parent’s permission.  

Like many districts faced with similar FERPA requests, Middleton Cross Plains, northwest of Madison, leaned on a that many experts feel is out of step with the digital age. It suggests that communications like email are not part of a student’s official record unless they are printed and physically placed there. 

FERPA was originally intended to target records “stored in file folders and cabinets,” said Andrew Manna, an Indiana attorney who represents districts. “There is no software that I am aware of that can sort through the digital storage of emails, so it is a ‘hide and seek’ approach to trying to find the email specific to a student.” 

Districts also say that combing through years of emails is too burdensome for staff and is likely to produce irrelevant communication. Vance suggested that argument might be outdated “at this moment in time with what AI is capable of.”

But while there might be more tech tools to conduct searches, there’s no guarantee AI is secure, said Stephanie Jones, an attorney with a firm representing districts in Illinois. 

Searching emails “is both an art and a science,” she said. As an example, a district she represents once had a request for emails related to a student with the last name Fridge. “You wouldn’t believe how many employees try to sell their college kid’s dorm room fridge through district email.”

In the Wisconsin case, Frank Miller, acting director of the Education Department’s privacy office, determined that the district was simply following long-standing legal precedents on FERPA when it declined to provide a parent with staff emails about her child. 

Superintendent Dana Monogue wasn’t in charge when the parent filed the complaint, but said she was pleased with the outcome.

“Like all districts, we receive numerous student record requests each year and this letter will provide useful guidance regarding our obligations,” Monogue said. 

But while he gave the district a pass, Miller had more to say. 

He referenced a second court ruling, from 2009, that often guides the way districts handle requests for emails. In , a federal district court in California said an email about a student is only part of the official record if the district “maintains” it in a central location.

Emails “have a fleeting nature” and “may be sent, received, read and deleted within moments,” the judge said in that case. 

The department, Miller said, rejects the Tulare interpretation, even though it’s been widely adopted by districts. Middleton Cross Plains officials told the parent that it used Infinite Campus, a “third-party, cloud-based” system to store emails, and said that emails that are “simply still on a server” are not education records.

A recent is another sign that the legal landscape could be shifting. The state Supreme Court ruled that emails stored in an online platform are still subject to FERPA.

‘Defies reality’

Jim Wheaton, an associate professor at William and Mary Law School, has little tolerance for districts that turn down parents’ requests for emails.

“Essentially, a school [or] district can simply decide not to physically put something in a file, and important, relevant discussions about a child suddenly fall outside FERPA,” said Wheaton, who runs a law clinic for students who intend to work as special education advocates. “The idea that files continue to be physical paper defies reality.”

As an alternative, some parents file public records requests to obtain emails, but districts often charge hefty fees to cover the staff time involved, and may heavily redact the documents before releasing them. Wheaton said public records laws are not an adequate FERPA substitute.

“I once received a letter asking me to prepay a quarter million dollars before they would do the search,” he said.

In 2024, Tamara Quick, a Virginia mother of five, asked the Spotsylvania school district for emails regarding her ninth-grader. Because of her dyslexia, Brennan attends a private school at the district’s expense.

When Quick learned teachers weren’t following her daughter’s special education plan, she hoped some email exchange between the district and the school might reveal why Brennan wasn’t being challenged in reading and spelling. 

“Any information you have about my kids, I have a right to see,” she said. 

The Quick family has spent thousands to obtain emails from their Virginia school district about special education services for their daughter. (Courtesy of Tamara Quick)

Instead, the district said it had not “maintained” any communications with the girl’s teachers and, therefore, had “no education records responsive” to her request. Quick ultimately took the district to court, saying she couldn’t get the emails through the Virginia Freedom of Information Act either. 

In court records, the district said she never filed a formal request. An attorney for the district said officials “make every effort” to produce the records parents want, but “do not have time for games.”

The district eventually offered to look for emails for Quick and give her a cost estimate. But she didn’t think she should have to pay. Under the Individuals with Disabilities Act, parents have a their children’s records before a meeting to discuss special education services. 

She’s paying anyway. To this date, she’s spent over $30,000 on her case, withdrawing funds from a retirement account.

“Obviously it would have been cheaper for me to say, ‘OK, I’ll pay $2,000 for you to search for these emails,’ but that would be me agreeing that was appropriate,” she said.

‘Very negative things’

Parents may have multiple reasons for requesting staff emails, but McMahon’s March letter about privacy focused primarily on gender issues. Schools, she said, “promote and enable the transitioning of minor children, regardless of their mental state or their vulnerabilities.”

That’s what worried Amber Lavinge, a Maine parent, when she sought emails between staff members in the Great Salt Bay Community School district. It was late 2022 and she had just learned that a school social worker had given her 13-year-old daughter a chest binder to support a gender transition. But the district didn’t provide what she was looking for, said Adam Shelton, an attorney with the libertarian Goldwater Institute, which is handling her against the district. 

“She had a lot of questions and was just trying to understand what was going on,” he said. While the case, pending before the U.S. Court of Appeals for the First Circuit, doesn’t focus on emails or student records, he said he has a hard time understanding how any form of communication pertaining to a student wouldn’t constitute an education record. “Schools exist for the sole purpose of educating children.” 

Narrowing down which emails to release might be tricky, but Matt Cohen, a civil rights attorney in Chicago, said there are other reasons why districts avoid it.

“Sometimes teachers or administrators say very negative things about a child or the parents in the email that they’re not saying publicly,” he said. “It helps to establish that there is actual animus or discrimination going on.”

Jones, the other Illinois attorney, agrees that there can be a “reputational cost” for districts if they have to release embarrassing emails. That’s why she advises district staff to avoid “watercooler conversations” in emails — something many more are likely to take seriously if they know parents might read what they write, Jones said. 

“It has to pass the grandma test,” she said. “If you don’t want your grandma reading it, then don’t put it in an email.”

Ed Tech Co. That Provides Telehealth to L.A. Students Experiences Data Breach
Thu, 14 Aug 2025 18:33:38 +0000

Updated Aug. 16

An education technology company that built an app for Los Angeles students to receive telehealth services during the school day has fallen victim to a data breach that puts students’ sensitive information in jeopardy, a disclosure to state regulators reveals. 

The company, Kokomo Solutions, also hosts an anonymous tip line where Los Angeles community members can , safety threats and mental health crises to the school district’s police department. In filed with the California attorney general’s office, the company disclosed that an unspecified number of individuals’ personal information was compromised after an “unauthorized third party” accessed its computer network and the exposed files pertained to the Los Angeles Unified School District. 




The company, also known as Kokomo24/7, says it discovered the unauthorized access on Dec. 11, 2024, nearly eight months before it disclosed what happened to victims. The district has not issued any public statements alerting students and families that their sensitive information may have been compromised. 

Kokomo24/7, which has apparently scrubbed its website over the last few days of references to its work with the nation’s second-largest district, did not respond to requests for comment.

A Los Angeles Unified spokesperson said the company notified the school system on Dec. 12, 2024, “that an unauthorized user gained access to certain files containing personal information, stored on behalf of the District.” The spokesperson said the breach was not connected to LAUSD’s telehealth program or its student patients, but did not say whose information was exposed. They said it was Kokomo’s responsibility to handle disclosure to all affected parties and that, as far as L.A. school officials know, “there has been no evidence of personal information being shared as a result of the breach.”

While many details about the breach remain unknown, including the specific types of information that were compromised and whether it was the result of a cyberattack, the incident raises red flags because “there’s no question that [Kokomo is] managing exceptionally sensitive information” about campus safety issues and students’ medical information, school cybersecurity expert Doug Levin said. 

“This is another example of schools outsourcing the collection and management of exceptionally sensitive data on school communities which, if abused, could affect the health and safety of the school community,” said Levin, the co-founder and national director of the K12 Security Information eXchange. “We definitely would benefit from knowing more about how they were compromised and how they’re going to fix it.”

District officials have touted the telehealth service to parents since the data breach was disclosed. In an Aug. 8 live video session over Facebook, a district student and community engagement specialist gave that laid out L.A.’s back-to-school offerings.

Parent advocate Evelyn Aleman, who facilitated the event, said she was pleased to learn about the telehealth service during the presentation. Parents grew accustomed to telehealth during the pandemic and the virtual service could benefit families who have been advocating for better health services in schools, she said. But she hadn’t heard about the data breach before being contacted by The 74.

“I have a lot of questions: Was the person who was presenting to the group aware that [the breach] had happened?” asked Aleman, who founded the group Our Voice to advocate for low-income and Spanish-speaking L.A. families. “And how deep was the breach? Obviously that would be of concern to the parents.”


, the Los Angeles Schools Anonymous Reporting app allows students, parents and others in the community to report “suspicious activity, mental health incidents, drug consumption, drug trafficking, vandalism and safety issues” to the district’s . 

That same year, L.A. schools — along with the Children’s Hospital Los Angeles and Hazel Health — to launch new . The $800,000 program, funded by , is designed to provide app-based mental and physical health care to students, including at school. Hazel Health provides virtual mental health services, according to the district’s website, while Kokomo24/7’s services focus on physical health issues, including minor injuries, allergies and headaches.

In , the district describes its Kokomo24/7-managed telehealth program as an option for students “to access healthcare when not feeling well during school hours” with the supervision of a school nurse “while remaining in school and focusing on learning.” 

Kokomo founder and CEO Daniel Lee lauding the company’s ability to “transform” L.A. Unified’s COVID-tracking and health data system in a year after the school system’s previous tool became “clunky, difficult to customize and expensive to maintain.” The post notes the company’s role in creating the anonymous reporting application and the district’s Incident System Tracking Accountability Report, an internal tool to document injuries, medical emergencies and campus threats.

The Kokomo24/7 breach is the latest in a series of data privacy incidents affecting L.A. schools, including a high-profile ransomware attack in 2022 that led to the exposure of thousands of students’ mental health records. Schools Superintendent Alberto Carvalho at first categorically denied that students’ psychological evaluations had been exposed but then had to acknowledge that they were after The 74’s investigation revealed the records’ existence on the dark web.

Los Angeles Unified Supt. Alberto Carvalho, during the official launch of the AI-powered chatbot, “Ed.” (Getty Images)

Meanwhile, the district’s rollout last year of a highly touted AI chatbot named “Ed” was derailed after AllHere, the ed tech company hired to develop the $6 million project, shuttered abruptly and filed for Chapter 7 bankruptcy. The company’s founder and CEO, Joanna Smith-Griffin, was then indicted on charges she defrauded investors of some $10 million. A company whistleblower told The 74 AllHere’s student data security practices violated both industry standards and the district’s own policies.

The L.A. district for the chatbot bid — including Kokomo24/7 — before awarding the contract to AllHere. Both the bankruptcy and criminal cases are pending. In July, a school district spokesperson told The 74 that Ed “remains on hold.”

The Kokomo24/7 website lists a wide suite of products, primarily in physical security including building access control systems, emergency alarms and visitor management tools. It also names large companies among its customers, including The Oscars — the company was the “health and safety software provider” — United Airlines’ subsidiary United Express and Fifth Third Bank. 

But the Illinois-based company has a relatively small footprint in the education sector, according to records in the GovSpend government procurement database. Among the handful of its school district clients is the Hartford, Connecticut, school system where educators spent more than $60,000 between 2020 and 2023 for licenses to to screen students’ temperatures, track infections and conduct contact tracing. Glendale Unified, a neighboring district to Los Angeles, is also listed as a client on the company’s website.

Kokomo24/7’s connections to the L.A. district were widely featured on the company’s website until this week. In fact, listed four foundational events, including the 2023 launch of the “anonymous reporting app for students and an emergency alert system for staff” for the L.A. district.

A quote attributed to Superintendent Alberto Carvalho appeared on the Kokomo Solutions website until this week. Multiple references to the company’s work for the district were removed from its website after it disclosed the data breach. (Screenshot)

The reference to the school district was removed from the company timeline this week, as was a banner attributing a quote to Carvalho, a picture of district police officers and the district police department’s logo. Press releases announcing Kokomo’s work with the L.A. district appear to have also been scrubbed from the internet. 

The since-removed Carvalho quote called “critically important.” Though slightly misstated, the remark comes from a March 2023 school board meeting where Carvalho boasted of people’s ability to “relay in an anonymous way — or not — potential threats” to a student or a school. 

The Los Angeles Schools Anonymous Reporting app hasn’t been universally praised, and last year filed by anti-surveillance activists who alleged the tool created “a culture of mass suspicion” and bolstered police interactions between students of color and those with disabilities. 

The Stop LAPD Spying Coalition, which filed the lawsuit seeking records about the app, students, parents and community members “to surveil each other” on behalf of school police and to file reports that don’t require evidence. It also questioned why the community was being encouraged to file reports on people in mental health crises as part of a broader effort to investigate “suspicious activity.” 

“The app criminalizes mental health, perpetuating the idea that if someone has a mental illness they are inherently a threat to others,” the activist .

School Districts Unaware BoardDocs Software Published Their Private Files
Thu, 12 Jun 2025 18:30:00 +0000

BoardDocs, a software tool used by thousands of school boards to track meeting minutes and store confidential information, has suffered a data breach affecting districts nationally, The 74 has learned. Records at the center of the breach include confidential files protected by attorney-client privilege and other sensitive data that school leaders intended to keep under wraps.

BoardDocs parent company Diligent Corporation acknowledged Tuesday the breach was national in scope only after reporting by The 74 confirmed its customers across the country were affected. The BoardDocs software, which allows school boards to disseminate agendas and other public documents to their communities while keeping other records private, is used by some 5,000 public sector entities in the U.S. and Canada, primarily public schools.

The company declined to disclose the number of school districts that were affected after a glitch in its product erroneously published sensitive records to the web, but said only about 1% of documents stored on BoardDocs — or roughly 64,000 files — were exposed.

Company spokesperson Michele Steinmetz told The 74 Diligent began notifying all BoardDocs customers — including those who were not directly affected — on May 30, the same day into a BoardDocs breach affecting the Lower Merion school district. That instance appears to have been uncovered when plaintiffs in a legal case against the district came across privileged files while searching for public ones.


Multiple additional school districts that contract with BoardDocs, however, said they were unaware of the incident until they were contacted this week by The 74 and, in several instances, received confirmation of the breach from Diligent only after they reached out to the company directly to inquire about whether their own confidential records had been compromised.

In an interview with The 74, one customer called the glitch “an improper misconfiguration of the vendor’s products.” An option to store records in “a private folder” within the district’s broader public library “could be misleading and people could think, and rightfully so, ‘Anything I put in there is not publicly available,’ when, in fact, it could be accessed by an unauthenticated user.”

The official, who spoke on the condition of anonymity because they weren’t authorized to discuss the BoardDocs situation or draw attention to their district’s cybersecurity practices, said their school system was not “notified proactively” about the fallibility that came to light in Lower Merion.

“It was something that should not have been in place,” the official said. “The vendor should have been more clear and thoughtful and communicative around that configuration and the implications of it.”


Nithya Das, Diligent’s chief legal and chief administrative officer, acknowledged the problem to The 74, saying, “Documents that were supposed to be set to private access were made accessible.” She declined to elaborate on the misconfiguration but said the company took “immediate action to resolve the issue” once it was discovered.

She stressed that the confidential records had been made available on the BoardDocs platform only “for a matter of a few months” and existed only on that platform, meaning that someone could not have “gone onto [their] web browser and pulled up Google or Yahoo or something like that” to find them. 

“I don’t mean to downplay the situation, but I do think it’s important to just keep in mind that it was extremely limited in terms of scope, impact and duration,” Das said. “In order for these documents that were meant to be private to be publicly accessible, you would actually have to go into the BoardDocs application and do a fairly specific search.”

‘How am I reading this?’

It’s likely that some of the documents that may have been exposed would be those dealt with during school boards’ executive sessions, where to discuss sensitive or privileged subjects. These include personnel matters and employee disciplinary issues; litigation involving plaintiffs, often parents, alleging wrongdoing; union contract negotiations and pending real estate transactions.

Internal records from executive sessions were made publicly accessible in the Lower Merion breach, according to the school district’s lawyer. A parent who came upon a trove of confidential memos told the Inquirer the discovery felt “weird;”  “I was like, ‘Wait, how am I reading this?’”

Denise Marshall, chief executive officer of the nonprofit Council of Parent Attorneys and Advocates, which works to protect the legal and civil rights of students with disabilities and their families, said the breach was “a great concern” because school boards regularly discuss sensitive issues concerning these children. It’s unclear whether BoardDoc files related to special education services were compromised.

“We know of instances where families have been retaliated against because of information that’s been shared and made public through one means or another from board meetings,” she said. “It’s important that the school boards, and, of course, BoardDocs, take every effort to ensure that privacy is safeguarded.” 

The vulnerability at BoardDocs is the latest example of how school districts’ reliance on third-party technology vendors for critical systems can introduce weaknesses and put sensitive information about students, parents and educators at risk. Last week, 19-year-old Matthew Lane for his role in a recent cyberattack on education technology behemoth PowerSchool, which led to a data breach exposing the personal information of millions of students, parents and teachers globally. The PowerSchool cyberattack and subsequent data breach has prompted dozens of lawsuits filed by parents, students and school districts. 

The National School Boards Association, which represents more than , didn’t respond to requests for comment from The 74. On , the trade group gave a “special shout out to BoardDocs” for their “generous support” of the nonprofit’s 85th anniversary celebration.

BoardDocs doesn’t list its fees on its website. The New York State School Boards Association that the tool is available “for as little as $3,000 per year and a one-time $1,000 start-up fee.” 

School cybersecurity expert Doug Levin, co-founder and national director of the nonprofit K12 Security Information eXchange, said the BoardDocs incident is a cautionary tale for both school districts and their vendors. 

“Any reasonable person if, upon selecting a setting to private, would presume that it would not be searchable,” Levin said. “I certainly don’t fault anyone for taking a private setting at face value.”

Not trying ‘to hide the issue here’

After a large urban school district quizzed the company about the news out of Lower Merion, Diligent acknowledged in a notice obtained by ĂŰĚŇÓ°ĘÓ that the district’s private records “could have been returned as part of a public search result if specific search terms were used.”

“Our investigation determined that your organization’s BoardDocs site had documents” in the accessible private folder, MarKeith Allen, Diligent’s chief customer officer, wrote in an email to the district earlier this month. 

The record was provided to ĂŰĚŇÓ°ĘÓ on the condition that the district not be named. 

In addition to a general notification to all its customers, Das, Diligent’s chief legal and chief administrative officer, said that for “customers we believed could have been impacted,”  the company “sent them a different communication, obviously letting them know of that situation.” Das declined to provide copies of those communications to ĂŰĚŇÓ°ĘÓ and said the company is not required to notify impacted individuals under any state-level breach notification laws. 

“We did also have a process of doing some direct outreach to impacted clients like picking up the telephone and calling them, and so I guess I am surprised to hear that there might be clients who weren’t aware of the situation until you reached out,” said Das, who noted the company does not plan to release a public statement about the breach. “The goal was not to try to hide the issue here.”

Amy Buckman, the Lower Merion school district spokesperson, said in a statement that Diligent “admitted there had been an error by their company in protecting confidential documents stored on their site and said immediate corrective action would be taken.” Still, Buckman said the district put Diligent on notice that it “would hold BoardDocs responsible for any damages resulting from the breach.”

This isn’t Diligent’s first time responding to a data breach involving sensitive information. In 2022, the company suffered a cyberattack and subsequent breach involving a tool unrelated to its work with schools, with affected customers . That incident prompted at least three federal class action lawsuits, which led to court settlements. 

Officials with school districts across the country that contract with BoardDocs, including in Scottsdale, Arizona, and at the Illinois State Board of Education, told ĂŰĚŇÓ°ĘÓ they hadn’t received notices about the incident. 


“At this point in time we have no information on this topic,” Barth Paine, the spokesperson for California’s Fremont Unified School District, wrote to ĂŰĚŇÓ°ĘÓ. “Please email us back if you have more details about our specific District. We are now investigating this issue.”

Wisconsin District Sues Ed Tech Giant PowerSchool After Massive Data Breach
/article/wisconsin-district-sues-ed-tech-giant-powerschool-after-massive-data-breach/
Tue, 11 Mar 2025 22:30:24 +0000

The St. Croix Falls, Wisconsin, school district against education software behemoth PowerSchool Tuesday, kicking into motion a national campaign to hold the company accountable for what cybersecurity experts predict is among the largest student data breaches in history.

The lawsuit is one in a barrage of legal challenges that have emerged since the company announced in early 2025 it was the target of a December cyberattack that, , led to a global breach of some 62.4 million students’ and 9.5 million educators’ personal information. Though the company hasn’t acknowledged how many people were affected, exposed sensitive files Social Security numbers, special education records and detailed medical information.




The St. Croix Falls breach of contract, unjust enrichment and false advertising, which sets it apart from other class action lawsuits charging negligence against the education technology company whose cloud-based student information system dominates the K-12 market.

“At the end of the day, we believe that there were fraudulent misrepresentations made to the clients to induce them to go and be in these contracts with PowerSchool,” attorney William Shinoff, whose firm represents the St. Croix Falls district, told ĂŰĚŇÓ°ĘÓ in an interview.

PowerSchool spokesperson Beth Keebler said in a statement the company “acted swiftly and effectively to protect our customers in compliance with the law.”

“PowerSchool believes the claims are without merit and will defend itself,” Keebler said. “However, our focus as a business continues to be our customers, ensuring they have the information and support they need while informing them of the steps we have taken to set a higher standard in cybersecurity for the entire industry.”

Students and parents nationwide have filed more than 30 federal class action lawsuits against PowerSchool in connection to the December breach. The lawsuits, which could soon be consolidated, collectively allege PowerSchool was negligent when it failed to protect sensitive data and opened victims to potential identity theft. 

But because these center on the data breach’s potential for future harms, legal experts said, the cases could be dismissed almost as quickly as they were filed. The lawsuit filed by St. Croix Falls schools, meanwhile, alleges PowerSchool broke contractual obligations to keep data secure — and failed to provide schools the services they were promised. 

“A cornerstone of the commercial relationship between” the school district and the company was educators’ “reliance on PowerSchool’s representation that it would adequately protect” students’ and educators’ sensitive information, according to the complaint filed in federal district court in Sacramento. Instead, PowerSchool “has done little to help” the school district and people whose information was compromised. 

Courts nationwide could soon be flooded with similar complaints. Shinoff said his firm, the Frantz Law Group, plans to “file thousands” of them on behalf of school districts across the country. The precise number of districts affected by the breach is unknown. 

“What I can tell you is we’ve already spoken to hundreds of districts,” Shinoff said. “Our hope is that they will all get involved in this to ensure that PowerSchool is held accountable, that they can ensure that this information moving forward is indeed protected, and to make sure they’re reimbursed these public dollars that were spent for their programs.” 

Shinoff represents large groups of school districts in several recent high-profile lawsuits, including against Facebook’s and Instagram’s and the . The lawsuits alleging that the social media giant Meta exacerbated the youth mental health crisis involve nearly 1,000 districts, according to the firm. 

PowerSchool has the hacker used a compromised password belonging to “an authorized support engineer” to breach PowerSource, its customer support portal for school staff seeking help with its software tools. The PowerSource portal reportedly lacked multi-factor authentication, according to and other records obtained by NBC News. 

The full audit, , found its systems were breached in August — months earlier than previously disclosed — but couldn’t say for certain it was by the same threat actors. 

The company “failed to implement the bare minimum security measures that are commonly utilized by similarly situated companies,” the complaint alleges. “Something as simple as providing for a multi-factor authentication log-in method would have been easily accomplished and would have prevented the Data Breach altogether.”

The that the Wisconsin district is accusing PowerSchool of breaching requires that the company employ multi-factor authentication and data encryption, standard industry security measures. Its reported failure to do so also made PowerSchool one of only a handful of companies to be removed from the Student Privacy Pledge, a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children. The company was Feb 13.

In an earlier statement to ĂŰĚŇÓ°ĘÓ, Keebler, the PowerSchool spokesperson, said the company “has and will continue to implement [multi-factor authentication] across all internal systems as part of its robust and ongoing security protocols.” 

“PowerSchool is accessed by tens of thousands of customers, posing challenges to MFA management,” the statement continued. “However, following the incident, PowerSchool has implemented additional hardening efforts, including MFA for any PowerSchool employee and contractor access to customer data on PowerSource.” 

‘Devil and the deep blue sea’

Despite PowerSchool’s promise to bolster security measures, its customer districts have lost confidence in the company, attorney Mark Williams, who is assisting school districts in filing suits against the company, told ĂŰĚŇÓ°ĘÓ. 

But because its student information system plays such a significant role in day-to-day operations — and contains so much information about students — he said that switching to a competitor could become a logistical nightmare. 

“Many school districts are between the devil and the deep blue sea,” Williams said. “Many of them don’t have confidence in PowerSchool to secure their data but they are very hesitant to change the vendor of their [student information system] because it is extraordinarily expensive and burdensome to do so.” 

While the company may not be a household name — save for a flood of recent press following the breach — its student information system is one of the largest ed tech services in the U.S. with teachers nationwide using it every day to track grades, attendance and other performance metrics. 

The company claims its software is used to support the learning for 60 million students globally at more than 18,000 institutions, including 90 of America’s 100 largest school districts. 

PowerSchool was by the Boston-based private equity firm Bain Capital for $5.6 billion. The company, which also owns the college- and career-readiness platform , has acquired , such as Schoology and SchoolMessenger, in recent years, furthering its reach into the nation’s K-12 classrooms.

Williams is the author of the central to the Wisconsin district’s claims against PowerSchool. Created by the , a collaborative effort between school districts and technology vendors to keep students’ information secure, the agreement is used by school districts in more than half of states to ensure the tech companies they contract with — — follow stringent security practices. 

Among its provisions is a requirement for companies to notify school district customers within 72 hours of learning data was accessed or obtained by an unauthorized third-party like a hacker. 

PowerSchool was reportedly unaware it had fallen victim to the December attack until the hacker came forward with a ransom demand, according to NBC’s reporting. The company then paid the hacker an undisclosed sum to prevent the stolen records from being shared publicly, the outlet reported, and was given a video by the threat actor apparently deleting the stolen files in their possession. 

Through the agreements, PowerSchool also vowed to “abide by and maintain adequate data security measures, consistent with industry standards” for the storage of sensitive records. 

Williams accused the company of breaching those requirements — laying the groundwork for a first-of-its-kind legal battle for the data privacy consortium. 

“We just felt that at some point you have to police the process, at some point you have to draw a red line,” Williams told ĂŰĚŇÓ°ĘÓ. “We’ve got to protect the contract because it protects schools and it protects kids. So that’s not negotiable for us.” 

Given the difficulty school districts face in migrating to different student information services, St. Croix Falls seeks a commitment from PowerSchool — and court-ordered accountability — to ensure the company follows stringent cybersecurity standards in the future, said Shinoff, its attorney.

“At this point their word, to us, can’t be trusted,” Shinoff said. “For them to have someone that they’re reporting to for a period of time is something that’s essential — especially when we’re dealing with thousands and thousands of districts across the country.”

Data practices under a microscope

Prior to the data breach, PowerSchool positioned itself as a national leader in K-12 education data security — and its CEO appeared at a White House event in 2023 to boast of its efforts to keep students’ personal information out of the hands of malicious actors. 

As an early adopter of a to design products with security at the forefront, CEO Hardeep Gulati spoke alongside then-First Lady Jill Biden at the first-ever White House summit on K-12 school cybersecurity, where PowerSchool and other technology companies highlighted the need to strengthen digital safeguards at schools nationwide. 

Watch: PowerSchool CEO Hardeep Gulati speaks at the first-ever White House summit on K-12 cybersecurity in 2023.

During the event, the company free webinars, training videos and other resources to help schools better secure their systems. 

In the year prior to the summit, Gulati said, the company successfully fended off 1 billion cyberattacks on its servers while ensuring schools were kept safe through a “relentless investment and focus on every element of security.” 

Now, the company has found itself under scrutiny by the tech industry, lawmakers and other elected officials. In North Carolina, state Attorney General Jeff Jackson into the PowerSchool breach, which exposed the sensitive information of nearly 4 million people in his state, “to determine if they broke any laws.”

The company is also facing bipartisan federal questioning. In , senators from New Hampshire, Indiana and Oklahoma blasted PowerSchool for maintaining inadequate cybersecurity measures and accused it of offering delayed notifications and insufficient information to affected individuals. 

“School district leaders who we have spoken with raised serious concerns about delays in your company’s response to the cybersecurity incident, including delayed notifications to impacted schools,” wrote Sens. Maggie Hassan, Jim Banks and James Lankford. Sufficient use of basic cybersecurity safeguards like multi-factor authentication, they wrote, could have prevented the breach. 

PowerSchool says it will provide two years of identity protection services to students and educators affected by the breach and credit monitoring services to “adult students and educators.” Keebler, the PowerSchool spokesperson, said in the statement the company has seen “no evidence of fraud or further misuse of the information involved to date.”

But the senators wrote that PowerSchool “has not clearly communicated a date by which impacted individuals will receive” the services. 

“Your delayed and unclear communication is unacceptable,” the letter continued, “especially given the sensitive nature of the personal data that was stolen.”

Information PowerSchool takes is ‘virtually unlimited’

Even before the breach, PowerSchool has faced criticism for its data collection, use and security practices. In the last five years, it has been named as a defendant in numerous federal lawsuits related to its data collection and use practices, a review of federal court records shows.

They include complaints accusing the company of subjecting people to persistent and unsolicited robocalls and of failing to properly identify children experiencing homelessness.

One brought by a Seattle mother and former middle school teacher accuses the company of selling student data collected through Naviance and other services to more than 100 third-party “partners” with inadequate consent from students or their parents. That lawsuit, filed in May 2024 in San Francisco, also alleges the company has leveraged the data it collects on students to train an AI chatbot. 

Emily Cherkin

“The information PowerSchool takes from students is virtually unlimited,” the complaint alleges. “It includes everything from education records and behavioral history to health data and information about a child’s family circumstances. PowerSchool collects this highly sensitive information under the guise of educational support, but in fact collects it for its own commercial gain.”

In a motion to dismiss the lawsuit, PowerSchool’s attorneys claimed Cherkin’s complaint relied on “broad, general social critiques condemning surveillance capitalism, cybercrimes and manipulative digital product design, in an apparent attempt to mask that they cannot make specific allegations of wrongdoing by PowerSchool.” 

Keebler, the company spokesperson, denied Cherkin’s claims that it sells data or uses personal data to train its chatbots. 

But Cherkin argues the vast amount of data PowerSchool collects and shares about millions of students has made it an attractive target for cybercriminals — and should have been a red flag all along. She compared PowerSchool’s business model to that of social media companies that are built to amass and monetize user data.

“I’m truly not at all shocked that this happened,” she said of the breach. “The only way, really, to keep data safe is to not collect it and stockpile it in the first place.”

Seattle-Area Schools Say Survey Saved Lives. Then They Released Student Data
/article/seattle-area-schools-say-deeply-personal-survey-saved-lives-then-they-released-student-data/
Wed, 12 Feb 2025 11:30:00 +0000
Eamonn Fitzmaurice/ĂŰĚŇÓ°ĘÓ

“I used to be pretty suicidal last summer and I tried to commit suicide about two times.”

Since 2018, more than 36,000 students across the Seattle region have shared their hopes, fears and family secrets in an online questionnaire called Check Yourself. 

“My dog has … untreatable cancer and my great grandma died a week ago.”

“Some time i harm my self by not eating cause i don’t really like my body.”

Questions peer into students’ sexual preferences and romantic lives — even which gender they’re “most likely to have a crush on.” It’s the kind of information a 12-year-old might not tell their best friend.

“Do my parents see this survey?”

Districts promise students their answers to over 50 personal questions will be kept confidential. But a group of parents has been able to obtain reams of sensitive survey data from multiple districts through the state’s .

One of them, Stephanie Hager, is on a six-year crusade to expose what she considers to be the program’s lack of privacy safeguards. To prove her point, the former Microsoft program manager said she correctly identified six students based on nothing more than details they provided in the survey and a simple Google or social media search. 

“We know their school, gender, age on a certain date, grade level, language they speak, their dogs’ names, friends’ names, race, their unique interests, what sports they play, if they are religious, and anything else they feel like writing in — plus their whole mental health record,” said the Snoqualmie Valley mother of four, whose son took the survey in 2019.

“I can’t imagine any parent saying OK to that.”

Researchers at Seattle Children’s Hospital and the University of Washington developed the Check Yourself program to better identify students in middle and high school silently suffering from depression, substance abuse or suicidal thoughts. 

Supported by a voter-approved encompasses Seattle, more than $21 million since 2018. The funds help pay for mental health counseling for students and to track trends across the 13 districts that participate. Seven schools in Spokane County, in eastern Washington, and a few districts in Oregon also use Check Yourself.

Backers of the survey have a simple defense: It saves lives.

Valerie Allen, director of social services and mental health in the Highline district, told ĂŰĚŇÓ°ĘÓ of a student who jumped into a pond at a city park in 2022 carrying a backpack laden with weights. The boy went missing after an argument with his dad. The family, Allen said, turned to a school counselor who had started meeting with the student after Check Yourself responses showed he was suicidal. The counselor tipped off police to the pond, the kid’s favorite spot, where they arrived just in time to save him.

The question of whether results like this justify the potential pitfalls has mired the program in controversy since its inception.

“The ultimate protection” against privacy risks is not to do the survey, said Evan Elkin, who helped adapt it for schools and serves as executive director of Reclaiming Futures, a project at Portland State University. But, he asks, is ending the program “worth the lives that you lose?” Officials said they could not determine the number of suicides prevented due to the survey.

For Hapsa Ali, a 2023 Highline district graduate, Check Yourself came at the right time. She suffered from “really bad social anxiety” and wasn’t getting along with her mom. Based on her answers, the school connected her to a counselor who regularly checked in on her, texting once a week.

“She was my safe space,” Ali said.

The clash over Check Yourself falls at the intersection of social forces that have only intensified since the pandemic. are experiencing extreme emotional and psychological stress. While show some improvement since 2021, 30% of 10th graders still say they have persistent feelings of depression and 15% reported thoughts of suicide, according to . 

At the same time, school districts house massive amounts of sensitive personal data and rely heavily on ed tech, making them prime targets for hackers. The Highline district, for example, closed for three days in September because of a . Nationally, more than doubled in 2023. Online mental health surveys also face backlash from activists and , who find them frequently intrusive, inappropriate and removed from school’s main purpose. 

“Schools are really under a huge amount of pressure to address student mental health,” said Isabelle Barbour, a consultant who developed a school-based mental health program for the state of Oregon. “But when they try to adopt something that can work in their setting, it brings up all of these other pressure points around privacy.”

‘I shouldn’t be seeing this’

The survey, which takes about 12 minutes to complete, leads students through a series of prompts, from simple tasks such as listing their top goals for the year to deeply personal queries like, “During the past year, did you ever seriously think about ending your life?”

Parents get two chances to opt their children out of the screener, and students can also decline to complete it on the day of the survey. But districts reveal nothing that would alert anyone to its potential risks. Quite the contrary. promotes it as a “successful, proactive approach to providing support to students.” “personalized feedback and strategies for staying healthy.”

In fact, assure parents that only counselors or other “relevant” staff can view individual students’ responses, which are stored on a “secure” platform by Tickit Health, a Canadian company. To participate in the county-led program, districts must sign an agreement saying they will remove all “potentially identifying” student data before submitting records to the county, which uses the information to evaluate the program’s effectiveness and respond to students’ needs. Districts promise that county officials and researchers only see.

But an investigation by county ombudsman Jon Stier, triggered by parents’ concerns, suggests this hasn’t always been the case. A report released last summer revealed that in the program’s early years, county officials were able to connect student names to their responses, although Stier said that practice has ended.

The issue of the survey’s confidentiality first emerged publicly in 2022, when 10 districts released spreadsheets of student answers in response to a public records request from a . Snoqualmie Valley parents asked districts for additional information, released as recently as February 2024, which they shared exclusively with ĂŰĚŇÓ°ĘÓ. 

A handful of districts concealed some personal details. But several redacted little, if anything.

This could put districts in violation of federal , which require districts to gain parental consent or remove all identifying information from records before releasing them publicly. 

Privacy experts say that wiping information such as race, home language and favorite activities from a document in order to make it is no easy task. But without such measures, a combination of answers could identify a student, in the language of the law, “with reasonable certainty.”

Sometimes, just a simple data point can expose a student’s identity.

During the 2021-22 school year, for example, only one student in the Kent district who took the survey identified as being part of the Muckleshoot tribe, which has about statewide.

Most survey questions are multiple choice. But 13 allow students to write open-ended responses — and it is these answers that experts say vastly increase the chances of identifying potential students. 

At ĂŰĚŇÓ°ĘÓ’s request, Amelia Vance, president of the Public Interest Privacy Center, reviewed an Excel document with answers from more than 900 students in the Auburn district from the 2021-22 school year — details that included random factoids like a preference for techno music and proficiency in math, as well as very private revelations such as conflicts at home and incidents of self-harm. 

“I shouldn’t be seeing this spreadsheet,” Vance said. “It feels like everybody’s sticking their head in the sand about what the consequences could be.” 

Districts ‘caught off guard’

Marc Seligson, a King County spokesman, insisted that “student data security is paramount,” but that responsibility for interpreting privacy laws falls to the districts.

“We can’t give them legal advice. Each district has their own lawyer,” said Margaret Soukup, the county’s youth, family and prevention manager, who oversees the program.

She said she was shocked districts released records to parents. “I was very upset because I didn’t even think that that was a possibility.”

ĂŰĚŇÓ°ĘÓ reached out to the nine King County districts that released records to the public and still use Check Yourself.

Five didn’t respond, and a spokeswoman for Auburn declined to comment. Conor Laffey, a spokesman for the Snoqualmie Valley district, said officials there worked with the county to “safeguard confidential student information” and consulted the district’s legal counsel before releasing spreadsheets. He declined to elaborate.

Tahoma School District Superintendent Ginger Callison, a former Snoqualmie Valley official, said she didn’t remember details about past disclosures and is “confident” that in the future, “nothing will get released that isn’t allowed or required.”

A Seattle spokeswoman noted that records went through “multiple layers of review to remove potentially identifiable comments within student responses.” But the district didn’t redact very specific details about some students, like the one obsessed with reptiles who wanted a pet frog and another who speaks English, Russian, Spanish and sometimes Samoan. The district did not comment on why it included such information in the spreadsheet of students’ answers.

ĂŰĚŇÓ°ĘÓ also contacted , a University of Washington researcher who helped develop the survey and now evaluates the King County program. She said districts are obligated to protect “the confidentiality of student information,” but directed further questions to the county.

Parents say the county also bears responsibility for students potentially being exposed. 

Hager, Check Yourself’s most outspoken parent critic, obtained an email thread through an open records request that shows officials were well aware of the survey’s potential privacy pitfalls. In one email, a former Tickit Health executive warns county officials that if a student “were to enter identifiable information in the free-text sections, theoretically this would be accessible.”

One wrinkle in King County’s privacy dispute is that Washington has one of the strongest. In 2016, for example, the state Supreme Court upheld over half a million dollars in in a case against a state agency that was slow to turn over records. 

Elkin, from Portland State University, said districts were “caught off guard and panicked” when they received the open records requests. 

But the Washington districts are no different than many others nationally that currently find themselves fielding more public record requests than ever before — often from watchdogs like Hager or activists investigating curriculum materials they believe to be inappropriate. Spurred on by conservative groups like Parents Defending Education and Moms for Liberty, repeat filers dig for lesson plans, teacher training materials and financial records — particularly those relating to transgender issues and diversity, equity and inclusion.

Allen Miedema, executive director of the Northshore district’s technology department, said the districts that use Check Yourself could “do a better job of letting parents know” about the purpose of the survey.

If staff members failed to conceal student identities, he said, it’s often because they’re “swamped” with requests for documents and lack clear guidance from state or county officials on what’s allowed to be included.   

‘Survey gets dark very fast’

School leaders insist the danger is largely hypothetical.

Officials in King County, and from six districts that responded to a request from ĂŰĚŇÓ°ĘÓ, said they’ve received no reports of cyberthieves or child predators gaining access to Check Yourself and using results to target students.

They point to internal  showing that students feel more connected to school when they’re referred to an “intervention” after taking the survey. In focus groups, students expressed “favorable opinions” about the screener. In  of almost 400 students referred to a staff member after completing Check Yourself, the percentage saying that an adult at school listens, cares and tells them they do a good job increased. 

“The tool has been indispensable in pinpointing students who would benefit from urgent extra help — some of whom we never would have known were struggling,” said Laffey, the Snoqualmie Valley district spokesman.

But that doesn’t satisfy Hager.

She is among more than 20 Snoqualmie Valley parents who started asking questions about the program after the warned in 2018 that “malicious use” of sensitive student data could lead to identity theft and “help child predators identify new targets.”

Hager, who attended school in King County, doesn’t have to imagine what it’s like to be preyed on by a trusted adult. In seventh grade, she said she was a victim of sexual misconduct involving a male teacher. 

“I know the FBI’s scenarios are real,” she said.

Stephanie Hager, standing left, is among more than 20 Snoqualmie Valley parents who have complained to King County officials about the Check Yourself screener. (Courtesy of Stephanie Hager)

She points to students’ written reflections on the survey as proof that some find the questions disturbing.

“This survey gets dark very fast especially for a child.”

“Why does it act like I’m constantly breaking the law? I’m 12.”

Many students expressed particular concern about questions related to sex and gender. One 12-year-old wrote:

“Female but kinda non binary sorta questioning but not? (Don’t tell my parents).”

Seligson, the King County spokesman, said the survey asks such questions because LGBTQ kids “are one of our most vulnerable populations.” State data released in 2023 showed that were nearly twice as likely as other students to report “depressive feelings.” 

The unease some students expressed about Check Yourself was echoed by several district staffers.

In 2019, an official in the Tukwila district, south of Seattle, wrote in that the survey was “causing considerable angst” and that with many “vulnerable” and “traditionally marginalized” families, educators didn’t want to “create unnecessary harm.”

That same year, a Seattle school counselor called it a “super personal survey,” according to an email The 74 obtained through a public records request. She questioned why the district needed the information and whether it would be able to keep it confidential.

A Seattle school counselor was skeptical of the Check Yourself survey in 2019, according to an email The 74 obtained through a public records request.

‘Absolute data privacy is a fantasy’

To be sure, not all King County parents have a problem with Check Yourself.

Erica Thomson, who works for a cloud communications company, said the notion of “absolute data privacy is a fantasy.”

She has two boys in the Seattle schools, one who is transgender and the other who has ADHD, and appreciates that the program gets her children to open up.

“Kids do not tell parents everything,” Thomson said. “Sometimes it is because they love their parents too much and do not want them to worry or suffer.”

Some students write that they appreciate the survey experience, which includes targeted recommendations based on their answers. A student who reports using marijuana, for example, will get facts about how it negatively affects memory and mental and physical health.

Check Yourself gives students responses that are tailored to the answers they submit. (Tickit Health)

Ali, the former student who found Check Yourself beneficial to her well-being, had a distinctly nuanced take on her experience.

While praising the personal attention she received from a counselor,  Ali described a “rowdy” atmosphere in the sixth-period history classroom where she took the survey, with classmates buried in their phones and chatting with friends. It made it difficult to express some of the conflicts she was experiencing at the time. 

“It was a bunch of juniors just goofing off. I was sitting next to my friend, and she would just ask me, ‘Oh, what did you answer?’” she said. The atmosphere, she added, “felt like it wasn’t as serious as it should have been.”

Highline Public Schools is one of more than a dozen King County, Washington, school districts that uses the Check Yourself screener. Students typically take the survey during a regular class period. (Highline Public Schools)

The information is ‘too valuable’

As King County parents and school officials debate the merits and risks of Check Yourself, other districts have managed to use the program with relative ease.

In Oregon’s Hillsboro district, students’ responses stay on the Tickit platform — unavailable to outside evaluators or the public at large.

Spokane County officials not only eliminated questions about sexual orientation and romantic attractions, but also removed open-response fields.

“Why is it necessary for us to have that information?” asked Justin Johnson, who leads community services for Spokane. Additionally, clinicians monitor the administration of the survey in classrooms, allowing the results to be covered by . 

But Soukup, the King County official who oversees the program, said districts there find the write-in answers “too valuable” to do without because students often use them to open up about their problems.

For some King County districts, however, Check Yourself simply proved to be too much.

The Lake Washington district pulled out of the program three years ago and instead contracts with full-time mental health specialists to respond to students’ needs.

The intensely personal questions — and the resulting risk of privacy violations — also helped push the Bellevue school system to drop it in 2019. 

Officials opted for , and because of their sensitive nature, results are “considered some of the most privileged data the district has,” said Naomi Calvo, who served as Bellevue’s director of research, evaluation and assessment until 2023. “I didn’t even have access to it.”

Calvo understands why districts jumped to implement Check Yourself and most continue to use it. “Students have needs that were going unaddressed and there is a dearth of options available,” she said. 

But as a mental health professional with a young son at the time, she felt skeptical. 

“As a researcher, I believe in surveys,” she said. “But I would not have let my child take that survey.”

This story was co-published with .

If you or someone you know is having thoughts of suicide, call or text 988 to reach the National Suicide Prevention Lifeline. Additional resources are available at . For LGBTQ mental health support, you can contact The Trevor Project’s toll-free support line at 866-488-7386.

Free, confidential treatment referral and information is available in English and Spanish at 800-662-4357, the Substance Abuse and Mental Health Services Administration’s National Helpline.

The Story Behind the Story: How I Investigated More Than 300 Cyberattacks

Sat, 08 Feb 2025 13:30:00 +0000

School (in)Security is our biweekly briefing on the latest school safety news, vetted by Mark Keierleber.

It was October 2022 when Los Angeles schools Superintendent Alberto Carvalho made a false assurance about a massive ransomware attack on the country’s second-largest school district — and the leak of thousands of highly sensitive student mental health records — that set me off.

Published reports that the breach exposed students’ psychological evaluations, Carvalho said, were “absolutely incorrect.” The dark web proved otherwise: On a shady corner of the internet, I revealed, hackers used the detailed, very confidential records about Los Angeles children as leverage in a sick ploy for money. After my story ran, L.A. schools acknowledged publicly that some 2,000 student psych evals were indeed exposed by the Vice Society ransomware gang. 

And so began my descent down the rabbit hole, marking the early days of an in-depth investigation I published Tuesday and supported by a grant from the .

What I found is that as educators take steps to protect themselves, their school districts and their reputations after cyberattacks, they employ a pervasive pattern of obfuscation that leaves students, parents and teachers — the real victims of the hacks and subsequent data breaches — in the dark.

I spent a year (OK, more than a year) learning everything I could about more than 300 K-12 school cyberattacks since the pandemic pushed students into online learning and educators became lucrative targets for hackers. I reconfigured a crappy old laptop to track ransomware gangs on the dark web and to analyze the reams of sensitive files published to their sketchy leak sites. I obtained thousands of public records from more than two dozen school districts. I used the government procurement database GovSpend to uncover school spending after attacks, including ransom payments made to cyberthieves in Bitcoin. I scoured news reports, state data breach disclosures and district websites for public confirmations and, oftentimes, denials — sometimes even after their students’ and employees’ personal information had already been published. 

My reporting documented that educators routinely offered incomplete, misleading or downright inaccurate information about cyberattacks — and the risks that subsequent data breaches pose to students, parents and teachers for identity theft, fraud and other forms of online exploitation. 

The hollowness in schools’ messaging and the mechanisms that leave school communities clueless are no coincidence. Staring down a cyberattack and the prospect of being sued over the leak of sensitive information, school leaders turn to insurance companies, consultants and privacy lawyers to steer “privileged investigations,” which keep key details hidden from the public. Often contacted before the police, the paid consultants who arrive in the wake of a cyberattack are portrayed to the public as an encouraging sign, trained to handle the bad actors and restore learning.

But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them. 

School cybersecurity expert Doug Levin had this to say about our investigation: “For institutions whose mission is to lift up and protect children and youth, it is unconscionable that they are incentivized to cover up the criminal acts perpetrated against them by malicious foreign actors.”

K-12 cyberattacks in focus: Now you can fall down the school cyberattack rabbit hole, too! Use our new search feature to read about how incidents unfolded in your own community, complete with investigative reveals you won’t want to miss. 


Emotional support

This story was brought to you with invaluable editing and guidance from The 74’s Kathy Moore.

And Matilda.

Kept in the Dark: Meet the Hired Guns Who Ensure School Cyberattacks Stay Hidden

Tue, 04 Feb 2025 09:01:00 +0000

This article is published in partnership with

Schools have faced an onslaught of cyberattacks since the pandemic disrupted education nationwide five years ago, yet district leaders across the country have employed a pervasive pattern of obfuscation that leaves the real victims in the dark, an investigation by The 74 shows.

An in-depth analysis chronicling more than 300 school cyberattacks over the past five years reveals the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents and staff about the security of their sensitive information. At the same time, consultants and lawyers steer “privileged investigations”, which keep key details hidden from the public. 

In more than two dozen cases, educators were forced to backtrack months — and in some cases more than a year — later after telling their communities that sensitive information, which included, in part, special education accommodations, mental health challenges and student sexual misconduct reports, had not been exposed. While many school officials offered evasive storylines, others refused to acknowledge basic details about cyberattacks and their effects on individuals, even after the hackers made student and teacher information public. 

Ransomware gangs that target schools, including Rhysida, upload stolen files to leak sites on the dark web to coerce payments from their targets. (Screenshot)

The hollowness in schools’ messaging is no coincidence. 

That’s because the first people alerted following a school cyberattack are generally not the public nor the police. District incident response plans place insurance companies and their phalanxes of privacy lawyers first. They take over the response, with a focus on limiting schools’ exposure to lawsuits by aggrieved parents or employees. 

The attorneys, often employed by just a handful of law firms — dubbed by one law professor for their massive caseloads — hire the forensic cyber analysts, crisis communicators and ransom negotiators on schools’ behalf, placing the discussions under the shield of attorney-client privilege. is for these specialized lawyers, who work to control the narrative.

The result: Students, families and district employees whose personal data was published online — from their financial and medical information to traumatic events in young people’s lives — are left clueless about their exposure and risks to identity theft, fraud and other forms of online exploitation. Told sooner, they could have taken steps to protect themselves.

Similarly, the public is often unaware when school officials quietly agree in closed-door meetings  to pay the cybergangs’ ransom demands in order to recover their files and unlock their computer systems. Research suggests that has been fueled, at least in part, by insurers’ willingness to pay. Hackers themselves have that when a target carries cyber insurance, ransom payments are “all but guaranteed.” 

In 2023, there were 121 ransomware attacks on U.S. K-12 schools and colleges, according to , a consumer-focused cybersecurity website whose researchers acknowledge that number is an undercount. An analysis by the  reported 265 ransomware attacks against the education sector globally in 2023 —  a 70% year-over-year surge, making it "the worst ransomware year on record for education."

Daniel Schwarcz, a University of Minnesota law professor, wrote criticizing the confidentiality and doublespeak that shroud school cyberattacks as soon as the lawyers — often called breach coaches — arrive on the scene. 

“There’s a fine line between misleading and, you know, technically accurate,” Schwarcz told The 74. “What breach coaches try to do is push right up to that line — and sometimes they cross it.”

When breaches go unspoken

The 74’s investigation into the behind-the-scenes decision-making that determines what, when and how school districts reveal cyberattacks is based on thousands of documents obtained through public records requests from more than two dozen districts and school spending data that links to the law firms, ransomware negotiators and other consultants hired to run district responses. It also includes an analysis of millions of stolen school district records uploaded to cybergangs’ leak sites.

Some of students’ most sensitive information lives indefinitely on the dark web, a hidden part of the internet that’s often used for anonymous communication and illicit activities. Other personal data can be found online with little more than a Google search — even as school districts deny that their records were stolen and cyberthieves boast about their latest score.

The 74 tracked news accounts and relied on its own investigative reporting in Los Angeles, Minneapolis, Providence, Rhode Island and St. Landry Parish, Louisiana, which uncovered the full extent of school data breaches, countering school officials’ false or misleading assertions. As a result, district administrators had to publicly acknowledge data breaches to victims or state regulators for the first time, or retract denials about the leak of thousands of students’ detailed psychological records.

Threat actors use ransom notes to intimidate school officials into making payments, such as this one to Alaska educators after a 2023 attack. (Screenshot)

In many instances, The 74 relied on mandated data breach notices that certain states, like Maine and California, report publicly. The notices were sent to residents in these states when their personal information was compromised, including numerous times when the school that suffered the cyberattack was hundreds, and in some cases thousands, of miles away. The legally required notices repeatedly revealed discrepancies between what school districts told the public early on and what they disclosed to regulators after extensive delays.

Some schools, meanwhile, failed to disclose data breaches, which they are required to do under state privacy laws, and for dozens of others, The 74 could find no information at all about alleged school cyberattacks uncovered by its reporting — suggesting they had never before been reported or publicly acknowledged by local school officials.

Education leaders who responded to The 74’s investigation results said any lack of transparency on their part was centered on preserving the integrity of the investigation, not self-protection. School officials in Reeds Spring, Missouri, said when they respond “to potential security incidents, our focus is on accuracy and compliance, not downplaying the severity.” Those at Florida’s River City Science Academy said the school “acted promptly to assess and mitigate risks, always prioritizing the safety and privacy of our students, families and employees.”

In Hillsborough County Public Schools in Tampa, Florida, administrators in the nation’s seventh-largest district said they notified student breach victims “by email, mail and a telephone call” and “set up a special hotline for affected families to answer questions.”

Hackers have exploited officials’ public statements on cyberattacks to strengthen their bargaining position, a reality educators cite when endorsing secrecy during ransom negotiations.

“But those negotiations do not go on forever,” said Doug Levin, who advises school districts after cyberattacks and is the co-founder and national director of the nonprofit K12 Security Information eXchange. "A lot of these districts come out saying, 'We're not paying,'” the ransom.

“All right, well, negotiation is over,” Levin said. “You need to come clean."

Records obtained by The 74, including from a 2020 school district cyberattack in Somerset, Massachusetts, show that third-party consultants help craft educators' public messaging about cyberattacks. (Screenshot)

Confidentiality is king

The paid professionals who arrive in the wake of a school cyberattack are held up to the public as an encouraging sign. School leaders announce reassuringly that specialists were promptly hired to assess the damage, mitigate harm and restore their systems to working order. 

This promise of control and normality is particularly potent when cyberattacks suddenly cripple school systems, for days and disable online learning tools. News reports are fond of saying that educators were forced to teach students “

But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them.

The extent to which this involves keeping critical information out of the public’s hands is made clear in the advice that Jo Anne Roque, vice president of risk services account management at Poms & Associates Insurance Brokers, gave to leaders of New Mexico’s Gallup-McKinley County Schools after a 2023 cyberattack.

Tseʼ Yiʼ Gai High School, Gallup-McKinley County School District (Steven Baltakatei Sandoval/Wikipedia)

The district had hired Kroll, which conducts forensic investigations and intelligence gathering. Contracting with a privacy attorney was also necessary, Roque wrote, to shield Kroll’s findings from public view. 

“Without privacy counsel in place, public records would be accessible in the event of an information leak,” she wrote in an email to school leaders that was obtained by The 74 through a public records request. School districts routinely denied The 74’s requests for cyberattack information on the very same grounds of attorney-client privilege.

Records obtained by The 74 reveal Gallup-McKinley officials never notified the school community, state regulators or law enforcement about the attack, even after threat actors with the Hunters International ransomware gang listed the New Mexico district on its leak site in January 2024.

In California’s Sweetwater Union High School District, administrators told the public at first that a February 2023 attack was an “information technology system outage” — and then went on to pay a $175,000 ransom to the hackers who encrypted their systems. The payoff didn’t stop the leak of data for more than 22,000 people, nor did the district’s initially foggy phrasing allay public suspicion for very long. 

Sweetwater Union High School District headquarters (Mmrubio/Wikipedia)

During a , angry residents accused Sweetwater of being misleading and cagey. One, Kathleen Cheers, questioned whether lawyers or public relations consultants had advised school leaders to keep quiet. 

“What brainiac recommended this?” asked Cheers, who wanted the district to create a presentation within 30 days outlining  how the breach occurred and who “recommended the deceitful description.”

It wasn’t until June 2023 — four months after the attack — that Sweetwater their records were compromised. But the district’s breach notice never says what specific records had been taken, refers to files that “may have been taken” and tells those receiving the notice that their “personal information was included in the potentially taken files.”

“Well, was my information taken or not?” April Strauss, an attorney representing current and former employees in a class action lawsuit against Sweetwater, asked The 74.

Strauss, the Las Vegas district in a similar lawsuit, accused school officials of downplaying cyberattacks “to avoid exacerbating their liability, quite frankly,” in a way that prevents families from being able to “assert their rights more competently.” 

Districts’ vaguely worded breach notification letters to victims serve more to confuse than inform, she said.

“The wording in notices is disheartening,” Strauss told The 74. “It’s almost like revictimization.”

Who’s in charge

Such hedged language used in required breach notices echoes the hazy descriptions districts give the public right after they’ve been hacked. Cyberattacks were called an  “encryption event” in Minneapolis; a “network security incident” in Blaine County, Idaho; “temporary network disruptions” in Chambersburg, Pennsylvania, and “anomalous activity” in Camden, New Jersey. 

In several cases, consultants advised educators against using words like “breach” and “cyberattack” in their communications to the public. Less than 24 hours after school officials in Rochester, Minnesota, discovered a ransom note and an April 2023 attack on the district’s computer network, they notified families but only after accepting input from the public relations firm FleishmanHillard.

“ ‘Cyberattack’ is severe language that we prefer to avoid when possible,” the firm’s representative wrote .

The district called it “irregular activity” instead. 

In cases where schools are being attacked, threatened and extorted by some of the globe’s most notorious cybergangs — many with known ties to Russia — officials have claimed in arresting and indicting some of the masterminds. Yet The 74 identified instances where police took a secondary role.

In positioning themselves at the helm of cyberattack responses, attorneys have they should contact law enforcement only “in conjunction with qualified counsel.” 

In some cases, including one involving the Sheldon Independent School District in Texas, insurers have approved and covered costs associated with ransom payments, often harder-to-trace bitcoin transactions that have come under law enforcement scrutiny.

Biden's Deputy National Security Advisor Anne Neuberger,  writing in in the Financial Times, said insurers are right to demand their clients install better cybersecurity measures, like multi-factor authentication, but those who agree to pay off hackers have incentivized “payment of ransoms that fuel cyber crime ecosystems.” 

“This is a troubling practice that must end,” she wrote.

Records obtained by The 74 show that in Somerset, Massachusetts, Beazley, the school district’s cybersecurity insurance provider, approved a $200,000 ransom payment after a July 2020 attack. The insurer also played a role in selecting other outside vendors for the district’s incident response, including Coveware, a cybersecurity company that specializes in negotiating with hackers.

If police were disturbed by the district’s course of action, they didn’t express it. In fact, William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).” 

But he was quick to defer to the district and its lawyers.

William Tedford, now the Somerset police chief. (Facebook)

“There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote. “All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved.”

While ransom payments are “ethically wrong because you’re funding criminal organizations,” insurers are on the hook for helping districts recover, and the payments are a way to limit liability and save money, said Chester Wisniewski, a director at cybersecurity company Sophos. 

“The insurance companies are constantly playing catch-up trying to figure out how they can offer this protection,” he told The 74. “They see dollar signs — that everybody wants this protection — but they’re losing their butts on it.”

Similarly, school districts have seen their premiums climb. In by the nonprofit Consortium for School Networking, more than half said their cyber insurance costs have increased. One Illinois school district reported its 334% between 2021 and 2022.

Many districts told The 74 that they were quick to notify law enforcement soon after an attack and said the police, their insurance companies and their attorneys all worked in concert to respond. But a pecking order did emerge in the aftermath of several of these events examined by The 74 — one where the public did not learn what had fully happened until long after the attack.

When the Medusa ransomware gang attacked Minneapolis Public Schools in February 2023, it stole reams of sensitive information and demanded $4.5 million in bitcoin in exchange for not leaking it. District officials had a lawyer at Mullen Coughlin .  But at the same time school officials were refusing to acknowledge publicly that they had been hit by a ransomware attack, their attorneys were telling federal law enforcement that the district almost immediately determined its network had been encrypted, promptly identified Medusa as the culprit and within a day had its “third-party forensic investigation firm” communicating with the gang “regarding the ransom.”

Mullen Coughlin then told the FBI that it was leading “a privileged investigation” into the attack and, at the school district’s request, “all questions, communication and requests in connection with this notification should be directed” to the law firm. Mullen Coughlin didn’t respond to requests for comment. 

Minneapolis school officials would wait seven months before notifying more than 100,000 people that their sensitive files were exposed, including documents detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. As of Dec. 1, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

One district took such a hands-off approach, leaving cyberattack recovery to the consultants’ discretion, that they were left out of the loop and forced to issue an apology.

When an April 2023 letter to Camden educators arrived 13 months after a ransomware attack, it caused alarm. An administrator had to assure employees in an email that the New Jersey district wasn’t the target of a second attack. Third-party attorneys had sent out notices after a significant delay and without school officials’ knowledge. Taken by surprise, Camden schools were not “able to preemptively advise each of you about the notice and what it meant.”

Other school leaders said when they were in the throes of a full-blown crisis and ill-equipped to fight off cybercriminals on their own, law enforcement was not of much use and insurers and outside consultants were often their best option. 

“In terms of how law enforcement can help you out, there’s really not a whole lot that can be done to be honest with you,” said Don Ringelestein, the executive director of technology at the Yorkville, Illinois, school district. When the district was hit by a cyberattack prior to the pandemic, he said, a report to the FBI went nowhere. Federal law enforcement officials didn’t respond to requests for comment. 

District administrators turned to their insurance company, he said, which connected them to a breach coach, who led all aspects of the incident response under attorney-client privilege.

Northern Bedford County schools Superintendent Todd Beatty said the Pennsylvania district contacted the federal to report a July 2024 attack, but “the problem is there’s not enough funding and personnel for them to be able to be responsive to incidents.” 

Meanwhile, John VanWagoner, the schools superintendent in Traverse City, Michigan, claims insurance companies and third-party lawyers often leave district officials in the dark, too. Their insurance company presented school officials with the choice of several cybersecurity firms they could hire to recover from a March 2024 attack, VanWagoner said, but he "didn’t know where to go to vet if they were any good or not.”

He said it had been a community member — not a paid consultant — who first alerted district officials to the extent of the massive breach that forced school closures and involved 1.2 terabytes — or over 1,000 gigabytes — of stolen data.

“We were literally taking that right to the cyber companies and going, ‘Hey, they’re finding this, can you confirm this so that we can get a message out?’ ” he told The 74. “That is what I probably would tell you is the most frustrating part is that you’re relying on them and you’re at the mercy of that a little bit.”

The breach coach

Breach notices and other incident response records obtained by The 74 show that a small group of law firms play an outsized role in school cyberattack recovery efforts throughout the country. Among them is McDonald Hopkins, where Michigan attorney Dominic Paluzzi co-chairs a 52-lawyer data privacy and cybersecurity practice.

Some call him a breach coach. He calls himself a “quarterback.” 

After establishing attorney-client privilege, Paluzzi and his team call in outside agencies covered by a district’s cyber insurance policy —  including forensic analysts, negotiators, public relations firms, data miners, notification vendors, credit-monitoring providers and call centers. Across all industries, the cybersecurity practice handled , 17% of which involved the education sector — which, Paluzzi noted, isn’t “always the best when it comes to the latest protections."

When asked why districts’ initial response is often to deny the existence of a data breach, Paluzzi said it takes time to understand whether an event rises to that level, which would legally require disclosure and notification.  

“It’s not a time to make assumptions, to say, ‘We think this data has been compromised,’ until we know that,” Paluzzi said. “If we start making assumptions and that starts our clock [on legally mandated disclosure notices], we’re going to have been in violation of a lot of the laws, and so what we say and when we say it are equally important.” 

He said in the early stage, lawyers are trying to protect their client and avoid making any statements they would have to later retract or correct.

“While it often looks a bit canned and formulaic, it’s often because we just don’t know and we’re doing so many things,” Paluzzi said. “We’re trying to get it contained, ensure the threat actor is not in our environment and get up and running so we can continue with school and classes, and then we shift to what data is potentially out there and compromised.”

A data breach is confirmed, he said, only after “a full forensic review.” Paluzzi said that process can take up to a year, and often only after it’s completed are breaches disclosed and victims notified. 

“We run through not only the forensics, but through that data mining and document review effort. By doing that last part, we are able to actually pinpoint for John Smith that it was his Social Security number, right, and Jane Doe, it's your medical information,” he said. “We try, in most cases, to get to that level of specificity, and our letters are very specific.”

Targets in general that without the help of a breach coach, according to a 2023 blog post by attorneys at the firm Troutman Pepper Locke, often fail to notify victims and, in some cases, provide more information than they should. When entities over-notify, they increase “the likelihood of a data breach class action [lawsuit] in the process.” Companies that under-notify “may reduce the likelihood of a data breach class action,” but could instead find themselves in trouble with government regulators. 

For school districts and other entities that suffer data breaches, legal fees and settlements are often . 

Law firms like McDonald Hopkins that manage thousands of cyberattacks every year are particularly interested in privilege, said Schwarcz, the University of Minnesota law professor who wonders whether lawyers are necessarily best positioned to handle complex digital attacks.

In his , Schwarcz writes that  the promise of confidentiality is breach coaches’ chief offering. By elevating the importance of attorney-client privilege, the report argues, lawyers are able to “retain their primacy” in the ever-growing and lucrative cyber incident-response sector. 

Similarly, he said lawyers’ emphasis on reducing payouts to parents who sue overstates schools’ actual exposure and is another way to promote themselves as “providing a tremendous amount of value by limiting the risk of liability by providing you with a shield.”

Their efforts to lock down information and avoid paper trails, he wrote, ultimately undermine “the long-term cybersecurity of their clients and society more broadly.”

Threat actors uploaded campus security records from the Lumberton, Texas, school district to the dark web in 2023 after educators did not pay their ransom demand. The 74 redacted the students' faces. (Screenshot)

Who gets hurt

School cyberattacks have led to the widespread release of records that heighten the risk of identity theft for students and staff and trigger data breach notification laws that typically center on preventing fraud. 

Yet files obtained by The 74 show school cyberattacks carry particularly devastating consequences for the nation’s most vulnerable youth. Records about sexual abuse, domestic violence and other traumatic childhood experiences are found to be at the center of leaks.

Hackers have leveraged these files, in particular, to coerce payments. 

In Somerset, Massachusetts, a hacker using an encrypted email service extorted school officials with details of past sexual misconduct allegations during a district “show choir” event. The accusations were investigated by local police and no charges were filed.

“I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools,” the hacker alleges in records obtained by The 74. “This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

The exposure of intimate records presents a situation where “vulnerable kids are being disadvantaged again by weak data security,” said digital privacy scholar Danielle Citron, a University of Virginia law professor whose 2022 book, , argues that a lack of legal protections around intimate data leaves victims open to further exploitation. 

“It’s not just that you have a leak of the information,” Citron told The 74. “But the leak then leads to online abuse and torment.”

Meanwhile in Minneapolis, an educator reported that someone withdrew more than $26,000 from their bank account after the district got hacked. In Glendale, California, more than 230 educators were required to verify their identity with the Internal Revenue Service after someone filed their taxes fraudulently. 

In Albuquerque, where school officials said they prevented hackers from acquiring students’ personal information, a parent reported being contacted by the hackers who placed a “strange call demanding money for ransoming their child.”

Blood in the water

Nationally, about 135 state laws are devoted to student privacy. Yet all of them are “unfunded mandates” and “there’s been no enforcement that we know of,” according to Linnette Attai, a data privacy compliance consultant and president of . 

that require businesses and government entities to notify victims when their personal information has been compromised, but the rules vary widely, including definitions of what constitutes a breach, the types of records that are covered, the speed at which consumers must be informed and the degree to which the information is shared with the general public. 

It’s a regulatory environment that breach coach Anthony Hendricks, with the Oklahoma City office of law firm Crowe & Dunlevy, calls “the multiverse of madness.” 

“It's like you're living in different privacy realities based on the state that you live in,” Hendricks said. He said federal cybersecurity rules could provide a “level playing field” for data breach victims who have fewer protections “because they live in a certain state.” 

By 2026, proposed federal rules to the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security. But questions remain about what might happen to the rules under the new Trump administration and whether they would come with any accountability for school districts or any mechanism to share those reports with the public. 

about the extent of cyberattacks and data breaches can face Securities and Exchange Commission scrutiny, yet such accountability measures are lacking for public schools.

The Family Educational Rights and Privacy Act, the federal student privacy law, prohibits schools from disclosing student records but doesn’t require disclosure when outside forces cause those records to be exposed. Schools that have “a policy or practice” of routinely releasing students’ records in violation of FERPA can lose their federal funding, but such sanctions have never been imposed since the law was enacted in 1974.

A ransom note delivered to the Albuquerque, New Mexico, school district after a 2022 attack lays out the threat actor's demands. (Screenshot)

The patchwork of data breach notices are often the only mechanism alerting victims that their information is out there, but with the explosion of cyberattacks across all aspects of modern life, they’ve grown so common that some see them as little more than junk mail.  

Schwarcz, the Minnesota law professor, is also a Minneapolis Public Schools parent. He told The 74 he got the district’s September 2023 breach notice in the mail but he "didn't even read it." The vague notices, he said, are “mostly worthless.”

It may be enforcement against districts’ misleading practices that ultimately forces school systems to act with more transparency, said Attai, the data privacy consultant. She urges educators to “communicate very carefully and very deliberately and very accurately” the known facts of cyberattacks and data breaches. 

“Communities smell blood in the water,” she said, “because we’ve got these mixed messages.”

Development and art direction by Eamonn Fitzmaurice.  Illustrations by  for The 74.

This story was supported by a grant from the Fund for Investigative Journalism.


This article is published in partnership with

Schools have faced an onslaught of cyberattacks since the pandemic disrupted education nationwide five years ago, yet district leaders across the country have employed a pervasive pattern of obfuscation that leaves the real victims in the dark, an investigation by The 74 shows.

An in-depth analysis chronicling more than 300 school cyberattacks over the past five years reveals the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents and staff about the security of their sensitive information. At the same time, consultants and lawyers steer “privileged investigations”, which keep key details hidden from the public. 

In more than two dozen cases, educators were forced to backtrack months — and in some cases more than a year — later after telling their communities that sensitive information, which included, in part, special education accommodations, mental health challenges and student sexual misconduct reports, had not been exposed. While many school officials offered evasive storylines, others refused to acknowledge basic details about cyberattacks and their effects on individuals, even after the hackers made student and teacher information public. 

Ransomware gangs that target schools, including Rhysida, upload stolen files to leak sites on the dark web to coerce payments from their targets. (Screenshot)

The hollowness in schools’ messaging is no coincidence. 

That’s because the first people alerted following a school cyberattack are generally not the public nor the police. District incident response plans place insurance companies and their phalanxes of privacy lawyers first. They take over the response, with a focus on limiting schools’ exposure to lawsuits by aggrieved parents or employees. 

The attorneys, often employed by just a handful of law firms — dubbed  by one law professor for their massive caseloads — hire the forensic cyber analysts, crisis communicators and ransom negotiators on schools’ behalf, placing the discussions under the shield of attorney-client privilege. is for these specialized lawyers, who work to control the narrative.

The result: Students, families and district employees whose personal data was published online — from their financial and medical information to traumatic events in young people’s lives — are left clueless about their exposure and risks to identity theft, fraud and other forms of online exploitation. Told sooner, they could have taken steps to protect themselves.

Similarly, the public is often unaware when school officials quietly agree in closed-door meetings  to pay the cybergangs’ ransom demands in order to recover their files and unlock their computer systems. Research suggests that has been fueled, at least in part, by insurers’ willingness to pay. Hackers themselves have that when a target carries cyber insurance, ransom payments are “all but guaranteed.” 

In 2023, there were 121 ransomware attacks on U.S. K-12 schools and colleges, according to , a consumer-focused cybersecurity website whose researchers acknowledge that number is an undercount. An analysis by the  reported 265 ransomware attacks against the education sector globally in 2023 —  a 70% year-over-year surge, making it "the worst ransomware year on record for education."

Daniel Schwarcz, a University of Minnesota law professor, wrote criticizing the confidentiality and doublespeak that shroud school cyberattacks as soon as the lawyers — often called breach coaches — arrive on the scene. 

“There’s a fine line between misleading and, you know, technically accurate,” Schwarcz told The 74. “What breach coaches try to do is push right up to that line — and sometimes they cross it.”


When breaches go unspoken

The 74’s investigation into the behind-the-scenes decision-making that determines what, when and how school districts reveal cyberattacks is based on thousands of documents obtained through public records requests from more than two dozen districts and school spending data that links to the law firms, ransomware negotiators and other consultants hired to run district responses. It also includes an analysis of millions of stolen school district records uploaded to cybergangs’ leak sites.

Some of students’ most sensitive information lives indefinitely on the dark web, a hidden part of the internet that’s often used for anonymous communication and illicit activities. Other personal data can be found online with little more than a Google search — even as school districts deny that their records were stolen and cyberthieves boast about their latest score.

The 74 tracked news accounts and relied on its own investigative reporting in Los Angeles, Minneapolis, Providence, Rhode Island and St. Landry Parish, Louisiana, which uncovered the full extent of school data breaches, countering school officials’ false or misleading assertions. As a result, district administrators had to publicly acknowledge data breaches to victims or state regulators for the first time, or retract denials about the leak of thousands of students’ detailed psychological records.

Threat actors use ransom notes to intimidate school officials into making payments, such as this one to Alaska educators after a 2023 attack. (Screenshot)

In many instances, The 74 relied on mandated data breach notices that certain states, like Maine and California, report publicly. The notices were sent to residents in these states when their personal information was compromised, including numerous times when the school that suffered the cyberattack was hundreds, and in some cases thousands, of miles away. The legally required notices repeatedly revealed discrepancies between what school districts told the public early on and what they disclosed to regulators after extensive delays.

Some schools, meanwhile, failed to disclose data breaches, which they are required to do under state privacy laws, and for dozens of others, The 74 could find no information at all about alleged school cyberattacks uncovered by its reporting — suggesting they had never before been reported or publicly acknowledged by local school officials.

Education leaders who responded to The 74’s investigation results said any lack of transparency on their part was centered on preserving the integrity of the investigation, not self-protection. School officials in Reeds Spring, Missouri, said when they respond “to potential security incidents, our focus is on accuracy and compliance, not downplaying the severity.” Those at Florida’s River City Science Academy said the school “acted promptly to assess and mitigate risks, always prioritizing the safety and privacy of our students, families and employees.”

In Hillsborough County Public Schools in Tampa, Florida, administrators in the nation’s seventh-largest district said they notified student breach victims “by email, mail and a telephone call” and “set up a special hotline for affected families to answer questions.”

Hackers have exploited officials’ public statements on cyberattacks to strengthen their bargaining position, a reality educators cite when endorsing secrecy during ransom negotiations.

“But those negotiations do not go on forever,” said Doug Levin, who advises school districts after cyberattacks and is the co-founder and national director of the nonprofit K12 Security Information eXchange. "A lot of these districts come out saying, 'We're not paying,'” the ransom.

“All right, well, negotiation is over,” Levin said. “You need to come clean."

Records obtained by The 74, including from a 2020 school district cyberattack in Somerset, Massachusetts, show that third-party consultants help craft educators' public messaging about cyberattacks. (Screenshot)

Confidentiality is king

The paid professionals who arrive in the wake of a school cyberattack are held up to the public as an encouraging sign. School leaders announce reassuringly that specialists were promptly hired to assess the damage, mitigate harm and restore their systems to working order. 

This promise of control and normality is particularly potent when cyberattacks suddenly cripple school systems, for days and disable online learning tools. News reports are fond of saying that educators were forced to teach students “

But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them.

The extent to which this involves keeping critical information out of the public’s hands is made clear in the advice that Jo Anne Roque, vice president of risk services account management at Poms & Associates Insurance Brokers, gave to leaders of New Mexico’s Gallup-McKinley County Schools after a 2023 cyberattack.

Tseʼ Yiʼ Gai High School, Gallup-McKinley County School District (Steven Baltakatei Sandoval/Wikipedia)

The district had hired Kroll, which conducts forensic investigations and intelligence gathering. Contracting with a privacy attorney was also necessary, Roque wrote, to shield Kroll’s findings from public view. 

“Without privacy counsel in place, public records would be accessible in the event of an information leak,” she wrote in an email to school leaders that was obtained by The 74 through a public records request. School districts routinely denied The 74’s requests for cyberattack information on the very same grounds of attorney-client privilege.

Records obtained by The 74 reveal Gallup-McKinley officials never notified the school community, state regulators or law enforcement about the attack, even after threat actors with the Hunters International ransomware gang listed the New Mexico district on its leak site in January 2024.

In California’s Sweetwater Union High School District, administrators told the public at first that a February 2023 attack was an “information technology system outage” — and then went on to pay a $175,000 ransom to the hackers who encrypted their systems. The payoff didn’t stop the leak of data for more than 22,000 people, nor did the district’s initially foggy phrasing allay public suspicion for very long. 

Sweetwater Union High School District headquarters (Mmrubio/Wikipedia)

During a , angry residents accused Sweetwater of being misleading and cagey. One, Kathleen Cheers, questioned whether lawyers or public relations consultants had advised school leaders to keep quiet. 

“What brainiac recommended this?” asked Cheers, who wanted the district to create a presentation within 30 days outlining  how the breach occurred and who “recommended the deceitful description.”

It wasn’t until June 2023 — four months after the attack — that Sweetwater their records were compromised. But the district’s breach notice never says what specific records had been taken, refers to files that “may have been taken” and tells those receiving the notice that their “personal information was included in the potentially taken files.”

“Well, was my information taken or not?” April Strauss, an attorney representing current and former employees in a class action lawsuit against Sweetwater, asked The 74.

Strauss, the Las Vegas district in a similar lawsuit, accused school officials of downplaying cyberattacks “to avoid exacerbating their liability, quite frankly,” in a way that prevents families from being able to “assert their rights more competently.” 

Districts’ vaguely worded breach notification letters to victims serve more to confuse than inform, she said.

“The wording in notices is disheartening,” Strauss told The 74. “It’s almost like revictimization.”

Who’s in charge

Such hedged language used in required breach notices echoes the hazy descriptions districts give the public right after they’ve been hacked. Cyberattacks were called an  “encryption event” in Minneapolis; a “network security incident” in Blaine County, Idaho; “temporary network disruptions” in Chambersburg, Pennsylvania, and “anomalous activity” in Camden, New Jersey. 

In several cases, consultants advised educators against using words like “breach” and “cyberattack” in their communications to the public. Less than 24 hours after school officials in Rochester, Minnesota, discovered a ransom note and an April 2023 attack on the district’s computer network, they notified families but only after accepting input from the public relations firm FleishmanHillard.

“ ‘Cyberattack’ is severe language that we prefer to avoid when possible,” the firm’s representative wrote .

The district called it “irregular activity” instead. 

In cases where schools are being attacked, threatened and extorted by some of the globe’s most notorious cybergangs — many with known ties to Russia — officials have claimed in arresting and indicting some of the masterminds. Yet The 74 identified instances where police took a secondary role.

In positioning themselves at the helm of cyberattack responses, attorneys have they should contact law enforcement only “in conjunction with qualified counsel.” 

In some cases, including one involving the Sheldon Independent School District in Texas, insurers have approved and covered costs associated with ransom payments, often harder-to-trace bitcoin transactions that have come under law enforcement scrutiny.

Biden's Deputy National Security Advisor Anne Neuberger,  writing in in the Financial Times, said insurers are right to demand their clients install better cybersecurity measures, like multi-factor authentication, but those who agree to pay off hackers have incentivized “payment of ransoms that fuel cyber crime ecosystems.” 

“This is a troubling practice that must end,” she wrote.

Records obtained by The 74 show that in Somerset, Massachusetts, Beazley, the school district’s cybersecurity insurance provider, approved a $200,000 ransom payment after a July 2020 attack. The insurer also played a role in selecting other outside vendors for the district’s incident response, including Coveware, a cybersecurity company that specializes in negotiating with hackers.

If police were disturbed by the district’s course of action, they didn’t express it. In fact, William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).” 

But he was quick to defer to the district and its lawyers.

William Tedford, now the Somerset police chief. (Facebook)

“There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote. “All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved.”

While ransom payments are “ethically wrong because you’re funding criminal organizations,” insurers are on the hook for helping districts recover, and the payments are a way to limit liability and save money, said Chester Wisniewski, a director at cybersecurity company Sophos. 

“The insurance companies are constantly playing catch-up trying to figure out how they can offer this protection,” he told The 74. “They see dollar signs — that everybody wants this protection — but they’re losing their butts on it.”

Similarly, school districts have seen their premiums climb. In by the nonprofit Consortium for School Networking, more than half said their cyber insurance costs have increased. One Illinois school district reported its 334% between 2021 and 2022.

Many districts told The 74 that they were quick to notify law enforcement soon after an attack and said the police, their insurance companies and their attorneys all worked in concert to respond. But a pecking order did emerge in the aftermath of several of these events examined by The 74 — one where the public did not learn what had fully happened until long after the attack.

When the Medusa ransomware gang attacked Minneapolis Public Schools in February 2023, it stole reams of sensitive information and demanded $4.5 million in bitcoin in exchange for not leaking it. District officials had a lawyer at Mullen Coughlin .  But at the same time school officials were refusing to acknowledge publicly that they had been hit by a ransomware attack, their attorneys were telling federal law enforcement that the district almost immediately determined its network had been encrypted, promptly identified Medusa as the culprit and within a day had its “third-party forensic investigation firm” communicating with the gang “regarding the ransom.”

Mullen Coughlin then told the FBI that it was leading “a privileged investigation” into the attack and, at the school district’s request, “all questions, communication and requests in connection with this notification should be directed” to the law firm. Mullen Coughlin didn’t respond to requests for comment. 

Minneapolis school officials would wait seven months before notifying more than 100,000 people that their sensitive files were exposed, including documents detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. As of Dec. 1, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

One district took such a hands-off approach, leaving cyberattack recovery to the consultants’ discretion, that they were left out of the loop and forced to issue an apology.

When an April 2023 letter to Camden educators arrived 13 months after a ransomware attack, it caused alarm. An administrator had to assure employees in an email that the New Jersey district wasn’t the target of a second attack. Third-party attorneys had sent out notices after a significant delay and without school officials’ knowledge. Taken by surprise, Camden schools were not “able to preemptively advise each of you about the notice and what it meant.”

Other school leaders said when they were in the throes of a full-blown crisis and ill-equipped to fight off cybercriminals on their own, law enforcement was not of much use and insurers and outside consultants were often their best option. 

“In terms of how law enforcement can help you out, there’s really not a whole lot that can be done to be honest with you,” said Don Ringelestein, the executive director of technology at the Yorkville, Illinois, school district. When the district was hit by a cyberattack prior to the pandemic, he said, a report to the FBI went nowhere. Federal law enforcement officials didn’t respond to requests for comment. 

District administrators turned to their insurance company, he said, which connected them to a breach coach, who led all aspects of the incident response under attorney-client privilege.

Northern Bedford County schools Superintendent Todd Beatty said the Pennsylvania district contacted the federal to report a July 2024 attack, but “the problem is there’s not enough funding and personnel for them to be able to be responsive to incidents.” 

Meanwhile, John VanWagoner, the schools superintendent in Traverse City, Michigan, claims insurance companies and third-party lawyers often leave district officials in the dark, too. Their insurance company presented school officials with the choice of several cybersecurity firms they could hire to recover from a March 2024 attack, VanWagoner said, but he "didn’t know where to go to vet if they were any good or not.”

He said it had been a community member — not a paid consultant — who first alerted district officials to the extent of the massive breach that forced school closures and involved 1.2 terabytes — or over 1,000 gigabytes — of stolen data.

“We were literally taking that right to the cyber companies and going, ‘Hey, they’re finding this, can you confirm this so that we can get a message out?’ ” he told The 74. “That is what I probably would tell you is the most frustrating part is that you’re relying on them and you’re at the mercy of that a little bit.”

The breach coach

Breach notices and other incident response records obtained by The 74 show that a small group of law firms play an outsized role in school cyberattack recovery efforts throughout the country. Among them is McDonald Hopkins, where Michigan attorney Dominic Paluzzi co-chairs a 52-lawyer data privacy and cybersecurity practice.

Some call him a breach coach. He calls himself a “quarterback.” 

After establishing attorney-client privilege, Paluzzi and his team call in outside agencies covered by a district’s cyber insurance policy —  including forensic analysts, negotiators, public relations firms, data miners, notification vendors, credit-monitoring providers and call centers. Across all industries, the cybersecurity practice handled , 17% of which involved the education sector — which, Paluzzi noted, isn’t “always the best when it comes to the latest protections."

When asked why districts’ initial response is often to deny the existence of a data breach, Paluzzi said it takes time to understand whether an event rises to that level, which would legally require disclosure and notification.  

“It’s not a time to make assumptions, to say, ‘We think this data has been compromised,’ until we know that,” Paluzzi said. “If we start making assumptions and that starts our clock [on legally mandated disclosure notices], we’re going to have been in violation of a lot of the laws, and so what we say and when we say it are equally important.” 

He said in the early stage, lawyers are trying to protect their client and avoid making any statements they would have to later retract or correct.

“While it often looks a bit canned and formulaic, it’s often because we just don’t know and we’re doing so many things,” Paluzzi said. “We’re trying to get it contained, ensure the threat actor is not in our environment and get up and running so we can continue with school and classes, and then we shift to what data is potentially out there and compromised.”

A data breach is confirmed, he said, only after “a full forensic review.” Paluzzi said that process can take up to a year, and often only after it’s completed are breaches disclosed and victims notified. 

“We run through not only the forensics, but through that data mining and document review effort. By doing that last part, we are able to actually pinpoint for John Smith that it was his Social Security number, right, and Jane Doe, it's your medical information,” he said. “We try, in most cases, to get to that level of specificity, and our letters are very specific.”

Targets in general that without the help of a breach coach, according to a 2023 blog post by attorneys at the firm Troutman Pepper Locke, often fail to notify victims and, in some cases, provide more information than they should. When entities over-notify, they increase “the likelihood of a data breach class action [lawsuit] in the process.” Companies that under-notify “may reduce the likelihood of a data breach class action,” but could instead find themselves in trouble with government regulators. 

For school districts and other entities that suffer data breaches, legal fees and settlements are often . 

Law firms like McDonald Hopkins that manage thousands of cyberattacks every year are particularly interested in privilege, said Schwarcz, the University of Minnesota law professor who wonders whether lawyers are necessarily best positioned to handle complex digital attacks.

In his , Schwarcz writes that the promise of confidentiality is breach coaches’ chief offering. By elevating the importance of attorney-client privilege, the report argues, lawyers are able to “retain their primacy” in the ever-growing and lucrative cyber incident-response sector. 

Similarly, he said lawyers’ emphasis on reducing payouts to parents who sue overstates schools’ actual exposure and is another way to promote themselves as “providing a tremendous amount of value by limiting the risk of liability by providing you with a shield.”

Their efforts to lock down information and avoid paper trails, he wrote, ultimately undermine “the long-term cybersecurity of their clients and society more broadly.”

Threat actors uploaded campus security records from the Lumberton, Texas, school district to the dark web in 2023 after educators did not pay their ransom demand. The 74 redacted the students' faces. (Screenshot)

Who gets hurt

School cyberattacks have led to the widespread release of records that heighten the risk of identity theft for students and staff and trigger data breach notification laws that typically center on preventing fraud. 

Yet files obtained by The 74 show school cyberattacks carry particularly devastating consequences for the nation’s most vulnerable youth. Records about sexual abuse, domestic violence and other traumatic childhood experiences are found to be at the center of leaks. 

Hackers have leveraged these files, in particular, to coerce payments. 

In Somerset, Massachusetts, a hacker using an encrypted email service extorted school officials with details of past sexual misconduct allegations during a district “show choir” event. The accusations were investigated by local police and no charges were filed.

“I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools,” the hacker alleges in records obtained by The 74. “This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

The exposure of intimate records presents a situation where “vulnerable kids are being disadvantaged again by weak data security,” said digital privacy scholar Danielle Citron, a University of Virginia law professor whose 2022 book, , argues that a lack of legal protections around intimate data leaves victims open to further exploitation. 

“It’s not just that you have a leak of the information,” Citron told The 74. “But the leak then leads to online abuse and torment.”

Meanwhile in Minneapolis, an educator reported that someone withdrew more than $26,000 from their bank account after the district got hacked. In Glendale, California, more than 230 educators were required to verify their identity with the Internal Revenue Service after someone filed their taxes fraudulently. 

In Albuquerque, where school officials said they prevented hackers from acquiring students’ personal information, a parent reported being contacted by the hackers who placed a “strange call demanding money for ransoming their child.”

Blood in the water

Nationally, about 135 state laws are devoted to student privacy. Yet all of them are “unfunded mandates” and “there’s been no enforcement that we know of,” according to Linnette Attai, a data privacy compliance consultant and president of . 

that require businesses and government entities to notify victims when their personal information has been compromised, but the rules vary widely, including definitions of what constitutes a breach, the types of records that are covered, the speed at which consumers must be informed and the degree to which the information is shared with the general public. 

It’s a regulatory environment that breach coach Anthony Hendricks, with the Oklahoma City office of law firm Crowe & Dunlevy, calls “the multiverse of madness.” 

“It's like you're living in different privacy realities based on the state that you live in,” Hendricks said. He said federal cybersecurity rules could provide a “level playing field” for data breach victims who have fewer protections “because they live in a certain state.” 

By 2026, proposed federal rules to the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security. But questions remain about what might happen to the rules under the new Trump administration and whether they would come with any accountability for school districts or any mechanism to share those reports with the public. 

about the extent of cyberattacks and data breaches can face Securities and Exchange Commission scrutiny, yet such accountability measures are lacking for public schools.

The Family Educational Rights and Privacy Act, the federal student privacy law, prohibits schools from disclosing student records but doesn’t require disclosure when outside forces cause those records to be exposed. Schools that have “a policy or practice” of routinely releasing students’ records in violation of FERPA can lose their federal funding, but such sanctions have never been imposed since the law was enacted in 1974. 

A ransom note delivered to the Albuquerque, New Mexico, school district after a 2022 attack lays out the threat actor's demands. (Screenshot)

The patchwork of data breach notices are often the only mechanism alerting victims that their information is out there, but with the explosion of cyberattacks across all aspects of modern life, they’ve grown so common that some see them as little more than junk mail.  

Schwarcz, the Minnesota law professor, is also a Minneapolis Public Schools parent. He told The 74 he got the district’s September 2023 breach notice in the mail but he "didn't even read it." The vague notices, he said, are “mostly worthless.” 

It may be enforcement against districts’ misleading practices that ultimately forces school systems to act with more transparency, said Attai, the data privacy consultant. She urges educators to “communicate very carefully and very deliberately and very accurately” the known facts of cyberattacks and data breaches. 

“Communities smell blood in the water,” she said, “because we’ve got these mixed messages.”

Development and art direction by Eamonn Fitzmaurice.  Illustrations by  for The 74.

This story was supported by a grant from the Fund for Investigative Journalism.

Online Censorship in Schools Is ‘More Pervasive’ than Expected, New Data Shows
/article/schools-use-of-web-filtering-subjective-and-unchecked/
Thu, 23 Jan 2025 13:30:00 +0000

This article was originally published in

Aleeza Siddique, 15, was in a Spanish class earlier this year in her Northern California high school when a lesson about newscasts got derailed by her school’s internet filter. Her teacher told the class to open up their school-issued Chromebooks and explore a list of links he had curated from the Spanish language broadcast news giant Telemundo. The students tried, but every single link turned up the same page: a picture of a padlock. 

“None of it was available to us,” Aleeza said. “The site was completely blocked.” 

She said her teacher scrambled to pivot and fill the 90-minute class with other activities. From what she recalls, they went over vocabulary lists and independently clicked through online quizzes from Quizlet — a decidedly less dynamic use of time. 



 by the D.C.-based Center for Democracy & Technology shows just how often some of that blocking happens nationwide. The nonprofit digital rights advocacy organization conducted its fifth annual survey of middle and high school teachers and parents as well as high school students about a range of tech issues. About 70% of both teachers and students this year said web filters get in the way of students’ ability to complete their assignments. 

Virtually all schools use some type of web filter to comply with the Children’s Internet Protection Act, which requires districts taking advantage of the federal E-rate program for discounted internet and telecommunications equipment to keep kids from seeing graphic and obscene images online. A , which is now a part of CalMatters, discovered far more expansive blocking by school districts than federal law requires, some of it political, mirroring culture war battles over what students have access to in school libraries. That investigation found school districts blocking access to sex education and LGBTQ+ resources, including suicide prevention. It also found routine blocking of websites students seek out for academic research. And because school districts tend to set different restrictions for students and staff, teachers can be  because of how they complicate lesson planning.

Web filtering is ‘subjective and unchecked’

Elizabeth Laird, director of equity in civic technology for the center and lead author of the report, said The Markup’s reporting helped inspire additional survey questions to better understand how schools are using filters as a “subjective and unchecked” method of restricting students’ access to information. 

“The scope of what is blocked is more pervasive and value-laden than I think we initially even knew to ask last year,” Laird said. 

While past surveys have revealed how often students and teachers report disproportionate filtering of content related to reproductive health, LGBTQ+ issues and content about people of color, the center asked respondents this year if they thought content associated with or about immigrants was more likely to be blocked. About one-third of students said yes. 

Aleeza would have said yes, after her experience with Telemundo. The California teen said how often she runs into blocks depends on how much research she’s trying to do and how much of it she has to do on her school computer. When she was taking a debate class, she ran into the blocks regularly while researching controversial topics. An article in Slate magazine about LGBTQ+ rights gave her a block screen, for example, because the entire news website is blocked. She said she avoids her school Chromebook as much as possible, doing homework on her personal laptop away from school Wi-Fi whenever she can. 

Nearly one-third of teachers surveyed by the Center for Democracy & Technology said their schools block content related to the LGBTQ+ community. About half said information about sexual orientation and reproductive health is blocked. And Black and Latino students were more likely to say content related to people of color is disproportionately blocked on their school devices.

For students like Aleeza, the blocking is frustrating in practice as well as principle. 

“The amount that they’re policing is actively interfering with our ability to have an education,” she said. Often, she has no idea why a website triggers the block page. Aleeza said it feels arbitrary and thinks her school should be more transparent about what it’s blocking and why. 

“We should have a right to know what we’re being protected from,” she said.

Audrey Baime, Olivia Brandeis, and Samantha Yee, all members of the CalMatters Youth Journalism Initiative, contributed reporting for this story.

This was originally published on .

AI Tools and Student Privacy: 9 Tips for Teachers
/article/ai-tools-and-student-privacy-9-tips-for-teachers/
Wed, 01 Jan 2025 17:30:00 +0000

This article was originally published in

Since the release of ChatGPT to the public in November 2022, the number of AI tools has skyrocketed, and there are now many advocates for the potential changes AI can cause in education.

But districts have not been as fast in providing teachers with training. As a result, many are experimenting without any guidance, an .

To learn about how teachers and other educators can protect student data and abide by the law when using AI tools, Chalkbeat consulted documents and interviewed specialists from school districts, nonprofits, and other groups. Here are nine suggestions from experts.



Consult with your school district about AI

Navigating the details about the privacy policies in each tool can be challenging for a teacher. Some districts list tools that they have vetted or with which they have contracts.

Give preference to these tools, if possible. When a tool is under contract with a school or a district, its provider is supposed to protect students’ data and follow national and state law, but always check whether your district has any recommendations on how to use the tool. Checking with your school’s IT or education technology department is also a good option.

It is also essential to investigate if your school or district has guidelines or policies for the general use of AI. These documents usually review privacy risks and ethical questions.

Check for reviews about AI platforms’ safety

Organizations like and review ed-tech tools and provide feedback on their safety.

Be careful when platforms say they comply with laws like the Family Educational Rights and Privacy Act, or FERPA, and the Children’s Online Privacy Protection Rule. According to the law, the school is ultimately responsible for children’s data and must be aware of any information it shares with a third party.

Study the AI platform’s privacy policy and terms

The privacy policy and the terms of use should provide some answers about how a company uses the data it collects from you. Make sure to read them carefully, and look for some of the following information:

  • What information does the platform collect?
  • How does the platform use the collected data? Is it used to determine which ads it will show you? Does it share data with any other company or platform?
  • For how long does it keep the collected data?
  • Is the data it collects used to train the AI model?

The list of questions that Common Sense Media uses for their privacy evaluations is .

You should avoid signing up for platforms that collect a broad volume of data or that are not clear in their policies. One potential red flag: vague claims about “retaining personal information for as long as necessary” and “sharing data with third parties to provide services.”

Bigger AI platforms can be safer

Big companies like OpenAI, Google, Meta, and others are under more scrutiny: NGOs, reporters, and politicians tend to investigate their privacy policies more frequently. They also have bigger teams and resources that allow them to invest heavily in compliance with privacy regulations. For these reasons, they tend to have better safeguards than small companies or start-ups.

You still have to be careful. Most of these platforms are not explicitly intended for educational purposes, making them less likely to create specific policies regarding student or teacher data.

Use the tools as an assistant, not a replacement

Even though these tools provide better results when you input more information, try to use them for tasks that don’t require much information about your students.

AI tools can help provide suggestions on how to ask questions about a book, set up document templates, like an Individualized Educational Program plan or a behavioral assessment, or create assessment rubrics.

But even tasks that can seem mundane can increase risks. For example, providing the tool with a list of students and their grades on a specific assignment and asking it to organize it in alphabetical order could represent a violation of student privacy.

Turn on maximum privacy settings for AI platforms

Some tools allow you to adjust your privacy settings. Look online for tutorials on the best privacy settings for the tool that you are using and how to activate them. , for example, allows users to stop it from using their data to train AI models.

Doing this does not necessarily make AI tools completely safe or compliant with student privacy regulations.

Never input personal information to AI platforms

Even if you take all the steps above, do not input student information. Information that is restricted can include:

  • Personal information: a student’s name, Social Security number, education ID, names of parents or other relatives, address and phone number, location of birth, or any other information that can be used to identify a student.
  • Academic records: reports about absences, grades, and student behaviors in the school, student work, and teachers’ feedback on and assessments of student work.

This may be harder than it sounds.

If teachers upload student work to a platform to get help with grading, for example, they should remove all identification, including the student’s name, and replace it with an alias or random number that can’t be traced back to the student. It’s also wise to ensure the students haven’t included any personal information, like their place of birth, where they live or personal details about their families, friends, religious or political inclination, sexual orientation, and club affiliations.

One exception is for platforms approved by the school or the district and holding contracts with them.

Be transparent with others about using AI

Communicate with your school supervisors, principal, parents, and students about when and how you use AI in your work. That way, everyone can ask questions and bring up concerns you may not know about.

It is also a good way to model behavior for students. For example, if teachers ask students to disclose when they use AI to complete assignments, being transparent with them in turn about how teachers use AI might foster a better classroom environment.

If uncertain, ask AI platforms to delete information

In some states, the law says platforms must delete users’ information if they request it. And some companies will delete it even if you aren’t in one of these states.

Deleting the data may be challenging and may not solve all of the problems caused by misusing AI. Some companies may take a long time to respond to deletion requests or find loopholes in order to avoid deleting it.

The tips listed above come from the , published by the American Federation of Teachers; the report by the U.S. Department of Education’s Office of Educational Technology; and the used by Common Sense Media to carry out its privacy evaluations.

Additional help came from Calli Schroeder, senior counsel and global privacy counsel at the Electronic Privacy Information Center; Brandon Wilmart, director of educational technology at Moore Public Schools in Oklahoma; and Anjali Nambiar, education research manager at Learning Collider.

This story was originally published by Chalkbeat. Chalkbeat is a nonprofit news site covering educational change in public schools. Sign up for their newsletters at . 

Opinion: 50 Years after FERPA’s Passage, Ed Privacy Law Needs an Update for the AI Era
/article/50-years-after-ferpas-passage-ed-privacy-law-needs-an-update-for-the-ai-era/
Tue, 20 Aug 2024 10:30:00 +0000

Aug. 21 marks 50 years since the Family Educational Rights and Privacy Act (FERPA) was passed into law. Back then, student privacy looked a lot different than it does today: The classrooms and textbooks of yesteryear presented much less risk than Google or artificial intelligence do, but education officials still had growing concerns over databases and record systems.

FERPA permits parents and eligible students (typically over 18) to inspect and correct their education records. It also requires consent before disclosure of personally identifiable information from those records, though there are numerous exceptions. In addition, schools must notify parents and eligible students annually of their FERPA rights.

With the advent of education technology, FERPA is really showing its age. Though it has slightly since its enactment, the last congressional update was over a decade ago, and regulations from the Department of Education are also woefully outdated. (Updates to the regulations from the Department are frequently said to be imminent, but as of this writing, none are public.)



Privacy concerns have steadily increased over the last few decades, as technology continues to develop and make increasingly intrusive incursions into every aspect of life. While FERPA does provide at least for students — unlike, say, consumers in general — the fact is, it does not mandate adequate safeguards.

Students and families in today’s digital world deserve modern protections that accurately reflect contemporary society and their learning experiences. Here are a few suggestions for bringing FERPA into its next half-century.

First, it should reflect that the information contained in student records is much broader than documents in files or scanned into computers. FERPA needs to protect students’ online information; protected “education records” should explicitly and unambiguously include online data created by students, including web browsing and search histories, interactions with tech tools and artificial intelligence chatbots, and other digital activity.

Second, the concept of directory information — things like a student’s name, address, telephone listing, email address, photograph, date and place of birth, height and weight (for athletic team members) and student ID numbers — needs an overhaul for the digital age. Under FERPA, schools can share this information with a third party or the public generally, unless a parent has opted out. 

is supposed to be data that is not considered harmful or invasive if disclosed. But given rapid advances in technology, much of it could lead to commercial profiling, identity theft and other harms. The definition should be narrowed, and parents should be allowed to choose what specific information schools can share. And that sharing should be opt-in, item by item, not the current blanket opt-out.

Third, the FERPA statute did not contemplate the extent to which ed tech and other third-party companies would be integrated into students’ daily lives. The Department of Education has since ” — to whom information can be shared without consent — to include ed tech vendors when they have a legitimate educational interest, perform a function the school would otherwise do, are under the school’s direct control with respect to use of student records and comply with other FERPA requirements. It would be helpful for Congress to very clearly indicate when FERPA-covered information may be shared with ed tech vendors and other third parties that students encounter on a daily basis.

FERPA should specify that students’ information — including and especially when shared with “school officials” — should be used for educational purposes only and not be offered for sale or used for targeted advertising.

Lastly, it is critical that schools safeguard student information. . It should mandate administrative, physical and technical safeguards, including training for individuals handling student information and prompt responses to data breaches. Schools need funding to better understand cybersecurity issues, as well as to build out necessary infrastructure to collaborate and coordinate cybersecurity efforts. Ideally, Congress would add new cybersecurity funding for schools, because many lack the financial means to implement adequate safeguards.

FERPA was passed 50 years ago in response to rising concerns about new technology. Technology has continued to evolve, and so must FERPA.

The Key Investors Who Once Touted L.A. Schools’ Failed $6M AI Chatbot Go Silent
/article/the-key-investors-who-once-touted-l-a-schools-failed-6m-ai-chatbot-go-silent/
Tue, 30 Jul 2024 10:30:00 +0000

Earlier this summer, leaders at the ed tech company AllHere, contracted by Los Angeles schools to build a heavily hyped $6 million AI chatbot, offered assurances to one of its investors. 

At the time, principals with Boston Impact Initiative were finalizing the firm’s annual impact assessment of AllHere, a 2016 startup that offered a tech-driven solution to chronic student absences. Officials with the were left with an impression that was, it turns out, far from reality. 

“There were conversations with the company and it was doing really well,” CEO Betty Francisco told The 74 in a brief telephone conversation earlier this month.



AllHere was actually on the verge of collapse and now, Francisco is questioning whether her firm may have been played. 

“We are trying to also understand what happened,” she said of the news that the company, the recipient of some $12 million in investor capital and much praise for being an AI education innovator, was in serious straits. Last month, a majority of its staff were furloughed, AllHere announced ; the ambitious AI chatbot that it built for the Los Angeles Unified School District was unplugged and its founder and chief executive officer, Joanna Smith-Griffin, was out of a job. 

Francisco said her firm was a minor player in AllHere’s venture capital fundraising and that the larger, institutional investors were now working with the company “to figure out the plan.” 

What that plan might be — and what necessitated it in the first place — remains a mystery. In the month since The 74 first reported on the company’s downfall, key figures in AllHere’s rise have gone underground. The 74 sought comments from more than a dozen company officials, including its founder, investors at prominent venture capital firms and members of its board of directors. None, aside from Francisco, would speak publicly about the company. 

It’s a major shift for AllHere’s backers, many of whom work at impact investment firms that fund startups through a social justice lens. These figures were once outspoken about AllHere and their shared place in the race to inject AI into schools. Among those who have gone silent is Andrew Parker of the firm , whose fundraising efforts landed him a seat on AllHere’s board of directors. In a 2021 blog post, he to chronic absenteeism, one of the pandemic’s most lasting impacts, as a profound innovation in the way schools communicate with parents. The company, he boasted, was a smart bet. 

“Being this primary conduit of communication is a terrific business opportunity, and it’s how AllHere will thrive in the years to come,” wrote Parker, who declined to comment for this story.

AllHere’s latest financial woes aren’t the first time that Smith-Griffin felt the pressure of a company mission gone wrong. Shortly after Boston-based AllHere emerged from a startup incubator at Harvard University, where Smith-Griffin was enrolled, its technological approach to bolster student attendance fell flat. 

“The first iteration of AllHere failed spectacularly,” Smith-Griffin, a former Boston charter school teacher and family engagement director, said in a 2017 interview on . “And it was one of the best things that could have happened to us.” 

Smith-Griffin appears in a video profile for Forbes after she was included in the magazine’s 30 Under 30 list for education leaders in 2021. An AllHere investor said in a blog post that his firm helped Smith-Griffin “secure a spot as the featured entrepreneur.” (Screenshot)

In response to those early startup woes, Smith-Griffin changed course. She ditched her initial idea of using data to create lists for teachers of the students most likely to become chronically absent — a service that educators told her wasn’t much help — and pivoted to an automated text messaging service that sent personally tailored “nudges” to parents in the guise of a friendly chatbot. 

The $6 million chatbot that it would eventually build for L.A. schools — an animated sun named “Ed” meant to interact individually with and accelerate the learning of some 540,000 students — was in a different class entirely. AllHere, according to a former employee-turned-whistleblower, put students’ personal information at risk by taking shortcuts to meet the school district’s ambitious demands.

Meanwhile, AllHere’s investors publicly touted that it was the infusion of cash and leadership from altruistically inclined impact firms that transformed the company from one with an under-baked product to an AI innovator in the K-12 space. An examination of these firms’ outsized role suggests that AllHere’s venture-influenced embrace of artificial intelligence may have led it to fail once again — this time on a much grander scale. 

‘Disturbed by the allegations’ 

Reached by phone, four members of the company’s board of directors — including several with extensive and well-known education policy credentials — declined to comment for this story. In fact, much of the information about AllHere’s unraveling has been filtered through an unusual channel: The school district it left in the lurch. 

It was an L.A. Unified district spokesperson who first told news outlets that Smith-Griffin was no longer with AllHere and that the company was up for sale. Smith-Griffin, who records show lives in North Carolina, couldn’t be reached for comment. 

Investigators with the district’s independent inspector general’s office have launched an inquiry into the former AllHere executive’s claims that the company misused L.A. students’ personal data and Superintendent Alberto Carvalho last week proposed a task force to find out what went wrong. The inquiry, Carvalho said, will dig into the district’s procurement process and claims the chatbot handled students’ personal information in ways that violated district policy and basic data privacy principles. 

“I’m disturbed by the allegations,” Carvalho with the Los Angeles Times while speaking simultaneously on AllHere’s behalf. 

“We’ve had — our team has had — conversations with the company about those allegations,” Carvalho said. “The company has denied those allegations.” 

The task force, an LAUSD spokesperson said in a statement, will create a framework for the district to “continue leveraging technology responsibly.” AllHere, which has been paid about $3 million so far, won the five-year contract after a competitive bidding process, the spokesperson said, and was selected “because it was most aligned” with the district’s vision for the chatbot and “was an established educational technology company focused on personalized and interactive AI solutions to improve student attendance.” 

‘A truly amazing board’

After the pandemic shuttered in-person learning nationally and student absences surged to unprecedented highs, Rethink Education, an ed tech-focused impact investment firm that provided early capital to AllHere, saw an opening. A by Impact Capital Managers says that Rethink provided the company with more than cash flow; it oversaw a “strategic transition,” specifically “a pivot towards an AI chatbot” that observers would later say was outside the scope of AllHere’s capabilities.

Rethink Education partner Ebony Brown offered AllHere critical connections to influential education players and helped it build “a truly amazing board” of directors, by Matt Greenfield, Rethink’s managing partner. She successfully recruited Jeff Livingston, a at McGraw-Hill Education and a Bill & Melinda Gates Foundation , and Janice Jackson, the former CEO of Chicago Public Schools. 

“Ebony got introductions to several former superintendents of large districts, secured a meeting with Janice, and delivered an impassioned and ultimately successful pitch,” Greenfield wrote. The addition of Livingston and Jackson to the AllHere board was strategic, according to the case study, noting that they “have been instrumental in securing deals with major school districts and in developing a customer acquisition playbook to expand the company’s nationwide presence.” 

Matt Greenfield (Rethink Education)

The extent to which board members helped AllHere land the LAUSD contract is unclear. Livingston and Jackson both declined to provide comment for this story. Greenfield and Brown didn’t respond to multiple requests for comment.

Brown, who also gained a seat on AllHere’s board, then sought to improve the company’s visibility, helping Smith-Griffin “secure a spot as the featured entrepreneur” on the for education leaders in 2021. A year later, Smith-Griffin served as alongside Purdue University president and former Indiana governor Mitch Daniels and Deborah Quazzo, a managing partner at the investment company GSV Ventures. 

GSV is heavily involved in education technology companies. In April, Smith-Griffin and Carvalho unveiled the district’s buzzed-about chatbot in San Diego co-hosted by the venture firm and Arizona State University.

“The Forbes profile,” Greenfield’s post notes, “in turn led to inbound interest from venture capitalists, multiple term sheets [documents outlining the terms under which VCs fund startups] and a round” of investments totaling more than $8 million. 

On June 12, just before AllHere announced that it had furloughed most of its staff, the company got bad news from the U.S. Patent and Trademark Office. Officials for a chatbot that addressed student absenteeism, finding that the tool didn’t present eligible technological advancements. 

The office wrote: “No inventive concept exists sufficient to transform the abstract idea of ‘student monitoring’ into a patent-eligible application of that idea.” 

L.A. Schools Probe Charges its Hyped, Now-Defunct AI Chatbot Misused Student Data

/article/chatbot-los-angeles-whistleblower-allhere-ai/ Wed, 10 Jul 2024 10:30:00 +0000

Independent Los Angeles school district investigators have opened an inquiry into claims that its $6 million AI chatbot — an animated sun named “Ed” celebrated as an unprecedented learning acceleration tool until the company that built it collapsed and the district was forced to pull the plug — put students’ personal information in peril.

Investigators with the Los Angeles Unified School District’s inspector general’s office conducted a video interview with Chris Whiteley, the former senior director of software engineering at AllHere, after he told The 74 his former employer’s student data security practices violated both industry standards and the district’s own policies.

Whiteley told The 74 he had alerted the school district, the IG’s office and state education officials earlier to the data privacy problems with Ed but got no response. His meeting with investigators occurred July 2, one day after The 74 published its story outlining Whiteley’s allegations, including that the chatbot put students’ personally identifiable information at risk of getting hacked by including it in all chatbot prompts, even in those where the data weren’t relevant; sharing it with other third-party companies unnecessarily and processing prompts on offshore servers in violation of district student privacy rules.


In an interview with The 74 this week, Whiteley said the officials from the district’s inspector general’s office “were definitely interested in what I had to say,” as speculation swirls about the future of Ed, its ed tech creator AllHere and broader education investments in artificial intelligence.

“It felt like they were after the truth,” Whiteley said, adding, “I’m certain that they were surprised about how bad [students’ personal information] was being handled.”

To generate responses to even mundane prompts, Whiteley said, the chatbot processed the personal information for all students in a household. If a mother with 10 children asked the chatbot a question about her youngest son’s class schedule, for example, the tool processed data about all of her children to generate a response. 

“It’s just sad and crazy,” he said.

The inspector general’s office directed The 74’s request for comment to a district spokesperson, who declined to comment or respond to questions involving the inquiry.

While the conversation centered primarily on technical aspects related to the company’s data security protocols, Whiteley said investigators probed him on his personal experiences with AllHere, which he described as being abusive, and its finances.

Whiteley was laid off from AllHere in April. Two months later, a notice posted to the said a majority of its 50 or so employees had been furloughed due to its “current financial position” and the LAUSD spokesperson said company co-founder and CEO Joanna Smith-Griffin had left. The former Boston teacher and Harvard graduate was successful in raising $12 million in venture capital for AllHere and appeared with L.A. schools Superintendent Alberto Carvalho at ed tech conferences and other events throughout the spring touting the heavily publicized AI tool they partnered to create.

Just weeks ago, Carvalho spoke publicly about how the project had put L.A. out in front as school districts and ed tech companies nationally race to follow the lead of generative artificial intelligence pioneers like ChatGPT. But the school chief’s superlative language around what Ed could do on an individualized basis with 540,000 students had some industry observers and AI experts speculating it was destined to fail.

The chatbot was supposed to serve as a “friendly, concise customer support agent” that replied “using simple language a third grader could understand” to help students and parents supplement classroom instruction, find assistance with kids’ academic struggles and navigate attendance, grades, transportation and other key issues. What they were given, Whiteley charges, was a student privacy nightmare. 

Smith-Griffin recently deactivated her LinkedIn page and has not surfaced since her company went into apparent free fall. Attempts to reach AllHere for comment were unsuccessful and parts of the company website have gone dark. LAUSD said earlier that AllHere is for sale and that several companies are interested in acquiring it.

The district has already paid AllHere $3 million to build the chatbot and “a fully-integrated portal” that gave students and parents access to information and resources in a single location, the district spokesperson said in a statement Tuesday, and “was surprised by the financial disruption to AllHere.” 

AllHere’s collapse represents a stunning fall from grace for a company that was named among the world’s top education technology companies by Time Magazine just months earlier. Scrutiny of AllHere intensified when Whiteley became a whistleblower. He said he turned to the press because his concerns, which he shared first with AllHere executives and the school district, had been ignored.

Whiteley shared source code with The 74 which showed that students’ information had been processed on offshore servers. Seven out of eight Ed chatbot requests, he said, were sent to places like Japan, Sweden, the United Kingdom, France, Switzerland, Australia and Canada.

‘How are smaller districts going to do this?’

What district leaders failed to do as they heralded their new tool, Whiteley said, is conduct sufficient audits. As L.A. — and school systems nationwide — contract with a laundry list of tech vendors, he said it’s imperative that they understand how third-party companies use students’ information. 

“If the second-biggest district can’t audit their [personally identifiable information] on new or interesting products and can’t do security audits on external sources, how are smaller districts going to do this?” he asked.

Over the last several weeks, the district’s official position on Ed has appeared to shift. In late June when the district spokesperson said that several companies were “interested in acquiring Allhere,” they also said its predecessor would “continue to provide this first-of-its-kind resource to our students and families.” In its initial response to Whiteley’s allegations published July 1, the spokesperson said that education officials would “take any steps necessary to ensure that appropriate privacy and security protections are in place in the Ed platform.” 

In in the Los Angeles Times, a district spokesperson said the chatbot had been unplugged on June 14. The 74 asked the spokesperson to provide documentation showing the tool was disabled last month but didn’t get a response.

Even after June 14, Carvalho continued to boast publicly about LAUSD’s foray into generative AI and what he described with third-party vendors. 

On Tuesday, the district spokesperson told The 74 that the online portal — even without a chatty, animated sun — “will continue regardless of the outcome with AllHere.” In fact, the project could become a source of district revenue. Under the contract between AllHere and LAUSD, which was obtained by The 74, the chatbot is the property of the school district, which was set to receive 2% in royalty payments from AllHere “should other school districts seek to use the tool to benefit their families and students.”

In the statement Tuesday, the district spokesperson said that officials chose to “temporarily disable the chatbot” amid AllHere’s uncertainty and that it would “only be restored when the human-in-the-loop aspect is re-established.” 

Whiteley agreed that the district could maintain the student information dashboard without the chatbot and, similarly, that another firm could buy what remains of AllHere. He was skeptical, however, that Ed the chatbot would live another day because “it’s broken.”

“The name AllHere,” he said, “I think is dead.”

Whistleblower: L.A. Schools’ Chatbot Misused Student Data as Tech Co. Crumbled

/article/whistleblower-l-a-schools-chatbot-misused-student-data-as-tech-co-crumbled/ Mon, 01 Jul 2024 10:30:00 +0000

Just weeks before the implosion of AllHere, an education technology company that had been showered with cash from venture capitalists and featured in glowing profiles by the business press, America’s second-largest school district was warned about problems with AllHere’s product.

As the eight-year-old startup rolled out Los Angeles Unified School District’s flashy new AI-driven chatbot — an animated sun named “Ed” that AllHere was hired to build for $6 million — a former company executive was sending emails to the district and others that Ed’s workings violated bedrock student data privacy principles. 

Those emails were sent shortly before The 74 first reported last week that AllHere, with in investor capital, was in serious straits. A June 14 statement on the company’s website revealed a majority of its employees had been furloughed due to its “current financial position.” Company founder and CEO Joanna Smith-Griffin, a spokesperson for the Los Angeles district said, was no longer on the job.

Smith-Griffin and L.A. Superintendent Alberto Carvalho went on the road together this spring to unveil Ed at a series of high-profile ed tech conferences, with the schools chief dubbing it the nation’s first “personal assistant” for students and leaning hard into LAUSD’s place in the K-12 AI vanguard. He called Ed’s ability to know students “unprecedented in American public education” at the ASU+GSV conference in April. 


Through an algorithm that analyzes troves of student information from multiple sources, the chatbot was designed to offer tailored responses to questions like “what grade does my child have in math?” The tool relies on vast amounts of students’ data, including their academic performance and special education accommodations, to function.

Meanwhile, Chris Whiteley, a former senior director of software engineering at AllHere who was laid off in April, had become a whistleblower. He told district officials, its independent inspector general’s office and state education officials that the tool processed student records in ways that likely ran afoul of L.A. Unified’s own data privacy rules and put sensitive information at risk of getting hacked. None of the agencies ever responded, Whiteley told The 74.

“When AllHere started doing the work for LAUSD, that’s when, to me, all of the data privacy issues started popping up,” Whiteley said in an interview last week. The problem, he said, came down to a company in over its head and one that “was almost always on fire” in terms of its operations and management. LAUSD’s chatbot was unlike anything it had ever built before and — given the company’s precarious state — could be its last. 

If AllHere was in chaos and its bespoke chatbot beset by porous data practices, Carvalho was portraying the opposite. One day before The 74 broke the news of the company turmoil and Smith-Griffin’s departure, spotlighted the schools chief at a Denver conference talking about how adroitly LAUSD managed its ed tech vendor relationships — “We force them to all play in the same sandbox” — while ensuring that “protecting data privacy is a top priority.”

In a statement on Friday, a district spokesperson said the school system “takes these concerns seriously and will continue to take any steps necessary to ensure that appropriate privacy and security protections are in place in the Ed platform.” 

“Pursuant to contract and applicable law, AllHere is not authorized to store student data outside the United States without prior written consent from the District,” the statement continued. “Any student data belonging to the District and residing in the Ed platform will continue to be subject to the same privacy and data security protections, regardless of what happens to AllHere as a company.” 

A district spokesperson, in response to earlier questioning from The 74 last week, said it was informed that Smith-Griffin was no longer with the company and that several businesses “are interested in acquiring AllHere.” Meanwhile Ed, the spokesperson said, “belongs to Los Angeles Unified and is for Los Angeles Unified.”

Officials in the inspector general’s office didn’t respond to requests for comment. The state education department “does not directly oversee the use of AI programs in schools or have the authority to decide which programs a district can utilize,” a spokesperson said in a statement.

It’s a radical turn of events for AllHere and the AI tool it markets as a “learning acceleration platform,” which were all the buzz just a few months ago. In April, Time Magazine education technology companies. That same month, Inc. Magazine dubbed Smith-Griffin in artificial intelligence in its Female Founders 250 list. 

Ed has been similarly blessed with celebrity treatment. 

“He’s going to talk to you in 100 different languages, he’s going to connect with you, he’s going to fall in love with you,” Carvalho said at ASU+GSV. “Hopefully you’ll love it, and in the process we are transforming a school system of 540,000 students into 540,000 ‘schools of one’ through absolute personalization and individualization.”

Smith-Griffin, who graduated from the Miami school district that Carvalho once led before going onto Harvard, couldn’t be reached for comment. Smith-Griffin’s LinkedIn page was recently deactivated and parts of the company website have gone dark. Attempts to reach AllHere were also unsuccessful.

‘The product worked, right, but it worked by cheating’

Smith-Griffin, a former Boston charter school teacher and family engagement director, founded AllHere in 2016. Since then, the company has primarily provided schools with a text messaging system that facilitates communication between parents and educators. , the tool relies on attendance data and other information to deliver customized, text-based “nudges.” 

The work that AllHere provided the Los Angeles school district, Whiteley said, was on a whole different level — and the company wasn’t prepared to meet the demand and lacked expertise in data security. In L.A., AllHere operated as a consultant rather than a tech firm that was building its own product, according to its contract with LAUSD obtained by The 74. Ultimately, the district retained rights to the chatbot, according to the agreement, but AllHere was contractually obligated to “comply with the district information security policies.”

 The contract notes that the chatbot would be “trained to detect any confidential or sensitive information” and to discourage parents and students from sharing with it any personal details. But the chatbot’s decision to share and process students’ individual information, Whiteley said, was outside of families’ control. 

In order to provide individualized prompts on details like student attendance and demographics, the tool connects to several data sources, according to the contract, including , an online tool used to track students’ special education services. The document notes that Ed also interfaces with the stored on , a cloud storage company. , the Whole Child platform serves as a central repository for LAUSD student data to help educators monitor students’ progress and personalize instruction. 

Whiteley told officials the app included students’ personally identifiable information in all chatbot prompts, even in those where the data weren’t relevant. Prompts containing students’ personal information were also shared with other third-party companies unnecessarily, Whiteley alleges, and were processed on offshore servers. Seven out of eight Ed chatbot requests, he said, are sent to places like Japan, Sweden, the United Kingdom, France, Switzerland, Australia and Canada. 

Taken together, he argued the company’s practices ran afoul of data minimization principles, a standard cybersecurity practice that maintains that apps should collect and process the least amount of personal information necessary to accomplish a specific task. Playing fast and loose with the data, he said, unnecessarily exposed students’ information to potential cyberattacks and data breaches and, in cases where the data were processed overseas, could subject it to foreign governments’ data access and surveillance rules. 

Chatbot source code that Whiteley shared with The 74 outlines how prompts are processed on foreign servers by a Microsoft AI service that integrates with ChatGPT. The LAUSD chatbot is directed to serve as a “friendly, concise customer support agent” that replies “using simple language a third grader could understand.” When querying the simple prompt “Hello,” the chatbot provided the student’s grades, progress toward graduation and other personal information.

AllHere’s critical flaw, Whiteley said, is that senior executives “didn’t understand how to protect data.” 

“The issue is we’re sending data overseas, we’re sending too much data, and then the data were being logged by third parties,” he said, in violation of the district’s data use agreement. “The product worked, right, but it worked by cheating. It cheated by not doing things right the first time.”

In a 2017 policy bulletin, the district notes that all sensitive information “needs to be handled in a secure way that protects privacy,” and that contractors cannot disclose information to other parties without parental consent. A second policy bulletin, from April, outlines the district’s authorized use guidelines for artificial intelligence, which notes that officials, “Shall not share any confidential, sensitive, privileged or private information when using, prompting or communicating with any tools.” It’s important to refrain from using sensitive information in prompts, the policy notes, because AI tools “take whatever users enter into a prompt and incorporate it into their systems/knowledge base for other users.” 

“Well, that’s what AllHere was doing,” Whiteley said. 

L.A. Superintendent Alberto Carvalho (Getty Images)

‘Acid is dangerous’

Whiteley’s revelations present LAUSD with its third student data security debacle in the last month. In mid-June, a threat actor known as “Sp1d3r” began to sell for $150,000 a trove of data it claimed to have stolen from the Los Angeles district on Breach Forums, a dark web marketplace. LAUSD Bloomberg that the compromised data had been stored by one of its third-party vendors on the cloud storage company Snowflake, the repository for the district’s Whole Child Integrated Data. The Snowflake data breach may be one of the largest in history. The threat actor claims that the L.A. schools data in its possession include student medical records, disability information, disciplinary details and parent login credentials. 

The chatbot interacted with data stored by Snowflake, according to the district’s contract with AllHere, though any connection between AllHere and the Snowflake data breach is unknown. 

In its statement Friday, the district spokesperson said an ongoing investigation has “revealed no connection between AllHere or the Ed platform and the Snowflake incident.” The spokesperson said there was no “direct integration” between Whole Child and AllHere and that Whole Child data was processed internally before being directed to AllHere.

The contract between AllHere and the district, however, notes that the tool should “seamlessly integrate” with the Whole Child Integrated Data “to receive updated student data regarding attendance, student grades, student testing data, parent contact information and demographics.”

Earlier in the month, a second threat actor known as Satanic Cloud claimed it had access to tens of thousands of L.A. students’ sensitive information and had posted it for sale on Breach Forums for $1,000. In 2022, the district was victim to a massive ransomware attack that exposed reams of sensitive data, including thousands of students’ psychological evaluations, to the dark web. 

With AllHere’s fate uncertain, Whiteley blasted the company’s leadership and protocols.

“Personally identifiable information should be considered acid in a company and you should only touch it if you have to because acid is dangerous,” he told The 74. “The errors that were made were so egregious around PII, you should not be in education if you don’t think PII is acid.”

Room Scans & Eye Detectors: Robocops are Watching Your Kids Take Online Exams

/article/room-scans-eye-detectors-robocops-are-watching-your-kids-take-online-exams/ Thu, 18 Apr 2024 10:15:00 +0000

Remote proctoring tools like Proctorio have faced widespread pushback at colleges. Less scrutiny and awareness exists on their use in K-12 schools.

Updated, correction appended April 18

In the middle of night, students at Utah’s Kings Peak High School are wide awake — taking mandatory exams. 

At this online-only school, which opened during the pandemic and has ever since, students take tests from their homes at times that work best with their schedules. Principal Ammon Wiemers says it’s this flexibility that attracts students — including athletes and teens with part-time jobs — from across the state. 

“Students have 24/7 access but that doesn’t mean the teachers are going to be there 24/7,” Wiemers told The 74 with a chuckle. “Sometimes [students] expect that but no, our teachers work a traditional 8 to 4 schedule.”

Any student who feels compelled to cheat while their teacher is sound asleep, however, should know they’re still being watched. 

For students, the cost of round-the-clock convenience is their privacy. During exams, their every movement is captured on their computer’s webcam and scrutinized by Proctorio, . Proctorio software conducts “desk scans” in a bid to catch test-takers who turn to “unauthorized resources,” “face detection” technology to ensure there isn’t anybody else in the room to help and “gaze detection” to spot anybody “looking away from the screen for an extended period of time.” 

Proctorio then provides visual and audio records to Kings Peak teachers with the algorithm calling particular attention to pupils whose behaviors during the test flagged them as possibly engaging in academic dishonesty. 

Such remote proctoring tools grew exponentially during the pandemic, particularly at U.S. colleges and universities where administrators seeking to ensure exam integrity during remote learning met with sharp resistance from students. Online end the surveillance regime; the tools of and that set off a red flag when the tool failed to detect Black students’ faces.  

A video uploaded to TikTok offers advice on how to cheat during exams that are monitored by Proctorio. (Screenshot)

At the same time, social media platforms like TikTok were flooded with videos purportedly highlighting service vulnerabilities that taught others

K-12 schools’ use of remote proctoring tools, however, has largely gone under the radar. Nearly a year since the federal public health emergency expired and several since the vast majority of students returned to in-person learning, an analysis by The 74 has revealed that K-12 schools nationwide — and online-only programs in particular — continue to use tools from digital proctoring companies on students, including those as young as kindergarten.

Previously unreleased survey results from the nonprofit Center for Democracy and Technology found that remote proctoring in K-12 schools has become widespread. In its August 2023 36% of teachers reported that their school uses the surveillance software.

Civil rights activists, who contend AI proctoring tools fail to work as intended, harbor biases and run afoul of students’ constitutional protections, said the privacy and security concerns are particularly salient for young children and teens, who may not be fully aware of the monitoring or its implications. 

“It’s the same theme we always come back to with student surveillance: It’s not an effective tool for what it’s being claimed to be effective for,” said Chad Marlow, senior policy counsel at the American Civil Liberties Union. “But it actually produces real harms for students.” 

Wiemers is aware that the school, where about 280 students are enrolled full time and another 1,500 take courses part time, must make a delicate “compromise between a valid testing environment and students’ privacy.” When students are first subjected to the software he said “it’s kind of weird to see that a camera is watching,” but unlike the uproar at colleges, he said the monitoring has become “normalized” among his students and that anybody with privacy concerns is allowed to take their tests in person.

“It’s always strange in a virtual setting — it’s like you’re watching yourself take the test in the mirror,” he said. “But when students use it more, they get used to it.”  

Children ‘don’t take tests’

Late last year, Proctorio founder and CEO Mike Olsen published   in response to research critical of the company’s efficacy. A tech-savvy Ohio college student had conducted an analysis and concluded Proctorio’s relied on an open-source software library with a — including a failure to recognize Black faces more than half of the time. 
The student tested the company’s face-detection capabilities against a dataset of nearly 11,000 images, , which depicted people of multiple races and ethnicities, with results showing a failure to distinguish Black faces 57% of the time, Middle Eastern faces 41% of the time and white faces 40% of the time. Such a high failure rate was problematic for Proctorio, which relies on its ability to flag cheaters by zeroing in on people’s facial features and movements. 

Olsen’s post sought to discredit the research, arguing that while the FairFace dataset had been used to identify biases in other facial-detection algorithms, the images weren’t representative of “a live test-taker’s remote exam experience.” 

“For example,” he wrote, “children and cartoons don’t take tests so including those images as part of the data set is unrealistic and unrepresentative.” 

Proctorio founder and CEO Mike Olsen published a blog post that countered research claiming the remote proctoring tool had a high fail rate — especially for Black students. (Screenshot)

To Ian Linkletter, a librarian from Canada embroiled in a long-running battle with Proctorio over whether its products were harmful, Olsen’s response was baffling. Sure, cartoon characters don’t take tests. But children, he said, certainly do. What he wasn’t sure about, however, was whether those younger test-takers were being monitored by Proctorio — so he set out to find out. 

He found two instances, both in Texas, where Proctorio was being used in the K-12 setting, including at a remote school tied to the University of Texas at Austin. Linkletter shared his findings with The 74, which used the government procurement tool GovSpend to identify other districts that have contracts with Proctorio and its competitors.

More than 100 K-12 school districts have relied on Proctorio and its competitors, according to the GovSpend data, with a majority of expenditures made during the height of the pandemic. And while remote learning has become a more integral part of K-12 schooling nationwide, seven districts have paid for remote proctoring services in the last year. While extensive, the GovSpend database doesn’t provide a complete snapshot of U.S. school districts or their expenditures. 

“It was just obvious that Proctorio had K-12 clients and were being misleading about children under 18 using their product,” Linkletter said, adding that young people could be more susceptible to the potential harms of persistent surveillance. “It’s almost like a human rights issue when you’re imposing it on students, especially on K-12 students.” Young children, he argued, are unable to truly consent to being monitored by the software and may not fully understand its potential ramifications. 

Proctorio did not respond to multiple requests for comment by The 74. Founded in 2013, claims it provided remote proctoring services during the height of the pandemic to education institutions globally.

In 2020,  over a series of tweets in which the then-University of British Columbia learning technology specialist linked to Proctorio-produced YouTube videos, which the company had made available to instructors. Using the video on the tool’s “Abnormal Eye Movement function,” Linkletter that it showed “the emotional harm you are doing to students by using this technology.”

Proctorio’s lawsuit alleged that Linkletter’s use of the company’s videos, which were unlisted and could only be viewed by those with the link, amounted to copyright infringement and distributing of confidential material. In January, Canada’s Supreme Court Linkletter’s claim that the litigation was specifically designed to silence him.

While there is little independent research on the efficacy of any remote proctoring tools in preventing cheating, one 2021 study found that who had been instructed to cheat. Researchers concluded the software is “best compared to taking a placebo: It has some positive influence, not because it works but because people believe that it works, or that it might work.” 

Remote proctoring costs K-12 schools millions

A , the online K-12 school operated by the University of Texas, indicates that Proctorio is used for Credit by Exam tests, which award course credit to students who can demonstrate mastery in a particular subject. For students in kindergarten, first and second grade, the district pairs district proctoring with a “Proctorio Secure Browser,” which prohibits test takers from leaving the online exam to use other websites or programs. Beginning in third grade, according to the rubric uploaded to the school’s website, test takers are required to use Proctorio’s remote online proctoring.

A UT High School rubric explains how it uses Proctorio software. (Screenshot)

Proctorio isn’t the only remote proctoring tool in use in K-12 schools. GovSpend data indicate the school district in Las Vegas, Nevada, has spent more than $1.4 million since 2018 on contracts with Proctorio competitor Spending on Honorlock by the Clark County School District surged during the pandemic but as recently as October, it had a $286,000 company purchase. GovSpend records indicate the tool is used at , the district’s online-only program which claims more than 4,500 elementary, middle and high school students. Clark County school officials didn’t respond to questions about how Honorlock is being utilized. 

Meanwhile, dozens of K-12 school districts relied on the remote proctoring service ProctorU, now known as , during the pandemic, records indicate, with several maintaining contracts after school closures subsided. Among them is the rural Watertown School District in South Dakota, which spent $18,000 on the service last fall. 

Aside from Wiemers, representatives for schools mentioned in this story didn’t respond to interview requests or declined to comment. Meazure Learning and Honorlock didn’t respond to media inquiries. 

At TTU K-12, an online education program offered by Texas Tech University, the institution relies on Proctorio for “all online courses and Credit by Examinations,” flagging suspicious activity to teachers for review. In an apparent nod to Proctorio privacy concerns, TTU instructs students to select private spaces for exams and that if they are testing in a private home, they have to get the permission of anyone also residing there for the test to be recorded. 

Documents indicate that K-12 institutions continue to subject remote learners to room scans even after a federal judge ruled a university’s . In 2022, a federal judge sided with a Cleveland State University student, who alleged that a room scan taken before an online exam at the Ohio institution violated his Fourth Amendment rights against unreasonable searches and seizures. The judge ruled that the scan was “unreasonable,” adding that “room scans go where people otherwise would not, at least not without a warrant or an invitation.” 

Marlow of the ACLU says he finds room scans particularly troubling — especially in the K-12 context. From an equity perspective, he said such scans could have disproportionately negative effects on undocumented students, those living with undocumented family members and students living in poverty. He expressed concerns that information collected during room scans could be used as evidence for immigration enforcement.

“There are two fairly important groups of vulnerable students, undocumented families and poor students, who may not feel that they can participate in these classes because they either think it’s legally dangerous or they’re embarrassed to use the software,” he said. 

The TTU web page notes that students “may be randomly asked to perform a room scan,” where they’re instructed to offer their webcam a 360-degree view of the exam environment with a warning: Failure to perform proper scans could result in a violation of exam procedures.

“If you’re using a desktop computer with a built-in webcam, it might be difficult to lift and rotate the entire computer,” the web page notes while offering a solution. “You can either rotate a mirror in front of the webcam or ask your instructor for further instruction.”

‘A legitimate concern’ 

Wiemers, the principal in Utah, said that Proctorio serves as a deterrent against cheating — but is far from foolproof. 

“There’s ways to cheat any software,” he said, adding that educators should avoid the urge to respond to Proctorio alerts with swift discipline. In the instances where Proctorio has caught students cheating, he said that instead of being given a failing grade, they’re simply asked to retake the test. 

“There are limitations to the software, we have to admit that, it’s not perfect, not even close,” he said. “But if we expect it to be, and the stakes are high and we’re overly punitive, I would say [students] have a legitimate concern.”

During a TTU K-12 advisory board meeting in July 2021, administrators outlined the extent that Proctorio is used during exams. Justin Louder, who at the time served as the TTU K-12 interim superintendent, noted that teachers and a “handful of administrators within my office” had access to view the recordings. Ensuring that third parties didn’t have access to the video feeds was “a big deal for us,” he said, because they’re “dealing with minors.” 

While college students “really kind of pushed back” on remote proctoring, he noted that they only received a few complaints from K-12 parents, who recognized the service offered scheduling benefits. Like Wiemers, he framed the issue as one of 24-hour convenience. 

“It lets students go at their own pace,” he said. “If they’re ready at 2 o’clock in the morning, they can test at 2 o’clock in the morning.”

Correction: A copyright infringement case brought by Proctorio against longtime company critic Ian Linkletter is still being argued in court. An earlier version of this story mischaracterized the litigation as being ruled in Proctorio’s favor.

Virginia Probe Finds Systemic Privacy Violations after Fairfax Data Release
/article/virginia-probe-finds-systemic-privacy-violations-after-fairfax-data-release/
Mon, 26 Feb 2024 20:32:51 +0000

The Fairfax County Public Schools, Virginia’s largest district, has a systemwide problem protecting students’ privacy, the state education agency said Friday, calling for additional training of staff it said were either “not aware of the precautions that should be taken” or weren’t “sensitized” to the issues.

The finding stems from a complaint brought by a Fairfax parent and special education advocate in December after she inadvertently received data on roughly 35,000 students, including special education records, confidential legal memos and mental health conditions. The 74 first reported the disclosure Nov. 1. The records included full names of students involved in lawsuits against the district over alleged sexual assault complaints and those seeing counselors for issues such as suicidal thoughts and depression.

The 180,000-student district has until March 25 to appeal the state’s finding or complete a “corrective action plan” that includes some steps the district has already agreed to, such as additional staff training.


That training, however, was supposed to begin Oct. 31, according to the district’s response to an earlier complaint from the same parent. But during a with a parents group, a district official acknowledged the training had yet to start . 

“That is going to be launched fairly shortly,” said Dawn Schaefer, who oversees special education complaints for the district. “I don’t have an exact launch date, but I can certainly check.” 

In its decision, the state noted the district’s failure to address the repeated violations.

“A perfect policy is of no use if people ignore it,” wrote Patricia Haymes, the director of dispute resolution at the Virginia Department of Education. “Perfect procedures are meaningless if no one follows them.”

Haymes ordered the district to provide a list of all students affected by the disclosure and to verify that their parents have been notified. The district must also submit monthly progress on its implementation of recommendations of the Superintendent Michelle Reid launched following The 74’s reporting. The state noted the article in its response to the district.

The state’s finding backs up what some Fairfax parents have been saying for years — that district staff members have a pattern of sharing confidential emails and student records with the wrong parents and educators. Experts praised the state for pushing for additional training, but one questioned whether the requirements go far enough, calling them “fairly lackluster.” 

“I don’t know that the families harmed will feel like this is sufficient oversight of the issue,” said Amelia Vance, president of the Public Interest Privacy Center. “Trust has been breached between the community and the district, and more is necessary to fix this.”

Nonetheless, she gave Fairfax’s superintendent credit for being transparent about the district’s mistake and promptly issuing an apology. The district declined to comment on the outcome of the state complaint.

‘A bigger Band-Aid’

Virginia officials previously accepted the district’s assurances that the disclosures were isolated incidents. In mid-December, a state hearing officer said “a series of mistakes” doesn’t necessarily add up to a “systemic violation.” 

The state has “always said it’s a one-off. They operate as if each incident is a silo,” said Callie Oettinger, the parent who gained access to the unredacted records in mid-October when she went to a high school to examine files on her own two children. She made the request under the federal , or FERPA, which gives parents the right to examine their children’s education records.

Pointing to larger concerns in the district, her complaint noted “overlapping” privacy violations that officials were already investigating between March and mid-November last year, including the large October records release and a November incident in which Robinson Secondary School, a seventh through 12th grade school, mailed students’ report cards to the wrong parents. 

Oettinger called the remedy “a bigger Band-Aid” compared with steps the district already agreed to take, including lawyers signing off on record requests before they are released to parents. 

But Todd Reid, a spokesman for the state education department, called the corrective action plan an “intensive requirement of both federal and state special education law” to ensure districts make improvements within a specific time frame. 

‘Not letting it slide’

Another privacy expert blamed these types of mistakes on the “convergence” of more student data, new technologies and parents who want access to records electronically. Steve Smith, founder of the , a national network, said the district should be using systems that “reduce the likelihood of inadvertent sharing.”

But, he added, the backlash from parents can force a district to take better precautions. 

“These things becoming public and the school community losing confidence probably has more impact than a warning from the FERPA office or the state,” he said. “I applaud parents for not letting it slide.”

Leaked Active School Shooter Plans Revive Scrutiny of Ed Tech Privacy Pledge
/article/leaked-active-school-shooter-plans-revive-scrutiny-of-ed-tech-privacy-pledge-2/
Fri, 02 Feb 2024 11:01:00 +0000

A security lapse at a leading school safety company that exposed millions of sensitive records online — including districts’ active-shooter response plans, students’ medical records and court documents about child abuse — has revived criticism that an industry student privacy pledge fails to police bad actors.

In response to an inquiry by The 74, the nonprofit Future of Privacy Forum said last week it would review Raptor Technologies’ status as a Student Privacy Pledge signatory after a maintained by the company were readily available without any encryption protection despite Raptor’s claims that it scrambles its data. 

“We are reviewing the details of Raptor Technologies’ leak to determine if the company has violated its Pledge commitments,” David Sallay, the Washington-based group’s director of youth and education privacy, said in a Jan. 24 statement. “A final decision about the company’s status as Pledge signatory, including, if applicable, potential referrals to the [Federal Trade Commission] and relevant State Attorneys General, is expected within 30 days.” 

Should the privacy forum choose to take action, Raptor would become just the second-ever education technology company to be removed from the pledge. 

Texas-based , which counts roughly 40% of U.S. school districts as its customers, offers an extensive suite of software designed to improve campus safety, including a tool that screens visitors’ government-issued identification cards against sex offender registries, a management system that helps school leaders prepare for and respond to emergencies, and a threat assessment tool that allows educators to report if they notice “something a bit odd about a student’s behavior” that they believe could become a safety risk. This means, according to a Raptor guide, that the company collects data on kids who appear “unkempt or hungry,” withdrawn from friends, to engage in self-harm, have poor concentration or struggle academically. 

Rather than keeping students safe, however, cybersecurity researcher Jeremiah Fowler said the widespread data breach threatened to put them in harm’s way. And as cybersecurity experts express concerns about , they’ve criticized the Student Privacy Pledge for lackluster enforcement in lieu of regulations and minimum security standards. 

Fowler, a cybersecurity researcher at and a self-described “data breach hunter,” has been tracking down online vulnerabilities for a decade. The Raptor leak is “probably the most diverse set of documents I’ve ever seen in one database,” he said, including information about campus surveillance cameras that didn’t work, teen drug use and the gathering points where students were instructed to meet in the event of a school shooting. 

vpnMentor in December and Fowler said the company was responsive and worked quickly to fix the problem. The breach wasn’t the result of a hack and there’s no evidence that the information has fallen into the hands of threat actors, though Fowler in the last several months. 

The situation could have grown far more dire without Fowler’s audit. 

“The real danger would be having the game plan of what to do when there is a situation,” like an active shooting, Fowler said in an interview with The 74. “It’s like playing in the Super Bowl and giving the other team all of your playbooks and then you’re like, ‘Hey, how did we lose?’”

David Rogers, Raptor’s chief marketing officer, said last week the company is conducting an investigation to determine the scope of the breached data to ensure “that any individuals whose personal information could have been affected are appropriately notified.” 

“Our security protocols are rigorously tested, and in light of recent events, we are committed to further enhancing our systems,” Rogers said in a statement. “We take this matter incredibly seriously and will remain vigilant, including by monitoring the web for any evidence that any data that has been in our possession is being misused.” 

‘Maybe this is a pattern’

Raptor is currently among more than 400 companies that , a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children. 

Raptor and the other companies have vowed against selling students’ personally identifiable information or using it for targeted advertising, among other commitments. They also agreed to “maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality and integrity” of student’s personal information against unauthorized or unintended disclosure. Cybersafeguards, the pledge notes, should be “appropriate to the sensitivity of the information.” 

Raptor touts its pledge commitment on its website, where it notes the company takes “great care and responsibility to both support the effective use of student information and safeguard student privacy and information security.” The company that it ensures “the highest levels of security and privacy of customer data,” including encryption “both at rest and in-transit,” meaning that data is scrambled into an unusable format without a password while it is being stored on servers and while it’s being moved between devices or networks. 

Its , however, offers a more proscribed assurance, saying the company takes “reasonable” measures to protect sensitive data, but that it cannot guarantee that such information “will be protected against unauthorized access, loss, misuse or alterations.” 

Districts nationwide have spent tens of millions of dollars on Raptor’s software, according to GovSpend, a government procurement database. Recent customers include the school districts in Dallas, Texas, Broward County, Florida, and Rochester, New York. Under , education technology companies that collect student data are required to maintain a cybersecurity program that includes data encryption and controls to ensure that personally identifiable information doesn’t fall into the hands of unauthorized actors. 

Countering Raptor’s claims that data were encrypted, Fowler told The 74 the documents he accessed “were just straight-up PDFs, they didn’t have any password protections on them,” adding that the files could be found by simply entering their URLs into a web browser. 

Officials at the Rochester school district didn’t respond to requests for comment about whether they had been notified about the breach and its effects on their students or if they were aware that Raptor may not have been in compliance with state encryption requirements. 

Doug Levin, the national director of the nonprofit K12 Security Information eXchange, said the Raptor blunder is reminiscent of a 2022 data breach at the technology vendor Illuminate Education, which exposed the information of at least 3 million students nationwide, including 820,000 current and former New York City students. Levin noted that both companies claimed their data was encrypted at rest and in transit — “except maybe it wasn’t.” 

A decade after the privacy pledge was introduced, he said “it falls far short of offering the regulatory and legal protections students, families and educators deserve.”

“How can educators know if a company is taking security seriously?” Levin asked. Raptor “said all of the right things on their website about what they were doing and, yet again, it looks like a company wasn’t forthright. And so, maybe this is a pattern.” 

State data breach rules have long focused on personal information, like Social Security numbers, that could be used for identity theft and other financial crimes. But the consequences of data breaches like the one at Raptor, Fowler said, could be far more devastating — and could harm children for the rest of their lives. He noted the exposure of health records, which could violate federal privacy law, could be exploited for various forms of fraud. Discipline reports and other sensitive information, including about student sexual abuse victims, could be highly embarrassing or stigmatizing. 

Meanwhile, he said the exposure of confidential records about physical security infrastructure in schools, and district emergency response plans, could put kids in physical danger. 

Details about campus security infrastructure have been exploited by bad actors in the past. After Minneapolis Public Schools fell victim to a ransomware attack last February that led to a large-scale data breach, an investigation by The 74 uncovered reams of campus security records, including campus blueprints that revealed the locations of surveillance cameras, instructions on how to disarm a campus alarm system and maps that documented the routes that children are instructed to take during an emergency evacuation. The data can be tracked down with little more than a Google search. 

“I’ve got a 14-year-old daughter and when I’m seeing these school maps I’m like, ‘Oh my God, I can see where the safe room is, I can see where the keys are, I can see the direction they are going to travel from each classroom, where the meetup points are, where the police are going to be,” Fowler said of the Raptor breach. “That’s the part where I was like, ‘Oh my God, this literally is the blueprint for what happens in the event of a shooting.” 

‘Sweep it under the rug’

The Future of Privacy Forum’s initial response to the Raptor breach mirrors the nonprofit’s actions after the 2022 data breach at Illuminate Education, which was previously listed among the privacy pledge signatories and became the first-ever company to get stripped of the designation. 

The forum’s decision to remove Illuminate followed an article in The 74, where student privacy advocates criticized it for years of failures to enforce its pledge commitments — and accused it of being a tech company-funded effort to thwart government regulations. 

The pledge, which was created by the privacy forum in partnership with the Software and Information Industry Association, a technology trade group, was created in 2014, placing restrictions on the ways ed tech companies could use the data they collect about K-12 students. 

Along with stripping Illuminate of its pledge signatory designation, the forum referred it to the Federal Trade Commission, which the nonprofit maintains can hold companies accountable to their commitments via consumer protection rules that prohibit unfair and deceptive business practices. The company was also referred to the state attorneys general in New York and California to “consider further appropriate action.” It’s unclear if regulators took any actions against Illuminate. The FTC and the California attorney general’s office didn’t respond to requests for comment. The New York attorney general’s office is reviewing the Illuminate breach, a spokesperson said. 

“Publicly available information appears to confirm that Illuminate Education did not encrypt all student information” in violation of several Pledge provisions, Forum CEO Jules Polonetsky told The 74 at the time. Among them is a commitment to “maintain a comprehensive security program” that protects students’ sensitive information and to “comply with applicable laws,” including New York’s “explicit data encryption requirement.” 

After the breach and before it was removed from the pledge, the Software and Information Industry Association recognized Illuminate with the sector’s equivalent of an Oscar. 

Raptor isn’t the only pledge signatory to fall victim to a recent data breach. In December, a cybersecurity researcher disclosed a security vulnerability at Education Logistics, commonly known as EduLog, which offers a GPS tracking system to give parents real-time information about the location of their children’s school buses. A statement the forum provided The 74 didn’t mention whether it had opened an inquiry into whether EduLog had failed to comply with the pledge commitments. 

Despite the forum’s actions against Illuminate Education, and its new inquiry into Raptor, the pledge continues to face criticism for having little utility, including from Fowler, who likened it to “virtue signaling” that can be quickly brushed aside. 

“Pledges are just that, they’re like, ‘Hey, that sounds good, we’ll agree to it until it no longer fits our business model,” he said. “A pledge is just like, “whoops, our bad,” a little bit of bad press and you just sweep it under the rug and move on.” 

Chad Marlow, a senior policy counsel at the American Civil Liberties Union focused on privacy and surveillance issues, offered a similar perspective. Given the persistent threat of data breaches and a growing number of cyberattacks on the K-12 sector, Marlow said that schools should take a hard look at the amount of data that they and their vendors collect about students in the first place. He said Raptor’s early intervention system, which seeks to identify children who pose a potential threat to themselves or others, is an unproven surveillance system that could become a vector for student discrimination in the name of keeping them safe. 

Although he said he has “a great deal of admiration” for the privacy forum and the privacy pledge goals, it falls short on accountability when compared to regulations that mandate compliance.

“Sometimes pledges like this, which are designed to make a little bit of progress, actually do the opposite because it allows companies to point to these pledges and say, ‘Look, we are committed to doing better,’ when in fact, they’re using the pledge to avoid being told to do better,” he said. “That’s what we need, not people saying, ‘On scout’s honor I’ll do X.’”  

Disclosure: The Bill & Melinda Gates Foundation and the Chan Zuckerberg Initiative provide financial support to the Future of Privacy Forum and The 74.

Alleged Rape Victim Presses Va.’s Fairfax Schools for Answers on Records Leak
/article/alleged-rape-victim-presses-virginias-fairfax-schools-for-answers-on-records-disclosure/
Mon, 27 Nov 2023 16:01:00 +0000

A former Fairfax County Public Schools student who accuses the Virginia district of ignoring allegations that she was repeatedly raped, tortured and threatened when she was in middle school is demanding to know how officials accidentally revealed her identity last month. 

In a federal court motion filed Nov. 14 that cited The 74’s exclusive reporting, attorney Andrew Brenner described the disclosure as “at best, careless,” particularly after the former student won a legal battle against the district for her right to remain anonymous. Brenner asked the U.S. District Court for the Eastern District of Virginia to compel Fairfax to explain how her name ended up in documents released as part of a records request that had nothing to do with her case.

A hearing on the motion is set for Dec. 15.

Known as B.R., the woman is as well as the former students she alleges sexually assaulted her in 2011, with a trial set to begin in March. The motion asks for the names of all district employees involved in producing the materials that identified her as well as the district’s steps “to collect, review, compile and transmit the documents” prior to their release.


The district’s response to the motion could provide insight into how unredacted records on tens of thousands of students were released to a parent and special education advocate. The documents included sensitive, confidential information such as grades, disability status and mental health conditions.

Following The 74’s report, the district apologized and launched an investigation. A firm with expertise in cybersecurity — — is handling the probe, but some parents with children named in the disclosure said so far, no one has contacted them. Superintendent Michelle Reid said in she will share a summary of the investigation once it’s complete.

Callie Oettinger, the parent who received the records, went to her local high school in mid-October to examine what she thought were records pertaining to her own two children. Her son, who received special education services in the district, has since graduated, and her daughter is still in high school. She copied computer files onto thumb drives as a paralegal observed and helped her identify some of the records. 

While most of the documents set aside for her review included her children’s names, they also revealed information on what she estimates were at least 35,000 other students. B.R.’s full name was listed in a document labeled “attorney work product” and marked “privileged and confidential,” as well as in an email to board members about litigation to discuss in a 2020 closed meeting.

The records also identified another former student with a separate Title IX case against the district. In reached last year, the district agreed to always redact the student’s real name from any copy of the document and only use a pseudonym when referring to the case. Her attorneys did not respond to a request for comment.

One document the Fairfax County Public Schools turned over to parent Callie Oettinger identifies two students who were involved in Title IX lawsuits as Jane Doe, but then includes their names in parentheses. The 74 has redacted their real names.

The day after issuing its apology, the district sent Oettinger a strongly worded email demanding that she “return all files removed, including any and all physical media used for unauthorized extraction of information from FCPS.” The letter referred to the documents as “wrongfully retained information.”

To her attorney, the language suggested Oettinger was at fault. 

“She’s done nothing illegal, and they have no legal right to compel her to do anything,” said Timothy Sandefur, vice president for legal affairs at the Goldwater Institute, a Phoenix-based libertarian think tank. Oettinger posted redacted documents from the recent trove on she runs on special education issues. “If they want assurance that she is not going to publish any kind of confidential information about kids, she absolutely will not publish confidential information about children. She has assured everybody of that already.”

Oettinger sent the thumb drives to Sandefur, who has since communicated with attorneys conducting the district’s investigation. But he declined to provide an update on the district’s progress. The attorneys conducting the investigation also didn’t respond to requests for comment.

A need for ‘robust action’

Oettinger didn’t initially alert the district to the disclosure because, she said, it has failed to make improvements after previous privacy violations. In fact, on Oct. 19 — the third and final day that Oettinger reviewed files in person — the Virginia Department of Education responded to one of her earlier complaints, finding the Fairfax district out of compliance with the federal Family Educational Rights and Privacy Act, or FERPA.

The decision only pertained to her son and was not a statement about the district’s overall privacy record.

Patricia Haymes, who directs the state agency’s Office of Dispute Resolution and Administrative Services, noted that officials have had “ongoing concerns” regarding student confidentiality in Fairfax and “believed that there was a need for the school division to take more robust action to ensure sustainable compliance.” But she also said the district assured her in September that it was taking steps “regarding the confidentiality of and access to student records.”

In that Sept. 27 letter, the district said it was training staff on their obligations under FERPA and the Freedom of Information Act, and was planning a “mandatory training” for principals and other administrators in charge of student records and special education. Training was scheduled to begin Oct. 31 and employees have two months to complete it. 

On Nov. 8, Oettinger appealed the state’s decision, citing The 74’s reporting on the accidental records release. Both the district and the state have “failed to ensure compliance — and now here we are,” she wrote. “You have enough for [the district] to be found at fault for systemic noncompliance.” 

The district disputes that it has violated the law. In a Nov. 21 response to Oettinger’s appeal, it described the disclosure as a “single instance of what appears to be human error” and said that Oettinger’s in-person review of the documents, which FERPA allows, was “outside the typical electronic document production that FCPS employs.”

Oettinger said she has faith in Reid, who became superintendent last year, to push for tighter security.  The two have exchanged emails and met in person multiple times. Oettinger said she’s “choosing to believe Reid’s trying to change the district’s culture and that she knows me enough to know I’d never do anything nefarious.”

Some special education experts in the state are baffled by the district’s mistake. 

“It’s just the norm that when you do a document production, you are careful about what you shouldn’t be disclosing — whether it’s other students’ names or legal advice,” said Jim Wheaton, a William and Mary Law School professor who runs a legal clinic for future attorneys that plan to work on special education issues. “It just blows my mind that they would be so reckless.”

But he said that there’s not much parents can do about such violations. They can file complaints, but there’s no right to sue under FERPA.

“In religious terms,” he said, “it’s, ‘Go forth and sin no more.’”

Exposed Fairfax School Documents Include Names of Alleged Assault Victims
/article/exposed-documents-from-virginias-fairfax-schools-include-names-of-alleged-assault-victims/
Fri, 03 Nov 2023 11:01:00 +0000

Among the tens of thousands of confidential documents accidentally released by the Fairfax County Public Schools last month were the names of two former students whose sexual assault allegations the district bitterly contested, including an appeal to the U.S. Supreme Court.

The students, 12 and 16 years old at the time of the alleged incidents, said district officials failed to respond adequately to their reports — accusations they deny. In court, the students’ lawyers fought successfully for their right to stay anonymous.


“It’s completely irresponsible,” said Shiwali Patel, an attorney with the National Women’s Law Center, which supported one of the former Fairfax students’ requests to keep her identity private. She said a lot of victims of sexual violence don’t come forward because they “don’t want to have their name out there in the public.”

The 74 reported Wednesday on the district’s release of records on an estimated 35,000 students to a parent who has been an outspoken critic of Fairfax’s data privacy record. District officials declined to comment on the specifics of the disclosures, but late Wednesday issued an apology and launched an “external legal investigation” to determine how staff released the documents.

Two weeks ago, Callie Oettinger, a special education advocate, went to her local high school to review what she thought were records she had requested on her children. But she ended up with a trove of digital files that included personal information such as addresses and disability diagnoses, and that named students who had engaged in self-harm or been hospitalized. “We are deeply sorry that this happened,” the district said, predicting the probe “could take some time” due to the large number of affected students.

In addition, Superintendent Michelle Reid responded to an email from Oettinger, saying that she had “spoken with staff and requested an immediate and thorough review into this deeply concerning matter.” 

The documents also named students with disabilities involved in a over the use of seclusion and restraint. Following a local news investigation, almost 1,700 instances involving over 200 students during the 2017-18 school year. Some students as young as six were isolated in a room dozens of times during the year. The case ended in 2021 with in which the district promised to phase out such practices by the end of last school year. Court documents only used students’ initials, but the documents released used their full names. 

“Absolutely, student names should have been protected,” said Denise Marshall, executive director of the Council of Parent Attorneys and Advocates, a nonprofit that joined the parents who sued the district. She called the leak “an egregious breach of privacy.”

One document the Fairfax County Public Schools turned over to parent Callie Oettinger identifies two students who were involved in Title IX lawsuits as Jane Doe, but then includes their names in parentheses. The 74 has redacted their real names.

One of the documents on those students, labeled “attorney work product” and “privileged and confidential,” also contained the names of two former students involved in Title IX cases against the district. It identified them as “Jane Doe,” but then listed their real names in parentheses. Their last names were also included in an email from John Foster, the district’s general counsel, to board members about cases they’d discuss in a 2020 closed meeting.

In the , a plaintiff identified as Jane Doe was a 16-year-old Oakton High School student when she alleged that she was sexually assaulted during a three-day band trip in 2017. She sued in 2018, saying that officials violated Title IX because they knew about the allegations, but waited until the trip was over to address it. She alleged that the district discouraged her from contacting police and when they told her parents, suggested their daughter would face discipline for having sex while on the trip.

Doe won her case in the U.S. Court of Appeals for the Fourth Circuit, but it ended in a settlement last year after the U.S. Supreme Court declined to hear the district’s appeal. She received almost $588,000 in , but the district made no admission of responsibility. The agreement includes a stipulation that the district will always redact Doe’s real name from any copy of the document and only use a pseudonym when referring to the case.

Lawyers for both students declined to comment on the recent disclosures.

The second case, , is set for trial in March in a federal district court. B.R., as she’s named in the suit, was a 12-year-old student at Rachel Carson Middle School in 2011 when she said an older group of students repeatedly raped, tortured and threatened her with death over a four-month period. She alleged that they were part of a gang tied to sex trafficking in Northern Virginia.

While she later reported the alleged attacks to the police, she said the detective who investigated was a former school resource officer in the district who quickly closed the case. The district argued that staff responded appropriately, but a by the U.S. Department of Education’s Office for Civil Rights concluded the district could have acted more quickly. As a result, the district updated its policies.

At 19, she sued the district and her alleged attackers, saying educators ignored her requests for help. The school district argued the case should be dismissed because she missed a deadline for requesting to use a pseudonym. The in B.R.’s favor, but the district appealed to the Fourth Circuit.  

The National Women’s Law Center was one of 52 organizations that argued the case should continue, despite what it called a “procedural technicality.” In November 2021, the ruled in favor of the plaintiff. 

“In many of these cases, plaintiffs are proceeding with a pseudonym. That is not uncommon,” Patel said. “For the district to push back against that is a bullying tactic. It doesn’t impact their ability to defend the lawsuit.”

Virginia’s Fairfax Schools Expose Thousands of Sensitive Student Records
/article/exclusive-virginias-fairfax-schools-expose-thousands-of-sensitive-student-records/
Wed, 01 Nov 2023 10:01:00 +0000

Virginia’s Fairfax County Public Schools disclosed tens of thousands of sensitive, confidential student records, apparently by accident, to a parent advocate who has been an outspoken critic of its data privacy record.

The documents identify current and former special education students by name and include letter grades, disability status and mental health data. In one particularly sensitive disclosure, a counselor identified over 60 students who’ve struggled with issues like depression, including those who have engaged in self-harm or been hospitalized. 

A letter from the district to the state provides copious details about the condition and care of a medically fragile fourth grader. And a document containing “attorney work product” marked “privileged and confidential” references a pair of Title IX cases. It identifies two students as “Jane Doe” — a common practice with alleged victims of sexual assault or harassment — but then names the students in parentheses.

One document the Fairfax County Public Schools turned over to parent Callie Oettinger identifies two students who were involved in Title IX lawsuits as Jane Doe, but then includes their names in parentheses. The 74 has redacted their real names.

The disclosure of private student data is likely the largest since 2020, when the hacker group MAZE , including Social Security numbers and birthdates, on over 170,000 students and employees in the nation’s 13th-largest district. But this time, it looks like human error, rather than ransomware, was to blame. 

“Why worry about people from the outside?” asked Callie Oettinger, who received the recent document collection. “They’ve got the door wide open from the inside.”  

Oettinger, a parent and special education advocate with a long and contentious relationship with Fairfax administrators, went to a school on three consecutive days last month to examine her children’s files — data such as test scores, attendance records and audio recordings of meetings she’s been requesting for years. In addition to boxes of paper files, the district provided her with thumb drives and computer discs that Oettinger estimates include personal data on roughly 35,000 students.

Fairfax parent and special education watchdog Callie Oettinger runs Special Education Action, a website focusing on services for students with disabilities in Fairfax and across the state. (Courtesy of Callie Oettinger)

Parents who have challenged the district over special education services said the leak opens their children to further harm. Among the records released to Oettinger was a 2019 email exchange in which officials questioned the cost of an independent educational evaluation for Julie Melear’s son, who has dyslexia. 

“Is my kid, for the rest of his life, going to have to look over his shoulder to see what Fairfax is putting out there?” asked Melear, who had three children in the district and now lives in Denver.

The latest disclosure is not an isolated incident. Oettinger, who also runs a special education , said the district has repeatedly released information on her now 19-year-old son to other parents and unauthorized staff and, on at least six occasions between 2016 and 2021, provided her with documents on children who are not her own. One was a 2020 internal on special education that included students’ names, their attorneys and costs for services.

But those instances seem small compared to the volume of records she received in October, which span the years 2019 to 2021. It also comes four years after the district’s former superintendent apologized to Oettinger for a similar disclosure and two years after a county judge ruled against Fairfax in a case related to leaked student records. 

Contacted last week, Fairfax officials — who pledged to improve security after the 2020 breach — appeared unaware they had given Oettinger access to students’ personal data. The district’s communications office forwarded an inquiry from The 74 to Molly Shannon, who manages the district’s public records office. In an email, Shannon asked a reporter to identify who accessed the records and where it occurred “so we can investigate and remediate the issue at the school, notify any affected families, and work with the parent to ensure other students’ information is properly secured.”

Under , the district is required to alert parents “as soon as practicable” if there’s a violation under the Family Educational Rights and Privacy Act, or FERPA.

Included in the files the Fairfax County Public Schools released to parent Callie Oettinger is a tracker from a counselor used to note student mental health issues.

The records release is the latest dilemma for Virginia’s largest school system, which has come under intense scrutiny for its handling of special education. Following a federal civil rights probe last year, to make up for services it failed to provide to students with disabilities during the pandemic. For years, federal officials the state to improve its monitoring of districts to ensure they’re complying with all special education laws. As recently as February, they told former state Superintendent Jillian Balow that remained a sticking point.

Data leaks linked to are not unique to Fairfax. In 2017, for example, the Chicago Public Schools posted , including health conditions and birthdates, to unsecured websites. Time-consuming records requests to school districts have also skyrocketed in recent years, fueled in part by controversies over COVID protocols, library books and curriculum. Many districts have struggled to keep up, but one expert said Fairfax shouldn’t be one of them.

“I have a lot more sympathy for the many, many small districts,” said Amelia Vance, founder and president of the Public Interest Privacy Center. But with an annual $3.5 billion budget, Fairfax, she said, “certainly seems to have the resources and they’ve had these requests for years. If they don’t have a system to respond in a protective manner, in an efficient manner, that’s on them.”

With nearly 180,000 students, Fairfax County Public Schools is Virginia’s largest district.

Phyllis Wolfram, executive director of the Council of Administrators of Special Education, a national organization, said she doesn’t think it’s common for districts to release students’ files to the wrong parent. But if record requests are increasing, she said, security should be tighter. 

“Given the shortage of school staff all around, we must be extra vigilant and ensure high-quality training for all staff,” she said. 

‘Process and protocols’ 

FERPA is that gives parents the right to examine their children’s educational records. Oettinger said she asked to see original documents in person — after the state overruled the district’s initial refusal — because past responses have been incomplete or contained electronic files that didn’t open. 

She said she is unsure who in the district ultimately signed off on the recent release. On Oct. 16th, she received an email from Shannon saying the records were ready. From Oct. 17 to 19, she sat in a small room next to the main office of her local high school and viewed the files. A paralegal from the central office supervised as she copied records to thumb drives and scanned paper documents on her phone, Oettinger said. He offered assistance and even called in an IT expert when a media file didn’t open. She recorded everything and shared audio files of her visit with The 74. Ironically, she said, some of her own children’s records are still missing.

At one point, she spotted an unredacted document with a teacher’s notes and suspected there were more. But she said she didn’t realize the full scope of the disclosure until she began reviewing the files at home. 

She filed a complaint with the U.S. Department of Education’s Office for Civil Rights on Oct. 20 and contacted a handful of parents she knows with children named in the documents.

Oettinger said she didn’t report the leak to district officials because she doesn’t trust them — a skepticism that has only intensified over time. When her son had reading difficulties in elementary school, educators responded three times that an evaluation “is not warranted,” according to district records and, she said, told her that boys learn to read slower than girls. 

“You get one chance with your kid, and there’s no handbook,” she said. “In special education especially, nobody knows what to do. All you know is that you’re fighting.”

It took an independent evaluation for her son to be diagnosed with dyslexia, and by seventh grade, he had an Individualized Education Program, a plan that outlines the services a district is obligated to provide students with disabilities. Like thousands of Fairfax parents, she also complained that the district failed to follow that plan during the pandemic. He graduated in 2022, but her daughter remains a Fairfax student.

As she navigated the system for her son, she became a sounding board for other families. She launched her website, Special Education Action, in 2020. She’s filed at least 100 complaints with the state education department over special education services in the district and another dozen with the federal civil rights office, of which at least two have resulted in investigations. Her persistence — sending detailed, sometimes biting, emails and pressing for answers to all her questions — has earned her a reputation for “berating” staff, according to one 2019 email from Dawn Schaefer, director of the district office that handles special education complaints.

“It’s obvious you don’t know what you’re talking about, so let me break it down for you,” Oettinger wrote in a 2020 email to a staff person regarding a diagnosis for her son.

Fairfax district staff gave Callie Oettinger several boxes of documents as well as envelopes full of CDs and flash drives. (Courtesy of Callie Oettinger)

In addition to requests for documents on her own children, she submits Freedom of Information Act requests with the district each year for more general data that she uses in her advocacy role. In one internal 2020 email she obtained, John Cafferky, an attorney who handles special education cases for the district, said she files them because she’s “waiting for someone to slip up.” 

District officials have promised her they would do a better job of safeguarding student privacy. In a 2019 email exchange with former Superintendent Scott Brabrand, Oettinger reported multiple cases of school staff forwarding information about her son to the wrong people. 

“I am sorry to report that the school did make a mistake and unintentionally provided information about your son to another parent,” he responded. “We take student privacy very seriously. Following our process and protocols is paramount to ensuring we protect student information.”

Following the 2020 ransomware incident, the district and released a statement saying it was “committed to protecting the information of our students, our staff, and their families.” The state also stepped in to help the district clean up its “internal practices, and ensure it should not happen again,” state Superintendent Lisa Coons told The 74.

But it did. 

In 2021, another Fairfax parent, Debra Tisler, filed a public records request seeking invoices for legal services in an attempt to learn how much Fairfax was spending on attorneys’ fees related to students with disabilities. The district released records that included personal information on about a dozen students. 

Tisler shared the files with Oettinger, who posted , with names blacked out, on her website. The district to get the records back, but lost the case. 

Judge Richard Gardiner, who heard the lawsuit in a Fairfax County district court, said the records were “obtained quite lawfully.” 

“The [district], for whatever reason — maybe it was ineptness, I don’t know; I have no evidence on that — made the decision to turn over the information, and they’re stuck with that,” he said, according to of the hearing. 

Following the lawsuit, an from December 2022 showed the district’s in-house attorneys didn’t finish redacting students’ personal information before its records office released the documents. Fairfax instituted new procedures to ensure records go through multiple reviews, including checks by a paralegal and a staff attorney. The district also to keep up with demand.

Another document marked “confidential” that was inadvertently released to a Fairfax County, Virginia, parent includes the names of students who receive special education at one of the district’s high schools. The 74 redacted their names.

‘Basic data protection’

But it appears the system broke down. Some parents whose records ended up in the recently released files said they weren’t surprised because they, too, have previously received documents pertaining to other students.

“Some of the information I found out about other people’s children I don’t want to know,” said Melear, the parent who relocated to Denver. 

In the files released to Oettinger, Torey Vanek’s daughter was included on a spreadsheet of students who receive special education services or accommodations for a disability. A ninth grader at Woodson High School, her daughter has dyslexia. 

“There is a joint frustration among many parents in Fairfax,” Vanek said. “Part of me is not surprised, but part of me is like this is just basic data protection.”

How Ed Tech Tools Track Kids Online — and Why Parents Should Care
/article/how-ed-tech-tools-track-kids-online-and-why-parents-should-care/
Fri, 22 Sep 2023 11:15:00 +0000

As technology becomes more and more ingrained in education — and as students become increasingly concerned about how their personal information is being collected and used — startling new research shows how schools have given for-profit tech companies a massive data portal into young people’s everyday lives.

, led by researchers at the University of Chicago and New York University, highlights how the scramble to adopt new technologies in schools has served to create an $85 billion industry with significant data security risks for teachers, parents and students. The issue has become particularly pervasive since the pandemic forced students nationwide into remote, online learning. 

Students’ sensitive information is increasingly leaked online following high-profile ransomware attacks and user data monetization is a key business strategy for tech companies, including those that serve the education market, like Google. Yet student privacy is rarely a top consideration when teachers adopt new digital tools, researchers learned in interviews with district technology officials. In fact, schools routinely lack the resources and know-how to assess potential vulnerabilities.


Such a reality could spell trouble: In an analysis of education technologies widely used or endorsed by districts nationwide, researchers discovered privacy risks abound. The analysis relied on , a privacy inspector tool created by the nonprofit news website The Markup which scours websites to uncover data-sharing practices. Those include the use of cookies that track user behaviors to deliver personalized advertisements. Analyzed education tools, they found, make “extensive use of tracking technologies” with potential privacy implications. 

Most alarming to the researchers were the 7.4% that used “session recorders,” a type of tracker that documents a user’s every move. 

“Anyone visiting those sites would have their entire session captured which includes information such as which links they clicked on, what images they hovered over and even data entered into fields but not submitted,” the report notes. “This could include data that users might otherwise consider private such as the autofilling of saved user credentials or social network data.” 

The 74 caught up with report co-author Jake Chanenson, a University of Chicago Ph.D. student, to gain insight into the report’s findings and to understand why he believes that parents and students should be concerned about how ed tech companies collect, store and use their personal data.

The conversation has been edited for length and clarity. 

Why did remote learning pique your interest in digital privacy and what are the primary implications that worry you? 

Remote learning can be done well but we all had to get to it very quickly without a plan because we all suddenly got thrown at home because of the global pandemic. Suddenly schools had to scramble and find new solutions to reach their students, to educate their students, without being able to test the field, to think critically about it. They really were, with shoestring and gum, trying to keep their classes together. 

Whether you were in school, whether you were at work, whether you were at neither and still just trying to keep in touch with your friends, you were using anything that came your way because that’s what you had to do. I found that really interesting — and a bit concerning. It’s no one’s fault because we don’t understand the ramifications of these technologies and now that we’ve used them a lot of them are here to stay. 

I don’t want to sound like some sort of demonizing figure saying that all tech is bad — that is certainly not the case. It’s merely the fact that sometimes these promises are oversold, and now we have this added element of data privacy. 

When you interact with any of these platforms, tons and tons of student data — from how you interact with it, how well you do on their assignments, when you do it, if you’re a chronic procrastinator, if you’re always getting your work done, if you seem more interested in your art class than your math class. These are all data points collected by these companies and I wanted to know, ‘What is it they’re collecting? What are they doing with it,’ and, specifically for this study, ‘What are schools thinking about in this space if anything at all?’

This study took a two-pronged approach. You conducted surveys with experts in this space and then used technology to identify information that folks might not be aware of. Let’s discuss the surveys first. How did the school administrators and district technology officials you interviewed view privacy issues? 

Lots of them knew that something wasn’t quite up to snuff in their security and privacy practices. 

The best security and privacy practices that I saw in these school districts were entirely because someone, usually in the IT department, had an independent interest in student privacy. They were going above and beyond what their job descriptions required because they cared about the students. 

That’s not to imply that school officials don’t care about the kids — they care about them very much — but they’re so busy making sure the lights are on and making sure there are teachers for the classrooms, dealing with discipline issues, dealing with staffing concerns. They’re not necessarily focused on data privacy and security.

Your research takes a unique approach to show the real-world impacts of education technology on student privacy. You identify that some of these tools raise significant privacy implications. How did you go about that?

We looked at the online websites of educational sites and tried to understand, what are the privacy risks here? What we found is that 7.4% of all these websites had a session recorder, which records everything you do when you’re interacting with a web page. How long you hovered over a certain element, how often you scrolled, what you clicked on and what you didn’t click on. 

That’s a scary amount of data collection for something that’s normally an education site. On top of that we found a high prevalence of cookies and other types of trackers that were being sent to third-parties, basically advertising networks, that were taking that data to track these students across the web. As a student, even while I’m doing my work, they’re creating an ad profile of me that not only encompasses who I am as a consumer in my spare time, but who I am as a student inside of school for this more comprehensive picture of who I am to sell me ads. 

That could be upsetting to somebody who thinks that what I’m doing in school is only the business of me and the teacher, my parents and the principal. 

Why would an education technology company use a session recorder? 

We were able to identify that these trackers, like session recorders, were running on these websites, but we don’t have any idea what they’re recording, which is a project that we’re currently working on and trying to understand. 

I can’t make any well-grounded assumptions to what this is being used for, whether it be nefarious or benign. It’s not uncommon for a session recorder to be used for diagnostic information for a technology company if they want to understand how their users use a site so they can improve it. That’s a legitimate use of one of these session recorders, but without knowing what data they collect, it could be that they’re collecting data that isn’t strictly relevant to improving the service or are over-collecting data in the guise of improving the service and retaining it for future use. 

There are, of course, but I won’t speculate on that because I don’t have definitive proof that’s what’s happening. 

Why should people care about districts’ technology procurements? School districts are using a huge swath of digital tools, some from Google and some from tiny tech companies. If school leaders aren’t putting privacy at the forefront of deciding which tools to use, what concerning outcomes can come from that? 

There are several concerning outcomes, the first being that the data these companies collect don’t necessarily sit on their servers. They sometimes are sold to third parties. Some companies state third parties ambiguously and others list out who they are selling it to and why. 

Just on a normative basis, I think that what you do in the classroom shouldn’t be harvested and sold, especially when many of these companies are raking in somewhere between five- and seven-figure contracts to license this technology. It’s not like they don’t have other sources of income, but the things they can take from students can be incredibly alarming: Information about socioemotional behavior, so if I act out in school, if I am in trouble for something that’s happening at home or I’m bullying another student, that data is collected by a specific service and that data is held somewhere. And of course, when you hold data, it’s a security risk. 

There was a big breach in New York City where hundreds of thousands of students had their personal information leaked because a company was holding onto all of this data. It was leaked to hackers who got that data and can do who knows what with it. That’s a huge privacy violation. Some of the things they stole in that particular breach were names, birthdays and standard things you can use to commit identity fraud, which is a problem. But it can also be more sensitive stuff, such as [special education] accommodation lists or if you qualify for free lunch. There’s stuff about disability or your economic status, stuff that is all collected by these ed tech companies and held somewhere. 

Learning management systems have incredible amounts of metadata. ‘Are you someone who procrastinates and only finishes an assignment one minute before it’s due? Did you do it early? Are you someone who didn’t do the reading but showed up to class anyway? Are you someone who took 10 times to get this quiz right or did it only take you one time?’

These data are recorded and are available for teachers to see, but because teachers can see it, it’s sitting on a server somewhere. 

Because they’re being stored somewhere and they are not being deleted regularly and these companies are not following data minimization principles, it’s a potential privacy risk for these students should another breach happen, which we’ve seen happen again and again and again. 

Breaches have affected sensitive student information. In her book Danielle Citron argues for federal rules that would protect intimate privacy as a civil right. Why are such rules needed and how would they work in an educational context? 

There are certain types of information, like nonconsensual disclosures of intimate images, so-called revenge porn. I think you can make a straight analogy for student data. Just as there should be a zone of intimate privacy around your personal intimate life, your sexuality, whatever else, we should have a similar zone around your educational life. 

Education is a space where students should be able to learn and make mistakes, and if you cannot make those mistakes without being recorded, then that can have repercussions for you later. If you’re not perfect on your first try and someone gets a hold of that, I could see that affecting your college admissions or that could affect an employment record. If I am someone who wants to hire you and I have a list of every student in a school that turns in their assignments early and all of these people were either habitually late or always procrastinating then obviously I’m going to be more interested in hiring the worker that turned stuff in early. But what that list might not tell you is that it was one data point in eighth grade and that one of those students when they were in high school finally got on top of their executive dysfunction and started turning things in on time. 

It’s ultimately nobody’s business how you do in the classroom. You have final grades, but those fine-grained data are nobody else’s business but yours and the teacher’s. You have a safe space to learn and grow and make mistakes in the educational environment and to not be penalized for them outside of that classroom.

ChatGPT Is Landing Kids in the Principal’s Office, Survey Finds
/article/chatgpt-is-landing-kids-in-the-principals-office-survey-finds/
Wed, 20 Sep 2023 04:01:00 +0000

Ever since ChatGPT burst onto the scene last year, a heated debate has centered on its potential benefits and pitfalls for students. As educators worry students could use artificial intelligence tools to cheat, a new survey makes clear its impact on young people: They’re getting into trouble.

Half of teachers say they know a student at their school who was disciplined or faced negative consequences for using — or being accused of using — generative artificial intelligence like ChatGPT to complete a classroom assignment, , a nonprofit think tank focused on digital rights and expression. The proportion was even higher, at 58%, for those who teach special education. 

Cheating concerns were clear, with survey results showing that teachers have grown suspicious of their students. Nearly two-thirds of teachers said that generative AI has made them “more distrustful” of students and 90% said they suspect kids are using the tools to complete assignments. Yet students themselves who completed the anonymous survey said they rarely use ChatGPT to cheat, but are turning to it for help with personal problems.




“The difference between the hype cycle of what people are talking about with generative AI and what students are actually doing, there seems to be a pretty big difference,” said Elizabeth Laird, the group’s director of equity in civic technology. “And one that, I think, can create an unnecessarily adversarial relationship between teachers and students.”   

Indeed, 58% of students, and 72% of those in special education, said they’ve used generative AI during the 2022-23 academic year, just not primarily for the reasons that teachers fear most. Among youth who completed the nationally representative survey, just 23% said they used it for academic purposes and 19% said they’ve used the tools to help them write and submit a paper. Instead, 29% reported having used it to deal with anxiety or mental health issues, 22% for issues with friends and 16% for family conflicts.

Part of the disconnect dividing teachers and students, researchers found, may come down to gray areas. Just 40% of parents said they or their child were given guidance on ways they can use generative AI without running afoul of school rules. Only 24% of teachers say they’ve been trained on how to respond if they suspect a student used generative AI to cheat. 


The results on ChatGPT’s educational impacts were included in the Center for Democracy and Technology’s broader annual survey analyzing the privacy and civil rights concerns of teachers, students and parents as tech, including artificial intelligence, becomes increasingly engrained in classroom instruction. Beyond generative AI, researchers observed a sharp uptick in digital privacy concerns among students and parents over last year. 

Among parents, 73% said they’re concerned about the privacy and security of student data collected and stored by schools, a considerable increase from the 61% who expressed those reservations last year. A similar if less dramatic trend was apparent among students: 62% had data privacy concerns tied to their schools, compared with 57% just a year earlier. 


Those rising levels of anxiety, researchers theorized, are likely the result of the growing frequency of cyberattacks on schools, which have become a primary target for ransomware gangs. High-profile breaches, including in Los Angeles and Minneapolis, have compromised a massive trove of highly sensitive student records. Exposed records, investigative reporting by The 74 has found, include student psychological evaluations, reports detailing campus rape cases, student disciplinary records, closely guarded files on campus security, employees’ financial records and copies of government-issued identification cards.

Survey results found that students in special education, whose records are among the most sensitive that districts maintain, and their parents were significantly more likely than the general education population to report school data privacy and security concerns. As attacks ratchet up, 1 in 5 parents say they’ve been notified that their child’s school experienced a data breach. Such breach notices, Laird said, led to heightened apprehension. 

“There’s not a lot of transparency” about school cybersecurity incidents “because there’s not an affirmative reporting requirement for schools,” Laird said. But in instances where parents are notified of breaches, “they are more concerned than other parents about student privacy.” 

Parents and students have also grown increasingly wary of another set of education tools that rely on artificial intelligence: digital surveillance technology. Among them are student activity monitoring tools, such as those offered by the for-profit companies Gaggle and GoGuardian, which rely on algorithms in an effort to keep students safe. The surveillance software employs artificial intelligence to sift through students’ online activities and flag school administrators — and sometimes the police — when they discover materials related to sex, drugs, violence or self-harm. 

Among parents surveyed this year, 55% said they believe the benefits of activity monitoring outweigh the potential harms, down from 63% last year. Among students, 52% said they’re comfortable with academic activity monitoring, a decline from 63% last year. 

Such digital surveillance, researchers found, frequently has disparate impacts on students based on their race, disability, sexual orientation and gender identity, potentially violating longstanding federal civil rights laws. 

The tools also extend far beyond the school realm, with 40% of teachers reporting their schools monitor students’ personal devices. More than a third of teachers say they know a student who was contacted by the police because of online monitoring, the survey found, and Black parents were significantly more likely than their white counterparts to fear that information gleaned from online monitoring tools and AI-equipped campus surveillance cameras could fall into the hands of law enforcement. 


Meanwhile, as states nationwide pull literature from school library shelves amid a conservative crusade against LGBTQ+ rights, the nonprofit argues that digital tools that filter and block certain online content “can amount to a digital book ban.” Nearly three-quarters of students — and disproportionately LGBTQ+ youth — said that web filtering tools have prevented them from completing school assignments. 

The nonprofit highlights how disproportionalities identified in the survey could run counter to federal laws that prohibit discrimination based on race and sex, and those designed to ensure equal access to education for children with disabilities. In a letter sent Wednesday to the White House and Education Secretary Miguel Cardona, the Center for Democracy and Technology was joined by a coalition of civil rights groups urging federal officials to take a harder tack on ed tech practices that could threaten students’ civil rights. 

“Existing civil rights laws already make schools legally responsible for their own conduct, and that of the companies acting at their direction in preventing discriminatory outcomes on the basis of race, sex and disability,” the coalition wrote. “The department has long been responsible for holding schools accountable to these standards.”


Opinion: Virtual Reality & Other New Technologies Pose Risks for Kids. It’s Time to Act
/article/virtual-reality-other-new-technologies-pose-risks-for-kids-its-time-to-act/
Mon, 27 Mar 2023 13:30:00 +0000

Almost immediately after ChatGPT, a captivating artificial intelligence-powered chatbot, was released late last year, school districts across the country moved to limit or access to it. As rationale, they cited a combination of potential negative impacts on student learning and concerns about plagiarism, privacy and content accuracy.

These districts’ reactions to ChatGPT have led to a debate among policymakers and parents, teachers and technologists about the of this new chatbot. This deliberation magnifies a troubling truth: Superintendents, principals and teachers are making decisions about the adoption of emerging technology without the answers to fundamental questions about the benefits and risks. 




Technology has the potential to modernize education and help prepare students for an increasingly complex future. But the risks to children are just beginning to be uncovered. Creating a policy and regulatory framework focused on building a deeper understanding of the benefits and risks of emerging technologies, and protecting children where the evidence is incomplete, is not alarmist, but a responsible course of action. 

Why act now? 

First, recent history has demonstrated that emerging technology can pose real risks to children. a correlation between time spent on social media and adolescent anxiety, depression, self-harm and suicide. These impacts seem particularly significant for . While there is debate among researchers about the size of these effects, the state of adolescent mental health has deteriorated to the extent that it was declared a in 2021 by the American Academy of Pediatrics, the American Academy of Child and Adolescent Psychiatry, and the Children’s Hospital Association. Social media seems to be a contributing factor. 

Second, immersive technologies, including virtual reality, augmented reality, mixed reality and brain-computer interfaces, may intensify the benefits and risks to children. Immersive technologies have the potential to . But the impact on childhood development of exposure to multisensory experiences replicating the physical world in digital spaces is just beginning to be understood — and there is cause for concern based on limited research. For example, a concluded that immersive virtual reality can interfere with the development of coordination that allows children to maintain balance. And a 2021 on the impact of virtual reality on children revealed evidence of cognition issues, difficulty navigating real and virtual worlds, and addiction. The most significant risk may be how frequent and prolonged exposure to virtual environments impacts mental health.

Third, the digital divide has considerably. Government and the private sector have driven improvements in , expanded cellular networks and made mobile and computing devices significantly more affordable. Since 2014-15, the percentage of teens who have a smartphone has . Paired with money from COVID-19 legislation that allowed schools to invest in hardware, more children will have opportunities to use emerging technologies than ever had access to older innovations — including apps and the internet — at home and in school. 

Based on emerging evidence on these impacts on children, and in the face of significant unknowns, a policy and regulatory framework focused on mitigating risks — while still allowing children to access the benefits of these technologies — is warranted. At the federal level, Congress should consider:

  • Compelling all emerging technology companies, including those producing immersive reality products that are utilized by children, to provide academic researchers access to their data.
  • Compelling all immersive reality companies to assess the privacy and protection of children in the design of any product or service that they offer.
  • Compelling all immersive reality companies to provide child development training to staff working on products intended for use by children.
  • Requiring hardware manufacturers of virtual reality, augmented reality, mixed reality and brain-computer interface devices targeted to children to prominently display on their packaging warning labels about unknown physical and mental health risks.
  • Establishing guidance, via the Department of Education, for district and school leaders to prepare their communities for the adoption of immersive technologies.
  • Requiring all immersive technology companies to inform users of product placement within the platform.
  • Compelling relevant federal regulatory agencies to provide clarification on the ways existing laws, such as the Health Information Portability and Accountability Act and the Children’s Online Privacy Protection Act, Individuals with Disabilities Act and Americans with Disabilities Act, apply to immersive technologies.
  • Compelling all immersive technology companies to acquire parental consent for data sharing, particularly biometric information, including eye scans, fingerprints, handprints, face geometry and voiceprints.
  • Providing guidelines around minimum age for the use of immersive technology platforms and products.

At the state level, every governor should carefully assess the action last week to regulate children’s use of social media and consider the following actions: 

  • Creating child well-being requirements for state procurement of any immersive technology.
  • Offering research and development grants to in-state immersive technology companies to focus on safety and well-being impacts on children.
  • Establishing protocols for reviewing districts’ use of emerging technologies to determine compliance with federal and state law.

Finally, at the local level, school boards, superintendents and school leaders should consider regulations and guidance for the selection, adoption and use of immersive technologies:

  • Assessing opportunities for integration with current teaching and learning methods and curriculum.
  • Investing in and planning for professional development around these technologies.
  • Ensuring accessibility for students with disabilities and English learners when planning around use of emerging technologies.
  • Ensuring that any planned use of emerging technologies in the classroom is compliant with state and federal special education laws.
  • Evaluating the costs of immersive technology procurement and necessary infrastructure upgrades and making the results transparent to the community.
  • Creating opportunities for educator, parent and student involvement in the purchasing process for technology.

If emerging technology can have detrimental impacts on children — and evidence points to that being the case — responsibly mitigating the risks associated with these technologies is prudent. Why chance it? This is the best opportunity to allow children to reap the benefits.

Hackers Use Stolen Student Data Against Minneapolis Schools in Brazen New Threat
/article/hackers-use-stolen-student-data-against-minneapolis-schools-in-brazen-new-threat/
Thu, 09 Mar 2023 14:01:00 +0000

Minneapolis Public Schools appears to be the latest ransomware target in a $1 million extortion scheme that came to light Tuesday after a shady cyber gang posted to the internet a ream of classified documents it claims it stole from the district.

While districts nationwide have become victims in in the last several years, cybersecurity experts said the extortion tactics leveraged against the Minneapolis district are particularly aggressive and an escalation of those typically used against school systems to coerce payments.

In a dark web blog post and an online video uploaded Tuesday, the ransomware gang Medusa claimed responsibility for conducting a February cyberattack — or what Minneapolis school leaders euphemistically called an “encryption event” — that led to . The blog post gives the district until March 17 to hand over $1 million. If the district fails to pay up, criminal actors appear ready to post a trove of sensitive records about students and educators to their dark web leak site. The gang’s leak site gives the district the option to pay $50,000 to add a day to the ransom deadline and allows anyone to purchase the data for $1 million right now.

On the video-sharing platform Vimeo, the group, calling itself the Medusa Media Team, posted a 51-minute video that appeared to show a limited collection of the stolen records, making clear to district leaders the sensitive nature of the files within the gang’s possession. 

“The video is more unusual and I don’t recall that having been done before,” said Brett Callow, a threat analyst with the cybersecurity company Emsisoft. 

A preliminary review of the gang’s dark web leak site by The 74 suggests the compromised files include a significant volume of sensitive documents, including records related to student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications.

A file purportedly stolen from Minneapolis Public Schools and uploaded to the Medusa ransomware gang’s dark web leak site references a sexual assault incident involving several students. (Screenshot)

The video is no longer available on Vimeo and a company spokesperson confirmed to The 74 that it was , which prohibits users from uploading content that “infringes any third party’s” privacy rights.

As targeted organizations decline to pay ransom demands in efforts to recover stolen files, Callow said the threat actors are employing new tactics “to improve conversion rates.”

“This is likely just an experiment, and if they find this works they will do it more frequently,” Callow said. “These groups operate like regular businesses, in that they A/B test and adopt the strategies that work and ditch the ones that don’t.” 


The Minneapolis school district hasn’t acknowledged being a ransomware victim, while Callow and other cybersecurity experts have been harshly critical of how it has disclosed the attack to the public. In , the district attributed “technical difficulties” with its computer systems to the referenced “encryption event,” a characterization that experts blasted as creative public relations that left potential victims in the dark about the incident’s severity. 

The district “has not paid a ransom” and an investigation into the incident “has not found any evidence that any data accessed has been used to commit fraud,” school officials said in the March 1 statement.  

In a statement to The 74 Tuesday, the district said it “is aware that the threat actor who has claimed responsibility for our recent encryption event has posted online some of the data they accessed.”

“This action has been reported to law enforcement, and we are working with IT specialists to review the data in order to contact impacted individuals,” the statement continued.

A file uploaded to the Medusa ransomware gang’s dark web leak site lists personal information of Minneapolis Public Schools administrators who serve as campus emergency contacts. (Screenshot)

Minnesota-based student privacy advocate Marika Pfefferkorn called on the district to be more forthcoming as it confronts the attack. 

“First and foremost, they owe an apology to the community by not being explicit right away about what was happening,” said Pfefferkorn, executive director of the Midwest Center for School Transformation. “Because they haven’t communicated about it, they haven’t shared a plan about, ‘How will you address this? How will you respond?’ Not knowing how they are going to respond makes me really nervous.”

School cybersecurity expert Doug Levin, the national director of the K12 Security Information eXchange, said that district officials appear to have coined the term “encryption event,” but available information suggests the school system was the victim of “classic double extortion,” an exploitation technique that’s become popular among ransomware gangs in the last several years. 

With its video and dark web blog, Medusa may have spent “a little more time and energy” than other ransomware groups in presenting the stolen data in a compelling package, “but the tactics seem to be the same,” Levin said. “Now that we have a group coming forward with compelling evidence that they have exfiltrated data from the system and it’s actively extorting them, that’s all I would need to know to classify this as ransomware.”

In double extortion ransomware attacks, threat actors gain access to a victim’s computer network, download compromising records and lock the files with an encryption key. Criminals then demand their victim pay a ransom to regain control of their files. Then, if a ransom is not paid, criminals sell the data or publish the records to a leak site. 

Such a situation recently played out in the Los Angeles Unified School District, the nation’s second-largest school system. Last year, the ransomware gang Vice Society broke into the district’s computer network and made off with some 500 gigabytes of district files. When the district refused to pay an undisclosed ransom, Vice Society uploaded the records to its dark web leak site.

District officials have sought to downplay the attack’s effects on students. But an investigation by The 74 found thousands of students’ comprehensive and highly sensitive mental health records had been exposed. The district then acknowledged Feb. 22 that some 2,000 student psychological assessments — including those of 60 current students — had been leaked.

Districts that become ransomware targets could face significant liability issues. Earlier this month, the education technology company Aeries Software a negligence lawsuit after a data breach exposed records from two California school districts. District families accused the software company of failing to implement reasonable cybersecurity safeguards. 

Federal authorities have made progress in curtailing cybercriminals. In January, authorities seized control of a prolific ransomware gang’s leak site and earlier this month officials with ties to a Russian-based ransomware group that’s known to target schools. 

At least 11 U.S. school districts have been the victims of ransomware attacks so far in 2023, according to Emsisoft research. Last year, 45 school districts and 44 colleges. 

The Medusa ransomware gang’s leak site suggests the Minneapolis school district has until March 17 to pay a $1 million ransom or have their sensitive files published online. The district can pay $50,000 to add a day to the ransom deadline. (Screenshot)

In Minneapolis, a lack of transparency from the district could put affected students and staff at heightened risk of exploitation, Emsisoft’s Callow said. 

“There absolutely are times when districts have to be cautious about the information they release because it is the source of an ongoing investigation,” he said. “But calling something a ransomware incident as opposed to an encryption event really isn’t problematic. Nor is telling people their personal information may have been compromised.”

Pfefferkorn, the Minneapolis student privacy advocate, said she’s concerned about the amount of data the school district collects about students and worries it lacks sufficient cybersecurity safeguards to keep the information secure. She pointed to Minneapolis schools’ since-terminated contract with the digital student surveillance company Gaggle, which monitors students online and alerts district officials to references about mental health challenges, sexuality, drug use, violence and bullying. 

The district said it adopted the monitoring tool in a pandemic-era effort to keep kids safe online, but the unauthorized disclosure of Gaggle records maintained by the district could make them more vulnerable, she said. 

There’s little recourse, she said, for students and educators whose sensitive records were already leaked by Medusa. 

“It’s already out there and that cannot be repaired,” she said. “There’s information out there that’s going to impact them for the rest of their lives.”

Gaggle Drops LGBTQ Keywords from Student Surveillance Tool Following Bias Concerns
/article/gaggle-drops-lgbtq-keywords-from-student-surveillance-tool-following-bias-concerns/
Fri, 27 Jan 2023 12:15:00 +0000

Digital monitoring company Gaggle says it will no longer flag students who use words like “gay” and “lesbian” in school assignments and chat messages, a significant policy shift that follows accusations its software facilitated discrimination of LGBTQ teens in a quest to keep them safe.

A spokesperson for the company, which describes itself , cited a societal shift toward greater acceptance of LGBTQ youth — rather than criticism of its product — as the impetus for the change as part of a “continuous evaluation and updating process.”

The company, which uses artificial intelligence and human content moderators to sift through billions of student communications each year, has long defended its use of LGBTQ-specific keywords to identify students who might hurt themselves or others. In arguing the targeted monitoring is necessary to save lives, executives have pointed to the prevalence of bullying against LGBTQ youth and data indicating they’re than their straight and cisgender classmates. 




But in practice, Gaggle’s critics argued, the keywords put LGBTQ students at a heightened risk of scrutiny by school officials and, on some occasions, the police. Nearly a third of LGBTQ students said they or someone they know experienced nonconsensual disclosure of their sexual orientation or gender identity — often called outing — as a result of digital activity monitoring, according to released in August by the nonprofit Center for Democracy and Technology. The survey encompassed the impacts of multiple monitoring companies who contract with school districts, such as GoGuardian, Gaggle, Securly and Bark. 

Gaggle’s decision to remove several LGBTQ-specific keywords, including “queer” and “bisexual,” from its dictionary of words that trigger alerts was first reported in . It follows extensive reporting by The 74 into the company’s business practices and sometimes negative effects on students who are caught in its surveillance dragnet.

Though Gaggle’s software is generally limited to monitoring school-issued accounts, including those by Google and Microsoft, the it can scan through photos on students’ personal cell phones if they plug them into district laptops.

The keyword shift comes at a particularly perilous moment, as Republican lawmakers in multiple states . Legislation has looked to curtail classroom instruction about sexual orientation and gender identity, ban books and classroom curricula featuring LGBTQ themes and prohibit transgender students from receiving gender-affirming health care, participating in school athletics and using restroom facilities that match their gender identities. Such a hostile political climate and pandemic-era disruptions, a recent youth survey by The Trevor Project revealed, have contributed to an uptick in LGBTQ youth who have seriously considered suicide.

The U.S. Education Department received 453 discrimination complaints involving students’ sexual orientation or gender identity last year, according to data provided to The 74 by its civil rights office. That’s a significant increase from previous years, including in 2021 when federal officials received 249 such complaints. The Trump administration took and complaints dwindled. In 2018, the Education Department received just 57 complaints related to sexual orientation or gender identity discrimination.

The increase in discrimination allegations involving sexual orientation or gender identity is part of , according to data obtained by The New York Times. The total number of complaints for 2021-22 grew to 19,000, a historic high and more than double the previous year.

In September, The 74 revealed that Gaggle had donated $25,000 to The Trevor Project, the nonprofit that released the recent youth survey and whose advocacy is focused on suicide prevention among LGBTQ youth. The arrangement was framed on Gaggle’s website as a collaboration to “improve mental health outcomes for LGBTQ young people.”

The revelation was met with swift backlash on social media, with multiple Trevor Project supporters threatening to halt future donations. Within hours, the group announced it had returned the donation, acknowledging concerns about Gaggle “having a role in negatively impacting LGBTQ students.” 

The Trevor Project didn’t respond to requests for comment on Gaggle’s decision to pull certain LGBTQ-specific keywords from its systems. 

In a statement to The 74, Gaggle spokesperson Paget Hetherington said the company regularly modifies the keywords its software uses to trigger a human review of students’ digital communications. Certain LGBTQ-specific words, she said, are no longer relevant to the 24-year-old company’s efforts to protect students from abuse and were purged late last year.

“At points in time in the not-too-distant past, those words were weaponized by bullies to harass and target members of the LGBTQ+ community, so as part of an effective methodology to combat that discriminatory harassment and violence, those words were once effective tools to help identify dangerous situations,” Hetherington said. “Thankfully, over the past two decades, our society evolved and began a period of widespread acceptance, especially among the K-12 student population that Gaggle serves. With that evolution and acceptance, it has become increasingly rare to see those words used in the negative, harassing context they once were; hence, our decision to take these off our word/phrases list.”

Hetherington said Gaggle will continue to monitor students’ use of the words “faggot,” “lesbo,” and others that are “commonly used as slurs.” A previous review by ĂŰĚŇÓ°ĘÓ found that Gaggle regularly flagged students for harmless speech, like profanity in fictional articles submitted to a school’s literary magazine, and students’ private journals. 

Anti-LGBTQ activists have , and privacy advocates warn that in the era of “Don’t Say Gay” laws and abortion bans, information gleaned from Gaggle and similar services could be weaponized against students.

Gaggle executives have minimized privacy concerns and claim the tool saved more than 1,400 lives last school year. That statistic hasn’t been independently verified and there’s a dearth of research to suggest digital monitoring is an effective school-safety tool. A recent survey found a majority of parents and teachers believe the benefits of student monitoring outweigh privacy concerns. The Vice News documentary included the perspective of a high school student who was flagged by Gaggle for writing a paper titled “Essay on the Reasons Why I Want to Kill Myself but Can’t/Didn’t.” Adults wouldn’t have known she was struggling without Gaggle, she said. 

“I do think that it’s helpful in some ways,” the student said, “but I also kind of think that it’s — I wouldn’t say an invasion of privacy — but if obviously something gets flagged and a person who it wasn’t intended for reads through that, I think that’s kind of uncomfortable.” 

Student surveillance critic Evan Greer, director of the nonprofit digital rights group said the tweaks to Gaggle’s keyword dictionary are unlikely to have a significant effect on LGBTQ teens and blasted the company’s stated justification for the move as being “out of touch” with the state of anti-LGBTQ harassment in schools. Meanwhile, Greer said that LGBTQ youth frequently refer to each other using “reclaimed slurs,” reappropriating words that are generally considered derogatory and remain in Gaggle’s dictionary. 

“This is just like lipstick on a pig — no offense to pigs — but I don’t see how this actually in any meaningful way mitigates the potential for this software to nonconsensually out LGBTQ students to administrators,” Greer said. “I don’t see how it prevents the software from being used to invade the privacy of students in a wide range of other circumstances.”

Gaggle and its competitors — including , and — have faced similar scrutiny in Washington. In April, Democratic Sens. Elizabeth Warren and Ed Markey argued in a report that the tools could be misused to discipline students and warned they could be used disproportionately against students of color and LGBTQ youth. 

In , Gaggle founder and CEO Jeff Patterson said the company cannot test the potential for bias in its system because the software flags student communications anonymously and the company has “no context or background on students,” including their race or sexual orientation. They also said their monitoring services are not meant to be used as a disciplinary tool. 

In the survey released last summer by the Center for Democracy and Technology, however, 78% of teachers reported that digital monitoring tools were used to discipline students. Black and Hispanic students reported being far more likely than white students to get into trouble because of online monitoring. 

In October, the White House cautioned school districts against the “continuous surveillance” of students if monitoring tools are likely to trample students’ rights. It also directed the Education Department to issue guidance to districts on the safe use of artificial intelligence. The guidance is expected to be released early this year.

As an increasing number of districts implement Gaggle for bullying prevention efforts, surveillance critic Greer said the company has failed to consider how adults can cause harm.

“There is now a very visible far-right movement attacking LGBTQ kids, and particularly trans kids and teenagers,” Greer said. “If anything, queer kids are more in the crosshairs today than they were a year ago or two years ago — and that’s why this surveillance is so dangerous.”

If you are in crisis, please call the National Suicide Prevention Lifeline at 1-800-273-TALK (8255), or contact the Crisis Text Line by texting TALK to 741741. For LGBTQ mental health support, contact The Trevor Project’s toll-free support line at 866-488-7386.

]]>