We Can Improve Student Learning and Preserve Student Privacy

The expanded use of educational technology and student information for improving student learning has drawn attention to the issue of student privacy on the state and national policy agenda. The education community is having important discussions about the use of student data while also ensuring its privacy and security.

Many educational service providers, working with schools and universities, use student information to develop and deliver learning software, digital content, web services and related technologies and services that meet their teaching, learning and enterprise management needs. These range from adaptive learning to bus and classroom scheduling software, and from learning management systems to data systems. They are helping to personalize learning, support teachers and instruction, carry out various administrative operations, and improve school productivity and educational performance.

As student information is used to improve learning, schools and service providers have a shared responsibility to protect the privacy and security of student information.

One way they do this is by limiting the collection and uses of student information. Schools and their service providers collect and use student information only for legitimate educational purposes and have policies and procedures in place to prevent unauthorized use.  This is not just a matter of good will.  Schools are required to do this by the federal Family Educational Rights and Privacy Act (FERPA) and often by state laws as well. Service providers are also bound by contract and are subject to significant penalties including the possibility of being restricted from contracting with the school for up to five years for unauthorized disclosure of student information. There’s a market incentive for service providers as well: if they do not live up to their responsibilities, they will lose the confidence of their customers and lose business.

Privacy and security of student information is important to schools and service providers for another reason.  They are essential parts of good information practices. For instance, if student information is inaccurate, out-of-date or incomplete, this renders the use of the information unreliable.

Educational service providers do not have an independent role in the school system. They cannot just use student information as they see fit. They work for educational institutions.  They collect and use student information only with the explicit approval of the schools and other educational institutions that they work for. They use this information only for the purpose authorized by the educational institution.

Parents have an important role too. Federal law requires parental consent (for students under age 18) if schools want to share information with third parties for non-educational purposes.  If schools, school districts, or state educational departments want to use student information beyond the narrowly defined educational purposes in Federal law, they have to get parental consent.

Some have called for parental consent for all uses of student information, even for core educational purposes.  But this is unrealistic.  Schools need to collect information from students to operate their institutions and to provide education to their students.  They must share this information with third-party providers without whom they do not have the capacity to carry out many core functions. They cannot possibly do this if they have to provide an opt-out for all uses of student information. More importantly, a universal opt-out would also create an unfair imbalance by further widening the achievement gap — some students would have access to the best educational resources while those who opt out fall behind.

As our education system continues to transform itself, SIIA looks forward to continued work with educators, policy makers and providers to advance the innovative use of technology and data to drive student success, and the continued use of sound data management practices that protect student privacy.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow Mark on Twitter at @Mark_MacCarthy

How NSA Revelations are Affecting the Tech Industry

Revelations about the National Security Agency’s (NSA) surveillance efforts are continuing to pose serious business challenges for the tech sector. SIIA is tracking the repercussions closely. Here are a few important developments to note:

Market Backlash: Studies and surveys have suggested a possible backlash against cloud providers and technology companies generally.  Here’s a summary of some of them:

  • CSA Survey: In July a survey from the Cloud Security Alliance reported  that  “10% of 207 officials at non-U.S. companies have canceled contracts with U.S. service providers following the revelation of the NSA spy program last month…the survey also found that 56% of non-U.S. respondents are now hesitant to work with any U.S.-based cloud service providers.”
  • ITIF Study: By comparing projected growth of US cloud computing sales with a variety of hypothetical sales losses, ITIF suggests that US cloud companies could miss out on as much as $35 billion in additional overseas sales over the next three years.
  • Forrester Study: Forrester thinks the potential impact could be as high as $180 billion by 2016, taking into account the reactions of U.S. and non-US companies, the impact on non-US cloud providers and the effects on the rest of the hosting and outsourcing market.

Repercussions for Tech: The NSA revelations continue to have larger repercussions for tech companies in the form of localization requirements and new challenges to the multi-stakeholder form of Internet governance.  Here are updates on several of these challenges:

  • Brazil’s controversial new internet plans, calling for server and data localization, a local encrypted email service and a separate transatlantic cable connection to Europe that bypasses the US.
  • UN General Assembly Address: After canceling a US state visit over NSA spying, Brazil’s Dilma Rousseff issued an announcement called the interception of Brazilian communications “illegal” and said such a “grave fact” was an “assault” on sovereignty and “incompatible with a democratic coexistence between friendly countries.”  She then delivered the opening speech at the UN General Assembly today, rejecting U.S. government surveillance programs as inconsistent with human rights and a violation of national sovereignty, and calling for “multilateral mechanisms for the worldwide network that are capable of ensuring principles such as:
  1. Freedom of expression, privacy of the individual and respect for human rights.
  2. Open, multilateral and democratic governance, carried out with transparency by stimulating collective creativity and the participation of society, Governments and the private sector
  3. Universality that ensures the social and human development and the construction of inclusive and non-discriminatory societies
  4. Cultural diversity, without the imposition of beliefs, customs and values.
  5. Neutrality of the network, guided only by technical and ethical criteria, rendering it inadmissible to restrict it for political, commercial, religious or any other purposes.

She concludes: “Harnessing the full potential of the Internet requires, therefore, responsible regulation, which ensures at the same time freedom of expression, security and respect for human rights.”

Civil Society Calls for Principles: International civil society groups have issued a call for government surveillance principles consistent with human rights.

EU Response: Viviane Reding’s address in Brussels last week held up the Data Protection regulation as the EU’s response to the fear of US government surveillance, explicitly took privacy issues off the table for discussion in TTIP, and suggested the formation of an EU-area cloud that would compete globally on the basis of better privacy rules and streamlined government regulation.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow Mark on Twitter at @Mark_MacCarthy



Do Not Track is on Track at W3C

The W3C Tracking Protection Working Group announced today that it would appoint Carl Cargill, from Adobe, and Justin Brookman, from the Center for Democracy and Technology (CDT), to join Intel’s Matthias Schunter as co-chairs of the group’s effort to forge a multi-stakeholder consensus on creating a standard to address Tracking Protection.  The group’s standard setting activity will continue, despite the withdrawal of the Digital Advertising Alliance earlier this week, under the leadership of these three well-qualified experts.

SIIA welcomes this development.  Internet users, the industry, and policymakers here and around the world are looking for a workable standard to address Tracking Protection that can be easily and effectively implemented.  All parties share the goal of creating an effective framework to enable users to express their tracking preferences in a transparent and meaningful fashion with the understanding that these preferences will be respected by the relevant Internet participants. The continuation of this W3C process and the momentum created by the naming of additional co-chairs provide the opportunity to adopt a workable standard that is broadly acceptable to all stakeholders.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow Mark on Twitter at @Mark_MacCarthy

Saving the Safe Harbor: Commissioner Julie Brill to the Rescue!

At the EU Data Protection and Privacy Conference today in Brussels, FTC Commissioner Julie Brill delivered a powerful speech about the way the U.S. protects consumer privacy. Along the way she offered a strong defense of the U.S. Safe Harbor Framework for European privacy:

“In the commercial space, the Safe Harbor Framework facilitates the FTC’s ability to protect the privacy of EU consumers. Without the Safe Harbor, my job to protect EU consumers’ privacy, where appropriate, would be much harder. In an era where we face many threats to privacy, Safe Harbor has been an effective solution, not the problem.”

In the face of so many challenges to the Safe Harbor Framework coming from European public officials, this speech from a prominent U.S. consumer protection official is a crucial reminder of the importance of this cross-border framework for international privacy protection.

Her remarks are also notable for the clear distinction she makes between government surveillance and commercial privacy:

“The issue of the proper scope of government surveillance is a conversation that should happen – and will happen – on both sides of the Atlantic. But it is a conversation that should proceed outside out of the commercial privacy context.”

As I’ve noted in previous blogs, the conflation of the two is damaging to both the need to protect citizens from intrusive government surveillance and in finding the right sort of fair information practices that provides for commercial enterprise, innovation and the preservation of consumer privacy.  Commissioner Brill is exactly right when she insists on keeping these issues separate.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow Mark on Twitter at @Mark_MacCarthy

How to Keep the World Safe for Data Driven Innovation and Cross Border Data Flows

In a major address to the German Marshall Fund yesterday, outgoing Commerce Department General Counsel Cameron Kerry brought some refreshing clarity to the current discussions of privacy and government surveillance.

He started in the right place with a ringing endorsement of the progressive use of big data as a tool for economic and social improvement.  He referred favorably to “breakthroughs in medical research from aggregated health care records that can produce information far more robust than the limited populations of medical trials,” and cited a recent example:    

“The drug Herceptin was developed through identification of the HER-2 oncogene from records of 9,000 breast cancer patients. IBM is working with hospitals and the IBM-WATSON natural language system to collect anonymized medical records in ways that protect privacy and analyze unstructured data applying the power of new analytic technologies across many different text-based medical records previously unintelligible to computers.”

As SIIA noted in a recent whitepaper, the seamless flow of data across borders is important to the growth of data-driven innovation and the global economy. Kerry underscored the economic importance of cross-border data flow:

 “Trans-border trade – and especially transatlantic trade – now relies on the continued open flow of data, and cutting off these flows would cause significant and immediate economic damage. Moreover, it would lead to loss of competitiveness on both sides as other economies around the world that embrace open Internet architectures and freedom to experiment with data analytics offer havens for innovators. Our economic future is at stake in our international engagement.”

Then he noted the importance to transatlantic trade of the Safe Harbor arrangement that has governed transfers of information from the European Union to the United States for well over a decade. He warned of the dangers a weakening of this framework would pose to transatlantic trade:

“Today, more than 4,000 companies have subscribed to the Safe Harbor Framework. Many of these are U.S. subsidiaries of EU companies that also rely on the framework…Safe Harbor is a fundamental building block of the trade relationship between the United States and Europe…Any step back from Safe Harbor would send the trading relationship between the U.S. and the EU backward.”

This worry about a threat to the Safe Harbor Framework is not idle. On July 19, 2013 Viviane Reding, European Commission Vice President, issued a statement  saying, “The Safe Harbour agreement may not be so safe after all.” On July 24, 2013, a statement from the Conference of German Data Protection Commissioners indicated that it would examine whether transatlantic data transfers “should be suspended on the basis of the Safe Harbour framework.” 

The basis for this threat to the Safe Harbor in both cases is the NSA revelations regarding government surveillance–but this is mixing up apples and oranges.

The EU Data Protection Directive and the Safe Harbor both provide an exception for national security purposes.  In the US and EU regime, the law, regulation, and policy considerations that relate to protecting consumer privacy in a commercial context are completely different from the law and policy and constitutional considerations that govern government surveillance. 

Moreover, putting onerous burdens on the commercial transfer of information as a backdoor way to control government surveillance is self-defeating and counterproductive.  It distracts from real measures that might protect citizens from overly intrusive government surveillance and it puts an unnecessary burden on commerce that is not justified by the need to preserve and protect consumer privacy in a commercial context.

Kerry’s remarks yesterday show he grasps these issues clearly.  It might have been his last public statement before leaving his current post at the Commerce Department, but it sets a promising roadmap for Obama administration policy in this area.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @Mark_MacCarthy

SIIA Comments on TTIP Address Trade and Privacy

Today, SIIA filed comments in response to the Federal Register notice of April 1, 2013 from the United States Trade Representative (USTR) regarding a proposed Transatlantic Trade and Investment Agreement.  The comment supported this TTIP initiative.  SIIA is prepared to help both the US government and the EU reach a timely and comprehensive agreement.  

The comments focused on the relationship between the seamless flow of information across borders and trade policy. A recent report on the Future of Trade by a panel convened by outgoing WTO Director General Pascal Lamy addressed this question of the relationship between domestic public policy and trade policy.  Here’s what it said:

Regulations in key areas of the economy, such as health, safety, environmental quality and labour rights are not set in the WTO. What this means is that the WTO must consider how to articulate the relationship between trade opening and the existence of measures outside its remit that are nevertheless relevant to the conditions under which trade takes place. While a convergence of public policy design would facilitate matters from a purely trade perspective, we recognise that respect for differing social preferences is paramount. We must work towards a shared understanding of what constitutes a level playing field. As a matter of principle, we argue that the discriminatory application of NTMs (non-tariff measures) must be avoided where possible and that members should not restrict trade where this is not essential to the pursuit of public policy objectives.

The key idea is that domestic laws should not restrict trade where this is not essential to the pursuit of public policy objectives.  Respect for different social preferences is paramount, but the means of implementing these social preferences have to be the least restrictive of trade possible.  If there is a way to achieve a public policy objective in a way that is less restrictive of trade, countries should take this direction. 

These principles are familiar to us from other contexts: the use of cost-effectiveness analysis to pick the project that achieves a policy goal with the least expenditure of social resources and the constitutional analysis of measures that restrict free speech which calls for an assessment of whether the speech-restricting measure is necessary to achieve a substantial government purpose.  Applying these notions to the trade context ensures that both trade and non-trade social preferences are satisfied to the greatest extent possible.

It is worth paying some attention to these ideas in the context of the revision of the European data protection regulation and its relationship to trade.  A recent report by the European Centre for International Political Economy for the U.S. Chamber of Commerce made the point that the revised EU privacy regulation could have an adverse effect on EU trade and thereby on EU’s domestic growth and employment.  It urged that the EU pay attention to these possible economic effects and stressed the importance of getting data protection regulation right.

What does this have to do with trade negotiations?  In particular, how does it relate to the upcoming TTIP negotiations? 

The SIIA comments addressed this question.  It argued that one goal of the TTIP negotiations should be to ensure that privacy rules do not act as an unnecessary barrier to cross-border flows of information.  But it is important to approach this connection between trade and privacy very carefully. 

A trade agreement is not the place for the US or the EU to set its substantive domestic privacy rules.  SIIA does not endorse the idea of negotiating the specifics of the US or EU privacy regimes as part of TTIP.  These privacy regimes are different, but compatible, attempts to achieve the same protective results through different means.

Still, it is crucial to understand that privacy rules can have an effect on trade and should be carefully crafted to minimally impede the cross–border flow of data.  The standard that local rules should be crafted so as to be least restrictive of trade is well established in trade law and policy.  And this standard specifically applies to privacy rules.  Article 15 of the General Agreement on Trade in Services, for instance, permits, among other things, domestic measures “necessary” to secure compliance with local privacy rules.  The WTO panel on the future of trade was relying on this standard in issuing its report.

In this regard, SIIA urges both the EU and US to recognize that a complete ban on the transfer of data across borders is not necessary to secure compliance with local privacy rules.  If a company participates in an international agreement such as the US-EU Safe Harbor agreement, then its data should be able to flow seamlessly across borders.  In a similar fashion, a company that is in compliance with an enforceable privacy code of conduct or subjects itself to binding corporate privacy rules or has a contract with a data protection authority regarding privacy should be able to transfer information across borders.

TTIP need not constrain the specifics of privacy rules, but it should reaffirm the obligation to provide companies with a usable means to demonstrate compliance with local privacy rules so that information can flow across borders.  In this way, trade policy can help to ensure that privacy protection is done carefully and avoids unintended consequences on innovation and economic growth.

An important initiative in the area of trade and privacy is being run out of the law firm of Hogan Lovells. SIIA intends to work closely with them to ensure that TTIP and other trade negotiations address privacy is a positive way that balances the need for protection and the need for the seamless flow of data.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy

There’s No Bad Data, Only Bad Uses of Data

Steven Lohr explored the roots of the debate over personal data and privacy in a timely article in the New York Times this Sunday. An important theme of his article is best summed up by Craig Mundie of Microsoft, who says, “There’s no bad data, only bad uses of data.” At SIIA, we concur that if we want privacy protections to be truly meaningful, we should move away from restricting data collection, and instead work to prevent its harmful use.

Lohr’s article first describes a scenario in which a person is harmed because data from his or her online click stream is being collected. But even though this example is being used to illustrate the danger of data collection, it winds up confirming that true harm comes not from the collection, but the misuse of data. It might be harmful to an Internet user if predictions and inferences about his or her web travels make their way to a health insurer or potential employer. But the harm stems from data misuse, not its collection!

The online advertising industry collects click stream data now. It wants to use this data to improve the effectiveness and value of its online advertising. And the industry has already pledged to wall off online data from harmful use by  isolating it from eligibility decisions regarding employment, health care, credit and insurance.

It’s crucial to allow industries to continue to collect data so it can be used to benefit society. For instance, data driven innovation’s contributions in the educational sphere have been well-documented. Two recent reports by the Center for Technology Innovation at the Brookings Institution, called Educational Success Stories and Big Data for Education, show how data analytic techniques can help schools better understand students’ learning approaches and challenges. Instead of relying on static, uniform tests, “instructors can analyze what students know and what techniques are most effective for each pupil. By focusing on data analytics, teachers can study learning in far more nuanced ways.”

There are many uses of data that are beneficial to society, and public policy should not obstruct them by constructing arbitrary barriers to data collection. The best way to respect individual privacy in the age of big data is to protect people from harmful uses of data. Industries like online advertising are already moving in this direction by developing best practices and self-regulation. Blanket prohibitions on data collection will only do more harm than good.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy