1
00:00:00,000 --> 00:00:12,760
Episode 14.

2
00:00:12,760 --> 00:00:17,000
In an earlier episode I made the rather obvious observations that schools are filled with

3
00:00:17,000 --> 00:00:18,000
children.

4
00:00:18,000 --> 00:00:22,880
Because so many of the IT users in schools are in fact children, which is a population

5
00:00:22,880 --> 00:00:28,280
deserving special protections, several wide ranging national laws in the United States

6
00:00:28,280 --> 00:00:33,760
provide guidance and direction to school and technology leaders when they design policies

7
00:00:33,760 --> 00:00:37,160
and procedures related to IT use.

8
00:00:37,160 --> 00:00:42,040
Anyone who seeks to work as an IT professional in a school must be aware not only of the

9
00:00:42,040 --> 00:00:47,400
requirements of these laws, but also the rationale behind them.

10
00:00:47,400 --> 00:00:50,640
Most IT professionals are familiar with the need to keep data secure.

11
00:00:50,640 --> 00:00:56,600
In some industries this is necessary for regulatory purposes, and in all industries it's necessary

12
00:00:56,600 --> 00:01:01,640
to protect proprietary information and to protect clients information.

13
00:01:01,640 --> 00:01:06,000
In schools the importance of privacy takes on special importance because of the age of

14
00:01:06,000 --> 00:01:11,000
the individuals about whom information is being kept and because of the nature of the

15
00:01:11,000 --> 00:01:13,040
information that is being kept.

16
00:01:13,040 --> 00:01:18,640
The Family Educational Rights and Privacy Act, or FERPA, is the law in the United States

17
00:01:18,640 --> 00:01:24,680
which is intended to safeguard sensitive information about children and other students.

18
00:01:24,680 --> 00:01:30,360
FERPA defines who is allowed to access information that is kept by the school and the conditions

19
00:01:30,360 --> 00:01:32,960
under which the information must be stored.

20
00:01:32,960 --> 00:01:37,040
The law does specify the rights of students and their parents if the students are under

21
00:01:37,040 --> 00:01:42,920
18 years of age, as well as the steps school officials are expected to take to protect

22
00:01:42,920 --> 00:01:44,920
students information.

23
00:01:44,920 --> 00:01:50,000
Those whose privacy or rights have been violated can file a complaint with the United States

24
00:01:50,000 --> 00:01:54,200
Department of Education and legal action is possible.

25
00:01:54,200 --> 00:01:59,160
To ensure they comply with FERPA requirements, most schools require all employees, including

26
00:01:59,160 --> 00:02:05,280
IT professionals, to attend training in which local expectations are described.

27
00:02:05,280 --> 00:02:11,440
They also protect the school by having employees acknowledge they have received training.

28
00:02:11,440 --> 00:02:15,760
While schools may interpret FERPA differently, there seems to be agreement, at least in the

29
00:02:15,760 --> 00:02:22,000
dozens of FERPA trainings I have attended, that FERPA protects a wide range of information

30
00:02:22,000 --> 00:02:26,120
including that which school employees learn accidentally.

31
00:02:26,120 --> 00:02:31,280
For example, if a school employee who sees a friend in the store says, hey, I saw Johnny

32
00:02:31,280 --> 00:02:36,720
get into fight at school today and he was suspended, that has been a violation of FERPA.

33
00:02:36,720 --> 00:02:41,480
They identified a student and they shared the information about the behavior and the

34
00:02:41,480 --> 00:02:47,000
consequences of it and the recipient of that information was not entitled to know it, nor

35
00:02:47,000 --> 00:02:51,840
were the many people who may have overheard it entitled to hear that information.

36
00:02:51,840 --> 00:02:57,320
IT professionals have an unusual level of access to classrooms and data.

37
00:02:57,320 --> 00:03:02,200
When they're sitting at a computer in a classroom, they are really a fly on the wall.

38
00:03:02,200 --> 00:03:06,120
Teachers and students largely proceed as if there is no one else there.

39
00:03:06,120 --> 00:03:11,640
They gain an unfiltered view of classroom actions, interactions, and some of what they

40
00:03:11,640 --> 00:03:14,400
observe is protected by FERPA.

41
00:03:14,400 --> 00:03:20,360
IT professionals have access to data systems as well that contain protected data.

42
00:03:20,360 --> 00:03:24,160
While the student information system should have protections to prevent a technician from

43
00:03:24,160 --> 00:03:29,480
accessing grades, a teacher may ask for help resolving a technology issue when they are

44
00:03:29,480 --> 00:03:34,720
logged on to the student information system and working on their grade book.

45
00:03:34,720 --> 00:03:40,280
What we observe as IT technicians when working on data systems or working in classrooms must

46
00:03:40,280 --> 00:03:41,960
be kept confidential.

47
00:03:41,960 --> 00:03:46,440
The teacher who shows their grade book to an IT technician while they are getting help

48
00:03:46,440 --> 00:03:48,720
is violating FERPA.

49
00:03:48,720 --> 00:03:54,000
The IT technician who does not share anything they learn when they see that information

50
00:03:54,000 --> 00:03:58,360
or does not treat the student differently has not violated FERPA.

51
00:03:58,360 --> 00:04:02,360
They have minimized the damage it's done when the original violation and they have

52
00:04:02,360 --> 00:04:08,400
not violated FERPA themselves which both protects the privacy of the students and minimizes

53
00:04:08,400 --> 00:04:11,480
the liability due to the original violation.

54
00:04:11,480 --> 00:04:13,240
There are exceptions of course.

55
00:04:13,240 --> 00:04:18,640
If you learn about a potentially unsafe or troubling situation then you do have an obligation

56
00:04:18,640 --> 00:04:23,080
to report that but of course you are going to report that to school personnel and not

57
00:04:23,080 --> 00:04:25,600
to just anybody on the street.

58
00:04:25,600 --> 00:04:29,600
Now the projectors are found in almost every classroom and those tend to be connected to

59
00:04:29,600 --> 00:04:32,160
the single device assigned to the teacher.

60
00:04:32,160 --> 00:04:37,120
It's not uncommon for the teacher's grade book to be displayed accidentally when a projector

61
00:04:37,120 --> 00:04:40,120
is turned on and when the grade book is open.

62
00:04:40,120 --> 00:04:44,640
While most teachers are aware of the potential and will close their grade books, sometimes

63
00:04:44,640 --> 00:04:46,080
they just forget.

64
00:04:46,080 --> 00:04:50,360
Many technicians have questions that they will ask before they turn on a projector and

65
00:04:50,360 --> 00:04:52,080
they try to make it a joke.

66
00:04:52,080 --> 00:04:55,720
One of my former colleagues would always ask, what's going to be on the screen when I turn

67
00:04:55,720 --> 00:04:56,720
this on?

68
00:04:56,720 --> 00:04:59,240
I'm not going to be giving away the winning lottery numbers am I?

69
00:04:59,240 --> 00:05:02,960
And then when that joke attires him he would switch it to something like, I'd hate to show

70
00:05:02,960 --> 00:05:05,760
anyone your secret cookie recipe.

71
00:05:05,760 --> 00:05:11,480
That habit prevented him from being the cause of sensitive data being exposed and it also

72
00:05:11,480 --> 00:05:17,840
served as a reminder that everyone should be aware of this potential situation.

73
00:05:17,840 --> 00:05:22,760
The Children's Internet Privacy Protection Act has been a law in the United States since

74
00:05:22,760 --> 00:05:24,360
1998.

75
00:05:24,360 --> 00:05:29,200
The intent of the law is to protect the privacy and the personal information of children.

76
00:05:29,200 --> 00:05:35,320
Thus it requires publishers of websites that collect user information to have parental consent

77
00:05:35,320 --> 00:05:38,800
for those under 13 years of age.

78
00:05:38,800 --> 00:05:44,360
This is a law that leads social media companies to restrict children from accessing their platforms.

79
00:05:44,360 --> 00:05:48,680
Of course it's very difficult to enforce age restrictions but the terms of service

80
00:05:48,680 --> 00:05:53,600
and the privacy statements of companies that maintain web platforms, especially those that

81
00:05:53,600 --> 00:05:59,880
facilitate interaction among users, do reflect the requirements of this law.

82
00:05:59,880 --> 00:06:05,520
Because of the Children's Online Privacy Act, most schools, especially those enrolling

83
00:06:05,520 --> 00:06:11,240
students younger than 13, have procedures for identifying the online platforms that can

84
00:06:11,240 --> 00:06:13,080
be used by teachers.

85
00:06:13,080 --> 00:06:18,480
A teacher may find they're not allowed to have students logging on to and using an interesting

86
00:06:18,480 --> 00:06:24,520
new tool until the terms of service have been reviewed by the school leaders and they conclude

87
00:06:24,520 --> 00:06:30,560
it's reasonable to allow access and the publishers of the site align with local policies and

88
00:06:30,560 --> 00:06:34,680
procedures related to data protection.

89
00:06:34,680 --> 00:06:39,160
In 2000, the United States federal government passed the Children's Internet Protection

90
00:06:39,160 --> 00:06:44,240
Act which is intended to protect children from indecent information on the internet.

91
00:06:44,240 --> 00:06:49,640
It's also intended to prevent personal information about students from becoming available online.

92
00:06:49,640 --> 00:06:55,920
Specifically, the Children's Internet Protection Act requires schools that receive e-rate funds

93
00:06:55,920 --> 00:07:02,040
to install and maintain filters that restrict access to inappropriate content and it requires

94
00:07:02,040 --> 00:07:07,120
steps be taken to protect youngsters when using email, chat, and similar tools.

95
00:07:07,120 --> 00:07:11,680
The Children's Internet Protection Act does allow the filter to be disabled when only

96
00:07:11,680 --> 00:07:16,640
adults will be using a network but that's rarely done in schools as children are hardly

97
00:07:16,640 --> 00:07:20,560
ever absent from the school when adults are there.

98
00:07:20,560 --> 00:07:24,600
School IT professionals can be expected to participate in the planning undertaken to

99
00:07:24,600 --> 00:07:28,760
ensure the school complies with the Children's Internet Protection Act.

100
00:07:28,760 --> 00:07:33,320
They will review policy and procedures to ensure internet filters are configured and

101
00:07:33,320 --> 00:07:34,920
operational.

102
00:07:34,920 --> 00:07:39,520
Email and chat is only available to the users for whom it's been permitted under local

103
00:07:39,520 --> 00:07:40,680
policy.

104
00:07:40,680 --> 00:07:45,320
They manage firewalls and otherwise protect children when they're using the school's

105
00:07:45,320 --> 00:07:46,920
IT systems.

106
00:07:46,920 --> 00:07:52,080
This planning takes on special importance when the systems are being updated or older devices

107
00:07:52,080 --> 00:07:53,600
are being replaced.

108
00:07:53,600 --> 00:07:58,640
Of course, IT professionals are also expected to monitor the systems to ensure they're

109
00:07:58,640 --> 00:08:04,360
using and to define steps that they will take when the systems fail.

110
00:08:04,360 --> 00:08:10,880
Another often overlooked aspect of IT in schools is students' exposure to advertisements.

111
00:08:10,880 --> 00:08:15,560
Many sources of online information used in schools including mainstream media and journalism

112
00:08:15,560 --> 00:08:21,600
sites, the sites of professional organizations and edited periodicals, and especially social

113
00:08:21,600 --> 00:08:25,720
media sites like YouTube are funded by advertisements.

114
00:08:25,720 --> 00:08:32,080
When students access the information on these sites, they're also being exposed to advertisements.

115
00:08:32,080 --> 00:08:37,880
Some educators and students, parents and others will object to this exposure for several reasons.

116
00:08:37,880 --> 00:08:42,920
First, it can be seen to be a commercialization of the students.

117
00:08:42,920 --> 00:08:47,480
Students are required to attend school and they have little choice over the lessons and

118
00:08:47,480 --> 00:08:49,600
the material that they use.

119
00:08:49,600 --> 00:08:55,320
By directing them to information sources that are advertisement rich, teachers may be seen

120
00:08:55,320 --> 00:08:57,200
as exploiting the students.

121
00:08:57,200 --> 00:09:01,760
Second, some products may be unsuitable for children, especially in schools.

122
00:09:01,760 --> 00:09:06,800
And even if the products aren't unsuitable, they may lead to distractions or they may

123
00:09:06,800 --> 00:09:10,360
otherwise contribute to difficult situations in classrooms.

124
00:09:10,360 --> 00:09:15,040
IT professionals may be asked to minimize students' access to advertisements when at

125
00:09:15,040 --> 00:09:16,040
school.

126
00:09:16,040 --> 00:09:21,520
This may include installing and configuring software or web browser extensions that block

127
00:09:21,520 --> 00:09:22,520
advertisements.

128
00:09:22,520 --> 00:09:28,160
In addition, IT professionals may be asked to support faculty as they embed media in

129
00:09:28,160 --> 00:09:34,520
virtual classrooms or otherwise minimize students' exposure to advertisements.

130
00:09:34,520 --> 00:09:39,280
Regardless of the nature of the organizations in which they work, all IT professionals

131
00:09:39,280 --> 00:09:43,160
are familiar with the importance of network and data security.

132
00:09:43,160 --> 00:09:48,440
This is a lesson that's taught in preparation programs in all organizations implement data

133
00:09:48,440 --> 00:09:50,000
security practices.

134
00:09:50,000 --> 00:09:56,080
IT professionals working in schools should also promote data security, but they must

135
00:09:56,080 --> 00:10:01,280
make sure that their actions align with the decision-making hierarchies in schools and

136
00:10:01,280 --> 00:10:06,840
the accepted policy and procedure, especially those related to younger users.

137
00:10:06,840 --> 00:10:12,000
Schools are places where IT professionals and others are very likely to find passwords

138
00:10:12,000 --> 00:10:15,040
taped on sticky notes attached to computers.

139
00:10:15,040 --> 00:10:19,120
This is becoming less common, but it's still more common than it should be.

140
00:10:19,120 --> 00:10:24,160
In some schools where I have worked, technicians and other IT professionals were encouraged

141
00:10:24,160 --> 00:10:28,920
to remove those sticky notes, but that was not only with the knowledge and the support

142
00:10:28,920 --> 00:10:31,120
of the school administrators.

143
00:10:31,120 --> 00:10:35,040
Another common practice is for teachers to keep a list of their students' usernames

144
00:10:35,040 --> 00:10:36,400
and passwords.

145
00:10:36,400 --> 00:10:42,040
Ostensibly, this is done to reduce troubleshooting when passwords are forgotten, but there are

146
00:10:42,040 --> 00:10:46,880
other strategies whereby passwords can be recovered without the potential of them being

147
00:10:46,880 --> 00:10:50,360
discovered and used for nefarious purposes.

148
00:10:50,360 --> 00:10:55,080
Let me explain a situation I dealt with when I managed IT in schools.

149
00:10:55,080 --> 00:11:00,760
The teachers at Springfield Middle School insisted their students provide their teachers

150
00:11:00,760 --> 00:11:03,420
with their passwords for the school network.

151
00:11:03,420 --> 00:11:09,000
One teacher kept this list taped inside the door of the cabinet next to their desk.

152
00:11:09,000 --> 00:11:13,880
One afternoon, the students noticed the teacher had left the door open and the passwords were

153
00:11:13,880 --> 00:11:15,240
in plain sight.

154
00:11:15,240 --> 00:11:19,680
They memorized some of them and logged on to other students' accounts.

155
00:11:19,680 --> 00:11:24,440
An IT technician noticed students behaving suspiciously near a computer after school

156
00:11:24,440 --> 00:11:25,920
and noted it.

157
00:11:25,920 --> 00:11:30,960
A little investigation found that those students had been logged on as another student and

158
00:11:30,960 --> 00:11:32,840
had sent some emails.

159
00:11:32,840 --> 00:11:38,280
It did not take much detective work to trace the origins of the email to the school's

160
00:11:38,280 --> 00:11:43,560
IP address and the student whose account had been used to send the email was on a trip

161
00:11:43,560 --> 00:11:45,160
with the sports team.

162
00:11:45,160 --> 00:11:50,000
The IT technicians reported the suspicious activity of the students who were questions

163
00:11:50,000 --> 00:11:53,600
and admitted that they had sent those messages.

164
00:11:53,600 --> 00:11:55,880
This is unquestionably a data breach.

165
00:11:55,880 --> 00:12:01,480
The question of the degree to which the teacher was responsible for it is interesting.

166
00:12:01,480 --> 00:12:05,720
It can be argued that the students were old enough to remember their own passwords so

167
00:12:05,720 --> 00:12:08,880
there was no reason for the teacher to have them.

168
00:12:08,880 --> 00:12:13,600
If the teacher did have reason to keep them, which seems dubious to me, then it can be

169
00:12:13,600 --> 00:12:17,480
argued that they were negligent for not keeping them more secure.