Give It Away Now: A Review of Digedu Terms of Service and Privacy Policies

UPDATE, 10 July 2014: Matt Tullman from digedu commented to announce that digedu has updated their terms. I have not read through the new terms yet, and will update this post when I do. END UPDATE

I've been reading terms of service for a while, and I've seen some bad ones, but the terms of Digedu are just about the worst I have ever seen. If you don't want to wade through the details, please skip straight to the conclusion.

With Digedu, the issue is compounded because they list two separate terms of service and privacy policies. The text of these policies is not the same, which is a separate problem. For this review, I focused on the terms of service listed at https://app.digedu.co/ - this is the login page linked from the home page of the Digedu site. The complete text of these terms of service is included as PDFs attached to this post for reference. The second set of terms is listed on their main site, at http://digedu.com/terms and http://digedu.com/privacy.

Looking first at the Privacy Policy:

They punt - entirely - on COPPA:

the school or district is solely responsible for complying with the Children’s Online Privacy Protection Act (COPPA) as concerns students’ use of the services. If you are below the age of 13, please do not send any personal information about yourself to us other than what we request from your school or what you enter through the app

In fairness, this is not abnormal, and districts should be central on COPPA compliance. But the Digedu request to students to not share information is hollow, and it is undercut to the point of absurdity by the statement that sharing personal information through the Digedu app is okay.

When it comes to personal contact information, Digedu requires a first name, last name, unique ID, and appears to also collect emails:

(W)e require a user’s first name, last name, course rosters, and an individual identification number, either designated to each student by his/her school or randomly generated by digedu. This allows the Learning Engine to populate classes with the correct students. We may also require users’ email addresses.

So, Digedu has solid contact information on each individual with an account in the site - this includes both teachers and students.

Moving on to encryption, they make the following curious statement:

We encrypt many of our services using SSL.

The qualifier "many" is odd here. Why not encrypt all their services? What services don't get encrypted? I suspect that this clause is in here because they reuse some content that they don't own and that is served from other sites that aren't encrypted. In any case, this is a curious admission. Given that they don't enforce COPPA and collect real contact info, the lack of end-to-end encryption is not good.

There are other unsavory aspects of their privacy policy, but in this review, I'm just skimming the detritus that rises to the top.

Moving on to the Terms of Service:

They collect a lot of information on everyone using the service. It's hard to see how this information is essential to running the services they provide. The information they collect seems like an unjustifiably egregious violation of privacy.

We may collect device-specific information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number).

You read that right: they collect phone numbers. Equally relevant: they collect the unique hardware ID of every device, as well as brand information.

When you use a digedu® equipped device, such as the Google Nexus 7, we may collect and process information about your actual location, like GPS signals sent by a mobile device. We may also use various technologies to determine location, such as sensor data from your device that may, for example, provide information on nearby Wi-Fi access points and cell towers.

You read that correctly. They collect location information. Given their stance on COPPA and their partial encryption, this is problematic. Using this data, devices with the Digedu mobile app installed can track the location of their user. With this information, Digedu can get pretty accurate home addresses, and a good sense of where a person goes, during and after school. This is creepy. This applies to all users - both students and teachers. Given that their stance on COPPA allows users under 13 to use their app, this data could potentially be collected on kindergarteners.

We may collect and store information (including personal information) locally on your device using mechanisms such as browser web storage (including HTML 5) and application data caches.

The way this is worded leaves this open to at least two interpretations. The first is that they store data related to Digedu use on your device. If this is the case, they should specify that this data is stored securely (for many reasons, but Apple's location debacle comes to mind). A second read of this - which is far worse - is that the Digedu app scans and stores data from selected other apps - like web browsers - to grab a copy of all sites you visit, searches, etc. If this is the case, this is a horrible overreach. It's difficult to make the case that harvesting this information is of any value to the end user. This feels like Digedu buttressing the size of their data store, in direct opposition to the interests of their users.

Moving on, it keeps getting worse: they can change the terms of service without notice, and you can accept the changes you don't know about just by logging in.

1. We can change this Statement if we provide you notice (by posting the change on digedu).
2. Your continued use of digedu® following changes to our terms constitutes your acceptance of our amended terms.

This is a common poison pill in terms of service, and Digedu's version of it is especially noxious.

Moving on, we come to how Digedu treats content created and shared by users. When you share content with Digedu, they own it, forever, even if you leave the site. This is especially troubling for student intellectual property (IP), which gets handed to the company forever. This is equally troubling for teacher IP - teachers can plan lessons using Digedu software, and the company now owns all of that teacher-generated work. This potentially could violate contract terms between districts and teachers.

When you upload or otherwise submit content to our Services, you give digedu® (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services. Make sure you have the necessary rights to grant us this license for any content that you submit to our Services.

Your personal information is Digedu's asset, and it goes with the company:

All of our rights and obligations under this Statement are freely assignable by us in connection with a merger, acquisition, or sale of assets, or by operation of law or otherwise.

Also, it sounds like Digedu can sell user information ("sale of assets") to anyone, at their discretion, with no notice to end users.

And if a point isn't covered in the terms of service? That means it belongs to Digedu.

We reserve all rights not expressly granted to you.

Conclusion

As it currently stands, digedu collects first name, last name, personal locations, and browsing history from all users in the site. They also collect emails and phone numbers from many of these users. They also collect intellectual property (lesson plans from teachers, work from students) from all users.

Digedu claims the right to use all of this information, and the right to change the terms governing how this information can be used without consulting any users. If the company is sold, user information is an asset in the sale.

To put this into more human terms, a student using Digedu for a year via their mobile app would have their location tracked every day of that year. Digedu would have a record of where that student went for the year, in school and outside school. Digedu would know that student's home address and their phone number. Digedu would have unlimited access and control over the student's work. If the student wanted to look at what Digedu has collected, they have no recourse. If the student wants to delete their information, they have no recourse. If Digedu gets sold or goes bankrupt, that student information is an asset to be transferred. And, according to the terms of service, data collected by Digedu can be sold.

And, at any point during that year, Digedu can change the terms to anything they want, with no notice to end users.

For teachers, it's worse. Teachers have their location and personal information tracked just like students, but if teachers do original work that they distribute via Digedu, that work is then controlled by Digedu, even if the teacher deletes it.

In short, not only are these terms of service and privacy policy incredibly invasive, they leave students and teachers no way of reclaiming or controlling their data or intellectual property. Under these terms, exposing students and teachers to this level of intrusion in the name of learning feels irresponsible and cruel.

Digedu could easily revise these terms and still run their service. One possible explanation for terms of service this bad is an organizational disconnect between their legal team and the education and engineering teams. If this is the case, I hope they address the terms of service and their security practices quickly, and take steps to protect and safeguard user information that has already been entrusted to them.
