FunnyMonkey


Bill Fitzgerald

Bill Fitzgerald

Remind, Privacy Certifications, Privacy Policies, and Distributing Access Codes Via Social Media

9 min read

Remind is a free service marketed to teachers that describes itself as a "safe way for teachers to text message students and stay in touch with parents."

In this post, we will take a look at their terms of service, how they use industry standards for promoting their privacy practices, and how parents sign up. In the process, we will examine some of the holes in existing practices, and how these holes become visible in this service.

Terms

Remind doesn't collect a lot of information, but what they do collect is very valuable: because Remind collects information where parents will be informed about their children, Remind can guarantee that they are getting contact info that people use.

From Remind's Privacy Policy:

When users download and use our mobile application, we automatically collect IP address, device ID, device type, user agent browser, what OS they are running, whether or not you signed up on the web, and phone number. If a user is under 13 and using our Student Application we do not collect the device ID or IP address, we will only collect the device type and OS they are running.

We collect geo-location information from teachers when they download and use our mobile application. The purpose for doing so is to provide teachers a generic phone number in their area code so that we are able to provide them with one in their area.

Information like IP address, operating system, and browser are all pretty standard items that get collected. It's worth noting that collecting geolocation data from teachers is not necessary to do what they describe, as they can infer location data from both IP address and phone number area code. Additionally, if a parent or student has the mobile app, collecting the phone number is an unneeded duplication to deliver the service.

Moving on, their privacy policies state that they do not respect Do Not Track.

Our Services do not support Do Not Track requests at this time, which means that we collect information about your online activity both while you are using the Services and after you leave our Services.

The fact that they do not respect an informed user decision (ie, a user enabling Do Not Track) says a lot about how they view their users. And, the fact that they track "online activity" while on their site, and off their site, is completely unnecessary for the service they deliver.

This begins to come into focus when we continue to read the rights they claim over user information, and how they work with their partners. Remind does not display ads, and makes the ubiquitous claim that they do not sell, share, or rent personal information - except with partners or affiliates.

We may, for example, provide services jointly with affiliated businesses, or work with third party websites to enhance your online experience, such as Twilio to send messages or letting you add “apps” to your account.

Remind is built on Twilio. A quick look at Twilio's Privacy Policy gives us this information:

Twilio does not collect Personally Identifiable Data about a consumer's online activities over time and across different Web sites when consumers use the Twilio Site or Services. However, Twilio does allow certain third party services to track its users on the Twilio Site and other third party sites over time. Such third party services are used to support more effective marketing and advertising programs. Twilio does not provide any Personally Identifiable Data to those parties. You can find more information about tracking and opting-out at http://www.youradchoices.com/

So, while it is not clear if the anonymized data being tracked via web beacons on Remind about user's internet behavior is being passed to Twilio, the privacy policy of Remind permits the passage of data, and the privacy policy of Twilio appears to allow data to be analyzed by advertisers. If this isn't what is happening, it would be great to see Remind explain why they need to track data of their users off the Remind service. Because Remind does not respect Do Not Track, they have more usage data to share.

There are other issues with the terms here, but the point of this post isn't to take a deep dive into Remind's or Twilio's terms. Remind's terms are bad, which means that they are in line with most of the terms of vendors in the edtech space, and especially those giving a free service who have received VC funding.

Based on this superficial review, Remind collects high value data from end users, they track their users both on and off the Remind site, they collect more data than they need to deliver their service, and their terms appear to permit passing data to partners where it can be used to refine advertising practices.

The Truste Certification

In their marketing materials, Remind highlights the safety of their service.

At the bottom of their privacy policy, they include a link to their Truste certification.

The Truste page defines how companies can get the Truste certification; I'm including the text here in full:

TRUSTe powers trust by ensuring businesses adhere to privacy best practices regarding the collection and use of personal information on their websites and apps. If you see the TRUSTe Certified Privacy Seal on a website or app, the company operating that property has met the comprehensive privacy certification requirements established by TRUSTe. The certification process helps ensure the business is transparent about what information they collect and how they use the information; the business provides you with control over what information they collect and how they use that information; and the business is accountable to the practices they outline in their privacy policy statement.

As we have seen from a very superficial look at Remind's privacy policies, Remind does not respect Do Not Track, and using the Remind service potentially exposes user data to another company (Twilio), with different policies, and they collect more data than is needed to deliver their service. If this is "transparent" or respecting user "control" and demonstrates "comprehensive privacy certification requirements" and "privacy best practices", I wonder what a company would need to do to not be eligible for the Truste certification.

We'll revisit this later in the post.

Remind Just Raised An Additional 40 Million!

On September 30th, Remind announced that they had raised an additional $40 million, bringing their total fundraising to $59 million.

As I mentioned earlier, Remind's policies are pretty standard for the tech industry in general, and edtech in particular. The fact that Remind's policies don't respect user choice didn't seem to have much of an impact on their funders.

Which begs the question: did Remind get VC funding because it improves teaching and learning, or did Remind get VC funding because some funders saw it as a good investment? When the context within which a company operates includes treating user information as an asset, the second option feels more likely.

Parent Sign Up Via Access Codes

When a teacher signs up for Remind, they are prompted to create a class. The entire purpose of Remind is for teachers to create a closed, safe space where they (teachers) can communicate openly with students and parents.

Remind marketing copy highlights the safety and privacy of their service. However, as shown in the video below, their signup process and recommended practice makes it impossible for teachers to guarantee the identity of the people signed up in their classes.

As noted in the video, when someone joins a class, they cannot see the full list of other members. Teachers have the ability to delete members from their class at any time. However, because teachers can't guarantee the identity of people in their class, the real potential exists for Remind classes to have lurkers who get included in full class messages. This runs the gamut from inconvenient to creepy to (in the case of a custody battle or stalking situation) potentially dangerous.

If the access codes used to join classes were tightly held, that would mitigate this risk, but Remind encourages people to share the codes via social media. This is shown in the video, starting at 4:30. In this specific case, the "privacy features" of Remind (where student and parent contact info is not shown to teachers) run headlong into Remind's recommended methods for distributing access codes. Given that Remind has a Teacher Advisory Board, I'm curious and surprised that this was missed. It seems difficult to reconcile claims of "100% safe and secure" with the limited ability of teachers to guarantee the identity of people in their class. I would love to see how a teacher with 4 classes of 30 kids apiece manages the identity of parent signups using only names.

Closing Thoughts

While this post focused specifically on Remind, the general practices described here are not uncommon. For example, just about every privacy policy makes the statement that user data won't be bought, sold, or shared, and then the policy goes on to define the conditions under which user data will be passed on through affiliate or partner arrangements.

In the specific case of Remind, several common elements come together: privacy policies and recommended practice that aren't effective, the Truste stamp of approval on these ineffective practices, and a VC funded reward of the entire system. When the privacy certification of an industry has more to do with "protecting brand" than defining privacy, we have a problem. It's patterns like this that lead to widespread, pervasive distrust of vendors in the education space. The disconnect between what vendors provide and what learners need is not helped by the well documented lack of diversity within the tech industry, and VC funded companies.

At the risk of being a Pollyanna, I don't think that any of this is done with bad intentions, but at a certain point the intentions cease to matter. It's possible to build useful edtech, respect users, and help people learn. Doing edtech right means that our privacy policies, terms of service, and funding mechanisms need to align. Current business models appear to set up a rigged game to benefit founders over learners; this approach is shortsighted and unnecessary (although very much in line with letting funders recoup their investment). We can build better edtech - complete with better policies - but it requires a different vision than what is currently in place.

, , ,

0 stars 3 comments

This shines a bright light on the evil that is Remind. Actively engaging in behaviors that makes their tool unsafe for student privacy is abhorrent. Thanks for sharing Bill

Elliott Quinn, Oct 10 2014 on funnymonkey.com

Excellent analysis as always.

Barmak Nassirian, Oct 12 2014 on funnymonkey.com

One positive note to highlight: at least with Remind, people signing up can't see a class list. The privacy issue boils down to the fact that teachers have no way to verify the identity of people who sign up for their class - and this is compounded by Remind's habit of telling teachers to share access codes via social media.

I suspect that if teachers using Remind asked parents in their class if they could randomly bring in a person from the internet to listen to teacher to student communication, most parents and kids (and teachers) would not be okay with that.

What Remind has set up is really a subscription service for a moderately functional blog, with public comments turned off. However, the difference between a blog and a what Remind sets up is the expectation of privacy. With a blog (or a class twitter feed, or a Facebook page) reasonable people don't expect privacy. Remind, however, promises a "safe" environment where "privacy" is protected. This promise shifts the expectations for both teachers and people receiving messages - the expectation of a closed space creates the potential for more open communication (and in an actual closed space, that would be great).

However, because Remind *isn't* a private space, they can never deliver fully on the safety that they promise.

Three immediate steps would mitigate this - although these steps do nothing to address the issues with their privacy policies overall:

a. provide teachers a way to verify identity;
b. Unless they do "a" they should dial back their promises around safety and privacy;
c. Remind should stop encouraging people to share access codes via social media.

There are other steps that should follow from this, but without these three as the foundation, additional followup is pretty moot.

bill, Oct 13 2014 on funnymonkey.com