Two Steps That Would Improve EdTech Security Practice Immediately
2 min read
Natasha Singer has a couple of very strong articles highlighting weak or nonexistent security practices within many education technology (or EdTech) companies.
It's hard to say if this is just a poorly kept secret or the elephant in the room, but it's good to see the lax practices of EdTech companies getting more mainstream attention. It's needed - it's been needed for a while - and Singer's articles are part of the solution.
As I'm writing this, people are talking in Congress about the need for improved legislation to protect student privacy. And they are right, and I'm glad to see this being discussed in Congress - not because I think Congress will actually do anything, or that even if they did anything they would come close to getting it right - because it's good to see growing mainstream awareness that data privacy in EdTech needs to be fixed.
But there are two steps that could be taken almost immediately that would address a large number of sloppy security practices within EdTech.
- Google and Apple both announce that they will no longer accept educational apps that don't encrypt data transfers. Existing apps will have a two month window to comply, or they will be removed from the store.
- Venture Capital firms require security audits as part of their funding criteria. At a minimum, these audits would require encryption for both web and api access, encrypted data storage, and encrypted data transmission within their infrastructure. VC funding would be contingent upon meeting a base level of security.
It's worth highlighting here that some of the EdTech companies that have been rocked with security issues in the last year have received millions or tens of millions of dollars in VC funding. To put it another way: despite the fact that these companies were being handed large sums of money, no one anywhere in the vetting or due-diligence process saw fit to prioritize student privacy.
But with that said, taking either of the steps outlined above would cause an immediate improvement in security practices. If industry took the lead on both of these steps, the improvements would be immediate and industry-wide.
Then, we could focus on policies, pedagogical goals of the technology, and the need for learner control in shaping their learning. But getting the underlying security right is a necessary first step.
