Data Privacy & Security Service Digital Digest_Fall 2017

Data Privacy & Security Service

Issue 9

APPS TESTED FOR CHILDREN. HALF FAILED TO PROTECT THEIR DATA.

The Washington Post reported that a research group, Usable Security & Privacy, affiliated with the University of California, Berkeley Center for Long-Term Cybersecurity, tested more than 5,000 children’s apps from the Google Play store. Because these apps are available for parents, teachers, and schools to download, one might assume that children’s data would be safe. Never assume. More than 50% of Google Play apps targeted to children under 13, many of which were downloaded millions of times, appear to fail to protect personally identifiable data. The researchers found that the apps regularly send “potentially sensitive information—including device serial numbers, which are often paired with location data, email addresses, and other personally identifiable information—to third party advertisers. Over 90% of these cases involve apps transmitting identifiers that cannot be changed or deleted, like hardware serial numbers – thereby enabling long-term tracking” (Washington Post, ¶2). Additional reading: Researchers report >4000 apps that secretly record audio and steal logs.

Third-party app developers use advertising packages within their code. It is the developer’s responsibility to disable the types of tracking and data sharing that might cause conflicts with COPPA and other regulations. The “high rate of potential COPPA violations also reveals a systemic and troubling lack of oversight. While app developers are ultimately liable for such violations, it is clear that app stores like Google Play and Apple’s iTunes Store, as well as agencies like the Federal Trade Commission, need to play a greater role” (Washington Post, ¶7).

AppCensus was created by a collaboration of researchers with combined expertise in the fields of networking, privacy, security, and usability. This group has analyzed over 21K apps in an effort to identify use and misuse of personally identifiable information. The website contains a searchable database of mobile apps and provides known details on data privacy with regard to those apps. Of course, the best prevention of transmission of PII is to read the terms and conditions of the click agreement. However, most consumers do not read the agreements. Consumers can help protect their data by demanding more transparency from app developers and third-party advertisers. There is always the option to delete the app and to let the developer know why it was deleted.

POLICY INFORMATION

Policies and Other Information

Broward County Public Schools has a Privacy Information website. This webpage contains resources that may be of interest. Also, the County has Security Incident Handling Guidelines. Erie I BOCES has a Prevention, Response and Notification in the Event of a Breach policy available for review. The Privacy Technical Assistance Center offers a Data Breach Checklist. The checklist covers before, during and after a breach. It also contains useful links.

The Office of Information Technology Services offers draft policies on: Risk Assessment, Information Classification Resources, Remote Access, Acceptable Use Policies, and many more.

FERPA’s Collision With Social Media

“Do you have a FERPA problem?” This is the question Joel Buckman poses as he presents a social media situation that crosses the line and exposes personally identifiable information regarding a student. A teacher’s frustration and the ready access to social media can be a combination for disaster. Buckman reminds us of what is defined as an education record and who has rights to that record. He uncovers the sources of that information and states it could include staff email, student information systems, gradebooks, and extra-curricular participation records. Now expand that view and consider that education records can also be created with smartphone use or video recordings during a class. The article clarifies who can have access to a student’s education records and reminds us that posting to social media would more than likely be outside that scope. “As part of a district’s administrative policy to prohibit nonconsensual disclosure to third parties, school districts might consider adopting districtwide social media or FERPA policies that prohibit staff from posting any such information” (Frontline, February 2017).
