Student Privacy – 社区黑料 America's Education News Source Fri, 20 Mar 2026 15:44:08 +0000

Opinion: Student Data Has Changed. Privacy Rules Haven’t. It’s Time for That to Change

Mon, 23 Mar 2026 12:30:00 +0000

Parents deserve access to timely information that empowers them to make decisions that help their children succeed and confidence that their students’ data is secure. The (FERPA) was designed with both these goals in mind. Unfortunately, the law is now so outdated that it does not serve either purpose well.

With Congress engaged in broader debates about education, technology and data privacy, this is a moment when FERPA modernization is no longer an abstract policy discussion. Congress should update FERPA so it can do what its original authors intended: safeguard student privacy and serve families.

FERPA was enacted in 1974 — over 50 years ago — to codify with whom and under what circumstances schools could share students’ personally identifiable information. But since then, the ways in which student data is handled have seismically shifted.

Today, districts and schools store and share data digitally — not on paper stored in filing cabinets. Yet FERPA remains rooted in a paper-record era that predates real-time dashboards and digital tools. The law does not yet account for the rapidly evolving technology-driven practices that affect student privacy.

Parents are rightly wary of how their children’s data is collected, stored and used — especially as data breaches continue to make headlines. A FERPA that reflects America’s current digital landscape is long overdue.

Because FERPA has never been statutorily updated, states and school systems are left to navigate a murky and complicated legal landscape as they work to both protect students and share data in smart ways. This ambiguity can result in states, school districts or colleges and universities from responsible data-sharing practices out of fear of violating FERPA’s convoluted provisions.

All this ultimately denies families access to the very insights and information they need to advocate for their children. Heightened concern about student data privacy should be met with clearer rules designed to modernize security protections and build trust with families, not used as an excuse to prevent action or to cease sharing useful information with parents.

This is not what student data privacy should look like. And it’s certainly not what families deserve. The nation can — and must — do better.

A modernized FERPA must ensure that student information is safeguarded with the highest standards of security and ethical use, while empowering families with the information they need to make informed decisions. Parents are clear that they want access to this information: say they support requiring schools to provide access to transparent data on student achievement, discipline and enrollment for families and policymakers. And say easier access to information would help them feel more confident about their ability to help their child make decisions about life after high school. 

It’s time for Congress to modernize FERPA so it works for today’s families. That means setting strong, enforceable privacy standards to ensure student data is protected. It also means affirming families’ rights to access information that empowers them: data on academic progress, school quality and services available to help students thrive.

An updated FERPA should also unlock the potential of state data systems that securely connect longitudinal information across early childhood, K-12, postsecondary and workforce programs — systems that can enable parents, students, educators, policymakers and the public to understand what’s working for students and what’s not. Today, FERPA’s framework does not reflect how cross-agency data can be used to, for example, connect high school students with college scholarship programs or assess return on investment for a district’s tutoring programs.

Student privacy and parent empowerment are not competing goals. With the right legal framework, congressional leaders can achieve both. Parents shouldn’t have to choose between protecting their children’s information and knowing how to help them succeed.

Trump Administration Takes on School Emails as Parental Rights Issue

Tue, 26 Aug 2025 10:30:00 +0000

In April, the U.S. Department of Education an obscure 2013 privacy complaint — a dispute so old that the student at the heart of it has almost certainly graduated by now. The Wisconsin district involved in the dispute has had two superintendents since the complaint was first filed, and the current chief said the department’s finding came out of the blue.

While the matter focused on a student with disabilities, Trump officials appear to have homed in on it because it addressed a separate question central to the administration’s agenda: Do parents have a right to read staff emails about their children?


With the administration accusing districts of hiding students’ gender transitions from parents, experts say their answer is yes.

“I don’t think there’s any question that they’re going to say [emails] should be available to parents,” said Amelia Vance, president of the nonprofit Public Interest Privacy Center.

Education Secretary Linda McMahon signaled the department’s intention when she said districts have turned the “concept of privacy on its head to facilitate ideological indoctrination … without parental interference or even involvement.”

In a message to the Wisconsin district, a department official acknowledged the issue’s importance to parents, students and school officials and said that districts can expect “guidance or regulations in the foreseeable future.” Contacted Aug. 14, department spokeswoman Madison Biedermann had no updates on timing.

Enforcing the Family Educational Rights and Privacy Act, which gives parents the right to inspect and amend their children’s education records, is a central focus of the administration’s parental rights agenda. The law was enacted 50 years ago, long before the advent of digital records. In the past, courts have sided with districts that argued emails were not education records, while parents say they should be treated just like report cards or schoolwork. Districts are likely to push back on being required to disclose internal messages about students, Vance said. Not only might a search eat up staff time, but “people say stupid things in emails.”

‘Numerous’ requests

Biedermann, the department spokeswoman, would not say why officials revived the 12-year-old complaint.

But in the March letter reminding states of their responsibilities under FERPA, McMahon said “schools are routinely hiding information about the mental and physical health of their students from parents.”

In a sign of its commitment to reshaping FERPA, the department hired Lindsay Burke in June as its deputy chief of staff for policy and programs. The author of the education section of , a vision for Trump’s second term, she contends that FERPA should offer parents the right to sue districts they think have violated their rights. Filing a complaint is currently the only option under the law. She also argues that students shouldn’t be able to change their gender identity at school without a parent’s permission.

Like many districts faced with similar FERPA requests, Middleton Cross Plains, northwest of Madison, leaned on a that many experts feel is out of step with the digital age. It suggests that communications like email are not part of a student’s official record unless they are printed and physically placed there.

FERPA was originally intended to target records “stored in file folders and cabinets,” said Andrew Manna, an Indiana attorney who represents districts. “There is no software that I am aware of that can sort through the digital storage of emails, so it is a ‘hide and seek’ approach to trying to find the email specific to a student.”

Districts also say that combing through years of emails is too burdensome for staff and is likely to produce irrelevant communication. Vance suggested that argument might be outdated “at this moment in time with what AI is capable of.”

But while there might be more tech tools to conduct searches, there’s no guarantee AI is secure, said Stephanie Jones, an attorney with a firm representing districts in Illinois.

Searching emails “is both an art and a science,” she said. As an example, a district she represents once had a request for emails related to a student with the last name Fridge. “You wouldn’t believe how many employees try to sell their college kid’s dorm room fridge through district email.”

In the Wisconsin case, Frank Miller, acting director of the Education Department’s privacy office, determined that the district was simply following long-standing legal precedents on FERPA when it declined to provide a parent with staff emails about her child.

Superintendent Dana Monogue wasn’t in charge when the parent filed the complaint, but said she was pleased with the outcome.

“Like all districts, we receive numerous student record requests each year and this letter will provide useful guidance regarding our obligations,” Monogue said.

But while he gave the district a pass, Miller had more to say. 

He referenced a second court ruling, from 2009, that often guides the way districts handle requests for emails. In , a federal district court in California said an email about a student is only part of the official record if the district “maintains” it in a central location.

Emails “have a fleeting nature” and “may be sent, received, read and deleted within moments,” the judge said in that case.

The department, Miller said, rejects the Tulare interpretation, even though it’s been widely adopted by districts. Middleton Cross Plains officials told the parent that it used Infinite Campus, a “third-party, cloud-based” system to store emails, and said that emails that are “simply still on a server” are not education records.

A recent is another sign that the legal landscape could be shifting. The state Supreme Court ruled that emails stored in an online platform are still subject to FERPA.

‘Defies reality’

Jim Wheaton, an associate professor at William and Mary Law School, has little tolerance for districts that turn down parents’ requests for emails.

“Essentially, a school [or] district can simply decide not to physically put something in a file, and important, relevant discussions about a child suddenly fall outside FERPA,” said Wheaton, who runs a law clinic for students who intend to work as special education advocates. “The idea that files continue to be physical paper defies reality.”

As an alternative, some parents file public records requests to obtain emails, but districts often charge hefty fees to cover the staff time involved, and may heavily redact the documents before releasing them. Wheaton said public records laws are not an adequate FERPA substitute.

“I once received a letter asking me to prepay a quarter million dollars before they would do the search,” he said.

In 2024, Tamara Quick, a Virginia mother of five, asked the Spotsylvania school district for emails regarding her ninth-grader. Because of her dyslexia, Brennan attends a private school at the district’s expense.

When Quick learned teachers weren’t following her daughter’s special education plan, she hoped some email exchange between the district and the school might reveal why Brennan wasn’t being challenged in reading and spelling.

“Any information you have about my kids, I have a right to see,” she said.

The Quick family has spent thousands to obtain emails from their Virginia school district about special education services for their daughter. (Courtesy of Tamara Quick)

Instead, the district said it had not “maintained” any communications with the girl’s teachers and, therefore, had “no education records responsive” to her request. Quick ultimately took the district to court, saying she couldn’t get the emails through the Virginia Freedom of Information Act either.

In court records, the district said she never filed a formal request. An attorney for the district said officials “make every effort” to produce the records parents want, but “do not have time for games.”

The district eventually offered to look for emails for Quick and give her a cost estimate. But she didn’t think she should have to pay. Under the Individuals with Disabilities Act, parents have a their children’s records before a meeting to discuss special education services.

She’s paying anyway. To this date, she’s spent over $30,000 on her case, withdrawing funds from a retirement account.

“Obviously it would have been cheaper for me to say, ‘OK, I’ll pay $2,000 for you to search for these emails,’ but that would be me agreeing that was appropriate,” she said.

‘Very negative things’

Parents may have multiple reasons for requesting staff emails, but McMahon’s March letter about privacy focused primarily on gender issues. Schools, she said, “promote and enable the transitioning of minor children, regardless of their mental state or their vulnerabilities.”

That’s what worried Amber Lavinge, a Maine parent, when she sought emails between staff members in the Great Salt Bay Community School district. It was late 2022 and she had just learned that a school social worker had given her 13-year-old daughter a chest binder to support a gender transition. But the district didn’t provide what she was looking for, said Adam Shelton, an attorney with the libertarian Goldwater Institute, which is handling her against the district.

“She had a lot of questions and was just trying to understand what was going on,” he said. While the case, pending before the U.S. Court of Appeals for the First Circuit, doesn’t focus on emails or student records, he said he has a hard time understanding how any form of communication pertaining to a student wouldn’t constitute an education record. “Schools exist for the sole purpose of educating children.”

Narrowing down which emails to release might be tricky, but Matt Cohen, a civil rights attorney in Chicago, said there are other reasons why districts avoid it.

“Sometimes teachers or administrators say very negative things about a child or the parents in the email that they’re not saying publicly,” he said. “It helps to establish that there is actual animus or discrimination going on.”

Jones, the other Illinois attorney, agrees that there can be a “reputational cost” for districts if they have to release embarrassing emails. That’s why she advises district staff to avoid “watercooler conversations” in emails — something many more are likely to take seriously if they know parents might read what they write, Jones said.

“It has to pass the grandma test,” she said. “If you don’t want your grandma reading it, then don’t put it in an email.”

Ed Tech Co. That Provides Telehealth to L.A. Students Experiences Data Breach

Thu, 14 Aug 2025 18:33:38 +0000

Updated Aug. 16

An education technology company that built an app for Los Angeles students to receive telehealth services during the school day has fallen victim to a data breach that puts students’ sensitive information in jeopardy, a disclosure to state regulators reveals.

The company, Kokomo Solutions, also hosts an anonymous tip line where Los Angeles community members can , safety threats and mental health crises to the school district’s police department. In filed with the California attorney general’s office, the company disclosed that an unspecified number of individuals’ personal information was compromised after an “unauthorized third party” accessed its computer network and the exposed files pertained to the Los Angeles Unified School District.


The company, also known as Kokomo24/7, says it discovered the unauthorized access on Dec. 11, 2024, nearly eight months before it disclosed what happened to victims. The district has not issued any public statements alerting students and families that their sensitive information may have been compromised. 

Kokomo24/7, which has apparently scrubbed its website over the last few days of references to its work with the nation’s second-largest district, did not respond to requests for comment.

A Los Angeles Unified spokesperson said the company notified the school system on Dec. 12, 2024, “that an unauthorized user gained access to certain files containing personal information, stored on behalf of the District.” The spokesperson said the breach was not connected to LAUSD’s telehealth program or its student patients, but did not say whose information was exposed. They said it was Kokomo’s responsibility to handle disclosure to all affected parties and that, as far as L.A. school officials know, “there has been no evidence of personal information being shared as a result of the breach.”

While many details about the breach remain unknown, including the specific types of information that were compromised and whether it was the result of a cyberattack, the incident raises red flags because “there’s no question that [Kokomo is] managing exceptionally sensitive information” about campus safety issues and students’ medical information, school cybersecurity expert Doug Levin said.

“This is another example of schools outsourcing the collection and management of exceptionally sensitive data on school communities which, if abused, could affect the health and safety of the school community,” said Levin, the co-founder and national director of the K12 Security Information eXchange. “We definitely would benefit from knowing more about how they were compromised and how they’re going to fix it.”

District officials have touted the telehealth service to parents since the data breach was disclosed. In an Aug. 8 live video session over Facebook, a district student and community engagement specialist gave that laid out L.A.’s back-to-school offerings.

Parent advocate Evelyn Aleman, who facilitated the event, said she was pleased to learn about the telehealth service during the presentation. Parents grew accustomed to telehealth during the pandemic and the virtual service could benefit families who have been advocating for better health services in schools, she said. But she hadn’t heard about the data breach before being contacted by 社区黑料.

“I have a lot of questions: Was the person who was presenting to the group aware that [the breach] had happened?” asked Aleman, who founded the group Our Voice to advocate for low-income and Spanish-speaking L.A. families. “And how deep was the breach? Obviously that would be of concern to the parents.”

, the Los Angeles Schools Anonymous Reporting app allows students, parents and others in the community to report “suspicious activity, mental health incidents, drug consumption, drug trafficking, vandalism and safety issues” to the district’s .

That same year, L.A. schools — along with the Children’s Hospital Los Angeles and Hazel Health — to launch new . The $800,000 program, funded by , is designed to provide app-based mental and physical health care to students, including at school. Hazel Health provides virtual mental health services, according to the district’s website, while Kokomo24/7’s services focus on physical health issues, including minor injuries, allergies and headaches.

In , the district describes its Kokomo24/7-managed telehealth program as an option for students “to access healthcare when not feeling well during school hours” with the supervision of a school nurse “while remaining in school and focusing on learning.”

Kokomo founder and CEO Daniel Lee lauding the company’s ability to “transform” L.A. Unified’s COVID-tracking and health data system in a year after the school system’s previous tool became “clunky, difficult to customize and expensive to maintain.” The post notes the company’s role in creating the anonymous reporting application and the district’s Incident System Tracking Accountability Report, an internal tool to document injuries, medical emergencies and campus threats.

The Kokomo24/7 breach is the latest in a series of data privacy incidents affecting L.A. schools, including a high-profile ransomware attack in 2022 that led to the exposure of thousands of students’ mental health records. Schools Superintendent Alberto Carvalho at first categorically denied that students’ psychological evaluations had been exposed but then had to acknowledge that they were after 社区黑料’s investigation revealed the records’ existence on the dark web.

Los Angeles Unified Supt. Alberto Carvalho, during the official launch of the AI-powered chatbot, “Ed.” (Getty Images)

Meanwhile, the district’s rollout last year of a highly touted AI chatbot named “Ed” was derailed after AllHere, the ed tech company hired to develop the $6 million project, shuttered abruptly and filed for Chapter 7 bankruptcy. The company’s founder and CEO, Joanna Smith-Griffin, was then indicted on charges she defrauded investors of some $10 million. A company whistleblower told 社区黑料 AllHere’s student data security practices violated both industry standards and the district’s own policies.

The L.A. district for the chatbot bid — including Kokomo24/7 — before awarding the contract to AllHere. Both the bankruptcy and criminal cases are pending. In July, a school district spokesperson told 社区黑料 that Ed “remains on hold.”

The Kokomo24/7 website lists a wide suite of products, primarily in physical security including building access control systems, emergency alarms and visitor management tools. It also names large companies among its customers, including The Oscars — the company was the “health and safety software provider” — United Airlines’ subsidiary United Express and Fifth Third Bank.

But the Illinois-based company has a relatively small footprint in the education sector, according to records in the GovSpend government procurement database. Among the handful of its school district clients is the Hartford, Connecticut, school system where educators spent more than $60,000 between 2020 and 2023 for licenses to to screen students’ temperatures, track infections and conduct contact tracing. Glendale Unified, a neighboring district to Los Angeles, is also listed as a client on the company’s website.

Kokomo24/7’s connections to the L.A. district were widely featured on the company’s website until this week. In fact, listed four foundational events, including the 2023 launch of the “anonymous reporting app for students and an emergency alert system for staff” for the L.A. district.

A quote attributed to Superintendent Alberto Carvalho appeared on the Kokomo Solutions website until this week. Multiple references to the company’s work for the district were removed from its website after it disclosed the data breach. (Screenshot)

The reference to the school district was removed from the company timeline this week, as was a banner attributing a quote to Carvalho, a picture of district police officers and the district police department’s logo. Press releases announcing Kokomo’s work with the L.A. district appear to have also been scrubbed from the internet.

The since-removed Carvalho quote called “critically important.” Though slightly misstated, the remark comes from a March 2023 school board meeting where Carvalho boasted of people’s ability to “relay in an anonymous way — or not — potential threats” to a student or a school.

The Los Angeles Schools Anonymous Reporting app hasn’t been universally praised, and last year filed by anti-surveillance activists who alleged the tool created “a culture of mass suspicion” and bolstered police interactions between students of color and those with disabilities.

The Stop LAPD Spying Coalition, which filed the lawsuit seeking records about the app, students, parents and community members “to surveil each other” on behalf of school police and to file reports that don’t require evidence. It also questioned why the community was being encouraged to file reports on people in mental health crises as part of a broader effort to investigate “suspicious activity.”

“The app criminalizes mental health, perpetuating the idea that if someone has a mental illness they are inherently a threat to others,” the activist .

School Districts Unaware BoardDocs Software Published Their Private Files

Thu, 12 Jun 2025 18:30:00 +0000

BoardDocs, a software tool used by thousands of school boards to track meeting minutes and store confidential information, has suffered a data breach affecting districts nationally, 社区黑料 has learned. Records at the center of the breach include confidential files protected by attorney-client privilege and other sensitive data that school leaders intended to keep under wraps.

BoardDocs parent company Diligent Corporation acknowledged Tuesday the breach was national in scope only after reporting by 社区黑料 confirmed its customers across the country were affected. The BoardDocs software, which allows school boards to disseminate agendas and other public documents to their communities while keeping other records private, is used by some 5,000 public sector entities in the U.S. and Canada, primarily public schools. 

The company declined to disclose the number of school districts that were affected after a glitch in its product erroneously published sensitive records to the web, but said only about 1% of documents stored on BoardDocs — or roughly 64,000 files — were exposed.

Company spokesperson Michele Steinmetz told 社区黑料 Diligent began notifying all BoardDocs customers — including those who were not directly affected — on May 30, the same day into a BoardDocs breach affecting the Lower Merion school district. That instance appears to have been uncovered when plaintiffs in a legal case against the district came across privileged files while searching for public ones.

Multiple additional school districts that contract with BoardDocs, however, said they were unaware of the incident until they were contacted this week by 社区黑料 and, in several instances, received confirmation of the breach from Diligent only after they reached out to the company directly to inquire about whether their own confidential records had been compromised. 

In an interview with 社区黑料, one customer called the glitch “an improper misconfiguration of the vendor’s products.” An option to store records in “a private folder” within the district’s broader public library “could be misleading and people could think, and rightfully so, ‘Anything I put in there is not publicly available,’ when, in fact, it could be accessed by an unauthenticated user.”

The official, who spoke on the condition of anonymity because they weren’t authorized to discuss the BoardDocs situation or draw attention to their district’s cybersecurity practices, said their school system was not “notified proactively” about the fallibility that came to light in Lower Merion.

“It was something that should not have been in place,” the official said. “The vendor should have been more clear and thoughtful and communicative around that configuration and the implications of it.”

Nithya Das, Diligent’s chief legal and chief administrative officer, acknowledged the problem to 社区黑料, saying, “Documents that were supposed to be set to private access were made accessible.” She declined to elaborate on the misconfiguration but said the company took “immediate action to resolve the issue” once it was discovered.

She stressed that the confidential records had been made available on the BoardDocs platform only “for a matter of a few months” and existed only on that platform, meaning that someone could not have “gone onto [their] web browser and pulled up Google or Yahoo or something like that” to find them.

“I don’t mean to downplay the situation, but I do think it’s important to just keep in mind that it was extremely limited in terms of scope, impact and duration,” Das said. “In order for these documents that were meant to be private to be publicly accessible, you would actually have to go into the BoardDocs application and do a fairly specific search.”

‘How am I reading this?’

It’s likely that some of the documents that may have been exposed would be those dealt with during school boards’ executive sessions, where to discuss sensitive or privileged subjects. These include personnel matters and employee disciplinary issues; litigation involving plaintiffs, often parents, alleging wrongdoing; union contract negotiations and pending real estate transactions.

Internal records from executive sessions were made publicly accessible in the Lower Merion breach, according to the school district’s lawyer. A parent who came upon a trove of confidential memos told the Inquirer the discovery felt “weird;” “I was like, ‘Wait, how am I reading this?’”

Denise Marshall, chief executive officer of the nonprofit Council of Parent Attorneys and Advocates, which works to protect the legal and civil rights of students with disabilities and their families, said the breach was “a great concern” because school boards regularly discuss sensitive issues concerning these children. It’s unclear whether BoardDoc files related to special education services were compromised.

“We know of instances where families have been retaliated against because of information that’s been shared and made public through one means or another from board meetings,” she said. “It’s important that the school boards, and, of course, BoardDocs, take every effort to ensure that privacy is safeguarded.”

The vulnerability at BoardDocs is the latest example of how school districts’ reliance on third-party technology vendors for critical systems can introduce weaknesses and put sensitive information about students, parents and educators at risk. Last week, 19-year-old Matthew Lane for his role in a recent cyberattack on education technology behemoth PowerSchool, which led to a data breach exposing the personal information of millions of students, parents and teachers globally. The PowerSchool cyberattack and subsequent data breach has prompted dozens of lawsuits filed by parents, students and school districts.

The National School Boards Association, which represents more than , didn’t respond to requests for comment from 社区黑料. On , the trade group gave a “special shout out to BoardDocs” for their “generous support” of the nonprofit’s 85th anniversary celebration.

BoardDocs doesn’t list its fees on its website. The New York State School Boards Association that the tool is available “for as little as $3,000 per year and a one-time $1,000 start-up fee.”

School cybersecurity expert Doug Levin, co-founder and national director of the nonprofit K12 Security Information eXchange, said the BoardDocs incident is a cautionary tale for both school districts and their vendors. 

“Any reasonable person if, upon selecting a setting to private, would presume that it would not be searchable,” Levin said. “I certainly don’t fault anyone for taking a private setting at face value.”

Not trying ‘to hide the issue here’

After a large urban school district quizzed the company about the news out of Lower Merion, Diligent acknowledged in a notice obtained by 社区黑料 that the district’s private records “could have been returned as part of a public search result if specific search terms were used.”

“Our investigation determined that your organization’s BoardDocs site had documents” in the accessible private folder, MarKeith Allen, Diligent’s chief customer officer, wrote in an email to the district earlier this month.

The record was provided to 社区黑料 on the condition that the district not be named. 

In addition to a general notification to all its customers, Das, Diligent’s chief legal and chief administrative officer, said that for “customers we believed could have been impacted,” the company “sent them a different communication, obviously letting them know of that situation.” Das declined to provide copies of those communications to 社区黑料 and said the company is not required to notify impacted individuals under any state-level breach notification laws.

“We did also have a process of doing some direct outreach to impacted clients like picking up the telephone and calling them, and so I guess I am surprised to hear that there might be clients who weren’t aware of the situation until you reached out,” said Das, who noted the company does not plan to release a public statement about the breach. “The goal was not to try to hide the issue here.”

Amy Buckman, the Lower Merion school district spokesperson, said in a statement that Diligent “admitted there had been an error by their company in protecting confidential documents stored on their site and said immediate corrective action would be taken.” Still, Buckman said the district put Diligent on notice that it “would hold BoardDocs responsible for any damages resulting from the breach.”

This isn’t Diligent’s first time responding to a data breach involving sensitive information. In 2022, the company suffered a cyberattack and subsequent breach involving a tool unrelated to its work with schools, with affected customers . That incident prompted at least three federal class action lawsuits, which led to court settlements.

Officials with school districts across the country that contract with BoardDocs, including in Scottsdale, Arizona, and at the Illinois State Board of Education, told 社区黑料 they hadn’t received notices about the incident.


“At this point in time we have no information on this topic,” Barth Paine, the spokesperson for California’s Fremont Unified School District, wrote to 社区黑料. “Please email us back if you have more details about our specific District. We are now investigating this issue.”

Wisconsin District Sues Ed Tech Giant PowerSchool After Massive Data Breach
/article/wisconsin-district-sues-ed-tech-giant-powerschool-after-massive-data-breach/
Tue, 11 Mar 2025 22:30:24 +0000

The St. Croix Falls, Wisconsin, school district against education software behemoth PowerSchool Tuesday, kicking into motion a national campaign to hold the company accountable for what cybersecurity experts predict is among the largest student data breaches in history.

The lawsuit is one in a barrage of legal challenges that have emerged since the company announced in early 2025 it was the target of a December cyberattack that, , led to a global breach of some 62.4 million students’ and 9.5 million educators’ personal information. Though the company hasn’t acknowledged how many people were affected, exposed sensitive files Social Security numbers, special education records and detailed medical information.




The St. Croix Falls breach of contract, unjust enrichment and false advertising, which sets it apart from other class action lawsuits charging negligence against the education technology company whose cloud-based student information system dominates the K-12 market.

“At the end of the day, we believe that there were fraudulent misrepresentations made to the clients to induce them to go and be in these contracts with PowerSchool,” attorney William Shinoff, whose firm represents the St. Croix Falls district, told 社区黑料 in an interview.

PowerSchool spokesperson Beth Keebler said in a statement the company “acted swiftly and effectively to protect our customers in compliance with the law.”

“PowerSchool believes the claims are without merit and will defend itself,” Keebler said. “However, our focus as a business continues to be our customers, ensuring they have the information and support they need while informing them of the steps we have taken to set a higher standard in cybersecurity for the entire industry.”

Students and parents nationwide have filed more than 30 federal class action lawsuits against PowerSchool in connection to the December breach. The lawsuits, which could soon be consolidated, collectively allege PowerSchool was negligent when it failed to protect sensitive data and opened victims to potential identity theft. 

But because these center on the data breach’s potential for future harms, legal experts said, the cases could be dismissed almost as quickly as they were filed. The lawsuit filed by St. Croix Falls schools, meanwhile, alleges PowerSchool broke contractual obligations to keep data secure — and failed to provide schools the services they were promised.

“A cornerstone of the commercial relationship between” the school district and the company was educators’ “reliance on PowerSchool’s representation that it would adequately protect” students’ and educators’ sensitive information, according to the complaint filed in federal district court in Sacramento. Instead, PowerSchool “has done little to help” the school district and people whose information was compromised.

Courts nationwide could soon be flooded with similar complaints. Shinoff said his firm, the Frantz Law Group, plans to “file thousands” of them on behalf of school districts across the country. The precise number of districts affected by the breach is unknown.

“What I can tell you is we’ve already spoken to hundreds of districts,” Shinoff said. “Our hope is that they will all get involved in this to ensure that PowerSchool is held accountable, that they can ensure that this information moving forward is indeed protected, and to make sure they’re reimbursed these public dollars that were spent for their programs.”

Shinoff represents large groups of school districts in several recent high-profile lawsuits, including against Facebook’s and Instagram’s and the . The lawsuits alleging that the social media giant Meta exacerbated the youth mental health crisis involve nearly 1,000 districts, according to the firm.

PowerSchool has the hacker used a compromised password belonging to “an authorized support engineer” to breach PowerSource, its customer support portal for school staff seeking help with its software tools. The PowerSource portal reportedly lacked multi-factor authentication, according to and other records obtained by NBC News.

The full audit, , found its systems were breached in August — months earlier than previously disclosed — but couldn’t say for certain it was by the same threat actors.

The company “failed to implement the bare minimum security measures that are commonly utilized by similarly situated companies,” the complaint alleges. “Something as simple as providing for a multi-factor authentication log-in method would have been easily accomplished and would have prevented the Data Breach altogether.”

The that the Wisconsin district is accusing PowerSchool of breaching requires that the company employ multi-factor authentication and data encryption, standard industry security measures. Its reported failure to do so also made PowerSchool one of only a handful of companies to be removed from the Student Privacy Pledge, a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children. The company was Feb 13.

In an earlier statement to 社区黑料, Keebler, the PowerSchool spokesperson, said the company “has and will continue to implement [multi-factor authentication] across all internal systems as part of its robust and ongoing security protocols.”

“PowerSchool is accessed by tens of thousands of customers, posing challenges to MFA management,” the statement continued. “However, following the incident, PowerSchool has implemented additional hardening efforts, including MFA for any PowerSchool employee and contractor access to customer data on PowerSource.”

‘Devil and the deep blue sea’

Despite PowerSchool’s promise to bolster security measures, its customer districts have lost confidence in the company, attorney Mark Williams, who is assisting school districts in filing suits against the company, told 社区黑料.

But because its student information system plays such a significant role in day-to-day operations — and contains so much information about students — he said that switching to a competitor could become a logistical nightmare.

“Many school districts are between the devil and the deep blue sea,” Williams said. “Many of them don’t have confidence in PowerSchool to secure their data but they are very hesitant to change the vendor of their [student information system] because it is extraordinarily expensive and burdensome to do so.”

While the company may not be a household name — save for a flood of recent press following the breach — its student information system is one of the largest ed tech services in the U.S. with teachers nationwide using it every day to track grades, attendance and other performance metrics.

The company claims its software is used to support the learning for 60 million students globally at more than 18,000 institutions, including 90 of America’s 100 largest school districts.

PowerSchool was by the Boston-based private equity firm Bain Capital for $5.6 billion. The company, which also owns the college- and career-readiness platform , has acquired , such as Schoology and SchoolMessenger, in recent years, furthering its reach into the nation’s K-12 classrooms.

Williams is the author of the central to the Wisconsin district’s claims against PowerSchool. Created by the , a collaborative effort between school districts and technology vendors to keep students’ information secure, the agreement is used by school districts in more than half of states to ensure the tech companies they contract with — — follow stringent security practices.

Among its provisions is a requirement for companies to notify school district customers within 72 hours of learning data was accessed or obtained by an unauthorized third-party like a hacker. 

PowerSchool was reportedly unaware it had fallen victim to the December attack until the hacker came forward with a ransom demand, according to NBC’s reporting. The company then paid the hacker an undisclosed sum to prevent the stolen records from being shared publicly, the outlet reported, and was given a video by the threat actor apparently deleting the stolen files in their possession.

Through the agreements, PowerSchool also vowed to “abide by and maintain adequate data security measures, consistent with industry standards” for the storage of sensitive records.

Williams accused the company of breaching those requirements — laying the groundwork for a first-of-its-kind legal battle for the data privacy consortium.

“We just felt that at some point you have to police the process, at some point you have to draw a red line,” Williams told 社区黑料. “We’ve got to protect the contract because it protects schools and it protects kids. So that’s not negotiable for us.”

Given the difficulty school districts face in migrating to different student information services, St. Croix Falls seeks a commitment from PowerSchool — and court-ordered accountability — to ensure the company follows stringent cybersecurity standards in the future, said Shinoff, its attorney.

“At this point their word, to us, can’t be trusted,” Shinoff said. “For them to have someone that they’re reporting to for a period of time is something that’s essential — especially when we’re dealing with thousands and thousands of districts across the country.”

Data practices under a microscope

Prior to the data breach, PowerSchool positioned itself as a national leader in K-12 education data security — and its CEO appeared at a White House event in 2023 to boast of its efforts to keep students’ personal information out of the hands of malicious actors.

As an early adopter of a to design products with security at the forefront, CEO Hardeep Gulati spoke alongside then-First Lady Jill Biden at the first-ever White House summit on K-12 school cybersecurity, where PowerSchool and other technology companies highlighted the need to strengthen digital safeguards at schools nationwide. 

Watch: PowerSchool CEO Hardeep Gulati speaks at the first-ever White House summit on K-12 cybersecurity in 2023.

During the event, the company free webinars, training videos and other resources to help schools better secure their systems. 

In the year prior to the summit, Gulati said, the company successfully fended off 1 billion cyberattacks on its servers while ensuring schools were kept safe through a “relentless investment and focus on every element of security.”

Now, the company has found itself under scrutiny by the tech industry, lawmakers and other elected officials. In North Carolina, state Attorney General Jeff Jackson into the PowerSchool breach, which exposed the sensitive information of nearly 4 million people in his state, “to determine if they broke any laws.”

The company is also facing bipartisan federal questioning. In , senators from New Hampshire, Indiana and Oklahoma blasted PowerSchool for maintaining inadequate cybersecurity measures and accused it of offering delayed notifications and insufficient information to affected individuals. 

“School district leaders who we have spoken with raised serious concerns about delays in your company’s response to the cybersecurity incident, including delayed notifications to impacted schools,” wrote Sens. Maggie Hassan, Jim Banks and James Lankford. Sufficient use of basic cybersecurity safeguards like multi-factor authentication, they wrote, could have prevented the breach.

PowerSchool says it will provide two years of identity protection services to students and educators affected by the breach and credit monitoring services to “adult students and educators.” Keebler, the PowerSchool spokesperson, said in the statement the company has seen “no evidence of fraud or further misuse of the information involved to date.”

But the senators wrote that PowerSchool “has not clearly communicated a date by which impacted individuals will receive” the services.

“Your delayed and unclear communication is unacceptable,” the letter continued, “especially given the sensitive nature of the personal data that was stolen.”

Information PowerSchool takes is ‘virtually unlimited’

Even before the breach, PowerSchool has faced criticism for its data collection, use and security practices. In the last five years, it has been named as a defendant in numerous federal lawsuits related to its data collection and use practices, a review of federal court records shows.

They include complaints accusing the company of subjecting people to persistent and unsolicited robocalls and of failing to properly identify children experiencing homelessness.

One brought by a Seattle mother and former middle school teacher accuses the company of selling student data collected through Naviance and other services to more than 100 third-party “partners” with inadequate consent from students or their parents. That lawsuit, filed in May 2024 in San Francisco, also alleges the company has leveraged the data it collects on students to train an AI chatbot.

Emily Cherkin

“The information PowerSchool takes from students is virtually unlimited,” the complaint alleges. “It includes everything from education records and behavioral history to health data and information about a child’s family circumstances. PowerSchool collects this highly sensitive information under the guise of educational support, but in fact collects it for its own commercial gain.”

In a motion to dismiss the lawsuit, PowerSchool’s attorneys claimed Cherkin’s complaint relied on “broad, general social critiques condemning surveillance capitalism, cybercrimes and manipulative digital product design, in an apparent attempt to mask that they cannot make specific allegations of wrongdoing by PowerSchool.”

Keebler, the company spokesperson, denied Cherkin’s claims that it sells data or uses personal data to train its chatbots.

But Cherkin argues the vast amount of data PowerSchool collects and shares about millions of students has made it an attractive target for cybercriminals — and should have been a red flag all along. She compared PowerSchool’s business model to that of social media companies that are built to amass and monetize user data.

“I’m truly not at all shocked that this happened,” she said of the breach. “The only way, really, to keep data safe is to not collect it and stockpile it in the first place.”

Seattle-Area Schools Say Survey Saved Lives. Then They Released Student Data
/article/seattle-area-schools-say-deeply-personal-survey-saved-lives-then-they-released-student-data/
Wed, 12 Feb 2025 11:30:00 +0000
Eamonn Fitzmaurice/社区黑料

I used to be pretty suicidal last summer and I tried to commit suicide about two times.

Since 2018, more than 36,000 students across the Seattle region have shared their hopes, fears and family secrets in an online questionnaire called Check Yourself. 

My dog has … untreatable cancer and my great grandma died a week ago.

Some time i harm my self by not eating cause i don’t really like my body.

Questions peer into students’ sexual preferences and romantic lives — even which gender they’re “most likely to have a crush on.” It’s the kind of information a 12-year-old might not tell their best friend.

Do my parents see this survey?

Districts promise students their answers to over 50 personal questions will be kept confidential. But a group of parents has been able to obtain reams of sensitive survey data from multiple districts through the state’s .

One of them, Stephanie Hager, is on a six-year crusade to expose what she considers to be the program’s lack of privacy safeguards. To prove her point, the former Microsoft program manager said she correctly identified six students based on nothing more than details they provided in the survey and a simple Google or social media search.

“We know their school, gender, age on a certain date, grade level, language they speak, their dogs’ names, friends’ names, race, their unique interests, what sports they play, if they are religious, and anything else they feel like writing in — plus their whole mental health record,” said the Snoqualmie Valley mother of four, whose son took the survey in 2019.

“I can’t imagine any parent saying OK to that.”

Researchers at Seattle Children’s Hospital and the University of Washington developed the Check Yourself program to better identify students in middle and high school silently suffering from depression, substance abuse or suicidal thoughts.

Supported by a voter-approved encompasses Seattle, more than $21 million since 2018. The funds help pay for mental health counseling for students and to track trends across the 13 districts that participate. Seven schools in Spokane County, in eastern Washington, and a few districts in Oregon also use Check Yourself.

Backers of the survey have a simple defense: It saves lives.

Valerie Allen, director of social services and mental health in the Highline district, told 社区黑料 of a student who jumped into a pond at a city park in 2022 carrying a backpack laden with weights. The boy went missing after an argument with his dad. The family, Allen said, turned to a school counselor who had started meeting with the student after Check Yourself responses showed he was suicidal. The counselor tipped off police to the pond, the kid’s favorite spot, where they arrived just in time to save him.

The question of whether results like this justify the potential pitfalls has mired the program in controversy since its inception.

“The ultimate protection” against privacy risks is not to do the survey, said Evan Elkin, who helped adapt it for schools and serves as executive director of Reclaiming Futures, a project at Portland State University. But, he asks, is ending the program “worth the lives that you lose?” Officials said they could not determine the number of suicides prevented due to the survey.

For Hapsa Ali, a 2023 Highline district graduate, Check Yourself came at the right time. She suffered from “really bad social anxiety” and wasn’t getting along with her mom. Based on her answers, the school connected her to a counselor who regularly checked in on her, texting once a week.

“She was my safe space,” Ali said.

The clash over Check Yourself falls at the intersection of social forces that have only intensified since the pandemic. are experiencing extreme emotional and psychological stress. While show some improvement since 2021, 30% of 10th graders still say they have persistent feelings of depression and 15% reported thoughts of suicide, according to . 

At the same time, school districts house massive amounts of sensitive personal data and rely heavily on ed tech, making them prime targets for hackers. The Highline district, for example, closed for three days in September because of a . Nationally, more than doubled in 2023. Online mental health surveys also face backlash from activists and , who find them frequently intrusive, inappropriate and removed from school’s main purpose.

“Schools are really under a huge amount of pressure to address student mental health,” said Isabelle Barbour, a consultant who developed a school-based mental health program for the state of Oregon. “But when they try to adopt something that can work in their setting, it brings up all of these other pressure points around privacy.”

‘I shouldn’t be seeing this’

The survey, which takes about 12 minutes to complete, leads students through a series of prompts, from simple tasks such as listing their top goals for the year to deeply personal queries like, “During the past year, did you ever seriously think about ending your life?”

Parents get two chances to opt their children out of the screener, and students can also decline to complete it on the day of the survey. But districts reveal nothing that would alert anyone to its potential risks. Quite the contrary. promotes it as a “successful, proactive approach to providing support to students.” “personalized feedback and strategies for staying healthy.”

In fact, assure parents that only counselors or other “relevant” staff can view individual students’ responses, which are stored on a “secure” platform by Tickit Health, a Canadian company. To participate in the county-led program, districts must sign an agreement saying they will remove all “potentially identifying” student data before submitting records to the county, which uses the information to evaluate the program’s effectiveness and respond to students’ needs. Districts promise that county officials and researchers only see.

But an investigation by county ombudsman Jon Stier, triggered by parents’ concerns, suggests this hasn’t always been the case. A report released last summer revealed that in the program’s early years, county officials were able to connect student names to their responses, although Stier said that practice has ended.

The issue of the survey’s confidentiality first emerged publicly in 2022, when 10 districts released spreadsheets of student answers in response to a public records request from a . Snoqualmie Valley parents asked districts for additional information, released as recently as February 2024, which they shared exclusively with 社区黑料.

A handful of districts concealed some personal details. But several redacted little, if anything.

This could put districts in violation of federal , which require districts to gain parental consent or remove all identifying information from records before releasing them publicly. 

Privacy experts say that wiping information such as race, home language and favorite activities from a document in order to make it is no easy task. But without such measures, a combination of answers could identify a student, in the language of the law, “with reasonable certainty.”

Sometimes, just a simple data point can expose a student’s identity.

During the 2021-22 school year, for example, only one student in the Kent district who took the survey identified as being part of the Muckleshoot tribe, which has about statewide.

Most survey questions are multiple choice. But 13 allow students to write open-ended responses — and it is these answers that experts say vastly increase the chances of identifying potential students.

At 社区黑料’s request, Amelia Vance, president of the Public Interest Privacy Center, reviewed an Excel document with answers from more than 900 students in the Auburn district from the 2021-22 school year — details that included random factoids like a preference for techno music and proficiency in math, as well as very private revelations such as conflicts at home and incidents of self-harm.

“I shouldn’t be seeing this spreadsheet,” Vance said. “It feels like everybody’s sticking their head in the sand about what the consequences could be.”

Districts ‘caught off guard’

Marc Seligson, a King County spokesman, insisted that “student data security is paramount,” but that responsibility for interpreting privacy laws falls to the districts.

“We can’t give them legal advice. Each district has their own lawyer,” said Margaret Soukup, the county’s youth, family and prevention manager, who oversees the program.

She said she was shocked districts released records to parents. “I was very upset because I didn’t even think that that was a possibility.”

社区黑料 reached out to the nine King County districts that released records to the public and still use Check Yourself.

Five didn’t respond, and a spokeswoman for Auburn declined to comment. Conor Laffey, a spokesman for the Snoqualmie Valley district, said officials there worked with the county to “safeguard confidential student information” and consulted the district’s legal counsel before releasing spreadsheets. He declined to elaborate.

Tahoma School District Superintendent Ginger Callison, a former Snoqualmie Valley official, said she didn’t remember details about past disclosures and is “confident” that in the future, “nothing will get released that isn’t allowed or required.”

A Seattle spokeswoman noted that records went through “multiple layers of review to remove potentially identifiable comments within student responses.” But the district didn’t redact very specific details about some students, like the one obsessed with reptiles who wanted a pet frog and another who speaks English, Russian, Spanish and sometimes Samoan. The district did not comment on why it included such information in the spreadsheet of students’ answers.

社区黑料 also contacted , a University of Washington researcher who helped develop the survey and now evaluates the King County program. She said districts are obligated to protect “the confidentiality of student information,” but directed further questions to the county.

Parents say the county also bears responsibility for students potentially being exposed. 

Hager, Check Yourself’s most outspoken parent critic, obtained an email thread through an open records request that shows officials were well aware of the survey’s potential privacy pitfalls. In one email, a former Tickit Health executive warns county officials that if a student “were to enter identifiable information in the free-text sections, theoretically this would be accessible.”

One wrinkle in King County’s privacy dispute is that Washington has one of the strongest. In 2016, for example, the state Supreme Court upheld over half a million dollars in in a case against a state agency that was slow to turn over records.

Elkin, from Portland State University, said districts were “caught off guard and panicked” when they received the open records requests.

But the Washington districts are no different than many others nationally that currently find themselves fielding more public record requests than ever before — often from watchdogs like Hager or activists investigating curriculum materials they believe to be inappropriate. Spurred on by conservative groups like Parents Defending Education and Moms for Liberty, repeat filers dig for lesson plans, teacher training materials and financial records — particularly those relating to transgender issues and diversity, equity and inclusion.

Allen Miedema, executive director of the Northshore district’s technology department, said the districts that use Check Yourself could “do a better job of letting parents know” about the purpose of the survey.

If staff members failed to conceal student identities, he said, it’s often because they’re “swamped” with requests for documents and lack clear guidance from state or county officials on what’s allowed to be included.

‘Survey gets dark very fast’

School leaders insist the danger is largely hypothetical.

Officials in King County, and from six districts that responded to a request from 社区黑料, said they’ve received no reports of cyberthieves or child predators gaining access to Check Yourself and using results to target students.

They point to internal  showing that students feel more connected to school when they’re referred to an “intervention” after taking the survey. In focus groups, students expressed “favorable opinions” about the screener. In  of almost 400 students referred to a staff member after completing Check Yourself, the percentage saying that an adult at school listens, cares and tells them they do a good job increased.

“The tool has been indispensable in pinpointing students who would benefit from urgent extra help — some of whom we never would have known were struggling,” said Laffey, the Snoqualmie Valley district spokesman.

But that doesn’t satisfy Hager.

She is among more than 20 Snoqualmie Valley parents who started asking questions about the program after the warned in 2018 that “malicious use” of sensitive student data could lead to identity theft and “help child predators identify new targets.”

Hager, who attended school in King County, doesn’t have to imagine what it’s like to be preyed on by a trusted adult. In seventh grade, she said she was a victim of sexual misconduct involving a male teacher.

“I know the FBI’s scenarios are real,” she said.

Stephanie Hager, standing left, is among more than 20 Snoqualmie Valley parents who have complained to King County officials about the Check Yourself screener. (Courtesy of Stephanie Hager)

She points to students’ written reflections on the survey as proof that some find the questions disturbing.

“This survey gets dark very fast especially for a child.”

“Why does it act like I’m constantly breaking the law? I’m 12.”

Many students expressed particular concern about questions related to sex and gender. One 12-year-old wrote:

“Female but kinda non binary sorta questioning but not? (Don’t tell my parents).”

Seligson, the King County spokesman, said the survey asks such questions because LGBTQ kids “are one of our most vulnerable populations.” State data released in 2023 showed that were nearly twice as likely as other students to report “depressive feelings.”

The unease some students expressed about Check Yourself was echoed by several district staffers.

In 2019, an official in the Tukwila district, south of Seattle, wrote in that the survey was “causing considerable angst” and that with many “vulnerable” and “traditionally marginalized” families, educators didn’t want to “create unnecessary harm.”

That same year, a Seattle school counselor called it a “super personal survey,” according to an email 社区黑料 obtained through a public records request. She questioned why the district needed the information and whether it would be able to keep it confidential.

A Seattle school counselor was skeptical of the Check Yourself survey in 2019, according to an email 社区黑料 obtained through a public records request.

‘Absolute data privacy is a fantasy’

To be sure, not all King County parents have a problem with Check Yourself.

Erica Thomson, who works for a cloud communications company, said the notion of “absolute data privacy is a fantasy.”

She has two boys in the Seattle schools, one who is transgender and the other who has ADHD, and appreciates that the program gets her children to open up.

“Kids do not tell parents everything,” Thomson said. “Sometimes it is because they love their parents too much and do not want them to worry or suffer.”

Some students write that they appreciate the survey experience, which includes targeted recommendations based on their answers. A student who reports using marijuana, for example, will get facts about how it negatively affects memory and mental and physical health.

Check Yourself gives students responses that are tailored to the answers they submit. (Tickit Health)

Ali, the former student who found Check Yourself beneficial to her well-being, had a distinctly nuanced take on her experience.

While praising the personal attention she received from a counselor, Ali described a “rowdy” atmosphere in the sixth-period history classroom where she took the survey, with classmates buried in their phones and chatting with friends. It made it difficult to express some of the conflicts she was experiencing at the time.

“It was a bunch of juniors just goofing off. I was sitting next to my friend, and she would just ask me, ‘Oh, what did you answer?’” she said. The atmosphere, she added, “felt like it wasn’t as serious as it should have been.”

Highline Public Schools is one of more than a dozen King County, Washington, school districts that uses the Check Yourself screener. Students typically take the survey during a regular class period. (Highline Public Schools)

The information is ‘too valuable’

As King County parents and school officials debate the merits and risks of Check Yourself, other districts have managed to use the program with relative ease.

In Oregon’s Hillsboro district, students’ responses stay on the Tickit platform — unavailable to outside evaluators or the public at large.

Spokane County officials not only eliminated questions about sexual orientation and romantic attractions, but also removed open-response fields.

“Why is it necessary for us to have that information?” asked Justin Johnson, who leads community services for Spokane. Additionally, clinicians monitor the administration of the survey in classrooms, allowing the results to be covered by .

But Soukup, the King County official who oversees the program, said districts there find the write-in answers “too valuable” to do without because students often use them to open up about their problems.

For some King County districts, however, Check Yourself simply proved to be too much.

The Lake Washington district pulled out of the program three years ago and instead contracts with full-time mental health specialists to respond to students’ needs.

The intensely personal questions — and the resulting risk of privacy violations — also helped push the Bellevue school system to drop it in 2019.

Officials opted for , and because of their sensitive nature, results are “considered some of the most privileged data the district has,” said Naomi Calvo, who served as Bellevue’s director of research, evaluation and assessment until 2023. “I didn’t even have access to it.”

Calvo understands why districts jumped to implement Check Yourself and most continue to use it. “Students have needs that were going unaddressed and there is a dearth of options available,” she said.

But as a mental health professional with a young son at the time, she felt skeptical.

“As a researcher, I believe in surveys,” she said. “But I would not have let my child take that survey.”

This story was co-published with .

If you or someone you know is having thoughts of suicide, call or text 988 to reach the National Suicide Prevention Lifeline. Additional resources are available at . For LGBTQ mental health support, you can contact The Trevor Project’s toll-free support line at 866-488-7386.

Free, confidential treatment referral and information is available in English and Spanish at 800-662-4357, the Substance Abuse and Mental Health Services Administration’s National Helpline.

The Story Behind the Story: How I Investigated More Than 300 Cyberattacks
/article/the-story-behind-the-story-how-i-investigated-more-than-300-cyberattacks/ Sat, 08 Feb 2025 13:30:00 +0000

School (in)Security is our biweekly briefing on the latest school safety news, vetted by Mark Keierleber.

It was October 2022 when Los Angeles schools Superintendent Alberto Carvalho made a false assurance about a massive ransomware attack on the country’s second-largest school district — and the leak of thousands of highly sensitive student mental health records — that set me off.

Published reports that the breach exposed students’ psychological evaluations, Carvalho said, were “absolutely incorrect.” The dark web proved otherwise: On a shady corner of the internet, I revealed, hackers used the detailed, very confidential records about Los Angeles children as leverage in a sick ploy for money. After my story ran, L.A. schools acknowledged publicly that some 2,000 student psych evals were indeed exposed by the Vice Society ransomware gang.

And so began my descent down the rabbit hole, marking the early days of an in-depth investigation I published Tuesday and supported by a grant from the .

What I found is that as educators take steps to protect themselves, their school districts and their reputations after cyberattacks, they employ a pervasive pattern of obfuscation that leaves students, parents and teachers — the real victims of the hacks and subsequent data breaches — in the dark.

I spent a year (OK, more than a year) learning everything I could about more than 300 K-12 school cyberattacks since the pandemic pushed students into online learning and educators became lucrative targets for hackers. I reconfigured a crappy old laptop to track ransomware gangs on the dark web and to analyze the reams of sensitive files published to their sketchy leak sites. I obtained thousands of public records from more than two dozen school districts. I used the government procurement database GovSpend to uncover school spending after attacks, including ransom payments made to cyberthieves in Bitcoin. I scoured news reports, state data breach disclosures and district websites for public confirmations and, oftentimes, denials — sometimes even after their students’ and employees’ personal information had already been published.

My reporting documented that educators routinely offered incomplete, misleading or downright inaccurate information about cyberattacks — and the risks that subsequent data breaches pose to students, parents and teachers for identity theft, fraud and other forms of online exploitation.

The hollowness in schools’ messaging and the mechanisms that leave school communities clueless are no coincidence. Staring down a cyberattack and the prospect of being sued over the leak of sensitive information, school leaders turn to insurance companies, consultants and privacy lawyers to steer “privileged investigations,” which keep key details hidden from the public. Often contacted before the police, the paid consultants who arrive in the wake of a cyberattack are portrayed to the public as an encouraging sign, trained to handle the bad actors and restore learning.

But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them.

School cybersecurity expert Doug Levin had this to say about our investigation: “For institutions whose mission is to lift up and protect children and youth, it is unconscionable that they are incentivized to cover up the criminal acts perpetrated against them by malicious foreign actors.”

K-12 cyberattacks in focus: Now you can fall down the school cyberattack rabbit hole, too! Use our new search feature to read about how incidents unfolded in your own community, complete with investigative reveals you won’t want to miss.



Emotional support

This story was brought to you with invaluable editing and guidance from 社区黑料’s Kathy Moore.

And Matilda.

Kept in the Dark: Meet the Hired Guns Who Ensure School Cyberattacks Stay Hidden
/article/kept-in-the-dark/ Tue, 04 Feb 2025 09:01:00 +0000

This article is published in partnership with

Schools have faced an onslaught of cyberattacks since the pandemic disrupted education nationwide five years ago, yet district leaders across the country have employed a pervasive pattern of obfuscation that leaves the real victims in the dark, an investigation by 社区黑料 shows. 

An in-depth analysis chronicling more than 300 school cyberattacks over the past five years reveals the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents and staff about the security of their sensitive information. At the same time, consultants and lawyers steer “privileged investigations”, which keep key details hidden from the public.

In more than two dozen cases, educators were forced to backtrack months — and in some cases more than a year — later after telling their communities that sensitive information, which included, in part, special education accommodations, mental health challenges and student sexual misconduct reports, had not been exposed. While many school officials offered evasive storylines, others refused to acknowledge basic details about cyberattacks and their effects on individuals, even after the hackers made student and teacher information public.

Ransomware gangs that target schools, including Rhysida, upload stolen files to leak sites on the dark web to coerce payments from their targets. (Screenshot)

The hollowness in schools’ messaging is no coincidence.

That’s because the first people alerted following a school cyberattack are generally not the public nor the police. District incident response plans place insurance companies and their phalanxes of privacy lawyers first. They take over the response, with a focus on limiting schools’ exposure to lawsuits by aggrieved parents or employees.

The attorneys, often employed by just a handful of law firms — dubbed  by one law professor for their massive caseloads — hire the forensic cyber analysts, crisis communicators and ransom negotiators on schools’ behalf, placing the discussions under the shield of attorney-client privilege. is for these specialized lawyers, who work to control the narrative.

The result: Students, families and district employees whose personal data was published online — from their financial and medical information to traumatic events in young people’s lives — are left clueless about their exposure and risks to identity theft, fraud and other forms of online exploitation. Told sooner, they could have taken steps to protect themselves.

Similarly, the public is often unaware when school officials quietly agree in closed-door meetings to pay the cybergangs’ ransom demands in order to recover their files and unlock their computer systems. Research suggests that has been fueled, at least in part, by insurers’ willingness to pay. Hackers themselves have that when a target carries cyber insurance, ransom payments are “all but guaranteed.”

In 2023, there were 121 ransomware attacks on U.S. K-12 schools and colleges, according to , a consumer-focused cybersecurity website whose researchers acknowledge that number is an undercount. An analysis by the  reported 265 ransomware attacks against the education sector globally in 2023 — a 70% year-over-year surge, making it “the worst ransomware year on record for education.”

Daniel Schwarcz, a University of Minnesota law professor, wrote criticizing the confidentiality and doublespeak that shroud school cyberattacks as soon as the lawyers — often called breach coaches — arrive on the scene.

“There’s a fine line between misleading and, you know, technically accurate,” Schwarcz told 社区黑料. “What breach coaches try to do is push right up to that line — and sometimes they cross it.”


When breaches go unspoken

社区黑料’s investigation into the behind-the-scenes decision-making that determines what, when and how school districts reveal cyberattacks is based on thousands of documents obtained through public records requests from more than two dozen districts and school spending data that links to the law firms, ransomware negotiators and other consultants hired to run district responses. It also includes an analysis of millions of stolen school district records uploaded to cybergangs’ leak sites.

Some of students’ most sensitive information lives indefinitely on the dark web, a hidden part of the internet that’s often used for anonymous communication and illicit activities. Other personal data can be found online with little more than a Google search — even as school districts deny that their records were stolen and cyberthieves boast about their latest score.

社区黑料 tracked news accounts and relied on its own investigative reporting in Los Angeles, Minneapolis, Providence, Rhode Island and St. Landry Parish, Louisiana, which uncovered the full extent of school data breaches, countering school officials’ false or misleading assertions. As a result, district administrators had to publicly acknowledge data breaches to victims or state regulators for the first time, or retract denials about the leak of thousands of students’ detailed psychological records.

Threat actors use ransom notes to intimidate school officials into making payments, such as this one to Alaska educators after a 2023 attack. (Screenshot)

In many instances, 社区黑料 relied on mandated data breach notices that certain states, like Maine and California, report publicly. The notices were sent to residents in these states when their personal information was compromised, including numerous times when the school that suffered the cyberattack was hundreds, and in some cases thousands, of miles away. The legally required notices repeatedly revealed discrepancies between what school districts told the public early on and what they disclosed to regulators after extensive delays.

Some schools, meanwhile, failed to disclose data breaches, which they are required to do under state privacy laws, and for dozens of others, 社区黑料 could find no information at all about alleged school cyberattacks uncovered by its reporting — suggesting they had never before been reported or publicly acknowledged by local school officials.

Education leaders who responded to 社区黑料’s investigation results said any lack of transparency on their part was centered on preserving the integrity of the investigation, not self-protection. School officials in Reeds Spring, Missouri, said when they respond “to potential security incidents, our focus is on accuracy and compliance, not downplaying the severity.” Those at Florida’s River City Science Academy said the school “acted promptly to assess and mitigate risks, always prioritizing the safety and privacy of our students, families and employees.”

In Hillsborough County Public Schools in Tampa, Florida, administrators in the nation’s seventh-largest district said they notified student breach victims “by email, mail and a telephone call” and “set up a special hotline for affected families to answer questions.”

Hackers have exploited officials’ public statements on cyberattacks to strengthen their bargaining position, a reality educators cite when endorsing secrecy during ransom negotiations.

“But those negotiations do not go on forever,” said Doug Levin, who advises school districts after cyberattacks and is the co-founder and national director of the nonprofit K12 Security Information eXchange. “A lot of these districts come out saying, ‘We’re not paying,’” the ransom.

“All right, well, negotiation is over,” Levin said. “You need to come clean.”

Records obtained by 社区黑料, including from a 2020 school district cyberattack in Somerset, Massachusetts, show that third-party consultants help craft educators' public messaging about cyberattacks. (Screenshot)

Confidentiality is king

The paid professionals who arrive in the wake of a school cyberattack are held up to the public as an encouraging sign. School leaders announce reassuringly that specialists were promptly hired to assess the damage, mitigate harm and restore their systems to working order. 

This promise of control and normality is particularly potent when cyberattacks suddenly cripple school systems, for days and disable online learning tools. News reports are fond of saying that educators were forced to teach students 鈥

But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them.

The extent to which this involves keeping critical information out of the public’s hands is made clear in the advice that Jo Anne Roque, vice president of risk services account management at Poms & Associates Insurance Brokers, gave to leaders of New Mexico’s Gallup-McKinley County Schools after a 2023 cyberattack.

Tseʼ Yiʼ Gai High School, Gallup-McKinley County School District (Steven Baltakatei Sandoval/Wikipedia)

The district had hired Kroll, which conducts forensic investigations and intelligence gathering. Contracting with a privacy attorney was also necessary, Roque wrote, to shield Kroll’s findings from public view.

“Without privacy counsel in place, public records would be accessible in the event of an information leak,” she wrote in an email to school leaders that was obtained by 社区黑料 through a public records request. School districts routinely denied 社区黑料’s requests for cyberattack information on the very same grounds of attorney-client privilege.

Records obtained by 社区黑料 reveal Gallup-McKinley officials never notified the school community, state regulators or law enforcement about the attack, even after threat actors with the Hunters International ransomware gang listed the New Mexico district on its leak site in January 2024.

In California’s Sweetwater Union High School District, administrators told the public at first that a February 2023 attack was an “information technology system outage” — and then went on to pay a $175,000 ransom to the hackers who encrypted their systems. The payoff didn’t stop the leak of data for more than 22,000 people, nor did the district’s initially foggy phrasing allay public suspicion for very long.

Sweetwater Union High School District headquarters (Mmrubio/Wikipedia)

During a , angry residents accused Sweetwater of being misleading and cagey. One, Kathleen Cheers, questioned whether lawyers or public relations consultants had advised school leaders to keep quiet.

“What brainiac recommended this?” asked Cheers, who wanted the district to create a presentation within 30 days outlining how the breach occurred and who “recommended the deceitful description.”

It wasn’t until June 2023 — four months after the attack — that Sweetwater their records were compromised. But the district’s breach notice never says what specific records had been taken, refers to files that “may have been taken” and tells those receiving the notice that their “personal information was included in the potentially taken files.”

“Well, was my information taken or not?” April Strauss, an attorney representing current and former employees in a class action lawsuit against Sweetwater, asked 社区黑料.

Strauss, the Las Vegas district in a similar lawsuit, accused school officials of downplaying cyberattacks “to avoid exacerbating their liability, quite frankly,” in a way that prevents families from being able to “assert their rights more competently.”

Districts’ vaguely worded breach notification letters to victims serve more to confuse than inform, she said.

“The wording in notices is disheartening,” Strauss told 社区黑料. “It’s almost like revictimization.”

Who’s in charge

Such hedged language used in required breach notices echoes the hazy descriptions districts give the public right after they’ve been hacked. Cyberattacks were called an “encryption event” in Minneapolis; a “network security incident” in Blaine County, Idaho; “temporary network disruptions” in Chambersburg, Pennsylvania, and “anomalous activity” in Camden, New Jersey.

In several cases, consultants advised educators against using words like “breach” and “cyberattack” in their communications to the public. Less than 24 hours after school officials in Rochester, Minnesota, discovered a ransom note and an April 2023 attack on the district’s computer network, they notified families but only after accepting input from the public relations firm FleishmanHillard.

“‘Cyberattack’ is severe language that we prefer to avoid when possible,” the firm’s representative wrote .

The district called it “irregular activity” instead.

In cases where schools are being attacked, threatened and extorted by some of the globe’s most notorious cybergangs — many with known ties to Russia — officials have claimed in arresting and indicting some of the masterminds. Yet 社区黑料 identified instances where police took a secondary role.

In positioning themselves at the helm of cyberattack responses, attorneys have they should contact law enforcement only “in conjunction with qualified counsel.”

In some cases, including one involving the Sheldon Independent School District in Texas, insurers have approved and covered costs associated with ransom payments, often harder-to-trace bitcoin transactions that have come under law enforcement scrutiny.

Biden’s Deputy National Security Advisor Anne Neuberger, writing in in the Financial Times, said insurers are right to demand their clients install better cybersecurity measures, like multi-factor authentication, but those who agree to pay off hackers have incentivized “payment of ransoms that fuel cyber crime ecosystems.”

“This is a troubling practice that must end,” she wrote.

Records obtained by 社区黑料 show that in Somerset, Massachusetts, Beazley, the school district’s cybersecurity insurance provider, approved a $200,000 ransom payment after a July 2020 attack. The insurer also played a role in selecting other outside vendors for the district’s incident response, including Coveware, a cybersecurity company that specializes in negotiating with hackers.

If police were disturbed by the district’s course of action, they didn’t express it. In fact, William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).”

But he was quick to defer to the district and its lawyers.

William Tedford, now the Somerset police chief. (Facebook)

“There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote. “All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved.”

While ransom payments are “ethically wrong because you’re funding criminal organizations,” insurers are on the hook for helping districts recover, and the payments are a way to limit liability and save money, said Chester Wisniewski, a director at cybersecurity company Sophos.

“The insurance companies are constantly playing catch-up trying to figure out how they can offer this protection,” he told 社区黑料. “They see dollar signs — that everybody wants this protection — but they’re losing their butts on it.”

Similarly, school districts have seen their premiums climb. In by the nonprofit Consortium for School Networking, more than half said their cyber insurance costs have increased. One Illinois school district reported its 334% between 2021 and 2022.

Many districts told 社区黑料 that they were quick to notify law enforcement soon after an attack and said the police, their insurance companies and their attorneys all worked in concert to respond. But a pecking order did emerge in the aftermath of several of these events examined by 社区黑料 — one where the public did not learn what had fully happened until long after the attack.

When the Medusa ransomware gang attacked Minneapolis Public Schools in February 2023, it stole reams of sensitive information and demanded $4.5 million in bitcoin in exchange for not leaking it. District officials had a lawyer at Mullen Coughlin . But at the same time school officials were refusing to acknowledge publicly that they had been hit by a ransomware attack, their attorneys were telling federal law enforcement that the district almost immediately determined its network had been encrypted, promptly identified Medusa as the culprit and within a day had its “third-party forensic investigation firm” communicating with the gang “regarding the ransom.”

Mullen Coughlin then told the FBI that it was leading “a privileged investigation” into the attack and, at the school district’s request, “all questions, communication and requests in connection with this notification should be directed” to the law firm. Mullen Coughlin didn’t respond to requests for comment.

Minneapolis school officials would wait seven months before notifying more than 100,000 people that their sensitive files were exposed, including documents detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. As of Dec. 1, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

One district took such a hands-off approach, leaving cyberattack recovery to the consultants’ discretion, that they were left out of the loop and forced to issue an apology.

When an April 2023 letter to Camden educators arrived 13 months after a ransomware attack, it caused alarm. An administrator had to assure employees in an email that the New Jersey district wasn’t the target of a second attack. Third-party attorneys had sent out notices after a significant delay and without school officials’ knowledge. Taken by surprise, Camden schools were not “able to preemptively advise each of you about the notice and what it meant.”

Other school leaders said when they were in the throes of a full-blown crisis and ill-equipped to fight off cybercriminals on their own, law enforcement was not of much use and insurers and outside consultants were often their best option.

“In terms of how law enforcement can help you out, there’s really not a whole lot that can be done to be honest with you,” said Don Ringelestein, the executive director of technology at the Yorkville, Illinois, school district. When the district was hit by a cyberattack prior to the pandemic, he said, a report to the FBI went nowhere. Federal law enforcement officials didn’t respond to requests for comment.

District administrators turned to their insurance company, he said, which connected them to a breach coach, who led all aspects of the incident response under attorney-client privilege.

Northern Bedford County schools Superintendent Todd Beatty said the Pennsylvania district contacted the federal to report a July 2024 attack, but “the problem is there’s not enough funding and personnel for them to be able to be responsive to incidents.”

Meanwhile, John VanWagoner, the schools superintendent in Traverse City, Michigan, claims insurance companies and third-party lawyers often leave district officials in the dark, too. Their insurance company presented school officials with the choice of several cybersecurity firms they could hire to recover from a March 2024 attack, VanWagoner said, but he “didn’t know where to go to vet if they were any good or not.”

He said it had been a community member — not a paid consultant — who first alerted district officials to the extent of the massive breach that forced school closures and involved 1.2 terabytes — or over 1,000 gigabytes — of stolen data.

“We were literally taking that right to the cyber companies and going, ‘Hey, they’re finding this, can you confirm this so that we can get a message out?’” he told 社区黑料. “That is what I probably would tell you is the most frustrating part is that you’re relying on them and you’re at the mercy of that a little bit.”

The breach coach

Breach notices and other incident response records obtained by 社区黑料 show that a small group of law firms play an outsized role in school cyberattack recovery efforts throughout the country. Among them is McDonald Hopkins, where Michigan attorney Dominic Paluzzi co-chairs a 52-lawyer data privacy and cybersecurity practice. 

Some call him a breach coach. He calls himself a 鈥渜uarterback.鈥 

After establishing attorney-client privilege, Paluzzi and his team call in outside agencies covered by a district鈥檚 cyber insurance policy 鈥  including forensic analysts, negotiators, public relations firms, data miners, notification vendors, credit-monitoring providers and call centers. Across all industries, the cybersecurity practice handled , 17% of which involved the education sector 鈥 which, Paluzzi noted, isn鈥檛 鈥渁lways the best when it comes to the latest protections."

When asked why districts鈥 initial response is often to deny the existence of a data breach, Paluzzi said it takes time to understand whether an event rises to that level, which would legally require disclosure and notification.  

鈥淚t鈥檚 not a time to make assumptions, to say, 鈥榃e think this data has been compromised,鈥 until we know that,鈥 Paluzzi said. 鈥淚f we start making assumptions and that starts our clock [on legally mandated disclosure notices], we鈥檙e going to have been in violation of a lot of the laws, and so what we say and when we say it are equally important.鈥 

He said in the early stage, lawyers are trying to protect their client and avoid making any statements they would have to later retract or correct.

“While it often looks a bit canned and formulaic, it’s often because we just don’t know and we’re doing so many things,” Paluzzi said. “We’re trying to get it contained, ensure the threat actor is not in our environment and get up and running so we can continue with school and classes, and then we shift to what data is potentially out there and compromised.”

A data breach is confirmed, he said, only after “a full forensic review.” Paluzzi said that process can take up to a year, and often only after it’s completed are breaches disclosed and victims notified.

“We run through not only the forensics, but through that data mining and document review effort. By doing that last part, we are able to actually pinpoint for John Smith that it was his Social Security number, right, and Jane Doe, it's your medical information,” he said. “We try, in most cases, to get to that level of specificity, and our letters are very specific.”

Targets in general that without the help of a breach coach, according to a 2023 blog post by attorneys at the firm Troutman Pepper Locke, often fail to notify victims and, in some cases, provide more information than they should. When entities over-notify, they increase “the likelihood of a data breach class action [lawsuit] in the process.” Companies that under-notify “may reduce the likelihood of a data breach class action,” but could instead find themselves in trouble with government regulators.

For school districts and other entities that suffer data breaches, legal fees and settlements are often . 

Law firms like McDonald Hopkins that manage thousands of cyberattacks every year are particularly interested in privilege, said Schwarcz, the University of Minnesota law professor who wonders whether lawyers are necessarily best positioned to handle complex digital attacks.

In his , Schwarcz writes that the promise of confidentiality is breach coaches’ chief offering. By elevating the importance of attorney-client privilege, the report argues, lawyers are able to “retain their primacy” in the ever-growing and lucrative cyber incident-response sector.

Similarly, he said lawyers’ emphasis on reducing payouts to parents who sue overstates schools’ actual exposure and is another way to promote themselves as “providing a tremendous amount of value by limiting the risk of liability by providing you with a shield.”

Their efforts to lock down information and avoid paper trails, he wrote, ultimately undermine “the long-term cybersecurity of their clients and society more broadly.”

Threat actors uploaded campus security records from the Lumberton, Texas, school district to the dark web in 2023 after educators did not pay their ransom demand. 社区黑料 redacted the students' faces. (Screenshot)

Who gets hurt

School cyberattacks have led to the widespread release of records that heighten the risk of identity theft for students and staff and trigger data breach notification laws that typically center on preventing fraud. 

Yet files obtained by 社区黑料 show school cyberattacks carry particularly devastating consequences for the nation’s most vulnerable youth. Records about sexual abuse, domestic violence and other traumatic childhood experiences are found to be at the center of leaks.

Hackers have leveraged these files, in particular, to coerce payments. 

In Somerset, Massachusetts, a hacker using an encrypted email service extorted school officials with details of past sexual misconduct allegations during a district “show choir” event. The accusations were investigated by local police and no charges were filed.

“I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools,” the hacker alleges in records obtained by 社区黑料. “This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

The exposure of intimate records presents a situation where “vulnerable kids are being disadvantaged again by weak data security,” said digital privacy scholar Danielle Citron, a University of Virginia law professor whose 2022 book, , argues that a lack of legal protections around intimate data leaves victims open to further exploitation.

“It’s not just that you have a leak of the information,” Citron told 社区黑料. “But the leak then leads to online abuse and torment.”

Meanwhile in Minneapolis, an educator reported that someone withdrew more than $26,000 from their bank account after the district got hacked. In Glendale, California, more than 230 educators were required to verify their identity with the Internal Revenue Service after someone filed their taxes fraudulently. 

In Albuquerque, where school officials said they prevented hackers from acquiring students’ personal information, a parent reported being contacted by the hackers who placed a “strange call demanding money for ransoming their child.”

Blood in the water

Nationally, about 135 state laws are devoted to student privacy. Yet all of them are “unfunded mandates” and “there’s been no enforcement that we know of,” according to Linnette Attai, a data privacy compliance consultant and president of .

that require businesses and government entities to notify victims when their personal information has been compromised, but the rules vary widely, including definitions of what constitutes a breach, the types of records that are covered, the speed at which consumers must be informed and the degree to which the information is shared with the general public. 

It’s a regulatory environment that breach coach Anthony Hendricks, with the Oklahoma City office of law firm Crowe & Dunlevy, calls “the multiverse of madness.”

“It's like you're living in different privacy realities based on the state that you live in,” Hendricks said. He said federal cybersecurity rules could provide a “level playing field” for data breach victims who have fewer protections “because they live in a certain state.”

By 2026, proposed federal rules to the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security. But questions remain about what might happen to the rules under the new Trump administration and whether they would come with any accountability for school districts or any mechanism to share those reports with the public. 

about the extent of cyberattacks and data breaches can face Securities and Exchange Commission scrutiny, yet such accountability measures are lacking for public schools.

The Family Educational Rights and Privacy Act, the federal student privacy law, prohibits schools from disclosing student records but doesn’t require disclosure when outside forces cause those records to be exposed. Schools that have “a policy or practice” of routinely releasing students’ records in violation of FERPA can lose their federal funding, but such sanctions have never been imposed since the law was enacted in 1974.

A ransom note delivered to the Albuquerque, New Mexico, school district after a 2022 attack lays out the threat actor's demands. (Screenshot)

The patchwork of data breach notices is often the only mechanism alerting victims that their information is out there, but with the explosion of cyberattacks across all aspects of modern life, they’ve grown so common that some see them as little more than junk mail.

Schwarcz, the Minnesota law professor, is also a Minneapolis Public Schools parent. He told 社区黑料 he got the district’s September 2023 breach notice in the mail but he “didn't even read it.” The vague notices, he said, are “mostly worthless.”

It may be enforcement against districts’ misleading practices that ultimately forces school systems to act with more transparency, said Attai, the data privacy consultant. She urges educators to “communicate very carefully and very deliberately and very accurately” the known facts of cyberattacks and data breaches.

“Communities smell blood in the water,” she said, “because we’ve got these mixed messages.”

Development and art direction by Eamonn Fitzmaurice.  Illustrations by  for 社区黑料.

This story was supported by a grant from the Fund for Investigative Journalism.


This article is published in partnership with

Schools have faced an onslaught of cyberattacks since the pandemic disrupted education nationwide five years ago, yet district leaders across the country have employed a pervasive pattern of obfuscation that leaves the real victims in the dark, an investigation by 社区黑料 shows. 

An in-depth analysis chronicling more than 300 school cyberattacks over the past five years reveals the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents and staff about the security of their sensitive information. At the same time, consultants and lawyers steer “privileged investigations”, which keep key details hidden from the public.

In more than two dozen cases, educators were forced to backtrack months — and in some cases more than a year — later after telling their communities that sensitive information, which included, in part, special education accommodations, mental health challenges and student sexual misconduct reports, had not been exposed. While many school officials offered evasive storylines, others refused to acknowledge basic details about cyberattacks and their effects on individuals, even after the hackers made student and teacher information public.

Ransomware gangs that target schools, including Rhysida, upload stolen files to leak sites on the dark web to coerce payments from their targets. (Screenshot)

The hollowness in schools’ messaging is no coincidence.

That’s because the first people alerted following a school cyberattack are generally not the public nor the police. District incident response plans place insurance companies and their phalanxes of privacy lawyers first. They take over the response, with a focus on limiting schools’ exposure to lawsuits by aggrieved parents or employees.

The attorneys, often employed by just a handful of law firms — dubbed by one law professor for their massive caseloads — hire the forensic cyber analysts, crisis communicators and ransom negotiators on schools’ behalf, placing the discussions under the shield of attorney-client privilege. is for these specialized lawyers, who work to control the narrative.

The result: Students, families and district employees whose personal data was published online — from their financial and medical information to traumatic events in young people’s lives — are left clueless about their exposure and risks to identity theft, fraud and other forms of online exploitation. Told sooner, they could have taken steps to protect themselves.

Similarly, the public is often unaware when school officials quietly agree in closed-door meetings to pay the cybergangs’ ransom demands in order to recover their files and unlock their computer systems. Research suggests that has been fueled, at least in part, by insurers’ willingness to pay. Hackers themselves have that when a target carries cyber insurance, ransom payments are “all but guaranteed.”

In 2023, there were 121 ransomware attacks on U.S. K-12 schools and colleges, according to , a consumer-focused cybersecurity website whose researchers acknowledge that number is an undercount. An analysis by the reported 265 ransomware attacks against the education sector globally in 2023 — a 70% year-over-year surge, making it “the worst ransomware year on record for education.”

Daniel Schwarcz, a University of Minnesota law professor, wrote criticizing the confidentiality and doublespeak that shroud school cyberattacks as soon as the lawyers — often called breach coaches — arrive on the scene.

“There’s a fine line between misleading and, you know, technically accurate,” Schwarcz told 社区黑料. “What breach coaches try to do is push right up to that line — and sometimes they cross it.”


When breaches go unspoken

社区黑料’s investigation into the behind-the-scenes decision-making that determines what, when and how school districts reveal cyberattacks is based on thousands of documents obtained through public records requests from more than two dozen districts and school spending data that links to the law firms, ransomware negotiators and other consultants hired to run district responses. It also includes an analysis of millions of stolen school district records uploaded to cybergangs’ leak sites.

Some of students’ most sensitive information lives indefinitely on the dark web, a hidden part of the internet that’s often used for anonymous communication and illicit activities. Other personal data can be found online with little more than a Google search — even as school districts deny that their records were stolen and cyberthieves boast about their latest score.

社区黑料 tracked news accounts and relied on its own investigative reporting in Los Angeles, Minneapolis, Providence, Rhode Island and St. Landry Parish, Louisiana, which uncovered the full extent of school data breaches, countering school officials’ false or misleading assertions. As a result, district administrators had to publicly acknowledge data breaches to victims or state regulators for the first time, or retract denials about the leak of thousands of students’ detailed psychological records.

Threat actors use ransom notes to intimidate school officials into making payments, such as this one to Alaska educators after a 2023 attack. (Screenshot)

In many instances, 社区黑料 relied on mandated data breach notices that certain states, like Maine and California, report publicly. The notices were sent to residents in these states when their personal information was compromised, including numerous times when the school that suffered the cyberattack was hundreds, and in some cases thousands, of miles away. The legally required notices repeatedly revealed discrepancies between what school districts told the public early on and what they disclosed to regulators after extensive delays.

Some schools, meanwhile, failed to disclose data breaches, which they are required to do under state privacy laws, and for dozens of others, 社区黑料 could find no information at all about alleged school cyberattacks uncovered by its reporting — suggesting they had never before been reported or publicly acknowledged by local school officials.

Education leaders who responded to 社区黑料’s investigation results said any lack of transparency on their part was centered on preserving the integrity of the investigation, not self-protection. School officials in Reeds Spring, Missouri, said when they respond “to potential security incidents, our focus is on accuracy and compliance, not downplaying the severity.” Those at Florida’s River City Science Academy said the school “acted promptly to assess and mitigate risks, always prioritizing the safety and privacy of our students, families and employees.”

In Hillsborough County Public Schools in Tampa, Florida, administrators in the nation’s seventh-largest district said they notified student breach victims “by email, mail and a telephone call” and “set up a special hotline for affected families to answer questions.”

Hackers have exploited officials’ public statements on cyberattacks to strengthen their bargaining position, a reality educators cite when endorsing secrecy during ransom negotiations.

“But those negotiations do not go on forever,” said Doug Levin, who advises school districts after cyberattacks and is the co-founder and national director of the nonprofit K12 Security Information eXchange. “A lot of these districts come out saying, 'We're not paying,'” the ransom.

“All right, well, negotiation is over,” Levin said. “You need to come clean.”

Records obtained by 社区黑料, including from a 2020 school district cyberattack in Somerset, Massachusetts, show that third-party consultants help craft educators' public messaging about cyberattacks. (Screenshot)

Confidentiality is king

The paid professionals who arrive in the wake of a school cyberattack are held up to the public as an encouraging sign. School leaders announce reassuringly that specialists were promptly hired to assess the damage, mitigate harm and restore their systems to working order. 

This promise of control and normality is particularly potent when cyberattacks suddenly cripple school systems, for days and disable online learning tools. News reports are fond of saying that educators were forced to teach students 鈥

But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them.

The extent to which this involves keeping critical information out of the public’s hands is made clear in the advice that Jo Anne Roque, vice president of risk services account management at Poms & Associates Insurance Brokers, gave to leaders of New Mexico’s Gallup-McKinley County Schools after a 2023 cyberattack.

Tseʼ Yiʼ Gai High School, Gallup-McKinley County School District (Steven Baltakatei Sandoval/Wikipedia)

The district had hired Kroll, which conducts forensic investigations and intelligence gathering. Contracting with a privacy attorney was also necessary, Roque wrote, to shield Kroll’s findings from public view.

“Without privacy counsel in place, public records would be accessible in the event of an information leak,” she wrote in an email to school leaders that was obtained by 社区黑料 through a public records request. School districts routinely denied 社区黑料’s requests for cyberattack information on the very same grounds of attorney-client privilege.

Records obtained by 社区黑料 reveal Gallup-McKinley officials never notified the school community, state regulators or law enforcement about the attack, even after threat actors with the Hunters International ransomware gang listed the New Mexico district on its leak site in January 2024.

In California’s Sweetwater Union High School District, administrators told the public at first that a February 2023 attack was an “information technology system outage” — and then went on to pay a $175,000 ransom to the hackers who encrypted their systems. The payoff didn’t stop the leak of data for more than 22,000 people, nor did the district’s initially foggy phrasing allay public suspicion for very long.

Sweetwater Union High School District headquarters (Mmrubio/Wikipedia)

During a , angry residents accused Sweetwater of being misleading and cagey. One, Kathleen Cheers, questioned whether lawyers or public relations consultants had advised school leaders to keep quiet. 

“What brainiac recommended this?” asked Cheers, who wanted the district to create a presentation within 30 days outlining how the breach occurred and who “recommended the deceitful description.”

It wasn’t until June 2023 — four months after the attack — that Sweetwater their records were compromised. But the district’s breach notice never says what specific records had been taken, refers to files that “may have been taken” and tells those receiving the notice that their “personal information was included in the potentially taken files.”

“Well, was my information taken or not?” April Strauss, an attorney representing current and former employees in a class action lawsuit against Sweetwater, asked 社区黑料.

Strauss, the Las Vegas district in a similar lawsuit, accused school officials of downplaying cyberattacks “to avoid exacerbating their liability, quite frankly,” in a way that prevents families from being able to “assert their rights more competently.”

Districts’ vaguely worded breach notification letters to victims serve more to confuse than inform, she said.

“The wording in notices is disheartening,” Strauss told 社区黑料. “It’s almost like revictimization.”

Who’s in charge

Such hedged language used in required breach notices echoes the hazy descriptions districts give the public right after they’ve been hacked. Cyberattacks were called an “encryption event” in Minneapolis; a “network security incident” in Blaine County, Idaho; “temporary network disruptions” in Chambersburg, Pennsylvania, and “anomalous activity” in Camden, New Jersey.

In several cases, consultants advised educators against using words like “breach” and “cyberattack” in their communications to the public. Less than 24 hours after school officials in Rochester, Minnesota, discovered a ransom note and an April 2023 attack on the district’s computer network, they notified families but only after accepting input from the public relations firm FleishmanHillard.

“‘Cyberattack’ is severe language that we prefer to avoid when possible,” the firm’s representative wrote .

The district called it “irregular activity” instead.

In cases where schools are being attacked, threatened and extorted by some of the globe’s most notorious cybergangs — many with known ties to Russia — officials have claimed in arresting and indicting some of the masterminds. Yet 社区黑料 identified instances where police took a secondary role.

In positioning themselves at the helm of cyberattack responses, attorneys have they should contact law enforcement only “in conjunction with qualified counsel.”

In some cases, including one involving the Sheldon Independent School District in Texas, insurers have approved and covered costs associated with ransom payments, often harder-to-trace bitcoin transactions that have come under law enforcement scrutiny.

Biden's Deputy National Security Advisor Anne Neuberger, writing in in the Financial Times, said insurers are right to demand their clients install better cybersecurity measures, like multi-factor authentication, but those who agree to pay off hackers have incentivized “payment of ransoms that fuel cyber crime ecosystems.”

“This is a troubling practice that must end,” she wrote.

Records obtained by 社区黑料 show that in Somerset, Massachusetts, Beazley, the school district’s cybersecurity insurance provider, approved a $200,000 ransom payment after a July 2020 attack. The insurer also played a role in selecting other outside vendors for the district’s incident response, including Coveware, a cybersecurity company that specializes in negotiating with hackers.

If police were disturbed by the district’s course of action, they didn’t express it. In fact, William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).”

But he was quick to defer to the district and its lawyers.

William Tedford, now the Somerset police chief. (Facebook)

“There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote. “All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved.”

While ransom payments are “ethically wrong because you’re funding criminal organizations,” insurers are on the hook for helping districts recover, and the payments are a way to limit liability and save money, said Chester Wisniewski, a director at cybersecurity company Sophos.

“The insurance companies are constantly playing catch-up trying to figure out how they can offer this protection,” he told 社区黑料. “They see dollar signs — that everybody wants this protection — but they’re losing their butts on it.”

Similarly, school districts have seen their premiums climb. In by the nonprofit Consortium for School Networking, more than half said their cyber insurance costs have increased. One Illinois school district reported its 334% between 2021 and 2022.

Many districts told 社区黑料 that they were quick to notify law enforcement soon after an attack and said the police, their insurance companies and their attorneys all worked in concert to respond. But a pecking order did emerge in the aftermath of several of these events examined by 社区黑料 — one where the public did not learn what had fully happened until long after the attack.

When the Medusa ransomware gang attacked Minneapolis Public Schools in February 2023, it stole reams of sensitive information and demanded $4.5 million in bitcoin in exchange for not leaking it. District officials had a lawyer at Mullen Coughlin . But at the same time school officials were refusing to acknowledge publicly that they had been hit by a ransomware attack, their attorneys were telling federal law enforcement that the district almost immediately determined its network had been encrypted, promptly identified Medusa as the culprit and within a day had its “third-party forensic investigation firm” communicating with the gang “regarding the ransom.”

Mullen Coughlin then told the FBI that it was leading “a privileged investigation” into the attack and, at the school district’s request, “all questions, communication and requests in connection with this notification should be directed” to the law firm. Mullen Coughlin didn’t respond to requests for comment.

Minneapolis school officials would wait seven months before notifying more than 100,000 people that their sensitive files were exposed, including documents detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. As of Dec. 1, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

One district took such a hands-off approach, leaving cyberattack recovery to the consultants’ discretion, that they were left out of the loop and forced to issue an apology.

When an April 2023 letter to Camden educators arrived 13 months after a ransomware attack, it caused alarm. An administrator had to assure employees in an email that the New Jersey district wasn’t the target of a second attack. Third-party attorneys had sent out notices after a significant delay and without school officials’ knowledge. Taken by surprise, Camden schools were not “able to preemptively advise each of you about the notice and what it meant.”

Other school leaders said when they were in the throes of a full-blown crisis and ill-equipped to fight off cybercriminals on their own, law enforcement was not of much use and insurers and outside consultants were often their best option. 

“In terms of how law enforcement can help you out, there’s really not a whole lot that can be done to be honest with you,” said Don Ringelestein, the executive director of technology at the Yorkville, Illinois, school district. When the district was hit by a cyberattack prior to the pandemic, he said, a report to the FBI went nowhere. Federal law enforcement officials didn’t respond to requests for comment.

District administrators turned to their insurance company, he said, which connected them to a breach coach, who led all aspects of the incident response under attorney-client privilege.

Northern Bedford County schools Superintendent Todd Beatty said the Pennsylvania district contacted the federal to report a July 2024 attack, but “the problem is there’s not enough funding and personnel for them to be able to be responsive to incidents.”

Meanwhile, John VanWagoner, the schools superintendent in Traverse City, Michigan, claims insurance companies and third-party lawyers often leave district officials in the dark, too. Their insurance company presented school officials with the choice of several cybersecurity firms they could hire to recover from a March 2024 attack, VanWagoner said, but he “didn’t know where to go to vet if they were any good or not.”

He said it had been a community member — not a paid consultant — who first alerted district officials to the extent of the massive breach that forced school closures and involved 1.2 terabytes — or over 1,000 gigabytes — of stolen data.

鈥淲e were literally taking that right to the cyber companies and going, 鈥楬ey, they鈥檙e finding this, can you confirm this so that we can get a message out?鈥 鈥 he told 社区黑料. 鈥淭hat is what I probably would tell you is the most frustrating part is that you鈥檙e relying on them and you鈥檙e at the mercy of that a little bit.鈥

The breach coach

Breach notices and other incident response records obtained by 社区黑料 show that a small group of law firms play an outsized role in school cyberattack recovery efforts throughout the country. Among them is McDonald Hopkins, where Michigan attorney Dominic Paluzzi co-chairs a 52-lawyer data privacy and cybersecurity practice. 

Some call him a breach coach. He calls himself a 鈥渜uarterback.鈥 

After establishing attorney-client privilege, Paluzzi and his team call in outside agencies covered by a district鈥檚 cyber insurance policy 鈥  including forensic analysts, negotiators, public relations firms, data miners, notification vendors, credit-monitoring providers and call centers. Across all industries, the cybersecurity practice handled , 17% of which involved the education sector 鈥 which, Paluzzi noted, isn鈥檛 鈥渁lways the best when it comes to the latest protections."

When asked why districts鈥 initial response is often to deny the existence of a data breach, Paluzzi said it takes time to understand whether an event rises to that level, which would legally require disclosure and notification.  

鈥淚t鈥檚 not a time to make assumptions, to say, 鈥榃e think this data has been compromised,鈥 until we know that,鈥 Paluzzi said. 鈥淚f we start making assumptions and that starts our clock [on legally mandated disclosure notices], we鈥檙e going to have been in violation of a lot of the laws, and so what we say and when we say it are equally important.鈥 

He said in the early stage, lawyers are trying to protect their client and avoid making any statements they would have to later retract or correct.

鈥淲hile it often looks a bit canned and formulaic, it鈥檚 often because we just don鈥檛 know and we鈥檙e doing so many things,鈥 Paluzzi said. 鈥淲e鈥檙e trying to get it contained, ensure the threat actor is not in our environment and get up and running so we can continue with school and classes, and then we shift to what data is potentially out there and compromised.鈥

A data breach is confirmed, he said, only after 鈥渁 full forensic review.鈥 Paluzzi said that process can take up to a year, and often only after it鈥檚 completed are breaches disclosed and victims notified. 

鈥淲e run through not only the forensics, but through that data mining and document review effort. By doing that last part, we are able to actually pinpoint for John Smith that it was his Social Security number, right, and Jane Doe, it's your medical information,鈥 he said. 鈥淲e try, in most cases, to get to that level of specificity, and our letters are very specific.鈥

Targets in general that without the help of a breach coach, according to a 2023 blog post by attorneys at the firm Troutman Pepper Locke, often fail to notify victims and, in some cases, provide more information than they should. When entities over-notify, they increase 鈥渢he likelihood of a data breach class action [lawsuit] in the process.鈥 Companies that under-notify 鈥渕ay reduce the likelihood of a data breach class action,鈥 but could instead find themselves in trouble with government regulators. 

For school districts and other entities that suffer data breaches, legal fees and settlements are often . 

Law firms like McDonald Hopkins that manage thousands of cyberattacks every year are particularly interested in privilege, said Schwarcz, the University of Minnesota law professor who wonders whether lawyers are necessarily best positioned to handle complex digital attacks.

In his , Schwarcz writes that the promise of confidentiality is breach coaches’ chief offering. By elevating the importance of attorney-client privilege, the report argues, lawyers are able to “retain their primacy” in the ever-growing and lucrative cyber incident-response sector.

Similarly, he said lawyers’ emphasis on reducing payouts to parents who sue overstates schools’ actual exposure and is another way to promote themselves as “providing a tremendous amount of value by limiting the risk of liability by providing you with a shield.”

Their efforts to lock down information and avoid paper trails, he wrote, ultimately undermine “the long-term cybersecurity of their clients and society more broadly.”

Threat actors uploaded campus security records from the Lumberton, Texas, school district to the dark web in 2023 after educators did not pay their ransom demand. 社区黑料 redacted the students' faces. (Screenshot)

Who gets hurt

School cyberattacks have led to the widespread release of records that heighten the risk of identity theft for students and staff and trigger data breach notification laws that typically center on preventing fraud. 

Yet files obtained by 社区黑料 show school cyberattacks carry particularly devastating consequences for the nation’s most vulnerable youth. Records about sexual abuse, domestic violence and other traumatic childhood experiences are found to be at the center of leaks.

Hackers have leveraged these files, in particular, to coerce payments. 

In Somerset, Massachusetts, a hacker using an encrypted email service extorted school officials with details of past sexual misconduct allegations during a district “show choir” event. The accusations were investigated by local police and no charges were filed.

“I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools,” the hacker alleges in records obtained by 社区黑料. “This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

The exposure of intimate records presents a situation where “vulnerable kids are being disadvantaged again by weak data security,” said digital privacy scholar Danielle Citron, a University of Virginia law professor whose 2022 book, , argues that a lack of legal protections around intimate data leaves victims open to further exploitation.

“It’s not just that you have a leak of the information,” Citron told 社区黑料. “But the leak then leads to online abuse and torment.”

Meanwhile in Minneapolis, an educator reported that someone withdrew more than $26,000 from their bank account after the district got hacked. In Glendale, California, more than 230 educators were required to verify their identity with the Internal Revenue Service after someone filed their taxes fraudulently. 

In Albuquerque, where school officials said they prevented hackers from acquiring students’ personal information, a parent reported being contacted by the hackers who placed a “strange call demanding money for ransoming their child.”

Blood in the water

Nationally, about 135 state laws are devoted to student privacy. Yet all of them are “unfunded mandates” and “there’s been no enforcement that we know of,” according to Linnette Attai, a data privacy compliance consultant and president of .

that require businesses and government entities to notify victims when their personal information has been compromised, but the rules vary widely, including definitions of what constitutes a breach, the types of records that are covered, the speed at which consumers must be informed and the degree to which the information is shared with the general public. 

It’s a regulatory environment that breach coach Anthony Hendricks, with the Oklahoma City office of law firm Crowe & Dunlevy, calls “the multiverse of madness.”

“It's like you're living in different privacy realities based on the state that you live in,” Hendricks said. He said federal cybersecurity rules could provide a “level playing field” for data breach victims who have fewer protections “because they live in a certain state.”

By 2026, proposed federal rules to the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security. But questions remain about what might happen to the rules under the new Trump administration and whether they would come with any accountability for school districts or any mechanism to share those reports with the public. 

about the extent of cyberattacks and data breaches can face Securities and Exchange Commission scrutiny, yet such accountability measures are lacking for public schools.

The Family Educational Rights and Privacy Act, the federal student privacy law, prohibits schools from disclosing student records but doesn’t require disclosure when outside forces cause those records to be exposed. Schools that have “a policy or practice” of routinely releasing students’ records in violation of FERPA can lose their federal funding, but such sanctions have never been imposed since the law was enacted in 1974.

A ransom note delivered to the Albuquerque, New Mexico, school district after a 2022 attack lays out the threat actor's demands. (Screenshot)

The patchwork of data breach notices are often the only mechanism alerting victims that their information is out there, but with the explosion of cyberattacks across all aspects of modern life, they’ve grown so common that some see them as little more than junk mail.

Schwarcz, the Minnesota law professor, is also a Minneapolis Public Schools parent. He told 社区黑料 he got the district’s September 2023 breach notice in the mail but he "didn't even read it." The vague notices, he said, are “mostly worthless.”

It may be enforcement against districts’ misleading practices that ultimately forces school systems to act with more transparency, said Attai, the data privacy consultant. She urges educators to “communicate very carefully and very deliberately and very accurately” the known facts of cyberattacks and data breaches.

“Communities smell blood in the water,” she said, “because we’ve got these mixed messages.”

Development and art direction by Eamonn Fitzmaurice.  Illustrations by  for 社区黑料.

This story was supported by a grant from the Fund for Investigative Journalism.

Online Censorship in Schools Is ‘More Pervasive’ than Expected, New Data Shows /article/schools-use-of-web-filtering-subjective-and-unchecked/ Thu, 23 Jan 2025 13:30:00 +0000 /?post_type=article&p=738793 This article was originally published in

Aleeza Siddique, 15, was in a Spanish class earlier this year in her Northern California high school when a lesson about newscasts got derailed by her school’s internet filter. Her teacher told the class to open up their school-issued Chromebooks and explore a list of links he had curated from the Spanish language broadcast news giant Telemundo. The students tried, but every single link turned up the same page: a picture of a padlock.

“None of it was available to us,” Aleeza said. “The site was completely blocked.”

She said her teacher scrambled to pivot and fill the 90-minute class with other activities. From what she recalls, they went over vocabulary lists and independently clicked through online quizzes from Quizlet — a decidedly less dynamic use of time.



by the D.C.-based Center for Democracy & Technology shows just how often some of that blocking happens nationwide. The nonprofit digital rights advocacy organization conducted its fifth annual survey of middle and high school teachers and parents as well as high school students about a range of tech issues. About 70% of both teachers and students this year said web filters get in the way of students’ ability to complete their assignments.

Virtually all schools use some type of web filter to comply with the Children’s Internet Protection Act, which requires districts taking advantage of the federal E-rate program for discounted internet and telecommunications equipment to keep kids from seeing graphic and obscene images online. A , which is now a part of CalMatters, discovered far more expansive blocking by school districts than federal law requires, some of it political, mirroring culture war battles over what students have access to in school libraries. That investigation found school districts blocking access to sex education and LGBTQ+ resources, including suicide prevention. It also found routine blocking of websites students seek out for academic research. And because school districts tend to set different restrictions for students and staff, teachers can be  because of how they complicate lesson planning.

Web filtering is ‘subjective and unchecked’

Elizabeth Laird, director of equity in civic technology for the center and lead author of the report, said The Markup’s reporting helped inspire additional survey questions to better understand how schools are using filters as a “subjective and unchecked” method of restricting students’ access to information.

“The scope of what is blocked is more pervasive and value-laden than I think we initially even knew to ask last year,” Laird said.

While past surveys have revealed how often students and teachers report disproportionate filtering of content related to reproductive health, LGBTQ+ issues and content about people of color, the center asked respondents this year if they thought content associated with or about immigrants was more likely to be blocked. About one-third of students said yes. 

Aleeza would have said yes, after her experience with Telemundo. The California teen said how often she runs into blocks depends on how much research she’s trying to do and how much of it she has to do on her school computer. When she was taking a debate class, she ran into the blocks regularly while researching controversial topics. An article in Slate magazine about LGBTQ+ rights gave her a block screen, for example, because the entire news website is blocked. She said she avoids her school Chromebook as much as possible, doing homework on her personal laptop away from school Wi-Fi whenever she can.

Nearly one-third of teachers surveyed by the Center for Democracy & Technology said their schools block content related to the LGBTQ+ community. About half said information about sexual orientation and reproductive health is blocked. And Black and Latino students were more likely to say content related to people of color is disproportionately blocked on their school devices.

For students like Aleeza, the blocking is frustrating in practice as well as principle. 

“The amount that they’re policing is actively interfering with our ability to have an education,” she said. Often, she has no idea why a website triggers the block page. Aleeza said it feels arbitrary and thinks her school should be more transparent about what it’s blocking and why.

“We should have a right to know what we’re being protected from,” she said.

Audrey Baime, Olivia Brandeis, and Samantha Yee, all members of the CalMatters Youth Journalism Initiative, contributed reporting for this story.

This was originally published on .

AI Tools and Student Privacy: 9 Tips for Teachers /article/ai-tools-and-student-privacy-9-tips-for-teachers/ Wed, 01 Jan 2025 17:30:00 +0000 /?post_type=article&p=737439 This article was originally published in

Since the release of ChatGPT to the public in November 2022, the number of AI tools has skyrocketed, and there are now many advocates for the potential changes AI can cause in education.

But districts have not been as fast in providing teachers with training. As a result, many are experimenting without any guidance, an .

To learn about how teachers and other educators can protect student data and abide by the law when using AI tools, Chalkbeat consulted documents and interviewed specialists from school districts, nonprofits, and other groups. Here are nine suggestions from experts.



Consult with your school district about AI

Navigating the details about the privacy policies in each tool can be challenging for a teacher. Some districts list tools that they have vetted or with which they have contracts.

Give preference to these tools, if possible, and check if your district has any recommendations about how to use them. When a tool has a contract with a school or a district, they are supposed to protect students’ data and follow national and state law, but always check if your district has any recommendations on how to use the tool. Checking with your school’s IT or education technology department is also a good option.

It is also essential to investigate if your school or district has guidelines or policies for the general use of AI. These documents usually review privacy risks and ethical questions.

Check for reviews about AI platforms’ safety

Organizations like and review ed-tech tools and provide feedback on their safety.

Be careful when platforms say they comply with laws like the Family Educational Rights and Privacy Act, or FERPA, and the Children’s Online Privacy Protection Rule. According to the law, the school is ultimately responsible for children’s data and must be aware of any information it shares with a third party.

Study the AI platform’s privacy policy and terms

The privacy policy and the terms of use should provide some answers about how a company uses the data it collects from you. Make sure to read them carefully, and look for some of the following information:

  • What information does the platform collect?
  • How does the platform use the collected data? Is it used to determine which ads it will show you? Does it share data with any other company or platform?
  • For how long does it keep the collected data?
  • Is the data it collects used to train the AI model?

The list of questions that Common Sense Media uses for their privacy evaluations is .

You should avoid signing up for platforms that collect a broad volume of data or that are not clear in their policies. One potential red flag: vague claims about “retaining personal information for as long as necessary” and “sharing data with third parties to provide services.”

Bigger AI platforms can be safer

Big companies like OpenAI, Google, Meta, and others are under more scrutiny: NGOs, reporters, and politicians tend to investigate their privacy policies more frequently. They also have bigger teams and resources that allow them to invest heavily in compliance with privacy regulations. For these reasons, they tend to have better safeguards than small companies or start-ups.

You still have to be careful. Most of these platforms are not explicitly intended for educational purposes, making them less likely to create specific policies regarding student or teacher data.

Use the tools as an assistant, not a replacement

Even though these tools provide better results when you input more information, try to use them for tasks that don’t require much information about your students.

AI tools can help provide suggestions on how to ask questions about a book, set up document templates, like an Individualized Educational Program plan or a behavioral assessment, or create assessment rubrics.

But even tasks that can seem mundane can increase risks. For example, providing the tool with a list of students and their grades on a specific assignment and asking it to organize it in alphabetical order could represent a violation of student privacy.

Turn on maximum privacy settings for AI platforms

Some tools allow you to adjust your privacy settings. Look online for tutorials on the best private settings for the tool that you are using and how to activate them. , for example, allows users to stop it from using your data to train AI models.

Doing this does not necessarily make AI tools completely safe or compliant with student privacy regulations.

Never input personal information to AI platforms

Even if you take all the steps above, do not input student information. Information that is restricted can include:

  • Personal information: a student’s name, Social Security number, education ID, names of parents or other relatives, address and phone number, location of birth, or any other information that can be used to identify a student.
  • Academic records: reports about absences, grades, and student behaviors in the school, student work, and teachers’ feedback on and assessments of student work.

This may be harder than it sounds.

If teachers upload student work to a platform to get help with grading, for example, they should remove all identification, including the student’s name, and replace it with an alias or random number that can’t be traced back to the student. It’s also wise to ensure the students haven’t included any personal information, like their place of birth, where they live or personal details about their families, friends, religious or political inclination, sexual orientation, and club affiliations.

One exception is for platforms approved by the school or the district and holding contracts with them.

Be transparent with others about using AI

Communicate with your school supervisors, principal, parents, and students about when and how you use AI in your work. That way, everyone can ask questions and bring up concerns you may not know about.

It is also a good way to model behavior for students. For example, if teachers ask students to disclose when they use AI to complete assignments, being transparent with them in turn about how teachers use AI might foster a better classroom environment.

If uncertain, ask AI platforms to delete information

In some states, the law says platforms must delete users’ information if they request it. And some companies will delete it even if you aren’t in one of these states.

Deleting the data may be challenging and not solve all of the problems caused by misusing AI. Some companies may take a long time to respond to deletion requests or find loopholes in order to avoid deleting it.

The tips listed above come from the , published by the American Federation of Teachers; the report by the U.S. Department of Education’s Office of Educational Technology; and the used by Common Sense Media to carry out its privacy evaluations.

Additional help came from Calli Schroeder, senior counsel and global privacy counsel at the Electronic Privacy Information Center; Brandon Wilmart, director of educational technology at Moore Public Schools in Oklahoma; and Anjali Nambiar, education research manager at Learning Collider.

This story was originally published by Chalkbeat. Chalkbeat is a nonprofit news site covering educational change in public schools. Sign up for their newsletters at . 

Opinion: 50 Years after FERPA’s Passage, Ed Privacy Law Needs an Update for the AI Era /article/50-years-after-ferpas-passage-ed-privacy-law-needs-an-update-for-the-ai-era/ Tue, 20 Aug 2024 10:30:00 +0000 /?post_type=article&p=731551 Aug. 21 marks 50 years since the Family Educational Rights and Privacy Act (FERPA) was passed into law. Back then, student privacy looked a lot different than it does today: The classrooms and textbooks of yesteryear presented much less risk than Google or artificial intelligence do, but education officials still had growing concerns over databases and record systems.

FERPA permits parents and eligible students (typically over 18) to inspect and correct their education records. It also requires consent before disclosure of personally identifiable information from those records, though there are numerous exceptions. In addition, schools must notify parents and eligible students annually of their FERPA rights.

With the advent of education technology, FERPA is really showing its age. Though it has slightly since its enactment, the last congressional update was over a decade ago, and regulations from the Department of Education are also woefully outdated. (Updates to the regulations from the Department are frequently said to be imminent, but as of this writing, none are public.)



Privacy concerns have steadily increased over the last few decades, as technology continues to develop and make increasingly intrusive incursions into every aspect of life. While FERPA does provide at least for students — unlike, say, consumers in general — the fact is, it does not mandate adequate safeguards.

Students and families in today’s digital world deserve modern protections that accurately reflect contemporary society and their learning experiences. Here are a few suggestions for bringing FERPA into its next half-century.

First, it should reflect that the information contained in student records is much broader than documents in files or scanned into computers. FERPA needs to protect students’ online information; protected “education records” should explicitly and unambiguously include online data created by students, including web browsing and search histories, interactions with tech tools and artificial intelligence chatbots, and other digital activity.

Second, the concept of directory information — things like a student’s name, address, telephone listing, email address, photograph, date and place of birth, height and weight (for athletic team members) and student ID numbers — needs an overhaul for the digital age. Under FERPA, schools can share this information with a third party or the public generally, unless a parent has opted out.

is supposed to be data that is not considered harmful or invasive if disclosed. But given rapid advances in technology, much of it could lead to commercial profiling, identity theft and other harms. The definition should be narrowed, and parents should be allowed to choose what specific information schools can share. And that sharing should be opt-in, item by item, not the current blanket opt-out.

Third, the FERPA statute did not contemplate the extent to which ed tech and other third-party companies would be integrated into students’ daily lives. The Department of Education has since — to whom information can be shared without consent — to include ed tech vendors when they have a legitimate educational interest, perform a function the school would otherwise do, are under the school’s direct control with respect to use of student records and comply with other FERPA requirements. It would be helpful for Congress to very clearly indicate when FERPA-covered information may be shared with ed tech vendors and other third parties that students encounter on a daily basis.

FERPA should specify that students’ information — including and especially when shared with “school officials” — should be used for educational purposes only and not be offered for sale or used for targeted advertising.

Lastly, it is critical that schools safeguard student information. . It should mandate administrative, physical and technical safeguards, including training for individuals handling student information and prompt responses to data breaches. Schools need funding to better understand cybersecurity issues, as well as to build out necessary infrastructure to collaborate and coordinate cybersecurity efforts. Ideally, Congress would add new cybersecurity funding for schools, because many lack the financial means to implement adequate safeguards.

FERPA was passed 50 years ago in response to rising concerns about new technology. Technology has continued to evolve, and so must FERPA.

The Key Investors Who Once Touted L.A. Schools’ Failed $6M AI Chatbot Go Silent /article/the-key-investors-who-once-touted-l-a-schools-failed-6m-ai-chatbot-go-silent/ Tue, 30 Jul 2024 10:30:00 +0000 /?post_type=article&p=730509 Earlier this summer, leaders at the ed tech company AllHere, contracted by Los Angeles schools to build a heavily hyped $6 million AI chatbot, offered assurances to one of its investors.

At the time, principals with Boston Impact Initiative were finalizing the firm’s annual impact assessment of AllHere, a 2016 startup that offered a tech-driven solution to chronic student absences. Officials with the were left with an impression that was, it turns out, far from reality.

“There were conversations with the company and it was doing really well,” CEO Betty Francisco told 社区黑料 in a brief telephone conversation earlier this month.



AllHere was actually on the verge of collapse and now, Francisco is questioning whether her firm may have been played. 

“We are trying to also understand what happened,” she said of the news that the company, the recipient of some $12 million in investor capital and much praise for being an AI education innovator, was in serious straits. Last month, a majority of its staff were furloughed, AllHere announced ; the ambitious AI chatbot that it built for the Los Angeles Unified School District was unplugged and its founder and chief executive officer, Joanna Smith-Griffin, was out of a job.

Francisco said her firm was a minor player in AllHere’s venture capital fundraising and that the larger, institutional investors were now working with the company “to figure out the plan.”

What that plan might be — and what necessitated it in the first place — remains a mystery. In the month since 社区黑料 first reported on the company’s downfall, key figures in AllHere’s rise have gone underground. 社区黑料 sought comments from more than a dozen company officials, including its founder, investors at prominent venture capital firms and members of its board of directors. None, aside from Francisco, would speak publicly about the company.

It’s a major shift for AllHere’s backers, many of whom work at impact investment firms that fund startups through a social justice lens. These figures were once outspoken about AllHere and their shared place in the race to inject AI into schools. Among those who have gone silent is Andrew Parker of the firm , whose fundraising efforts landed him a seat on AllHere’s board of directors. In a 2021 blog post, he to chronic absenteeism, one of the pandemic’s most lasting impacts, as a profound innovation in the way schools communicate with parents. The company, he boasted, was a smart bet.

“Being this primary conduit of communication is a terrific business opportunity, and it’s how AllHere will thrive in the years to come,” wrote Parker, who declined to comment for this story.

AllHere’s latest financial woes aren’t the first time that Smith-Griffin felt the pressure of a company mission gone wrong. Shortly after Boston-based AllHere emerged from a startup incubator at Harvard University, where Smith-Griffin was enrolled, its technological approach to bolster student attendance fell flat.

“The first iteration of AllHere failed spectacularly,” Smith-Griffin, a former Boston charter school teacher and family engagement director, said in a 2017 interview on . “And it was one of the best things that could have happened to us.”

Smith-Griffin appears in a video profile for Forbes after she was included in the magazine’s 30 Under 30 list for education leaders in 2021. An AllHere investor said in a blog post that his firm helped Smith-Griffin “secure a spot as the featured entrepreneur.” (Screenshot)

In response to those early startup woes, Smith-Griffin changed course. She ditched her initial idea of using data to create lists for teachers of the students most likely to become chronically absent — a service that educators told her wasn’t much help — and pivoted to an automated text messaging service that sent personally tailored “nudges” to parents in the guise of a friendly chatbot.

The $6 million chatbot that it would eventually build for L.A. schools — an animated sun named “Ed” meant to interact individually with and accelerate the learning of some 540,000 students — was in a different class entirely. AllHere, according to a former employee-turned-whistleblower, put students’ personal information at risk by taking shortcuts to meet the school district’s ambitious demands.

Meanwhile, AllHere’s investors publicly touted that it was the infusion of cash and leadership from altruistically inclined impact firms that transformed the company from one with an under-baked product to an AI innovator in the K-12 space. An examination of these firms’ outsized role suggests that AllHere’s venture-influenced embrace of artificial intelligence may have led it to fail once again — this time on a much grander scale.

‘Disturbed by the allegations’

Reached by phone, four members of the company’s board of directors — including several with extensive and well-known education policy credentials — declined to comment for this story. In fact, much of the information about AllHere’s unraveling has been filtered through an unusual channel: The school district it left in a lurch.

It was an L.A. Unified district spokesperson who first told news outlets that Smith-Griffin was no longer with AllHere and that the company was up for sale. Smith-Griffin, who records show lives in North Carolina, couldn’t be reached for comment.

Investigators with the district’s independent inspector general’s office have launched an inquiry into the former AllHere executive’s claims that the company misused L.A. students’ personal data and Superintendent Alberto Carvalho last week proposed a task force to find out what went wrong. The inquiry, Carvalho said, will dig into the district’s procurement process and claims the chatbot handled students’ personal information in ways that violated district policy and basic data privacy principles.

Superintendent Alberto Carvalho (Getty)

“I’m disturbed by the allegations,” Carvalho with the Los Angeles Times while speaking simultaneously on AllHere’s behalf.

“We’ve had — our team has had — conversations with the company about those allegations,” Carvalho said. “The company has denied those allegations.”

The task force, an LAUSD spokesperson said in a statement, will create a framework for the district to “continue leveraging technology responsibly.” AllHere, which has been paid about $3 million so far, won the five-year contract after a competitive bidding process, the spokesperson said, and was selected “because it was most aligned” with the district’s vision for the chatbot and “was an established educational technology company focused on personalized and interactive AI solutions to improve student attendance.”

‘A truly amazing board’

Ebony Brown (Rethink Education)

After the pandemic shuttered in-person learning nationally and student absences surged to unprecedented highs, Rethink Education, an ed tech-focused impact investment firm that provided early capital to AllHere, saw an opening. A by Impact Capital Managers says that Rethink provided the company with more than cash flow; it oversaw a “strategic transition,” specifically “a pivot towards an AI chatbot” that observers would later say was outside the scope of AllHere’s capabilities.

Rethink Education partner Ebony Brown offered AllHere critical connections to influential education players and helped it build “a truly amazing board” of directors, by Matt Greenfield, Rethink’s managing partner. She successfully recruited Jeff Livingston, a at McGraw-Hill Education and a Bill & Melinda Gates Foundation , and Janice Jackson, the former CEO of Chicago Public Schools.

“Ebony got introductions to several former superintendents of large districts, secured a meeting with Janice, and delivered an impassioned and ultimately successful pitch,” Greenfield wrote. The addition of Livingston and Jackson to the AllHere board was strategic, according to the case study, noting that they “have been instrumental in securing deals with major school districts and in developing a customer acquisition playbook to expand the company’s nationwide presence.”

Matt Greenfield (Rethink Education)

The extent to which board members’ helped AllHere land the LAUSD contract is unclear. Livingston and Jackson both declined to provide comment for this story. Greenfield and Brown didn’t respond to multiple requests for comment.

Brown, who also gained a seat on AllHere’s board, then sought to improve the company’s visibility, helping Smith-Griffin “secure a spot as the featured entrepreneur” on the for education leaders in 2021. A year later, Smith-Griffin served as alongside Purdue University president and former Indiana governor Mitch Daniels and Deborah Quazzo, a managing partner at the investment company GSV Ventures.

GSV is heavily involved in education technology companies. In April, Smith-Griffin and Carvalho unveiled the district’s buzzed-about chatbot in San Diego co-hosted by the venture firm and Arizona State University.

“The Forbes profile,” Greenfield’s post notes, “in turn led to inbound interest from venture capitalists, multiple term sheets [documents outlining the terms under which VCs fund startups] and a round” of investments totaling more than $8 million.

On June 12, just before AllHere announced that it had furloughed most of its staff, the company got bad news from the U.S. Patent and Trademark Office. Officials for a chatbot that addressed student absenteeism, finding that the tool didn’t present eligible technological advancements.

The office wrote: “No inventive concept exists sufficient to transform the abstract idea of ‘student monitoring’ into a patent-eligible application of that idea.”

L.A. Schools Probe Charges its Hyped, Now-Defunct AI Chatbot Misused Student Data
/article/chatbot-los-angeles-whistleblower-allhere-ai/ Wed, 10 Jul 2024 10:30:00 +0000 /?post_type=article&p=729622

Independent Los Angeles school district investigators have opened an inquiry into claims that its $6 million AI chatbot — an animated sun named “Ed” celebrated as an unprecedented learning acceleration tool until the company that built it collapsed and the district was forced to pull the plug — put students’ personal information in peril.

Investigators with the Los Angeles Unified School District’s inspector general’s office conducted a video interview with Chris Whiteley, the former senior director of software engineering at AllHere, after he told 社区黑料 his former employer’s student data security practices violated both industry standards and the district’s own policies.

Whiteley told 社区黑料 he had alerted the school district, the IG’s office and state education officials earlier to the data privacy problems with Ed but got no response. His meeting with investigators occurred July 2, one day after 社区黑料 published its story outlining Whiteley’s allegations, including that the chatbot put students’ personally identifiable information at risk of getting hacked by including it in all chatbot prompts, even in those where the data weren’t relevant; sharing it with other third-party companies unnecessarily and processing prompts on offshore servers in violation of district student privacy rules.




In an interview with 社区黑料 this week, Whiteley said the officials from the district’s inspector general’s office “were definitely interested in what I had to say,” as speculation swirls about the future of Ed, its ed tech creator AllHere and broader education investments in artificial intelligence.

“It felt like they were after the truth,” Whiteley said, adding, “I’m certain that they were surprised about how bad [students’ personal information] was being handled.”

To generate responses to even mundane prompts, Whiteley said, the chatbot processed the personal information for all students in a household. If a mother with 10 children asked the chatbot a question about her youngest son’s class schedule, for example, the tool processed data about all of her children to generate a response.

“It’s just sad and crazy,” he said.

The inspector general’s office directed 社区黑料’s request for comment to a district spokesperson, who declined to comment or respond to questions involving the inquiry.

While the conversation centered primarily on technical aspects related to the company’s data security protocols, Whiteley said investigators probed him on his personal experiences with AllHere, which he described as being abusive, and its finances.

Whiteley was laid off from AllHere in April. Two months later, a notice posted to the said a majority of its 50 or so employees had been furloughed due to its “current financial position” and the LAUSD spokesperson said company co-founder and CEO Joanna Smith-Griffin had left. The former Boston teacher and Harvard graduate was successful in raising $12 million in venture capital for AllHere and appeared with L.A. schools Superintendent Alberto Carvalho at ed tech conferences and other events throughout the spring touting the heavily publicized AI tool they partnered to create.

Just weeks ago, Carvalho spoke publicly about how the project had put L.A. out in front as school districts and ed tech companies nationally race to follow the lead of generative artificial intelligence pioneers like ChatGPT. But the school chief’s superlative language around what Ed could do on an individualized basis with 540,000 students had some industry observers and AI experts speculating it was destined to fail.

The chatbot was supposed to serve as a “friendly, concise customer support agent” that replied “using simple language a third grader could understand” to help students and parents supplement classroom instruction, find assistance with kids’ academic struggles and navigate attendance, grades, transportation and other key issues. What they were given, Whiteley charges, was a student privacy nightmare.

Smith-Griffin recently deactivated her LinkedIn page and has not surfaced since her company went into apparent free fall. Attempts to reach AllHere for comment were unsuccessful and parts of the company website have gone dark. LAUSD said earlier that AllHere is for sale and that several companies are interested in acquiring it.

The district has already paid AllHere $3 million to build the chatbot and “a fully-integrated portal” that gave students and parents access to information and resources in a single location, the district spokesperson said in a statement Tuesday, and “was surprised by the financial disruption to AllHere.”

AllHere’s collapse represents a stunning fall from grace for a company that was named among the world’s top education technology companies by Time Magazine just months earlier. Scrutiny of AllHere intensified when Whiteley became a whistleblower. He said he turned to the press because his concerns, which he shared first with AllHere executives and the school district, had been ignored.

Whiteley shared source code with 社区黑料 which showed that students’ information had been processed on offshore servers. Seven out of eight Ed chatbot requests, he said, were sent to places like Japan, Sweden, the United Kingdom, France, Switzerland, Australia and Canada.

‘How are smaller districts going to do this?’

What district leaders failed to do as they heralded their new tool, Whiteley said, is conduct sufficient audits. As L.A. — and school systems nationwide — contract with a laundry list of tech vendors, he said it’s imperative that they understand how third-party companies use students’ information.

“If the second-biggest district can’t audit their [personally identifiable information] on new or interesting products and can’t do security audits on external sources, how are smaller districts going to do this?” he asked.

Over the last several weeks, the district’s official position on Ed has appeared to shift. In late June when the district spokesperson said that several companies were “interested in acquiring AllHere,” they also said its predecessor would “continue to provide this first-of-its-kind resource to our students and families.” In its initial response to Whiteley’s allegations published July 1, the spokesperson said that education officials would “take any steps necessary to ensure that appropriate privacy and security protections are in place in the Ed platform.”

In in the Los Angeles Times, a district spokesperson said the chatbot had been unplugged on June 14. 社区黑料 asked the spokesperson to provide documentation showing the tool was disabled last month but didn’t get a response.

Even after June 14, Carvalho continued to boast publicly about LAUSD’s foray into generative AI and what he described with third-party vendors.

On Tuesday, the district spokesperson told 社区黑料 that the online portal — even without a chatty, animated sun — “will continue regardless of the outcome with AllHere.” In fact, the project could become a source of district revenue. Under the contract between AllHere and LAUSD, which was obtained by 社区黑料, the chatbot is the property of the school district, which was set to receive 2% in royalty payments from AllHere “should other school districts seek to use the tool to benefit their families and students.”

In the statement Tuesday, the district spokesperson said that officials chose to “temporarily disable the chatbot” amid AllHere’s uncertainty and that it would “only be restored when the human-in-the-loop aspect is re-established.”

Whiteley agreed that the district could maintain the student information dashboard without the chatbot and, similarly, that another firm could buy what remains of AllHere. He was skeptical, however, that Ed the chatbot would live another day because “it’s broken.”

“The name AllHere,” he said, “I think is dead.”

Whistleblower: L.A. Schools’ Chatbot Misused Student Data as Tech Co. Crumbled
/article/whistleblower-l-a-schools-chatbot-misused-student-data-as-tech-co-crumbled/ Mon, 01 Jul 2024 10:30:00 +0000 /?post_type=article&p=729298

Just weeks before the implosion of AllHere, an education technology company that had been showered with cash from venture capitalists and featured in glowing profiles by the business press, America’s second-largest school district was warned about problems with AllHere’s product.

As the eight-year-old startup rolled out Los Angeles Unified School District’s flashy new AI-driven chatbot — an animated sun named “Ed” that AllHere was hired to build for $6 million — a former company executive was sending emails to the district and others that Ed’s workings violated bedrock student data privacy principles.

Those emails were sent shortly before 社区黑料 first reported last week that AllHere, with in investor capital, was in serious straits. A June 14 statement on the company’s website revealed a majority of its employees had been furloughed due to its “current financial position.” Company founder and CEO Joanna Smith-Griffin, a spokesperson for the Los Angeles district said, was no longer on the job.

Smith-Griffin and L.A. Superintendent Alberto Carvalho went on the road together this spring to unveil Ed at a series of high-profile ed tech conferences, with the schools chief dubbing it the nation’s first “personal assistant” for students and leaning hard into LAUSD’s place in the K-12 AI vanguard. He called Ed’s ability to know students “unprecedented in American public education” at the ASU+GSV conference in April.




Through an algorithm that analyzes troves of student information from multiple sources, the chatbot was designed to offer tailored responses to questions like “what grade does my child have in math?” The tool relies on vast amounts of students’ data, including their academic performance and special education accommodations, to function.

Meanwhile, Chris Whiteley, a former senior director of software engineering at AllHere who was laid off in April, had become a whistleblower. He told district officials, its independent inspector general’s office and state education officials that the tool processed student records in ways that likely ran afoul of L.A. Unified’s own data privacy rules and put sensitive information at risk of getting hacked. None of the agencies ever responded, Whiteley told 社区黑料.

“When AllHere started doing the work for LAUSD, that’s when, to me, all of the data privacy issues started popping up,” Whiteley said in an interview last week. The problem, he said, came down to a company in over its head and one that “was almost always on fire” in terms of its operations and management. LAUSD’s chatbot was unlike anything it had ever built before and — given the company’s precarious state — could be its last.

If AllHere was in chaos and its bespoke chatbot beset by porous data practices, Carvalho was portraying the opposite. One day before 社区黑料 broke the news of the company turmoil and Smith-Griffin’s departure, spotlighted the schools chief at a Denver conference talking about how adroitly LAUSD managed its ed tech vendor relationships — “We force them to all play in the same sandbox” — while ensuring that “protecting data privacy is a top priority.”

In a statement on Friday, a district spokesperson said the school system “takes these concerns seriously and will continue to take any steps necessary to ensure that appropriate privacy and security protections are in place in the Ed platform.”

“Pursuant to contract and applicable law, AllHere is not authorized to store student data outside the United States without prior written consent from the District,” the statement continued. “Any student data belonging to the District and residing in the Ed platform will continue to be subject to the same privacy and data security protections, regardless of what happens to AllHere as a company.”


A district spokesperson, in response to earlier questioning from 社区黑料 last week, said it was informed that Smith-Griffin was no longer with the company and that several businesses “are interested in acquiring AllHere.” Meanwhile Ed, the spokesperson said, “belongs to Los Angeles Unified and is for Los Angeles Unified.”

Officials in the inspector general’s office didn’t respond to requests for comment. The state education department “does not directly oversee the use of AI programs in schools or have the authority to decide which programs a district can utilize,” a spokesperson said in a statement.

It’s a radical turn of events for AllHere and the AI tool it markets as a “learning acceleration platform,” which were all the buzz just a few months ago. In April, Time Magazine education technology companies. That same month, Inc. Magazine dubbed Smith-Griffin in artificial intelligence in its Female Founders 250 list.

Ed has been similarly blessed with celebrity treatment. 

“He’s going to talk to you in 100 different languages, he’s going to connect with you, he’s going to fall in love with you,” Carvalho said at ASU+GSV. “Hopefully you’ll love it, and in the process we are transforming a school system of 540,000 students into 540,000 ‘schools of one’ through absolute personalization and individualization.”

Smith-Griffin, who graduated from the Miami school district that Carvalho once led before going on to Harvard, couldn’t be reached for comment. Smith-Griffin’s LinkedIn page was recently deactivated and parts of the company website have gone dark. Attempts to reach AllHere were also unsuccessful.

‘The product worked, right, but it worked by cheating’

Smith-Griffin, a former Boston charter school teacher and family engagement director, founded AllHere in 2016. Since then, the company has primarily provided schools with a text messaging system that facilitates communication between parents and educators. , the tool relies on attendance data and other information to deliver customized, text-based “nudges.”

The work that AllHere provided the Los Angeles school district, Whiteley said, was on a whole different level — and the company wasn’t prepared to meet the demand and lacked expertise in data security. In L.A., AllHere operated as a consultant rather than a tech firm that was building its own product, according to its contract with LAUSD obtained by 社区黑料. Ultimately, the district retained rights to the chatbot, according to the agreement, but AllHere was contractually obligated to “comply with the district information security policies.”

The contract notes that the chatbot would be “trained to detect any confidential or sensitive information” and to discourage parents and students from sharing with it any personal details. But the chatbot’s decision to share and process students’ individual information, Whiteley said, was outside of families’ control.

In order to provide individualized prompts on details like student attendance and demographics, the tool connects to several data sources, according to the contract, including , an online tool used to track students’ special education services. The document notes that Ed also interfaces with the stored on , a cloud storage company. , the Whole Child platform serves as a central repository for LAUSD student data to help educators monitor students’ progress and personalize instruction.

Whiteley told officials the app included students’ personally identifiable information in all chatbot prompts, even in those where the data weren’t relevant. Prompts containing students’ personal information were also shared with other third-party companies unnecessarily, Whiteley alleges, and were processed on offshore servers. Seven out of eight Ed chatbot requests, he said, are sent to places like Japan, Sweden, the United Kingdom, France, Switzerland, Australia and Canada.

Taken together, he argued the company’s practices ran afoul of data minimization principles, a standard cybersecurity practice that maintains that apps should collect and process the least amount of personal information necessary to accomplish a specific task. Playing fast and loose with the data, he said, unnecessarily exposed students’ information to potential cyberattacks and data breaches and, in cases where the data were processed overseas, could subject it to foreign governments’ data access and surveillance rules.

Chatbot source code that Whiteley shared with 社区黑料 outlines how prompts are processed on foreign servers by a Microsoft AI service that integrates with ChatGPT. The LAUSD chatbot is directed to serve as a “friendly, concise customer support agent” that replies “using simple language a third grader could understand.” When querying the simple prompt “Hello,” the chatbot provided the student’s grades, progress toward graduation and other personal information.

AllHere’s critical flaw, Whiteley said, is that senior executives “didn’t understand how to protect data.”

“The issue is we’re sending data overseas, we’re sending too much data, and then the data were being logged by third parties,” he said, in violation of the district’s data use agreement. “The product worked, right, but it worked by cheating. It cheated by not doing things right the first time.”

In a 2017 policy bulletin, the district notes that all sensitive information “needs to be handled in a secure way that protects privacy,” and that contractors cannot disclose information to other parties without parental consent. A second policy bulletin, from April, outlines the district’s authorized use guidelines for artificial intelligence, which notes that officials, “Shall not share any confidential, sensitive, privileged or private information when using, prompting or communicating with any tools.” It’s important to refrain from using sensitive information in prompts, the policy notes, because AI tools “take whatever users enter into a prompt and incorporate it into their systems/knowledge base for other users.”

“Well, that’s what AllHere was doing,” Whiteley said.

L.A. Superintendent Alberto Carvalho (Getty Images)

‘Acid is dangerous’

Whiteley’s revelations present LAUSD with its third student data security debacle in the last month. In mid-June, a threat actor known as “Sp1d3r” began to sell for $150,000 a trove of data it claimed to have stolen from the Los Angeles district on Breach Forums, a dark web marketplace. LAUSD Bloomberg that the compromised data had been stored by one of its third-party vendors on the cloud storage company Snowflake, the repository for the district’s Whole Child Integrated Data. The Snowflake data breach may be one of the largest in history. The threat actor claims that the L.A. schools data in its possession include student medical records, disability information, disciplinary details and parent login credentials.

The chatbot interacted with data stored by Snowflake, according to the district’s contract with AllHere, though any connection between AllHere and the Snowflake data breach is unknown.

In its statement Friday, the district spokesperson said an ongoing investigation has “revealed no connection between AllHere or the Ed platform and the Snowflake incident.” The spokesperson said there was no “direct integration” between Whole Child and AllHere and that Whole Child data was processed internally before being directed to AllHere.

The contract between AllHere and the district, however, notes that the tool should “seamlessly integrate” with the Whole Child Integrated Data “to receive updated student data regarding attendance, student grades, student testing data, parent contact information and demographics.”

Earlier in the month, a second threat actor known as Satanic Cloud claimed it had access to tens of thousands of L.A. students’ sensitive information and had posted it for sale on Breach Forums for $1,000. In 2022, the district was victim to a massive ransomware attack that exposed reams of sensitive data, including thousands of students’ psychological evaluations, to the dark web.

With AllHere’s fate uncertain, Whiteley blasted the company’s leadership and protocols.

“Personally identifiable information should be considered acid in a company and you should only touch it if you have to because acid is dangerous,” he told 社区黑料. “The errors that were made were so egregious around PII, you should not be in education if you don’t think PII is acid.”


Room Scans & Eye Detectors: Robocops are Watching Your Kids Take Online Exams
/article/room-scans-eye-detectors-robocops-are-watching-your-kids-take-online-exams/ Thu, 18 Apr 2024 10:15:00 +0000 /?post_type=article&p=725432

Remote proctoring tools like Proctorio have faced widespread pushback at colleges. Less scrutiny and awareness exists on their use in K-12 schools.

Updated, correction appended April 18

In the middle of the night, students at Utah’s Kings Peak High School are wide awake — taking mandatory exams.

At this online-only school, which opened during the pandemic and has ever since, students take tests from their homes at times that work best with their schedules. Principal Ammon Wiemers says it’s this flexibility that attracts students — including athletes and teens with part-time jobs — from across the state.

“Students have 24/7 access but that doesn’t mean the teachers are going to be there 24/7,” Wiemers told 社区黑料 with a chuckle. “Sometimes [students] expect that but no, our teachers work a traditional 8 to 4 schedule.”

Any student who feels compelled to cheat while their teacher is sound asleep, however, should know they’re still being watched.

For students, the cost of round-the-clock convenience is their privacy. During exams, their every movement is captured on their computer’s webcam and scrutinized by Proctorio, . Proctorio software conducts “desk scans” in a bid to catch test-takers who turn to “unauthorized resources,” “face detection” technology to ensure there isn’t anybody else in the room to help and “gaze detection” to spot anybody “looking away from the screen for an extended period of time.”

Proctorio then provides visual and audio records to Kings Peak teachers with the algorithm calling particular attention to pupils whose behaviors during the test flagged them as possibly engaging in academic dishonesty. 

Such remote proctoring tools grew exponentially during the pandemic, particularly at U.S. colleges and universities where administrators seeking to ensure exam integrity during remote learning met with sharp resistance from students. Online end the surveillance regime; the tools of and that set off a red flag when the tool failed to detect Black students’ faces.  

A video uploaded to TikTok offers advice on how to cheat during exams that are monitored by Proctorio. (Screenshot)

At the same time, social media platforms like TikTok were flooded with videos purportedly highlighting service vulnerabilities that taught others

K-12 schools’ use of remote proctoring tools, however, has largely gone under the radar. Nearly a year since the federal public health emergency expired and several since the vast majority of students returned to in-person learning, an analysis by 社区黑料 has revealed that K-12 schools nationwide — and online-only programs in particular — continue to use tools from digital proctoring companies on students, including those as young as kindergarten.

Previously unreleased survey results from the nonprofit Center for Democracy and Technology found that remote proctoring in K-12 schools has become widespread. In its August 2023 36% of teachers reported that their school uses the surveillance software.

Civil rights activists, who contend AI proctoring tools fail to work as intended, harbor biases and run afoul of students’ constitutional protections, said the privacy and security concerns are particularly salient for young children and teens, who may not be fully aware of the monitoring or its implications.

“It’s the same theme we always come back to with student surveillance: It’s not an effective tool for what it’s being claimed to be effective for,” said Chad Marlow, senior policy counsel at the American Civil Liberties Union. “But it actually produces real harms for students.”


Wiemers is aware that the school, where about 280 students are enrolled full time and another 1,500 take courses part time, must make a delicate “compromise between a valid testing environment and students’ privacy.” When students are first subjected to the software he said “it’s kind of weird to see that a camera is watching,” but unlike the uproar at colleges, he said the monitoring has become “normalized” among his students and that anybody with privacy concerns is allowed to take their tests in person.

“It’s always strange in a virtual setting — it’s like you’re watching yourself take the test in the mirror,” he said. “But when students use it more, they get used to it.”

Children ‘don’t take tests’

Late last year, Proctorio founder and CEO Mike Olsen published in response to research critical of the company’s efficacy. A tech-savvy Ohio college student had conducted an analysis and concluded Proctorio’s relied on an open-source software library with a — including a failure to recognize Black faces more than half of the time.

The student tested the company’s face-detection capabilities against a dataset of nearly 11,000 images, , which depicted people of multiple races and ethnicities, with results showing a failure to distinguish Black faces 57% of the time, Middle Eastern faces 41% of the time and white faces 40% of the time. Such a high failure rate was problematic for Proctorio, which relies on its ability to flag cheaters by zeroing in on people’s facial features and movements.

Olsen’s post sought to discredit the research, arguing that while the FairFace dataset had been used to identify biases in other facial-detection algorithms, the images weren’t representative of “a live test-taker’s remote exam experience.”

“For example,” he wrote, “children and cartoons don’t take tests so including those images as part of the data set is unrealistic and unrepresentative.”

Proctorio founder and CEO Mike Olsen published a blog post that countered research claiming the remote proctoring tool had a high fail rate — especially for Black students. (Screenshot)

To Ian Linkletter, a librarian from Canada embroiled in a long-running battle with Proctorio over whether its products were harmful, Olsen’s response was baffling. Sure, cartoon characters don’t take tests. But children, he said, certainly do. What he wasn’t sure about, however, was whether those younger test-takers were being monitored by Proctorio — so he set out to find out.

He found two instances, both in Texas, where Proctorio was being used in the K-12 setting, including at a remote school tied to the University of Texas at Austin. Linkletter shared his findings with 社区黑料, which used the government procurement tool GovSpend to identify other districts that have contracts with Proctorio and its competitors. 

More than 100 K-12 school districts have relied on Proctorio and its competitors, according to the GovSpend data, with a majority of expenditures made during the height of the pandemic. And while remote learning has become a more integral part of K-12 schooling nationwide, seven districts have paid for remote proctoring services in the last year. While extensive, the GovSpend database doesn’t provide a complete snapshot of U.S. school districts or their expenditures.

“It was just obvious that Proctorio had K-12 clients and were being misleading about children under 18 using their product,” Linkletter said, adding that young people could be more susceptible to the potential harms of persistent surveillance. “It’s almost like a human rights issue when you’re imposing it on students, especially on K-12 students.” Young children, he argued, are unable to truly consent to being monitored by the software and may not fully understand its potential ramifications.

Proctorio did not respond to multiple requests for comment by 社区黑料. Founded in 2013, claims it provided remote proctoring services during the height of the pandemic to education institutions globally. 

In 2020,  over a series of tweets in which the then-University of British Columbia learning technology specialist linked to Proctorio-produced YouTube videos, which the company had made available to instructors. Using the video on the tool’s “Abnormal Eye Movement function,” Linkletter that it showed “the emotional harm you are doing to students by using this technology.”

Proctorio’s lawsuit alleged that Linkletter’s use of the company’s videos, which were unlisted and could only be viewed by those with the link, amounted to copyright infringement and distributing of confidential material. In January, Canada’s Supreme Court Linkletter’s claim that the litigation was specifically designed to silence him.

While there is little independent research on the efficacy of any remote proctoring tools in preventing cheating, one 2021 study found that who had been instructed to cheat. Researchers concluded the software is “best compared to taking a placebo: It has some positive influence, not because it works but because people believe that it works, or that it might work.”

Remote proctoring costs K-12 schools millions

A , the online K-12 school operated by the University of Texas, indicates that Proctorio is used for Credit by Exam tests, which award course credit to students who can demonstrate mastery in a particular subject. For students in kindergarten, first and second grade, the district pairs district proctoring with a “Proctorio Secure Browser,” which prohibits test takers from leaving the online exam to use other websites or programs. Beginning in third grade, according to the rubric uploaded to the school’s website, test takers are required to use Proctorio’s remote online proctoring.

A UT High School rubric explains how it uses Proctorio software. (Screenshot)

Proctorio isn’t the only remote proctoring tool in use in K-12 schools. GovSpend data indicate the school district in Las Vegas, Nevada, has spent more than $1.4 million since 2018 on contracts with Proctorio competitor Spending on Honorlock by the Clark County School District surged during the pandemic but as recently as October, it had a $286,000 company purchase. GovSpend records indicate the tool is used at , the district’s online-only program which claims more than 4,500 elementary, middle and high school students. Clark County school officials didn’t respond to questions about how Honorlock is being utilized.

Meanwhile, dozens of K-12 school districts relied on the remote proctoring service ProctorU, now known as , during the pandemic, records indicate, with several maintaining contracts after school closures subsided. Among them is the rural Watertown School District in South Dakota, which spent $18,000 on the service last fall. 

Aside from Wiemers, representatives for schools mentioned in this story didn’t respond to interview requests or declined to comment. Meazure Learning and Honorlock didn’t respond to media inquiries.

At TTU K-12, an online education program offered by Texas Tech University, the institution relies on Proctorio for “all online courses and Credit by Examinations,” flagging suspicious activity to teachers for review. In an apparent nod to Proctorio privacy concerns, TTU instructs students to select private spaces for exams and that if they are testing in a private home, they have to get the permission of anyone also residing there for the test to be recorded.

Documents indicate that K-12 institutions continue to subject remote learners to room scans even after a federal judge ruled a university’s . In 2022, a federal judge sided with a Cleveland State University student, who alleged that a room scan taken before an online exam at the Ohio institution violated his Fourth Amendment rights against unreasonable searches and seizures. The judge ruled that the scan was “unreasonable,” adding that “room scans go where people otherwise would not, at least not without a warrant or an invitation.”

Marlow of the ACLU says he finds room scans particularly troubling — especially in the K-12 context. From an equity perspective, he said such scans could have disproportionately negative effects on undocumented students, those living with undocumented family members and students living in poverty. He expressed concerns that information collected during room scans could be used as evidence for immigration enforcement

“There are two fairly important groups of vulnerable students, undocumented families and poor students, who may not feel that they can participate in these classes because they either think it’s legally dangerous or they’re embarrassed to use the software,” he said.

The TTU web page notes that students “may be randomly asked to perform a room scan,” where they’re instructed to offer their webcam a 360-degree view of the exam environment with a warning: Failure to perform proper scans could result in a violation of exam procedures.

“If you’re using a desktop computer with a built-in webcam, it might be difficult to lift and rotate the entire computer,” the web page notes while offering a solution. “You can either rotate a mirror in front of the webcam or ask your instructor for further instruction.”

‘A legitimate concern’

Wiemers, the principal in Utah, said that Proctorio serves as a deterrent against cheating — but is far from foolproof.

“There’s ways to cheat any software,” he said, adding that educators should avoid the urge to respond to Proctorio alerts with swift discipline. In the instances where Proctorio has caught students cheating, he said that instead of being given a failing grade, they’re simply asked to retake the test.

“There are limitations to the software, we have to admit that, it’s not perfect, not even close,” he said. “But if we expect it to be, and the stakes are high and we’re overly punitive, I would say [students] have a legitimate concern.”

During a TTU K-12 advisory board meeting in July 2021, administrators outlined the extent that Proctorio is used during exams. Justin Louder, who at the time served as the TTU K-12 interim superintendent, noted that teachers and a “handful of administrators within my office” had access to view the recordings. Ensuring that third parties didn’t have access to the video feeds was “a big deal for us,” he said, because they’re “dealing with minors.”

While college students “really kind of pushed back” on remote proctoring, he noted that they only received a few complaints from K-12 parents, who recognized the service offered scheduling benefits. Like Wiemers, he framed the issue as one of 24-hour convenience.

“It lets students go at their own pace,” he said. “If they’re ready at 2 o’clock in the morning, they can test at 2 o’clock in the morning.”

Correction: A copyright infringement case brought by Proctorio against longtime company critic Ian Linkletter is still being argued in court. An earlier version of this story mischaracterized the litigation as being ruled in Proctorio’s favor.

Virginia Probe Finds Systemic Privacy Violations after Fairfax Data Release
/article/virginia-probe-finds-systemic-privacy-violations-after-fairfax-data-release/ Mon, 26 Feb 2024 20:32:51 +0000 /?post_type=article&p=722962

The Fairfax County Public Schools, Virginia’s largest district, has a systemwide problem protecting students’ privacy, the state education agency said Friday, calling for additional training of staff it said were either “not aware of the precautions that should be taken” or weren’t “sensitized” to the issues.

The finding stems from a complaint brought by a Fairfax parent and special education advocate in December after she inadvertently received data on roughly 35,000 students, including special education records, confidential legal memos and mental health conditions. 社区黑料 first reported the disclosure Nov. 1. The records included full names of students involved in lawsuits against the district over alleged sexual assault complaints and those seeing counselors for issues such as suicidal thoughts and depression.

The 180,000-student district has until March 25 to appeal the state’s finding or complete a “corrective action plan” that includes some steps the district has already agreed to, such as additional staff training.


That training, however, was supposed to begin Oct. 31, according to the district’s response to an earlier complaint from the same parent. But during a with a parents group, a district official acknowledged the training had yet to start.

“That is going to be launched fairly shortly,” said Dawn Schaefer, who oversees special education complaints for the district. “I don’t have an exact launch date, but I can certainly check.”

In its decision, the state noted the district’s failure to address the repeated violations.

“A perfect policy is of no use if people ignore it,” wrote Patricia Haymes, the director of dispute resolution at the Virginia Department of Education. “Perfect procedures are meaningless if no one follows them.”

Haymes ordered the district to provide a list of all students affected by the disclosure and to verify that their parents have been notified. The district must also submit monthly progress on its implementation of recommendations of the Superintendent Michelle Reid launched following 社区黑料’s reporting. The state noted the article in its response to the district.

The state’s finding backs up what some Fairfax parents have been saying for years — that district staff members have a pattern of sharing confidential emails and student records with the wrong parents and educators. Experts praised the state for pushing for additional training, but one questioned whether the requirements go far enough, calling them “fairly lackluster.”

“I don’t know that the families harmed will feel like this is sufficient oversight of the issue,” said Amelia Vance, president of the Public Interest Privacy Center. “Trust has been breached between the community and the district, and more is necessary to fix this.”

Nonetheless, she gave Fairfax’s superintendent credit for being transparent about the district’s mistake and promptly issuing an apology. The district declined to comment on the outcome of the state complaint.

‘A bigger Band-Aid’

Virginia officials previously accepted the district’s assurances that the disclosures were isolated incidents. In mid-December, a state hearing officer said “a series of mistakes” doesn’t necessarily add up to a “systemic violation.”

The state has “always said it’s a one-off. They operate as if each incident is a silo,” said Callie Oettinger, the parent who gained access to the unredacted records in mid-October when she went to a high school to examine files on her own two children. She made the request under the federal , or FERPA, which gives parents the right to examine their children’s education records.

Pointing to larger concerns in the district, her complaint noted “overlapping” privacy violations that officials were already investigating between March and mid-November last year, including the large October records release and a November incident in which Robinson Secondary School, a seventh through 12th grade school, mailed students’ report cards to the wrong parents.

Oettinger called the remedy “a bigger Band-Aid” compared with steps the district already agreed to take, including lawyers signing off on record requests before they are released to parents.

But Todd Reid, a spokesman for the state education department, called the corrective action plan an “intensive requirement of both federal and state special education law” to ensure districts make improvements within a specific time frame.

‘Not letting it slide’

Another privacy expert blamed these types of mistakes on the “convergence” of more student data, new technologies and parents who want access to records electronically. Steve Smith, founder of the , a national network, said the district should be using systems that “reduce the likelihood of inadvertent sharing.”

But, he added, the backlash from parents can force a district to take better precautions. 

“These things becoming public and the school community losing confidence probably has more impact than a warning from the FERPA office or the state,” he said. “I applaud parents for not letting it slide.”

Leaked Active School Shooter Plans Revive Scrutiny of Ed Tech Privacy Pledge
/article/leaked-active-school-shooter-plans-revive-scrutiny-of-ed-tech-privacy-pledge-2/ Fri, 02 Feb 2024 11:01:00 +0000 /?post_type=article&p=721486

A security lapse at a leading school safety company that exposed millions of sensitive records online — including districts’ active-shooter response plans, students’ medical records and court documents about child abuse — has revived criticism that an industry student privacy pledge fails to police bad actors.

In response to an inquiry by 社区黑料, the nonprofit Future of Privacy Forum said last week it would review Raptor Technologies’ status as a Student Privacy Pledge signatory after a maintained by the company were readily available without any encryption protection despite Raptor’s claims that it scrambles its data.

“We are reviewing the details of Raptor Technologies’ leak to determine if the company has violated its Pledge commitments,” David Sallay, the Washington-based group’s director of youth and education privacy, said in a Jan. 24 statement. “A final decision about the company’s status as Pledge signatory, including, if applicable, potential referrals to the [Federal Trade Commission] and relevant State Attorneys General, is expected within 30 days.”

Should the privacy forum choose to take action, Raptor would become just the second-ever education technology company to be removed from the pledge. 

Texas-based , which counts roughly 40% of U.S. school districts as its customers, offers an extensive suite of software designed to improve campus safety, including a tool that screens visitors’ government-issued identification cards against sex offender registries, a management system that helps school leaders prepare for and respond to emergencies, and a threat assessment tool that allows educators to report if they notice “something a bit odd about a student’s behavior” that they believe could become a safety risk. This means, according to a Raptor guide, that the company collects data on kids who appear ‘unkempt or hungry,’ withdrawn from friends, to engage in self-harm, have poor concentration or struggle academically.
Rather than keeping students safe, however, cybersecurity researcher Jeremiah Fowler said the widespread data breach threatened to put them in harm’s way. And as cybersecurity experts express concerns about , they’ve criticized the Student Privacy Pledge for lackluster enforcement in lieu of regulations and minimum security standards.

Fowler, a cybersecurity researcher at and a self-described “data breach hunter,” has been tracking down online vulnerabilities for a decade. The Raptor leak is “probably the most diverse set of documents I’ve ever seen in one database,” he said, including information about campus surveillance cameras that didn’t work, teen drug use and the gathering points where students were instructed to meet in the event of a school shooting.

vpnMentor in December and Fowler said the company was responsive and worked quickly to fix the problem. The breach wasn’t the result of a hack and there’s no evidence that the information has fallen into the hands of threat actors, though Fowler in the last several months.

The situation could have grown far more dire without Fowler’s audit.

“The real danger would be having the game plan of what to do when there is a situation,” like an active shooting, Fowler said in an interview with 社区黑料. “It’s like playing in the Super Bowl and giving the other team all of your playbooks and then you’re like, ‘Hey, how did we lose?’”

David Rogers, Raptor’s chief marketing officer, said last week the company is conducting an investigation to determine the scope of the breached data to ensure “that any individuals whose personal information could have been affected are appropriately notified.”

“Our security protocols are rigorously tested, and in light of recent events, we are committed to further enhancing our systems,” Rogers said in a statement. “We take this matter incredibly seriously and will remain vigilant, including by monitoring the web for any evidence that any data that has been in our possession is being misused.”

‘Maybe this is a pattern’

Raptor is currently among more than 400 companies that , a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children. 

Raptor and the other companies have vowed against selling students’ personally identifiable information or using it for targeted advertising, among other commitments. They also agreed to “maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality and integrity” of student’s personal information against unauthorized or unintended disclosure. Cybersafeguards, the pledge notes, should be “appropriate to the sensitivity of the information.”

Raptor touts its pledge commitment on its website, where it notes the company takes “great care and responsibility to both support the effective use of student information and safeguard student privacy and information security.” The company that it ensures “the highest levels of security and privacy of customer data,” including encryption “both at rest and in-transit,” meaning that data is scrambled into an unusable format without a password while it is being stored on servers and while it’s being moved between devices or networks.

Its , however, offers a more proscribed assurance, saying the company takes “reasonable” measures to protect sensitive data, but that it cannot guarantee that such information “will be protected against unauthorized access, loss, misuse or alterations.”

Districts nationwide have spent tens of millions of dollars on Raptor’s software, according to GovSpend, a government procurement database. Recent customers include the school districts in Dallas, Texas, Broward County, Florida, and Rochester, New York. Under , education technology companies that collect student data are required to maintain a cybersecurity program that includes data encryption and controls to ensure that personally identifiable information doesn’t fall into the hands of unauthorized actors.

Countering Raptor’s claims that data were encrypted, Fowler told 社区黑料 the documents he accessed “were just straight-up PDFs, they didn’t have any password protections on them,” adding that the files could be found by simply entering their URLs into a web browser.

Officials at the Rochester school district didn’t respond to requests for comment about whether they had been notified about the breach and its effects on their students or if they were aware that Raptor may not have been in compliance with state encryption requirements.

Doug Levin, the national director of the nonprofit K12 Security Information eXchange, said the Raptor blunder is reminiscent of a 2022 data breach at the technology vendor Illuminate Education, which exposed the information of at least 3 million students nationwide, including 820,000 current and former New York City students. Levin noted that both companies claimed their data was encrypted at rest and in transit — “except maybe it wasn’t.”

A decade after the privacy pledge was introduced, he said “it falls far short of offering the regulatory and legal protections students, families and educators deserve.”

“How can educators know if a company is taking security seriously?” Levin asked. Raptor “said all of the right things on their website about what they were doing and, yet again, it looks like a company wasn’t forthright. And so, maybe this is a pattern.”

State data breach rules have long focused on personal information, like Social Security numbers, that could be used for identity theft and other financial crimes. But the consequences of data breaches like the one at Raptor, Fowler said, could be far more devastating — and could harm children for the rest of their lives. He noted the exposure of health records, which could violate federal privacy law, could be exploited for various forms of fraud. Discipline reports and other sensitive information, including about student sexual abuse victims, could be highly embarrassing or stigmatizing.

Meanwhile, he said the exposure of confidential records about physical security infrastructure in schools, and district emergency response plans, could put kids in physical danger. 

Details about campus security infrastructure have been exploited by bad actors in the past. After Minneapolis Public Schools fell victim to a ransomware attack last February that led to a large-scale data breach, an investigation by 社区黑料 uncovered reams of campus security records, including campus blueprints that revealed the locations of surveillance cameras, instructions on how to disarm a campus alarm system and maps that documented the routes that children are instructed to take during an emergency evacuation. The data can be tracked down with little more than a Google search. 

“I’ve got a 14-year-old daughter and when I’m seeing these school maps I’m like, ‘Oh my God, I can see where the safe room is, I can see where the keys are, I can see the direction they are going to travel from each classroom, where the meetup points are, where the police are going to be,” Fowler said of the Raptor breach. “That’s the part where I was like, ‘Oh my God, this literally is the blueprint for what happens in the event of a shooting.”

‘Sweep it under the rug’

The Future of Privacy Forum’s initial response to the Raptor breach mirrors the nonprofit’s actions after the 2022 data breach at Illuminate Education, which was previously listed among the privacy pledge signatories and became the first-ever company to get stripped of the designation.

The forum’s decision to remove Illuminate followed an article in 社区黑料, where student privacy advocates criticized it for years of failures to enforce its pledge commitments — and accused it of being a tech company-funded effort to thwart government regulations.

The pledge, which was created by the privacy forum in partnership with the Software and Information Industry Association, a technology trade group, was created in 2014, placing restrictions on the ways ed tech companies could use the data they collect about K-12 students. 

Along with stripping Illuminate of its pledge signatory designation, the forum referred it to the Federal Trade Commission, which the nonprofit maintains can hold companies accountable to their commitments via consumer protection rules that prohibit unfair and deceptive business practices. The company was also referred to the state attorneys general in New York and California to “consider further appropriate action.” It’s unclear if regulators took any actions against Illuminate. The FTC and the California attorney general’s office didn’t respond to requests for comment. The New York attorney general’s office is reviewing the Illuminate breach, a spokesperson said.

“Publicly available information appears to confirm that Illuminate Education did not encrypt all student information” in violation of several Pledge provisions, Forum CEO Jules Polonetsky told 社区黑料 at the time. Among them is a commitment to “maintain a comprehensive security program … that protects students’ sensitive information” and to “comply with applicable laws,” including New York’s “explicit data encryption requirement.”

After the breach and before it was removed from the pledge, the Software and Information Industry Association recognized Illuminate with the sector’s equivalent of an Oscar.

Raptor isn’t the only pledge signatory to fall victim to a recent data breach. In December, a cybersecurity researcher disclosed a security vulnerability at Education Logistics, commonly known as EduLog, which offers a GPS tracking system to give parents real-time information about the location of their children’s school buses. A statement the forum provided 社区黑料 didn’t mention whether it had opened an inquiry into whether EduLog had failed to comply with the pledge commitments.

Despite the forum’s actions against Illuminate Education, and its new inquiry into Raptor, the pledge continues to face criticism for having little utility, including from Fowler, who likened it to “virtue signaling” that can be quickly brushed aside.

“Pledges are just that, they’re like, ‘Hey, that sounds good, we’ll agree to it until it no longer fits our business model,” he said. “A pledge is just like, “whoops, our bad,” a little bit of bad press and you just sweep it under the rug and move on.”

Chad Marlow, a senior policy counsel at the American Civil Liberties Union focused on privacy and surveillance issues, offered a similar perspective. Given the persistent threat of data breaches and a growing number of cyberattacks on the K-12 sector, Marlow said that schools should take a hard look at the amount of data that they and their vendors collect about students in the first place. He said Raptor’s early intervention system, which seeks to identify children who pose a potential threat to themselves or others, is an unproven surveillance system that could become a vector for student discrimination in the name of keeping them safe.

Although he said he has “a great deal of admiration” for the privacy forum and the privacy pledge goals, it falls short on accountability when compared to regulations that mandate compliance.

“Sometimes pledges like this, which are designed to make a little bit of progress, actually do the opposite because it allows companies to point to these pledges and say, ‘Look, we are committed to doing better,’ when in fact, they’re using the pledge to avoid being told to do better,” he said. “That’s what we need, not people saying, ‘On scout’s honor I’ll do X.’”

Disclosure: The Bill & Melinda Gates Foundation and the Chan Zuckerberg Initiative provide financial support to the Future of Privacy Forum and 社区黑料.

Alleged Rape Victim Presses Va.’s Fairfax Schools for Answers on Records Leak
/article/alleged-rape-victim-presses-virginias-fairfax-schools-for-answers-on-records-disclosure/ Mon, 27 Nov 2023 16:01:00 +0000 /?post_type=article&p=718089

A former Fairfax County Public Schools student who accuses the Virginia district of ignoring allegations that she was repeatedly raped, tortured and threatened when she was in middle school is demanding to know how officials accidentally revealed her identity last month.

In a federal court motion filed Nov. 14 that cited 社区黑料’s exclusive reporting, attorney Andrew Brenner described the disclosure as “at best, careless,” particularly after the former student won a legal battle against the district for her right to remain anonymous. Brenner asked the U.S. District Court for the Eastern District of Virginia to compel Fairfax to explain how her name ended up in documents released as part of a records request that had nothing to do with her case.

A hearing on the motion is set for Dec. 15.

Known as B.R., the woman is as well as the former students she alleges sexually assaulted her in 2011, with a trial set to begin in March. The motion asks for the names of all district employees involved in producing the materials that identified her as well as the district’s steps “to collect, review, compile and transmit the documents” prior to their release.


The district’s response to the motion could provide insight into how unredacted records on tens of thousands of students were released to a parent and special education advocate. The documents included sensitive, confidential information such as grades, disability status and mental health conditions.

Following 社区黑料’s report, the district apologized and launched an investigation. A firm with expertise in cybersecurity — — is handling the probe, but some parents with children named in the disclosure said so far, no one has contacted them. Superintendent Michelle Reid said in she will share a summary of the investigation once it’s complete.

Callie Oettinger, the parent who received the records, went to her local high school in mid-October to examine what she thought were records pertaining to her own two children. Her son, who received special education services in the district, has since graduated, and her daughter is still in high school. She copied computer files onto thumb drives as a paralegal observed and helped her identify some of the records. 

While most of the documents set aside for her review included her children’s names, they also revealed information on what she estimates were at least 35,000 other students. B.R.’s full name was listed in a document labeled “attorney work product” and marked “privileged and confidential,” as well as in an email to board members about litigation to discuss in a 2020 closed meeting.

The records also identified another former student with a separate Title IX case against the district. In reached last year, the district agreed to always redact the student’s real name from any copy of the document and only use a pseudonym when referring to the case. Her attorneys did not respond to a request for comment.

One document the Fairfax County Public Schools turned over to parent Callie Oettinger identifies two students who were involved in Title IX lawsuits as Jane Doe, but then includes their names in parentheses. 社区黑料 has redacted their real names.

The day after issuing its apology, the district sent Oettinger a strongly worded email demanding that she “return all files removed, including any and all physical media used for unauthorized extraction of information from FCPS.” The letter referred to the documents as “wrongfully retained information.”

To her attorney, the language suggested Oettinger was at fault. 

“She’s done nothing illegal, and they have no legal right to compel her to do anything,” said Timothy Sandefur, vice president for legal affairs at the Goldwater Institute, a Phoenix-based libertarian think tank. Oettinger posted redacted documents from the recent trove on she runs on special education issues. “If they want assurance that she is not going to publish any kind of confidential information about kids, she absolutely will not publish confidential information about children. She has assured everybody of that already.”

Oettinger sent the thumb drives to Sandefur, who has since communicated with attorneys conducting the district’s investigation. But he declined to provide an update on the district’s progress. The attorneys conducting the investigation also didn’t respond to requests for comment.

A need for ‘robust action’

Oettinger didn’t initially alert the district to the disclosure because, she said, it has failed to make improvements after previous privacy violations. In fact, on Oct. 19 — the third and final day that Oettinger reviewed files in person — the Virginia Department of Education responded to one of her earlier complaints, finding the Fairfax district out of compliance with the federal Family Educational Rights and Privacy Act, or FERPA.

The decision only pertained to her son and was not a statement about the district’s overall privacy record.

Patricia Haymes, who directs the state agency’s Office of Dispute Resolution and Administrative Services, noted that officials have had “ongoing concerns” regarding student confidentiality in Fairfax and “believed that there was a need for the school division to take more robust action to ensure sustainable compliance.” But she also said the district assured her in September that it was taking steps “regarding the confidentiality of and access to student records.”

In that Sept. 27 letter, the district said it was training staff on their obligations under FERPA and the Freedom of Information Act, and was planning a “mandatory training” for principals and other administrators in charge of student records and special education. Training was scheduled to begin Oct. 31 and employees have two months to complete it.

On Nov. 8, Oettinger appealed the state’s decision, citing 社区黑料’s reporting on the accidental records release. Both the district and the state have “failed to ensure compliance — and now here we are,” she wrote. “You have enough for [the district] to be found at fault for systemic noncompliance.”

The district disputes that it has violated the law. In a Nov. 21 response to Oettinger’s appeal, it described the disclosure as a “single instance of what appears to be human error” and said that Oettinger’s in-person review of the documents, which FERPA allows, was “outside the typical electronic document production that FCPS employs.”

Oettinger said she has faith in Reid, who became superintendent last year, to push for tighter security. The two have exchanged emails and met in person multiple times. Oettinger said she’s “choosing to believe Reid’s trying to change the district’s culture and that she knows me enough to know I’d never do anything nefarious.”

Some special education experts in the state are baffled by the district鈥檚 mistake. 

鈥淚t’s just the norm that when you do a document production, you are careful about what you shouldn’t be disclosing 鈥 whether it’s other students鈥 names or legal advice,鈥 said Jim Wheaton, a William and Mary Law School professor who runs a legal clinic for future attorneys that plan to work on special education issues. 鈥淚t just blows my mind that they would be so reckless.鈥

But he said that there鈥檚 not much parents can do about such violations. They can file complaints, but there鈥檚 no right to sue under FERPA.

鈥淚n religious terms,鈥 he said, 鈥渋t鈥檚, ‘Go forth and sin no more.’鈥

Exposed Fairfax School Documents Include Names of Alleged Assault Victims
/article/exposed-documents-from-virginias-fairfax-schools-include-names-of-alleged-assault-victims/ Fri, 03 Nov 2023 11:01:00 +0000 /?post_type=article&p=717268

Among the tens of thousands of confidential documents accidentally released by the Fairfax County Public Schools last month were the names of two former students whose sexual assault allegations the district bitterly contested, including an appeal to the U.S. Supreme Court.

The students, 12 and 16 years old at the time of the alleged incidents, said district officials failed to respond adequately to their reports — accusations they deny. In court, the students’ lawyers fought successfully for their right to stay anonymous.




“It’s completely irresponsible,” said Shiwali Patel, an attorney with the National Women’s Law Center, which supporting one of the former Fairfax student’s requests to keep her identity private. She said a lot of victims of sexual violence don’t come forward because they “don’t want to have their name out there in the public.”

社区黑料 reported Wednesday on the district’s release of records on an estimated 35,000 students to a parent who has been an outspoken critic of Fairfax’s data privacy record. District officials declined to comment on the specifics of the disclosures, but late Wednesday issued an apology and launched an “external legal investigation” to determine how staff released the documents.

Two weeks ago, Callie Oettinger, a special education advocate, went to her local high school to review what she thought were records she had requested on her children. But she ended up with a trove of digital files that included personal information such as addresses and disability diagnoses, and that named students who had engaged in self-harm or been hospitalized. “We are deeply sorry that this happened,” the district said, predicting the probe “could take some time” due to the large number of affected students.

In addition, Superintendent Michelle Reid responded to an email from Oettinger, saying that she had “spoken with staff and requested an immediate and thorough review into this deeply concerning matter.”

The documents also named students with disabilities involved in a over the use of seclusion and restraint. Following a local news investigation, almost 1,700 instances involving over 200 students during the 2017-18 school year. Some students as young as six were isolated in a room dozens of times during the year. The case ended in 2021 with in which the district promised to phase out such practices by the end of last school year. Court documents only used students’ initials, but the documents released used their full names.

“Absolutely, student names should have been protected,” said Denise Marshall, executive director of the Council of Parent Attorneys and Advocates, a nonprofit that joined the parents who sued the district. She called the leak “an egregious breach of privacy.”

One document the Fairfax County Public Schools turned over to parent Callie Oettinger identifies two students who were involved in Title IX lawsuits as Jane Doe, but then includes their names in parentheses. 社区黑料 has redacted their real names.

One of the documents on those students, labeled “attorney work product” and “privileged and confidential,” also contained the names of two former students involved in Title IX cases against the district. It identified them as “Jane Doe,” but then listed their real names in parentheses. Their last names were also included in an email from John Foster, the district’s general counsel, to board members about cases they’d discuss in a 2020 closed meeting.

In the , a plaintiff identified as Jane Doe was a 16-year-old Oakton High School student when she alleged that she was sexually assaulted during a three-day band trip in 2017. She sued in 2018, saying that officials violated Title IX because they knew about the allegations, but waited until the trip was over to address it. She alleged that the district discouraged her from contacting police and when they told her parents, suggested their daughter would face discipline for having sex while on the trip.

Doe won her case in the U.S. Court of Appeals for the Fourth Circuit, but it ended in a settlement last year after the U.S. Supreme Court declined to hear the district’s appeal. She received almost $588,000 in , but the district made no admission of responsibility. The agreement includes a stipulation that the district will always redact Doe’s real name from any copy of the document and only use a pseudonym when referring to the case.

Lawyers for both students declined to comment on the recent disclosures.

The second case, , is set for trial in March in a federal district court. B.R., as she’s named in the suit, was a 12-year-old student at Rachel Carson Middle School in 2011 when she said an older group of students repeatedly raped, tortured and threatened her with death over a four-month period. She alleged that they were part of a gang tied to sex trafficking in Northern Virginia.

While she later reported the alleged attacks to the police, she said the detective who investigated was a former school resource officer in the district who quickly closed the case. The district argued that staff responded appropriately, but a by the U.S. Department of Education’s Office for Civil Rights concluded the district could have acted more quickly. As a result, the district updated its policies.

At 19, she sued the district and her alleged attackers, saying educators ignored her requests for help. The school district argued the case should be dismissed because she missed a deadline for requesting to use a pseudonym. The in B.R.’s favor, but the district appealed to the Fourth Circuit.

The National Women’s Law Center was one of 52 organizations that argued the case should continue, despite what it called a “procedural technicality.” In November 2021, the ruled in favor of the plaintiff.

“In many of these cases, plaintiffs are proceeding with a pseudonym. That is not uncommon,” Patel said. “For the district to push back against that is a bullying tactic. It doesn’t impact their ability to defend the lawsuit.”

Virginia’s Fairfax Schools Expose Thousands of Sensitive Student Records
/article/exclusive-virginias-fairfax-schools-expose-thousands-of-sensitive-student-records/ Wed, 01 Nov 2023 10:01:00 +0000 /?post_type=article&p=716852

Virginia’s Fairfax County Public Schools disclosed tens of thousands of sensitive, confidential student records, apparently by accident, to a parent advocate who has been an outspoken critic of its data privacy record.

The documents identify current and former special education students by name and include letter grades, disability status and mental health data. In one particularly sensitive disclosure, a counselor identified over 60 students who’ve struggled with issues like depression, including those who have engaged in self-harm or been hospitalized. 

A letter from the district to the state provides copious details about the condition and care of a medically fragile fourth grader. And a document containing “attorney work product” marked “privileged and confidential” references a pair of Title IX cases. It identifies two students as “Jane Doe” — a common practice with alleged victims of sexual assault or harassment — but then names the students in parentheses.

One document the Fairfax County Public Schools turned over to parent Callie Oettinger identifies two students who were involved in Title IX lawsuits as Jane Doe, but then includes their names in parentheses. 社区黑料 has redacted their real names.

The disclosure of private student data is likely the largest since 2020, when the hacker group MAZE , including Social Security numbers and birthdates, on over 170,000 students and employees in the nation’s 13th-largest district. But this time, it looks like human error, rather than ransomware, was to blame.

“Why worry about people from the outside?” asked Callie Oettinger, who received the recent document collection. “They’ve got the door wide open from the inside.”

Oettinger, a parent and special education advocate with a long and contentious relationship with Fairfax administrators, went to a school on three consecutive days last month to examine her children’s files — data such as test scores, attendance records and audio recordings of meetings she’s been requesting for years. In addition to boxes of paper files, the district provided her with thumb drives and computer discs that Oettinger estimates include personal data on roughly 35,000 students.

Fairfax parent and special education watchdog Callie Oettinger runs Special Education Action, a website focusing on services for students with disabilities in Fairfax and across the state. (Courtesy of Callie Oettinger)

Parents who have challenged the district over special education services said the leak opens their children to further harm. Among the records released to Oettinger was a 2019 email exchange in which officials questioned the cost of an independent educational evaluation for Julie Melear’s son, who has dyslexia. 

“Is my kid, for the rest of his life, going to have to look over his shoulder to see what Fairfax is putting out there?” asked Melear, who had three children in the district and now lives in Denver.

The latest disclosure is not an isolated incident. Oettinger, who also runs a special education , said the district has repeatedly released information on her now 19-year-old son to other parents and unauthorized staff and, on at least six occasions between 2016 and 2021, provided her with documents on children who are not her own. One was a 2020 internal on special education that included students’ names, their attorneys and costs for services.

But those instances seem small compared to the volume of records she received in October, which span the years 2019 to 2021. It also comes four years after the district’s former superintendent apologized to Oettinger for a similar disclosure and two years after a county judge ruled against Fairfax in a case related to leaked student records.

Contacted last week, Fairfax officials — who pledged to improve security after the 2020 breach — appeared unaware they had given Oettinger access to students’ personal data. The district’s communications office forwarded an inquiry from 社区黑料 to Molly Shannon, who manages the district’s public records office. In an email, Shannon asked a reporter to identify who accessed the records and where it occurred “so we can investigate and remediate the issue at the school, notify any affected families, and work with the parent to ensure other students’ information is properly secured.”

Under , the district is required to alert parents “as soon as practicable” if there’s a violation under the Family Educational Rights and Privacy Act, or FERPA.

Included in the files the Fairfax County Public Schools released to parent Callie Oettinger is a tracker from a counselor used to note student mental health issues.

The records release is the latest dilemma for Virginia’s largest school system, which has come under intense scrutiny for its handling of special education. Following a federal civil rights probe last year, to make up for services it failed to provide to students with disabilities during the pandemic. For years, federal officials the state to improve its monitoring of districts to ensure they’re complying with all special education laws. As recently as February, they told former state Superintendent Jillian Balow that remained a sticking point.

Data leaks linked to are not unique to Fairfax. In 2017, for example, the Chicago Public Schools posted , including health conditions and birthdates, to unsecured websites. Time-consuming records requests to school districts have also skyrocketed in recent years, fueled in part by controversies over COVID protocols, library books and curriculum. Many districts have struggled to keep up, but one expert said Fairfax shouldn鈥檛 be one of them.

“I have a lot more sympathy for the many, many small districts,” said Amelia Vance, founder and president of the Public Interest Privacy Center. But with an annual $3.5 billion budget, Fairfax, she said, “certainly seems to have the resources and they’ve had these requests for years. If they don’t have a system to respond in a protective manner, in an efficient manner, that’s on them.”

With nearly 180,000 students, Fairfax County Public Schools is Virginia’s largest district.

Phyllis Wolfram, executive director of the Council of Administrators of Special Education, a national organization, said she doesn’t think it’s common for districts to release students’ files to the wrong parent. But if record requests are increasing, she said, security should be tighter.

“Given the shortage of school staff all around, we must be extra vigilant and ensure high-quality training for all staff,” she said.

‘Process and protocols’

FERPA is that gives parents the right to examine their children’s educational records. Oettinger said she asked to see original documents in person — after the state overruled the district’s initial refusal — because past responses have been incomplete or contained electronic files that didn’t open.

She said she is unsure who in the district ultimately signed off on the recent release. On Oct. 16th, she received an email from Shannon saying the records were ready. From Oct. 17 to 19, she sat in a small room next to the main office of her local high school and viewed the files. A paralegal from the central office supervised as she copied records to thumb drives and scanned paper documents on her phone, Oettinger said. He offered assistance and even called in an IT expert when a media file didn’t open. She recorded everything and shared audio files of her visit with 社区黑料. Ironically, she said, some of her own children’s records are still missing.

At one point, she spotted an unredacted document with a teacher’s notes and suspected there were more. But she said she didn’t realize the full scope of the disclosure until she began reviewing the files at home.

She filed a complaint with the U.S. Department of Education’s Office for Civil Rights on Oct. 20 and contacted a handful of parents she knows with children named in the documents.

Oettinger said she didn’t report the leak to district officials because she doesn’t trust them — a skepticism that has only intensified over time. When her son had reading difficulties in elementary school, educators responded three times that an evaluation “is not warranted,” according to district records and, she said, told her that boys learn to read slower than girls.

“You get one chance with your kid, and there’s no handbook,” she said. “In special education especially, nobody knows what to do. All you know is that you’re fighting.”

It took an independent evaluation for her son to be diagnosed with dyslexia, and by seventh grade, he had an Individualized Education Program, a plan that outlines the services a district is obligated to provide students with disabilities. Like thousands of Fairfax parents, she also complained that the district failed to follow that plan during the pandemic. He graduated in 2022, but her daughter remains a Fairfax student.

As she navigated the system for her son, she became a sounding board for other families. She launched her website, Special Education Action, in 2020. She’s filed at least 100 complaints with the state education department over special education services in the district and another dozen with the federal civil rights office, of which at least two have resulted in investigations. Her persistence — sending detailed, sometimes biting, emails and pressing for answers to all her questions — has earned her a reputation for “berating” staff, according to one 2019 email from Dawn Schaefer, director of the district office that handles special education complaints.

“It’s obvious you don’t know what you’re talking about, so let me break it down for you,” Oettinger wrote in a 2020 email to a staff person regarding a diagnosis for her son.

Fairfax district staff gave Callie Oettinger several boxes of documents as well as envelopes full of CDs and flash drives. (Courtesy of Callie Oettinger)

In addition to requests for documents on her own children, she submits Freedom of Information Act requests with the district each year for more general data that she uses in her advocacy role. In one internal 2020 email she obtained, John Cafferky, an attorney who handles special education cases for the district, said she files them because she’s “waiting for someone to slip up.”

District officials have promised her they would do a better job of safeguarding student privacy. In a 2019 email exchange with former Superintendent Scott Brabrand, Oettinger reported multiple cases of school staff forwarding information about her son to the wrong people. 

“I am sorry to report that the school did make a mistake and unintentionally provided information about your son to another parent,” he responded. “We take student privacy very seriously. Following our process and protocols is paramount to ensuring we protect student information.”

Following the 2020 ransomware incident, the district and released a statement saying it was “committed to protecting the information of our students, our staff, and their families.” The state also stepped in to help the district clean up its “internal practices, and ensure it should not happen again,” state Superintendent Lisa Coons told 社区黑料.

But it did. 

In 2021, another Fairfax parent, Debra Tisler, filed a public records request seeking invoices for legal services in an attempt to learn how much Fairfax was spending on attorneys’ fees related to students with disabilities. The district released records that included personal information on about a dozen students.

Tisler shared the files with Oettinger, who posted , with names blacked out, on her website. The district to get the records back, but lost the case. 

Judge Richard Gardiner, who heard the lawsuit in a Fairfax County district court, said the records were “obtained quite lawfully.”

“The [district], for whatever reason — maybe it was ineptness, I don’t know; I have no evidence on that — made the decision to turn over the information, and they’re stuck with that,” he said, according to of the hearing.

Following the lawsuit, an from December 2022 showed the district’s in-house attorneys didn’t finish redacting students’ personal information before its records office released the documents. Fairfax instituted new procedures to ensure records go through multiple reviews, including checks by a paralegal and a staff attorney. The district also to keep up with demand.

Another document marked “confidential” that was inadvertently released to a Fairfax County, Virginia, parent includes the names of students who receive special education at one of the district’s high schools. 社区黑料 redacted their names.

‘Basic data protection’

But it appears the system broke down. Some parents whose records ended up in the recently released files said they weren’t surprised because they, too, have previously received documents pertaining to other students.

“Some of the information I found out about other people’s children I don’t want to know,” said Melear, the parent who relocated to Denver.

In the files released to Oettinger, Torey Vanek’s daughter was included on a spreadsheet of students who receive special education services or accommodations for a disability. A ninth grader at Woodson High School, her daughter has dyslexia.

“There is a joint frustration among many parents in Fairfax,” Vanek said. “Part of me is not surprised, but part of me is like this is just basic data protection.”

How Ed Tech Tools Track Kids Online — and Why Parents Should Care
/article/how-ed-tech-tools-track-kids-online-and-why-parents-should-care/ Fri, 22 Sep 2023 11:15:00 +0000 /?post_type=article&p=715160

As technology becomes more and more ingrained in education — and as students become increasingly concerned about how their personal information is being collected and used — startling new research shows how schools have given for-profit tech companies a massive data portal into young people’s everyday lives.

, led by researchers at the University of Chicago and New York University, highlights how the scramble to adopt new technologies in schools has served to create an $85 billion industry with significant data security risks for teachers, parents and students. The issue has become particularly pervasive since the pandemic forced students nationwide into remote, online learning. 

Students’ sensitive information is increasingly leaked online following high-profile ransomware attacks and user data monetization is a key business strategy for tech companies, including those that serve the education market, like Google. Yet student privacy is rarely a top consideration when teachers adopt new digital tools, researchers learned in interviews with district technology officials. In fact, schools routinely lack the resources and know-how to assess potential vulnerabilities.




Such a reality could spell trouble: In an analysis of education technologies widely used or endorsed by districts nationwide, researchers discovered privacy risks abound. The analysis relied on , a privacy inspector tool created by the nonprofit news website The Markup which scours websites to uncover data-sharing practices. Those include the use of cookies that track user behaviors to deliver personalized advertisements. Analyzed education tools, they found, make “extensive use of tracking technologies” with potential privacy implications.

Most alarming to the researchers were the 7.4% that used “session recorders,” a type of tracker that documents a user’s every move.

“Anyone visiting those sites would have their entire session captured which includes information such as which links they clicked on, what images they hovered over and even data entered into fields but not submitted,” the report notes. “This could include data that users might otherwise consider private such as the autofilling of saved user credentials or social network data.”

社区黑料 caught up with report co-author Jake Chanenson, a University of Chicago Ph.D. student, to gain insight into the report’s findings and to understand why he believes that parents and students should be concerned about how ed tech companies collect, store and use their personal data.

The conversation has been edited for length and clarity. 

Why did remote learning pique your interest in digital privacy and what are the primary implications that worry you? 

Remote learning can be done well but we all had to get to it very quickly without a plan because we all suddenly got thrown at home because of the global pandemic. Suddenly schools had to scramble and find new solutions to reach their students, to educate their students, without being able to test the field, to think critically about it. They really were, with shoestring and gum, trying to keep their classes together. 

Whether you were in school, whether you were at work, whether you were at neither and still just trying to keep in touch with your friends, you were using anything that came your way because that’s what you had to do. I found that really interesting — and a bit concerning. It’s no one’s fault because we don’t understand the ramifications of these technologies and now that we’ve used them a lot of them are here to stay.

I don’t want to sound like some sort of demonizing figure saying that all tech is bad — that is certainly not the case. It’s merely the fact that sometimes these promises are oversold, and now we have this added element of data privacy.

When you interact with any of these platforms, tons and tons of student data — from how you interact with it, how well you do on their assignments, when you do it, if you’re a chronic procrastinator, if you’re always getting your work done, if you seem more interested in your art class than your math class. These are all data points collected by these companies and I wanted to know, ‘What is it they’re collecting? What are they doing with it,’ and, specifically for this study, ‘What are schools thinking about in this space if anything at all?’

This study took a two-pronged approach. You conducted surveys with experts in this space and then used technology to identify information that folks might not be aware of. Let’s discuss the surveys first. How did the school administrators and district technology officials you interviewed view privacy issues?

Lots of them knew that something wasn’t quite up to snuff in their security and privacy practices.

The best security and privacy practices that I saw in these school districts were entirely because someone, usually in the IT department, had an independent interest in student privacy. They were going above and beyond what their job descriptions required because they cared about the students.

That’s not to imply that school officials don’t care about the kids — they care about them very much — but they’re so busy making sure the lights are on and making sure there are teachers for the classrooms, dealing with discipline issues, dealing with staffing concerns. They’re not necessarily focused on data privacy and security.

Your research takes a unique approach to show the real-world impacts of education technology on student privacy. You identify that some of these tools raise significant privacy implications. How did you go about that?

We looked at the online websites of educational sites and tried to understand, what are the privacy risks here? What we found is that 7.4% of all these websites had a session recorder, which records everything you do when you’re interacting with a web page. How long you hovered over a certain element, how often you scrolled, what you clicked on and what you didn’t click on.

That’s a scary amount of data collection for something that’s normally an education site. On top of that we found a high prevalence of cookies and other types of trackers that were being sent to third-parties, basically advertising networks, that were taking that data to track these students across the web. As a student, even while I’m doing my work, they’re creating an ad profile of me that not only encompasses who I am as a consumer in my spare time, but who I am as a student inside of school for this more comprehensive picture of who I am to sell me ads.

That could be upsetting to somebody who thinks that what I’m doing in school is only the business of me and the teacher, my parents and the principal.

Why would an education technology company use a session recorder? 

We were able to identify that these trackers, like session recorders, were running on these websites, but we don’t have any idea what they’re recording, which is a project that we’re currently working on and trying to understand.

I can’t make any well-grounded assumptions to what this is being used for, whether it be nefarious or benign. It’s not uncommon for a session recorder to be used for diagnostic information for a technology company if they want to understand how their users use a site so they can improve it. That’s a legitimate use of one of these session recorders, but without knowing what data they collect, it could be that they’re collecting data that isn’t strictly relevant to improving the service or are over-collecting data in the guise of improving the service and retaining it for future use.

There are, of course, but I won’t speculate on that because I don’t have definitive proof that’s what’s happening.

Why should people care about districts’ technology procurements? School districts are using a huge swath of digital tools, some from Google and some from tiny tech companies. If school leaders aren’t putting privacy at the forefront of deciding which tools to use, what concerning outcomes can come from that?

There are several concerning outcomes, the first being that the data these companies collect don’t necessarily sit on their servers. They sometimes are sold to third parties. Some companies state third parties ambiguously and others list out who they are selling it to and why.

Just on a normative basis, I think that what you do in the classroom shouldn’t be harvested and sold, especially when many of these companies are raking in somewhere between five- and seven-figure contracts to license this technology. It’s not like they don’t have other sources of income, but the things they can take from students can be incredibly alarming: Information about socioemotional behavior, so if I act out in school, if I am in trouble for something that’s happening at home or I’m bullying another student, that data is collected by a specific service and that data is held somewhere. And of course, when you hold data, it’s a security risk.

There was a big breach in New York City where hundreds of thousands of students had their personal information leaked because a company was holding onto all of this data. It was leaked to hackers who got that data and can do who knows what with it. That’s a huge privacy violation. Some of the things they stole in that particular breach were names, birthdays and standard things you can use to commit identity fraud, which is a problem. But it can also be more sensitive stuff, such as [special education] accommodation lists or if you qualify for free lunch. There’s stuff about disability or your economic status, stuff that is all collected by these ed tech companies and held somewhere.

Learning management systems have incredible amounts of metadata. ‘Are you someone who procrastinates and only finishes an assignment one minute before it’s due? Did you do it early? Are you someone who didn’t do the reading but showed up to class anyway? Are you someone who took 10 times to get this quiz right or did it only take you one time’

These data are recorded and are available for teachers to see, but because teachers can see it, it’s sitting on a server somewhere.

Because they’re being stored somewhere and they are not being deleted regularly and these companies are not following data minimization principles, it’s a potential privacy risk for these students should another breach happen, which we’ve seen happen again and again and again.

Breaches have affected sensitive student information. In her book Danielle Citron argues for federal rules that would protect intimate privacy as a civil right. Why are such rules needed and how would they work in an educational context? 

There are certain types of information, like nonconsensual disclosures of intimate images, so-called revenge porn. I think you can make a straight analogy for student data. Just as there should be a zone of intimate privacy around your personal intimate life, your sexuality, whatever else, we should have a similar zone around your educational life. 

Education is a space where students should be able to learn and make mistakes, and if you cannot make those mistakes without being recorded, then that can have repercussions for you later. If you’re not perfect on your first try and someone gets a hold of that, I could see that affecting your college admissions or that could affect an employment record. If I am someone who wants to hire you and I have a list of every student in a school that turns in their assignments early and all of these people were either habitually late or always procrastinating then obviously I’m going to be more interested in hiring the worker that turned stuff in early. But what that list might not tell you is that it was one data point in eighth grade and that one of those students when they were in high school finally got on top of their executive dysfunction and started turning things in on time.

It’s ultimately nobody’s business how you do in the classroom. You have final grades, but those fine-grained data are nobody else’s business but yours and the teacher’s. You have a safe space to learn and grow and make mistakes in the educational environment and to not be penalized for them outside of that classroom.

]]>
ChatGPT Is Landing Kids in the Principal’s Office, Survey Finds /article/chatgpt-is-landing-kids-in-the-principals-office-survey-finds/ Wed, 20 Sep 2023 04:01:00 +0000 /?post_type=article&p=715056

Ever since ChatGPT burst onto the scene last year, a heated debate has centered on its potential benefits and pitfalls for students. As educators worry students could use artificial intelligence tools to cheat, a new survey makes clear its impact on young people: They’re getting into trouble.

Half of teachers say they know a student at their school who was disciplined or faced negative consequences for using – or being accused of using – generative artificial intelligence like ChatGPT to complete a classroom assignment, , a nonprofit think tank focused on digital rights and expression. The proportion was even higher, at 58%, for those who teach special education.

Cheating concerns were clear, with survey results showing that teachers have grown suspicious of their students. Nearly two-thirds of teachers said that generative AI has made them “more distrustful” of students and 90% said they suspect kids are using the tools to complete assignments. Yet students themselves who completed the anonymous survey said they rarely use ChatGPT to cheat, but are turning to it for help with personal problems.




“The difference between the hype cycle of what people are talking about with generative AI and what students are actually doing, there seems to be a pretty big difference,” said Elizabeth Laird, the group’s director of equity in civic technology. “And one that, I think, can create an unnecessarily adversarial relationship between teachers and students.”

Indeed, 58% of students, and 72% of those in special education, said they’ve used generative AI during the 2022-23 academic year, just not primarily for the reasons that teachers fear most. Among youth who completed the nationally representative survey, just 23% said they used it for academic purposes and 19% said they’ve used the tools to help them write and submit a paper. Instead, 29% reported having used it to deal with anxiety or mental health issues, 22% for issues with friends and 16% for family conflicts.

Part of the disconnect dividing teachers and students, researchers found, may come down to gray areas. Just 40% of parents said they or their child were given guidance on ways they can use generative AI without running afoul of school rules. Only 24% of teachers say they’ve been trained on how to respond if they suspect a student used generative AI to cheat.


The results on ChatGPT’s educational impacts were included in the Center for Democracy and Technology’s broader annual survey analyzing the privacy and civil rights concerns of teachers, students and parents as tech, including artificial intelligence, becomes increasingly engrained in classroom instruction. Beyond generative AI, researchers observed a sharp uptick in digital privacy concerns among students and parents over last year.

Among parents, 73% said they’re concerned about the privacy and security of student data collected and stored by schools, a considerable increase from the 61% who expressed those reservations last year. A similar if less dramatic trend was apparent among students: 62% had data privacy concerns tied to their schools, compared with 57% just a year earlier.


Those rising levels of anxiety, researchers theorized, are likely the result of the growing frequency of cyberattacks on schools, which have become a primary target for ransomware gangs. High-profile breaches, including in Los Angeles and Minneapolis, have compromised a massive trove of highly sensitive student records. Exposed records, investigative reporting by 社区黑料 has found, include student psychological evaluations, reports detailing campus rape cases, student disciplinary records, closely guarded files on campus security, employees’ financial records and copies of government-issued identification cards.

Survey results found that students in special education, whose records are among the most sensitive that districts maintain, and their parents were significantly more likely than the general education population to report school data privacy and security concerns. As attacks ratchet up, 1 in 5 parents say they’ve been notified that their child’s school experienced a data breach. Such breach notices, Laird said, led to heightened apprehension.

“There’s not a lot of transparency” about school cybersecurity incidents “because there’s not an affirmative reporting requirement for schools,” Laird said. But in instances where parents are notified of breaches, “they are more concerned than other parents about student privacy.”

Parents and students have also grown increasingly wary of another set of education tools that rely on artificial intelligence: digital surveillance technology. Among them are student activity monitoring tools, such as those offered by the for-profit companies Gaggle and GoGuardian, which rely on algorithms in an effort to keep students safe. The surveillance software employs artificial intelligence to sift through students’ online activities and flag school administrators – and sometimes the police – when they discover materials related to sex, drugs, violence or self-harm.

Among parents surveyed this year, 55% said they believe the benefits of activity monitoring outweigh the potential harms, down from 63% last year. Among students, 52% said they’re comfortable with academic activity monitoring, a decline from 63% last year.

Such digital surveillance, researchers found, frequently has disparate impacts on students based on their race, disability, sexual orientation and gender identity, potentially violating longstanding federal civil rights laws. 

The tools also extend far beyond the school realm, with 40% of teachers reporting their schools monitor students’ personal devices. More than a third of teachers say they know a student who was contacted by the police because of online monitoring, the survey found, and Black parents were significantly more likely than their white counterparts to fear that information gleaned from online monitoring tools and AI-equipped campus surveillance cameras could fall into the hands of law enforcement.


Meanwhile, as states nationwide pull literature from school library shelves amid a conservative crusade against LGBTQ+ rights, the nonprofit argues that digital tools that filter and block certain online content “can amount to a digital book ban.” Nearly three-quarters of students – and disproportionately LGBTQ+ youth – said that web filtering tools have prevented them from completing school assignments.

The nonprofit highlights how disproportionalities identified in the survey could run counter to federal laws that prohibit discrimination based on race and sex, and those designed to ensure equal access to education for children with disabilities. In a letter sent Wednesday to the White House and Education Secretary Miguel Cardona, the Center for Democracy and Technology was joined by a coalition of civil rights groups urging federal officials to take a harder tack on ed tech practices that could threaten students’ civil rights.

“Existing civil rights laws already make schools legally responsible for their own conduct, and that of the companies acting at their direction in preventing discriminatory outcomes on the basis of race, sex and disability,” the coalition wrote. “The department has long been responsible for holding schools accountable to these standards.”


]]>
Opinion: Virtual Reality & Other New Technologies Pose Risks for Kids. It’s Time to Act /article/virtual-reality-other-new-technologies-pose-risks-for-kids-its-time-to-act/ Mon, 27 Mar 2023 13:30:00 +0000 /?post_type=article&p=706497

Almost immediately after ChatGPT, a captivating artificial intelligence-powered chatbot, was released late last year, school districts across the country moved to limit or access to it. As rationale, they cited a combination of potential negative impacts on student learning and concerns about plagiarism, privacy and content accuracy.

These districts’ reactions to ChatGPT have led to a debate among policymakers and parents, teachers and technologists about the of this new chatbot. This deliberation magnifies a troubling truth: Superintendents, principals and teachers are making decisions about the adoption of emerging technology without the answers to fundamental questions about the benefits and risks.




Technology has the potential to modernize education and help prepare students for an increasingly complex future. But the risks to children are just beginning to be uncovered. Creating a policy and regulatory framework focused on building a deeper understanding of the benefits and risks of emerging technologies, and protecting children where the evidence is incomplete, is not alarmist, but a responsible course of action. 

Why act now? 

First, recent history has demonstrated that emerging technology can pose real risks to children. a correlation between time spent on social media and adolescent anxiety, depression, self-harm and suicide. These impacts seem particularly significant for . While there is debate among researchers about the size of these effects, the state of adolescent mental health has deteriorated to the extent that it was declared a in 2021 by the American Academy of Pediatrics, the American Academy of Child and Adolescent Psychiatry, and the Children’s Hospital Association. Social media seems to be a contributing factor.

Second, immersive technologies, including virtual reality, augmented reality, mixed reality and brain-computer interfaces, may intensify the benefits and risks to children. Immersive technologies have the potential to . But the impact on childhood development of exposure to multisensory experiences replicating the physical world in digital spaces is just beginning to be understood – and there is cause for concern based on limited research. For example, a concluded that immersive virtual reality can interfere with the development of coordination that allows children to maintain balance. And a 2021 on the impact of virtual reality on children revealed evidence of cognition issues, difficulty navigating real and virtual worlds, and addiction. The most significant risk may be how frequent and prolonged exposure to virtual environments impacts mental health.

Third, the digital divide has considerably. Government and the private sector have driven improvements in , expanded cellular networks and made mobile and computing devices significantly more affordable. Since 2014-15, the percentage of teens who have a smartphone has . Paired with money from COVID-19 legislation that allowed schools to invest in hardware, more children will have opportunities to use emerging technologies than ever had access to older innovations – including apps and the internet – at home and in school.

Based on emerging evidence on these impacts on children, and in the face of significant unknowns, a policy and regulatory framework focused on mitigating risks – while still allowing children to access the benefits of these technologies – is warranted. At the federal level, Congress should consider:

  • Compelling all emerging technology companies, including those producing immersive reality products that are utilized by children, to provide academic researchers access to their data.
  • Compelling all immersive reality companies to assess the privacy and protection of children in the design of any product or service that they offer.
  • Compelling all immersive reality companies to provide child development training to staff working on products intended for use by children.
  • Requiring hardware manufacturers of virtual reality, augmented reality, mixed reality and brain-computer interface devices targeted to children to prominently display on their packaging warning labels about unknown physical and mental health risks.
  • Establishing guidance, via the Department of Education, for district and school leaders to prepare their communities for the adoption of immersive technologies.
  • Requiring all immersive technology companies to inform users of product placement within the platform.
  • Compelling relevant federal regulatory agencies to provide clarification on the ways existing laws, such as the Health Information Portability and Accountability Act and the Children’s Online Privacy Protection Act, Individuals with Disabilities Act and Americans with Disabilities Act, apply to immersive technologies.
  • Compelling all immersive technology companies to acquire parental consent for data sharing, particularly biometric information, including eye scans, fingerprints, handprints, face geometry and voiceprints.
  • Providing guidelines around minimum age for the use of immersive technology platforms and products.

At the state level, every governor should carefully assess the action last week to regulate children’s use of social media and consider the following actions: 

  • Creating child well-being requirements for state procurement of any immersive technology.
  • Offering research and development grants to in-state immersive technology companies to focus on safety and well-being impacts on children.
  • Establishing protocols for reviewing districts’ use of emerging technologies to determine compliance with federal and state law.

Finally, at the local level, school boards, superintendents and school leaders should consider regulations and guidance for the selection, adoption and use of immersive technologies:

  • Assessing opportunities for integration with current teaching and learning methods and curriculum.
  • Investing in and planning for professional development around these technologies.
  • Ensuring accessibility for students with disabilities and English learners when planning around use of emerging technologies.
  • Ensuring that any planned use of emerging technologies in the classroom is compliant with state and federal special education laws.
  • Evaluating the costs of immersive technology procurement and necessary infrastructure upgrades and making the results transparent to the community.
  • Creating opportunities for educator, parent and student involvement in the purchasing process for technology.

If emerging technology can have detrimental impacts on children – and evidence points to that being the case – responsibly mitigating the risks associated with these technologies is prudent. Why chance it? This is the best opportunity to allow children to reap the benefits.

]]>
Hackers Use Stolen Student Data Against Minneapolis Schools in Brazen New Threat /article/hackers-use-stolen-student-data-against-minneapolis-schools-in-brazen-new-threat/ Thu, 09 Mar 2023 14:01:00 +0000 /?post_type=article&p=705596

Minneapolis Public Schools appears to be the latest ransomware target in a $1 million extortion scheme that came to light Tuesday after a shady cyber gang posted to the internet a ream of classified documents it claims it stole from the district.

While districts nationwide have become victims in in the last several years, cybersecurity experts said the extortion tactics leveraged against the Minneapolis district are particularly aggressive and an escalation of those typically used against school systems to coerce payments.

In a dark web blog post and an online video uploaded Tuesday, the ransomware gang Medusa claimed responsibility for conducting a February cyberattack – or what Minneapolis school leaders euphemistically called an “encryption event” – that led to . The blog post gives the district until March 17 to hand over $1 million. If the district fails to pay up, criminal actors appear ready to post a trove of sensitive records about students and educators to their dark web leak site. The gang’s leak site gives the district the option to pay $50,000 to add a day to the ransom deadline and allows anyone to purchase the data for $1 million right now.

On the video-sharing platform Vimeo, the group, calling itself the Medusa Media Team, posted a 51-minute video that appeared to show a limited collection of the stolen records, making clear to district leaders the sensitive nature of the files within the gang’s possession.

“The video is more unusual and I don’t recall that having been done before,” said Brett Callow, a threat analyst with the cybersecurity company Emsisoft.

A preliminary review of the gang’s dark web leak site by 社区黑料 suggests the compromised files include a significant volume of sensitive documents, including records related to student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications.

A file purportedly stolen from Minneapolis Public Schools and uploaded to the Medusa ransomware gang’s dark web leak site references a sexual assault incident involving several students. (Screenshot)

The video is no longer available on Vimeo and a company spokesperson confirmed to 社区黑料 that it was , which prohibits users from uploading content that “infringes any third party’s” privacy rights.

As targeted organizations decline to pay ransom demands in efforts to recover stolen files, Callow said the threat actors are employing new tactics “to improve conversion rates.”

“This is likely just an experiment, and if they find this works they will do it more frequently,” Callow said. “These groups operate like regular businesses, in that they A/B test and adopt the strategies that work and ditch the ones that don’t.”

Here’s a snippet of the video’s introduction (with all sensitive records omitted):

The Minneapolis school district hasn’t acknowledged being a ransomware victim, while Callow and other cybersecurity experts have been harshly critical of how it has disclosed the attack to the public. In , the district attributed “technical difficulties” with its computer systems to the referenced “encryption event,” a characterization that experts blasted as creative public relations that left potential victims in the dark about the incident’s severity.

The district “has not paid a ransom” and an investigation into the incident “has not found any evidence that any data accessed has been used to commit fraud,” school officials said in the March 1 statement.

In a statement to 社区黑料 Tuesday, the district said it “is aware that the threat actor who has claimed responsibility for our recent encryption event has posted online some of the data they accessed.”

“This action has been reported to law enforcement, and we are working with IT specialists to review the data in order to contact impacted individuals,” the statement continued.

A file uploaded to the Medusa ransomware gang’s dark web leak site lists personal information of Minneapolis Public Schools administrators who serve as campus emergency contacts. (Screenshot)

Minnesota-based student privacy advocate Marika Pfefferkorn called on the district to be more forthcoming as it confronts the attack. 

“First and foremost, they owe an apology to the community by not being explicit right away about what was happening,” said Pfefferkorn, executive director of the Midwest Center for School Transformation. “Because they haven’t communicated about it, they haven’t shared a plan about, ‘How will you address this? How will you respond?’ Not knowing how they are going to respond makes me really nervous.”

School cybersecurity expert Doug Levin, the national director of the K12 Security Information eXchange, said that district officials appear to have coined the term “encryption event,” but available information suggests the school system was the victim of “classic double extortion,” an exploitation technique that’s become popular among ransomware gangs in the last several years.

With its video and dark web blog, Medusa may have spent “a little more time and energy” than other ransomware groups in presenting the stolen data in a compelling package, “but the tactics seem to be the same,” Levin said. “Now that we have a group coming forward with compelling evidence that they have exfiltrated data from the system and it’s actively extorting them, that’s all I would need to know to classify this as ransomware.”

In double extortion ransomware attacks, threat actors gain access to a victim’s computer network, download compromising records and lock the files with an encryption key. Criminals then demand their victim pay a ransom to regain control of their files. Then, if a ransom is not paid, criminals sell the data or publish the records to a leak site.

Such a situation recently played out in the Los Angeles Unified School district, the nation’s second-largest school system. Last year, the ransomware gang Vice Society broke into the district’s computer network and made off with some 500 gigabytes of district files. When the district refused to pay an undisclosed ransom, Vice Society uploaded the records to its dark web leak site.

District officials have sought to downplay the attack’s effects on students. But an investigation by 社区黑料 found thousands of students’ comprehensive and highly sensitive mental health records had been exposed. The district then acknowledged Feb. 22 that some 2,000 student psychological assessments – including those of 60 current students – had been leaked.

Districts that become ransomware targets could face significant liability issues. Earlier this month, the education technology company Aeries Software a negligence lawsuit after a data breach exposed records from two California school districts. District families accused the software company of failing to implement reasonable cybersecurity safeguards. 

Federal authorities have made progress in curtailing cybercriminals. In January, authorities seized control of a prolific ransomware gang’s leak site and earlier this month officials with ties to a Russian-based ransomware group that’s known to target schools.

At least 11 U.S. school districts have been the victims of ransomware attacks so far in 2023, according to Emsisoft research. Last year, 45 school districts and 44 colleges. 

The Medusa ransomware gang’s leak site suggests the Minneapolis school district has until March 17 to pay a $1 million ransom or have their sensitive files published online. The district can pay $50,000 to add a day to the ransom deadline. (Screenshot)

In Minneapolis, a lack of transparency from the district could put affected students and staff at heightened risk of exploitation, Emsisoft’s Callow said.

“There absolutely are times when districts have to be cautious about the information they release because it is the source of an ongoing investigation,” he said. “But calling something a ransomware incident as opposed to an encryption event really isn’t problematic. Nor is telling people their personal information may have been compromised.”

Pfefferkorn, the Minneapolis student privacy advocate, said she’s concerned about the amount of data the school district collects about students and worries it lacks sufficient cybersecurity safeguards to keep the information secure. She pointed to Minneapolis schools’ since-terminated contract with the digital student surveillance company Gaggle, which monitors students online and alerts district officials to references about mental health challenges, sexuality, drug use, violence and bullying.

The district said it adopted the monitoring tool in a pandemic-era effort to keep kids safe online, but the unauthorized disclosure of Gaggle records maintained by the district could make them more vulnerable, she said. 

There’s little recourse, she said, for students and educators whose sensitive records were already leaked by Medusa.

“It’s already out there and that cannot be repaired,” she said. “There’s information out there that’s going to impact them for the rest of their lives.”

]]>
Gaggle Drops LGBTQ Keywords from Student Surveillance Tool Following Bias Concerns /article/gaggle-drops-lgbtq-keywords-from-student-surveillance-tool-following-bias-concerns/ Fri, 27 Jan 2023 12:15:00 +0000 /?post_type=article&p=703034

Digital monitoring company Gaggle says it will no longer flag students who use words like “gay” and “lesbian” in school assignments and chat messages, a significant policy shift that follows accusations its software facilitated discrimination of LGBTQ teens in a quest to keep them safe.

A spokesperson for the company, which describes itself , cited a societal shift toward greater acceptance of LGBTQ youth – rather than criticism of its product – as the impetus for the change as part of a “continuous evaluation and updating process.”

The company, which uses artificial intelligence and human content moderators to sift through billions of student communications each year, has long defended its use of LGBTQ-specific keywords to identify students who might hurt themselves or others. In arguing the targeted monitoring is necessary to save lives, executives have pointed to the prevalence of bullying against LGBTQ youth and data indicating they’re than their straight and cisgender classmates.




But in practice, Gaggle’s critics argued, the keywords put LGBTQ students at a heightened risk of scrutiny by school officials and, on some occasions, the police. Nearly a third of LGBTQ students said they or someone they know experienced nonconsensual disclosure of their sexual orientation or gender identity – often called outing – as a result of digital activity monitoring, according to released in August by the nonprofit Center for Democracy and Technology. The survey encompassed the impacts of multiple monitoring companies who contract with school districts, such as GoGuardian, Gaggle, Securly and Bark.

Gaggle’s decision to remove several LGBTQ-specific keywords, including “queer” and “bisexual,” from its dictionary of words that trigger alerts was first reported in . It follows extensive reporting by 社区黑料 into the company’s business practices and sometimes negative effects on students who are caught in its surveillance dragnet.

Though Gaggle’s software is generally limited to monitoring school-issued accounts, including those by Google and Microsoft, the it can scan through photos on students’ personal cell phones if they plug them into district laptops.

The keyword shift comes at a particularly perilous moment, as Republican lawmakers in multiple states . Legislation has looked to curtail classroom instruction about sexual orientation and gender identity, ban books and classroom curricula featuring LGBTQ themes and prohibit transgender students from receiving gender-affirming health care, participating in school athletics and using restroom facilities that match their gender identities. Such a hostile political climate and pandemic-era disruptions, a recent youth survey by The Trevor Project revealed, have contributed to an uptick in LGBTQ youth who have seriously considered suicide.

The U.S. Education Department received 453 discrimination complaints involving students’ sexual orientation or gender identity last year, according to data provided to 社区黑料 by its civil rights office. That’s a significant increase from previous years, including in 2021 when federal officials received 249 such complaints. The Trump administration took and complaints dwindled. In 2018, the Education Department received just 57 complaints related to sexual orientation or gender identity discrimination.

The increase in discrimination allegations involving sexual orientation or gender identity is part of , according to data obtained by The New York Times. The total number of complaints for 2021-22 grew to 19,000, a historic high and more than double the previous year.

In September, 社区黑料 revealed that Gaggle had donated $25,000 to The Trevor Project, the nonprofit that released the recent youth survey and whose advocacy is focused on suicide prevention among LGBTQ youth. The arrangement was framed on Gaggle’s website as a collaboration to “improve mental health outcomes for LGBTQ young people.”

The revelation was met with swift backlash on social media, with multiple Trevor Project supporters threatening to halt future donations. Within hours, the group announced it had returned the donation, acknowledging concerns about Gaggle “having a role in negatively impacting LGBTQ students.”

The Trevor Project didn’t respond to requests for comment on Gaggle’s decision to pull certain LGBTQ-specific keywords from its systems.

In a statement to 社区黑料, Gaggle spokesperson Paget Hetherington said the company regularly modifies the keywords its software uses to trigger a human review of students’ digital communications. Certain LGBTQ-specific words, she said, are no longer relevant to the 24-year-old company’s efforts to protect students from abuse and were purged late last year.

“At points in time in the not-too-distant past, those words were weaponized by bullies to harass and target members of the LGBTQ+ community, so as part of an effective methodology to combat that discriminatory harassment and violence, those words were once effective tools to help identify dangerous situations,” Hetherington said. “Thankfully, over the past two decades, our society evolved and began a period of widespread acceptance, especially among the K-12 student population that Gaggle serves. With that evolution and acceptance, it has become increasingly rare to see those words used in the negative, harassing context they once were; hence, our decision to take these off our word/phrases list.”

Hetherington said Gaggle will continue to monitor students’ use of the words “faggot,” “lesbo,” and others that are “commonly used as slurs.” A previous review by 社区黑料 found that Gaggle regularly flagged students for harmless speech, like profanity in fictional articles submitted to a school’s literary magazine, and students’ private journals.

Anti-LGBTQ activists have , and privacy advocates warn that in the era of “Don’t Say Gay” laws and abortion bans, information gleaned from Gaggle and similar services could be weaponized against students.

Gaggle executives have minimized privacy concerns and claim the tool saved more than 1,400 lives last school year. That statistic hasn’t been independently verified and there’s a dearth of research to suggest digital monitoring is an effective school-safety tool. A recent survey found a majority of parents and teachers believe the benefits of student monitoring outweigh privacy concerns. The Vice News documentary included the perspective of a high school student who was flagged by Gaggle for writing a paper titled “Essay on the Reasons Why I Want to Kill Myself but Can’t/Didn’t.” Adults wouldn’t have known she was struggling without Gaggle, she said.

“I do think that it’s helpful in some ways,” the student said, “but I also kind of think that it’s — I wouldn’t say an invasion of privacy — but if obviously something gets flagged and a person who it wasn’t intended for reads through that, I think that’s kind of uncomfortable.”

Student surveillance critic Evan Greer, director of the nonprofit digital rights group said the tweaks to Gaggle’s keyword dictionary are unlikely to have a significant effect on LGBTQ teens and blasted the company’s stated justification for the move as being “out of touch” with the state of anti-LGBTQ harassment in schools. Meanwhile, Greer said that LGBTQ youth frequently refer to each other using “reclaimed slurs,” reappropriating words that are generally considered derogatory and remain in Gaggle’s dictionary.

“This is just like lipstick on a pig — no offense to pigs — but I don’t see how this actually in any meaningful way mitigates the potential for this software to nonconsensually out LGBTQ students to administrators,” Greer said. “I don’t see how it prevents the software from being used to invade the privacy of students in a wide range of other circumstances.”

Gaggle and its competitors — including , and — have faced similar scrutiny in Washington. In April, Democratic Sens. Elizabeth Warren and Ed Markey argued in a report that the tools could be misused to discipline students and warned they could be used disproportionately against students of color and LGBTQ youth.

Jeff Patterson

In , Gaggle founder and CEO Jeff Patterson said the company cannot test the potential for bias in its system because the software flags student communications anonymously and the company has “no context or background on students,” including their race or sexual orientation. They also said their monitoring services are not meant to be used as a disciplinary tool.

In the survey released last summer by the Center for Democracy and Technology, however, 78% of teachers reported that digital monitoring tools were used to discipline students. Black and Hispanic students reported being far more likely than white students to get into trouble because of online monitoring. 

In October, the White House cautioned school districts against the “continuous surveillance” of students if monitoring tools are likely to trample students’ rights. It also directed the Education Department to issue guidance to districts on the safe use of artificial intelligence. The guidance is expected to be released early this year.

Evan Greer (Twitter/@evan_greer)

As an increasing number of districts implement Gaggle for bullying prevention efforts, surveillance critic Greer said the company has failed to consider how adults can cause harm.

“There is now a very visible far-right movement attacking LGBTQ kids, and particularly trans kids and teenagers,” Greer said. “If anything, queer kids are more in the crosshairs today than they were a year ago or two years ago — and that’s why this surveillance is so dangerous.”

If you are in crisis, please call the National Suicide Prevention Lifeline at 1-800-273-TALK (8255), or contact the Crisis Text Line by texting TALK to 741741. For LGBTQ mental health support, contact The Trevor Project’s toll-free support line at 866-488-7386.

]]>