I'm so glad you can join us and if you're just joining us, please grab food. If you're already with us, please grab seconds. And the Jewish models are one of those who would eat, then eat, eat some more. While you listen to our two distinguished guests, you are here today at this Berkman Center Luncheon, Back to the Drawing Board: Student Privacy in Massachusetts Primary and Secondary Schools. We are delighted to have Jesse Rossman and Kaye Crawford of the ACLU Massachusetts here with us today to tell you all about the wonderful report that the ACLU recently released that takes a broad look at the student privacy policies, or lack thereof, like somebody would be fair to say, in a variety of diverse communities across our state and really takes a probing look at the question if students do not shed their constitutional rights at the schoolhouse door, which, according to the United States Supreme Court, they are not supposed to do. How does that still apply in the digital age and does it currently in any meaningful way? So, both of you are very seasoned ACLU veterans at this point. Jesse was previously with the ACLU of Michigan, joined the ACLU of Massachusetts in 2013 and has litigated a broad array of cases, including many on privacy at both the trial and appellate levels. And on a personal note, it's wonderful to be here with Jesse at HLS because we went to school here together longer ago than I'd like to admit. Kaye directs the Technology for Liberty program at the ACLU of Massachusetts and is also an expert on digital surveillance, privacy, and interrelated concerns. So, I'm Leah Plunkett and I'm a fellow at the Berkman Center. I'm also an associate professor of the University of New Hampshire School of Law. So, it's wonderful to see all of you and without further ado, to our two distinguished guests.

Thanks. Jesse and Kaye and I are very excited to be here to talk with you guys.
If you all have been to some of these luncheons before, you may know we're actually not going to be up here talking for very long. We figured we would jump off the conversation with a bit of an overview both of our findings, what we had in the report which Kaye is going to touch on in a second. I'm first going to give a very broad overview of the state of student privacy law here in Massachusetts today for those of you who are experts in this field. It generally goes much more detailed than what I'm going to do with my broad overview but I figured I would give us some starting points that we could have in our conversation. Kaye will then provide some of the building blocks of what we found in our report and then we really hope the vast majority of the lunch we can spend in an active dialogue with all of you because the real purpose of us putting out this report was to start the conversation and continue it with folks like yourselves who are interested and interested enough to come out in this gross weather and as a result, I feel like no one should have to be out in this rain without swag. So, we did bring these handy dandy, it's kind of like a piece of our talk right now. It's these stickers for your web cameras. You can put them on your phones, you can put them on your laptops. They're like Colorforms, for those of you who liked Colorforms when you were kids you can remove them, they're not going to goop up your camera. So please feel free to take some, take some for your friends, use them widely. They're super fun. So, we're here today to talk about technology in the classroom in a broad variety of circumstances. The main areas that we focused on in this report was looking at student information systems which you sometimes will hear described as SIS. Those are some of the cloud platforms that schools can upload all of the information that they collect about students that maybe used to be kept in a drawer in just a written down format now uploaded to the cloud.
One-to-one technology, so devices that schools are giving to students to use both in the classrooms and when they take home, be that a laptop or a Kindle or a tablet, something of that nature. Internet usage when you are on school property, excuse me, physical surveillance when you are on school property, so any of those video cameras. So the ACLU's position is kind of laid out here, which Hallie J. Pope, I should just give a shout out. She's a legal fellow that we have at the ACLU of Massachusetts now. She is an HLS grad and she is a lawyer and legal cartoonist. And this is part of her, actually one of my proudest moments as a lawyer was that I was cartoonified and in the broader version of this Kaye was as well. It was very exciting. My father just found it actually. He was like, you're cartoonified. But so as we sort of lay out these two panels, we agree and believe that technology can be a really powerful tool for education in the classrooms, but we need to make sure that that isn't at the expense of privacy, which is also a really important tool in our classrooms, to make sure that students are learning in an environment where they feel free and safe to express their views, explore different ideas, and really figure out what their identity is. And in a lot of ways, this is their first time participating in something that is a touch point for the government. This is the first time that they are participating as citizens and people who will become voting members of this country. And we think it's important to set that stage that people don't begin to get the sense that it's okay for the government to be surveilling you. It's okay for the government to have access to all of your private information. To the contrary, we think this is the perfect place, in schools, and it's really important to create an environment where students know that there are limits on what the government can and can't do and that there's a proper way to balance access to technology, creating safety in the schools, and the very important right of privacy in the schools.
So there are two different, this is excellent, how do current laws and regulations sort of cover that? There are two main areas that I want to touch on very briefly with you. And that is with respect to data sharing, so with respect to those student information systems that I mentioned, where schools, excuse me, can upload information to the cloud, and then searches of electronic devices and the use of the internet on school grounds. And one thing that I think is really important is everything that I'm about to say to you today is the floor of what the rights are. It's not the ceiling. And that's really important because this final map right there, which is really pixelated and has lots of little boundaries, that breaks down all of the different towns and municipalities in Massachusetts. And at the end of the day, schools can put into place policies that are even more protective of student privacy rights than what the Constitution provides or what federal and state laws and regulations provide. In a lot of instances, we think that would be in the school's best interest as well as the student's best interest. And so we think it's always important to emphasize the laws here are just the floor, not the ceiling, and schools can go above and beyond. And we're going to talk about some of the ways that they can do that. But so very quickly, with respect to data sharing, this is a lot of text, which is on our report, which is available, did you make that available? Okay, so it's on our website. But the two main laws that really govern this are FERPA, which is the Family Educational Rights and Privacy Act. That's a federal law and its accompanying regulations.
And also the Massachusetts Student Privacy Regulations, which, for the legal wonks out there, is available at 603 CMR 23. Unfortunately, it doesn't have a fun acronym like FERPA. So FERPA provides on its face that you can't disclose identifiable student information without consent of a parent, which on its face sounds like a very broad protection and strong protection for student information. Except in the past 10 years there have been changes to the law, both to the law and also to the accompanying regulations done by the Department of Education that have really carved out some really broad exceptions. And they've done that in two ways. First, the law now says that you can disclose this kind of identifiable information to someone who is designated as a school official, that's the official term, and there's a lot of leeway given to schools about who can be defined as a school official. The second loophole that was created by the Department of Education is that schools can designate corporations to be authorized representatives that can partake in certain roles, including information technology in the schools. And these two loopholes, which were explicitly added essentially to create third-party access and corporate access to this kind of information, have really meant that at this point in time, FERPA doesn't create a lot of protections from preventing corporate access to this kind of student information without consent. Massachusetts regulations, however, haven't been changed in the face of sort of this education ed tech boom that we've seen over the past 10 years. And they explicitly say that you cannot give information that is the student identifiable information without consent unless it is to an authorized school personnel. And there are three different categories of individuals who fall into authorized school personnel.
I'm actually going to read them explicitly, which I don't generally like to do, but it's a pretty nuanced definition that I think would be important to understanding. So the first set of individuals are those who evaluate students for special education services. The second set of individuals are those who are working directly with students in their administrative or teaching capacity. Those two are pretty clear. The third set of individuals who qualify as an authorized school personnel are administrative office staff and clerical personnel, including operators of data processing equipment or equipment that produces microfilm or microfiche. For those of you in the audience, you know how old that's making this sound, who are either employed by the school committee or are employed under a school committee service contract and whose duties require them to have access to records for purposes of processing information for the student record. So as I said, that definition wasn't, that was the most recent amendments to this law happened in 2006. It has not been weakened in the same way that FERPA has been weakened, and we think still offers strong protection to the data that is processed about students. However, because this is a slightly outdated law and really the most recent amendments happened prior to this ed tech boom, we think it would be in everyone's best interest for the legislature to update it to really clarify what these meanings are, in light of all the new actors who now may or may not have access to student information. So those are the sort of set of regulations and laws that are governing data sharing.
I should say that between 2014 and 2017, 17 states have passed student privacy data acts that offer stronger protections to the data that is being collected about students, and we think it would be appropriate for Massachusetts as a leader in education to join that movement to ensure that we have the strongest protections possible for our students' information. So that second set of information that we were, excuse me, technology that I wanted to talk to you about today was about searches. Old school searches happened in backpacks like the one that is so cutely depicted here. Now students have laptops and Kindles and tablets that are provided by the schools. What I'm going to talk about, excuse me, our report really focused on was either school provided technology or students who were using the internet at school. We didn't focus in our report on searches of cell phones, personally owned cell phones, or searches of personally owned tablets or laptops, but we're happy to talk about that if folks want to. So what this is largely governed by the state of the law is really shifting and hasn't been clarified to what is going to govern electronic searches on school grounds when you're talking about school-owned property that was then given to students to use in their own personal capacity. Often these one-to-one technology programs ask students to take it home. There was actually one school we found that allowed parents to create their own accounts on these tablets. So there's a lot of personal usage that is happening and being encouraged in a lot of instances by these schools. And as you all know, the amount of information, personal information that can be contained in a backpack pales in comparison to the amount of information that can be contained in a laptop or even a phone which was just recently recognized and continuously recognized both by the U.S. Supreme Court in the Riley case.
And our state Supreme Court here in Massachusetts, the SJC, has also recognized a very specific and detailed amount of information that can be contained in these electronic devices. So in a 1980s case called New Jersey versus TLO, they used the acronym for the student's name involved because she was a minor. The Supreme Court addressed New Jersey's argument that students had no Fourth Amendment rights once they entered a school building. And what the Supreme Court said was no way. That's not the way things work. Students don't leave their constitutional rights at the schoolhouse door. You still have a Fourth Amendment right. You still have a reasonable expectation of privacy. What we need to determine is how that is going to be balanced against the school's desire to create a safe learning environment. And I think one thing that's really important is that the Supreme Court recognized that the arguments that New Jersey was making essentially was you don't have any reasonable expectation of privacy as a student and also having any sorts of rights of privacy on school grounds is entirely incompatible with our need to keep the school grounds safe. And the Supreme Court said explicitly both of these premises are fundamentally flawed. It's just not right. We understand that you as school teachers need to keep your students safe. You can do that while also respecting a student's privacy rights. And I think that's really important in terms of understanding the way that should be applied to electronic devices as well. What the Supreme Court said in TLO eventually was that it wasn't going to place the probable cause requirement, which is the requirement that is generally used for law enforcement when they are going to do searches outside of a school environment. And by the way, still needs to be applied if you have a law enforcement official in a school building. But for school administrators what they need to do is essentially apply a reasonable suspicion standard.
So you need to have an articulable basis, an actual basis to say I have a reasonable suspicion that whatever it is that I'm about to search is going to provide evidence either of a violation of a school regulation or of a law. And that search needs to be limited in scope to what you're actually searching for. And that's really important when you start talking about electronic devices, right? Because you could have a very limited search for, like for example on a cell phone, just the contact list that someone has that wouldn't give you the right to then go through and look at all of their text messages, all of their emails, all of their web searches, etc. So this dual understanding of reasonable searches when it talks about schools in terms of have to have a reasonable suspicion and need to limit its scope are things that have consistently been applied to physical searches and we think should continue to be applied because the reasons are even more strong when you start talking about electronic devices.

Yeah, so just, you folks are probably familiar with the Riley case that came down in the Supreme Court last year which held that law enforcement is required to get a probable cause warrant to search someone's cell phone incident to arrest. So if it's truly the case as it is here in Massachusetts and in many parts of the country that students can be subjected to cell phone searches based on something less than even reasonable suspicion, they have fewer rights than people who are actually arrested do, which is pretty remarkable.

Which, by the way, Supreme Court like actually said, because this was raised, they talked about the fact that the school had said that prisoners don't have a reasonable expectation of privacy and the Supreme Court in the TLO decision said it almost goes without saying that the prisoner and the school child stand in wholly different circumstances separated by the harsh facts of criminal conviction and incarceration.

There you go. Okay.
So we knew very little frankly about the landscape of student privacy issues in Massachusetts when we set out to do this report. So because we're the ACLU, we filed a bunch of public records requests with school districts throughout the state. Like I said, diverse districts all throughout the state, many different sizes in rural communities, suburban communities, urban communities. And we asked, as Jesse said, for information about student information systems, one-to-one technologies that we like to call school-controlled technologies. I think it's more accurate. And physical surveillance at school as well as the use of Gmail accounts that sometimes students are required to use and Google apps for education and things like that. So what did we find? Well, pretty much all schools share lots of student information with private companies. Only one school that we surveyed didn't. I believe it was the Mystic Valley Charter School that actually runs its own student information system and sends no student data to outside third-party companies. But pretty much all other schools in the state and nationwide do. And there are really only a couple of companies. I think something like 50% of the market is controlled by two or three major corporations. So this is, I think you can imagine how sensitive this information is. And given that the records of millions and millions of students are being held by just a handful of companies, I think raises some concerns. We also found generally that school districts that actually wrote their own contracts with corporations instead of simply signing a boilerplate contract that the company produced generally offered superior privacy protections. We thought that was a valuable insight in part because it raises some concerns about wealthier school districts and poorer school districts and the parity in terms of the privacy protections that these contracts are providing to their students. 
Schools in communities that have funds to hire decent legal counsel who can take the time to actually study these issues and spell out a contract that will provide better protection for, say, students in Lexington than maybe students in a place like West Springfield would get. So we saw that. And on that note, I've actually been in this room and spoken with somebody who is involved with the Cambridge Public School System who is a part of a project called the Massachusetts Student Privacy Alliance, which is very cool, you should check it out. It's basically an effort to address the problem that I just described, which is to say that it's a place where school systems administrators, superintendents can share information about best practices in terms of the details of these contracts. And so school systems who, again, don't have the resources to really dedicate someone's general counsel to looking very closely at these issues can basically piggyback off of what other school systems have done, which I think is pretty useful. So the one-to-one devices issue, oh boy, so this is a great story, actually. We, Jesse and I were feverishly, it's probably embarrassing to describe how feverishly getting ready to produce this report the night before we were ready to publish it. Nuance, it was Nuance. Yeah, it was totally Nuance. It was a very late night. And at about 4:30 p.m. that night, I got a phone call at my desk and the thing on my, you know, the caller ID said GoGuardian. Has anybody ever heard of GoGuardian? So this is a company that manufactures what is basically malware that runs on computers and iPads that school systems give out to students. And GoGuardian, up until that moment, had on its website, it was bragging about its anti-theft mechanisms, which included key logging, do you know what key logging is? Logging every single keystroke on a computer. Key logging, remote activation of webcams and microphones, location tracking of devices.
So this was all prominently displayed on the GoGuardian website. The moment that I received this phone call, I checked, it was still there. And this woman on the other side of the phone told me, we have heard that you are about to publish a report that contains some inaccurate information about our company and the software we provide. And I said, wow, that's fascinating. What's inaccurate about it? By the way, this was a marketing person. This was not a lawyer on the phone with me. And she said, well, the inaccurate information is that we no longer do key logging or remote webcam activation. And I said, that's great. When did you stop doing it? And she was like, I don't know. I have no idea. I'm going to have to get back to you on that. Anyway, long story short, they claim now that they have turned off those features, which I think was probably the first victory that we had from this report. So anyway, but there are a lot of other programs very much like this, that essentially install back doors in these computers, making them very insecure by the way to hackers and anybody who potentially wants to get inside a student's computer, enabling administrators at the school to see everything that's happening on the computer, sometimes even change content on the computer, remotely install applications and software, remotely update software and things like that. So some of those things are reasonable. Obviously, we would prefer that school systems maintain these computers and run the latest software so that students aren't exposed to software exploits and hacks and things like that. But there are clearly concerns when the IT guy who's like nobody even knows his name, who maybe works in a broom closet somewhere, has access to the sensitive information of hundreds of students that are using these computers. As Jesse said, not just for school work at school but at home, often their parents sometimes are even encouraged to use them. 
We all know what kinds of sensitive information we put onto our computers. So another thing that we discovered is that it's almost ubiquitous that schools have surveillance cameras today. Not necessarily in private areas like bathrooms or locker rooms, obviously, but in hallways, in auditoriums and cafeterias. Unfortunately, most schools, frankly, did not have policies to govern what happens to this information, who has access to it, under what kinds of circumstances. So that was pretty alarming. There was another victory with this report thus far, that there was one of the school districts, Holyoke, that didn't have a written school policy, that following our public records request, they ended up instituting one.

I think that, plus the GoGuardian, were both really great indications, when people say that parents and students don't care about privacy, I just think that's a lie. I think what it means is that they may not be aware of the different potential invasions of privacy that are occurring in the school system, because as we've seen time and time again, once they become aware of some of these technologies and practices or lack thereof in place, people are deeply concerned.

Right. So probably the most disturbing thing that, in my view that we found across the board at schools in Massachusetts, is that schools maintain policies that say students have no expectation of privacy on school networks, on school devices, and even using email accounts that students are required to use as a part of their academic life on campus. This is extremely disturbing to me, because as Jesse said, school is where we teach young people what to expect from the world, right? School is where young people learn the norms of their society. What are their rights and responsibilities?
And if we are raising up a whole series of generations of young people who have never been told that they are to expect any sort of privacy in their digital information, that's going to be a real problem when those people become adults. They may well believe, well, what do I have to hide? I've never had any right to privacy. Ever since I've, you know, went to school in kindergarten, I've been told, well, nothing you do online, your email is never private. So we've been talking, you know, with superintendents, with school officials about these issues. And to be fair to superintendents, they don't set school policy. In Massachusetts, school policy is set by school committees. But the things that superintendents have told me, effectively across the board, whenever I've had these conversations with school officials, it goes like this. Well, we have to keep students safe. And then I say, well, actually, this is not about keeping students safe. You have filtering mechanisms, which are different from, you know, reserving the right to monitor everyone's email or look at every website they're visiting. Filtering is one thing. You have to do it to receive federal grants. We understand, you know, reserving the right to monitor anything at any time for no reason is something totally different. Okay. And then they say, well, look, we don't even have the staff to do this, right? Like, we don't have enough. We can barely pay people to run a music class. We don't have staffing to have folks actually looking at what students are doing online or reading their email unless we have some sort of reason to believe that they're up to no good. Aha! So make that your policy. That's all we're saying. That's what we want the policy to be, is what schools are effectively already doing, which is saying students do have a right to privacy on their internet use at school, in their emails at school, and on the devices that schools give them to take home and use as if they're their own. 
The only time that that right to privacy would be, you know, penetrated, I guess, is if the school has some sort of reason to believe a student is using the internet to violate a school policy or to break the law, which is, again, what they say they're already doing. So we very strongly believe that these policies should be changed and that schools should educate children about their digital rights and responsibilities. You know, the internet is a powerful place. It can sometimes be a dangerous place. That doesn't mean, however, that adults should be telling children you have no rights. We find that to be a very dangerous proposition. So the last thing that we looked at was the use very widespread again of corporate apps for education. So Google is, I don't know how many of you are aware of this trend, but Google is fast taking over state and local governments. Google, no, it's really true. I mean, Google maintains the email systems and database systems often for many, many, many city and state governments across the country. The Boston Police Department last year started using Gmail servers to run its email. You know, you can decide for yourself whether or not you think that's a good idea. But also school systems increasingly are using Gmail accounts and what this whole suite of programs that falls under the rubric of something called Google Apps for Education. Students are not, these are not optional accounts. You know, students are required to use a Gmail account in many of these schools if they want to go to school to get, you know, grades for full participation. And, you know, we don't have time here, I don't think, to get into the reasons for why that may be problematic, but I'm sure you can imagine that it wasn't always the case that in order for young people to participate fully in a public school environment where, again, they're required to go or their parents will go to jail, quite literally, that they would be forced to use a very invasive product produced by a, you know, gargantuan multinational corporation that has more information about all of us than God.
So now that's starting at a very young age and there have been some lawsuits. Google, years ago, was found to have been using information it was collecting about children in schools to create dossiers to market to them. There was a lawsuit to stop that practice. Google has, in recent years, been accused of continuing the practice even after it said it would stop. So, you know, it's up to you, I guess, to decide whether or not you think Google should be in schools. We think that there are a whole host of issues that this kind of, you know, corporate invasion of public school systems raises for children, really. So what do we think should be done? Well, I don't know if you can read this, sorry. For students, we basically want students to know what's going on for them, right? And to have to be armed, especially high school students, you know, kids who are a little bit older, to be armed with the kind of information they need to figure out what's going on in their school system. And so this is just taken from the executive summary recommendations from our report. We also want students to know that they shouldn't use school communications for certain kinds of things, right?
I mean, if it's true that they're being monitored at school or that the school reserves the right to monitor them, then they should take appropriate, you know, measures to ensure that their information is not going to be exploited or that they won't get in trouble for, frankly, something that, you know, they, that they're doing that isn't necessarily malicious but could be read as such. So, you know, this section sort of dovetails with a Department of Justice Obama administration program called Countering Violent Extremism. I don't know how many of you have heard about this, but it's a concern, it's a real concern for the ACLU that this is a program that is kind of built off, or based off of the UK program called Prevent, which has generated a lot of controversy across the pond, in part because it has whipped up so much fear and hostility against Muslims, or ridden this wave of Islamophobia, really, and is encouraging, you know, public health providers, teachers to basically racially profile students and view Muslim students or Arab students as inherently suspect and maybe report those students for behaviors that are totally benign. So, one example of this is just last week, a woman in the BBC, or rather a woman in the UK gave an interview to the BBC talking about how her four-year-old son, his pre-K teachers, his nursery school teachers, wanted to report him to the anti-terrorism police in the UK through this Prevent program because he drew a picture of his father cutting a cucumber and there was a knife involved and the teachers became very concerned that this kid was a terrorist or something, that his father was a terrorist.
So, this is the kind of thing that, you know, is starting to seep over into the United States through CVE, you know, they're encouraging, the FBI in fact just last week or two weeks ago put out some guidelines that it's encouraging teachers to use in public school settings about looking out for signs of, you know, anti-American hostility and things like this. You know, that would have been me as a teenager, frankly. I railed against, you know, U.S. foreign wars. I was like always talking about slavery and the American genocide and how the U.S. is built on lies and all, you know. So, I'm clearly not a terrorist. People in the United States have the right to dissent. We have the right to frankly believe that our government sucks and we think it's troubling that the government is encouraging school teachers to view those students as potential terrorists and we think that, you know, students should know that this kind of stuff is happening and be aware in terms of, you know, the way that they are using devices that the school is saying can be monitored for no reason at all.

I can add as well. So, as Kaye has just pointed out, there is an overlay here with respect to some of the racial justice work that we do as well as sort of freedom of speech work that the ACLU does.
I think another layer that we saw time and again when it comes up with technology is an equity piece as well, because for many students, particularly in some of the rural districts that we were looking at, although not exclusively, the laptop, for example, that's being provided may be the only computer that is being used in that household, or the internet access that's being provided at school may be the only internet access that that student has. And what you start to see is an instance where you can buy privacy if you have access to buy your own computer, but if what we are telling students is the only thing, until these policies are changed, that you just shouldn't use your school-owned device for personal business or to send personal messages, and that's the only access that they have, it creates a real issue of socioeconomic equity that comes up time and again in these issues as well.
Yeah, definitely. So, for parents, we're basically recommending similar things. We essentially want to arm parents with the information that they need to ask the right questions of administrators. So, there's a lot more detail about this in the report. For administrators, we're offering some advice essentially about community transparency, having a public conversation about these issues with parents and students so that none of this stuff comes as a surprise, basically. Again, respecting privacy with search policies and then being smart when administrators are choosing technologies. I've had conversations with teachers who say that they use this thing called ClassDojo, which is basically a student management system for teachers on a much more localized level in the classroom, and those teachers have never read the privacy policy.
I mean, they have no idea what's going on with the information that they're sending to this company, and oftentimes administrators, in their desire, their eagerness to adopt technologies in the classroom, are not really doing the appropriate level of homework that they should be doing to ensure that these companies are legit, that these policies are appropriate, that student information is not going to be sent to some database like VTech, which is going to get hacked by China or whatever, or frankly just abused by corporations that want to sell that information for money, for financial reasons. So, finally, we really think that the law needs to be changed here in Massachusetts. Again, dozens of states throughout the country have passed 21st century student privacy law, and Massachusetts lags behind, unfortunately. And just very quickly I'll go over, we put out some model legislation, model state legislation, with this report. Essentially, it just sets statewide standards, which would address the issue that Jesse talked about related to disparities between wealthy communities and poorer communities. Basically, I would say you can't sell student data, you can't compile profiles of students, you can't advertise to students based off of information that you've collected through student information systems or something like ClassDojo, that there would have to be pretty rigid security requirements for the data, as well as data breach notifications, any requirements rather. It also provides students with privacy protections on school networks and one-to-one devices and basically follows the framework that Jesse described, so it would be a reasonable suspicion standard for school policy violations and a probable cause standard for illegal conduct, and then the same standards would apply to student-owned devices under this law.
Finally, the law provides for civil damages, so if you're interested in this, come talk to us afterward. We're hoping that we'll be able to get somebody in Massachusetts to introduce this in the next legislative session starting in 2017. So that's pretty much it. Here's the cartoon. And you can see the whole cartoon if you go to this link and read the executive summary and the whole report. So we're happy to take questions. Thank you.
I think there's a mic. Only because it's being recorded.
Hi. Thanks. That was a great talk. So on the topic of encouraging or forcing students to use these laptops that they don't own, generally it's hard to, like, if someone gives you a computer and you don't know anything about it other than you're required to use it, using it safely can be really challenging. Like, you can try to cover up the webcam and, I don't know, not typing passwords and things, but it gets really hard to anticipate every possible way that the computer could be hijacked. And also, I forget my other thing. Anyway, so I was wondering what were your thoughts on how you could manage those kind of issues if a student is going to be forced to use it, especially if they don't have an option of buying their own.
I mean, I think that that's why we have to change the law, really. You know, that this issue should not be individually, you know, it shouldn't be up to individual students or individual families or even individual school systems to implement, you know, software that's secure or policies that ensure that the students' information isn't going to be abused by either the corporation that is running the malware or, you know, the administrators at the school who have access to the back end of those computer systems. We just need, we need a better law, frankly.
And I think in the meantime some of the things that students can be doing is sort of, as you already mentioned, covering webcams, not using sort of Gmail or any personal email. The other thing that we have seen is when students speak out within their own school systems, that can push school committee and teachers and administrators to actually change law at the local level until we get something at the statewide level. I think in a lot of instances, as Kate had mentioned, administrators aren't doing this because they don't care about student privacy, they just haven't actually taken the time to think that through, and when there is an incentive to do so because of pressure within the school system, you can actually have some of this change at the local level.
Thanks.
I don't want you to think I'm taking this side, but building on that last question, because I agree with much of your analysis, if not all of it, in recommendations, but if we're talking about students understanding the world we live in and preparing, whether we're employed by a private or public sector organization, not for profit, or a student at Harvard, our expectations of privacy are limited. You know, that's how a couple of years ago we tracked down the IP address of someone who did a bomb scare, I believe, I don't know the details, here at Harvard. So, you know, it's actually funnier than that, but yeah. So, you know, we could get into it, but there are many, many examples, and most of us come to learn that whether we're at a university or employed by government or the private sector, we shouldn't have too many expectations. Now, I know we could get into the weeds about specific things, but I just wonder, and I totally agree with the equity issue where some students can afford to have their own devices, and that's also true of working class people, they may have the only computer in their home is from their employer, they work for Verizon or the Commonwealth of Massachusetts. So I just wonder, you know, given that context, what are your
thoughts and expectations?
Yeah, I mean, in my view we shouldn't, the lowest common denominator should not carry the day, right? And so that's one issue, and the other is that, again, I'm like, you know, having a job at Verizon or, you know, choosing to work for a corporation that monitors your email, students don't have a choice. They have to go to public school, so there's no option for them. There's no other option. They can't just get another job that doesn't, you know, at a company that doesn't monitor their email. They have to go to school, and so in my view it's not, they're not really comparable in that sense. And additionally I would say that, you know, I don't necessarily think it's appropriate for employers to be monitoring employees either. So, you know, I wouldn't, you know, we don't, our boss doesn't read our email, you know, at the ACLU. We have, I'm sure that in the contract it says that they could, right, but in practice that's not, I totally agree with you, yeah. Yeah, you're right, I should actually tell my boss that we should change that policy if it exists.
I mean, I think there's also, first of all, the only way that those policies sort of, that, I don't think that necessarily that should be what our expectation is once we get into the working environment. I think the only way that that changes, certainly not going to change, I guess I would say, if we are starting with the premise in school that that is the case. So any sort of drive for a policy change would need to start in the school systems. And I think something that Kate had mentioned earlier, the idea that schools are also environments for intellectual development, and the idea of the free speech sort of implications of that, and the, I mean, students experiment a ton in high school in terms of trying on different views to see if that's what they are going to end up believing or not, and I think that extra layer of intellectual development, students are really going to be stunted in terms of the education that we're saying that we're going to
provide them in schools if they don't have the freedom to explore.
Hi, I have two questions, not particularly related. One is, I just want a clarification: does your study also go into, go into required software but not necessarily a school provided computer? For example, Newton of course expects, of course everybody in Newton has their own computer, so my grandchildren, for example, are still, are expected to use not only Google apps but there's some other kind of courseware that they're using. Does your report deal with that?
No, we didn't go into that, although I imagine the issues are very much the same.
The second one is, is, is about the Google apps. You mentioned that, you know, they were caught using student, student data. That's the second time they've been caught using student data, so I'm just wondering what relief there is under the law to (a) force them to wipe out what they've got and (b) to keep them from doing it again.
I mean, you know, I'll answer that as a non-attorney. That's part of the reason we want a stronger law in Massachusetts, so that we know that there are civil damages guaranteed in cases like that. You know, I'm not clear on whether or not there could be a successful lawsuit against Google today in Massachusetts.
Yeah, I mean, so the lawsuit in California was settled, and as you've said, they were then later found to have been continually violating student privacy after they settled this lawsuit. So, you know, I'm not sure about the prospects for a successful suit in Massachusetts, but certainly if the model that they have drafted is enacted, something like that in Massachusetts, there likely would be a very strong cause for civic action.
I'm wondering if you've gotten into the issue at all of who owns what data, and specifically, if it's a student, does the student own the data, does the parent own the data, does the school own the data, does Google own the data, or does the third party app own the data, and are those issues being thought of right now?
Yeah, so at least with respect to
data collection, a student, both a student and a parent, always has the right to access their own information that's in a data system, but the school for a long time, even prior to the time that we were talking about stuff being uploaded into the cloud, had the right to collect that information. And some of the questions that you're getting at right now actually really touch on how are we defining some of those terms I talked about earlier, about is it a school administrator, is it someone who has been designated, and other things that are still being worked out right now, unfortunately, in the courts and also in legislatures. I think something that that becomes really pertinent in is when you talk about third parties. It's a little bit confusing because it's really like the second third party that we're talking about with a lot of these student information systems, because you have the first layer, which is, okay, the school decides to use a platform, let's say Aspen, it's one of the companies that has a student information system, so they upload it. That's like the first band of a third party who has access to that information. In lots of instances they say that the school still owns that information, but that they, or they could at least, but they are simply providing sort of the platform to allow that information to exist. The problem is whether or not the contracts then limit the ability of that third party platform to share with additional third parties. The sharing between a school and a platform, I think for a lot of privacy reasons, in so far as they have sufficient securities in place so it's not going to be hacked, it may actually protect the information better than it would have been if it was just in, I'm from Needham, Needham's random, like, student information systems within that own school system. But once that information, if it's not limited, can be shared to additional third parties, who owns that information becomes really complicated. Some of the contracts, Cade mentioned there was
two school districts, it was Worcester and Brockton I think, who had written their own contracts, and that had really specific language that said that any time you shared information, the information, it had to specifically lay out what the information was being shared for, and it couldn't be further used for any other purpose. That kind of limitation, when a school actually has the ability to write the own contract, is a really important way to share the ownership of that information, but it's not happening across the board right now.
I wholeheartedly agree with your position with regard to the third party data. On the one, on the expectation of privacy in the one-to-one situation, I'm curious about how your proposed regulations or laws would, or policies would, play out in, say, a situation where the device that's been provided is, has been found to be used for a bad thing like harassing or sexting or whatever, and the school officials fear that it's endemic. Let's say they found it on like 10 out of 30 or something in a classroom, or in one full classroom. My question is, does this reasonable suspicion standard mean that they have to have, they have to have a reasonable suspicion of every individual student before they can look at their, their device? So they couldn't, if they found hazing on a football team and they found, and they feared that this was widespread, they couldn't look at the devices of every member of the football team unless they had individual reasons, and the fact of a very large number and a fear that this has become spread like wildfire is not...
The case that you've given is an interesting one, because I'm not a school administrator, but I'm a human being and I have some emotional intelligence, and it seems to me that if you really believe that there's a serious hazing problem on the football team, that the approach maybe shouldn't be a punitive one, that you search everyone's phones to come up with concrete evidence so that you can expel everybody, but you sit the football team
down for a conversation about what the hell is going on on the football team: you guys clearly have a problem with hazing, we need to address it, and maybe the team is not going to practice today because you guys have some real social problems.
I guess I'd try to find, I would think that the administrators wouldn't think of looking on other people's, on all the kids' devices in a particular group as punitive as fact finding. They need to find out what the problem, you know, you've got a problem, you need to scope the problem, and you need to do it fast. Well, let's just think about the analog. It seems like you may be tying the hands of administrators in serious situations.
Sorry, I was just going to say, I think that what you're talking about, I don't know what the tipping point would be. Certainly a factor in determining reasonable suspicion that an individual member of the team may have participated in whatever behavior you're talking about could be that they're a member of the team. I mean, I think if you have a larger number, that probably would be involved in the balancing test of whether or not reasonable suspicion had been met. I think an important component, though, the punitive issue that I think Cade may be alluding to here, is that it is an invasion of privacy regardless of whether or not there is punishment. The actual search is a punishment per se. It is a constitutionally recognized right to privacy that will be invaded. But I think a key part, that second part of the reasonable suspicion test, so you need to have something that is an articulable reasonable suspicion, and the scope of the search needs to be limited. So perhaps in the situation that you're talking about, let's say they had reasonable suspicion to search for sexting for the members of the football team, that wouldn't then allow them to go into the cell phones and search all of their emails, for example, or all of their photographs, unless there was also reason to suspect that. And I think a critical piece also of the
legislation, the model legislation that we have, is that the reasons supporting a search need to be documented and the scope of the search needs to be documented, and it needs to be made available to both the students and the parents so that they are aware of what has happened, and if it comes to any kind of, either within the school system or in the criminal justice system, some type of punishment, that they have the material available to contest it.
I just want to be clear about the reasonable suspicion standard too. It is very low. I mean, that is a low standard. It's lower than probable cause. Probable cause is a standard that we frankly would prefer across the board for all types of searches, but courts have held that there are some circumstances under which government officials can search people, for example on the street, for Terry stops. Law enforcement does not have to have probable cause that they will find evidence of a crime to stop someone on the street. They simply have to have some reason, basically, to stop someone, and that is the same standard. So it is not a high bar, we don't think. The main purpose of a reasonable suspicion standard is to eliminate suspicionless monitoring, which is to say you have to have a reason. It's not such a high bar.
Have you or others at the ACLU given any thought to try and devise some sort of handbook for students on how to disable features of software on these devices that might be invasive of their privacy?
So, interesting question, that. I mean, no, we have not done that and we won't do that, but I mean, I've certainly thought about what options are available for students who are dealing with these kinds of technological problems. Unfortunately, students in other parts of the country who have tried hacking around firewalls or getting rid of invasive monitoring software on their computers have gotten disciplined. You know, they're not supposed to mess with that stuff, so.
Hi, I'm Matt. Thanks so much for this awesome presentation. One of the things I've been
thinking about lately, I think it's been on a lot of people's minds, has been the DOJ versus Apple issue, and so in relation to this it sort of makes me wonder why a government would be a better fiduciary for the data than, say, Google. I'm not sure how the relationship works insofar as getting to do the peeking, but if you have, if the government owns the data, I feel like they're likely to be able to, like, peek on a reasonable suspicion, whereas Google could maybe require a court order, and maybe they'll have lawyers that, like, want to quash a subpoena or something like that, whereas if you have the data on site at the school, government can just start peeking at stuff and doing things. So I'm kind of wondering how you think about and balance that tension.
So, I mean, on what schools can do in owning the data, there are constitutional limits, which, at least as it is structured right now, constitutional limits aren't being applied to private corporations. There are other legal limits that are, but not the constitution. And there, at least to some degree, school officials and government officials are responsive to an electorate in a way that a corporation may or may not be. Now, we have seen in terms of the way that Apple has reacted, for example, to the All Writs Act cases, that there ultimately ended up being a commercial reason why Apple chose to encrypt its information, and I think that did largely speak to the fact that they saw that their customers valued this good. But to this point in schools, with respect to the constitutional protections that are available, that would only apply to schools. And I think it also is governed by the lens for the ACLU, which, because we sort of, our mandate is structured around the Bill of Rights and constitutional rights and civil rights legislation in both the states and the federal government, that tends to push us towards what are the regulations and things that we can put in place to ensure the government is respecting all of those rights.
Also, just to be clear,
as a technical matter, Google might store the data, but the administrator still can access it. So instead of just the administrators having access, it means Google also has access, so simply making the problem worse, in our view. No, I mean, that's untenable. The administration needs access to student information to give people their transcripts, to, I mean, they need to report to their federal government requirements to school, local schools need to collect by DOE. We're not saying that administrators should never be able to look at student records. That's absurd. You know, that the issue that, that we have is simply that, you know, there's certain kinds of information that administrators need to use in the course of business, and teachers do, and then there's other kinds of information, like what website students are reading and what they're saying in their emails to their friends, which are not school matters, right? And those should be distinct, and there should be separate rules applied to, you know, administrator access to the, to those kinds of information. On the law enforcement question, though, it doesn't matter if Google stores the information or if the local school stores it. You know, if this bill that we are proposing were to pass into, into law in Massachusetts, law enforcement would be required to get a warrant to access it from either the school or Google if they wanted to use that information in some sort of criminal prosecution against someone.
I mean, I would say, just even now, based on, we would like things to be more clearly articulated in that way, but the government possession of information has not come one, come all. Just because one government access has information does not necessarily mean that any other governmental actor would be able to access it. That's particularly true when it comes to information that school administrators have, either via a search, which is under a lower basis of suspicion than what a law enforcement agent would have, or under the SIS, just because, and there are,
there have been cases that talk about this, that the difference between what a school administrator can get and then what it can hand to the police officers are two very different standards.
So all you got a question?
A basic question out of ignorance: is there any difference between public schools and charter schools in this context, or do the same laws and regulations apply regardless of how the school is organized?
To my knowledge it is the same, but I have much less expertise in charter schools thus far. But to my knowledge it is the same. I think this person had a question to you.
Thank you, this is really helpful, and I'm on the Cambridge school committee, so this is very timely, if anybody is interested in Cambridge in particular. I'm interested in drift on to social media. So the official chorus that sets up a Facebook page, or the chess club, or we have a city youth council here that set up their own Facebook page for students to post anecdotes about their experiences around race at the high school. What about these Facebook type of much less regulated things that are not official educational applications?
That's a really good question, and unfortunately it's something that I haven't given a significant amount of thought to, but just off the cuff I would say that certainly this should be opt in. If the chorus has a Facebook page, students should not be required to feature in photographs that are going to be posted on Facebook if they don't want to be. Nothing like that should ever be a requirement for participation in any sort of school activities. You know, beyond that, I don't have any really deep thoughts about it at the moment.
I mean, the only thing I would add on to that is, I am glad you said that, Kate, about opt in. We think about, I mean, I remember when I was in high school the number of forms that either I had to sign or my mom needed to sign or my dad needed to sign in terms of whether or not we agree to let my photograph be used, whether, like, all sorts of permissions that
were given for much sort of more discrete actions in the type of information that now is often being given without any sort of notice, let alone consent. So what we're really asking for here is the same degree of protections that schools provided in the analog world to also be applied to the digital context, which if anything requires even more supervision of privacy protection.
That's a great question, though. And maybe one more question.
Hello, it's Michelle Raymond from University of Geneva. I just have maybe a more technical question. How do we guarantee that the law reform you're advocating for has teeth in the enforcement sense? Who gets to decide if there's a privacy breach, if there is reasonable suspicion in any given case? And given the fact that there are many different actors, both states and private actors, how do we make one system to make sure they all respect the rules?
Well, so that's why the law specifically provides, or the bill as we've drafted it provides, that it follows the fruit of the poisonous tree model for prosecutions, which is to say if the school violates the law, or law enforcement gains access, in other words, to student information without a warrant and tries to use that in a criminal prosecution, that it would be inadmissible. And then on the civil side there's a provision that would enable people to sue for large sums of money, basically.
The civil damages part is key, because what we see time and again in terms of technology is often you never end up even knowing that your rights have been violated unless there is a criminal prosecution, and we don't want to set up a situation where individuals who potentially, they weren't even ever charged, don't have a sort of mechanism to redeem the rights that were violated. So that's a critical component to make sure that the enforcement happens across the board.
Thank you both so much.
Thanks for having us.