DISTANCE LEARNING AND PRIVACY

Privacy Considerations in Selecting Distance Learning Tools

Dalia Topelson Ritvo, AAG Privacy Specialist

*Not licensed in CO. Practice temporarily authorized pending admission under C.R.C.P. 205.6

RUSH TO ZOOM

• In light of the Governor’s stay at home order, schools, like many other institutions, adopted Zoom as the platform of choice for live virtual classrooms and virtual meetings with students.

ZOOM SECURITY VULNERABILITIES

• The uptick in adoption revealed a number of security vulnerabilities in Zoom’s platform, including, but not limited to:

  • Lack of end-to-end encryption

  • Discoverability of meeting IDs leading to “zoombombing”

  • Unsecured links to recorded calls

  • Potential data breach of up to 500,000 user accounts

WHAT HAS ZOOM DONE SINCE THEN?

• In light of bad press and a number of lawsuits, Zoom halted its development efforts to focus on upgrading the security of its platform.

• Zoom entered into a settlement with the New York Attorney General requiring it to:

  • Conduct risk assessments and code reviews

  • Implement safeguards to prevent hackers from accessing accounts with old credentials

  • Enhance encryption protocols

  • Implement a software vulnerability management program, including annual penetration testing

WHAT ABOUT ENCRYPTION?

• While Zoom still does not have end-to-end encryption, its systems have been upgraded to use AES 256 GCM transport encryption as the default encryption.

• Zoom plans to roll out a beta version of optional end-to-end encryption (E2EE) in July of 2020.

• Individuals seeking to use E2EE must provide personally identifiable information to Zoom in order for Zoom to authenticate accounts.

• It will be up to the meeting host to turn on end-to-end encryption for a meeting, as using end-to-end encryption eliminates other features of the software.

ARE THERE OTHER OPTIONS?

• Google Meet

• Microsoft Teams

• Webex

• Vidyo

• Blackboard

• Canvas (integrated with Zoom)

CAN I USE THESE TOOLS UNDER FERPA AND THE SDTSA?

• Yes. Neither FERPA nor the SDTSA prevents schools from using these types of technical tools to support providing education to students.

• Schools must comply with each statute’s notification and consent requirements when using these tools, depending on the level of control they have over the vendor.

BEST PRACTICES FOR USING ZOOM

• Schools or districts should sign up for one of the paid accounts so that students can access meetings through an account set up by the school, rather than their own personal account.

• Use random meeting IDs for each session to minimize the opportunity for unwanted guests to either guess or discover the meeting ID.

• Password-protect the classroom.

• Limit attendance to authenticated Zoom users tied to the school account.

• Use the waiting room functionality so that teachers must actively approve individuals seeking to attend the meeting.

• Disable the join before host functionality so that no one can join until the teacher has arrived.

BEST PRACTICES FOR USING ZOOM

• Set screen-sharing to “host only” so that only the teacher can share his or her screen unless the teacher proactively turns on screen sharing for a specific student.

• Disable the private chat functionality to avoid side conversations during class.

• Consider muting all students, and only unmute if a student has raised their hand using the hand raising feature.

• Set the account default so that class sessions or meetings are not automatically recorded.
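
The checklist on the two slides above, expressed as an automated check (an added example, not part of the original presentation). The setting names are hypothetical and are not taken from Zoom's API or admin console; map them to whatever your account's settings export actually contains.

```python
# Added example: audit exported meeting settings against the slide checklist.
# All key names below are hypothetical placeholders, not Zoom's own field names.

BASELINE = {
    "uses_random_meeting_id": (True, "Use a random meeting ID for each session"),
    "passcode_required": (True, "Password-protect the classroom"),
    "authenticated_users_only": (True, "Limit attendance to authenticated school-account users"),
    "waiting_room": (True, "Enable the waiting room"),
    "join_before_host": (False, "Disable join before host"),
    "screen_sharing": ("host_only", "Set screen sharing to host only"),
    "private_chat": (False, "Disable private chat"),
    "mute_on_entry": (True, "Mute students on entry"),
    "auto_recording": ("none", "Do not record sessions automatically"),
}


def audit_meeting(settings):
    """Return (key, found, expected, advice) for every deviation from BASELINE.

    A missing key is reported too: an unset control silently falls back to a
    platform default that nobody at the school has reviewed.
    """
    findings = []
    for key, (expected, advice) in BASELINE.items():
        found = settings.get(key, "<missing>")
        # Compare type as well as value so 1 or "true" never passes for True.
        if type(found) is not type(expected) or found != expected:
            findings.append((key, found, expected, advice))
    return findings


# Constructed sample data: one compliant class and one misconfigured class.
SAMPLE_MEETINGS = [
    {"topic": "Grade 7 Math", **{k: v for k, (v, _) in BASELINE.items()}},
    {"topic": "Grade 8 Science", "uses_random_meeting_id": False,
     "passcode_required": True, "authenticated_users_only": True,
     "join_before_host": True, "screen_sharing": "all",
     "private_chat": False, "mute_on_entry": True, "auto_recording": "cloud"},
]

if __name__ == "__main__":
    for meeting in SAMPLE_MEETINGS:
        findings = audit_meeting(meeting)
        print(f"{meeting['topic']}: {'OK' if not findings else 'REVIEW'}")
        for key, found, expected, advice in findings:
            print(f"  {key}={found!r} (expected {expected!r}): {advice}")
```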

TO RECORD OR NOT TO RECORD?

• Reasons to record:

  • Record student presentations for grading and feedback purposes

  • Record classes to allow students to access classes at their convenience to address digital divide issues

• Reasons not to record:

  • Protect student privacy

  • Avoid inadvertent public access to classroom recordings

  • Creation of unnecessary records

WHAT SHOULD WE DO IF WE RECORD?

• Establish data storage policies guiding teachers on where recorded classes or meetings should be stored, and how long they should be stored for.

• Ensure that recorded classes or meetings will be stored on a secure server controlled by the school.

  • This could be a server managed by a cloud service provider that the school has a contract or account with.

• Create policy on how to notify parents and students when they will be recorded.

• Notify students and parents of policies associated with recording and notify students and parents prior to each recording.

BEST PRACTICES FOR CHOOSING TOOLS

• Review terms of use and privacy policies of any technical tool to be utilized.

• Understand the different treatment of data by companies using freemium models

• Conduct technical due diligence to confirm compliance with privacy policies

• Ensure school or district complies with notification requirements under FERPA and SDTSA

• Avoid requiring students to use personal accounts for access in order to ensure data stays within the infrastructure “controlled” by the school.