State of Edtech Security Survey

2018 STATE OF EDTECH SECURITY SURVEY
Common Sense Privacy Evaluation Initiative

CREDITS

Authors: Girard Kelly, Jeff Graham, Jill Bronfman, Steve Garton

Suggested citation: Kelly, G., Graham, J., Bronfman, J. & Garton, S. (2018). 2018 State of Edtech Security Survey, Common Sense Privacy Evaluation Initiative. San Francisco, CA: Common Sense

This work is licensed under a Creative Commons Attribution 4.0 International Public License.

2018 STATE OF EDTECH SECURITY SURVEY, COMMON SENSE PRIVACY EVALUATION INITIATIVE
commonsense.org/education/privacy

Common Sense is grateful for the contributions to this survey from our 2018 privacy intern, Irene Lee, and the generous support and underwriting that funded this research survey from the Michael and Susan Dell Foundation, the Bill and Melinda Gates Foundation, and the Chan Zuckerberg Initiative.

TABLE OF CONTENTS

Introduction
    EdTech Security
        Privacy vs. Security
        Focus on Encryption
    Background
        Preliminary Survey in 2016
            Encryption List
        Updated Survey in 2017
Methodology
2018 Results
    Products Scanned
    Successful Status Codes
    Supports Encryption
    Requires Encryption
    HTTP Strict Transport Security (HSTS) Headers
Conclusion
Appendix
    2018 Vendors That Require Encryption

INTRODUCTION

The Common Sense Privacy Evaluation Initiative is a coordinated effort to evaluate education technology (edtech) tools, protect student privacy, and build in privacy and security from the start.[1] The Common Sense Privacy Evaluation Initiative helps clarify privacy policies so teachers can make smart choices about the learning tools they use with students and so schools and districts can participate in evaluating the technology used in K–12 classrooms. Common Sense privacy has been collecting and incorporating feedback from stakeholders about how to share the results of our privacy evaluations since we began this work in 2015. Since that time, Common Sense privacy has spoken with numerous teachers, students, parents, developers, vendors, privacy advocates, and industry representatives about their perspectives on privacy and security. This research led to the design of a 180-question evaluation framework designed to analyze privacy policies and create a profile of each edtech product’s privacy and security practices.

In May 2018, Common Sense privacy released its groundbreaking 2018 State of EdTech Privacy Report.[2] The report represents the culmination of Common Sense privacy’s research over the previous three years, including the evaluation of hundreds of education technology-related applications and services. In this report, Common Sense privacy went beyond evaluating individual edtech products and captured a snapshot of the edtech industry as a whole. Common Sense privacy’s overall findings in the privacy report are illustrative of current trends in the edtech industry including a widespread lack of transparency and inconsistent privacy and security practices.

Good security, however, is not static. Edtech industry security practices may be – indeed, should be – updated in response to current events and improvements in technology. After the release of the privacy report, Common Sense privacy immediately began to update its security findings. In order to have a solid foundation for privacy, edtech providers must also have adequate security practices. Therefore, in addition to evaluating privacy policies, Common Sense privacy utilized a comprehensive security assessment to determine whether the evaluated edtech products supported encryption with the return of successful status codes. Edtech products that responded successfully were surveyed to determine whether they also required encryption with hypertext transfer protocol (HTTP) to HTTP secure (HTTPS) redirection and whether they implemented HTTP strict transport security (HSTS) headers, which is a web security policy mechanism that helps to protect websites by using only secure HTTPS connections.

The release of this 2018 State of EdTech Security Survey represents a yearly examination of security practices of education technology-related online services using our security assessment. In 2016 Common Sense privacy ran its initial encryption survey to determine a baseline for the state of edtech security. Then, in 2017, Common Sense privacy ran the encryption survey again and released our findings, which showed positive but non-significant trends in the edtech industry with increasing encryption since 2016, but with clear room for improvement. This 2018 security survey includes results from over 2,000 URLs of popular edtech online services. To determine this sample set, we interviewed various teachers, schools, and districts about which services they had used during the 12 months prior to the security survey. This is an increase in products scanned from 1,121 edtech products in 2017 and 1,100 edtech products in 2016. These services provide a representative sample of the wide range of educational technologies, including educational games and tools, for communication, collaboration, formative assessment, student feedback, content creation, and delivery of instructional content. These types of services are currently used by millions of children at home and by tens of millions of students in classrooms across the United States.

Our overall findings in 2018 indicate a significant increase in the percentage of services that both support and require encryption. In addition, our findings indicate that there was a modest decrease in the percentage of services that support encryption, but do not require encryption. However, there was no significant change in the percentage of services that implement HSTS. These findings illustrate that the edtech industry has made significant improvement in its use of encryption of personal information over the past three years, but, given that 22 percent of edtech products still do not require encryption, the industry has a long way to go to improve its security practices.

Security practices of edtech providers should have a higher standard than the industry standard for online services and applications generally given the potentially sensitive nature of personal information that may be gathered from children and students. These crucial observations are whether an edtech service: 1) supports encryption; 2) requires encryption; 3) supports encryption and requires encryption; and 4) supports encryption and uses HSTS directives in its headers. Given the size of the sample and the tools used to evaluate the edtech products, our key findings in the security survey hold a mirror up to the security practices of the edtech industry as a whole.

[1] Common Sense Media. “Privacy Evaluation Initiative,” https://www.commonsense.org/education/privacy.
[2] Kelly, Girard, Jeff Graham, and Bill Fitzgerald. 2018 State of Edtech Privacy, https://www.commonsense.org/blog/2018-state-of-EdTech-privacy-report.

Our 2018 security survey key findings indicate:

1. A significant increase from 2017 of 16 percent in the percentage of services that support encryption.
2. A significant increase from 2017 of 22 percent in the percentage of services that require encryption.
3. A modest decrease from 2017 of 6 percent in the percentage of services that support encryption, but do not require encryption.
4. No significant change from 2017 in the percentage of services (14 percent) that support encryption and implement HSTS.

This survey would not have been possible without support from the Privacy Evaluation Initiative Consortium, which includes over 150 schools and districts that help inform Common Sense privacy’s work and use the privacy evaluations and security information as part of their vetting process for educational

panded beyond the right to be left alone to the right to control your personal information. Further, this expanded meaning of privacy has taken on new prominence in the digital world. Privacy includes the ability to control your information, who has access to it, and what it is used for – including what decisions are made because of it. To effectuate privacy, security needs to expand in scope as well, to take on the responsibility of protecting these individual decisions. Security involves the protection of a user’s control of their personal information, as well as protection of a vendor’s systems and products from outside influences.

Focus on Encryption

Using encryption to protect data in transit is widely recognized as a best practice and even, in some cases, a legal requirement to satisfy a “reasonable” standard of security. To illustrate this preference, Google prioritizes encrypted sites
