A very long thread on the types of questions we ask before we use any piece of software with K-12 students. Using Zoom as an example in some of the thread because it was one of our most extensive recent review processes, due to Zoom's aggressive targeting of users w/ their tools & issues.
In addition to our usual privacy/data/security questions, Zoom had an extra layer of harm mitigation: when selecting a tool, how do we ensure we don't expose children (through user error or poor software design) to harmful/illegal content?
A sketchy thing Zoom did was circumventing school purchasing processes & protocols for high-value software contracts by giving away free licenses to teachers. In no other situation would schools suddenly, w/ zero vetting or competitors, sign up for a $25K (for us)/year contract.
Now on to the questions we ask. Our policy requires each piece of software used to be vetted by the technology team prior to use. This is not a complete list of the criteria, but this overview should give a sense of both the breadth & depth of the review process.
COPPA--Is this vendor COPPA compliant? Can we use this software with students under age 13? Are we meeting our contractual obligations to parents to review the software for *actual* COPPA compliance and not just expressed compliance?
FERPA framework--Although our school is not required to adhere to FERPA since we do not receive public funding, the FERPA framework for evaluating student data and privacy practices is an industry standard that guides our review process.
Data privacy--For students of all ages, what data sharing and selling practices are in place? What does the company explicitly state it will do with student data in its terms of service?
What data sharing and selling practices are in effect that are not explicitly outlined in the terms (for example, Zoom had an undisclosed data sharing agreement with Facebook)?
Does the company follow an opt-in or opt-out model for data privacy? Is it possible to delete student data after the tool is no longer in use, and what is the mechanism for data destruction?
Data definitions and collection--What types of data does the company collect and store about users? What are potential abuses of the types of data collected by a vendor (particularly immutable data such as biometric profiles)?
Security--What security protocols are in place to protect student data at rest and in transit? Is the company using industry tested and accepted methods for encrypting data? Does the company use an opt-in or opt-out security model?
Are the settings defaulted to the most secure options, so that users have to opt out of security protections, or does the software default to the least secure options, so that users have to opt in to additional protections?
Does the company have a history of security breaches, and how did they respond to them?
Breach notifications--What are the service level agreements for breach notifications if student data is exposed/leaked or a new exploit (zero-day exploit) is discovered?
Domain level control--What mechanism exists to ensure students under 13 are communicating with and sharing content (and receiving content) only from members of the community and not external parties and non-affiliated adults?
Support--What is the overall support available from the company and how quickly are they able to resolve issues? What will support look like for our team? Is this tool device agnostic or will users with certain devices have issues using this tool?
Vendor history and health--How established is the vendor in the industry? What is their growth trajectory, and can they sustain that trajectory (this is particularly important for companies that experience a sudden spike in use that stresses their protocols and systems)?
Practical operations and budget--How will students log in and manage accounts? What is the overall cost of the tool? How well does this integrate with our existing software for scheduling, class work, and other workflows? Is the user interface accessible K-12?
What technical onboarding does the community need to successfully use this tool? What is the implementation process & timeline?
Mission alignment--Does the software of the company operate in a way that does not align with our mission? Does the software support progressive teaching and learning practices?
And because I am blessed to have walked into a strong team who have become a data/privacy/security review machine in our time together, a quick note that this is not a one-person decision. There are many of us who bring our lenses into the process.
Me (Director) + Senior DBA/acting Privacy Officer for GDPR + Network Admin/SysAdmin + Network Security Engineer + Support Technicians + Ethics & Technology Staff (we made the position and it's awesome)
We don't mess around when it comes to handling & sharing student data.
We also consult w/ NYCIST, the collective network of hundreds of NYC Independent School Technologists, to gain more insight and perspectives, particularly in the areas of privacy and security. If you don't have a deep bench at your own school, find a collective to share the load.
And one of the biggest flags for us (and especially w/ Zoom) is when you can't get a straight answer to a question, because that means they are either A) lying or B) making it up as they go along, which shows when their own policies & docs contradict each other.
Some examples of concerns/conflicts we couldn't get resolved by Zoom in March (vetting period):
Zoom provided conflicting guidance, stating users under 18 should not have accounts while, at the same time, the only way to manage security for users under 18 was to create accounts.
Calls to Zoom in March revealed they did not fully grasp COPPA requirements since they had previously only targeted adults. They seemed to be learning COPPA & making policy on the fly. Multiple calls from different staff members resulted in different replies.
Conflicting information between the privacy protections offered by their K-12 school district privacy policy (which was not available or offered at the outset of remote learning) and their stand-alone privacy policy as it relates to COPPA.
At the outset, Zoom was offering Pro licenses to schools for free, and those licenses were not covered by the district privacy policies. So even if a policy existed that protected privacy, it's likely the license a teacher accepted wasn't covered under that policy.
Zoom indicated on one page that the licenses are COPPA compliant, but only if the school contractually consents on behalf of parents. By what mechanism is contractual consent obtained, since there is no contract for each school to sign when using the free licenses?
What effort has been made to reconcile the discrepancies between the site terms of service and the different policies governing data of users under 18?
If users under 16 are not supposed to have accounts, but Zoom is being offered for use with K-12 schools, what are the Zoom COPPA policies for non-account-holding data collection for students under 13 (students using Zoom as guests)?
A lack of an account does not exempt Zoom from COPPA if data collection is still occurring and being targeted at K-12 users. If we are only creating accounts for teachers (which are Pro) but students are using the service through basic/links only, which policy legally takes precedence?
How does Zoom reconcile the different policies governing teacher use (w/ student data) using Pro licenses and the data students provide when using Zoom?
Zoom techs asserted that Zoom was FERPA compliant and were using terms COPPA/FERPA interchangeably (they're not!).
How well-versed are Zoom staff in the policies governing student data in ages 18 and under? How well-versed are Zoom staff in the policies governing student data in ages 13 and under?
What training or guidance are Zoom staff receiving in order to be able to answer questions about privacy and policy correctly?
You can follow @jeannieccrowley.