Advertisers are sucking up student data, even after legal action, researchers say
Hundreds of advertisers are collecting valuable student data from a service that allows schools to add sports data to their informational app for students, researchers at the Me2B Alliance found.
The new findings build on previous research from the nonprofit that found the majority of sampled school apps were sharing data with advertising software kits. This time researchers examined web traffic originating from links embedded directly into the customized school apps using a utility called WebView.
“These are taxpayer-funded school utility apps that have integrated some of the most aggressive advertising chains you can think of,” said Zach Edwards, one of the report’s researchers.
The WebView software gives developers a way to allow users to open links within an app, instead of a separate web browser. The process makes it easier for developers to include content in their apps but harder for users to control privacy settings. WebView itself doesn’t expose data, but it serves as a conduit to websites that collect it.
Researchers identified the sharing of commercially valuable student data with advertisers when looking into a sample of 18 apps from different schools and school districts, suggested by the Student Data Privacy Project (SDPP) to the Department of Education.
Protections of student data have been outpaced by an explosion of educational technology apps and devices offering to help schools adapt to remote learning and ease in-house technical burdens. The software, often offered at a discount, might offer a more affordable alternative to building technology from scratch, but parents and privacy experts say students pay a high price in having their data passed along to third parties who monetize it — often with no parental oversight thanks to federal law that gives school officials some authority to provide student data without parental consent.
Tracking down the data being shared by schools with educational technology companies has become so difficult and time-consuming that in July a group of 14 parents from nine states organized by SDPP filed complaints with the U.S. Department of Education over vendor practices.
A main source of the traffic to advertisers, researchers found, was an application called MaxPreps, which is owned by ViacomCBS. While MaxPreps markets itself as a way to track high school sports, researchers noted some school systems it lists cover kindergarten through grade 12. The behavior would seemingly put the company at risk of collecting data from users under 13 without parental permission, which is a violation of the Children’s Online Privacy Protection Act, and, more certainly, from children under 16, which is the age of protection under California’s privacy law.
“MaxPreps is ostensibly a valuable tool for parents, students, school staff and fans to follow their teams,” Me2B Alliance researchers conclude. “The problem, however, is that it is a self-avowed advertising platform that provides no transparency, consent, or control for the aggressive advertising supply chains integrated into their pages, and subsequently integrated into school utility apps via WebView.”
ViacomCBS, which owns MaxPreps, settled in April a class-action lawsuit accusing it and 11 other companies of violating state privacy and fair business practice laws by placing tracking software in children’s gaming apps without parental knowledge or consent. MaxPreps was not included in the suit, but Me2B alleges that the behavior “is similar if not worse within this subsidiary that offers free products for schools.”
MaxPreps did not respond to a request for comment by publication time.
Among the advertisers that receive data from MaxPreps is OpenX, which recently settled with the Federal Trade Commission for $2 million over allegations it failed to comply with federal law prohibiting the collection of data from children under 13 years old without parental consent.
In addition to student data collection, the report also raises concerns about “dangling,” or expired, domains embedded in the apps reviewed by Me2B. Researchers found three of the school districts whose apps they reviewed had embedded domains that no longer belonged to the school, and now redirect to malicious links including pornography, scam offers and other spam.
The schools removed the links after Me2B Alliance contacted their app host provider, Blackboard. Still, the existence of such domains represents a cybersecurity threat, says Edwards. Hackers could hypothetically use the domains to pose as schools to run business email compromise schemes or other cybercrimes.
The Me2B Alliance recommends that school administrators receive training on the risks of embedding URLs in apps and that schools have a plan in place to track links in the case they expire.
Joel Schwarz, the co-founder of the Student Data Privacy Project, applauded the Me2B Alliance report and recommendations. But he cautioned that schools need more support in order to improve their data protection techniques.
“I think the idea that schools need to be trained on this is true in some cases,” said Schwarz. “I think in a lot of cases schools understand it, but their focus on COVID … they don’t have the resources for this and this is a lower priority for them right now.”
Updated 12/21/2021: This article has been corrected to reflect that the school districts removed the malicious links after being notified by Blackboard. Blackboard did not remove the links directly.