Many people who use the internet are familiar with cookies and aware that their movements are tracked, especially after the Cambridge Analytica scandal put a spotlight on Facebook’s business model this year. But the unseen, commercial tracking of visitors to school websites — including students — raises issues that go beyond tracking on other kinds of sites, other experts agree.
“Schools shouldn’t be selling and marketing their kids’ data to third parties,” said Jules Polonetsky, chief executive of the Future of Privacy Forum, a Washington think tank focused on data privacy. “Is that what’s happening? Do they know? If they can’t answer the question, that’s a big problem.”
Student lists are now available for purchase on the basis of ethnicity, affluence, religion, lifestyle, awkwardness and even a predicted need for family planning services, according to a study released in June by Fordham University’s Center on Law and Information Policy. Where that information was drawn from is mostly undisclosed, the study found.
“There’s a continuum of data collectors, data sharers and data users within this large ecosystem,” said N. Cameron Russell, the center’s executive director, describing it as a “huge invisible world” of shifting business entities of which the public is mostly unaware. The companies offer school districts incentives to use “freemium” services, free or discounted products for which, Mr. Russell says, “you’re paying with your personal information.”
The presence of trackers from data brokers such as BlueKai, AddThis or DataLogix on school sites should be viewed as a “smoking gun” that demands an explanation, Mr. Polonetsky said, because those companies commonly engage in the buying, selling and linking of user data. Mr. Levin found all three on the websites of the Huntsville, Ala., schools on one recent day. He found AddThis on public school sites in Cleveland; Springfield, Mo.; Washington, D.C.; and Albuquerque.
BlueKai was among the 22 trackers Mr. Levin found on the Pinellas County, Fla., schools site. Ms. Wolf said she did not know how it got there. “It is the district’s expectation that our partners do not sell or misuse web visitor information,” she said.
Some limits exist on how far trackers can intrude. The Children’s Online Privacy Protection Act of 1998, known as Coppa, bars unauthorized collection of children’s personal information, including I.P. addresses, on sites aimed at children under 13.