Not Just TikTok: Student Tech Under Scrutiny for Data Privacy

Spurred by growing public concern over data privacy, some of which is supported by nonprofit research, Tutor.com and other ed-tech companies have come under the microscope by state and federal leaders.

While the future of TikTok in America is making headlines now, ed-tech companies that handle student data are also facing increased scrutiny as data privacy concerns have grown in recent weeks.

On Feb. 14, Sen. Tom Cotton, R-Arkansas, sent a letter to U.S. Secretary of Defense Lloyd Austin expressing concerns over Tutor.com, which contracts with several states as well as the U.S. Department of Defense to provide online tutoring services to students, military members and their families. Primavera Capital Group, a Chinese private equity firm, acquired Tutor.com as well as the Princeton Review in January 2022, the letter said. Primavera has also invested money in ByteDance, the Chinese parent company that owns TikTok, and Cotton’s letter asked the department to explain any security reviews of Primavera’s acquisition of Tutor.com.

“While providing educational services, Tutor.com collects personal data on users, such as location, Internet protocol addresses, and contents of the tutoring sessions,” Cotton wrote. “As Chinese national security laws require companies to release confidential business and customer data to the Chinese government, we are paying to expose our military and their children’s private information to the Chinese Communist Party.”

This letter prompted a wave of activity online, much of it on right-leaning websites as well as from regional publications reporting whether their local school district used Tutor.com’s services.

In an email to Government Technology this week, John Calvello, Tutor.com’s interim chief institutional officer, outlined the measures his company takes to protect personal data. This includes voluntarily allowing the Committee on Foreign Investments in the United States to conduct a review that ensures the company has stringent safeguards in place “to protect all U.S. student personal data, together with mechanisms that provide for constant monitoring and compliance.”

Tutor.com also has a binding legal agreement with the U.S. government that states Primavera will not have access to the company’s IT systems or personal data. Its designated security officer, who continuously monitors the technology and ensures data protection measures, is an American citizen who is vetted by the U.S. government. And two members of Tutor.com’s board of directors, also vetted and American citizens, are experts in U.S. national security and data security, and they are also responsible for safeguarding user privacy, Calvello wrote.

“No personal information of students or families is shared with Primavera, and Primavera does not have — and may not obtain — access to our IT systems,” Calvello wrote, adding that his company’s principal place of business is New York City. “As an American company, Tutor.com cannot be compelled to release personal data of U.S. students and families to China or any foreign government. As an American company, Tutor.com remains dedicated to the values, goals, and practices that we have championed over two decades of serving institutions and learners — foremost among which is protecting customer and learner data.”

While general paranoia around data privacy may generate PR firestorms for companies without public evidence of wrongdoing, privacy advocates and news headlines alike suggest that some fears about student data privacy are well founded. Last month, the College Board, a not-for-profit that administers Advanced Placement programs and the SAT, agreed to pay a $750,000 settlement to the New York State Education Department after New York Attorney General Letitia James accused the company of collecting personal information of students who took the PSAT, SAT or AP exams at school and then improperly selling that data to colleges and universities, scholarship programs and other customers who solicit students. The AG’s office estimated that, for 2019 alone, this affected more than 237,000 students, according to a news release last month.

The College Board, which contracts with school districts, offers online accounts where students can register for tests and use the Search tool to find information on higher-education institutions and financial aid opportunities. New York state law prohibits entities that contract with educational institutions from using student data for commercial or marketing purposes.

“Students have more than enough to be stressed about when they take college entrance exams and shouldn’t have to worry about their personal information being bought and sold,” James said in a public statement.

On its website, the College Board replied to James’ announcement, noting that it disagrees with the AG’s interpretation of the privacy laws in question, and it maintains there is no evidence that colleges and scholarship organizations have ever “misused” the student information they receive.

“Search has a proven, positive effect on college-going. Students who connect with colleges via Search receive 29 percent more offers of admission,” College Board’s statement said. “These gains are even more pronounced for underrepresented minority students who receive 65 percent more admission offers and first-generation college students who receive 55 percent more admission offers.”

Student privacy will continue to be a topic of debate in the months ahead. Internet Safety Labs (ISL), a nonprofit that works to ensure product safety in the digital world, and Common Sense Media, a nonprofit that works to promote K-12 digital citizenship, are continually examining the latest and greatest ed-tech tools for data leaks and privacy shortfalls. In a 133-page report in December 2022, based on its review of 1,357 educational apps recommended across 663 schools, ISL estimated that 96 percent of those apps shared student information with third parties. A follow-up report in June 2023 concluded that most schools do not vet all technology used by students, and that regardless of “safe harbor” certifications or other privacy promises from ed-tech products, student data from those tools still made its way to large platforms like Facebook and Twitter.

Common Sense Media expressed similar concerns in its 2023 State of Kids’ Privacy report.

“To obtain meaningful consent, consumers need to know which companies and products say they sell their data, as well as a stronger, more comprehensive state or federal privacy law that bans the practice of selling data for all users unless separate opt-in consent is explicitly obtained,” the report said. “Without these baseline expectations, the industry will continue to make money by influencing and exploiting kids’ and families’ data for commercial purposes, all while claiming they respect our privacy.”
Aaron Gifford is a former staff writer for the Center for Digital Education.