IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

‘Scary Apps’ List Calls Out Poor Student Data Privacy Policies

The nonprofit EdTech Leaders Alliance started a list of Scary Apps last year to raise awareness of ed-tech tools with “privacy policies that should give K-12 educators a fright.” A new one is posted each day of October.

Smartphone surrounded by Jack-o-lanterns.
Adobe Stock
On the cusp of Halloween, a new tradition is gaining attention in the ed-tech space: the Scary Apps list, compiled each October by the nonprofit EdTech Leaders Alliance (ETLA) to warn educators and district tech directors about educational apps that fail to protect student data.

Formerly part of the nonprofit Learn21, ETLA established itself as a separate entity this summer and serves as the Ohio affiliate of the Consortium for School Networking (CoSN), the International Society for Technology in Education (ISTE), the State Educational Technology Directors Association (SETDA) and the Student Data Privacy Consortium. However, ETLA Executive Director Stacy Hawthorne — a former Ohio teacher and ed-tech director who wears many hats, also being Learn21's chief academic officer and chair-elect for CoSN — said the group seeks to help educators nationwide.

Hawthorne said Learn21 initiated the Scary Apps list last year, but she researches and writes the list herself. One of the main reasons a tool ends up on the list is if its vendor refuses to sign a data privacy agreement. Other privacy problems that make for Scary Apps include sharing personally identifiable information, allowing targeted advertising and excluding children in the product’s terms of use as a potential culpability loophole.

“They’re literally marketed for school-age children, but their terms of use say they have to be 18 to be able to use it, so that’s another big one,” Hawthorne said. “I think it’s just their way of saying, ‘Oh, if something happened on our platform, they didn’t meet the terms of service, and it’s not our fault.’”

The list also calls out companies that use student data to build or refine their products, which Hawthorne said is one of the issues weaved into the Kids Online Safety and Privacy Act (KOSPA) that passed the Senate in July and awaits House approval.

“You can’t use students like that,” Hawthorne said. “It’s not technically illegal right now, but if they’re doing some of the other things, and they’re doing that, I will point it out in Scary Apps if they use the data to train their models.”

RAISING AWARENESS


A new Scary App is posted every day of October on ETLA’s website and social media pages, with details on what makes each privacy policy a poor fit for K-12 schools. For example, the list dings Grammarly for deciding it will no longer sign data privacy agreements for its free version, and Chess.com for sharing user data with third parties for targeted advertising. The entries are written and designed with a Halloween theme, and Hawthorne said the fun spin has helped raise awareness of the importance of student data privacy.

“It was catchy, and it ended up being super fun,” she said. “It just ended up getting a lot of traction. I could tell it mattered to people.”

One school technology director, who also serves as a computer science teacher, told Hawthorne he now uses the concept of Scary Apps with his students, asking them to research the privacy policies of their five favorite smartphone apps and make a Halloween-themed presentation of their own.

Districts throughout the country have requested last year’s Scary Apps slides to present at staff meetings, Hawthorne said, and she will have the 2024 list available as a free resource after October.

As for whether ed-tech companies ever reach out or make revisions based on these concerns, Hawthorne said she has not heard from any this year, and only Canva responded last year, correcting a default setting that allowed students to communicate with people outside their school.

“There was a young lady who ended up communicating with somebody outside of her school’s domain and was coerced into sending some images to the point where police had to be involved,” Hawthorne said. “So then they changed the default setting to off. You can’t communicate outside the district.”

NEW LAW SURFACES MORE SCARY APPS


Anyone who would like to submit an ed-tech tool to be considered for Scary Apps can use the link in the first tile on the list. Hawthorne said she sought out about 80 percent of the apps on last year’s list, while others came from submissions that she then double checked.

Creating the list was easier this year, she said, because a new student data privacy law in Ohio went into effect Oct. 24 requiring public schools to ensure contracts with ed-tech providers include specific terms of protection for student data privacy. ETLA served as an intermediary in contract negotiations for about 2,500 apps in the past eight weeks, Hawthorne said.

The organization is a go-between for its Ohio member districts and an attorney for The Education Cooperative Student Data Privacy Alliance, of which ETLA is a member, who negotiates ed-tech vendor contracts in compliance with the recent law. Hawthorne said she is copied on emails between the attorney and vendors, so she’s aware of any ed-tech companies that refuse the new terms.

“Last year I probably spent, honestly, about 45 minutes for each post, like, scouring privacy policies, trying to come up with apps,” Hawthorne said. “This year, I actually got the first 20 of them written from emails I saved over the last two months.”

SIGNED AGREEMENTS ARE KEY


For districts that may not have such a service at their disposal, Hawthorne recommends starting with the Student Data Privacy Consortium, a nonprofit that created a National Data Privacy Agreement template for contracts between ed-tech vendors and schools throughout the U.S. The consortium’s free resource registry hosts more than 130,000 signed data privacy agreements, according to a news release earlier this year.

Although most people who take the time to read an app’s privacy policy should be able to figure out whether it provides sufficient data protection for students, Hawthorne said a signed data privacy agreement is essential for long-term use.

“If you read a policy, and you’re like, ‘Oh, this privacy policy is fine, I have no problem with it,’ you don’t know that they don’t change it the week after you told people to use it,” she said. “If you have a signed data privacy agreement, they can’t make changes to that without you knowing it.”
Brandi Vesco is a staff writer for the Center for Digital Education. She has a bachelor’s degree in journalism from the University of Missouri and has worked as a reporter and editor for magazines and newspapers. She’s located in Northern Nevada.