Showing posts with label FERPA. Show all posts

Sunday, September 25, 2011

Blackboard LEARN security vulnerabilities

Sandra is back after a three week blogging hiatus.

The Australian edition of SC Magazine, which focuses on IT security, reported that Blackboard Learn had serious vulnerabilities. The report revealed that "security vulnerabilities have been found in the world’s most popular educational software - holes that allow students to change grades and download unpublished exams, whilst allowing criminals to steal personal information." Initial concerns reported to Blackboard by Australian university managers were ignored or dismissed, which led to the publication of an advisory by AusCERT, a non-profit security organization funded by Queensland University. Blackboard then responded with its own advisory.

Blackboard Learn is used widely by U.S. universities and by the U.S. military. Inside Higher Ed also reported on the security concerns:
Matthew Maurer, a spokesman for Blackboard, told Inside Higher Ed via e-mail that the article was correct that there was a security flaw, and that this problem was not unique to Australian universities. But he said that the article (which has been circulating among some American IT officials) had an "exaggerated fashion" in describing the problem. "There's not a single reported case of exposure, just the theoretical," he said. Maurer said that many of the issues were very quickly fixed, and that the company is now providing information to colleges and universities so they can see that there are not serious problems remaining.

Commentary
While there may not have been a single reported case of exposure, there was a significant security flaw. Universities purchasing online learning systems and students paying tuition to access online courses should have assurance that the products do not ship with security holes of this severity to begin with. Security issues affecting other U.S. online education initiatives remain a concern.

Previous postings on this topic:

Student Data Collection: Purpose, Costs, Risks?
Education Reform and Privacy Concerns Collide

Thursday, August 25, 2011

Florida: School Board of Brevard invites parent input on student privacy

The Florida Today newspaper covered the School Board of Brevard's decision to examine parent consent when it comes to access to student information. The Board decided to obtain input from parent-advisory groups before making changes to who can request student directory information in accordance with federal laws. Florida Today reports that "the district does not release certain information -- such as photos or email addresses, or a student's grade level or school name -- that federal guidelines allow."

Student directory information currently includes:

  • Student's date and place of birth

  • Dates of attendance and graduation

  • Participation in recognized sports and activities

  • Height and weight of athletic team members

  • Degrees, honors and awards


"Typically, military, colleges and research institutions request the information. In addition, it is often released to graduation vendors, such as those handling class rings or senior photos. Non-educational uses of directory information must be approved by the superintendent, District Spokeswoman Christine Davis said."

Read the full article here.

Information on the Family Educational Rights and Privacy Act can be found here.

Thursday, July 7, 2011

NUT Report: Funding for pre-school testing announced

With the debt-ceiling debate raging and the urgency to cut spending, the rationale and priority for a new Race to the Top pre-school standardized assessment initiative go unexplained. States will compete for $500 million in funds to develop tests that are intended to measure "academic performance but also children’s social, emotional, physical and artistic readiness for kindergarten." This assessment is intended to assist kindergarten teachers in preparing targeted learning opportunities and is not to be used for any rewards or punishments for students, teachers, or schools.

Valerie Strauss of the Washington Post noted that in 2003 when President Bush suggested giving all children in Head Start programs a standardized test, reaction seemed different:
Critics howled. Early childhood development experts said preschoolers are too young to be evaluated by standardized tests in part because they don’t have sufficient ability to comprehend assessment cues. The plan was shelved.

A recent article in The Nation notes concerns about this initiative.
The kindergarten-entry assessments are “probably the most radical part of the [Race to the Top early learning] program,” acknowledges Sara Mead, a pre-K expert and senior associate partner at Bellwether Education Partners, a nonprofit Washington, DC, consulting firm. “It would drive a big shift towards much more measurement of early learning program outcomes, which parts of the early-childhood education community have traditionally opposed.… But these are not intended to be assessments to determine whether or not an individual child is ‘ready’ for kindergarten, and they never have high stakes for kids, in terms of denying them entry into kindergarten.”

Laura Bornfreund, a policy analyst at the New America Foundation’s Early Learning Initiative, has written that pre-K assessment remains controversial:

Concerns over inappropriate assessments of young children are rampant, so it bears repeating that appropriate kindergarten readiness assessments are not “tests” in the way adults might think of them. They do not require children to sit down with a bubble sheet and number-two pencil. Often they are based on teachers’ observations of children’s drawings or playtime interactions. For many literacy assessments teachers conduct them by sitting down with students, one by one, to ask them questions about sounds and letters or to point to pictures. The idea is to create a low-pressure experience. But there are still many questions in the research community about how to ensure that assessments are administered in ways that are sensitive to a child’s age and stage of development.


Pop Quiz

1) What is the problem this new assessment will solve?
2) Will the data collected become part of the State Longitudinal Database Systems?
3) Will the data be made available to other agencies and researchers without parental consent in accordance with the proposed regulatory changes to the Family Educational Rights and Privacy Act?

Answers:
1) No one knows, but it's expensive.
2) No one knows, change is hard.
3) No one knows, we have to do something.

I am not an educator, not a policy wonk, nor a pre-K expert, but I am a taxpayer and a NUT - No Unnecessary Testing. Peanuts anyone?

Friday, June 3, 2011

Student Data Collection: Purpose, Costs, Risks?

Secretary of Education Arne Duncan says this is a once in a lifetime opportunity to do something different. The current policies are different, but are they better, more effective, and more efficient?

According to the President's Blueprint, the state longitudinal database initiative will provide the targeted accountability to raise achievement by ensuring students are making progress and by linking student achievement to teacher performance. The recently proposed FERPA regulations require additional safeguards for the collection, release, and protection of student data. The fiscal impact at the state and local levels is not mentioned.


Four reasons the public should have deep concerns about the development and proposed regulations and the collection of data from birth to college on every student in the nation:

April 20, 2011, SONY CEO apologizes for major security breach.
Sony Corp. Chief Executive Howard Stringer apologized for "inconvenience and concern" caused by the security breach that compromised personal data from more than 100 million online gaming accounts.

May 17, 2011, Data Breach Infects Massachusetts Unemployment Office.
An estimated 225,000 Massachusetts residents could become fraud victims as a result of a computer data breach in the state unemployment system.

May 27, 2011, Data Breach at Security Firm Linked to Attack on Lockheed.
Lockheed Martin, the nation’s largest military contractor, has battled disruptions in its computer networks this week that might be tied to a hacking attack on a vendor that supplies coded security tokens to millions of users, security officials said on Friday.

June 2, 2011, Google Mail Attack Blamed on China.
Suspected Chinese hackers tried to steal the passwords of hundreds of Google email account holders, including those of senior U.S. government officials, Chinese activists and journalists, the Internet company said.

June 3, 2011, Hackers Attack another Sony network.
Hackers broke into Sony Corp’s computer networks and accessed the information of more than 1 million customers to show the vulnerability of the electronic giant’s systems, the latest of several security breaches undermining confidence in the company.

Friday, May 20, 2011

Education Reform and Privacy Concerns Collide

In February, Grumpy Educators covered U.S. Office of Education initiatives to build and develop longitudinal data systems for education here and here. The requirement for data systems that track student data from preschool through high school and beyond is part of current education reform policy on data-driven decision-making. The data, to be accessed by researchers, auditors and other agencies, may reveal what reforms, methods or textbooks work or do not work so well.

A spokesperson from the Data Quality Campaign, a non-profit founded by the Bill and Melinda Gates Foundation, praises the proposed changes:

"We can't afford not to use this information if we want to meet our big policy goal of graduating students ready for college and career."


However, accessing the data requires changes in current privacy protection law, that is, the Family Educational Rights and Privacy Act of 1974 (FERPA).

The expansion of state student-record systems is central to President Obama's accountability agenda, which seeks to improve education through the better use of data. In a statement issued on Thursday, the U.S. secretary of education, Arne Duncan, said the proposed new rules would "strengthen privacy protections and allow for meaningful uses of data."

According to the Chronicle, the proposed changes would allow sharing of student-level data with researchers, auditors, and other agencies without violating FERPA. The article further notes that Congress prevented the Education Department from creating a national "unit record" data system in 2008, but has also funded states to develop these systems.

There are many serious concerns and unanswered questions about these proposed changes, which affect the rights of parental consent and the collection and use of vast amounts of data on the nation's children. How long will this data remain available? How will it be stored? When will it be erased? Will it be erased? Will parents, and the children themselves once they are adults, know how the information is used?

According to a Missouri Education Watchdog alert, the period for public input and objections to the proposed rule changes is open until Monday, May 23. The alert offers background information, examples of specific objections to the rules, and the website location for registering objections.

If privacy concerns and the lack of interest by Congressional oversight in this matter are important to you, review the Missouri Education Watchdog blog here and consider writing an objection.


http://chronicle.com/article/New-Rules-Would-Allow-for/127047/

http://chronicle.com/article/Why-Privacy-Matters-Even-if/127461/

Sunday, April 17, 2011

Arne Duncan is From the Government and He is Here to Help you

[Reprinted with permission from Missouri Education Watchdog.]
In its effort to clarify student data privacy rules for researchers and education officials alike, the U.S. Department of Education proposed several changes to the Family Educational Rights and Privacy Act, or FERPA, on Thursday and named its first chief privacy officer.
"Data should only be shared with the right people for the right reasons," U.S. Secretary of Education Arne Duncan said in a statement on the proposals. "We need common-sense rules that strengthen privacy protections and allow for meaningful uses of data. The initiatives announced today will help us do just that."

There is a pesky problem standing in the way of sharing student data between states and Federal Agencies: present FERPA standards. If these standards are not altered, the data necessary to supply the workforce cannot be shared.

The DOE promises your student's data will be secure. Really? What's happened the last several weeks or years regarding cyber information?

• TJX, the parent company of T.J. Maxx, Marshalls, and other retailers, has not acknowledged how data on more than 45 million credit and debit card users who had shopped at the company's retail locations was stolen and sold to fraudsters. (May 9, 2007)

• A data breach involving online marketer Epsilon, whose clients are a Who’s Who of major banks and retailers, was only the latest in a string of hacking attacks aimed at getting email records for more thefts. Companies that have said they were exposed since then include banks Citigroup Inc and Capital One Financial Corp, and retailers Walgreen Co and Best Buy Co. (April 5, 2011)

• According to U.S. investigators, China has stolen terabytes of sensitive data -- from usernames and passwords for State Department computers to designs for multi-billion dollar weapons systems. And Chinese hackers show no signs of letting up. "The attacks coming out of China are not only continuing, they are accelerating," says Alan Paller, director of research at information-security training group SANS Institute in Washington, DC.

Secret U.S. State Department cables, obtained by WikiLeaks and made available to Reuters by a third party, trace systems breaches -- colorfully code-named "Byzantine Hades" by U.S. investigators -- to the Chinese military. An April 2009 cable even pinpoints the attacks to a specific unit of China's People's Liberation Army. (April 14, 2010).

The data sets from the National Data Education Model are set and ready to be used on your student. Don't worry if there is a cyber security attack on the Longitudinal Data Systems; information to be gleaned from an attack would only include some of the following:

• Base salary or wage
• Blood type
• Height and Weight
• Dwelling Arrangement
• Health Care History
• Health Care Plan
• Identification Results
• Immunization Status
• Insurance Coverage
• Overall Health Status
• Residence Block Number
• Social Security Number
• Voting Status

The United States Government cannot stop cyber attacks from China; why should taxpayers believe student privacy is secure because of a change in FERPA legislation?

If you believe this information is secure, you will also believe the following:

According to the No Child Left Behind Act, by 2014 every child is supposed to test on grade level in reading and math.
Not every child can test on grade level in reading and math. It's an admirable goal, but impossible to achieve. That's not going to happen. The goal for data systems is to beef up privacy protections. Like the NCLB goal, it sounds great, but if the government cannot stop foreign countries from hacking into military computers, do you believe the DOE can safeguard student data from hackers?

Read this sentence in the second paragraph again: "We need common-sense rules that strengthen privacy protections and allow for meaningful uses of data." The problem with that sentence? Strengthening privacy protections doesn't safeguard the privacy, and the "meaningful uses of data" should raise questions for anyone concerned about the constitutional right to individual privacy that your government is determined to document and share.