Turns out that Learning Management Systems aren’t as secure as they want you to believe–SQL injection vulnerability is a pretty grievous, novice error to make for company like Blackboard.
The US Department of Education has several online resources regarding the collection of students’ personally identifiable information, and even discusses how online education platforms might collect usage metadata from all of our students–but this doesn’t violate FERPA as long as any shared metadata is not directly linked to identifiable information. So there shouldn’t be any issue with that, unless tech companies start using these data and metadata to create a profile of you, even if you don’t have an account with them.
It’s not a stretch to say that a company like Google could take all of these data and metadata from schools’ Google Apps for Education accounts and match them to personal accounts of people whose personal data match. As long as Google keeps the data for themselves (because only disclosing it would violate FERPA), there are no legal protections for any of us, especially our children, from a company that decides to use these metadata to create psychographic profiles for targeted advertising.
“Oh, so Google can show my A-student ads for colleges, and the C-student can get ads for tutoring? What’s the big deal?” The big deal is that an unscrupulous advertising firm might target students based on psychological traits rather than grades alone (which would be Huxleyan enough). Students whose schoolwork shows a lack of critical thinking, or a reactionary mindset–students who are quick to jump to conclusions just by seeing a headline without reading the whole article (or who don’t bother to read the instructions)–they might be susceptible to the kinds of propagandistic voting campaigns that a company like Cambridge Analytica boasted about.
This doesn’t even touch special education plans, disciplinary records, medical records, or even family information (some of my students’ files have had notes about their parents’ divorce arrangements). We need to start taking students’ data more seriously, otherwise they’ll have to worry about their “permanent records” for the rest of their lives.