Dear Congress, you are being duped. HR4174-S2046 is a Privacy Fail. Here’s why. And please no more suspended rules and voice votes on these bills.
The GOP Majority Staff of the Congressional House Committee on Oversight and Government Reform wrote and distributed a response to my November 12 blogpost that opposed HR4174. This response, which folks can see here begins with,
“The Eagle Forum and other groups representing interests such as home schooling have raised concerns about H.R. 4174, the Foundations for Evidence-Based Policymaking Act of 2017. The concerns relate to how the bill would affect the privacy of citizens (especially school-aged children) whose data is being stored by the federal government. Those concerns arise from a misunderstanding of what the bill does to the personal data that the government already has.”
Let me clear something up. I am not a member of Eagle Forum nor am I a member of a home school group, not that I have anything against them; I just don’t want them to be responsible for what I say. Missouri Education Watchdog lets me write on their blog but my views are my own. I am a mom. My special interests are my children. I write as a parent, because like many parent advocates, blogging is the only (small) way to be heard.
My concern DOES NOT “arise from a misunderstanding of what the bill does to the personal data that the government already has.” You have it sort of right; let me restate it:
MY CONCERN IS THAT THE GOVERNMENT HAS CITIZENS’ AND ESPECIALLY SCHOOL-AGED CHILDREN’S PERSONAL DATA, WITHOUT PERMISSION…AND IS EXPANDING ACCESS, ANALYSIS OF THIS DATA, AGAIN WITHOUT PERMISSION.
It’s not your data. Data belongs to the individual. Data is identity and data is currency. Collecting someone’s personal data without consent is theft. (When hackers took Equifax data, that was illegal. When the government takes data… no different.)
If you support parental rights, you should not support HR4174 or its sister bill S2046. Parents are often left out of the conversation about laws affecting their children.
I will say it again… When it comes to their own children, parents have little to no say in education matters. Parents are not invited to fancy conferences, we often aren’t even allowed to attend them. Parents don’t have a travel budget, a lobby budget, or a paid assistant to help write rebuttals and policy briefs. Nope, we are moms and dads and grandparents doing the best we can to protect our children. And that is why I am responding to the federal government’s response to my blogpost opposing their bill(s) HR4174 and S2046, Foundations for Evidence-Based Policymaking Act of 2017.
I invite members of Congress and policy makers, rather than refute, or ignore, please have a discussion with those closest to the children: parents.
You impose legislation that directly impacts our children and our families, without our input. We elected you to represent us, “we the people”. Please hear us, the parents. These are our children, not your human capital, not your data, not your property.
What follows are sections on:
- Brief status of student data collection
- History and mission of CEP Commission, current linking of IRS data, Census Data, Education data.
- China, the US, tech companies and collection, analysis of citizens’ data, dangers of algorithms, metadata profiling.
- Status of HR4174, voice votes and suspended rules (why this controversial bill should have had neither)
- FACTS. Links to bill text, refuting the House Oversight rebuttal.
- Here is a two pager citing only facts, bill text. http://tinyurl.com/HR4174twopage
The current state of student data collection:
You need to know that state databases (that HR4174 would link to), and edtech companies, DO collect students’ personal information without parent consent. See this report from Electronic Privacy Information Center, EPIC, Amassing student data and dissipating privacy rights and this report from EFF, Spying on Students.(broken links updated January 2019.)
Bill Gates, who has spent billions on reforming education, creating and sharing standardized data, state databases, also wants a national student database, linking k-12 and higher ed data. According to The Gates Foundation 2016 Priorities, this is the national database infrastructure he has in mind. Coincidence?
State agencies currently maintain personally identifiable data about citizens, including k-12 school children. My focus is on student data because student data are collected and shared and analyzed without parent consent. Parents have a right to direct our children’s education and citizens have a right to be secure in their property. …or do we? Taking personal information about a child, and sharing it, without the parents’ knowledge or consent is (SHOCKINGLY) legal, thanks to a 2011 executive rule change that weakened FERPA.
Any Congressperson who would like to spend his or her Thanksgiving dinner explaining to friends and relatives why you think taking personal information about a child and sharing it without parent consent is ethical or principled, please go ahead. Also, let them know that you passed a bill giving more access to this ill-gotten, personal information of students. Be my guest.
As for me, I find HR4174 collection, sharing of a school child’s personal data without parent consent, unconstitutional and unethical and a violation of children’s privacy and parental rights.
The Electronic Frontier Foundation also challenged nonconsensual sharing of students’ personal information and the weakening of FERPA. See the EPIC lawsuit against the US Department of Education here.
Very personal information about k-12 students (ie: personal background info on kindergarten-12 registration forms, demographics, race, health records, disability status, income status, a multitude of invasive surveys, even personality tests, etc.) is currently collected at all public k-12 schools and can be shared outside of the school, without the parents’ knowledge. Many have said for years, student data collection is out of control and we are not protecting children: Asleep at the Switch: Schoolhouse Commercialism, Student Privacy, and the Failure of Policymaking.
Meta data and mouse-clicks to predict a child, measure their behavior. Amazon and Facebook and Google and Microsoft and many other edtech companies are invading the classroom. Edtech companies like DreamBox, Khan Academy, and Knewton use adaptive or “personalized” online programs that collect large amounts of data on each child. Knewton claims 5- 10 million data points per child, per day. DreamBox claims 50,000 data points per hour on each student. These “Personalized” software programs embedded in education technology are collecting data about a student, secretly determining which questions students will see, measuring how fast a child reads, what he or she clicks on, how long he or she takes to answer a question. This meta data is sometimes being used to measure a child’s “social emotional learning” and engagement. One assessment company, NWEA, measuring test item response times, says if a child responds to a test question too quickly, this will give him/her a low engagement score. NWEA thinks a child’s rapid response means the child is guessing and this disengagement can be applied to other “deep rooted problems” in a student’s life such as,
“a student’s likelihood of disengaging on a test was associated with his or her self-management and self-regulation skills, the ability, for example, to show up for class prepared and on time. “As they disengage from tests and the course material, a whole host of other things come up … attendance, suspensions, course failure … that have been connected to risk of dropping out of school,”
In a digital environment, everything a child does online can be captured, connected and catalogued. The LearnSphere project funded by the National Science Foundation and handled by Carnegie Mellon, explains this project which began in 2014:
“There are several important initiatives designed to address these data access challenges, for individual researchers as well as institutions and states. LearnSphere, a cross-institutional community infrastructure project, aims to develop a large-scale open repository of rich education data by integrating data from its four components. For instance, DataShop stores data from student interactions with online course materials, intelligent tutoring systems, virtual labs, and simulations, and DataStage stores data derived from online courses offered by Stanford University. Click-stream data stored in these repositories include thousands and even millions of data points per student, much of which is made publicly available to registered users who meet data privacy assurance criteria. On the other hand, MOOCdb and DiscourseDB, also components of LearnSphere, offer platforms for the extraction and representation of student MOOC data and textual data, respectively, surrounding student online learning interactions that are otherwise difficult to access or are highly fragmented. By integrating data held or processed through these different components, LearnSphere will create a large set of interconnected data that reflects most of a student’s experience in online learning.” http://www.sr.ithaka.org/publications/student-data-in-the-digital-era/
Shouldn’t parents be able to see and consent to this information being collected and analyzed about their children? Will researchers and edtech companies be granted MORE access to the personal student data held by the National Secure Data Service, that HR4174 creates? (Yes, according to the bill excerpts below.)
Personal information about a student is already shared to a state longitudinal database, SLDS. See here for what data elements are stored in the state data dictionary. The states share this personal student data (personally identifiable information, pii) with other agencies, corporations, researchers–again without parent notification or consent, and parents cannot opt out. See here for example of state agreements to share student pii with companies, researchers, agencies, etc.
The Department of Defense also has access to student data through the Federal Learning Registry is a joint student data gathering project between the Department of Defense and the Department of Education. The Learning Registry and US Department of Education are also “encouraging districts and states to move away from traditional textbooks” and instead use the Learning Registry’s openly-licensed online materials, (Online Educational Resources, OERs), facilitated by Amazon, Microsoft, Edmodo, ASCD, Creative Commons. Can parents see this data or opt out? Nope.
The safest way to protect data, is minimize its collection. HR4174 does not minimize data collection, nor does it decrease disclosures. Schools and student databases across the country are currently being hacked and held for ransom, students threatened by cyber terrorists. With the federal government’s track record of failing FITARA security scores, and recent data breaches, the thought of the federal government coordinating and maintaining expanded access to state level student data is concerning.
History and mission of CEP Commission
HR4174 is a result of the CEP (Commission for Evidence-based Policy); as stated in the bill and in the CEP final report, its purpose is identifying and reducing or removing barriers to accessing state-level data. The CEP commission held several meetings and three public hearings. I suggest you review the minutes, video and audio of these meetings and hearings. You can read about the history of the CEP commission, watch the first public hearing, see written testimony submitted here.
The testimony from Oct 21, 2016 CEP hearing panelists is enlightening:
For example: RK Paleru of Booz Allen Hamilton’s testimony, said that BAH supports, among other things, linking student data from surveys and multiple agencies, public-private partnerships, and data analytics, and “bringing the private sector perspective to the conversation.” He also stated the need for a data clearinghouse to be self-service and like a “Pinterest for data“, or data as paid service, and wanted to promote inter-agency data sharing.
Another Oct 21 CEP hearing panelist, Rachel Zinn, Workforce Data Quality Campaign, WDQC, said because of the current ban on a federal student database, “stakeholders” don’t have access to student information, she goes on to say in order to link and share data, stakeholders often have to use “non-standard processes, often goes through personal relationships or particular capacities within agencies at particular times” .
Panelists at Feb 9, 2017 CEP hearing (listen to Audio at 57 min to 1hr14min mark):
Panelists discuss making it easier to link personally identifiable information from IRS records and personal information from Census population survey, personal information from education records and SLDS. With the CEP Commission making this personal data more accessible, more available, the researcher feels “like a kid in candy store“. There are great barriers that prevent researchers from getting this data, currently researchers have to get it by “hook or crook” or “by leveraging personal relationships”… CEP questions the coercive nature of obtaining this data. At 1hour 11 minutes, they discuss how currently they can link Census population survey data and personal IRS data, with persistence any academic researcher can access these data, you just have to know the steps to get there and I think that’s the Commission’s charge“…
The Feb 24, 2017 CEP meeting:
Again, panelists discuss how they are already linking personally identifiable education records with IRS records, but cite it is difficult and barriers need to be removed to make it easier to link this pii data between agencies.
CHINA and US: Meta data, predictive algorithms, analyzing and generating data, social engineering
Linking all this personal data on citizens reminds me of why I mentioned that China collects and links data about its citizens. Is there anything in HR4174 that says personal data cannot be used to rank a person, create a reputation score, or profile a person? HR4174 allows meta data analysis, generation of new data that can be used to predict and profile. Algorithms can be biased and wrong. HOW can you possibly police this? A good start would be Europe’s General Data Protection Rule.
Tech companies in the US are ramping up their use of predictive analytics, artificial intelligence, despite dire warnings of existential risk . This article on Twitter, Facebook and Google analytics is a warning on why we should be concerned. Do Facebook and Google have control of their algorithms anymore? A sobering assessment and a warning,
““Google, Twitter, and Facebook have all regularly shifted the blame to algorithms when this happens, but the issue is that said companies write the algorithms, making them responsible for what they churn out.”
Algorithms can be gamed, algorithms can be trained on biased information, and algorithms can shield platforms [tech companies] from blame.”
YET, have you ever heard of Yet Analytics? To quote this article, Yet, HP and the Future of Human Capital Analytics: AI and your reputation score,
“querying of big data comprising information on learning, economic and social factors and outcomes gathered by the World Bank, the World Economic Forum, the United Nations and elsewhere. The outcome is the ability to predict multi-year return on investment on a great variety of learning, economic and social measures. We knew that variables including adolescent fertility rates, infant mortality rates and the balance of trade goods all had significant relationships with GDP per capita.”
Microsoft of course uses artificial intelligence and analytics with Cortana technology, but also has MALMO built in the MINECRAFT platform, “How can we develop artificial intelligence that learns to make sense of complex environments? That learns from others, including humans, how to interact with the world? Project Malmo sets out to address these core research challenges, addressing them by integrating (deep) reinforcement learning, cognitive science, and many ideas from artificial intelligence.” Microsoft also has PROJECT BRAINWAVE capturing real time artificial intelligence data.
Facebook and your credit score? Facebook reportedly has a patent for technology that could potentially be used for evaluating your credit risk, which they say could be used to view your social network connections and determine your credit worthiness.
Status of HR4174
HR4174 was introduced on 10/31/2017 and was passed on voice vote in the House Oversight and Government Reform. Yesterday, the US House of Representatives suspended their rules, something that, according to this document, is only done on non-controversial bills. Judging by the public outcry and the rebuttal response from House Oversight, I would argue this bill is controversial and should not have been voted on suspended rule. With rules suspended and another voice vote, the House unanimously passed HR4174 on 11/15/2017. Watch the vote, starting at 4hr 52min mark here.
FACT: Parents cannot opt students out of this state data collection that is obtained without consent.
- neither FERPA nor current state law allows a parent to opt out of these federal or state-required data collection processes. https://www.cde.state.co.us/cdereval/datacollectionoptoutrequests
HR4174 will increase access to this state-level student data, allowing data to be linked or disclosed with government agencies, researchers, again without consent.
- If HR4174 does allow parental consent, does allow parents to opt out of student data collection and sharing, please correct me. It would be imperative to specifically state parental consent and opt out rights in the bill, so schools and parents are aware of this provision. There’s still time to add this opt out provision in the Senate.
FACT: HR4174 removes barriers to data access and creates a National Secure Data Service (NSDS) with a Chief Evaluation Officer in each federal department; the NSDS will be coordinated through the Office of Management and Budget (OMB). Data officers in each agency oversee the dissemination and generation of data between agencies and private users, contractors, researchers while finding new and innovative ways to use technology to improve data collection and use.
Does that sound like a national system to manage and disclose data? …Keep reading.
- § 3520A. Chief Data Officer Council
“(a) Establishment.—There is established in the Office of Management and Budget a Chief Data Officer Council (in this section referred to as the ‘Council’).
“(b) Purpose and functions.—The Council shall—
“(1) establish Governmentwide best practices for the use, protection, dissemination, and generation of data;
“(2) promote and encourage data sharing agreements between agencies;
“(3) identify ways in which agencies can improve upon the production of evidence for use in policymaking;
“(4) consult with the public and engage with private users of Government data and other stakeholders on how to improve access to data assets of the Federal Government; and
“(5) identify and evaluate new technology solutions for improving the collection and use of data.
FACT: HR4174 requires each agency (see list of 17 different agencies, A-Q below, who will maintain and disclose data) and will make any data asset maintained by the agency available to any statistical agency. The head of each agency shall …make a list of data the agency intends to collect, use, or acquire. This data may be in an identifiable form and may include operating and financial data and information about businesses, tax-exempt organizations, and government entities.
- HR4174 PART D—ACCESS TO DATA FOR EVIDENCE
“§ 3581. Presumption of accessibility for statistical agencies and units
“(a) Accessibility of data assets.—The head of an agency shall, to the extent practicable, make any data asset maintained by the agency available, upon request, to any statistical agency or unit for purposes of developing evidence.
- § 312. Agency evidence-building plan
“(a) Requirement.—Not later than the first Monday in February of each year, the head of each agency shall submit to the Director and Congress a systematic plan for identifying and addressing policy questions relevant to the programs, policies, and regulations of the agency. Such plan shall be made available on the public website of the agency and shall cover at least a 4-year period beginning with the first fiscal year following the fiscal year in which the plan is submitted and published and contain the following:
“(1) A list of policy-relevant questions for which the agency intends to develop evidence to support policymaking.
“(2) A list of data the agency intends to collect, use, or acquire to facilitate the use of evidence in policymaking.
“(3) A list of methods and analytical approaches that may be used to develop evidence to support policymaking.
“(4) A list of any challenges to developing evidence to support policymaking, including any statutory or other restrictions to accessing relevant data.
Agencies involved in the HR4174 Federal evidence-building activities.
HR4174 “SUBCHAPTER II—FEDERAL EVIDENCE-BUILDING ACTIVITIES
“§ 311. Definitions
“(1) AGENCY.—The term ‘agency’ means an agency referred to under section 901(b) of title 31.
901(b) of title 31 :
(1) The agencies referred to in subsection (a)(1) are the following:
(A) The Department of Agriculture.
(B) The Department of Commerce.
(C) The Department of Defense.
(D) The Department of Education.
(E) The Department of Energy.
(F) The Department of Health and Human Services.
(G) The Department of Homeland Security.
(H) The Department of Housing and Urban Development.
(I) The Department of the Interior.
(J) The Department of Justice.
(K) The Department of Labor.
(L) The Department of State.
(M) The Department of Transportation.
(N) The Department of the Treasury.
(O) The Department of Veterans Affairs.
(P) The Environmental Protection Agency.
(Q) The National Aeronautics and Space Administration.
FACT: Data is shared between designated statistical agencies and can be personally identifiable data. Agencies and the Director can promulgate their own rules about data disclosure and sharing. The overseers of disseminating and generating can make their own rules.
“(c) Sharing of business data among Designated Statistical Agencies.—
“(1) IN GENERAL.—A Designated Statistical Agency may provide business data in an identifiable form to another Designated Statistical Agency under the terms of a written agreement among the agencies sharing the business data that specifies—
“(A) the business data to be shared;
“(B) the statistical purposes for which the business data are to be used;
“(C) the officers, employees, and agents authorized to examine the business data to be shared; and
“(D) appropriate security procedures to safeguard the confidentiality of the business data.
(1) The Census Bureau of the Department of Commerce.
(2) The Bureau of Economic Analysis of the Department of Commerce.
(3) The Bureau of Labor Statistics of the Department of Labor.”.
- “(3) BUSINESS DATA.—The term ‘business data’ means operating and financial data and information about businesses, tax-exempt organizations, and government entities. [Note: Schools are tax-exempt and government entities.]
- “§ 3562. Coordination and oversight of policies“(a) In general.—The Director shall coordinate and oversee the confidentiality and disclosure policies established by this subchapter. The Director may promulgate rules or provide other guidance to ensure consistent interpretation of this subchapter by the affected agencies. The Director shall develop a process by which the Director designates agencies or organizational units as statistical agencies and units. The Director shall promulgate guidance to implement such process, which shall include specific criteria for such designation and methods by which the Director will ensure transparency in the process.
- “(b) Agency rules.—Subject to subsection
- (c), agencies may promulgate rules to implement this subchapter. Rules governing disclosures of information that are authorized by this subchapter shall be promulgated by the agency that originally collected the information.
FACT: Data is linked between agencies.
- “§ 316. Advisory Committee on Data for Evidence Building During the first year of the Advisory Committee, the Advisory Committee shall—
“(B) evaluate and provide recommendations to the Director on the establishment of a shared service to facilitate data sharing, enable data linkage, and develop privacy enhancing techniques,
FACT: Data may be shared with private organizations, researchers, consultants, contractors, employees of contractors, government entities, individuals who agree in writing to comply with provisions.
- “(e) Designation of agents.—A statistical agency or unit may designate agents, by contract or by entering into a special agreement containing the provisions required under section 3561(2) for treatment as an agent under that section, who may perform exclusively statistical activities, subject to the limitations and penalties described in this subchapter.
“(2) AGENT.—The term ‘agent’ means an individual—
“(A)(i) who is an employee of a private organization or a researcher affiliated with an institution of higher learning (including a person granted special sworn status by the Bureau of the Census under section 23(c) of title 13), and with whom a contract or other agreement is executed, on a temporary basis, by an executive agency to perform exclusively statistical activities under the control and supervision of an officer or employee of that agency;
“(ii) who is working under the authority of a government entity with which a contract or other agreement is executed by an executive agency to perform exclusively statistical activities under the control of an officer or employee of that agency;
“(iii) who is a self-employed researcher, a consultant, a contractor, or an employee of a contractor, and with whom a contract or other agreement is executed by an executive agency to perform a statistical activity under the control of an officer or employee of that agency; or
“(iv) who is a contractor or an employee of a contractor, and who is engaged by the agency to design or maintain the systems for handling or storage of data received under this subchapter; and
“(B) who agrees in writing to comply with all provisions of law that affect information acquired by that agency.
FACT: You are correct that HR4174 does repeal E–Government Act of 2002 (Public Law 107–347; 44 U.S.C. 3501 and re-insert it in title 44. However, the CIPSEA penalty of $250,000 fine or 5 years prison is not new; it has been in place since 2002. Student data has been collected and shared without consent since 2012-CIPSEA was not applicable or not enforced. Ironically, HR4174 weakens CIPSEA.
CIPSEA is amended to expand access to data. Additionally, once again, the Director can promulgate regulation on what data to share.
“(a) Statistical agency responsibilities.—To the extent practicable, each statistical agency or unit shall expand access to data assets of such agency or unit acquired or accessed under this subchapter to develop evidence while protecting such assets from inappropriate access and use, in accordance with the regulations promulgated under subsection (b).
“(b) Regulations for accessibility of nonpublic data assets.—The Director shall promulgate regulations, in accordance with applicable law, for statistical agencies and units to carry out the requirement under subsection (a). Such regulations shall include the following:
“(1) Standards for each statistical agency or unit to assess each data asset owned or accessed by the statistical agency or unit for purposes of categorizing the sensitivity level of each such asset and identifying the corresponding level of accessibility to each such asset. Such standards shall include—
“(A) common sensitivity levels and corresponding levels of accessibility that may be assigned to a data asset, including a requisite minimum and maximum number of sensitivity levels for each statistical agency or unit to use;
“(B) criteria for determining the sensitivity level and corresponding level of accessibility of each data asset; and
“(C) criteria for determining whether a less sensitive and more accessible version of a data asset can be produced.
“(2) Standards for each statistical agency or unit to improve access to a data asset pursuant to paragraph (1) or (3) by removing or obscuring information in such a manner that the identity of the data subject is less likely to be reasonably inferred by either direct or indirect means.
“(3) A requirement for each statistical agency or unit to conduct a comprehensive risk assessment of any data asset acquired or accessed under this subchapter prior to any public release of such asset, including standards for such comprehensive risk assessment and criteria for making a determination of whether to release the data.
Continually saying that you aren’t collecting new data is meaningless–because the data was illegally obtained in the first place. HR4174 allows personal data to be shared without consent and importantly, allows generated data, meta data analysis of citizens without consent. Personal data belongs to the individual. Data collection without consent is theft. It’s time the US updated our privacy laws –not to further weaken them. Instead, it’s time for Congress to be a leader: minimize the data collected, protect privacy and security, and look to Europe’s General Data Protection Rule, the strictest privacy law in the world.