Speaker 0
0:10 – 0:12
Welcome to Tech Talk. Bye.
Speaker 1
0:13 – 0:13
CT.
Speaker 2
0:13 – 2:12
Tea. Welcome to CTT's Tech Talk, where we dish on tech and Internet policy, while also explaining what these policies mean to our daily lives. I'm Brian Wasilowski, and it's time to talk tech. Today, we'll be talking about the privacy practices of startups in the education space. Unquestionably, privacy matters if you have a business that wants to leverage student data. But our EdTech startups thinking about privacy? And if they are, how are they communicating their practices to parents, teachers, and students? A team of researchers from Carnegie Mellon shares their research on this topic. After that, we talk about privacy, cybersecurity, and autonomous vehicles. Yes. Driverless cars are coming and perhaps sooner than expected. Are the policies in place for The US to be a leader in autonomous vehicles? And should citizens feel secure when they use them both in terms of their privacy and overall safety? Yep. Three, we are recording. Are education focused tech startups doing enough to protect the sensitive data about students that they collect? And if they do have good practices in place around student privacy, are they effectively communicating about their privacy practices? With trust being a huge factor in adoption of ed tech, these are important questions to answer. A A team of graduate students from the school of public policy and management at Carnegie Mellon University recently examined the practices of a number of education technology startups around student data privacy issues. Joe Babler is one of those graduate students, actually a recent graduate. So he's on the job market. So after he impresses you in this tech talk, hire him. He's here with us to talk about the findings of the research. Welcome, Joe. Thanks for having us. And congratulations on graduating. Thank you. Quite an accomplishment. So you were actually recommended to us, by our dear friends at the Data Quality Campaign, who I know and love and respect. So you must be doing some great work.
Speaker 1
2:13 – 2:56
Tell us about your research, why you chose to explore the issue of privacy in EdTech. Yeah. So we're a group of six, and we started out, sort of this general notion that, you know, the student data privacy is an issue, and we wanted to figure out sort of what wasn't answered yet in that space. And after doing a review of the literature and, sort of asking around, we found that while there were a lot of, you know, state lawmakers who were passing bills and there was a lot of look at some of the really big players like Facebook and Google and Pearson and those sorts, There wasn't a really good understanding of startups and sort of the day to day issues that they deal with and the questions that they have and how they actually think about implementing some of the laws that get passed or sort of addressing these technical issues. And so we decided to,
Speaker 2
2:56 – 3:23
you know, ask them, you know, just That's great. Find them and figure out what what it was what their issues were and how. Before we get too far, why don't you tell us the names of the other other people on the team so we don't forget about them? The team is Manny Pritchard and Flora Harvath and Elizabeth Martin and Daisy Huang and Neil Smith and Mitchell Babbling. That's great. So tell us about the findings. After you did this research and looked into it, what did you find? Are ed tech startups, you know, do they care about privacy? So
Speaker 1
3:24 – 5:22
the our findings are intended to be exploratory. Right? We decided to go really deep rather than sort of do a survey. So, very much sort of a way to start the conversation. But, the biggest takeaway that we had was, that companies for for these companies, these startups, you know, a couple of years old, privacy really isn't a priority. And by that, we don't mean that they don't care about privacy or they're not thinking about it. Those things are absolutely true, but they didn't get into the space to make student data more private. Right? They got into the space because they wanted to they had this cool idea for adaptive learning technology or they wanted to gamify this thing or they wanted to Or they wanted to make money. Or they wanted to make money. Right? And the privacy issue is sort of a hurdle that they have to overcome. And so be if you've got, you know, 10 staff and a pretty limited bandwidth to deal with anything, at the end of the day, privacy is something you deal with when you have to, and and, that sort of resonated with most of the companies that we spoke to. Okay. Well, for the ones who did have a privacy policy in place Yeah. Were they how were they on the communication side? Because I know that was a piece of what you looked into. That was we thought that was maybe a good way to get into this topic with them because, everyone you know, if you ask them, would you like your students' data to be more private? Of course, they'll say yes. Right? But what does that actually mean, and how do companies actually talk about it? If, privacy wasn't necessarily a priority or setting those standards wasn't always at the forefront of these companies' minds, communications was even not further on the back burner. Right? If we ask them, you know, how do you how how would you address, you know, if there was some sort of inadvertent disclosure or an issue that came up, how would you talk about that? And in general, they said, you know, what you or I might say. Like, well, we would sort of address that problem when we came to it, and we'd be as clear as we could and explain what happened and how we're addressing it. But thinking proactively about how to explain these really complicated issues to parents and students in schools wasn't something that they sort of thought thought strategically about. That makes sense. So
Speaker 2
5:22 – 5:32
as part of your paper, you provide priority for most. They're not necessarily doing a great job of communicating. Mhmm. What should they be doing?
Speaker 1
5:33 – 7:29
So we tried to pull together some sort of best practices that we got from some of the companies that we talked to and some other things that we saw throughout the EdTech space. And there are some what seem like pretty obvious things, you know, sort of constantly update your technical standards, make sure that someone's staying on top of those things, make really sure that you're not collecting and storing unnecessary data. And that can sound maybe easier than it is. We there were companies that we spoke to who did a really good job at drilling down to each field. And, you know, one company in particular, rather than collecting the using the student ID that many schools give to their students, they just gave them their own ID number because in the event that something bad happened, right, that ID would get out there, and that ID that the school gives them is attached to so many other things. They said, well, we just won't use that. We'll create, you know, create our own unique ID for them. Stuff like that and really figuring out, do we really need this information, or are we just gathering it because it feels like a thing that we might use one day? Perhaps one of the best best practices that we saw was companies thinking really clearly from day one about privacy. So many of these companies, you know, they've been live for a year or two, and they were starting to try and go into new states or new school districts. They were trying to figure out how to address these problems, and they realized that maybe they had to make some changes. And that's harder to do once you're down the road. There was one company in particular, though, that we talked to that really clearly had thought about it from day one, and it made those questions down the road so much easier to answer. Right? When a bigger company approached them because they'd sort of had a lot of success, it was easy for them to say, you know, including your, your sort of add on service isn't really in line with our privacy standards. We've built this trust with our customer, and so that's not gonna work for us. And that was an easy question for them to answer, whereas other companies hadn't thought so clearly from day one. And so it was always something that they had to sort of redo,
Speaker 2
7:30 – 7:52
down the road. That's great. And these sound like tips that actually could apply to all startups, not just EdTech startups. Although, certainly, student data is among the most sensitive. You also had some great recommendations in there for the schools themselves thinking about, you know, working with different ed tech startups and also for investors. What are some of those? And you can take either one first. Well, let me start with school districts.
Speaker 1
7:53 – 9:30
So as as privacy wasn't a priority, there also weren't a lot of ways to for force these companies or encourage these companies to make good decisions. One of the exceptions to that was was when they talked to a school district, when they went up to a school district and said, you know, we'd like you to buy our product because we think it'd really help with x, y, or z. At that point, a lot of these school districts have sort of a technology audit process that they go go through. And then the company would get, you know, somebody who actually read their privacy policy and thought about their technical standards and would come back to them and say, this doesn't work. You gotta change this in the privacy policy. You gotta you're not encrypting up to And that and companies then were happy to, you know, make those changes. They just didn't have any vehicle to get that information before. The second piece of that is that investors didn't seem to care all too much. Sort of across the board with the companies we spoke to, they'd asked the sort of basic due diligence questions, but we thought it was sort of a really missed opportunity for investors to push the companies that they invest in to just think a little bit more critically. Right? There's no one with greater interest in these companies doing well than the people that invest in them. And rather than just asking some basic due diligence questions, we think it'd be really easy and not too expensive for an angel investor to say, offer some technical advice and help that company really sort of be at the forefront of privacy rather than just making sure that they're not the next in bloom or not the next headline grabbing thing. And it it shouldn't be too hard for for them to do that. And so we think that's sort of a missed opportunity for everyone involved. Do you think that privacy itself is becoming a commodity that might be valued? I mean, because that's that's what investors
Speaker 2
9:31 – 9:41
care about. So if suddenly privacy is something that consumers are demanding, then certainly that would make a an ed tech startup more appealing. Absolutely. And,
Speaker 1
9:42 – 10:25
it it doesn't it didn't always feel at least from the perspective of the companies, it didn't always feel like parents necessarily knew what privacy meant. Right? Gotcha. They got a couple of questions, but not nearly as many as they might have if parents had sort of the time or space to think about this. But that would but clearly, parents care and companies care and investors care. And so there might be an easy sort of synergy between those two to work on that issue without spending a ton of money and sort of doing that thinking about good standards upfront rather than down the road once it's so much harder to change things once you already have a bunch of clients. That's great. So where can people find this paper? People can find this paper, we'll have it posted online. Oh, go ahead.
Speaker 2
10:26 – 11:39
Sort of summary. And then if they want a copy, they can reach out to us directly. Okay. And we'll be sure in our little write up of this podcast to include a link to that. So that's fantastic. This is wonderful work. And as I said, it seems relevant to startups beyond EdTech. So thank you for doing it. And thanks for coming on Tech Talk to share your research with us. Thanks so much for having me. One of my favorite cities in The United States, Ann Arbor, Michigan, is a leader in the deployment of driverless cars, or in more precise terms, autonomous vehicles. But before these vehicles become more common nationwide, there are a wide range of policy issues that must be addressed with a number of different federal and state agencies playing a role. The House Energy and Commerce Committee is poised to introduce a package of bills aimed at spurring the deployment of autonomous vehicles across the nation. CDT policy analyst, Joe Jerome, is here to talk about some of those bills and about autonomous vehicles in general. Welcome, Joe. Hi, Brian. So have you been in a driverless car yet? I have not. I actually that it's heartbreaking for me, but I think most most Americans have not been in a driverless car. Would you do it if someone, like, said, you know, get in this car, there's no driver, you would hop in at this point? Oh, yes. I'm all about new technologies. Really?
Speaker 0
11:40 – 12:13
And I and I I think I think we all owe it to ourselves to experience one of these things. You know, part of the conversation around here that's sort of missing is, you know, NHTSA's doing a whole lot of stuff with What's NHTSA? Oh, yeah. Yeah. We're getting into that. You already did it. Accurate. The National Highway, Traffic Safety Administration is sort of working on standards around autonomous vehicles, and they're engaged with the regular players. You know, the GMs, that's General Motors, Ford, and all these other major players. But autonomous vehicles, our first interactions with these things are really gonna be from ride hailing companies like Uber and Lyft and people in cities.
Speaker 2
12:13 – 12:45
And as a result, most people really haven't been exposed to them yet. Unless they go to Ann Arbor, which was just written up in the New York Times as, like, the next Motor City. So let's talk about, obviously, to have vehicles with no drivers on the roads across America, across state lines, you need some policies and practices. And the Energy and Commerce Committee is planning to push out a series of bills to hopefully, like, speed this up. So 14 bills. 14. Okay. That is a package. So what is their goal with this? What are they trying to accomplish? And do we think this is a positive thing? So well,
Speaker 0
12:46 – 14:54
it's a it's a positive goal. No doubt. Part of the problem is that autonomous vehicles are not really regulated at the moment, and they don't really they don't fit comfortably into any of our existing regulatory schemes. The way it works right now is the National Highway Traffic Safety Administration, NHTSA. It's a federal agency. It has broad authority to sort of regulate the safety of automobiles. It's been doing this for years, you know, think about seat belts. And so now it's moving into, like, the hardware and software of cars. At the same time, states have, you know, broad authority to deal with sort of licensing and registration of cars. And now we're having a situation where, you know, who you who you licensing? Who is doing the registration? You don't have a driver. I mean, you used to license the driver. Now you don't have that. And NHTSA, for its part, is having real challenges with it's it's created these standards that say a car is safe. If it has a a a like a, a steering wheel. Driverless cars don't necessarily need steering wheels and there's plenty of evidence to suggest that steering wheels may actually make them less safe, particularly if there's a human behind the wheel. You know, they suddenly get jogged into having to take control of the thing and they veer off the road. So there's just a lot of mismatches here. In the process, states have sort of stepped in to try and do it's at some level, there's I I think there's approximately 20 states that have various degrees of automated vehicles regulation. Then there's just a combination of different federal agencies that are engaged in in this type of stuff. NHTSA is, again, a safety agency. It hasn't, you know, traditionally dealt with cybersecurity. It hasn't dealt with something like privacy. Those are things that are generally handled by the Federal Trade Commission. And so the Federal Trade Commission, since at least 2013, has been really engaged in connected cars and and now autonomous vehicles. And so there's just a a lot of sort of stuff going all over the place, and, I think automakers would like more clarity. I think Congress sees this as an interesting place where there's a lot of bipartisan appeal. Everybody thinks driverless cars are an incredible new technology. Super cool. And so they they wanna do something.
Speaker 2
14:54 – 15:16
Okay. So what are they trying to do? There there's you said there's 14 bills and kind of what they're trying to push through. What are some of them? Obviously, we're not going through all 14. We could go through all 14. No. That'd be disastrous. Let's, let's stick with just a few, and let us know, you know, which ones you are either most excited about or most concerned with. So, I mean, I think the the big headline is that this is going to allow NHTSA to have more exemptions
Speaker 0
15:17 – 19:46
under its current Federal Motor Vehicle Safety Standards. That's m a v s s. It's going to increase the number of vehicles they can put on the road from 2,500 to a 100,000. And and so a lot of these these bills are just basically about increasing exemptions so that NHTSA can do more testing, get more stuff on the road. Okay. So, I mean, my concern I'm on the privacy and data team, so I'm thinking about it from a privacy and cybersecurity angle. And there are four provisions or four proposed bills that have, I think, important privacy and cybersecurity components. There's there's the well, they all have common they have truly terrible acronyms here. The worst I saw. I read your post, Joan. I'm just like, these are terrible acronyms. So I I think the the big one is is the the LEADER Act. With an apostrophe in it. It's terrible. Which is the let NHTSA NHTSA enforce automated vehicle driving regulations. It gives NHTSA, sole authority over the regulation of highly automated vehicles. It preempts, any related state laws that would would prevent the testing or development of autonomous vehicles. So the the problem there is there there isn't a NHTSA standard. So it's basically, I would say, preemptive preemption. It's a very, very broad state level preemption. And, you know, there has been no federal action that really warrants this. Congress is, you know, basically making the act of it's precluding states from acting when when Congress is not gonna be doing anything, and NHTSA has not taken any action. You know, I think that we saying no one can act? Is that what we get to do? It's saying it's saying it's saying NHTSA can act if it so chooses. But as we pointed out last year, NHTSA put out a a a nonbinding policy document about what federal automated vehicle policy should look like. And one of the things about that policy as the the government accountability office noted is that, NHTSA hasn't even decided whether it's going to make a final determination about whether cyber security rules is needed until 2018. After that at that point, once they make that determination, it would be many more years before they got to do anything. So basically, I think it's it's our perspective that it it's way, way, way too early to to be preempting states, particularly when, NHTSA and its other and its other, sort of rule making, particularly around vehicle to vehicle communications, has sort of been, lackadaisical is probably too strong of a word, but less focused on privacy and cybersecurity than I think we would have liked. Okay. So there there's that prong, which preempt states. There's also, the memo act, which is, like, managing government efforts to minimize AV obstruction act. So MEMO comes out of that somehow. I have no idea how. So this this act, it instructs NHTSA and the Federal Trade Commission, to basically play nice, and to stay in their respective lanes when it comes to policing the privacy and cybersecurity of automated vehicles. It would require them to sign a memorandum of understanding, an MOU that would prevent overlap and duplication of their their oversight of these things. I think our concern is that what we really need is more collaboration here, not less. This this effort to, you know, reduce duplication, it doesn't actually do anything to improve cybersecurity and data privacy through any actual standards or meaningful control. And and the fact is these agencies are working together already. Just just a couple of weeks ago, they held a joint workshop exploring privacy and cybersecurity issues. They've been involved in commenting. They clearly have a good relationship. It's not entirely clear why an MOU is needed. And I I think one of, you know, our concerns is the the dearly departed broadband privacy rules. When we looked at an MOU between the FTC and the FCC, that MOU's talked about, you know, coordination, consultation, regular meetings, sharing of information. Whereas this is about divvying up privacy and cybersecurity responsibilities, based off of an arbitrary line that isn't entirely clear. It's not entirely clear what an automated vehicle system would be, you know, when the FTC kicks in, when NHTSA kicks in. They also have very, very different, functions and operations. NHTSA is, again, a safety agency focused in focused on creating safety standards. The Federal Trade Commission is about protecting consumers, and that's where it sort of gets its privacy and cybersecurity mission. And and so it would be, I think, again, prematurely divvying up enforcement responsibilities.
Speaker 2
19:46 – 20:07
That makes sense. Okay. So what should any sort of regulations look like? Let's focus on your area of expertise, the privacy and cybersecurity. As their you know, whatever structure this ends up taking in terms of who's responsible, what are some of the biggest considerations that you think should be on the table right now? Well, I mean, this goes to our general notion that there should be some baseline rules.
Speaker 0
20:07 – 21:16
We would like to see some affirmative rule making authority from the Federal Trade Commission to work alongside NHTSA to sort of create these type of things. At the same time, you know, we'd also like to see more involvement by, I think, privacy experts and civil society in the NHTSA NHTSA's existing ongoing rule makings in vehicle to in the vehicle to vehicle space. You know, two of the other bills, because, of course, there has to be two of these bills, create councils. So one of them is about, basically, data sharing, sharing of information that results from how these cars are used, so testing, any accidents. And then there's a a council that would create a cybersecurity advisory council. These are both great ideas. They're things that we've proposed and in our comments last year around federal automated vehicles policies. We'd like to see more of these multi stakeholder councils. Of course, these bills don't actually mandate that any sort of privacy advocate or privacy expert or consumer advocate be a part of these councils. They're very much industry driven. And that's sort of been, I think, one of the the challenges around the connected car space. Industry's approach, and NHTSA has largely gone along with this, has been a a just trust us,
Speaker 2
21:16 – 21:20
which That always works out great, doesn't it? No. It doesn't work out ever.
Speaker 0
21:21 – 22:30
And then you end up having terrible terrible PR and, you know, Wired magazine will have an article with some researchers that suggest that we can hack into vehicles. And part of this is just because, the the auto industry and and some of the regulators have not been really engaged with a full group of stakeholders that have had lots of different thoughts about these things. You know, I point out just, again, we did comments, around NHTSA's vehicle to vehicle rulemaking, when with with a number of leading, computer scientists and and cryptologists who were just literally, they they approached us saying this rulemaking is a privacy and security disaster. How in the world has it gotten this far without it's getting our input into this thing? And so we actually joined with them to do a couple of comments. So, you know, I'm not sure I've really answered your question so much as I think what's really important is to get more people aware of what's going on, unless, you know, we wanna take the approach that we're just going to trust the auto industry to do things here. Well, it sounds like they should invite Joe Jerome to the table here. I I would happily be there. And, hopefully, they can they can summon me and and drop me off in an automated vehicle. That would be great. So prediction time. When do you think that we're gonna see,
Speaker 2
22:30 – 22:34
more driverless cars in DC? Oh, that's a very good question.
Speaker 0
22:35 – 22:49
Probably pretty soon. If nothing else if nothing else, the the auto industry has been keen on in making these vehicles available to as many people as they possibly can just so they can sort of show them off and show off the potential of the technology.
Speaker 2
22:50 – 22:57
Well, it's an exciting issue. I look forward to being in one, and I am glad that we have privacy folks like you paying attention Thank you Joe for being a
Speaker 1
22:59 – 23:00
tech
Speaker 2
23:02 – 23:22
talk That's it for this episode of tech talk you can read more about CDT's work on privacy and cybersecurity standards for autonomous vehicles at cdt.org. And if you'd like to get updates on all of CDT's privacy work, subscribe to our e newsletter through the CDT website and follow us on social media. I'm Brian Wasilowski. Thanks for listening.