Speaker 0
0:10 – 0:12
Welcome to Tech Talk by
Speaker 1
0:13 – 0:14
CDT.
Speaker 2
0:16 – 1:57
Welcome to CDT's Tech Talk, where we dish on tech and Internet policy while actually explaining what these policies mean to our daily lives. I'm Brian Wesolowski, and it is time to talk tech. This week, we'll take a look at student privacy and explore what parents, teachers, administrators, and students should be thinking about when they engage in today's digital classroom. And we'll be talking about passwords. We've heard a billion tips on what makes a good password. But today, we'll answer why certain passwords are good and go into ways that you can manage your passwords without going crazy. If you wanna make people nervous about the notion of big data, mention it in the context of students or children. Yes, some might think of the potential of data and technology to transform education for the better, but plenty will worry about the privacy of their children and the potential for student data being used in ways that no sane parent, teacher, or actual student would expect. Yes. To make technology work in schools and encourage adoption, privacy really, really matters. In the absence of strong student privacy protections at the national level, many states have taken proactive steps to enhance privacy protections for students in the digital age. CDT's Alex Bradshaw joins me today to discuss what we should know about the current state of play in student privacy and the questions you should be asking if you're a parent, teacher, or student. Hi, Alex. Hi. Thanks for joining us. Welcome. So the classroom is pretty different today than when you and I were in school. What do you think are some of the most exciting technological changes that you've seen in classrooms? Oh my gosh. There are so many. I think on the K through 12 level,
Speaker 0
1:58 – 3:01
we have, I mean, apps and services that can track scrolling patterns on a site, that can track how long it takes a kid to answer a question. On the college level, we're seeing the increase in use of MOOCs, massive online open courses. What the heck are those? Is it right? It's a funny little acronym, but basically, it brings free courses to students online from some of the top universities in the world, from leading academics. It's a really fantastic type of platform. And then even on, like, the administrative level for schools, schools are now using student ID cards and swipes of student ID cards for campus planning. So things like how long should the cafeteria be open for, depending on what hours students are swiping in. How long should the gym be open for? What hours are students not really using the gym? You know, what type of lunch items are popular? What events are being attended, and by which type of groups? Are a lot of freshman girls attending this particular event?
Speaker 2
3:02 – 3:54
So education technology is really booming. It's a fantastic time to be in that space, and it's also a great time to be thinking about privacy. Yeah. No. Exactly. As you were saying all that stuff, a lot of it, I'm like, oh wow, that's really cool, thinking back to my, you know, K-12 days and even college days with the Spyder card, which was our, you know, card that we swipe. But I had no idea how they were using it; I thought it was mostly just a debit card because my parents would fill it in. But also, as you went there, it raised a lot of flags for me too. So you mentioned that, you know, freshman girls going to events, like what events they went to. That could be really, you know, useful information to someone in a bad way. So what are, as you're thinking about this, you're thinking about student privacy both at the K-12 and, you mentioned, higher education, what are the potential risks? And, you know, what are the things that CDT is working on to try to mitigate
Speaker 0
3:55 – 4:37
Right. So use of EdTech is increasing, of course. And with increased use of EdTech comes increased collection of students' data. That's not necessarily a bad thing. The issue is that we don't have an extensive federal regulatory framework in place to complement this data collection. So the main federal student privacy law is the Family Educational Rights and Privacy Act, or FERPA. And then we should have a law that regulates EdTech or that extends to EdTech, but there really isn't anything yet, at least in our privacy law framework.
Speaker 2
4:38 – 4:41
So does EdTech fall differently than general privacy?
Speaker 0
4:42 – 6:07
Or how does it differ from them? In terms of the laws that apply to it? Yeah. So there are things like FTC Act Section 5 that can be used when EdTech's practices are considered unfair or deceptive. And it's possible that the FTC could go after a company based on an unfair or deceptive business practice. Like, they say they're not gonna collect certain data or not gonna share some data, and they do. Okay. But that Section 5 is really regulating more bad actors and not just putting in place certain best practices in legislation, and that's what we really desperately need right now. Not just a way to manage the bad actors among EdTech, but managing just the majority of EdTech. Standards. Yeah. They want to do great work for schools and for students, but we need to be doing it with privacy in mind, with security in mind. So with that being said, CDT has been advocating for a couple of things. One, we need to amend FERPA. FERPA is outdated. It was tough. It's a bad name too. FERPA, just, yeah. I know. See, I've heard of worse, but FERPA, yeah. So it needs to be updated, though. It was passed in the nineteen seventies. Things like the definition of educational record arguably do not include many types of data that EdTech collects, like your lunch item choice, like geolocation data.
Speaker 2
6:08 – 6:27
And so educational record likely needs to be broadened a bit, so it will encompass those sorts of data. Yeah. Before, it was probably things just like grades in general, which is what a lot of people think of. But now you were even mentioning, like, monitoring how you move the mouse on a screen or how long it takes you to answer a question. I mean, gosh, the amount that would be in your educational record
Speaker 0
6:27 – 9:07
is expansive now compared to what it was even ten years ago. Right. And then the Department of Education enforces FERPA, but their enforcement authority is pretty limited in terms of what penalties they can seek. And it's basically limited to removing all federal funding from a school, which is a death sentence, right, for schools. And I don't think it really helps in the long run. So the penalties need to be expanded for FERPA as well. So CDT is pushing for those sorts of changes to the existing federal student privacy law, but also pushing for legislation that extends to EdTech, that will put those best practices in place that we were talking about and address bad actors when those acts are done. And then within that legislative work, we also wanna make sure that companies and schools and legislators are thinking about putting sharing limitations and retention limits within their policies. What do you mean by that? Can you expand on it? Right. Like, sharing with outside parties? Or... Right. So a lot of the time, data that's collected on students is shared with third parties. Sometimes it's for research, just to make sure that services are working, to make sure that learning outcomes are improving based on the technology, and that can be very useful. But there may be cases when sharing with a third party may not meet the students' reasonable expectation of privacy, like sharing it with a marketer, you know. So, you know, why would your answer to a math question be shared with a magazine that is, you know, targeting teens of so-and-so age? Like, certain things just don't really make sense. Okay. So we wanna make sure that when legislation is being written, but also when companies and schools are developing their policies and sharing, that they have in the back of their mind what reasonably is being expected by students and parents. Sure.
And you mentioned the retention of that data. I mean, is there a standard that CDT is advocating for, or does it differ by different types of data? I think it may differ by different types of data, but I think more so it differs by the user's preferences and the user's expectations. I think at CDT, we use this word privacy a lot. I think at the core of privacy is user autonomy and user choice. So we really wanna see not, you know, just an automatic delete all data at so-and-so time. We don't necessarily need a specific, you know, deadline for how long data should be held on to, but more so controls being included for certain technologies that allow for students or parents to request deletion when the data is no longer being used for K through 12 purposes.
Speaker 2
9:08 – 9:28
And just have more autonomy over how long that data is just sitting around in a company's, sure, data bank. That makes sense. So you've covered a lot of ground in here. Are there any areas in, you know, the kind of broader national debate about student privacy that you think should be elevated a bit more or are kind of missing from the conversation? Absolutely.
Speaker 0
9:28 – 10:17
I'm thinking about them more and more these days. But post-secondary school students' privacy is not discussed very much amongst stakeholders. And I think... Is that because they kinda treat them as adults then? Or... I've heard a lot of different answers. I've heard that it's complicated. And it is complicated, but I think it's problematic enough and meaningful enough work that we need to work through those complications. For one, when you start talking about post-secondary school, it's not only FERPA that comes into play, but you're dealing with more health data being collected. You know, when you go to your health services on campus, you're dealing with financial information being collected and loan information and, you know, all of your financial history. So you have the Gramm-Leach-Bliley Act, the GLBA,
Speaker 2
10:17 – 10:41
being applied. And this is a lot of, I mean, if you're thinking at that stage of life, it's the first time you're dealing with these things when you really think about it. I mean, I think that's the first time I was aware of, wow, I have to deal with money in a way that's very different, and health is under my control more so than my parents making appointments for me. In that case, poor, you know, data collection, use, and sharing practices could really impact that kid's future, you know, personal, professional, and financial
Speaker 0
10:42 – 12:17
well-being. So I definitely wanna see the conversation, maybe not shift, but broaden to include college, post-secondary school students. I'd also like to see more discussion around how EdTech data collection impacts historically disadvantaged students. So yes, EdTech may be used in some ways to be a great equalizer, you know, bringing, for example, the MOOCs example, bringing top professors and top university courses to low-income and disadvantaged students. But at the same time, tracking a student, you know, throughout grade school and maybe into college could disadvantage them even more and set them back a bit and not allow them to move beyond where they might have been in third grade or, sure, you know, ninth grade. And then I'd also like for us to engage a bit more with this question of whether the age of consent or choice should remain 18 right now in FERPA and in most of the student privacy bills that have been proposed. The age of consent or choice, meaning the age when the parents' right to kind of exercise their child's rights for them stops, is 18. So that means that, you know, high schoolers have to exercise most of their rights under FERPA, most of their rights under these bills that have been proposed, through their parents. And that may not always be that appropriate. Right. When we're talking about data being collected on young adults. Sure.
Speaker 2
12:17 – 12:29
So that... So let's shift a bit to wrap this up. If you had a kid in school, you're a parent, what should you be thinking about right now in terms of your kid's privacy? We'll get back to the students. But... Right.
Speaker 0
12:30 – 13:34
Well, one, I would just ask teachers, ask administrators what EdTech services are being used in the classroom. Try to be aware of what sorts of services are being used. Ask who makes decisions as to which services should be used. Is this done through the teacher or through the administrator? And then ask how you can exercise your rights under FERPA, you know, to request access or review or correction or deletion of records. Parents do have a right to request access to their student's educational record and correction of that record, and deletion in certain circumstances. So you wanna make sure you know the process for requesting that. And then parents are also able to opt out of certain disclosure or certain data collection that schools may conduct. Typically at the end of the year, the school will send a notice of what sorts of data they're gathering or what sorts of data they consider what we call directory information, which means you don't need to get parents' consent before
Speaker 2
13:34 – 14:01
you share it. And parents can opt out of some of those practices. They just need to... there's usually, like, it's kind of outlined in the notice how parents can go about doing that. Wow. It's a lot harder to be a parent these days. Probably wasn't a good math. It's a lot more to think about. And last word. What about students? One piece of advice to, let's pick a demographic just to make it easier for you, like, a high school student. You know, what should they be thinking about when they're taking tests or sharing their data? Do they have rights?
Speaker 0
14:02 – 14:56
Do they have rights? Under FERPA, those rights aren't kicking in until you're 18, so that's kinda sad. But they should, one, just be thoughtful about what they're sharing online. Don't necessarily say something or share something that you don't want others to know about or your parents to know about. And then also create strong passwords. And I think we may be getting into this a little bit later. One other piece of advice for teens, but there are a ton of great sites that help you kind of form a good password. One is howsecureismypassword.net. I just used that the other day, and my password takes, like, three hundred and forty-four days for someone to do. Oh, good job. So I'm very excited about myself. Exactly. But, yeah, I think students should just be thoughtful about what they're sharing and also be thoughtful about passwords
Speaker 2
14:57 – 16:21
and accounts. Well, thanks for coming on the show, and hopefully these things will move forward and we will get to a place where technology really benefits education in the way that you explained, we hope and dream. I hope so too. Thanks, Alex. Raise your hand if you're guilty of using a super weak password or using the same password across every site that you use. I'm totally raising my hand right now, but working at CDT has made me marginally better at this. While we've all been lectured to improve our online passwords, there's actual math and logic behind the how and why. There are also ways that you can better manage your passwords without trying to remember which of the five to 10 variations of your standard password you use for a particular site. Technologist Greg Norcie joins us now to talk about how to better secure your online accounts. Welcome, Greg. Hi. So working at CDT, you must be thrilled to see how our entire staff is amazing about using good passwords and protecting their accounts. Right? Yeah. Sure. And Greg actually did a training for us yesterday, and some of the questions, I think, were, if not scary, showed that, you know, even though we are in the tech space, we are just as guilty of, you know, the password faux pas that a lot of people make. So, Greg, end the misforce. You know, we've all heard the things like, use characters, you know, use capital letters, don't use phrases, use phrases. What should we be doing with our passwords?
Speaker 1
16:21 – 17:06
Sure. And I mean, the first point I want to make is that, you know, we say in academia security is not a primary task. Nobody logs on to their computer to be secure. They log on to their computer to go shopping, or, you know, go on Reddit or whatever. So it's not actually unreasonable for people to say, you know, I don't want to remember all these things. And the reason most password advice is flawed is because we don't tell people why. We tell people, you know, make sure you put in some symbols, use uppercase and lowercase, but we don't really explain why. We're just prescribing from on high. And the reason we say you want a good password, a password that has letters, numbers, symbols, uppercase, lowercase, is because a good password is hard to guess. A computer can try every word in the English language in under a minute,
Speaker 2
17:07 – 17:11
and even if you... Is that true? Under a minute, every word in the English language. Yes. Wow.
Speaker 1
17:13 – 17:59
Okay. So the best way to make a password harder to guess is to use something that's not an English language word. And then, basically, what you're trying to do is increase the number of possibilities for each letter in the password. So if you're only using numbers, you only have 10 different possibilities for each space in the password. If you're using letters, numbers, uppercase, lowercase, you've got 96 different tries for just one character in the password, so it's 96 times 96 times 96 times 96. So exponentially. Yes. So, for example, if you have an 11 character password that is using that scheme, it would take about twenty-five thousand years. If you just add one character and take it up to 12 characters, it would take two point four million years to crack on a simple desktop computer. Wow. That's incredible.
Speaker 2
17:59 – 18:21
When people are looking to, like, get your password or whatnot or trying to guess it, you know, using computers, can they figure it out? You know, do they know the length? Do they have any of this information? Or does it, you know... So I guess my question is, say I have an 11 character password. If someone somehow steals the concept of the password, do they know I have 11 characters, or do they just know I have a password?
Speaker 1
18:21 – 19:09
No. Not necessarily. They might know what the password policy is for the organization. Okay. But they won't be able to look at your password individually. Passwords are stored on the server hashed, so they're not stored in clear text. Oh, okay. So explain what hashed means. So a hashing algorithm is an algorithm where, when given a given input, it has a given output, but the difference is that the output looks pretty random, and it's very hard to look at the output and go back to the input. So when you are typing in your password on a website, they're not actually looking up in a table some password on a list. What they do is they hash your password and compare the hash they generate when you type in your password to the hash that they have on file. And if the two match,
Speaker 2
19:10 – 19:35
then they will let you in. This way, if someone breaks into the server, they don't have a list of your passwords. Okay. Well, that's a little bit comforting to know that, you know, every site that I go into doesn't just have a database with the exact password that I use on them. So that's a little bit comforting. So you said use numbers, characters, letters, all that sort of stuff. You know, is there an optimal length for a password that we should be thinking about? Or yes, no?
Speaker 1
19:35 – 19:56
It's more about, not a specific length. It's also about complexity, and you can do trade-offs. So, for example, you could use a passphrase, which might only use lowercase letters, but because you're using, like, sixteen, twenty-four characters, that might be as secure as using, say, a 12 character password that's a little harder to remember but is using numbers and symbols.
Speaker 2
19:57 – 20:05
So you did a lot of work in university on this when you were pursuing your PhD. Give us a little bit of the math behind how we should really be thinking about passwords, why it matters.
Speaker 1
20:06 – 20:58
Well, at the heart of it, there's a really simple formula. And, basically, what it comes down to is two parts. The first part is the number, this password space: how many possible passwords do you have? The other key component is how many guesses your attacker can make per second. And the way you can calculate the password space is n to the power of r, with n being the number of possible characters for each character in the password. So, for example, if you had a password that was only numeric, n would be 10, because you could just have 1 through 9 plus 0. r is the length of the password. So, for example, if I have a password that uses uppercase, lowercase, numbers, and symbols and it's 10 characters long, the number of possible passwords would be ninety-six to the power of 10. Wow. That'll be a good number then.
Speaker 2
20:59 – 21:00
Theoretically.
Speaker 1
21:00 – 21:37
Okay. But again, I would have to pull out a paper and pen to do the math. However, you know, you can have situations where a GPU can make a billion guesses a second if you have a GPU cluster. So when you start doing the math, it can actually start to break down quickly. What would seem like a strong password, like an eight or nine character password, if your threat model is, say, a government-level actor or somebody who has enough money that they can spin up some Amazon GPU clusters, you know, you can get that down from years and decades to days and months.
Speaker 2
21:37 – 21:41
Okay. So passwords in general, it sounds as though, you know,
Speaker 1
21:41 – 23:23
you've given us some good tips on how to make them stronger: use characters, use uppercase, the longer the better. Are there ways that we can remember these? I mean, I think that's my biggest challenge with passwords. I'm constantly that person that goes into a site and clicks, you know, tell me my opinion or remind me my password or forgot my password. How do we remember these things? Well, there are a few strategies. The first is, it's not necessarily wrong to say remember my password. There was actually a scheme, that I wish I remembered the name of, that came out recently where they just ditched the password entirely, and it was just that whenever you want to log into this service, they would send a one-time code to your email, which is sort of what you're basically doing when you're resetting your password. The other thing is that you should sort of have tiers of accounts. You don't necessarily need to protect your Netflix password with the same rigor that you would protect the password to your bank. And the third is that I'm a fan of password managers. Okay. So you have one very strong password that unlocks the password manager, and then the password manager will remember the passwords. So the password manager is like an app or an online software or, you know, a desktop software that basically stores all your passwords. How does that work?
Yes, it's storing all your passwords in an encrypted format. Usually the good ones will have, like, an iPhone app, an Android app; you'll be able to use them on your computer. The one caveat is, again, when I talk about tiers, one of the reasons I talk about tiers is because sometimes you will run into a situation where your password bank software isn't going to work. And so, for example, if you go to use a video game console and you want to log into Netflix and there is no password vault software for that Xbox or whatever, you don't want to be in a situation where you're typing out a 24 character password on an Xbox controller. That would be a nightmare.
Speaker 2
23:24 – 23:39
Alright, so let's go beyond passwords then. What about those security questions? Do they add a layer of security, things like, you know, your mother's maiden name or your first pet's or, you know, what street you lived on at the top? They did in the nineteen fifties. Okay. Did computers exist in the 1950s?
Speaker 1
23:40 – 23:42
Yes, we used them to calculate
Speaker 0
23:43 – 23:48
ballistic tables for nuclear bombs. So why do we have those? I mean, what's the point of that? Well, they
Speaker 1
23:50 – 24:09
to be honest, they came about in a time where we weren't as networked, and this type of information was much, much harder to find out. And then it was used a lot for credit cards. These were basic authentication methods, and frankly, the financial industry, and I don't mean this in a political sense but in a risk sense, is very conservative.
Speaker 0
24:10 – 24:14
If something doesn't seem to need to be changed, if it's worked for a long time,
Speaker 1
24:14 – 24:18
why change it? And in a pre-information economy, that was a great way to think.
Speaker 2
24:19 – 25:04
Now we're seeing that, you know, these security questions are basically public knowledge. Sarah Palin had her email hacked because her secret question was where did you meet your husband, which she had mentioned in interviews with the press. That's a good point. I don't think too many people know my pet's first name, but it is kind of silly. I mean, the mother's maiden name one has been out there for ages, ages, and anyone can figure that out. I mean, it seems too easy. To be honest, I suggest you just put gibberish into these. Oh, yeah. Because they're not worth it. Okay. So let's wrap things up then. You know, basically, you've given us tips on how to make a good password. You've told us that the secret questions are not great. What is the one piece of advice that you can give to someone that's really concerned about, you know, security online when they're thinking about their passwords? I think,
Speaker 1
25:07 – 25:48
the passwords aren't actually the big thing. I think that I'm a really big fan of two-factor authentication. Most services on the Internet, Twitter, Facebook, Google, will all allow two-factor authentication. What two-factor authentication does is that, in addition to the password that you're typing in, you are given some sort of one-time code every time you're logging in. That code can be sent via a text message; it can be sent via an app on the phone. For example, Google has an app called Google Authenticator that does not necessarily require a phone connection, which can be nice because, you know, if you're getting your one-time code via text message, what happens if you're off in Prague? Right. You know, you can't log into your account.
Speaker 2
25:49 – 26:12
So, no, that makes a lot of sense. People have mentioned that before, and you've actually said this, you know, that a lot of it's about the risk assessment and the different levels of different things. So, you know, perhaps two-factor for, say, your bank account and your primary email address or something like that, because there's a ton of information on there, but maybe not for a gaming site or something. Would that be correct advice? Am I interpreting that right? Actually,
Speaker 1
26:12 – 26:20
I did a study at Palo Alto Research Center one summer when I was an intern there, and we found that the highest rate of two-factor adoption was on World of Warcraft.
Speaker 2
26:22 – 27:02
Who knew? Who knew? Well, they value them more than their bank accounts. Oh, well, I definitely do not. I've actually never been on that, but good for them. Good for them. Alright, Greg. Very helpful. Thanks so much for joining us, and hopefully we'll have some tips online too soon about how to make better passwords. Sure. Thank you. That's it for this week's CDT Tech Talk. You can find more information about student privacy, including a super detailed white paper and tips from Greg on making your passwords more secure, at www.cdt.org. As always, tweet us any questions you have or topics you'd like us to cover to @CenDemTech. Thanks for listening.