A news bomb about the theft of student data exploded in Utah’s Deseret News last July, but nobody noticed, apparently.
The article’s headline — “Wrongful Termination Lawsuit Puts Spotlight on Utah Autism Rates” — focused primarily on things other than the data theft. It highlighted former University of Utah research professor Judith Zimmerman’s allegations that university researchers were falsifying Utah’s autism rates.
But to me, the unheadlined bomb that the article dropped was the 750,000 students who had their data and their families’ data stolen by unauthorized “researchers”. The families now have no way of knowing this happened.
Zimmerman was fired for raising concerns about protected student data that she said the researchers had “compromised and accessed without proper authority.” She told the Deseret News that unauthorized individuals took 750,000 sensitive records with neither parental nor schools’ consent. This private “medical and educational information” included “names, birthdays, information about medical characteristics… special education classification and parents’ names and addresses,” reported the Deseret News.
How would these families now be notified? I wonder: with the whistleblower fired and with a years-long lawsuit and likely gag orders pending, the only people who now could potentially contact those families would be still employed at the university –who, being accused of the wrongdoing, certainly won’t go out of their way to inform the affected families right now.
I’m not going to discuss the ways in which the stolen records, and the children they represented, are vulnerable to potential crimes of credit card fraud, health insurance identity theft, crimes of predatory stalkers or the mandates of well-or-ill-intentioned governmental activists.
I’m here to ask –and answer– a very simple question that I hope readers are asking: how could this have happened? How were three quarters of a million records of children just lying around under the noses of any unscrupulous university researchers?
It’s simple. Utah has a STATE LONGITUDINAL DATABASE SYSTEM (SLDS) and it’s managed by the UECP at the University of Utah.
You, your children, and your grandchildren are in the SLDS whether you like it or not –unless you pay 100% of your own money in tuition for a 100% private school, and always have. There is no other way to opt out. I’ve tried.
Don’t get me started about how blindly stupid Utah is (all states now are) for having –and continuing to support– the SLDS.
We’re subject to this SLDS data surveillance system simply because in some USOE cubicle, some clueless grant writer responded to Obama’s mess of pottage and decided that the state of Utah might exchange students’ privacy for a $9.6 million dollar federal grant.
Utah traded all students’ data records, longitudinally (permanently) into this data-slurping machine, euphemistically titled the State Longitudinal Database System, which the feds designed and oversaw— all for the love of money and nonconsensual research.
Without parental consent, Utah children’s data now is daily being collected –using schools to vaccum it up. This is not a legitimate situation, but you can’t blame schools. They are being used. They have to give daily data to the state/fed system, or they lose funds/grind to a halt. In a recent Utah rulemaking statement, we read: “all public education LEAs shall begin submitting daily updates to the USOE Clearinghouse using all School Interoperability Framework (SIF) objects defined in the UTREx Clearinghouse specification. Noncompliance with this requirement may result in interruption of MSP funds.”
So we can’t believe the ear candy we’re told, about how this data mining is about keeping data on kids so teachers can do their best teaching. It’s not staying in the local school for teachers and administrators to legitimately peruse, but it goes into the federally designed, federally interoperable SLDS database held at UECP/U of U which many state agencies can peruse and which the feds can already partially peruse.
(Side note: the feds are feverishly working to get much greater unit-record access as we speak. If you’re interested, livestream the CEP’s federal public hearing on that subject today: https://www.youtube.com/watch?v=bvvatB_NBWI )
Every state has an SLDS system. The feds paid the states to build them. The feds told the states how the SLDS’s had to be built. Utah got nearly $10 million to make Utah’s federal SLDS in 2009. And the grant’s been renewed to keep trading cash for students, in recent years.
Utah children and their families thus have their data sucked away to where unelected, unaccountable “researchers” are entrusted with data via SLDS. The University’s “Utah Education Policy Center” (UEPC) is a founding partner in the Utah Data Alliance, which controls Utah’s SLDS system. According to UEPC’s website:
“Five other partners include the Utah State Office of Education (public education), Utah System of Higher Education, Utah College of Applied Technology, Utah Education Network, and the Department of Workforce Services. UEPC serves as the research coordinator for the Utah Data Alliance. UEPC coordinates access for individuals and organizations interested in collaborating with the Utah Data Alliance, or researchers interested in accessing data for research purposes.”
That’s a long answer to a short question. That’s how the data got stolen.
Here’s the follow up question: what’s keeping the other millions of records of students from going the same way that those 750,000 records went?
Ask your legislator that question. Ask him/her to show you any proper privacy protections that are actually in place. (FERPA was shredded; don’t let them pretend there’s protection anymore under FERPA.)
We do not even have the freedom to opt out of SLDS tracking. But all of this can change– if more good people speak up– act.
How did the fox persuade the gingerbread boy to get on his back? The fox said that he would never eat him, but would surely protect the gingerbread boy from everyone who was trying to eat him on the dangerous side of the river.
On shore stood the hungry horse, the farmer, the dog, the others– and the fox said that he could help the gingerbread boy to get away. The fox protected the gingerbread boy like the federal government is protecting your child’s personal data.
Every time I read an official promise like this recent CEP statement (and there are so many; even the federal alterations to FERPA sounded like the CEP statement) –I think of the gingerbread boy. The CEP (federal “Commission on Evidence-Based Policymaking”) promises that the government only wants more individual “data in order to build evidence about government programs, while protecting privacy and confidentiality.” I think of the fox “protecting” the gingerbread boy.
That fox wanted to eat the boy just as much as the dog and the farmer and everyone else did. Even the gingerbread boy probably suspected it, but he really, really wanted to cross that river.
When the government says that it can and will protect privacy while accessing greater amounts of data, I think:
River = money
Gingerbread boy = a child’s sensitive data
Horse = educational sales corporations
Farmer = educational researchers
Fox = federal government
Dog= state government
The oven where the boy was born = SLDS database
Three remarkable Alpine School Board Members: Wendy Hart (front left) Brian Halladay (standing, middle) and Paula Hill (front, right) have written an open letter on student privacy, citing documented realities (contracts, documents and laws) that boldly stand for student privacy and parental rights, against Common Core SAGE/AIR testing. The letter stands tall against statements from State Associate Superintendent Judy Park and the Utah State Office of Education that claim all is well with student privacy in Utah schools.
Hats off to Hart, Halladay and Hill for speaking up despite pressure to go along in silence with the decisions or positions held at the state level.
Before I post the letter, here’s a little background:
Before Common Core testing even began, Utah officially dropped out of SBAC (a federally funded Common Core test maker) but then immediately picked up, as a replacement, test maker AIR (American Institutes for Research– also federally approved, but not federally funded; Common Core-aligned; a test maker that specializes in psychometrics and behavioral testing, prioritizes promoting the LGTB philosophy –and is officially partnered with SBAC!) Many Utah parents are opting their children out of these tests, and state level officials are desperately trying to persuade the population that there’s no reason to opt out.
Statements promoting and approving AIR and SAGE, by Assistant Superintendent Judy Park, have been rebutted and even publically debated before– but this new letter stands very, very tall, shedding much more light on the student privacy dangers of SAGE/AIR and highlighting the lack of Utah laws that protect an individuals’ ownership over his/her own data.
Here’s the letter:
September 18, 2014
Dr. Judy Park
Utah State Office of Education
Dear Dr. Park,
Thank you for taking the time to address some of the issues with AIR and SAGE testing. We especially appreciate your citations of the contract. In the interest of openness and transparency, we have a point of clarification, as well as some follow-up questions.
To begin, a point of clarification. Your letter is directed to Superintendent Henshaw who communicated some of our concerns about SAGE and AIR to you. In your letter, you indicate that “False, undocumented and baseless allegations need to cease.” We wish to clarify that the concerns expressed by Dr. Henshaw were not coming from him, and, as such, your directive would not be to him but to those of us on the board and our constituents who are raising questions, based on our reading of the AIR contract with USOE. Because Dr. Henshaw reports to the Alpine School Board and not the other way around, any directive for Dr. Henshaw to rein in these ‘allegations’ from board members or constituents would be inappropriate. We can appreciate that you are troubled by this, but we would recommend that more information and more discussion would be a preferable way of resolving concerns, as opposed to suggesting that concerned representatives and their consitutents simply remain silent.
So, in that spirit of openness, we have the following clarifications and follow-up questions.
We begin by addressing the sections of the AIR contract cited in your letter of August 14. It was very much appreciated because these are the same sections of the contract that we have studied. We were hopeful that there would be additional insight. Unfortunately, we did not find any assurance in the pages listed.
I-96 – I-98: This section nicely addresses the physical, network, and software security for the server and test items. However, the only reference to AIR employees, their ability to access or use any data is left to “Utah’s public records laws, FERPA, and other federal laws.” FERPA, as many know, has been modified by the US Dept of Education to allow for the sharing of data without parental knowledge or consent as long as it can be justified as an ‘educational program’. Additionally, FERPA only contains penalties for those entities receiving federal funds. Since Utah is paying directly for SAGE testing, FERPA is a meaningless law in this regard. Additionally, Utah’s public records laws appear to only address the openness of public records, but are insufficient when it comes to privacy or use of data, including that of a minor. If there are robust privacy laws in Utah’s public records laws, we would appreciate additional citations. Please cite the other federal laws that protect the privacy of our students.
I-61: Addresses the technical protocols for the data transfer, as well as encryption of passwords. Again, this doesn’t address those who are given access by AIR to the data for whatever purpose.
I-72 – I-73: Addresses the security of those contractors who will be manually scoring during the pilot testing. This addresses a particular third-party in a particular role, but not AIR as an entity or its employees, other than this particular instance.
I-85 – I-86: Addresses the issues of users and roles for the database and USOE updates. This limits the appropriate access to those of us in Utah, based on whether we are teachers, principals, board members, USOE, etc. Again, this does not address anything about AIR as an entity or its employees.
While all these security precautions are necessary, and we are grateful they are included, they do nothing to address the particular issues that were raised at the August 12, 2014 Alpine School Board Meeting. Some of our concerns are as follows:
1) Prior to the Addendum from March 2014 (for which we are grateful) there was no prohibition on sharing data with a third-party. As indicated, the changes to FERPA would allow AIR to legally share data with a third-party as long as that sharing was for ‘an educational program’ without parental knowledge or consent. As such, the addendum now allows for that sharing only with the USOE’s consent. We are still concerned that parents are not asked to give consent and may not have knowledge of their student’s data being shared.
2) AIR itself is a research firm dedicated to conducting and applying the best behavioral and social science research and evaluation. As such, they are involved with data collection and evaluation. In the contract and addendum cited, there is nothing that prohibits how AIR or its subsidiary organizations may use, query, analyze or access any or all student data from the SAGE tests in Utah. They would have access to many data sets from many entities. They also would have multiple on-going research projects. There is no prohibition on what inquiries, research or analysis can be done on the data from SAGE testing. As long as AIR does not profit from the data or share with a third-party without the USOE’s consent, the data is managed by AIR and available for access. What are the methods in place to prevent AIR from accessing the data for additional research or analysis? AIR does not need to share the data with a third-party to violate the privacy of a student or a set of students. However, since they control and manage the database, there is nothing that would prevent this access.
3) There are no prohibitions in the contract regarding behavioral data. While we realize Mr. Cohen has said the contract does not call for gathering or evaluating behavioral data, and that AIR is not inclined to do so, there are, again, no prohibitions or penalties associated with gathering or evaluating behavioral data. State law allows for the use of behavioral data in the year-end testing. So, there are no legal prohibitions on the use or collection of behavioral data. Since behavioral research is the primary mission of AIR, as indicated by its mission statement, it is a concern for parents. If AIR has no desire to collect behavioral data as part of the SAGE testing, it should state so explicitly in a legally-binding manner.
4) Many parents have, legally, opted out of SAGE testing for their students. As such, why is AIR receiving any information on these students? Parents feel it is a grave violation of their trust by USOE that any data the USOE has received from the schools can be input into the SAGE database, not to mention the State Longitudinal Database System (SLDS). There must, at a minimum, be a way for parents to opt out of all sharing of their student’s dat with AIR and the SLDS. At what point, if any, will student data be purged from the AIR database? What is the method for demonstrating the data has been properly purged?
Additionally, we appreciate the response of Mr. Cohen to our concerns. Based on his response, we have the following questions.
1) Please list the “express purposes” for which the release, sharing or sale of data is not prohibited, per contract.
2) What third parties are AIR “explicitly permitted by the State of Utah” to provide data to?
3) What research has AIR been requested and directed by the Utah State Office of Education to conduct?
4) What entity (or entities) has AIR been authorized by the State of Utah to release data to?
5) Please list the source of the contract that states that AIR is prohibited from releasing data to the federal government.
6) What entity (or entities) have been designated by the USOE to receive data from AIR?
7) The memo does not address companies owned or operated by AIR, which would not be considered third-parties. Please state, per contract, where AIR does not share data within related party entities.
Finally, we have the following questions related to the validity and reliability of the SAGe testing. We understand that this information would not be protected by copyright, and therefore, could be provided to us, as elected officials.
1. Normative Sample Details (who took the test)
2. Coefficient Alpha Reliability
3. Content description Validity
4. Differential Item Function Analysis
5. Criterion Prediction Validity
6. Construct Identification Validity
7. Other types of validity scales/constructs that are applicable only to CAT test designs
We appreciate the opportunity to discuss this more in the future. As those who are responsible to the parents of this district, we feel it is imperative that our concerns are addressed. And, when all is said and done, it is most important that parents have the opportunity to protect whatever student information they feel is necessary. Just because parents decide to educate their children in our public school system does not mean that we, as a state government, are entitled to whatever information about their children we feel in necessary. Parents are still, by state law, primarily responsible for the education and the upbringing of their children. As such, their wishes and their need to protect information on their students is paramount. As members of the Alpine School Board, we must represent the different views and concerns of all the parents in our area. For those who have no concerns, then you may proceed as usual. For those who do have concerns, it is incumbent on us to raise these questions and to obtain the most accurate information possible.
Thank you for your time, and we look forward to more information in the future.
I wish every Utah parent, teacher, student and principal read this letter– and took action!
The time has long passed for blind trust in Dr. Park, in the State Office of Education and in the State School Board. Surely, power holders –in the legislature, in district administrative offices, and in the governor’s office who read this letter– will finally act.
Share this letter!