In my next post I’ll have more to say about security problems I’ve observed with Raz-Kids, but first I want to start with their recent statements that they don’t collect students’ personal information. It’s important to document what information they do collect, and it’s relevant to the discussion of how their data security practices have put student personal information at risk.
In an article published February 8th in the New York Times about data security problems in ed-tech apps, a representative for Cambium Learning Group, the developer of Raz-Kids, was quoted as saying that Raz-Kids does not store “sensitive” personal information about students like addresses or phone numbers. Later on Twitter, a company representative took it further, stating “Raz-Kids holds no personal data.”
One of my kids has a Raz-Kids account and I have seen first-hand what information the service collects.
From the FTC COPPA FAQ Page, here is a summary of what qualifies as children’s personal information under COPPA. Though COPPA does not always apply in educational settings, I view this list as a very good yardstick for what defines student personal information. I’ve highlighted the line items most relevant to Raz-Kids.
What is Personal Information?
The amended Rule defines personal information to include:
- First and last name;
- A home or other physical address including street name and name of a city or town;
- Online contact information;
- A screen or user name that functions as online contact information;
- A telephone number;
- A social security number;
- A persistent identifier that can be used to recognize a user over time and across different websites or online services;
- A photograph, video, or audio file, where such file contains a child’s image or voice;
- Geolocation information sufficient to identify street name and name of a city or town; or
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.
Here’s a summary of what Raz-Kids collects, all of which is covered by the list above. I believe common sense also tells us that the information below is personal information about a student, and that all of this information is worthy of data security protections.
- When a teacher sets up a Raz-Kids classroom, the teacher is prompted to enter a student’s first and last name.
- Raz-Kids makes voice recordings of children reading as part of its “running record” feature. It’s described here, on a page outlining how the feature works. It’s also described under tip #1 in this Raz-Kids “helpful tips” page. An annotated excerpt of that page is shown below.
- Raz-Kids generates reading level assessments and other metrics of a child’s reading proficiency. This falls under the last bullet above, information concerning the child that the operator collects online from the child and combines with one of the other identifiers. Screenshots of the reading level progress chart (annotated) and a quiz result showing skills to work on are shown below.
More soon on data security.