The home page of Pinellas County Schools in Florida is brimming with information for families, students, staff members and the public:
But Pinellas’ home page has been supplying information to another audience, an unseen one, as well this year.
An array of tracking scripts were embedded in the site, designed to install snippets of computer code into the browsers of anyone clicking on it, to report their visits or track their movements as they traveled around the web.
The trackers were detected last winter during a study by Douglas Levin, a Washington-based expert on educational technology. Asked about them in April, the district expressed surprise and said it would have them removed. But Levin found 22 trackers when he checked back last month.
Trackers are as common on public school websites these days as microbes on a restroom door, to judge by Levin's examination of 159 public school websites from among the nation’s largest and most tech-savvy districts. At least some form of ad tracking or online surveillance technology was embedded in all but one of them, he found.
Their use is an “industry-accepted practice,” said Lisa Wolf, the public information officer for Pinellas County Schools, echoing comments by school officials elsewhere.
Most trackers are used to help websites work better, by counting page visits or catching problems with broken links. Some are used for promotions, as in Pinellas County, where Wolf said the trackers spotted in April had been left behind after a school-choice campaign, and others were later added to boost enrollment at a technical college.
But some trackers are also designed to recognize visitors by the IP address of their device and to embed cookies in their browsers for the advertising practice known as behavioral targeting. And knowingly or otherwise, many school sites are hosting software from third-party companies whose primary business is buying and selling data for the detailed dossiers of personal information on finances, lifestyle and buying habits that advertisers prize. Those third parties may invite still other trackers onto the site, without the school’s knowledge or control.
“The price of getting information about your child’s school should not be losing your privacy to online ad brokers,” said Levin, founder of EdTech Strategies, which conducts research and advises nonprofits and government agencies on using technology to improve schools.
Many people who use the internet are familiar with cookies and aware that their movements are tracked, especially after the Cambridge Analytica scandal put a spotlight on Facebook’s business model this year. But the unseen, commercial tracking of visitors to school websites — including students — raises issues that go beyond tracking on other kinds of sites, other experts agree.
“Schools shouldn’t be selling and marketing their kids’ data to third parties,” said Jules Polonetsky, chief executive of the Future of Privacy Forum, a Washington think tank focused on data privacy. “Is that what’s happening? Do they know? If they can’t answer the question, that’s a big problem.”
Student lists are now available for purchase on the basis of ethnicity, affluence, religion, lifestyle, awkwardness and even a predicted need for family planning services, according to a study released in June by Fordham University’s Center on Law and Information Policy. Where that information was drawn from is mostly undisclosed, the study found.
“There’s a continuum of data collectors, data sharers and data users within this large ecosystem,” said N. Cameron Russell, the center’s executive director, describing it as a “huge invisible world” of shifting business entities of which the public is mostly unaware. The companies offer school districts incentives to use “freemium” services, free or discounted products for which, Russell says, “you’re paying with your personal information.”
The presence of trackers from data brokers such as BlueKai, AddThis or DataLogix on school sites should be viewed as a “smoking gun” that demands an explanation, Polonetsky said, because those companies commonly engage in the buying, selling and linking of user data. Levin found all three on the websites of the Huntsville, Alabama, schools on one recent day. He found AddThis on public school sites in Cleveland; Springfield, Missouri; Washington, D.C.; and Albuquerque, New Mexico.
BlueKai was among the 22 trackers Levin found on the Pinellas County schools site. Wolf said she did not know how it got there. “It is the district’s expectation that our partners do not sell or misuse web visitor information,” she said.
Some limits exist on how far trackers can intrude. The Children’s Online Privacy Protection Act of 1998, known as COPPA, bars unauthorized collection of children’s personal information, including IP addresses, on sites aimed at children under 13.
School pages accessible to the public are mostly for adults, but ad trackers shouldn’t be allowed on the pages students visit to do homework or check grades, said Linnette Attai, founder of PlayWell, who advises companies on compliance issues related to privacy, online safety and marketing aimed at children and teens.
But Attai said even the most sophisticated companies were having trouble keeping up with rapidly changing online ad technology and the laws that governed it. Amelia Vance, director of the education privacy project at the Future of Privacy Forum, called this a problem for schools as well.
“Since 2013, we’ve had 125 new student privacy laws passed by 39 state legislatures and the District of Columbia,” Vance said. “We have almost no funding and almost no training required by most of that legislation.”
Google and Facebook prohibit collecting or sharing information from children under 13. But Levin said the integration of free social media into many school websites had still provided a subtle entry point for commercial activity in what parents might assume was a commerce-free zone.
Google’s DoubleClick ad trackers, for instance, are commonly found on school pages that host YouTube videos, like the Community Website Introduction video on a school site in Massapequa, on New York’s Long Island. The trackers tee up videos containing advertising on the school page, once its own video finishes playing.
This year, after the Cambridge Analytica scandal cast a harsh light on the way Facebook harvests personal information for its advertising sales, the National Education Policy Center in Boulder, Colorado, announced it was deleting its own Facebook page, citing what it called Facebook’s “invasive data mining and the third-party targeting of users inherent in its business model.”
Allison Prystupa, president of the Massapequa Council of PTAs, sees Facebook as an essential tool, along with Twitter, Instagram, email and the phone apps Group Me and Remind.
Younger parents today “want that instant information, whatever way they’re going to get it,” she explained. “They don’t think twice about who’s tracking them.”
But her daughter Jillian, 20, who is studying to be a history teacher at Adelphi University in Garden City, New York, said the congressional testimony of Facebook’s chief executive, Mark Zuckerberg, in April was eye-opening.
“I don’t think we realized how much information we were giving out, or where else it could be used,” Jillian Prystupa said. She accepts ad tracking as a “business move,” she said, but the buying and selling of her information is a different story.
“I think that if a social media site or a website is going to do that, it has to be in bold letters up front before you sign up for it,” she said. “You have to know that whatever you’re giving them can be used by them in whatever way, and then you can make your own decisions.”
This article originally appeared in The New York Times.