Virtual learning compromised kids’ privacy and security

Placeholder while article actions load

Welcome to The Cybersecurity 202: The film “Midnight Cowboy” was released on this day in 1969, going on to become the only X-rated film to win the Best Picture Academy Award. 

Below: Opponents of Trump’s election lies prevail in Georgia’s GOP primaries, and the FBI worked around WhatsApp encryption to uncover an ISIS-linked plot to assassinate former president George W. Bush

Remote learning apps scooped up student information and shared it with third parties

There was also a cybersecurity consequence to virtual learning during the pandemic.

The distance learning apps that schools used frequently scooped up reams of information about students, dramatically undermining their privacy and security, an international investigation has found. 

The apps grabbed personal information, including locations, and tracked the online behavior of millions of students, my colleague Drew Harwell reports. Some apps also gained access to students’ digital contacts and cameras and recorded the keystrokes of students answering math and reading questions even before they hit submit. 

The Post is among 13 news organizations reporting on the investigation conducted by Human Rights Watch and the investigative nonprofit The Signals Network.

The findings are the latest evidence that educational apps — including those aimed at children as young as prekindergarten — frequently play fast and loose with children’s privacy and security in the pursuit of profit. 

They also underscore how the rapid shift to working, learning and doing nearly everything else online during the pandemic often came with an unexplored security cost.

  • Children were “just as likely to be surveilled in their virtual classrooms as adults shopping in the world’s largest virtual malls,” lead researcher Hye Jung Han wrote.
  • She charged that school districts had rushed to distance learning apps that were artificially underpriced because children “were forced to pay for their learning with their fundamental rights to privacy.”

Researchers analyzed 164 education apps and websites used in 49 countries. They found nearly 90 percent sent information to ad-technology companies 

Few of the companies disclosed to parents how they would use children’s information. “Some apps hinted at the monitoring in technical terms in their privacy policies, the researchers said, while many others made no mention at all,” Drew writes.

The researchers were able to see what data the apps requested from users but weren’t able in most cases to track precisely what data they extracted during actual use. 

The first concern here is privacy. The Children’s Online Privacy Protection Act (COPPA) prohibits selling the personal information of children younger than 13 without parental consent. But companies find ways to dodge that, critics say, including by having schools consent on behalf of parents or claiming disingenuously that their products should not be used by children under 13, Drew reports. 

But when privacy is compromised, security concerns are never far behind. Sensitive data that’s stored by ad firms can be hacked and exposed online. 

Researchers found some apps sent children’s records to the tech firm Oracle’s ad-targeting system BlueKai, which reported a massive 2020 data breach. An Oracle spokesperson told Drew the company found no evidence children’s data was exposed in the breach. 

Most school districts conducted no technical privacy evaluations before endorsing the apps. “Because the companies’ privacy policies often obscured the extent of their monitoring, the researchers said, district officials and parents often were left in the dark on how students’ data would be collected or used,” Drew reports.

  • The website ST Math was found to share student user data with 19 third-party trackers, including Facebook, Google, Twitter and the e-commerce site Shopify.
  • The app Schoology, which says it is used by more than 60,000 schools, included code that could extract a unique identifier from children’s phones known as an advertising ID that markets could use to track the children from device to device.
  • The creators of both apps disputed Human Rights Watch’s findings, saying tracking was not as extensive as it claimed.
  • The tools were used in some of the nation’s largest school districts, including Los Angeles, where more than 447,000 students use Schoology and 79,000 use ST Math.

Human Rights Watch researchers are pushing for reforms:

  • They want governments to conduct data-privacy audits of learning apps to help teachers weed out the most abusive ones and to guide teachers on how to prevent overcollection.
  • They want companies to commit to treating children’s data differently from adults.
  • And they want the government to ramp up regulations on learning apps so companies aren’t policing themselves.

Republicans who stood firm against Trump’s election lies prevail in Georgia primaries

Former president Donald Trump had perhaps his worst night of the 2022 primary season last night. The Republican governor and secretary of state in Georgia — who refused to support his false claims of election hacking and fraud — both prevailed against primary challengers that Trump supported. 

Georgia Gov. Brian Kemp defeated his Trump endorsed challenger, former Sen. David Perdue (R-Ga.), in a landslide, as Colby Itkowitz and David Weigel report. Secretary of State Brad Raffensperger appeared poised to defeat Trump’s pick, Rep. Jody Hice (R-Ga.) according to Associated Press projections, Colby and David report. 

Hice had attacked Raffensperger for certifying the state’s election results against Trump’s wishes. 

Raffensperger, who bucked Trump’s demands to “find” enough votes for him to carry the state, declared last night that he’d been “standing for the truth and not buckling under pressure.” 

The victories are a bright spot for election security advocates during a relatively dark primary season. 

  • Secretary of state candidates who deny without evidence that Biden won the 2020 election appear poised to win GOP primaries in numerous states.
  • The election denier Kristina Karamo has already won Michigan’s GOP primary to be secretary of state.
  • Election denier Doug Mastriano won Pennsylvania’s GOP primary for governor and will appoint the state’s next top election official if he’s victorious in November.

FBI disrupts ISIS-linked plot to assassinate George W. Bush using WhatsApp surveillance

The case offers one of the rare public examples of how police were able to complete an investigation involving WhatsApp data despite the app’s use of end-to-end encryption — which prevents WhatsApp from sharing customer messages directly with law enforcement without a warrant.

In this case, FBI agents convinced confidential informants to forward WhatsApp messages that suspect Shihab Ahmed Shihab Shihab had sent them, Forbes’s Thomas Brewster reports. They ultimately tricked Shihab into using a phone they provided to him through an informant. Agents also got location data from AT&T and some other details from the WhatsApp account.

  • The case “shows how the FBI, despite its claims of being prevented from investigating major crimes because of [WhatsApp parent] Meta and other tech providers’ use of encryption, has been able to work around WhatsApp security by using old-school policing with sourcing of informants and tracking the metadata they can get from the messaging company,” Brewster writes.

Shihab wanted to smuggle four Iraqis into the United States to assassinate Bush in retaliation for the Iraqis who were killed in the Iraq War, the Justice Department said. According to a search warrant application discovered by Brewster, Shihab said one of the proposed assassins was “the secretary of an ISIS financial minister.” Shihab planned to smuggle them across the U.S.-Mexico border to escape, the warrant said.

Hacked files show draconian Chinese surveillance in Xinjiang

The leaked files include thousands of mug shots of detainees in Xinjiang camps and a trove of other documents, including police security protocols, my colleagues Lily Kuo and Cate Cadell report. The documents also show the extent of Chinese surveillance in Xinjiang, including how China’s government punished some people for installing encrypted apps or not using Chinese-approved technologies.

  • The hacker, who hasn’t been identified, said they stole the files from the Public Security Bureau’s computer systems in two Xinjiang counties before decrypting them and handing them off to Adrian Zenz, a scholar at the Victims of Communism Memorial Foundation. 
  • Zenz later wrote up the findings in an academic paper, and more than a dozen media organizations examined the leaked documents before they were published Tuesday.
  • The hacked documents are all dated before the end of 2018 — before a Chinese government “directive issued in early 2019 tightening Xinjiang’s encryption standards,” which might have stymied the hackers’ ability to get documents, BBC News’s John Sudworth wrote.

Democrats ask Google to stop collecting data that could identify women who get abortions

Location data collected by Google could be “used by right-wing prosecutors to identify people who have obtained abortions” if the Supreme Court overturns Roe v. Wade, dozens of lawmakers warned in a letter to Google chief executive Sundar Pichai

The letter was led by Sen. Ron Wyden (D-Ore.) and Rep. Anna G. Eshoo (D-Calif.), CNBC’s Lauren Feiner reports. It joins a number of calls for limits on such data by privacy advocates and lawmakers in the wake of a leaked draft Supreme Court decision indicating that the court was considering overturning abortion protections. 

“While Google deserves credit for being one of the first companies in America to insist on a warrant before disclosing location data to law enforcement, that is not enough,” the 42 Democrats wrote. “If abortion is made illegal by the far-right Supreme Court and Republican lawmakers, it is inevitable that right-wing prosecutors will obtain legal warrants to hunt down, prosecute and jail women for obtaining critical reproductive health care.”

Google didn’t respond to CNBC’s request for comment.

Top Republicans query FBI on warrantless wiretapping of Americans (Reuters)

Hunter Biden emails that Trump allies shared contain signs of possible ‘tampering,’ analysis suggests (CyberScoop)

Someone stole Seth Green’s Bored Ape, which was supposed to star in his new show (BuzzFeed News)

Beeple’s followers lose $438,000 to phishing scam after NFT artist’s Twitter gets hacked (Forbes)

‘King of Slots’ drops suit saying spyware co. hacked phone (Law360)

McAfee CEO Peter Leav to step down, Greg Johnson to take over (Reuters)

Okta CEO: If we ‘build that trust back, we’re going to be fine’ (Protocol)

Clearview AI’s facial recognition tool coming to apps, schools (Reuters)

  • A House Oversight and Reform Committee panel holds a hearing on the Technology Modernization Fund today at 10 a.m.
  • Undersecretary of Commerce for Industry and Security Alan Estevez speaks at an event hosted by the Atlantic Council and Krach Institute for Tech Diplomacy at Purdue today at 10 a.m.
  • FBI Director Christopher A. Wray testifies before a Senate Appropriations Committee panel’s hearing today at 2 p.m. 
  • Lt. Gen. Michael S. Groen, who leads the Pentagon’s Joint Artificial Intelligence Center, speaks at an Atlantic Council event today at 2:30 p.m.
  • Secretary of State Antony Blinken outlines the U.S. government’s China policy on Thursday at 10 a.m. 

Thanks for reading. See you tomorrow.

Related posts