Technophoria: Data Security Is a Classroom Worry, Too

Edmodo’s free software allows teachers to set up virtual classrooms where they can post homework assignments, give quizzes and use third-party apps to complement lessons. Students can create individual profiles, including their photograph and other details, within their teacher’s class and post comments to a communal class feed.

Mr. Porterfield, an engineer at Cisco Systems, examined Edmodo’s data security practices by registering himself on the site as a fictional home-school teacher. As he went about creating imaginary students — complete with cartoon avatars — for his fictitious class, however, he noticed that Edmodo did not encrypt user sessions using a standard encryption protocol called Secure Sockets Layer.

That cryptography system, called SSL for short and used by many online banking and e-commerce sites, protects people who log in to sites over an open Wi-Fi network — like the kind offered by many coffee shops — from strangers who might be using snooping software on the same network. (An “https” at the beginning of a URL indicates SSL encryption.)

Without that encryption, Mr. Porterfield says, he worried about the potential for a stranger to gain access to student information, and thus hypothetically be able to identify or even contact students.

To test this hypothesis, he used a computer on his home Wi-Fi network to log in as an imaginary student; then, using another computer, he installed free security auditing software, called Cookie Cadger, to spy on the student’s online activities. Though the risk of this happening with actual students seemed small — Edmodo and other companies say they have no evidence that this kind of breach has occurred — he contacted his school district about his concerns.

“There’s a lot of contextual information you could use to gain trust, to make yourself seem familiar to the child,” he says. “As a parent, that’s the scariest thing.”

In response to an inquiry from me last week, Sara Mandel, a spokeswoman for Edmodo, said the service provided “a safe alternative to open, consumer social networking sites” because students could participate only in groups created by their teachers and because teachers decided whether students could send private messages to one another.

She added that “any school that chooses” had been able to use a completely encrypted version of the site since 2011 and that the company “is working to ensure that all of our users are using an SSL-encrypted version.”

SCHOOL administrators and teachers said they liked these online learning systems because they could control the information that students might share.

“Kids can’t talk to each other. They can only speak to the group,” says Heather Peretz, a special-education teacher at Great Neck South Middle School in Great Neck, N.Y., who uses Edmodo in her English class. “It helps them learn to be good digital citizens so they are not making inappropriate posts.”

But as school districts rush to adopt learning-management systems, some privacy advocates warn that educators may be embracing the bells and whistles before mastering fundamentals like data security and privacy.

Although a federal law protecting children’s online privacy requires online services to take reasonable measures to secure personal information — like names and e-mail addresses — collected from children under 13, the law doesn’t specifically require SSL encryption. Yet school districts often issue only general notices about classroom technology, leaving many parents unaware of the practices of the online learning systems their children use. Moreover, schools often require online participation so students can gain access to course assignments or collaborate on projects.

“What we are finding with this type of database is that parents are uninformed,” says Khaliah Barnes, a lawyer at the Electronic Privacy Information Center. “Most don’t understand how the technology works.”

Online security experts have long warned consumers about unencrypted Web sites that collect personal details. That is because on open Wi-Fi networks, hackers using simple software programs can see and copy the unique code, called a session cookie, that servers issue to authenticate a person who has logged into a Web site. By replicating that cookie, a hacker can acquire the same privileges, like the ability to edit a profile or grade a quiz, of the authenticated user for that session.