IDAC Investigation Into EdTech Apps Finds Mixed Cybersecurity Practices
September 09, 2020
Every day, more educational apps are downloaded to give students additional help with their subjects. These apps can be great resources, but a study released on September 1 by the International Digital Accountability Council (IDAC) examined the data privacy protections in 496 edtech apps from 22 countries. The study did not find any intentional misconduct, but the authors did find security risks that require attention.
“As parents, teachers, and schools scramble to prepare for teaching and learning this fall, it is important to take a close look at the privacy and security features of edtech apps that are likely to see much greater use,” said IDAC President Quentin Palfrey, in a statement.
The goal of the study was to identify apps that a wide range of teachers and parents could use to promote remote learning, rather than edtech apps used strictly by the school district. IDAC's investigation covered language learning, study help, book or library reader, learning game, virtual classroom, and team communication apps. The majority of the apps are developed in the United States. Manual testing was done on 78 Android or iOS apps on July 15, and automated testing was done on 421 Android apps.
IDAC Identifies Five Areas In Which EdTech Apps Could Improve
The study identified five areas where edtech apps need to improve. The first is location sharing and the collection of persistent identifiers. A persistent identifier is tied to the hardware in such a way that it cannot be reset, which makes it easier for third parties to access information. In the case of a persistent identifier, digital items that can be accessed over the internet. The only way for users to avoid this tracking is to get a new device.
Second, IDAC identified cases where personal data was being exposed, allowing students' personal data, such as name and email, to be shown. Exposed personally identifiable information (PII) gives attackers easy access to valuable and private information, especially that of young students. Thirteen of the edtech apps that IDAC investigated were found to have exposed the Android Advertising ID (AAID).
Next, the IDAC authors found significant examples of third-party communications. Personal information, device information, contextual information, and app information were all given to third parties. In the manual testing, 79 of 123 edtech apps were shown to be sharing information with third parties.
Location Sharing, Personal Information, Third Party Communication, and More Are Common with these Apps
The fourth area was ID bridging. “ID bridging occurs when the Android ID is sent simultaneously with the Android Advertising ID (AAID),” according to the study. This was used to track students using those edtech apps and to develop specific advertisements for them.
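An auditor can check captured app traffic for the co-occurrence the study describes. The following is an added example, not code from the IDAC study or this article; the device identifiers, hostnames and request bodies are constructed, and matching hashed or hyphen-stripped forms is an assumption about how identifiers may be encoded on the wire.

```python
import hashlib
from urllib.parse import unquote_plus

# Constructed identifiers for a hypothetical test device (not from the study).
ANDROID_ID = "9774d56d682e549c"                  # 64-bit value as 16 hex chars
AAID = "38400000-8cf0-11bd-b23e-10b96e40000d"    # resettable advertising ID (UUID)

# Constructed capture: (destination host, request body) per outbound request.
CAPTURE = [
    ("ads.example.test", "aaid=" + AAID + "&lang=en"),
    ("metrics.example.test",
     '{"android_id":"' + ANDROID_ID + '","adid":"' + AAID.upper() + '"}'),
    ("sdk.example.test",
     "did=" + hashlib.md5(ANDROID_ID.encode()).hexdigest() + "&gaid=" + AAID),
    ("api.example.test", "device=" + ANDROID_ID),
]

def variants(identifier):
    """Forms to search for: lowercase raw, hyphens stripped, and common hashes."""
    raw = identifier.lower()
    forms = {raw, raw.replace("-", "")}
    for form in list(forms):
        for algo in ("md5", "sha1", "sha256"):
            forms.add(hashlib.new(algo, form.encode()).hexdigest())
    return forms

def find_id_bridging(capture, android_id, aaid):
    """Return (host, request_number) for each request carrying both identifiers.

    A single request that holds the non-resettable Android ID next to the AAID
    lets the recipient re-link a user after the AAID has been reset.
    """
    android_forms, aaid_forms = variants(android_id), variants(aaid)
    hits = []
    for number, (host, body) in enumerate(capture, start=1):
        text = unquote_plus(body).lower()   # undo URL encoding, ignore case
        has_android_id = any(form in text for form in android_forms)
        has_aaid = any(form in text for form in aaid_forms)
        if has_android_id and has_aaid:
            hits.append((host, number))
    return hits

if __name__ == "__main__":
    for host, number in find_id_bridging(CAPTURE, ANDROID_ID, AAID):
        print(f"request {number} to {host}: Android ID sent together with AAID")
```

Requests that carry only one of the two identifiers are not flagged, since the bridging risk comes from both arriving at the same recipient in the same message.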
The final issue IDAC found was privacy issues created by software development kits (SDKs). Third-party SDKs are sections of code that developers can embed in edtech apps to perform a specific task. “Mobile analytics and advertising SDKs pose particular risks in ed tech apps – especially apps that have younger users – because of their monetization capabilities,” the authors write.
To correct these issues and make edtech apps more reliable and trustworthy for parents and teachers, IDAC has recommended steps that developers should take to ensure the apps are safe for students.
IDAC recommends that developers refrain from location and data sharing unless necessary, be more transparent in their privacy policies, use best practices to check that no PII is being released to third parties, ensure safeguards and privacy controls are in place, determine whether the identifier is the most appropriate one and whether sharing it is necessary, and carefully review third-party SDKs.