Capistrano Unified School District Data Breach- Total Registration
Author Dawn Urbanek | urbanek@cox.net | If you find this research valuable, please consider a donation to The Equity Project
June 16, 2019
Public Inquiry Unit
Office of Attorney General
PO Box 944255
Sacramento CA 94244-2550
Find out what's happening in San Juan Capistranofor free with the latest updates from Patch.
[the following Sent via e- mail]
Douglas A. Levin
President, EdTech Strategies, LLC dlevin@edtechstrategies.com
Student Privacy Pledge
Find out what's happening in San Juan Capistranofor free with the latest updates from Patch.
Erika Ross, Communications Associate, Education Privacy Project, FPF, eross@fpf.org
Diane Pinto, Public Policy Coordinator, SIIA, dpinto@siia,net
Future Privacy Forum info@fpf.org
I wanted to bring more information to your attention regarding Capistrano Unified School District's Data Breach - Total Registration. I also want to express my concern about the Capistrano Unified School Districts collection of data using "student informed consent" for not only the collection of personally identifiable information with no ability to opt out, but the collection of social, emotional, sexual and health data without parental notification.
I also want to express my deepest concerns about the College Boards new Diversity Score. That is not appropriate and will actually limit educational opportunity of students based on wealth, race and ethnicity. Such discrimination is unconstitutional and the College Board should no longer be allowed to engage in educational testing.
In California, resident students are already being denied seats at our UC's so that they can be sold for profit to International students, most of which are from the Peoples Republic of China. When diversity scoring is added, greater numbers of deserving (based on merit) California resident students will be denied access to our public education system all together. See: SWORN COMPLAINT California Taxpayers vs University of California and the State of California: The University of California- Its Admissions and Financial Decisions Have Disadvantaged California Resident Students.
Capistrano Unified School District Data Breach- Total Registration
Supporting documentation | email Douglas A. Levin | email Douglas A Levin | Privacy Agreement CUSD/Total Registration | College Board Documentation | Total Registration Documentation | Aliso Niguel High School Documentation | Dana Hills High School Documentation | San Clemente High School Documentation | San Juan Hills High School Documentation | Tesoro High School Documentation | May 14 2018 Public Records Request | May 23, 2018 CUSD Response to Public Records Request |CUSD monitizing data | CUSD Social Emotional Sexual Health Data Dashboard| CUSD Application to Conduct Research | CUSD Notice of Breach to Parents | CUSD Notice of Breach to State Attorney General | Data Mining Marco Forster Middle School| Memorandum of Understanding with Mission Hospital | Dr. Susan Holiday IT specialist |
On May 17, 2019 CUSDWatch received an e-mail from Douglas A. Levin, President of EdTech Strategies, LLC notifying me that the Capistrano Unified School District may have had a data breach involving Total Registration that was reported on DataBreaches.net: Vendor used by schools to register students for AP and PSAT exams left personal information of thousands students unsecured.
"In early April, DataBreaches.net was contacted by a researcher who had discovered that Total Registration had failed to secure their Amazon bucket, leaving student and parent information exposed in plain text, without any password required to access it."
"DataBreaches.net reached out to the firm to notify them, and received an acknowledgement that the problem had been taken care of. But the firm did not respond when this site subsequently sent them an inquiry as to whether they were notifying any students or their client school districts about the exposure."
"In the absence of an answer about notification, DataBreaches.net took a closer look at what was in the files provided to this site by the researcher."
Included in the list was Capistrano Valley High School in the Capistrano Unified School District. All CUSD high schools required students to register for AP Testing through Total Registration as evidenced by documentation contained further down in this article.
"Some of the files contained students’ date of birth, as well as additional demographic information on students and their parents. A quick analysis of files in one directory returned approximately 300,000 unique email addresses. If there were two email addresses for each student (one the student’s and one their parent’s), that would suggest that there were approximately 150,000 students’ whose data may have been in the unsecured files."
The following is a redacted sample of the data collected by the researcher.
DataBreaches.net sent email notifications to a few school districts but received no responses from the few districts it contacted. CUSDWatch was contacted because of an article that was written in San Juan Capistrano Patch on May 4, 2018: Attention CUSD Parents of AP Test Takers... You may have been overcharged for the test fee, and your child's data may have been breached
In a second e-mail from Douglas A. Levin, President of EdTech Strategies, LLC he referred me to a follow-up article The K-12 Cybersecurity Resource Center: Total Registration Totally Pwned:
"The re-selling of student data collected via the admissions testing process is big business and controversial (see, e.g., “For Sale: Survey Data on Millions of High School Students” published July 29, 2018 by Natasha Singer of the New York Times). In fact, the publication of this story in the New York Times led to the College Board’s status as a signatory in good standing of the Student Privacy Pledge to be placed ‘under review’ a mere two days later by the Future of Privacy Forum and the Software & Information Industry Association (“The College Board’s Student Privacy Pledge Status“). As of today, almost nine months later, the concerns about the College Board’s information usage practices with respect to these background questions remain unresolved."
"The U.S. Department of Education outlined these issues–along with their recommendations for how districts could remain in compliance with federal student privacy laws–in their May 2018 guidance, “Technical Assistance on Student Privacy for State and Local Educational Agencies When Administering College Admissions Examinations PDF].” That guidance summarizes the issue as follows:"
“In connection with these college admissions examinations, testing companies administer voluntary pre-test surveys asking questions about a variety of topics ranging from academic interests, to participation in extra-curricular activities, to religious affiliation. We have heard from teachers and students, however, that the voluntary nature of these pre-test surveys is not well understood, and that each of the questions requires a response, and the student must affirmatively indicate in response to multiple questions that the student does not wish to provide the information. The survey’s multiple questions are designed to allow targeted recruitment, and students are specifically asked whether they would like to receive materials from different organizations, including colleges and scholarship organizations. For students who consent to being contacted by these organizations, the testing companies then sell this information to colleges, universities, scholarship services, and other organizations for college recruitment and scholarship
solicitation.
The Capistrano Unified School District has a Long History of Monetizing Student Data
In 2018 the Capistrano Unified School District (CUSD) allowed school site Principals to enter into contracts which required all AP test takers to register for testing through a third-party for-profit company named Total Registration.
This arrangement allowed individual school sites to profit off of AP testing.
- Individual school sites set the registration fee at $100 per test. The actual cost should have been $94 per test. Parents were overcharged by $6.00 per test.
- In addition to the $6.00 overcharge, some school sites asked for volunteers to proctor the exam. The College Board refunds $9.00 per test back to schools to cover the cost of hiring test proctors. This means that schools using volunteers as protectors overcharged parents by $15 per test ($9 + $6).
- Testing fees can be reduced based on volume of tests, which would add a third revenue stream back to the District on top of the $15 per test.
- In 2018 CUSD administered 4,841 AP Tests X $6= $29,046.00
- If volunteer proctors are used 4,841 AP Tests X $15 = $72,615.00
Why should CUSD be allowed to profit off of AP testing?
Why should students be forced to provide Total Registration; a 3rd-party for-profit company, with personally identifiable data in order to take their AP tests? The school site Prinicpals did not provide any opportunity for students to opt out of providing personally identifiable information that they did not want to share. If they wanted to take the test, they had to provide ALL requested information.
This arrangement allowed individual school site Principals to determine what personally identifiable information was required to be collected in order to register for AP testing.
The Capistrano Unified School District has started to allow employees; "Principals", to enter into contracts at school sites without Board approval or District oversight. CUSD takes no responsibility for the contracts that district employees execute.
In 2018 individual school site Principals requested personally identifiable information on Total Registration AP Registration form such as social security numbers, self-reported parental income, disabilities, and/or cell phone numbers. Students could not register for their AP tests unless all of the information was provided.
What are individual school site Principals doing with the personally identifiable information they collect?
In Response to a PUBLIC RECORDS REQUEST CUSD stated:
These contracts were entered into by each school site Principal. What this response implies is that any employee of CUSD that has access to student data can enter into a third party agreement to monetize students personally identifiable information and can do so without Board approval or District oversight.
Supporting Documentation
May 17, 2019 email from Douglas A. Levin EdTech Strategies, LLC re: Total Registration
May 17, 2019 email from Douglas A. Levin EdTech Strategies, LLC re: Total Registration
March 22, 2018 California Student Data Privacy Agreement Capistrano Unified School District and Total Registration
How does CUSD reconcile the "agreement between Capistrano Unified School District and Total registration" with their response to my Public Records Request?
CUSD has never provided the individual school site contracts between the Principles and Total Registration despite this Public Records Request.
[page 3 missing from response]
No Data Security Requirements?
College Board
Our Commitment to Student Data Privacy
When students take a College Board assessment, they have every right to know what information they choose to provide, why we ask for it, and how we may share that information.
Here’s the first thing to know: The College Board collects personal information only to administer tests and deliver educational opportunities to students.
Here’s the second thing: The College Board gives students and families complete discretion as to how much additional information they disclose, beyond the minimum information needed to connect students with college success, including registering for the SAT or saving college lists.
During the registration process, we ask students for information needed to score the test. Students also complete a questionnaire, which include a series of optional questions. For instance, students can provide their race or ethnicity, and by doing so, help the College Board evaluate the fairness of the test and ensure that it is fair and accurate for all students. By sharing their course preference and potential college major, counselors and college admission officers can help students make plans for the future. Students can indicate if they come from a military family in order to be connected to unique information and resources.
As we make clear to students, they don’t have to respond to these and other optional questions, but we recommend they do because it helps us and our members best deliver programs and opportunities to serve students.
We are in constant dialogue with students, parents, educators, and state and district partners in order to evaluate our policies and procedures. As a result of this engagement, we regularly enhance student privacy. For example, just recently, we announced:
We will no longer collect Social Security numbers from students who participate in our assessment and instruction programs. (Effective August 2018)
The question about religious preference or affiliation on the questionnaire will change from "Indicate your religious preference or affiliation" to "Are you interested in religious colleges or religiously affiliated campus clubs/activities? If yes, select a religion below." (Effective August 2017)
The College Board has a deep respect for student privacy, and we are committed to protecting it. We are a signatory, with more than 200 K-12 school service providers and education leaders, of the Pledge to Safeguard Student Privacy, a public commitment for the responsible collection and use of student data. You can learn more here, including about the principles that ensure our commitment to privacy.
Additionally, here are answers to some questions we frequently receive.
Q: Does the College Board sell student data?
The College Board does not sell student data. Through Student Search Service, students may participate in a voluntary program that connects students with information about educational and financial aid opportunities from nearly 1700 colleges, universities, scholarship programs and educational organizations. When students take the SAT, PSAT/NMSQT and PSAT 10, they are asked if they want to participate. By opting in, they give the College Board permission to share their name and limited information with college and scholarship programs looking for students like them. The College Board never shares social security number, actual test scores, self-reported parental income, disabilities, or phone numbers as part of Student Search Service. Participation is completely voluntary and students can opt out at any time. Eligible institutions sign a license agreement with the College Board, and the College Board consistently monitors their use of student information for compliance. After a five year term, the institutions must permanently destroy the data.
Q: Does the College Board make unsolicited phone calls or send unsolicited texts?
We do not send students text messages or emails or call them on the phone unless they specifically opt in to the communication.
From Total Registration
Capistrano Unified School District High Schools
From Aliso Niguel High School Web Site
From Dana Hills High School web site
IMPORTANT - College Board returns $9.00 out of every $94 test fee to pay for AP Exam Procters. If Dana Hills High is using no-paid "volunteers" then Dana Hills High School is profiting by $9.00 + $6.00 overpayment. $15 per test.
From San Clemente High School Web Site
From San Juan Hills High School Web Site
From Tesoro High School Web Site
May 14, 2018 PUBLIC RECORDS REQUEST
May 14, 2018 District Response to PUBLIC RECORDS REQUEST asking for 10 days
May 23, 2018 District Response to PUBLIC RECORDS REQUEST #119
CUSDs' Application to Conduct Research
CUSD is measuring Social-Emotional Learning while everyone else realizes it is unethical to collect personally identifiable data on EVERY student with NO ABILITY FOR PARENTS TO OPT OUT!
"When the Every Student Succeeds Act was enacted, speculation swirled that states might use it as a launching pad to use measures of students’ social and emotional competencies to determine whether their schools are successful."
CUSD's "LOCAL" DASHBOARD
The Capistrano Unified School District in Orange County California is doing this. In addition to California's State Dashboard, CUSD has developed its own "local Dashboard" specifically designed to capture social, emotional, sexual and health data on every student in the District, because it does not allow students to "Opt Out".
The work they are doing is getting so close to HIPPA Violations it is scary.
I have have stood before that board many time and expressed my concern about the Collection of personally identifiable information on EVERY student with no ability to OPT OUT
See: See May 17, 2017 Board Workshop (which they do not record) Agenda Item #1 District Dashboard
Yellow: Social Emotional Indicators
Blue: Academic Indicators
See also CUSD's "Application to Conduct Research" where they sell that data to any interested party.
Letter [No Date (Really?)] from the Capistrano Unified School District to Parents re: Total Registration Breach
Submitted Breach Notification to State Attorney General Xavier Becerra
Examples of Data Collection Without Parental Notification
Example 1:
The Principal of Marco Forster Middle School entered into a "research -practice partnership" MOU with UCI that was to serve as a model for Orange County and the broader transformation of Public Education where students will participate in a Breakthrough Collaborative.
The Marco Forster Middle School will facilitate the distribution of STUDENT INFORMED CONSENT DOCUMENTS FOR RESEARCH that has been approved by school leadership as being focused on school improvement efforts and that has been approved by the UCI human subject review board to ensure protecting the privacy rights of students.
Example 2
On September 1, 2013 CUSD and Mission Hospital entered into an MOU to "improve the quality of life for faculty, staff, students and student families through education and referrals in the areas of childhood obesity and asthma."
The Original MOU
Name: Mission Hospital's Health Promotion Services - Asthma and Obesity program.
Term: 5 year contract September 1, 2013 to September 1, 2018.
Under the original MOU Mission Hospital was to share personally identifiable health data to CUSD that is suppose to be protected by HIPPA.
Agenda Item #11 makes the following changes to the original MOU
- The name "Health Promotion Services" is being changed to "Community Benefit"
- The services are being changed. Mission Hospital will no longer address the areas of childhood obesity and asthma the services will focus on substance abuse prevention and mental awareness.
- Outside Consultants may conduct student and/or Parent Surveys with CUSD's permission.
- The agreement is being modified to ensure that all survey data collected either hard copy or electronically will be gathered and stored anonymously. Note: This indicates that the personally identifiable information collected during the study of Asthma and obesity were not stored anonymously.
- The Term of the Agreement is extended to June 30, 2020. Note: That is because they want to collect 3 years of data on substance abuse prevention and mental awareness.
This Item was passed on the Consent Calendar without Discussion
This should not be done as a "modification" to an existing MOU. This should be a NEW Agreement.
Doctor Susan Holiday - Curriculum Specialist... or Data Miner?
The person dictating curriculum at CUSD is Dr. Susan Holiday. She is an IT person?
Dr. Susan Holiday is an IT/Health person. There is a lot of data to indicate that she is at CUSD to Data Mine students. She is the person that set up CUSD’s “Social/ Emotional Dashboard”; designed to collect social, emotion, sexual and health data on students.
DISSERTATION
Coaching for technology integration: A strategy in staff development
Susan E. Holliday, La Sierra University, United States
http://www.learntechlib.org/p/118686/
