Cybersecurity Starts Here
Originally published in TEACH Magazine, Digital Citizenship Special Issue, 2020
By Adam Stone
Rayna Freedman, a fifth-grade teacher at Jordan/Jackson Elementary School in Mansfield, MA, worries about the degree to which her students’ private selves are exposed online. She’s concerned about how unconcerned the kids themselves are.
“When they check the box to sign up for an app, they don’t understand what they are agreeing to,” she says. “Sharing information with companies about sites you visit, sharing your physical location or your IP address: my kids have zero knowledge about any of these. They are just checking boxes with no understanding.”
When it comes to privacy and security, K-12 teachers have good reason to worry. A recent report by the K-12 Cybersecurity Resource Center shows over 770 publicly disclosed cybersecurity-related incidents involving U.S. public schools since 2016—and that is just the hacks. When you add in all the information kids freely give away, it’s easy to see why teachers would be concerned.
In fact, teachers often are at the front line in raising awareness of cyber security. “About a third of American students learn to keep their personal information secure through school resources,” says Judith Bitterli, McAfee VP of Marketing, Consumer. “This demonstrates a crucial opportunity for teachers to instill awareness and security best practices in young children at school, so they are always protected and continue to stay safe in college and beyond.”
Let’s consider this from two angles. First, there’s the messaging itself: what do kids need to know about online security? Then there’s the how: what tools and techniques are out there to help get that message across?
What It’s All About
In order to teach privacy, educators first must learn some basic rules of the road. In the U.S. this means having at least a passing familiarity with the Children’s Online Privacy Protection Rule, a federal statute that limits a web site’s use of personal information for kids under 13.
To safeguard privacy, teachers need to ensure digital tools used in the classroom are in compliance, says Kerry Gallagher, assistant principal at St. John’s Prep in Danvers, MA and director of K-12 Education for the nonprofit ConnectSafely. “Teachers need to understand those rules. Then when a child is excited to use a particular tool or an application, they can talk about that piece of it,” she says.
Compliance is just a starting point. The heavy lifting comes when teachers try to help kids understand why digital privacy matters. That’s a hard sell when you are talking to people who may lack a basic concept of privacy—period.
“Because the children in K-12 have always lived in a world where the Internet exists and where information is free flowing and easy to access, they don’t have a strong sense of what privacy even means,” Gallagher says. “They don’t think of themselves as ‘private.’ They have a fundamentally different mindset than most adults.”
It’s hard to have a meaningful conversation about setting personal boundaries online, when kids don’t understand boundaries at all.
Sometimes a personal example is required. “I talked about how, when I got diagnosed with cancer, I had a private Facebook group to share that with,” Freedman says. “The kids asked why I didn’t want to just be public with it, and I explained that I wasn’t ready yet. That’s a new idea to kids whose parents don’t even ask before posting pictures of them on Facebook.”
In order to teach privacy, and to engage kids in conversations about security, it’s therefore necessary to go beyond a simple list of rules, the do’s and don’ts of cyber hygiene. The messaging here has to be personal and somewhat nuanced.
“It’s about calibrating their emotional intelligence with how they behave online: how did this online behavior make you feel, and do you want to feel that way?” Gallagher says. “It’s easy to put together a list of rules, but those things won’t fit every child. Our job as educators is to guide children through a path of self-discovery, and this whole area is just one more place in which we can help them to figure who they are and how they can share themselves with the world.”
There’s also a more practical, nuts-and-bolts angle to this. For kids to stay safe, they need to know the threats.
“Account takeover is the number one abuse on the internet. That’s when someone gets your password, logs in as you, and takes over your account. Even fifth graders have passwords, so they need to be aware of that,” says Dr. Anthony Vance, associate professor of management information systems and director of Temple University’s Center for Cyber Security.
Kids also need to know that even trusted parties cannot be wholly trusted. “It used to be about bad actors hacking your system. Now kids need to think about implications of companies that you like and trust, and how they use your data,” says Matt Dascoli, a former teacher and presently Dell Education Strategist.
They also need to understand that nothing is really private online. “Young people may have the mistaken notion that they are anonymous online,” Vance says. “As a teacher you can Google ‘what is the IP address of my device’ and you’ll see the geo-location of that device. That is eye-opening for kids, that your IP address alone can tell people a lot about you.”
Finally, they need to understand digital persistence, the idea that nothing you do online ever goes away. “I tell them: let me show you what I can find out about you and what you have done,” says Kathryn Ives, Director, Integration Services of Pflugerville ISD in Texas. “I pull up the Wayback Machine and quickly find things they have posted about themselves and even things they had deleted. The room gets alarmingly still. And I follow up with: your college’s recruiters know how to do this too.”
Clearly, the privacy-and-security landscape is broad and complex. How best to communicate this mass of information, without overwhelming the kids?
Tools and Techniques
Every time a new app comes into the class, that’s an opportunity.
“When our teachers create an account on an app, they talk about how their information is protected on that app,” Gallagher says. “Then if students want to use a different app, there is a conversation about how that tool may not be prepared to protect their information, based on the requirements under the law.”
Freedman leveraged commercial technology to make the same point, introducing the Google Home smart speaker to show kids the privacy implications of the new consumer tools. “We took the district’s responsible-use policy and rewrote it for Google Home, specifying that when they are on Google Home they will not share their home address,” she says.
It took two months of classroom discussion before she ever fired up the device. “They really thought about all the data you can collect from voice,” she says. “I didn’t want to turn it on until they really understood what was going on.”
By the same token, teachers should be careful not to introduce classroom tools that fail to make the grade. “Educators may find a personal scheduling tool or a task manager that works really well for them, and they’ll recommend it to a student who struggles with organization,” Gallagher says. “But maybe that app wasn’t designed for the K-12 environment. It wasn’t designed for children.”
All these conversations need to take place not just once but throughout the school year.
“Traditionally you brought everyone down to the library for a one-time lesson,” Dascoli says. “Now with students increasingly being online in school, those opportunities for learning have to happen throughout the day. Any time the students are actually working online, that’s a perfect opportunity to talk about how we behave online, what details we share there.”
What details should they share? In the past kids were told to hide their true identities online: sharing personal information could lead to abduction. Now, with all the statistics suggesting that stranger abduction is extremely rare, students are instead encouraged to be themselves. Not that they should disclose details like their age or home address, but rather that they should strive for authenticity.
“The person you are here and now, that’s the same person you should represent online. Share your real self, be the genuine you. If you make mistakes online, that’s part of you, it’s what makes you a whole person,” Gallagher says.
In this way, kids will learn naturally to keep their private selves private. “There are some inner thoughts that you wouldn’t bring up in a face-to-face conversation, so you don’t put that online. If you wouldn’t say it in a classroom or you wouldn’t say it to your mom, then if you are being yourself online, naturally you wouldn’t say it there either,” she says.
Kids are more apt to behave appropriately when they are empowered, Freedman says. She has a class Facebook page, “and while I have their parents’ permission to post any classroom picture, the kids know that they can tell me ‘not today,’ or if it’s a group photo, they don’t have to be in that photo,” she says. “Because I give them a voice, it teaches them that they can choose what to share.”
This strategy of making it personal is key to helping kids who may have a limited understanding of ‘privacy’ at the start.
“When I teach freshmen and sophomores, a lot of them say: privacy doesn’t matter because I have nothing to hide,” Vance says. “That’s not true, everyone has things that are private and valuable. So we need to have that conversation. What are the things that are valuable to you? What is personal? What could someone use against you? If you can have those conversations, they start to understand the kinds of traces that they are leaving in the digital world and what that might mean.”
Those “traces” matter—the digital persistence that can follow students through the years. How to convey this to the notoriously short-term brains of the K-12 crowd?
Sometimes the most effective way is to show them. If they’ve got a social presence, you can go back through their timeline and talk about what you see. “If they put something on there and a year later they feel like that was dumb, you can talk about whether they want to take that down, or maybe they want to leave it as an artifact, a digital record of their lives,” Gallagher says. “The important thing is to have the conversation.”
While all these human-centered strategies can help ensure safety and privacy, others take a more hardline approach. “We have boundaries,” Ives says.
“We don’t just open up the browser and tell them to search. They go into a portal and they see the resources that we have selected as a curriculum team,” she says. “Our internet is filtered, YouTube is filtered. On YouTube teachers can see anything, but the students only have access to some things, based on categories that we have selected.”
If a kid makes a request for a YouTube asset, “we will watch that video completely through, and if it matches the curriculum and it is appropriate for the student, we will unblock it for that student,” Ives says.
Even as a proponent of digital guardrails, Ives admits this approach will only get you so far. “We can block 100 different sites every single day and there will be another thousand the next day. They can always get around our filters,” she says. “So we have to have the hard conversations. They will say: ‘I use this at home so why can’t I do it here?’ We get that a lot.”
In one case a teacher called the network engineer’s office when a student accessed a ‘dark web’ site that showed disturbing content—“in the violent torture category,” Ives says. “Our job is to protect our kids and keep them safe, and yet we can’t do anything about some of these things.”
If you can’t block it, discuss it. “They have to know that we know what they are doing, that we know what they can do,” Ives says. “Then the conversation is: just because you can, should you? If you end up someplace you shouldn’t be, can that harm you? Can it harm someone else? Do you think this would make your parents proud?”
Great technology, great people and great systems “can only go so far,” she says. “We still have to talk about ethics.”
Gallagher points to a number of helpful tools teachers can use to determine whether apps and web sites meet K-12 privacy standards, and also to craft useful classroom practices around privacy and security.
- ConnectSafely.org has an educator’s guide to student data privacy.
- Through the Student Data Privacy Consortium, tech companies agree to meet minimum privacy and safety requirements, giving members access to a database of vetted tools.
- Almost 400 tech companies have signed the Student Data Privacy Pledge, pledging to meet student privacy and security guidelines.
A seasoned journalist with 20+ years’ experience, Adam Stone covers education, technology, government and the military, along with diverse other topics.