Information Security in Education/Legal Issues

Introduction

 * In 2006 alone, approximately 161 billion gigabytes of digital content were created, stored, and shared around the world. This is equivalent to twelve stacks of books extending as high as the sun, or approximately six tons of books for every person on the earth (Gantz, 2008). With digital content being developed at these rates, educators need to think about digital media's impact not only on student learning but also on the legal issues that are connected with it. The goal of this wikibook is to provide school administrators and educators with an overview of some of the legal issues relating to technology in K-12 school systems. In particular, an overview of some of the most common laws as well as some case studies will be provided.

The Children’s Internet Protection Act (CIPA)

 * The Children’s Internet Protection Act, known as CIPA, is a federal law enacted by Congress. The law was enacted to address concerns about minors having access to and being exposed to offensive content over the Internet.


 * The Neighborhood Children’s Internet Protection Act (N–CIPA), Sec. 1732 of CIPA, imposes certain types of requirements on any K-12 school or library receiving funding from the E-rate program. Specifically, N-CIPA requires any public school or library receiving E-rate discounts to develop and enforce an Internet Safety Policy (ISP). The policy must address harmful or inappropriate online activities. In particular, schools and libraries must have the following in place in order to receive discounts offered by the E-rate program:


 * ~Technology protection measures to block or filter Internet access to pictures that are obscene, child pornography, or harmful to minors.


 * ~An education program informing minors about appropriate online behavior. This must include information on cyber bullying as well as information about interacting with other individuals on social networking sites and in chat rooms.


 * ~A policy in place to monitor online activities of minors.


 * ~A policy that addresses the following: access by minors to inappropriate matter on the Internet; the safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications; unauthorized access, including so-called “hacking,” and other unlawful activities by minors online; unauthorized disclosure, use, and dissemination of personal information regarding minors; and restricting minors’ access to materials harmful to them. This policy is commonly referred to as an Acceptable Use Policy (AUP).

Acceptable Use Policy (AUP)

 * An Acceptable Use Policy (AUP) is a written agreement signed by students, their guardians, and their teachers. An AUP typically identifies the types of tools students will use on the network, defines boundaries of behavior along with the consequences of violating those boundaries, and informs students and parents of the actions that could be taken by the administration in order to maintain the school's network.


 * If a school receives federal funding for its communication technology (see CIPA), then the school is required to develop an Internet Safety Policy (ISP), which is more commonly known as an AUP. Because AUPs tend to be approved by the school board, they are legally binding documents. More information about a district's AUP can be accessed on the school's Web site. General information on AUPs can be found at the Virginia Department of Education's Web site.

Privacy Rights

 * Privacy Concerns on a School's Network

Merriam-Webster defines privacy as the quality or state of being apart from company or observation. Unfortunately, many experts in the field of Internet security will tell you that privacy over the Internet does not exist. For example, in his 2000 book, Secrets & Lies, Bruce Schneier elaborates on how privacy is almost non-existent on the Internet and how erasing digital information is, if not impossible, then extremely difficult to do. Steve Rambam speaks to the issue of privacy being non-existent in his presentation entitled Privacy is Dead-Get Over it! And CIPA clearly states that in order to protect children on the Internet, schools need to adopt a policy that monitors online activities of minors. In addition to this, most AUPs have a clause stating something similar to the following: "It is often necessary to access user accounts in order to perform routine maintenance and security tasks; because of this, system administrators have the right to access user accounts, including stored information, in order to uphold this policy and to maintain the system."


 * Fortunately, although it appears pretty much any computer/Internet activity that is conducted in a public educational entity can be monitored, there are some laws that protect a person's privacy. The following federal laws are the most common ones referred to regarding privacy rights:


 * ~Family Educational Rights and Privacy Act (FERPA) 20 USC 1232g (1974)


 * ~Protection of Pupil's Rights Amendments (PPRA) 20 USC 1232h (1978)


 * ~USA Patriot Act, P.L. 107-56 (October 26, 2001)


 * ~Privacy Act of 1974, 5 USC Part I, Ch. 5, Subch. 11, Sec. 552


 * ~Health Insurance Portability and Accountability Act (HIPAA)


 * ~The Electronic Communications Privacy Act (ECPA)


 * Most of these laws protect both students' and adults' privacy. However, the Patriot Act actually amends the Family Educational Rights and Privacy Act to allow educational institutions to disclose personal information to the Attorney General if the person is believed to be connected to a terroristic crime. More information on the Privacy Act can be accessed by clicking on the link above.


 * Privacy Concerns outside the School's Network
 * With the onset of social networking sites such as Facebook and MySpace, concerns arise as to how private one's personal life is, especially for educators. An example of this is seen in the case of Stacy Snyder vs. Millersville University. Ms. Snyder was denied her teaching degree by the University due to a controversial picture that she posted on her MySpace page. This case is one example of teachers posting questionable content on their personal sites. Many school districts are now warning teachers to be cautious about their online activities. Some districts have gone so far as to create policies to regulate the virtual lives of their employees. Whether or not this violates any privacy concerns or First Amendment rights has yet to be determined.


 * Web Profiling & Search Engines
 * Web profiling occurs when an organization monitors your movement on the Internet, collecting information on the sites you travel to, how long you stay on each page, and what you do on these sites. This information is then entered into a database to create a Web profile. This information can be utilized by marketing firms for advertising. Is this legal? Unfortunately, in most cases, the answer to this is yes. An interesting example of this pertains to search engines. When it comes to search engines, ALL information entered into a search engine is saved. And according to Andrew Brown, it is not just information entered into the search engine that is saved; e-mails, MapQuest searches, account information, etc. are saved as well. So, as mentioned in the opening paragraph, most of what we do on the Internet is not private, and there appear at this time to be no laws to truly protect one's privacy on the Internet.

Web Publishing Issues

 * Many schools have Web sites. Some schools post pictures of their students, students' accomplishments, school newsletters, and other samples of student work on their site. Some districts restrict publishing these documents on their sites. The posting of personal student information on a school's Web site needs to be explained in a school policy manual such as the student manual policy, the AUP, or some other policy. No information identifying a student should be posted on a school's Web page without the student's and guardian's permission. Information about what one can publish on the school's Web site can be obtained from a school administrator or technology coordinator in one's district.

Copyright Infringement and Plagiarism

 * With access to the Internet, both copyright infringement and plagiarism are common concerns that need to be addressed with all persons, including students and adults.


 * Copyright infringement occurs when a person inappropriately reproduces a work that is copyright protected. An example of this is installing a single-user software program onto multiple computers. Most work that is copyright protected will identify what may be considered appropriate use of that work. If it doesn't, it is best to either receive permission from the owner of the copyright or not use the work at all.


 * Plagiarism involves stealing the work of someone else and passing it off as your own.


 * Copyright infringement is illegal. Although plagiarism is technically not illegal, if it is addressed in a school's AUP, then it technically is illegal at the level of the local organization. Since most AUPs outline information pertaining to copyright infringement and plagiarism, it is critical that both students and adults are aware of the legalities pertaining to both, as well as the consequences at both the school level and court level.


 * Technology, Education, and Copyright Harmonization (TEACH) Act
 * Although copyright law generally treats digital and non-digital copyright-protected works in a similar manner, special digital uses, such as online distance learning and course management systems, have some exceptions applied to them. These exceptions are addressed in the TEACH Act.


 * Under the TEACH Act:
 * ~Instructors may use a wider range of works in distance learning environments.
 * ~Students may participate in distance learning sessions from virtually any location.
 * ~Participants have more latitude when it comes to storing, copying and digitizing materials.

Computer Fraud and Abuse Act

 * The Computer Fraud and Abuse Act (CFAA) is a law passed by the United States Congress that was designed to reduce cracking of computer systems. It covers instances in which a person or persons commit the following acts:
 * ~Access a computer without authorization in order to obtain national security data
 * ~Intentionally access a computer without authorization to obtain financial records, including consumer records from financial or consumer reporting agencies
 * ~Obtain information from any department or agency of the United States
 * ~Obtain information from any protected computer involving interstate or foreign communication
 * ~Access without authorization a government computer and affect the use of the government's operation of the computer.
 * ~Access a protected computer with the intent to defraud and thereby obtain anything of value.
 * ~Cause the transmission of a program, information, code, or command that causes damage or intentionally accesses a computer without authorization, and as a result of such conduct, causes damage.
 * ~Knowingly and with the intent to defraud, traffic in a password or similar information through which a computer may be accessed without authorization.