After years of avoiding the public beatings that other technology companies have endured over the ways their educational products may threaten student privacy, Microsoft Corp. is suddenly taking heat.
At issue is the company’s newly unveiled operating system, Windows 10. Privacy experts and media outlets alike have raised the alarm over what they see as overly aggressive data collection.
One big example: Windows 10 appears to collect extensive data about the Web addresses that users visit, then sends that information back to the company’s servers for storage. In one test conducted by a computer engineer at the request of Education Week, an individual student’s login and password for a popular online educational service were among the data sent back to Microsoft.
Company officials say fears over such practices are overblown. For years, Microsoft has boasted publicly of its commitment to strong data safeguards, presenting it as a core piece of its brand. The company is also an original signatory of the Student Privacy Pledge, a voluntary commitment by industry groups to abide by privacy-protection best practices.
But chatter over Windows 10 has ballooned to such a degree that Terry Myerson, the executive in charge of the company’s Windows and devices group, felt compelled to write a blog post this month attempting to clarify what information the system is collecting, and what it is not.
“Trust is a core pillar of [the company’s vision], and we know we have to earn it,” Myerson wrote. “I assure you no other company is more committed, transparent, and listening harder to customers on this important topic than we are.”
For school officials to whom Microsoft 10 is being marketed, the trend of online education service providers seeking to collect ever more information can make life difficult, said Robert Moore, an ed-tech consultant who leads privacy initiatives for the Consortium for School Networking, a professional association for school technology officials.
That difficulty exists even when a company’s goal is simply to improve its product and better personalize its services, Moore said.
“The intent may be good, but are there ancillary practices that go along with it?” he said. “It comes back to understanding what they’re collecting, what they’re doing with it, and what you as a school district can control.”
Testing Privacy Settings
Lakewood, Fla.-based parent and computer engineer Tony Porterfield has made a habit of testing the privacy and security practices of the technology services his children use in school.
In 2013, Porterfield made waves when The New York Times published a story based on his critique of the security practices of the popular online learning platforms Edmodo and Schoology. In 2014 and earlier this year, similar stories were published based on his analyses of a behavioral management tool known as ClassDojo, and a reading assessment site known as Raz-Kids.com.
At the request of Education Week, Porterfield agreed to test Microsoft 10 this month. He upgraded a personal computer to the new operating system, elected to use the system’s default or “express” privacy settings, and accessed the Internet using the company’s new browser, known as Edge.
Porterfield then tracked what information was being automatically sent back to Microsoft servers.
When he accessed an educational website his child uses regularly for school, Porterfield found that his child’s username and password were included in the information being sent to Microsoft servers.
“Clearly, Microsoft is not intending to collect my kid’s username and password for this ed-tech app,” Porterfield said. “But they’re catching stuff they ought not to be getting. The real threat I see is breaches. We see that every day.”
A Microsoft spokeswoman said it was unclear what led to the child’s username and password to be sent and stored, but would seek to determine the cause.
Consumer advocates have cited other concerns, too. They say the system will allow Microsoft to collect and share personal information about users’ calendars, contracts, and appointments. Geo-tagged voice recordings captured by the system’s Siri-like virtual assistant, known as Cortana, are also sent back to Microsoft servers.
And some have complained that Microsoft’s “Windows Update Delivery Optimization” service essentially allows users to borrow bandwidth from other users they don’t know when updating their apps or PCs.
Taking all the steps necessary to disable those information-sharing features can lead users through a complicated maze of a dozen screens or more.
And even after those functions are disabled, Microsoft will collect other data, beginning when users open the start menu and begin typing, noted an article published by CNN Money.
The Microsoft spokeswoman acknowledged that Cortana does collect voice and location information, but said this practice is prominently disclosed when users decide to turn on the feature.
With the Windows EDU edition that would be used by schools, the default setting allows for sharing of bandwidth only within the school’s internal local area network, the spokeswoman said.
And “the average user” will not need to access more than a dozen screens to choose privacy settings, she maintained.
More Confusion Ahead
Microsoft officials say the company is collecting the information only so that user experiences are enhanced, and not to target advertising at them. They stress that the company is not scanning the content of users’ email messages and files.
Critiques centered around both of those practices have been leveled at other tech providers, including one of Microsoft’s main competitors. Last April, Google announced that it had halted the practice of scanning student Gmail accounts for any potential advertising purposes.
“We think the telemetry data in question [with Windows 10] is entirely different,” the spokeswoman said. “We are not using this data for ad-related purposes, as other educational services conceded they were.”
Other, nonpersonal information that Microsoft collects is designed to ensure the reliability of applications on the operating system and to correct flaws that would produce crashes, Myerson argued in his October blog post.
Information on the preferences of Windows 10 users, meanwhile, is collected to create a “personalized Windows experience,” Myerson wrote. Examples could include “remembering the common words you type in text-messaging conversations” or knowing your favorite sports teams.
The company declined to provide details on how widely Microsoft 10 has been adopted by K-12 schools.
Moore, the privacy consultant, said the messy privacy issues surrounding ed-tech products are only likely to get messier, leaving schools in a bind.
But even then, he said, it’s often a question of risk management for schools.
“You can be a smart consumer, but the reality is that it’s easy to get confused, even for those who are very savvy on these issues,” Moore said. “At some point, it comes down to your gut sense that a particular website or application has high value, so you want [schools] to use it, or it’s not that valuable, so maybe they should find something else.”