Coverage of the recent attack on computer networks and databases at Equifax, the credit reporting agency, is well outside the scope of a school news service like Voxitatis, but I wanted to reiterate why we have some of the policies we do.
Our editorial policies differ from those of the Associated Press and most news agencies and companies in the US in several important ways designed to protect students.
First, Voxitatis will not identify a recognizable student in a photograph. The exception to this rule would be an athlete competing in interscholastic sports, since photographs of the athlete will be found, by the time we publish the picture, in several other places. We only do this if the identity of the individual student is important to the story, such as when the story is about a personal accomplishment, rather than a team or school accomplishment.
Second, Voxitatis avoids the use of students’ last names in stories wherever possible. Our basic assumption is that, for most stories that are about schools, not about individual student accomplishments or failures, the identity of student participants is not newsworthy information. We therefore keep it out of our news reporting. As with photographs, when the story is about an individual student, not the school, we’ll probably use the name in order to make a complete and accurate report of the news.
For example, it is newsworthy that “a student” at such and such a high school said one thing; maybe it’s newsworthy that it was a male student or a member of the French Club. We always try to report only as much information about students as may be relevant and newsworthy for a given story. If, on the other hand, the story is about a football player who set a school record or a robotics team that won a state tournament, we’ll probably publish the names.
Once again, I want to remind all school teachers, administrators, students, parents, and others that any system that can be hacked will be hacked.
We learned this lesson from the breach at Target, the actions of Edward Snowden, and countless breaches of data due to incompetent information technology employees or outright criminals at other agencies, schools, companies, and so on.
The only way to keep your identity away from hackers is to keep your data off the computer networks at your school, home, business, or wherever you might want to put it.
In today’s world, that’s impractical, just as we have to make exceptions to our editorial rules about student identity for the purposes of reporting. Sometimes we have to make compromises to our rules for storing student data online. But it’s just that: We’re increasing the risk of being hacked and having our identity stolen by criminals or incompetent I/T employees every time we give our credit cards online, every test score we warehouse for a student, every grade we record online.
As many of our readers know, Voxitatis, through Seffalo Voxitatis Education, has developed software that will allow science teachers and others to provide ongoing feedback to students who complete projects online or in teams. We maintain a strict “no student names” policy on the site, although some teachers use a first name and last initial for their students.
We do what we can to protect the data, but the system is still on the internet because it has to be accessible to teachers and students at remote locations. Therefore, we assume the system can be hacked and everything on it could be stolen by a criminal. So we compromise and give students a number that can’t even track them from one class to another (they have a different number for each class they enroll in on the system).
This is a compromise because it makes the system less user-friendly. Students have a different login for their biology class, say, than they have for their algebra class. This is inconvenient and a departure from how most online teacher-student communication platforms do it. But our board of directors likes it, and so do I.
It means, even if the data are stolen and hacked, people will have no idea who did any of it, who the people are who contributed or completed work on the system, or where they go to school. The hackers will be able to steal the work itself but not the identity.
Following a practice adopted by Code.org, we have also decided to encrypt email addresses in our database. Teachers and students use their email address as a sign-on, so this is a compromise on our part. By encrypting the email address in our database, it means we can’t see what the email address is. As a result, we can’t send our users an email message.
But it also means a hacker won’t be able to harvest the email addresses of our users. That extra protection is worth it for me, because we don’t have a huge programming staff that can build safer protections for this data, like they have at Google or Facebook.