Josh Golin's Testimony to the Massachusetts Joint Committee on Education


Josh Golin

On June 27, CCFC's Josh Golin testified in front of the Massachusetts Joint Committee of Education about inBloom and other threats to students' privacy. For more information about how to stop inBloom in Massachusetts, please visit

Testimony of Josh Golin to the Massachusetts Joint Committee on Education Regarding H.331: An Act prohibiting service providers who offer cloud computing services to K-12 educational institutions from processing student data for commercial purposes.

My name is Josh Golin and I am the Associate Director of the Campaign for a Commercial-Free Childhood. CCFC is a national organization that supports parents’ efforts to raise healthy families by limiting corporations’ access to children and ending the exploitive practice of child-targeted marketing. I am here today on behalf of our 50,000 members, including the nearly 4,000 here in Massachusetts.

H.331 would prohibit providers who offer cloud-based computing services to K-12 educational institutions from processing student data for commercial purposes. This legislation is an attempt to address a growing and serious problem in Massachusetts: The exploitation of student’s private data by for-profit companies. If H.331 is strengthened, it will make Massachusetts a leader in protecting students’ privacy. We, at CCFC, are happy to work with the committee to draft legislation that gives children the protections they need.

The world of advertising is being radically transformed. The prize for marketers is no longer our eyeballs in front of a television screen, but information about who we are, what we like, and how we’re vulnerable. Schools, which collect and have access to a wealth of such personal information about students, are particularly attractive to marketers. For that reason, they need policies to insure that student information is not exploited for profit. Two recent and ongoing programs in Massachusetts illustrate why these protections are needed.

Massachusetts is one of five states committed to participate in the development and pilot testing of inBloom, a Gates Foundation initiative. Through inBloom, student information will be stored on a data “cloud” and shared with for-profit corporations, without any guarantee that the information will be safeguarded. Currently, inBloom is being piloted in Everett and education officials are considering expanding it to other districts in the state.

inBloom is configured to collect extremely sensitive, personally identifiable, student data, including student names, grades, test scores, detailed disciplinary, health and attendance records, race and ethnicity, economic and disability status. Data fields even include whether a student is pregnant, attends a religiously-affiliated school, has refugee status, has been removed from his or her home by Child Protective Services, or has been involved with law enforcement for an out-of-school incident. It is difficult to understand how students would benefit from having such sensitive personal information about them shared with for-profit corporations, but it is clear that such disclosures could harm students. Amazingly, parental consent is not required before sharing this data with inBloom and its for-profit partners, and there is no mechanism for parents to opt their children out.

It has been reported that technology companies eagerly anticipate “huge” profits from access to this data.  Currently, the inBloom website lists 21 “providers,” including giant corporations like Amazon and Dell. To date, no inBloom or Massachusetts representative has identified any protections which are in place to ensure that students’ information will not be shared within these companies, many of which have multiple divisions and thousands of employees.

The collection and sharing of this data is even more troubling because it is stored on a “data cloud” owned and operated by Amazon. In a recent survey, 86% of technology professionals said they did not trust clouds to hold their “more sensitive” data.  Indeed, inBloom Inc.’s own privacy policy acknowledges that it “cannot guarantee the security of the information stored … or that the information will not be intercepted when it is being transmitted.” 

Massachusetts officials claim that the sharing of data with inBloom and private companies is legal under the Family Educational Rights and Privacy Act (FERPA). But critics argue that the U.S. Department of Education’s 2011 changes to FERPA—which now allows school districts to share sensitive student data with private contractors—violate the original intent of the law. Recently, the Electronic Privacy Information Center filed suit against the U.S. DOE for these changes to FERPA.  It could, however, be years before this lawsuit is resolved. It is critical, therefore, that Massachusetts take real steps to protect its students privacy.

After significant public outcry, educational officials now say they are only evaluating inBloom’s potential, and have not yet committed to going forward with this ill-conceived project. It’s our hope they won’t. But inBloom is not the only cloud-based threat to students’ privacy.  Legislation is needed to protect children regardless of what DESE decides with regard to inBloom. 

For instance, Google—through Google Apps for Education—is pushing cloud-based services such as Gmail and Google Drive on schools throughout the Commonwealth and across the country. Districts such Fall River and Waltham have already signed up for what is now a free service from Google. Currently the default school setting for advertising is “off” but many online services begin commercial-free before moving to an ad-based revenue model. When its time for districts to renew their contracts, Google may demand that schools turns the ads on if they want to continue to have access to the apps for “free.”  The possibility that Google and other providers of cloud-based computing services would profit by tracking students’ email and other online activities to deliver targeted advertising is very real and very troubling.

In short, we must assure that students’ privacy is not trampled in the rush to incorporate cloud-based computing services into classrooms. We hope that this committee and the Commonwealth will take real, proactive steps to ensure that schools do not inadvertently help corporations profit from schoolchildren’s most sensitive and confidential information.


Blog Category: