News / National Pupil Database pupil privacy surveillance

Response to school pupils being spied on through webcams and school web monitoring software

Campaigners defenddigitalme call for review of school safeguarding software and Prevent policy, as creeping capability of commercial tools include surveillance of children at home.

The Prevent programme introduced in 2010, was expanded across the education sector in September 2016, under safeguarding-in-schools statutory guidance.

Software packaged as child protection products have increasingly normalised a gross invasion of private and family life. Advancing technology enables ever more one-sided opaque access to information about children, but no matching review of its growing risks or transparency to children and families about how it works.

We have obtained statistics using Freedom of Information requests that suggest 70% of schools in England use web monitoring software and a growing trend to monitor personal devices beyond the school playground, but that under a third of parents believe their school use it.

Parents want to know how these flags and watchwords are being used about their children. However none of the 400 school policies reviewed by defenddigitalme explain this.

A poll of parents commissioned by defenddigitalme in February 2018 through Survation showed that 86% of parents with children in England’s state education system think that both children and parents should be informed of what the consequences are if these keywords are searched for, and 69% believe children should be told what these keywords are. [1]

defenddigitalme is also concerned that the scope of the surveillance capability is creeping incrementally without oversight.

The Surveillance Camera Commissioner has recommended to government that his remit expands to incorporate education where surveillance camera systems under Section 29(6) Protection of Freedoms Act are utilised. But “This has not been accepted [by government] at this stage.”

Web monitoring of children and staff goes on 24/7, 365 days a year including at home in personal space and in private time.

Further Freedom-of-Information requests collected between December 2016 and April 2017 from 190 schools in England and 30 schools in Northern Ireland for the defenddigitalme report The State of Data: Rights and Responsibilities [2] show that 50% of schools that replied, already enable this web monitoring software on BYOD (Bring your own [private mobile] device).

Schools can track a child’s Internet searches on the child’s personal phone remotely, or on a school laptop a pupil has home for the summer holidays.

Software designed for web monitoring by commercial companies as part of safeguarding in schools can now be used to control the child’s webcam and record photos of the child.

The Children’s Commissioner for England believes we are failing in our fundamental responsibility as adults to give children the tools to be agents of their own lives. This surveillance is a gross example of this, despite packaging as in a child’s best interest and in the name of child protection. No one has asked parents and children if they want this recording of their Internet use which is carried out at school, in the home, and outside school hours. The Children’s Commissioner report, Who Knows What About Me, published in November 2018 highlighted that, “public bodies do not always observe robust standards of privacy, transparency, security or redress.

Jen Persson, director of defenddigitalme, said:
“There’s something very wrong when software packaged as child protection, promotes invasion of their privacy and freedoms, normalises spying into their home life, and contributes to a third of referrals into the Prevent programme. There’s no transparency of oversight, openesss on errors, or the children wrongly labelled without redress, without knowing who else sees those labels, or where the data go.

“This is Home Office policy, but despite good intentions you do not keep children safe, by exposing them or their families to new hidden risks. It’s time for the DCMS and Department for Education to step in, to find a proportionate and necessary balance here.

“There are no checks and balances in the buying policy and practice in school edTech systems and providers have no incentive to be honest about technical flaws. Worryingly, we have been approached by teachers who are scared to speak up about mistakes and security issues that affect individual children. They are wrongly labelled at risk of gang membership or at risk of suicide, where increasingly automated systems can keep flagging them for interventions, without the children knowing why, or it was all based on an error.”

Third party companies perform this data processing and behavioural tracking at home, all hours. Who is using the laptop, or device, may not be the child whose named account gets flagged.

The systems can flag indicators a child is ‘at risk’  so they can be easily identified and tracked but how is opaque. “A dynamic group is also provided so all vulnerable students across the school can be seen from a single view,” according to Net Support DNA. However, in an attempt to create access to and lists of people to see and protect, it could create ways to view a vulnerable child, and honeypots of vulnerable students anyone with access to the group single view could misuse for grooming, blackmail or other purposes. We are concerned this is open to misuse. [fig 1]and far from “making the UK the safest place to go online” actually increases risk for children.

Mark Donkersley, Managing Director, e-Safe Systems Limited, told the Communication Committee on the Children and the Internet on 11 October 2016: “Bearing in mind we are doing this throughout the year, the behaviours we detect are not confined to the school bell starting in the morning and ringing in the afternoon, clearly; it is 24/7 and it is every day of the year.  Lots of our incidents are escalated through activity on evenings, weekends and school holidays. Invariably, although the volume decreases, for example, during the six-week school  holiday in the UK, the proportion of incidents which are very serious during that period is much higher.”

Smoothwall suggests on its website, that “this consent can be withdrawn at any time by writing to the school and/or Smoothwall Ltd”. In practice, schools do not offer any option whether or not to use these systems. “How is a User Profile built? The information is stored against a user’s log-on details (but not their password). It is then analysed using a number of methods including pattern matching, algorithmic analysis, profiling and machine learning.” This company recently expanded their product to join offline and online profiles.

Technical issues in Impero Education Pro, reported in 2015 in the Guardian, suggested the software could be exploited to cause remote command execution on every client. Security researchers warned the company twice of serious flaws but the company reportedly  failed to fix them and responded, “with a legal threat to a security researcher that  highlighted a serious security flaw in your software is bizarre and shows utter disregard for customers.”

Evidence from 4,507 of 6,950 schools using the SWGfL tools who carried out e-safety self-reviews, using the 360 Degree Safe tool in analysis carried out by Andy Phippen [3], Plymouth University, shows that school staff are not equipped to deal with or challenge the outcomes from these technology. But defenddigitalme argues, lack of capability and training, does not absolve staff of accountability for the poor data management responsibilities that occur under their control.

In 2010 in the US a legal case against the imposition of similar software, Robbins v. Lower Merion School District and the school reached a financial settlement with the students.

More information

For more information contact info [at] defenddigitalme.org or 07510 889833

[1] The poll of parents was carried out by Survation, on behalf of defenddigitalme, between 17th-20th February 2018. The survey was conducted online with a sample size of 1,004 parents of children aged 5-18 in state education in England. Survation is a member of the British Polling Council and abides by its rules. Full tables can be found here: https://survation.com/wp-content/uploads/2018/03/Defend-Digital-Me-Final-Tables-1.pdf

[2] defenddigitalme’s report, The State of Data 2018: lessons for policy makers with regard to the GDPR can be found here: https://defenddigitalme.org/wp-content/uploads/2018/05/StateOfDataReport_policymakers_ddm_sml.pdf [references page 19-22]

[3] Invisibly Blighted, The Digital Erosion of Childhood, Leaton Gray, S. and Phippen, A. (p56) 2017 UCL ISBN 978-1-78277-050-3

[4] Prevent Programme and Channel Statistics

In 2015/16 according to the Prevent Programme statistical bulletin, a total of 7,631 individuals were subject to a referral due to concerns that they were vulnerable to being drawn into terrorism. The education sector made the most referrals (2,539) accounting for 33%, followed by the police (2,377) accounting for 31% of referrals. [source: Individuals referred to and supported through the Prevent Programme, April 2015 to March 2016 https://www.gov.uk/government/statistics/individuals-referred-to-and-supported-through-the-prevent-programme-april-2015-to-march-2016 ]

In 2015/16, of 7,631 individuals referred, the majority (4,274; 56%) were aged 20 years or under. Individuals 2015/16 from the education sector had the youngest median age (14). Of the 7,631individuals referred in 2015/16: 2,766 (36%) left the process requiring no further action 3,793 (50 %) were signposted to alternative services, 1,072 (14%) were  deemed suitable, through preliminary assessment, to be discussed at a Channel panel.

[5] Background to Web monitoring software: the surveillance of every child’s Internet use, records and monitors by default everything the child does online, and can include home use and outside school hours, where  they are not always restricted to the school network, or logging into the school network is necessary for homework or use at home. Often these software are installed on personal devices, imposed as a requirement to use the phone on the school network, and installed on school Chrome Books for example, taken home to do homework, or for the summer holidays.

There are around 15 different providers to UK schools of these software. They are all different and with a variety of features. Typical functionality includes:
i. Web filters to prevent access to content and page blocking — without personal data transfer
ii. Web monitoring and keyword flagging — which does transfer personal data to third parties, whether in the school, Trust, safeguarding staff, or company support staff:

  • Any use of keywords in the company/(ies) libraries of up to 20,000 words create flags
  • Alerts on individuals are sent to school administrators, authorities or police

iv. Screen recording 24/7 of everything a child sees, creates, or types on the device.

SWGFL, part of RM education for example, offers a product RM SafetyNet. Few answers are forthcoming how it works.

“Includes RM SafetyNet and prevents access to illegal content including the IWF CAIC and Online Terror Content Access attempts are proactively monitored with unique links to Police and expert support in an emergency.”All school traffic is forced through the platform, and run against mandatory lists of content which are listed as blocked, illegal or seen in some way as harmful. School administrators, pupils and parents may not know which sites are ‘flagged’ and blocked and the system cannot be switched off. The content of the lists is secret. School staff and even the help centre staff for the software do not know what words trigger watchlists; flags can be stored on children’s records forever. [source: call with SWGFL staff, summer of 2018]

The undefined “authorities” are notified, if someone tries to browse to one of those websites listed, but the school and teacher who knows the child may not necessarily be contacted. These flags are therefore created and can be acted upon for intervention without context or local knowledge. The lists and keywords come from a combination of three sources:

  • The Internet Watch Foundation (IWF) (illegal content)
  • The Counter Terrorism Internet Referral Unit (CTIRU) (Prevent)
  • Categories designed by the provider (these vary from provider to provider and can contain foreign language modules.) and include libraries of around 20,000 words claimed to each be about the prevention of bullying, self-harm, and child protection.

[6] CCTV hacked from Blackpool schools streamed online in the US  (February 2018) https://www.dailymail.co.uk/news/article-5432769/School-CCTV-systems-hacked-broadcast-online.html