I came across this interesting article in  Ed Week which discusses a report commissioned by K-12, Inc which was conducted by the New York City-based Interactive Education Systems Design in collaboration with the Center for Research in Educational Policy at the University of Memphis, found that students in full-time online programs had social skills that were equal to or better than their peers in traditional brick-and-mortar public schools.

Since we discuss these topics as well, I thought our readers would be interested in the article and the report.  I am not a believer that 100% virtual schools are the right model in general, but I do believe they have the place and it is good to know that their introduction is not having a negative impact on a child’s ability to socialize with others.  I do think that the blending of virtual or computer based learning within a traditional brick and mortar environment is a better model.  But, if school systems ignore the trend towards virtual learning, they do so at some cost to their own viability.

As always, let us know what you think.

Our first post on this subject focused on how existing federal laws affect a school district’s ability to leverage social networking, and most Web 2.0 features such as blogs, wikis, RSS, etc.  It is fair to summarize the issues exposed by the previous post as potentially overwhelming for most school districts.  This post will focus on the issues of legal risk, primarily risk of lawsuit.

The legal risk to a school district begins first and foremost from a situation where a student is exposed to something negative, whether physical, emotional, or economic, where the exposure causes harm.  A school must then be shown to have been negligent in order for the injured party to receive compensation from the school district for their injuries.  However, the costs to a district of defending themselves in a lawsuit influence decision making.

So, we have three concepts to explore:

1) Potential risk

2) Negligence

3) Cost avoidance

Potential Risk

In the case of potential risk, any risk can be avoided by making a decision to not open up the school district to any potential risk.  With respect to social networking or Web 2.0 features, if a school district blocks access to these technologies while at school, they may feel that they have then avoided the risk inherent in the technologies.  Further, publishing statements in an acceptable use policy (AUP) that the use of such technologies is prohibited while on campus or while using school property (such as a laptop) may be seen to further prevent exposure to the district to risk.

However, there have been many incidents published where not only is this not really effective as a deterrent to lawsuit, but it is not effective as a way to keep the costs down either.  Consider the real world example where two kids ride to school on a city bus and get into a fight.  The students are not in school at the time, nor are they in a school provided vehicle.  But, both students will be called into the school office upon arrival to answer for themselves.  School officials will notify both sets of parents about the incident, and it is likely that both students will face some sort of disciplinary action.  Why?  This is due to the need for the school district to be diligent in its responsibility to protect both students from harm.  If an incident like this occurs and the school chooses not to take any action, either parent could claim that the school district was being negligent since the students might continue the fight at school.

Consider another example from the virtual world.  A student, using their own computer at home, posts an anonymous threat to another student on a made up MySpace account.  The student who was threatened becomes aware of the threat and informs their parent.  The parent informs the school that they believe a student was responsible because their child has “been having problems with several kids at school”.  In this case, school officials must also take action in order to be diligent in their responsibility, even though the threat was on MySpace and not created on a school supplied piece of technology.

The strategy of avoiding risk by blocking student access to technology may not have as complete a result as the school district intended.

Negligence

For a most school district lawsuits, a plaintiff must be able to prove negligence on the part of the school district.  Thus, school districts strive to be diligent (the opposite of negligent) in their approach to matters of student safety.  Frequently, having a written procedure and then following that procedure when incidents occur is enough to show diligence unless there are steps that a reasonable person would have taken to prevent the incident from occurring.  Cases of bullying are a part of all schools, so an incident of bullying is not enough to show negligence.  A borderline situation is whether the school district should be held as negligent if they fail to have a plan to educate their students on the inappropriateness of bullying.   This is a gray area and schools who wish to be conservative should take the approach that educating students (and teachers and parents) on how to avoid and handle situations involving bullying is recommended.

In the case of cyber-bullying using a social network, the parallels to the real-world are somewhat obvious.  In many cases courts have not ruled districts to be negligent if they fail to deploy technology to quickly identify cases of cyber-bullying.  Such technology, which involves monitoring content in an on-line system and comparing the language used to lists of potentially threatening phrases has not been proven to be effective enough as of yet.  It can instead be used to search for phrases when school officials are notified by the threatened party that cyber-bullying is going on.  A district who wishes to deploy social network software should make sure that the software allows a user to notify an administrator when inappropriate content of any type is present in the system.

Of course, all school districts should publish and regularly update their Acceptable Use Policy for technology.  Courts have taken the stand that situations that clearly violate an Acceptable Use Policy are much less likely to show negligence on the part of the district.  However, actively educating members of the school community (students, teachers, and parents) about issues such as cyber-bullying, copyright infringement, etc. does serve to strengthen the position of a district.

The Oklahoma State School Board association sponsors a site called celebrateoklahoma.us based on the ning social network platform.  They published a memo to school districts addressing the safety of their site here.  The memo said many things, but in part it said:

“All of the schools in our state receiving E-Rate funding provide some level of content filtering for students and teachers on their computing networks as required by law. Unfortunately, some leaders are mistakenly operating under the assumption that blocking access to websites which permit users to engage in social networking is a complete strategy for helping students become responsible and ethical decision makers as 21st century digital citizens. Limited content filtering on school networks IS important, but students and teachers MUST be provided with opportunities to practice safe and ethical social networking AT SCHOOL if we are to fulfill our obligations to provide students with a relevant education which prepares them for today as well as the challenges of tomorrow.”

The memo talks about the steps being taken to be responsible in light of digital safety concerns.

Cost avoidance / Risk Transference

The last aspect of this issue of risk that I would like to cover is that of cost avoidance.  Essentially, the argument is that by blocking the use of social networking sites and other web services the district can avoid the cost of dealing with law suits and minimize the costs of dealing with incidents that occur.  Earlier, I used the example of a MySpace post and how parents pulled the school district into the situation.  Any conflict involving students whether occurring online or in real life, will inevitably bring school district personnel into the equation.

With respect to an increase in the potential of lawsuits as a result of deploying social networking or Web 2.0 software, a district must first determine whether their existing liability insurance would cover the costs of defending against such a lawsuit and cover the payment of any damages resulting from it.  In many cases, the risks of bodily injury while attending a sporting event, or, recently, the specter of terrorist activity drive much of the cost of insurance schools have.  While a school’s current policy may not be written to cover issues resulting from something like cyber-bullying, it is likely that the costs of adding such coverage will be relatively small in comparison to other costs.

What is the bottom line?

School districts face many risks as a result of the rise in the public’s use of litigation as a means of conflict resolution.  In addition, schools must comply with many laws that seek to regulate aspects of their operation for the public good.  While this is a very important and complex topic for schools, it is hopefully more important to get to a place where schools are able to “do the right thing” with respect to their first priniciple – provide a high quality education to every child to insure the presence of a well informed electorate capable of directing the future of our democracy.  The debate about whether technology should be available in school should be directed towards whether schools have a responsibility to teach both the use of the technology AND whether that technology can be used to assist with the first principle and not, as is often the case towards whether the deployment of the technology is too risky.

Lately, as Connected.info is being marketed in many locations across America, we have noticed a decrease in the number of questions we are getting regarding what legal risks does a school district take on by deploying a “social networking” platform.  I am not sure as to why we are hearing the question less, but perhaps there is a growing understanding of where some of the boundaries are.

But, it did remind me that I had intended to write a post about the legal aspects of Internet access in a school environment.

The Executive Summary version:

School districts are subject to a wide variety of laws along with what can be considered common sense obligations when it comes to their responsibility to take precautions to ensure the safety of children registered to attend school.  In many cases, the volume of such obligations has led many school districts to decide to no longer allow community events on school property; limit the use of sports fields by outside organizations such as Little League; and, to block access to most Internet sites that are not considered a required part of the curriculum.  This, in turn, has led to parents and students increasingly viewing those schools as being not relevant in today’s world.  A greater understanding on the part of parents about these issues could lead to changes in existing laws and the enactment of other laws which would provide legal protection to schools.

The Law and Legal Liability:

School districts are entrusted with insuring the safety of children registered to attend school.  This creates both a legal obligation and potential risks.  The legal obligations stem from laws which, if broken, can result in fines or other consequences imposed by governmental authorities.  Some risks stem from civil lawsuits brought against a school district over presumed negligence on the part of the district.  Negligence is generally defined as conduct that falls short of what a reasonable person would do to protect another individual from foreseeable risks of harm.  In the United States, then, any injury suffered by a child enrolled in school whether physical, emotional, or economic, could generate a question of whether the school district acted in a negligent way.  School districts become involved in a lot of lawsuits for a variety of reasons and therefore need to be diligent (the opposite of negligent) when it comes to taking reasonable steps to protect children enrolled in school.

Laws passed by federal, state, and local governments must also be given attention by school districts.  However, it can be difficult to determine which laws apply to school districts because of the quasi-governmental role a school district plays.  Many laws are therefore written to be specific about how they do or do not apply to school districts in order to avoid confusion.  However, even laws which apply to school districts often carry consequences which may either not apply to a particular school district or apply in a way which has very little impact.

Examples of Federal Laws:

CIPA – Children’s Internet Protection Act

CIPA is a federal law (see: http://www.fcc.gov/cgb/consumerfacts/cipa.html) that is intended to address concerns over children being exposed to inappropriate content.  The CIPA law only applies to schools who are recipients of monies from the E-rate program (many schools are).  With respect to the CIPA law, inappropriate content is defined as pictures that are a) obscene, (b) child pornography, or (c) harmful to minors.  Schools are required to implement technology to block or filter access to such pictures. Schools are also required to create an Internet safety policy which includes the education of minors about appropriate on-line behavior: including cyber-bullying awareness and response and interacting with other individuals on social networking sites and in chat rooms. They are also required to monitor the online activities of minors, but does not require them to track internet use.

Many people believe that CIPA has led to many decisions by school districts to block access to many parts of the Internet including instant messaging, chat rooms, and social networking sites because of the perception that not doing so may create both a violation of CIPA AND the appearance of negligence on their part if a child is exposed to inappropriate content while using one of these services.  In addition, since many cell phones have Internet access capability, schools feel they must ban cell phone use while at school for fear that this will also open them up to liability.

COPPA – Children’s Online Privacy Protection Act

COPPA is a federal law that is intended to insure that website operators fully disclose their intended use of information they collect about users of their web service who are children under the age of 13.  The website operator must in addition give parents the chance to prevent the disclose of any such information to any party without the parent’s approval; AND, requries the website operator to give parents access to anything collected by the operator abut their child.

Some schools do not understand what, if any, obligations are placed on them by the COPPA law.  A useful starting point is the Federal Trade Commission’s introduction – http://www.ftc.gov/coppa/intro.htm.  A read of the law does open the question about whether a school district that provides a web site which can be accessed by children under the age of 13 is required to meet the requirements of COPPA.  An example would be a homework help site, or a parent portal.  The COPPA FAQ provided by the FTC has two questions that apply:

54. Does the Rule place requirements or restrictions on schools regarding the collection or disclosure of students’ personal information on the Internet?

COPPA allows, but does not require, schools to act as agents for parents in providing consent for the online collection of students’ personal information within the school context. See Statement of Basis and Purpose, ” 64 Fed. Reg. 59888, et seq., available at www.ftc.gov/os/1999/10/64fr59888.pdf, p. 59904. In this regard, schools also must consider their obligations under the Family Educational Rights and Privacy Act (FERPA), which is administered by the U.S. Department of Education. For general information on FERPA, see www.ed.gov/policy/gen/guid/fpco/ferpa.

Many schools have implemented Acceptable Use Policies (AUPs) or other measures to educate parents and students about in-school Internet use. For example, a school may use the AUP to inform parents of what online services are provided to students, and the school’s policies regarding students’ use of the Internet.

55. Does COPPA apply to website operators that contract with schools to provide online services involving the collection, use or disclosure of students’ personal information?

Many school districts contract with third-party website operators to offer online programs solely for the benefit of their students and for the school system, e.g., homework help lines or web-based testing services. COPPA does not apply to the website operator’s collection of personal information from participating children where a school has contracted with an operator to collect personal information from students for the use and benefit of the school, and for no other commercial purpose. Thus, the operator is not required to obtain consent directly from parents, and can presume that the school’s authorization for the collection of students’ personal information is based upon the school having obtained the parents’ consent. The operator should, however, provide the school with full notice of its collection, use, and disclosure practices, so that the school may inform parents of these practices in its Acceptable Use Policy.

Thus, schools would be considered to be acting in a diligent manner by creating an Acceptable Use Policy and obtaining the acceptance of such by their parents.

FERPA – Family Educational Rights and Privacy Act (FERPA)

FERPA is a federal law which protects the privacy of educational records and ensures access by a family to their child(ren)’s educational records.  Specifically, it says that schools must not disclose information on a child’s educational record unless they receive parental approval unless it is of a directory nature.  Directory is defined as essentially contact information and birth date.  While this does place some burden on a school district, the more interesting part of the legislation from our perspective is that school districts must provide access by a family to their child’s educational record.  This includes items which are generally not well organized for ease of access or for viewing by non-district personnel.  An example would be disciplinary records which may contain language which is unflattering to a child.  While the law does not prescribe the nature of the access, it does create an obligation which could easily swamp a district that is not prepared for it.  FERPA carries with it a hefty consequence for non-compliance.  The district may have to forfeit ALL federal aid including Title 1.

FRCP – Federal Rules of Civil Procedure

FRCP is a set of requirements set upon all parties involved in a civil procedure being heard in United States district (federal) courts.  Many lawsuits brought against a school district end up in district court, or in a court which basis its procedures on the FRCP.  The FRCP is a huge set of rules, and we mention it in this blog only because of the coverage FRCP has had in respect to the requirement to make digital information available to a party in a lawsuit.  It used to be the case that the defendant in a lawsuit had quite a bit of time to produce records request in the discovery phase of a lawsuit.  However, recent changes to the law have made it a requirement to comply with discovery requests in a much shorter period of time.  Further the law now requires the retention of digital messages for a much longer period of time.

Laws which protect web site operators (and by inference schools):

Communications Decency Act:

Section 230 of the Communications Decency Act immunizes website from any liability resulting from the publication of information provided by another. This usually arises in the context of defamation, but several courts have expanded it to cover other sorts of claims as well.

Thus, if a user posts defamatory or otherwise illegal content, Section 230 shields a social network provider from any liability arising out of the publication. Websites that, in whole or in part, create or develop contested information, on the other hand, are deemed “content providers” that do not benefit from the protections of Section 230.

Consider the case of a child who engages in so called cyber-bullying.  Under Section 230, the child who was bullied only would have legal recourse against the other child’s family and not the provider, or the school.  This has an impact on civil cases where negligence is claimed.

Digital Millenium Copyright Act

Section 512(c) removes liability for copyright infringement from websites that allow users to post content, as long as the site has a mechanism in place whereby the copyright owner can request the removal of infringing content. Examples of infringing content would be MP3 music files, digital copies of DVD movies, etc.  The site must also not receive a financial benefit directly attributable to the infringing activity.

Again, this protection would extend to a school district in the case of copyrighted content being posted (published) by a student on a social network site.

(TO BE CONTINUED IN ANOTHER POST)

In part three of a series of posts I will continue to examine the elements that go into many (most?) school district acceptable use policies, sometimes also called an AUP. You can view part 1 here and part 2 here.

To review, every school district should have an AUP which covers the terms of use for their computing resources.  This of course also should deal with the Internet access provided from their computing resources.  A proper AUP should spell out not only acceptable student use, but also that of the district’s staff members.  Why?  Because a good AUP can provide the basis for a legal defense in that it shows that the school district is being diligent in its duty to protect users entrusted to its care.

(Note: The legalities are also covered in more detail in this post :http://blog.connected.info/2009/03/21/legal-aspects-of-social-networking-in-a-school-community-part-1/)

Some common elements of an AUP include:

• The Intended Purpose of Internet Access & the AUP
• CIPA compliance issues – no inappropriate content
• District’s right to monitor user activity
• Activities which are not allowed
• Security and Privacy
• Copyright issues
• Application licensing
• Consequences of non-compliance with the AUP

(The wikipedia post on AUPs covers some of the same topics at a more general level here)

Application licensing

Many school districts have adopted a policy which locks down the application content of a school computer and only allows the execution of applications from an approved list. However, in some cases, school districts have yet to deploy such solutions.  This leaves them open to software piracy on the part of their users.  Applications the district has purchased can be copied and moved to other computers, violating most software vendors license agreements.  Also, inappropriately obtained software from the Internet can be installed on school district computers.  This can open the district up to potential lawsuits and/or the expense of paying for software installed by a user, but not purchased by the school district.  In some cases, even software considered “free” or open-source can open the district up to legal issues.

The AUP should detail out what is and is not allowed with respect to application use.  There should be a statement of what the district’s policy is, for example, “The school district treats software license agreements very seriously and intends to comply with the terms and conditions set forth by the individual software vendors.”  Then, the AUP should state that either a) software not on the district’s approved list (location) should never be installed on district computers by any user or b) software not on the district’s approved list may be installed by a user on a district computer, but is subject to removal by district technical staff should the district become aware of any violations of the license agreement for such software.  In the case of b), users should be advised to retain proof of purchase or some other proof of the ability to legally use the software.

Consequences of non-compliance

The AUP should include a very detailed section on what the consequences are of not complying with the AUP.  There will by and large be a increasingly severe level of consequence as well as the always important “repeated offense” consequence.  Any financial burdens assumed by the parents of students should be spelled out clearly and in such a way that a parent signing the form can not miss it.  Having a place in the AUP where the financial burdens are initialed by the parent is a good idea.

Some common consequences include loss of use of district computing resources for a specific period of time, suspension, expulsion, as well reimbursement to the district of any expense associated with the use of the equipment in an inappropriate manner.

Summary

It is surprising to see school districts that have not invested an appropriate amount of time into the creation of a good AUP.  While other districts hire outside legal counsel or pay consultants to create their AUP, other school districts seem to feel that it is not worth the time because they have not experienced an issue to date.  Frequently, this is called security by obscurity.  In other words, because the district is not large or located in a remote part of the country, they may not attract the attention of other districts.  Also, and this is a broad generalization, the frequency of lawsuits brought against a district does tend to scale with the size of the metropolitan area served by the school district.  This really isn’t a good excuse for not having an AUP.  Also, the terminology used in an AUP can be an important learning opportunity for students, teachers, and parents.  Whether or not the school district feels a responsibility for teaching digital citizenship, students need to learn somewhere.

For further information on writing an AUP or the location of examples, see the links below:

Los Angeles Unified AUP

Very Basic AUP template in txt form

Virginia Department of Education site – includes downloadable templates

Awesome Library site – good coverage of AUP topic and includes samples

In part two of a series of posts I will examine the elements that go into many (most?) school district acceptable use policies, sometimes also called an AUP. You can view part 1 here

To review, every school district should have an AUP which covers the terms of use for their computing resources.  This of course also should deal with the Internet access provided from their computing resources.  A proper AUP should spell out not only acceptable student use, but also that of the district’s staff members.  Why?  Because a good AUP can provide the basis for a legal defense in that it shows that the school district is being diligent in its duty to protect users entrusted to its care.

(Note: The legalities are also covered in more detail in this post :http://blog.connected.info/2009/03/21/legal-aspects-of-social-networking-in-a-school-community-part-1/)

Some common elements of an AUP include:

• The Intended Purpose of Internet Access & the AUP
• CIPA compliance issues – no inappropriate content
• District’s right to monitor user activity
• Activities which are not allowed
• Security and Privacy
• Copyright issues
• Application licensing
• Consequences of non-compliance with the AUP

(The wikipedia post on AUPs covers some of the same topics at a more general level here)

Activities which are not allowed

The AUP should spell out in some detail all the possible activities which are not allowed when using the school district’s resources.  It is wise not to assume too much in this section.  For example, the district should not assume that users will understand that using the resources of the district for illegal activities are not allowed.  There are a broad range of illegal activities that should be covered.  One which is not normally thought of is using the district’s resources as part of hacking into other systems.  Since the user at a school district may assume some degree of anonymity while using a school computer, they may view this as an advantage when trying to hack into another system.  This should, of course, apply also to hacking into the district’s administrative systems, particularly the one used to record grades.  The AUP should cover intentionally spreading viruses, creating bots to impact the performance of the systems on the network, and other such uses.

It is worth including some specific examples of other, non-computer based illegal activities in the AUP – drug sales, gang activity, bullying, etc.  The main purpose is that unless these items are listed, it will be more difficult to apply appropriate consequences to the actions taken by a user.

The AUP should cover a broad set of issues relating to “inappropriate language”.  This is the area of an AUP where care must be taken to spell out activities a user can engage in, which on the surface are protected by their right to free speech.  However, the choice to refrain from such actions when the action will result in the loss of a privilege, in this case the use of a school district’s computing resources, does not in itself represent a constraint upon free speech.  The district must not do anything to prevent a user from the free expression of an opinion, even when that expression contains profanity.  However, the use of a school district’s resources to express that opinion is not protected by the US Constitution.  The AUP can also spell out the responsibility a user has to report activities of another user when they violate the AUP.  Ironically, the broader the dissemination of a message across a community of users, the better the chance that someone will report bad behavior.  This is a part of our experience with Connected.info that surprised us. Essentially, we concluded that kids like to rat each other out, especially when they can do it anonymously.  Over time, the bad behavior disappeared.

Another area of illegal activities that should be included in an AUP are things like plagiarism and copyright infringement.  Here, the inclusion in the AUP protects the school district from being seen as supporting these activities and allows the district to be protected in the eyes of courts from being liable.  It is also wise to include in the AUP notice that if copyright violations are brought to the attention of the school district, the district is required to take down or remove the offending content as soon as reasonably possible.

Security and Privacy

The AUP should remind users to protect the privacy of their information by:

• Not posting on any public medium any information which would personally identify themselves or provide information about their location such as address, phone number, birthdate, names of friends or siblings, etc.
• Keep any passwords private and not share them with other users / students.
• Report any suspicious or unauthorized activity in their account such as strange emails or chat requests, etc.

District staff and teachers need to be reminded in the AUP about the need to protect the confidentiality of student records information.  Any electronic communication of student information must include wording in the subject and body of the communication that the contents of the communication contain confidential information that is subject to federal and state law regarding the protection of such information.  The sharing of student information without parental consent is a violation of the FERPA law and can result in severe penalties to a school district including the loss of all federal funding.  Parental consent also applies to whether a student account can be created.

An interesting example of where it is not clear that parental consent is needed is the use by students of the free services provided by Google such as Google Docs.  When a school establishes a relationship with Google for the use of Google Doc in an educational setting, the creation of the required gmail account by a student is subject to the same requirement for parental approval. This is the case even though the service is provided by a commercial vendor other than the school if the school district or even an individual teacher requires the use of the Google tools.  Since Google does not require parental approval to create the gmail account, this is a violation of FERPA law.

A school district is also prohibited from entering into any relationship with a commercial vendor where the vendor intends to capture, analyze, and possibly sell data on student use of an application or website for the purpose of marketing or advertising.  Again, the use of Google doc would be a violation of this rule on the part of a school district.

For districts that intend to have students under the age of 13 use computing resources, special care must be taken to insure that student confidentiality is maintained as the COPPA law applies.  Other posts in our blog have covered a district’s responsibilities under COPPA, but the AUP must spell out what a district requires as well as the consequences for non-compliance on the part of district staff or teachers.

Copyright issues

The AUP should cover the copyright violations under the area of activities which are not allowed, but what about the copyrights and other intellectual property protections for original works created by students, teachers, and district personnel?  Inherent in any content created by a user using school district equipment is the question of intellectual property ownership.  When a student sends a paper in response to an assigned project, it should be pretty clear that the student has a copyright on the submitted work.  Thus, the AUP needs to acknowledge that the student has a copyright and that other users of district resources, for example, the teacher, must respect that copyright.  It would, for example, not be acceptable for a teacher to publish the student’s work on a 3rd party website without the student’s permission OR without including language to the effect that the student owned the copyright.  However, as we mentioned earlier, the teacher would not be able to include the student’s name in the copyright language without parental permission.  When one reflects on the number of times that this occurs on the Internet, it is clear that not many people are informed or doing what they are supposed to.

A second question that must be addressed by the district is that of ownership of content created by district employees and teachers.  Particularly in the case of teachers, this can be a touchy subject.  Many school districts have opted to use the Creative Commons license (http://creativecommons.org/) for content created by a teacher.  Other districts take the stand that since the content was created using school district equipment and resources that the district owns the rights to the content.  As more content is made available in on-line forms, this distinction can be the difference between revenue to the district and revenue to an individual teacher.  Whichever way a district decides to proceed, it is very important to include the position in the AUP so that everyone is informed.

To be continued…