As the eight-year-old startup rolled out Los Angeles Unified School District’s flashy new AI-driven chatbot — an animated sun named “Ed” that AllHere was hired to build for $6 million — a former company executive was sending emails to the district and others that Ed’s workings violated bedrock student data privacy principles. 

Those emails were sent shortly before The 74 first reported last week that AllHere, with $12 million in investor capital, was in serious straits. A June 14 statement on the company’s website revealed a majority of its employees had been furloughed due to its “current financial position.” Company founder and CEO Joanna Smith-Griffin, a spokesperson for the Los Angeles district said, was no longer on the job. 

Smith-Griffin and L.A. Superintendent Alberto Carvalho went on the road together this spring to unveil Ed at a series of high-profile ed tech conferences, with the schools chief dubbing it the nation’s first “personal assistant” for students and leaning hard into LAUSD’s place in the K-12 AI vanguard. He called Ed’s ability to know students “unprecedented in American public education” at the ASU+GSV conference in April. 

Through an algorithm that analyzes troves of student information from multiple sources, the chatbot was designed to offer tailored responses to questions like “what grade does my child have in math?” The tool relies on vast amounts of students’ data, including their academic performance and special education accommodations, to function.

Meanwhile, Chris Whiteley, a former senior director of software engineering at AllHere who was laid off in April, had become a whistleblower. He told district officials, its independent inspector general’s office and state education officials that the tool processed student records in ways that likely ran afoul of L.A. Unified’s own data privacy rules and put sensitive information at risk of getting hacked. None of the agencies ever responded, Whiteley told The 74. 

“When AllHere started doing the work for LAUSD, that’s when, to me, all of the data privacy issues started popping up,” Whiteley said in an interview last week. The problem, he said, came down to a company in over its head and one that “was almost always on fire” in terms of its operations and management. LAUSD’s chatbot was unlike anything it had ever built before and — given the company’s precarious state — could be its last. 

If AllHere was in chaos and its bespoke chatbot beset by porous data practices, Carvalho was portraying the opposite. One day before The 74 broke the news of the company turmoil and Smith-Griffin’s departure, EdWeek Marketbrief spotlighted the schools chief at a Denver conference talking about how adroitly LAUSD managed its ed tech vendor relationships — “We force them to all play in the same sandbox” — while ensuring that “protecting data privacy is a top priority.”

In a statement on Friday, a district spokesperson said the school system “takes these concerns seriously and will continue to take any steps necessary to ensure that appropriate privacy and security protections are in place in the Ed platform.” 

“Pursuant to contract and applicable law, AllHere is not authorized to store student data outside the United States without prior written consent from the District,” the statement continued. “Any student data belonging to the District and residing in the Ed platform will continue to be subject to the same privacy and data security protections, regardless of what happens to AllHere as a company.” 

A district spokesperson, in response to earlier questioning from The 74 last week, said it was informed that Smith-Griffin was no longer with the company and that several businesses “are interested in acquiring AllHere.” Meanwhile Ed, the spokesperson said, “belongs to Los Angeles Unified and is for Los Angeles Unified.”

Officials in the inspector general’s office didn’t respond to requests for comment. The state education department “does not directly oversee the use of AI programs in schools or have the authority to decide which programs a district can utilize,” a spokesperson said in a statement.

It’s a radical turn of events for AllHere and the AI tool it markets as a “learning acceleration platform,” which were all the buzz just a few months ago. In April, Time Magazine named AllHere among the world’s top education technology companies. That same month, Inc. Magazine dubbed Smith-Griffin a global K-12 education leader in artificial intelligence in its Female Founders 250 list. 

Joanna Smith-Griffin, Founder and CEO of AllHere, joins @LAUSDSup on stage as he delivers the keynote at @asugsvsummit on Unlocking the Potential of AI. With Ed, students receive personalized support to help them excel in school. #EdTech #NextGenEd pic.twitter.com/iU9xta3B8M

— allherek12 (@allherek12) April 15, 2024

Ed has been similarly blessed with celebrity treatment. 

“He’s going to talk to you in 100 different languages, he’s going to connect with you, he’s going to fall in love with you,” Carvalho said at ASU+GSV. “Hopefully you’ll love it, and in the process we are transforming a school system of 540,000 students into 540,000 ‘schools of one’ through absolute personalization and individualization.”

Smith-Griffin, who graduated from the Miami school district that Carvalho once led before going onto Harvard, couldn’t be reached for comment. Smith-Griffin’s LinkedIn page was recently deactivated and parts of the company website have gone dark. Attempts to reach AllHere were also unsuccessful.

‘The product worked, right, but it worked by cheating’

Smith-Griffin, a former Boston charter school teacher and family engagement director, founded AllHere in 2016. Since then, the company has primarily provided schools with a text messaging system that facilitates communication between parents and educators. Designed to reduce chronic student absences, the tool relies on attendance data and other information to deliver customized, text-based “nudges.” 

The work that AllHere provided the Los Angeles school district, Whiteley said, was on a whole different level — and the company wasn’t prepared to meet the demand and lacked expertise in data security. In L.A., AllHere operated as a consultant rather than a tech firm that was building its own product, according to its contract with LAUSD obtained by The 74. Ultimately, the district retained rights to the chatbot, according to the agreement, but AllHere was contractually obligated to “comply with the district information security policies.” 

 The contract notes that the chatbot would be “trained to detect any confidential or sensitive information” and to discourage parents and students from sharing with it any personal details. But the chatbot’s decision to share and process students’ individual information, Whiteley said, was outside of families’ control. 

In order to provide individualized prompts on details like student attendance and demographics, the tool connects to several data sources, according to the contract, including Welligent, an online tool used to track students’ special education services. The document notes that Ed also interfaces with the Whole Child Integrated Data stored on Snowflake, a cloud storage company. Launched in 2019, the Whole Child platform serves as a central repository for LAUSD student data designed to streamline data analysis to help educators monitor students’ progress and personalize instruction. 

Whiteley told officials the app included students’ personally identifiable information in all chatbot prompts, even in those where the data weren’t relevant. Prompts containing students’ personal information were also shared with other third-party companies unnecessarily, Whiteley alleges, and were processed on offshore servers. Seven out of eight Ed chatbot requests, he said, are sent to places like Japan, Sweden, the United Kingdom, France, Switzerland, Australia and Canada. 

Taken together, he argued the company’s practices ran afoul of data minimization principles, a standard cybersecurity practice that maintains that apps should collect and process the least amount of personal information necessary to accomplish a specific task. Playing fast and loose with the data, he said, unnecessarily exposed students’ information to potential cyberattacks and data breaches and, in cases where the data were processed overseas, could subject it to foreign governments’ data access and surveillance rules. 

Chatbot source code that Whiteley shared with The 74 outlines how prompts are processed on foreign servers by a Microsoft AI service that integrates with ChatGPT. The LAUSD chatbot is directed to serve as a “friendly, concise customer support agent” that replies “using simple language a third grader could understand.” When querying the simple prompt “Hello,” the chatbot provided the student’s grades, progress toward graduation and other personal information. 

AllHere’s critical flaw, Whiteley said, is that senior executives “didn’t understand how to protect data.” 

“The issue is we’re sending data overseas, we’re sending too much data, and then the data were being logged by third parties,” he said, in violation of the district’s data use agreement. “The product worked, right, but it worked by cheating. It cheated by not doing things right the first time.”

In a 2017 policy bulletin, the district notes that all sensitive information “needs to be handled in a secure way that protects privacy,” and that contractors cannot disclose information to other parties without parental consent. A second policy bulletin, from April, outlines the district’s authorized use guidelines for artificial intelligence, which notes that officials, “Shall not share any confidential, sensitive, privileged or private information when using, prompting or communicating with any tools.” It’s important to refrain from using sensitive information in prompts, the policy notes, because AI tools “take whatever users enter into a prompt and incorporate it into their systems/knowledge base for other users.” 

“Well, that’s what AllHere was doing,” Whiteley said. 

‘Acid is dangerous’

Whiteley’s revelations present LAUSD with its third student data security debacle in the last month. In mid-June, a threat actor known as “Sp1d3r” began to sell for $150,000 a trove of data it claimed to have stolen from the Los Angeles district on Breach Forums, a dark web marketplace. LAUSD told Bloomberg that the compromised data had been stored by one of its third-party vendors on the cloud storage company Snowflake, the repository for the district’s Whole Child Integrated Data. The Snowflake data breach may be one of the largest in history. The threat actor claims that the L.A. schools data in its possession include student medical records, disability information, disciplinary details and parent login credentials. 

The chatbot interacted with data stored by Snowflake, according to the district’s contract with AllHere, though any connection between AllHere and the Snowflake data breach is unknown. 

In its statement Friday, the district spokesperson said an ongoing investigation has “revealed no connection between AllHere or the Ed platform and the Snowflake incident.” The spokesperson said there was no “direct integration” between Whole Child and AllHere and that Whole Child data was processed internally before being directed to AllHere.

The contract between AllHere and the district, however, notes that the tool should “seamlessly integrate” with the Whole Child Integrated Data “to receive updated student data regarding attendance, student grades, student testing data, parent contact information and demographics.”

Earlier in the month, a second threat actor known as Satanic Cloud claimed it had access to tens of thousands of L.A. students’ sensitive information and had posted it for sale on Breach Forums for $1,000. In 2022, the district was victim to a massive ransomware attack that exposed reams of sensitive data, including thousands of students’ psychological evaluations, to the dark web. 

With AllHere’s fate uncertain, Whiteley blasted the company’s leadership and protocols.

“Personally identifiable information should be considered acid in a company and you should only touch it if you have to because acid is dangerous,” he told The 74. “The errors that were made were so egregious around PII, you should not be in education if you don’t think PII is acid.” 

L.A. parents and students, we want to hear from you. Tell us about your experience using AllHere’s Ed:

Police officers are employed to keep their communities safe. Since the 1960s, “Officer Friendly” has assured children that the police are there to help. 

But a damning new investigation in The Washington Post reveals how cops routinely subject children to sexual abuse, with little accountability. Between 2005 and 2022, reporters identified 1,800 officers across the country who were charged with child sexual abuse. 

The officers routinely spent months grooming kids, documents revealed, and many used the threat of arrest to force compliance. 

Among perpetrators were school resource officers, who “have unparalleled access to children, often with very little supervision.” 

Read The Washington Post story here.

Go deeper: I previously reported on a dataset of misconduct incidents involving school-based cops, including 285 cases where students were injured or killed. 

In the news

This again? The Los Angeles Unified School District has confirmed that student records were stolen and are for sale on the dark web following a cyberattack on SnowFlake, a cloud service the district and other companies have relied on to store their data. The data breach appears separate from a similar incident at LAUSD that I reported on earlier this month. | Bleeping Computer

More from America’s second-largest district: LAUSD will ban students from using cell phones during the school day beginning next year. It remains unclear how the district plans to enforce the rules, but apparently some schools have begun to require students to keep their phones in “magnetically locked pouches.” | LAist

Read more from The 74: The bans have been a boon for a company that makes locked phone pouches. 

57 shootings a day: In schools nationwide, children are traumatized “not from bullets fired within, but from violence happening outside.” This must-read investigation by The Trace maps out the 188,080 shootings that unfolded within 500 yards of a school over the last decade. | The Trace

The Supreme Court will review a Biden administration effort to block state laws that ban transgender youth from accessing gender-affirming health care, including puberty blockers and hormone therapy. | The Associated Press

Meanwhile, the justices will not take up a case challenging a New Orleans school resource officer’s decision to tase a high school student with an intellectual disability during a violent outburst. A lower court rejected the student’s claim of excessive force. | Education Week 

‘Does he speak good English?’ My colleague Jo Napolitano is out with a groundbreaking investigation into the frequency with which schools nationwide reject enrollment to older immigrant students. | The 74 

Violent incidents are significantly less common in schools with anonymous tip lines than those without them, new federally funded research found. | National Institute of Justice

Editorial Board: “Without a visible presence like guards or weapons detectors, school security does indeed feel performative.” | The Seattle Times

Design firms ponder what a surgeon general’s warning on social media could look like. | Fast Company

Ohio lawmakers have approved legislation that would protect students from discrimination on the basis of their hairstyle. | Dayton Daily News

ICYMI @The74

• ‘Astonishing’ Absenteeism, Trauma Rates Root of Academic Crisis
  
• ACLU Urges Six WV Schools to Review Student Policies Violating First Amendment
  
• More Weapons Showing Up in Washington’s Schools

Emotional support

This is your morning reminder to do a lil stretch.

For more school safety news, subscribe to Mark’s School (in)Security newsletter below.

Last week, I set out to write a quick news hit on the FCC’s new cybersecurity grants for schools and libraries — a pilot program that will pump $200 million toward next-gen firewalls and other tools.

But that’s when things got weird. 

I came upon a new listing on a notorious dark web forum — the Amazon for stolen data, if you will — that offered millions of files purportedly stolen from the Los Angeles Unified School District for a thousand bucks.

LAUSD officials said they’re investigating the anonymous threat actor’s claims and a threat intelligence executive told me the district must carry out a full incident response to verify if the files are real.

Or new. 

It isn’t déjà vu: America’s second-largest school district fell victim to a massive ransomware attack in 2022. Thousands of students’ mental health records and other sensitive files found their way to the dark web. It’s possible that the LAUSD data got a facelift of its own, with the same data repackaged to make a quick buck. 

Read more about the latest LAUSD incident — and about the FCC’s new effort to thwart similar attacks nationally — here. 

In the news

Today in Florida, workers are set to demolish the Marjory Stoneman Douglas High School building where a gunman killed 17 people in a 2018 rampage. | The Associated Press

Relatives of 17 children killed during the 2022 school shooting in Uvalde, Texas, have sued state law enforcement officers who waited 77 minutes before confronting the gunman at Robb Elementary School. | The Texas Tribune

Special report: Through an unprecedented trove of dispatch call data for 852 California school addresses, reporters offer a rare look at “the vast presence of police in schools.” A third of calls “were about serious incidents that reasonably required a police presence.” | EdSource

New York lawmakers approved landmark rules that ban social media companies from using “addictive” algorithms to customize children’s feeds. Here’s a strong rundown on how the rules work. | Democrat & Chronicle

SWATted down: A Washington man has been sentenced to three years in prison for calling in hoax police reports in more than 20 states, including inciting false school shooting panic, leading to frantic lockdowns and massive police responses. | The News Tribune

First they came for the books. Next they came for the books about book bans. | The Washington Post

A new program in Illinois to help low-income families pay for the funeral costs of children killed by guns was designed to ease grief and financial burdens. After a year, just two families have been compensated. | The Trace

Prioritizing ‘profit over the wellbeing and safety of children’: Residential treatment companies that provide behavioral health services have put children at risk of sexual abuse and dangerous physical restraints, a new Senate committee report argues. | NBC News

First comes marriage, then comes homeroom: Missouri lawmakers failed to pass legislation that sought to prevent anyone under 18 years old from getting married, keeping in place the state’s minimum age of 16. | The Kansas City Star

A Tennessee school district where officials failed to prevent rampant racist bullying against a Black student will overhaul its anti-harassment procedures after reaching a settlement agreement with the Justice Department. Federal investigators found the student’s classmates passed around a drawing of a Ku Klux Klansmen, added him to a bigoted group chat and sold him to white peers in a mock “slave auction.” | The Washington Post

New York City school bathrooms could soon have “vape sensors” following a court settlement with tobacco company Juul that’ll direct $27 million to the city’s schools to combat youth vaping. | Chalkbeat

Research & advocacy

‘New Jim Code’: Federal officials have failed to deter the civil rights harms that artificial intelligence in schools poses to students of color, a new report argues. | The Center for Law and Social Policy

DACA recipients are more likely than migrants without deportation safeguards to ask the police for help, suggesting the program increases engagement with police and reduces fear among crime victims. | Journal of Urban Economics

DACA recipients are more likely than migrants without deportation safeguards to ask the police for help, suggesting the program increases engagement with police and reduces fear among crime victims. | Journal of Urban Economics

ICYMI @The74

• Report: Higher Rates of Depression, Anxiety for LGBTQ Teens Forcibly Outed
  
• LA Schools Chief Carvalho Warns Student Homelessness Across City Worse Than Data Shows
  
• Psychologist Peter Gray Sounds the Alarm About Excessive Adult Oversight & What It’s Doing to Kids’ Mental Health

Emotional support

I promised you a new pup. I bring you a new pup. 

Sinead, editor Kathy Moore’s new emotional support companion, surveys her domain. 

For more school safety news, subscribe to Mark’s School (in)Security newsletter below.

A Los Angeles Unified School District spokesperson confirmed they’re investigating a listing on a notorious dark web marketplace, posted Thursday by a user named “The Satanic Cloud,” which seeks $1,000 in exchange for what they claim is a trove of more than 24 million records. The development comes nearly two years after the district fell victim to a ransomware attack that led to a widespread leak of sensitive student records, some dating back years. 

Simultaneously, federal officials were citing that earlier ransomware attack in L.A. and subsequent breaches, with FCC Chairwoman Jessica Rosenworcel noting that they’ve become a growing scourge for districts of all sizes.

“School districts as large as Los Angeles Unified in California and as small as St. Landry Parish in Louisiana were the target of cyberattacks,” Rosenworcel said, adding that these events lead to real-world learning disruptions and sometimes millions in district recovery costs. “This situation is complex, but the vulnerabilities in the networks that we use in our nation’s schools and libraries are real and growing.”

“So today, we’re going to do something about it,” she said.

The five-person FCC voted 3-2 to approve the pilot, which will provide firewalls and other cybersecurity services to eligible school districts and libraries over a three-year period. While the pilot aims to study how federal funds can be deployed to bolster the defenses of these vulnerable targets, some have criticized the initiative for being too little, too late. When Rosenworcel first outlined the proposal in July, education stakeholders demanded a more urgent and substantive federal response.

Districts selected to participate in the newly approved pilot will receive a minimum of $15,000 for approved services and the commission aims to “provide funding to as many schools and school districts as possible,” it notes in a fact sheet. While the funding “will not, by itself, be sufficient to fund all of the school’s cybersecurity needs,” the fact sheet notes, the commission seeks to ensure that “each participating school will receive funding to prioritize implementation of solutions within one major technological category.”

The Satanic Cloud, which posted the most recent batch of LAUSD data, told The 74 it’s entirely separate from what was stolen in the September 2022 ransomware attack on the nation’s second-largest school district. An executive at a leading threat intelligence company said his team suspects the data did originate from the earlier event.

The Los Angeles district is aware of the threat actor’s claims, a spokesperson told The 74 in an email Thursday, and “is investigating the claim and engaging with law enforcement to investigate and respond to the incident.”

‘It’s definitely sensitive data’

In an investigation last year, The 74 found that thousands of L.A. students’ psychological evaluations had been leaked online after cybercriminals levied a ransomware attack on the system. The district had categorically denied that the mental health records had been compromised, but within hours of the story, acknowledged that they had. 

Just last month, a joint investigation by The 74 and The Acadiana Advocate revealed that officials at the 12,000-student St. Landry Parish School Board, located some 63 miles west of Baton Rouge, waited five months after a ransomware attack to inform data breach victims that their sensitive information had been compromised. The notice came after an earlier investigation by the news outlets uncovered that personally identifiable student, employee and business records had been exposed, despite the district’s assertion otherwise, and that St. Landry had likely violated the state’s breath notification law. Within hours of the first story publishing, the Louisiana Attorney General’s Office issued a notification warning to the district. 

The latest Los Angeles files were listed Thursday on the dark web marketplace BreachForums, an online outpost that was taken offline briefly last month after it came under the control of federal law enforcement officials. The Federal Bureau of Investigation first targeted BreachForums in March 2023 when it arrested the site’s owner, 20-year-old Conor Brian Fitzpatrick, at his home in Peekskill, New York. At the time, BreachForums was among the largest hacker forums and claimed more than 340,000 users. 

A sample file included in the L. A. listing is a spreadsheet with the names, student identification numbers and other demographic information of more than 1,000 students and their parents. Data disclose students who receive special education services, their addresses and their home telephone numbers. A list of file names suggest the records include similar information about teachers. 

Reached for comment through the encrypted messaging app Telegram, the BreachForums user who listed the Los Angeles data told The 74 “there is no connections” to the previous ransomware attack. The breach, the threat actor said, originated via the Amazon Relational Database Service, which allows businesses to create cloud-based databases. The service has been the subject of previous hacks that led to the public disclosure of troves of sensitive information. 

Kaustubh Medhe, the vice president of research and threat intelligence at the threat intelligence company Cyble, said the latest threat actor has a history of engaging in discussions about cryptocurrency scams on Telegram but this is the first time they’ve sought to sell stolen data. Cyble’s research team, he told The 74, sees “a high likelihood” that the data was sourced from files exposed in the earlier ransomware attack. 

“Historically, we have seen this kind of activity where old data leaks are recirculated on dark web forums by different actors,” Medhe said. Either way, Medhe said it’s incumbent on district officials to take urgent action. The files, he said, could be useful for “some kind of profiling or some kind of targeted phishing activity.

“It’s definitely sensitive data, for sure,” he said, adding that district officials should analyze the sample data set available online and confirm if the records align with their internal databases and, perhaps, those stolen in 2022. “They would need to do a thorough incident response and investigation to rule out the possibility of a new breach.” 

‘An important step forward’

During Thursday’s FCC meeting, Commissioner Anna Gomez said the pilot program was an issue of educational equity. She cited a federal Cybersecurity and Infrastructure Security Agency report, which noted that as ransomware attacks and data breaches at K-12 districts have surged in the last decade, districts with limited cybersecurity capabilities and vast resource constraints have been left most vulnerable. Connectivity, she said, is “essential for education in the 21st century.”

“Technology and high-speed internet access opens doors and unbounded opportunity for those who have it,” Gomez said. “Unfortunately, our increasingly digital world also creates opportunities for malicious actors.” 

Faced with a growing number of cyberattacks, educators have for years called on the FCC to provide cybersecurity resources with money from the federal E-rate program, which offers funding to most public schools and libraries nationwide to make broadband services more affordable. It’s a move that more than 1,100 school districts endorsed in a joint 2022 letter — but one the commission declined to adopt. In a press release, the commission said the pilot was kept separate “to ensure gains in enhanced cybersecurity do not undermine E-rate’s success in connecting schools and libraries and promoting digital equity.” The pilot will be allocated through the Universal Service Fund, which was created to subsidize telephone services for low-income households. 

In a letter to the commission last month, the American Library Association, Common Sense Media, the Consortium for School Networking and other groups said the selection process for eligible schools and libraries was unclear and could confuse applicants. On Thursday, the library association nonetheless expressed its support. 

“The FCC’s decision today to create a cybersecurity pilot is an important step forward for our nation’s libraries and library workers, too many of whom face escalating costs to secure their institution’s systems and data,” President Emily Drabinski said in a statement. “We remain steadfast in our call for a long-term funding mechanism that will ensure libraries can continue to offer the access and information their communities rely on.”

Among the pilot program’s critics is school cybersecurity expert Doug Levin, who told The 74 that many school districts lack sufficient cybersecurity expertise and, as a result, the advanced tools that the pilot seeks to provide may not be “a good fit for school systems with scarce capacity.”

“There’s no argument that schools need support,” said Levin, the co-founder and national director of the K12 Security Information eXchange. But the FCC’s “techno-solutions point of view to the problem,” he said, is far too small to make a meaningful impact and could instead prompt a vendor marketing surge that “may end up convincing some [schools] to buy solutions that, frankly, they don’t need.” 

Individuals whose sensitive information was made public after a July 2023 cyberattack on the St. Landry Parish School Board were not notified for five months — long after state law mandates and only after a newspaper investigation prompted the Louisiana Attorney General’s Office to contact the district and warn school officials of their obligations. 

The long-delayed notification was revealed in emails and other records obtained by The Acadiana Advocate this month in response to a Jan. 9 public records request. 

They showed that within hours of the reporters revealing that a data breach exposed sensitive information about thousands of teachers and students, a lawyer with the state attorney general’s office was on the phone to the school district. The attorney, focused on consumer protection, questioned them “directly in response to the article,” one email states.

The Dec. 4 investigation, co-published by The Advocate and The 74, contradicted school district assertions that no sensitive student, employee or business owners’ information had been exposed online after the July attack. It found the St. Landry Parish School Board likely violated a state data breach notification law when it failed to notify victims or the state attorney general for months. 

L. Christopher Styron, the lawyer with the state attorney general’s office, reacted swiftly, calling the district to inquire about the incident. He followed up with an email outlining St. Landry’s data breach response obligations under state law — rules that school officials had failed to follow. 

Under Louisiana’s breach notification law, schools and other entities are required to notify affected individuals “without unreasonable delay,” and no later than 60 days after a breach is discovered. Entities that fail to alert the state attorney general’s office within 10 days of notifying affected individuals can face fines up to $5,000 for each day past the 60-day mark.

The late-in-the-year series of events prompted St. Landry officials, who long held that no sensitive data was stolen or published online, to take action. Officials told state lawyers it alerted victims that their information had been compromised. It’s unclear how many victims among thousands of students, district employees and local and out-of-state businesses, received the letter. Medusa, a nefarious cybercrime syndicate that has carried out numerous devastating attacks on school districts in the last year, took credit for the St. Landry breach. 

The school board’s attorney Courtney Joiner wrote in a response email to Styron a day later that he was “working with the School Board to address the notice issue without further delay.” 

In a letter dated Dec. 21, schools Superintendent Milton Batiste III acknowledged to an unverified number of victims that “sensitive information may have been obtained by an unknown malicious third-party,” according to the records. Officials didn’t send a formal notice to the attorney general’s office until Jan. 10, a day after The Advocate filed its public records request.

Donna Sarver, who worked as a math teacher in St. Landry for three years before leaving in 2020, is among those whose personal information was compromised. In an interview last week, she blasted the district for sending her a letter in the mail “well after the fact” that she had been victimized. 

“I really thought it was too little, too late,” she said. “This should have happened much earlier.”

Sarver and other data breach victims, including parents, students and business owners whose tax records are held by St. Landry schools, were unaware until the late December notification that district leaders had failed to secure their sensitive information and left them unknowingly exposed to identity theft for months.

It took the district 149 days after the breach to tell victims they “may have been impacted by the incident” and another 19 to formally notify the attorney general. 

Officials with the school board declined to answer any questions for this story. A list of written questions were submitted but officials had yet to respond by the time of publication. The attorney general’s office didn’t respond to interview requests. 

St. Landry’s response resembles that of school districts across the country, investigative reporting by The 74 has revealed. Cybergangs have ramped up their attacks on school districts and now routinely threaten to leak sensitive files in a bid to coerce seven-figure ransom payments. As federal officials warn of the burgeoning threat’s impact on students and teachers, education leaders nationwide have sought to downplay the attacks’ severity and obscure any subsequent harm to individuals.

James Lee, the chief operating officer of California-based Identity Theft Resource Center said the delay by St. Landry officials is “reflective of a problem we have” nationally where cyberattack victims have grown increasingly resistant to filing breach notices. 

“In many instances, it’s because the decision to issue a notice resides 100% with the organization that loses control of the information,” Lee said. “Highlighting circumstances like this will help us address these gaps so we can get better notifications to consumers when their information has been compromised and they’re at risk.” 

‘For reasons that are unknown’

In August 2023, the 12,000-student district some 63 miles west of Baton Rouge acknowledged its computer network had come under attack but told the public the breached servers didn’t contain any sensitive employee or student information.

But The 74’s data analysis of some 211,000 leaked records revealed they contained the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records including home addresses and special education status. 

Similarly, the district appeared to offer inaccurate, misleading and contradictory claims in its delayed response to the attorney general, its letter to data breach victims and statements to the press.

In its letter to the AG’s office, the district stated that the stolen files had been “recovered.” However, a check by The 74 last week revealed they remain readily available for download on Telegram, the encrypted social media platform Medusa uses to make public the records of victims who don’t pay to keep them private. 

Superintendent Batiste wrote in that Jan. 10 notice that the district’s computer network had been encrypted by “a malicious person or group” in July but that St. Landry had never received a ransom demand. 

Yet, among the cache of district documents available on Telegram is a text file titled “LOOK!!!!,” which includes a link to Medusa’s dark-web outpost, complete with a $1 million ransom demand and a countdown clock warning education leaders their time to respond is running out. The note also contained links to Medusa’s Telegram channel and to a website designed to resemble a technology news blog — a front of sorts — with a video highlighting the St. Landry records in its possession. 

It was in August 2023, that the Louisiana State Police Cyber Crime Unit notified school officials that “an unknown number of files containing sensitive information” had been compromised, the letter states. That same month, Batiste had assured the public otherwise. 

Files posted to a Medusa leak site “were recovered by the Cyber Crime Unit” with the state police, Batiste’s letter continues, “but, for reasons that are unknown, the files recovered from the dedicated leak site by the Cyber Crime Unit were not provided to us until December 6” — two days after the newspaper investigation published. 

‘How do you recover it?’

The cybercriminals behind the St. Landry breach employed “double extortion,” a growing ransomware strategy where hackers break into a victim’s computer network through phishing emails, download compromising records and lock them with an encryption key. Criminals demand a ransom payment from victims to unlock the encrypted files and leak them online if they refuse to pay. The stolen information is routinely flaunted on the dark web and other shady corners of the internet. 

In asserting to reporters last year that the Medusa hack didn’t lead to a breach of sensitive information — despite overwhelming evidence that it had — district officials acknowledged they hadn’t taken any steps to understand the scope of what was stolen or to notify individual victims. 

Byron Wimberly, the district’s computer center supervisor, insisted at the time that sensitive records had not been stored on the hacked servers. The files that were uploaded by the ransomware gang, he suggested, must have originated somewhere other than St. Landry schools — even though thousands of them contain district letterhead and more than a dozen victims verified the validity of their stolen information. 

Tricia Fontenot, the district’s supervisor of instructional technology, told reporters late last year that law enforcement investigators had never filled them in on the stolen data or if any sensitive information had been leaked at all. 

“We never received reports of the actual information that was obtained,” Fontenot said. “All of that is under investigation. We have not received anything in regard to that investigation.”

Fontenot’s statement contradicts Batiste’s timeline to the AG saying state police informed them in August that files containing sensitive information had been accessed. A state police spokesperson said in an email last week the agency finished its investigation on Aug. 20. 

Reached by phone last week, Fontenot declined to comment.

The Dec. 21 letter that school officials sent to data breach victims states that the district was hacked by “an unknown malicious” threat actor but isn’t explicit to recipients about whether their information was included.

It remains unclear how many of the thousands of data breach victims identified in the news outlets’ investigation — including teachers, staff, students and sales tax filers from across the country — received the Dec. 21 notice. 

The data breach letter states that victims were being notified months after the incident because “the process of obtaining and then reviewing the acquired files took several months.”

“We are now in the process of notifying individuals whose personal information we believe to have been included in the acquired files, including you,” the letter states, acknowledging that stolen information contains individuals’ names, addresses, birth dates, Social Security numbers and driver’s licenses. 

Louisiana’s data breach notification law doesn’t apply to some types of sensitive files exposed in the breach, such as student disciplinary records. 

School districts nationwide, along with other government agencies and for-profit companies, routinely hire cybersecurity experts and attorneys to investigate the scope of data leaks and to notify breach victims in compliance with state laws, partly because of the complexities involved. A federal breach notification law doesn’t exist and state requirements vary. 

School officials told reporters last year they expected law enforcement to investigate the attack’s impact on individual data breach victims. Lee of the nonprofit Identity Theft Resource Center said such a practice would be highly unusual. 

“In fact, I don’t think I’ve ever heard of that kind of arrangement,” he said. “Most organizations do hire their own cybersecurity experts whether it’s a school district or it’s a nonprofit or a commercial entity.” 

Sarver, the former St. Landry math teacher, said school leaders left data breach victims to fend for themselves by waiting months to tell them their personal information had come up for grabs on a website maintained by criminals.

While the district offered a year of credit monitoring — a common practice after entities suffer data breaches — Sarver said she decided not to enroll. The service would last just 12 months; her records could be available forever. 

“How do you recover it once it’s out there?” she said. “Do you tell the people who got it illegally that you have to take it down and hope they do?”

This story was supported by a grant from the Fund for Investigative Journalism

Taken together, the trio would create sweeping restrictions on children’s access to social media, impose new requirements on social media companies to ensure their products aren’t harmful to youth mental health and bolster educators’ digital surveillance obligations to ensure kids aren’t swiping through their favorite feeds in class. 

The three separate digital safety bills have bipartisan support and lawmakers could greenlight them as part of the FAA reauthorization legislation, which faces a Friday deadline. If passed, the legislative package could potentially end years of debate on these thorny questions and would mark the most consequential effort to regulate tech companies and children’s online safety in decades.

“Parents know there’s no good reason for a child to be doom-scrolling or binge-watching reels that glorify unhealthy lifestyles,” Sen. Ted Cruz, a Texas Republican who is co-sponsoring The Kids Off Social Media Act, said in a press release. “Young students should have their eyes on the board, not their phones.” 

The move comes as lawmakers across the political spectrum sound an alarm over concerns that teens’ addiction to their social media feeds — complete with algorithms designed to keep them hooked and coming back for more — have exacerbated mental health issues in young people. It follows congressional testimony by two Meta whistleblowers who accused the social media behemoth of knowing that apps like Instagram inflamed body image issues and other negative triggers among youth but failed to act to mitigate the harm while upholding a “see no evil, hear no evil” culture.

The controversial and heavily debated bills saw new life in January after social media executives were grilled during a contentious congressional hearing and Meta CEO Mark Zuckerberg apologized to parents who said their children were damaged, and in some cases died, after the company’s algorithms fed them a barrage of pernicious content. 

But critics contend the provisions amount to heavy-handed and unconstitutional censorship that fails to confront the root cause of young people’s anguish — and in some cases could hurt them by limiting their access to educational materials, blocking information designed to help them deal with mental health issues or by subjecting them to greater online surveillance.

The three amendments are:

• The Kids Online Safety Act would require tech companies to “exercise reasonable care” to ensure their services don’t surface in children’s feeds material deemed harmful, including posts that promote suicide, eating disorders and sexual exploitation.
  
  First introduced in 2022, the legislation would also require tools that would give parents greater ability to monitor their children’s’ online activities and mandate tech companies enable their most restrictive privacy settings for their youngest users by default. 

• The Children and Teens’ Online Privacy Protection Act, also known as COPPA 2.0, amends a 1998 law that requires tech companies receive parental consent before collecting data about children under 13 years old. COPPA 2.0 would extend existing requirements to children under 16, ban targeted advertising for children and require tech companies to delete data collected about children upon parental request. 

• The Kids Off Social Media Act, introduced last week by Cruz and Hawaii Democratic Sen. Brian Schatz, would prohibit children under 13 years old from creating social media accounts and restrict tech companies from using algorithms to serve content to children under 17. It would also require schools that receive federal internet connectivity funding to block students’ access to social media sites on campus networks. 

The bill’s provisions have faced widespread pushback from digital rights and privacy advocates, including the nonprofit Electronic Frontier Foundation, which called it an unconstitutional infringement that “replaces parents’ choices about what their children can do online with a government-mandated prohibition.” 

On Tuesday, TikTok and its Chinese parent company sued to stop a new law that bans the popular social media app in the U.S. unless it sells the platform to an approved buyer, accusing the government of stifling free speech and unfairly singling it out based on unfounded accusations it poses a national security threat.

In March, Georgia joined a growing list of states — including Louisiana, Arkansas, Texas and Utah — to impose new parental consent requirements for children to create social media accounts. The Georgia law also bans social media use on school devices and creates age verification requirements for porn websites.

Aliya Bhatia, a policy analyst at the nonprofit Center for Democracy and Technology, said that each bill now included in the FAA reauthorization act has been the subject of debate and opposition. Including them in unrelated, must-pass legislation with a short deadline, she said, “undermines the active conversations that are happening” about the bills, which she said are “just not ready for prime time.”

The Kids Online Safety Act, which has the bipartisan backing of more than two-thirds of senators, is endorsed by a host of child welfare and digital safety advocates, including the American Psychological Association, Common Sense Media and the American Academy of Pediatrics, who argue the rules could protect youth from the corrosive effects of social media. 

At the same time, the legislation, which has differing House and Senate versions, has also received scrutiny from civil rights groups and those representing LGBTQ+ students. The groups argue the bill amounts to government censorship with a likely disparate impact on LGBTQ+ youth and students of color. The Heritage Foundation, a conservative think tank, has endorsed the legislation as a way to restrict youth access to LGBTQ+ content, stating on X that “keeping trans content away from children is protecting kids.” 

Privacy advocates have warned the legislation could result in age-verification requirements across the internet that could require online users of all ages to provide identifying information to web platforms. 

Meanwhile, social media’s effects on youth mental well-being remain the subject of research and debate. In a first-ever health advisory last year, the American Psychological Association noted that while social media use “is not inherently beneficial or harmful to young people,” the platforms should not surface to their young users content that encourages them to engage in risky behaviors or is discriminatory. 

In a separate health advisory last year, Surgeon General Vivek Murthy noted that social media use is nearly universal among young people, with more than a third of teens saying they use the apps “almost constantly.” While its impact on youth mental health isn’t fully understood, Murphy said, emerging research suggests that its use can be harmful — perpetuating a national youth mental health crisis “that we must urgently address.” 

The Kids off Social Media Act, which would prohibit youth access to sites like Instagram, is rooted in a 20-year-old law that requires schools and libraries to monitor and filter youth internet use as a condition of receiving federal E-Rate internet connectivity funding. In response, schools nationwide have adopted digital surveillance tools that use algorithms to sift through billions of student communications to identify problematic online behaviors.

Meanwhile, a recent investigation by The Markup found that web filters regularly used in schools do more than keep kids from goofing off in class. They also routinely limit students’ access to homework materials, educationally appropriate information about sexual and reproductive health and resources designed to prevent youth suicides. 

For years, privacy advocates have called on the Federal Communications Commission to clarify how the rules apply to the modern internet and have argued that schools’ tech-driven monitoring efforts go far beyond their original intent. 

When the law went into effect in 2001, monitoring “quite literally meant looking over a kid’s shoulder as they used the computer,” said Kristin Woelfel, a policy counsel of the Center for Democracy and Technology, but in 2024 student monitoring has become “a very specific term that now means really pervasive and technical surveillance.” 

In a survey of students, parents and teachers last year, the nonprofit found a majority supported digital activity monitoring in schools yet nearly three-quarters of youth said that filtering and blocking technology made it more difficult to complete some homework, a challenge reported more often among LGBTQ+ students, and that the tools routinely led to disciplinary actions and police involvement. 

“They don’t work as people think they do,” she said. “That, coupled with data that shows it’s actually detrimental to students, indicates even more that this is not the right path forward.” 

In a letter to lawmakers last week, a coalition of education nonprofits including the American Library Association and the Consortium for School Networking expressed concern about attaching social media limitations to E-Rate funding, which schools rely on to facilitate learning. 

“Schools and libraries will face delays or denials of E-rate funding due to allegations of non-compliance,” the groups wrote, arguing that it would give federal authorities control over social media policies that should be left to local officials. “The bill’s provisions seem to suggest that technology-driven learning models are always harmful, even when carefully crafted to promote educational purposes. In fact, there are several social media uses that can be beneficial for education and learning.”

In a press release announcing the legislation, Schatz offered the opposite perspective.

“There is no good reason for a nine-year-old to be on Instagram or TikTok,” he said. “There just isn’t. The growing evidence is clear: social media is making kids more depressed, more anxious, and more suicidal.”

In justifying the legislation, Schatz cites reporting by the psychologist and author Jonathan Haidt, who argues in his new book The Anxious Generation that young people — and girls, in particular — face a “tidal wave” of anguish that can be traced back to the rise of smartphones. 

Haidt’s characterization of tech’s role in youth well-being has been heavily critiqued, including by developmental psychologist Candice Odgers, who argued in the scientific journal Nature that claims “that digital technologies are rewiring our children’s brains and causing an epidemic of mental illness is not supported by science.” 

Among the evidence is a 2023 report which examined Facebook’s impact on the well-being of nearly 1 million people ages 13 to 34 and 35 and over as it was being adopted in 72 countries and found “no evidence suggesting that the global penetration of social media is associated with widespread psychological harm.”

Updated, correction appended April 18

In the middle of night, students at Utah’s Kings Peak High School are wide awake — taking mandatory exams. 

At this online-only school, which opened during the pandemic and has seen its enrollment boom ever since, students take tests from their homes at times that work best with their schedules. Principal Ammon Wiemers says it’s this flexibility that attracts students — including athletes and teens with part-time jobs — from across the state. 

“Students have 24/7 access but that doesn’t mean the teachers are going to be there 24/7,” Wiemers told The 74 with a chuckle. “Sometimes [students] expect that but no, our teachers work a traditional 8 to 4 schedule.” 

Any student who feels compelled to cheat while their teacher is sound asleep, however, should know they’re still being watched. 

For students, the cost of round-the-clock convenience is their privacy. During exams, their every movement is captured on their computer’s webcam and scrutinized by Proctorio, a surveillance company that uses artificial intelligence. Proctorio software conducts “desk scans” in a bid to catch test-takers who turn to “unauthorized resources,” “face detection” technology to ensure there isn’t anybody else in the room to help and “gaze detection” to spot anybody “looking away from the screen for an extended period of time.” 

Proctorio then provides visual and audio records to Kings Peak teachers with the algorithm calling particular attention to pupils whose behaviors during the test flagged them as possibly engaging in academic dishonesty. 

Such remote proctoring tools grew exponentially during the pandemic, particularly at U.S. colleges and universities where administrators seeking to ensure exam integrity during remote learning met with sharp resistance from students. Online petitions demanded institutions end the surveillance regime; lawsuits accused the tools of violating their constitutional rights and relying on “racist algorithms” that set off a red flag when the tool failed to detect Black students’ faces.  

At the same time, social media platforms like TikTok were flooded with videos purportedly highlighting service vulnerabilities that taught others “how to cheat.”

K-12 schools’ use of remote proctoring tools, however, has largely gone under the radar. Nearly a year since the federal public health emergency expired and several since the vast majority of students returned to in-person learning, an analysis by The 74 has revealed that K-12 schools nationwide — and online-only programs in particular — continue to use tools from digital proctoring companies on students, including those as young as kindergarten. 

Previously unreleased survey results from the nonprofit Center for Democracy and Technology found that remote proctoring in K-12 schools has become widespread. In its August 2023 educator poll, 36% of teachers reported that their school uses the surveillance software.

Civil rights activists, who contend AI proctoring tools fail to work as intended, harbor biases and run afoul of students’ constitutional protections, said the privacy and security concerns are particularly salient for young children and teens, who may not be fully aware of the monitoring or its implications. 

“It’s the same theme we always come back to with student surveillance: It’s not an effective tool for what it’s being claimed to be effective for,” said Chad Marlow, senior policy counsel at the American Civil Liberties Union. “But it actually produces real harms for students.” 

Wiemers is aware that the school, where about 280 students are enrolled full time and another 1,500 take courses part time, must make a delicate “compromise between a valid testing environment and students’ privacy.” When students are first subjected to the software he said “it’s kind of weird to see that a camera is watching,” but unlike the uproar at colleges, he said the monitoring has become “normalized” among his students and that anybody with privacy concerns is allowed to take their tests in person.

“It’s always strange in a virtual setting — it’s like you’re watching yourself take the test in the mirror,” he said. “But when students use it more, they get used to it.”  

Children ‘don’t take tests’

Late last year, Proctorio founder and CEO Mike Olsen published a blog post  in response to research critical of the company’s efficacy. A tech-savvy Ohio college student had conducted an analysis and concluded Proctorio’s face-detection capabilities relied on an open-source software library with a history of racial biases — including a failure to recognize Black faces more than half of the time. 
The student tested the company’s face-detection capabilities against a dataset of nearly 11,000 images, called FairFace, which depicted people of multiple races and ethnicities, with results showing a failure to distinguish Black faces 57% of the time, Middle Eastern faces 41% of the time and white faces 40% of the time. Such a high failure rate was problematic for Proctorio, which relies on its ability to flag cheaters by zeroing in on people’s facial features and movements. 

Olsen’s post sought to discredit the research, arguing that while the FairFace dataset had been used to identify biases in other facial-detection algorithms, the images weren’t representative of “a live test-taker’s remote exam experience.” 

“For example,” he wrote, “children and cartoons don’t take tests so including those images as part of the data set is unrealistic and unrepresentative.” 

To Ian Linkletter, a librarian from Canada embroiled in a long-running battle with Proctorio over whether its products were harmful, Olsen’s response was baffling. Sure, cartoon characters don’t take tests. But children, he said, certainly do. What he wasn’t sure about, however, was whether those younger test-takers were being monitored by Proctorio — so he set out to find out. 

He found two instances, both in Texas, where Proctorio was being used in the K-12 setting, including at a remote school tied to the University of Texas at Austin. Linkletter shared his findings with The 74, which used the government procurement tool GovSpend to identify other districts that have contracts with Proctorio and its competitors. 

More than 100 K-12 school districts have relied on Proctorio and its competitors, according to the GovSpend data, with a majority of expenditures made during the height of the pandemic. And while remote learning has become a more integral part of K-12 schooling nationwide, seven districts have paid for remote proctoring services in the last year. While extensive, the GovSpend database doesn’t provide a complete snapshot of U.S. school districts or their expenditures. 

“It was just obvious that Proctorio had K-12 clients and were being misleading about children under 18 using their product,” Linkletter said, adding that young people could be more susceptible to the potential harms of persistent surveillance. “It’s almost like a human rights issue when you’re imposing it on students, especially on K-12 students.” Young children, he argued, are unable to truly consent to being monitored by the software and may not fully understand its potential ramifications. 

Proctorio did not respond to multiple requests for comment by The 74. Founded in 2013, the Arizona-based company claims it provided remote proctoring services during the height of the pandemic to more than 2,000 education institutions globally. 

In 2020, Proctorio sued Linkletter  over a series of tweets in which the then-University of British Columbia learning technology specialist linked to Proctorio-produced YouTube videos, which the company had made available to instructors. Using the video on the tool’s “Abnormal Eye Movement function,” Linkletter tweeted that it showed “the emotional harm you are doing to students by using this technology.”

Proctorio’s lawsuit alleged that Linkletter’s use of the company’s videos, which were unlisted and could only be viewed by those with the link, amounted to copyright infringement and distributing of confidential material. In January, Canada’s Supreme Court declined to consider Linkletter’s claim that the litigation was specifically designed to silence him.

While there is little independent research on the efficacy of any remote proctoring tools in preventing cheating, one 2021 study found that Proctorio failed to detect test-takers who had been instructed to cheat. Researchers concluded the software is “best compared to taking a placebo: It has some positive influence, not because it works but because people believe that it works, or that it might work.” 

Remote proctoring costs K-12 schools millions

A rubric at UT High School, the online K-12 school operated by the University of Texas, indicates that Proctorio is used for Credit by Exam tests, which award course credit to students who can demonstrate mastery in a particular subject. For students in kindergarten, first and second grade, the district pairs district proctoring with a “Proctorio Secure Browser,” which prohibits test takers from leaving the online exam to use other websites or programs. Beginning in third grade, according to the rubric uploaded to the school’s website, test takers are required to use Proctorio’s remote online proctoring.

Proctorio isn’t the only remote proctoring tool in use in K-12 schools. GovSpend data indicate the school district in Las Vegas, Nevada, has spent more than $1.4 million since 2018 on contracts with Proctorio competitor Honorlock. Spending on Honorlock by the Clark County School District surged during the pandemic but as recently as October, it had a $286,000 company purchase. GovSpend records indicate the tool is used at Nevada Learning Academy, the district’s online-only program which claims more than 4,500 elementary, middle and high school students. Clark County school officials didn’t respond to questions about how Honorlock is being utilized. 

Meanwhile, dozens of K-12 school districts relied on the remote proctoring service ProctorU, now known as Meazure Learning, during the pandemic, records indicate, with several maintaining contracts after school closures subsided. Among them is the rural Watertown School District in South Dakota, which spent $18,000 on the service last fall. 

Aside from Wiemers, representatives for schools mentioned in this story didn’t respond to interview requests or declined to comment. Meazure Learning and Honorlock didn’t respond to media inquiries. 

At TTU K-12, an online education program offered by Texas Tech University, a web page notes the institution relies on Proctorio for “all online courses and Credit by Examinations,” flagging suspicious activity to teachers for review. In an apparent nod to Proctorio privacy concerns, TTU instructs students to select private spaces for exams and that if they are testing in a private home, they have to get the permission of anyone also residing there for the test to be recorded. 

Documents indicate that K-12 institutions continue to subject remote learners to room scans even after a federal judge ruled a university’s use of the practice was unconstitutional. In 2022, a federal judge sided with a Cleveland State University student, who alleged that a room scan taken before an online exam at the Ohio institution violated his Fourth Amendment rights against unreasonable searches and seizures. The judge ruled that the scan was “unreasonable,” adding that “room scans go where people otherwise would not, at least not without a warrant or an invitation.” 

Marlow of the ACLU says he finds room scans particularly troubling — especially in the K-12 context. From an equity perspective, he said such scans could have disproportionately negative effects on undocumented students, those living with undocumented family members and students living in poverty. He expressed concerns that information collected during room scans could be used as evidence for immigration enforcement 

“There are two fairly important groups of vulnerable students, undocumented families and poor students, who may not feel that they can participate in these classes because they either think it’s legally dangerous or they’re embarrassed to use the software,” he said. 

The TTU web page notes that students “may be randomly asked to perform a room scan,” where they’re instructed to offer their webcam a 360-degree view of the exam environment with a warning: Failure to perform proper scans could result in a violation of exam procedures.

“If you’re using a desktop computer with a built-in webcam, it might be difficult to lift and rotate the entire computer,” the web page notes while offering a solution. “You can either rotate a mirror in front of the webcam or ask your instructor for further instruction.”

‘A legitimate concern’ 

Wiemers, the principal in Utah, said that Proctorio serves as a deterrent against cheating — but is far from foolproof. 

“There’s ways to cheat any software,” he said, adding that educators should avoid the urge to respond to Proctorio alerts with swift discipline. In the instances where Proctorio has caught students cheating, he said that instead of being given a failing grade, they’re simply asked to retake the test. 

“There are limitations to the software, we have to admit that, it’s not perfect, not even close,” he said. “But if we expect it to be, and the stakes are high and we’re overly punitive, I would say [students] have a legitimate concern.”

During a TTU K-12 advisory board meeting in July 2021, administrators outlined the extent that Proctorio is used during exams. Justin Louder, who at the time served as the TTU K-12 interim superintendent, noted that teachers and a “handful of administrators within my office” had access to view the recordings. Ensuring that third parties didn’t have access to the video feeds was “a big deal for us,” he said, because they’re “dealing with minors.” 

While college students “really kind of pushed back” on remote proctoring, he noted that they only received a few complaints from K-12 parents, who recognized the service offered scheduling benefits. Like Wiemers, he framed the issue as one of 24-hour convenience. 

“It lets students go at their own pace,” he said. “If they’re ready at 2 o’clock in the morning, they can test at 2 o’clock in the morning.”

Correction: A copyright infringement case brought by Proctorio against longtime company critic Ian Linkletter is still being argued in court. An earlier version of this story mischaracterized the litigation as being ruled in Proctorio’s favor.

Pew Research Associate Luona Lin called the findings released Thursday “jarring”: Nearly a quarter of educators said they experienced a lockdown due to a gun — or fears of one — on their campus last school year.

Teachers who work in high schools, and those located in urban areas, were far more likely to experience lockdowns. Among high school educators, 34% reported at least one gun-related lockdown during the 2022-23 school year, as did 31% of those who teach in urban areas.

“One of the most striking findings is just the sheer number of teachers who say they have experienced a lockdown,” Lin told The 74. Pew sought to probe educators’ perspectives of school gun violence after researchers conducted interviews to understand their “day-to-day lives and their perspectives” on hot-button issues, she said. Gun violence came up again and again. 

“A lot of teachers definitely talked about worrying about school shootings happening in their school,” she said. “One of the teachers we talked about it with actually said, ‘I think about it every day.’”

Though the Pew data don’t offer insight into the frequency that firearms are ultimately found, tallies on campus attacks have shown a staggering upward trend, with record numbers over the last three years.

Just this week, James and Jennifer Crumbley were each sentenced to 10-15 years in prison after being found guilty of involuntary manslaughter for their role in failing to prevent a 2021 school shooting that was carried out by their then-15-year-old son. The shooting at his Oxford, Michigan, high school led to the death of four students. The Crumbleys are the first parents in U.S. history to be sentenced to prison in response to an active shooting perpetrated by their child. More than two-thirds of active shootings at K-12 campuses were carried out by perpetrators between the ages of 12 and 18, according to federal data. 

For some teachers who participated in the Pew poll — 59% of whom say they worry about a school shooting unfolding at their schools — gun-related lockdowns are frequent. While 15% said they experienced one lockdown last school year, 8% said they were forced to take cover at least twice. 

The new data on the opinions of K-12 teachers comes roughly 25 years after the 1999 Columbine High School shooting in suburban Denver, which became a national flashpoint on school violence after two student gunmen killed 13 of their classmates before taking their own lives. Since then, national spending on school security has surged — and so, too, have the number of campus attacks.

Though school shootings are politically fraught and carry devastating consequences for communities, they remain statistically rare. Between 2000 and 2021, there have been 46 “active shooter incidents” at K-12 campuses, which resulted in 108 deaths and 168 injuries, according to the most recent federal data. Active shootings are defined as those where a gunman fires indiscriminately at people in a public place like a school. 

Beyond active shootings like those at Oxford and Columbine, federal data on campus gun incidents indicate 188 shootings that resulted in casualties during the 2021-22 school year— more than twice as many as the year earlier, which at the time was a record high.

While a majority of educators fear school shootings, 39% said their school has done a fair or poor job preparing for one while 30% — particularly those with school-based police officers — said their district has done an excellent or very good job. 

In preventing future attacks, 69% of educators endorsed efforts to improve mental health screenings and treatments for children, 49% supported campus cops and 33% favored metal detectors. 

Just 13% of teachers who participated in the Pew survey said arming educators would be an extremely or very effective approach to prevent the tragedies. 

Teachers’ responses were often similar to those offered by parents and students in previous Pew surveys on school shooting fears and preparation — with all parties being swayed, at least in part, by partisan politics. 

Republican-leaning educators were more likely than their Democratic colleagues to support campus police, metal detectors and arming teachers. Democratic teachers were more likely than GOP educators to support efforts to improve students’ mental health. 

In a fall 2022 survey, two-thirds of parents said they were at least somewhat worried about a shooting unfolding at their child’s school, and 63% endorsed improvements in mental health for students as a way to prevent shootings, a rate higher than any other intervention. 

In a similar Pew survey, from 2018, 57% of teens said they were somewhat or very worried about a school shooting occurring on their campus. 

Pew’s educator survey included responses from 2,531 public K-12 teachers in October and November who are members of Rand’s American Teacher Panels, a nationally representative sample of U.S. educators. 

“Gun violence and all of these gun policy issues, they are definitely partisan,” Lin said. “The views of teachers, the views of parents, are reflective of the overall population’s views on this, and definitely the partisan differences as well.”

As artificial intelligence tools become more common in schools, most teachers say their districts have adopted guidance and training for both educators and students, according to a new, nationally representative survey by the nonprofit Center for Democracy and Technology. What this guidance lacks, however, are clear instructions on how teachers should respond if they suspect a student used generative AI to cheat. 

“Though there has been positive movement, schools are still grappling with how to effectively implement generative AI in the classroom — making this a critical moment for school officials to put appropriate guardrails in place to ensure that irresponsible use of this technology by teachers and students does not become entrenched,” report co-authors Maddy Dwyer and Elizabeth Laird write.

Among the middle and high school teachers who responded to the online survey, which was conducted in November and December, 60% said their schools permit the use of generative AI for schoolwork — double the number who said the same just five months earlier on a similar survey. And while a resounding 80% of educators said they have received formal training about the tools, including on how to incorporate generative AI into assignments, just 28% said they’ve received instruction on how to respond if they suspect a student has used ChatGPT to cheat. 

That doesn’t mean, however, that students aren’t getting into trouble. Among survey respondents, 64% said they were aware of students who were disciplined or faced some form of consequences — including not receiving credit for an assignment — for using generative AI on a school assignment. That represents a 16 percentage-point increase from August. 

The tools have also affected how educators view their students, with more than half saying they’ve grown distrustful of whether their students’ work is actually theirs. 

Fighting fire with fire, a growing share of teachers say they rely on digital detection tools to sniff out students who may have used generative AI to plagiarize. Sixty-eight percent of teachers — and 76% of licensed special education teachers — said they turn to generative AI content detection tools to determine whether students’ work is actually their own. 

The findings carry significant equity concerns for students with disabilities, researchers concluded, especially in the face of research suggesting that such detection tools are ineffective.

The Minnesota House of Representatives voted 124-8 Monday afternoon to approve legislation that removes a ban on school resource officers using prone restraint on students. The bill now moves to the Senate for consideration.

Nearly four years after George Floyd suffocated to death while being pinned face down to the pavement by a police officer, Minnesota Democrats are fast-tracking legislation that would undo a less-than-year-old ban prohibiting school-based cops from using that same type of restraint on students. 

As early as Monday, the state’s House of Representatives is slated to consider a proposal that presents a drastic departure from provisions approved by Democratic Gov. Tim Walz — rules that explicitly barred school resource officers from using face-down “prone restraint.”

The ban was part of a broader police reform movement that followed Floyd’s murder. The fatal physical hold led to the largest civil rights protest in U.S. history, a national reckoning on racism, policy reforms that sought to address police brutality and, in Minneapolis and dozens of districts nationwide, the removal of sworn officers from school campuses. In Minnesota, new state rules barred police officers from using chokeholds on people and prone restraints were banned in the state’s prisons. 

Now, as the state’s Democrats make a 180-degree turn on the campus reform, education equity advocates have accused state leaders of falling to the political pressure of law enforcement groups ahead of a November election where party lawmakers seek to maintain their narrow majority in the state House. The proposal cleared the House Ways and Means committee earlier this week. 

Physical restraints have led to devastating consequences for children including injury and, in some cases, death. Yet for Republican lawmakers and law enforcement, the change in Minnesota went a step too far. Police departments statewide pulled their cops from schools in protest of the restraint restriction. 

During a recent Senate Judiciary and Public Safety Committee hearing, Democratic Sen. Bonnie Westlin, lead sponsor of the Senate version of the bill that would restore prone restraints in schools, presented it less as a backtrack and more as an opportunity. The issue is about ensuring campus cops remain “important team members in our schools,” Westlin said, while creating uniformity across school resource officers’ duties, their training requirements and accountability.  

Along with removing restraint rules for school-based police and campus security staff, the pending legislation would allocate $150,000 this year to develop consistent, statewide training standards for school resource officers and require police to complete the lessons before working on campuses. The bill also seeks to clarify that school-based police officers should not be involved in routine student discipline. 

“When a local community determines that they would like to engage SROs, we want to make sure there is uniformity about expectations for everyone concerned,” Westlin said.

Advocates who lauded the prone restraint ban, however, say that lawmakers have turned their backs on Floyd’s legacy. 

“How is it that — in the state where this man gets killed and the world erupted — that we are not the leading people who are banning this on our kids?” asked advocate Khulia Pringle, the Minnesota director of the National Parents Union and a steering committee member of the Solutions Not Suspensions Coalition, a group of education nonprofits that has lobbied against the legislation. “It’s banned in prisons, it’s banned for students with disabilities. 

“Why can’t we extend that same courtesy to all children?” 

The ‘fix’

Presented by Democratic leaders as an “SRO fix” bill, the proposal comes after police departments got wind of the restraint ban last fall — an under-the-radar change in a larger education bill that passed without opposition. In response, about 40 law enforcement agencies removed their school resource officers from campuses. 

Under the language in the current law, school resource officers and campus security personnel are prohibited from using face-down prone restraints and “certain physical holds,” including those that restrict or impair “a pupil’s ability to breathe” or their “ability to communicate distress.” 

The ban represented an extension of state rules that have been on the books for years. In 2015, after state education officials warned in a report that “it is only a matter of time before a Minnesota child is seriously injured or killed while in prone restraint,” lawmakers banned educators from using the technique on children with disabilities. Nationally, 37 states have laws that curtail educators from using prone restraints and other tactics that restrict students’ breathing. 

In Washington, D.C., Democratic lawmakers have sought for years to pass a federal ban on student restraints. Nationally, about 35,000 students were placed in physical restraints at school during the 2020-21 school year, according to the most recent data from the Education Department’s civil rights office. Black students represented 15% of K-12 school enrollment and 21% of those placed in physical holds. Meanwhile, students with disabilities represented 14% of the national enrollment — and 81% of those subjected to restraints. 

After the new changes were put in place in Minnesota and students returned to classes last fall, law enforcement agencies argued it stirred confusion among their ranks, opened their departments to lawsuits and tied their officers’ hands in how they work to keep schools safe and combat crimes like vandalism. Republican lawmakers seized on the furor and demanded a special legislative session to repeal the law. 

The Coon Rapids Police Department, located in a northern Minneapolis suburb, is among the agencies that removed its officers from schools. That decision was reversed and the agency’s four campus cops returned to schools in November after the state attorney general issued a clarification on the law’s limits. The school resource officer program was put on hold temporarily last fall in part because of how officers are trained to do their jobs, Captain of Investigations Tanya Harmoning told The 74. She said she wasn’t sure how often prone restraint had been used by her officers inside schools. Regardless of whether an officer is stationed inside a school building or on a city street, she said, they “are all trained in the same tactics.” 

“Our officers are trained a certain way to handle certain situations,” she said. “Some of these people transition back out onto the road, so to expect them to transition from ‘you can do it here, but you can’t do it here,’ kind of thing, that’s just not how we train our people.”

In two legal opinions last fall, Attorney General Keith Ellison clarified that the ban didn’t restrict officers from using prone restraints in cases involving imminent harm or death, which offered assurances to many law enforcement agencies that agreed to return officers to schools. 

The special session that Republicans and police brass demanded didn’t come to fruition but the issue has become a top priority this year for Gov. Walz and his Democratic-Farmer-Labor Party, which controls both chambers of the state legislature. 

State officials and education leaders have sought to frame the debate as being not about prone restraint, but rather the need to get police back in schools. 

‘The voices of all stakeholders’

When Democratic Rep. Cedrick Frazier appeared before the House Education Policy Committee in mid-February, he acknowledged the timing of his testimony: “We are not far removed,” he said, “from the tragic murder of George Floyd.” 

He pivoted to a state law passed in response that banned police from using chokeholds — rules that he said were critical to their discussions about school-based police. With the chokehold ban in place, he suggested the prone restraint prohibition was unnecessary. 

“The tension and anxiety that has been discussed, in large part, stems from the egregious visual of that tragic day,” Frazier testified. But even without a ban on prone restraints, he said that state law would continue to prohibit school-based officers from pinning students to the ground in ways that restrict breathing.

“Our only focus must be doing everything we can to ensure that while our young people are in our schools, that we ensure that their environment is safe from any type of harm,” Frazier said. “We must ensure our young people have the best environment to have the best possible outcomes.” 

His testimony didn’t explicitly touch on prone restraints or why police needed greater autonomy around their use in classrooms. Representatives for Frazier and the governor didn’t respond to requests for comment and state Sen. Westlin’s office declined an interview request. 

In his testimony, Education Commissioner Willie Jett focused on schools’ need for campus police officers and the bill’s new training requirements. He, too, didn’t touch specifically on restraint procedures. 

“SROs are viewed by many as essential to maintaining safe and secure learning environments and data from the 2022 Minnesota student survey tells us that an overwhelming majority of students from all demographic areas value the SROs in their schools,” Jett said. 

In Minnesota, state education officials have sought to reduce schools’ reliance on restraint tactics for years. The most recent state data on restrictive procedures reveal that students with disabilities were subjected to more than 10,000 physical restraints during the 2021-22 school year, with such holds disproportionately used on Black and Indigenous students. Frequently, state data show, these holds result in injuries — and more often for adults than children. During the 2021-22 school year, districts reported 733 staff injuries from placing students in restraints — a rate that equates to about one staff injury for every 14 physical holds. That same year, 161 students were reported injured.  

Frazier’s work leading the reform bill appears to be at odds with his broader championing of policing and public safety. After Floyd’s murder, Frazier became known in the state as a key negotiator in favor or progressive police reforms, often drawing on his personal experiences with inequities growing up as a Black teen on Chicago’s South Side. In September, as police agencies statewide began pulling officers from schools, Frazier signaled his support for the new prone restraint ban. The House People of Color and Indigenous Caucus, which Frazier co-chairs, released a statement expressing that same sentiment.

“The provision in the education bill passed earlier this year related to school personnel is clear: School staff, including school resource officers, are not allowed to use prone restraints,” or other holds that restrict a student’s ability to breathe, the caucus wrote in the statement, which bore Frazier’s name. Given the attorney general’s opinion extending SROs’ authority to restrain kids in serious cases, the group wrote, “changes to the law are not needed.”

In Republican’s unsuccessful bid to force a special legislative session, they found common ground with Education Minnesota, the state teacher’s union, which noted that school staff needed clear guidance on how to protect themselves and students during potentially dangerous situations. In 2021, union spokesperson Chris Williams told The 74 the group was concerned about “the ongoing racial disparities that we know exist in the use of restrictive procedures,” and noted support for rules that prohibited prone restraint in classrooms. 

Williams didn’t respond to a list of questions about the pending legislation introduced by Frazier who, along with being a state representative, works as a teacher’s union staff attorney. 

‘Prone kills kids’

When Matt Shaver testified at the House education committee last month, he opened with a grim warning: “Prone kills kids.”

“We are advocates for kids — and prone kills kids,” said Shaver, the policy director of the nonprofit EdAllies, which is a member of the Solutions Not Suspensions Coalition working to maintain the current prone restraint ban. “This is not about whether SROs belong in schools,” as lawmakers and state education officials have cast the conversation, he said. “This is about whether we believe holds that kill children belong in school.” 

Shaver cited a recent study which examined childhood fatalities that stemmed from physical restraints over a 26-year period. Researchers identified 79 incidents where restraints led to deaths in settings including foster homes, psychiatric agencies and schools. Deaths were most common when children were held in the face-down prone restraints — and most often for benign childhood behaviors like failing to remain silent or sit without wriggling. Investigations into the fatalities found that adults routinely failed to follow proper restraint policies and laws. 

“In 15 fatalities, children vomited, urinated or turned blue during the restraint,” researchers concluded in the 2021 study, which was published in the academic journal Child & Youth Care Forum. “These signals should have been detected by an adult monitoring these events and immediately triggered a change in tactics or discontinuation of the restraint.”

Shaver told The 74 he believes the Democrats are reacting to the politics of the police “work stoppage” and a desire not to appear soft on crime ahead of the November election. That has placed them in the position, he said, of wanting to overturn the restraint restriction, but “not in a way that will freak out their base.” 

“They may have failed at doing that,” Shaver said.

In about a third of Florida school districts, and concentrated in rural panhandle enclaves like Daniels’s Liberty County, corporal punishment as a form of student discipline remains deeply ingrained in the culture. It’s why on this morning in early December, school leaders instructed the 18-year-old to bend over a desk.

What came next — a paddling that left deep purple bruises and welts for a minor school offense that Daniels said stemmed from a misunderstanding about Christmas decorations on a campus door — was far beyond routine student discipline, the Liberty County High School senior told The 74.

It was, she alleges, sexual assault. 

“They were so eager to go in there and spank me,” said Daniels, who said she was struck by Assistant Principal Tim Davis, a former Major League Baseball player who pitched for the Seattle Mariners, while Principal Eric Willis observed and laughed. “They took their time, they watched me.”

Liberty County School District officials didn’t respond to multiple interview requests. Reached by The 74 on his cell phone, Davis declined to comment on the incident or allegations that his use of force was sexual assault.  

The incident, which has sparked controversy in Florida’s least populous county roughly 50 miles west of Tallahassee, comes as state lawmakers debate the fate of rules that have long permitted teachers to spank students as a disciplinary measure. A significant body of research suggests that corporal punishment has the opposite effect of improving student behaviors and a data analysis by The 74 shows in parts of Florida, it’s most often used to address minor infractions like “excessive talking,” “insubordination” and “horse play.” 

Florida is one of 16 states where laws explicitly allow educators to use corporal punishment on students, and the practice is not expressly prohibited by laws in an additional seven states, according to a recent review by the U.S. Department of Education. In a letter last year, Education Secretary Miguel Cardona urged state lawmakers and school leaders “to move swiftly toward condemning and eliminating” a practice that “can lead to serious physical pain and injury,” is associated with heightened mental health issues, stunted brain development and hindered academic performance. Nationally, federal data show that corporal punishment is disproportionately used on students of color and those with disabilities. 

Prompted by the advocacy of two Florida college students, there is now pending legislation in the state, where roughly a third of districts use corporal punishment to discipline kids, that would require educators to get permission from parents each year before spanking their children. The measure would also ban the use of physical force on students with disabilities. The bill garnered unanimous support in a state House subcommittee last month. Yet a companion bill in the Senate has remained stalled and lawmakers worry the effort will falter this legislative session — as similar efforts have for years. 

Rep. Katherine Waldron, a Democrat who co-sponsored the bipartisan bill, said the subcommittee hearing was the furthest any effort to reform state corporal punishment rules has gotten to date. She credited the momentum to student advocacy, and specifically to the University of Florida students who launched a statewide campaign to change the law. 

“It’s great that we have this level of student involvement in the whole process and they’re really helping to push the bill and they’re learning a lot,” Waldron said. “Any time we have that kind of momentum for a good bill like this, I think representatives should pay attention and try to help.” 

In Liberty County, Daniels said that school officials accused her of lying to a substitute teacher and using her position in the school honor society to get her friend out of class to help with the holiday decorating. When school administrators approached her about the incident a week later, they gave her two options: in-school suspension or corporal punishment — a choice she said left her feeling coerced. The entire incident stemmed from an honest misunderstanding, she said, and accepting in-school suspension would have required her to miss an exam for a dual-enrollment college class and to be late for work at Chick-fil-A. 

She chose to get spanked. 

“As soon as it happened, I really just felt sexually assaulted. I felt disgusted with myself that I even kind of gave them permission,” said Daniels, who transitioned to online-only instruction after the incident and fears she may someday run into Davis or Willis at their small-town grocery store. Daniels has spoken out against corporal punishment in Florida schools and her paddling garnered local media attention. Her mother launched a Change.org petition calling on lawmakers to ban the “systemic issue prevalent across 19 school districts in Florida.” 

“I felt like they really just got off by it,” Daniels said, adding that a parent could face child protective services investigations for leaving similar bruises on their kid. “I don’t even think I could look them in the eyes now, not even now. And you know about my senior year, after the situation I really truly started realizing, I’m not going to have a senior year anymore.” 

‘You can get a paddling’

In recent years there have been numerous cases in Florida that resemble the one involving Daniels. Yet even in districts where parents can opt their children out of being hit as a form of discipline — and even in incidents where parents accuse educators of going too far — law enforcement officials have pointed to a state law permitting the practice. Kristina Vann, Daniels’s mother, said she had not given Liberty County educators consent to hit her daughter.

That didn’t stop Assistant Principal Davis from drawing the paddle. 

Daniels reported the incident to the Liberty County Sheriff’s Office and, in an interview with The 74, Undersheriff Robert “Dusty” Arnold acknowledged the agency looked into the case but said they don’t plan to pursue criminal charges. He called the case “a non-issue” involving a permitted form of discipline that Daniels had consented to. The entire incident, he said, was “being blown out of proportion.” 

“It’s the state law,” Arnold said in an interview. “And if you choose to take a paddling, you can get a paddling. My understanding is she was given options and she chose that.”

Sam Boyd, a supervising attorney at the nonprofit Southern Poverty Law Center, which has worked to prohibit corporal punishment in Florida and nationally, said he’s aware of “a fact pattern” of corporal punishment incidents “that may be much more of a serious sexual assault than punishment.” 

The case involving Daniels, who is an adult in the eyes of the law, presents its own set of complicated legal questions, he said. 

“To the extent that schools are stepping in for parents, if that’s the theory behind corporal punishment, it’s hard to see how that makes any sense in the context of people who are legally adults,” he said. “As a policy matter, it doesn’t make any sense to be using corporal punishment against adults, although of course it doesn’t in our view, make any sense to be using it against minors either.” 

Florida’s law permitting corporal punishment in schools has been used in previous incidents to shield educators from criminal charges. In 2018, for example, charges were dropped against a Lake County bus monitor who was accused of using corporal punishment on students with disabilities in ways that constituted child abuse, including grabbing children by their faces, twisting their heads and pushing them against a wall in the bus. Prosecutors concluded that the state law superseded a school district policy banning corporal punishment. 

Three years later, in 2021, an elementary school principal in Hendry County was caught on video spanking a 6-year-old girl with a wooden paddle despite a district policy prohibiting such actions. Although the state corporal punishment law requires educators to comply with local district rules, prosecutors declined to pursue charges and claimed the girl’s mother — an undocumented immigrant who filmed the encounter and shared the footage with a local television station — had consented to the beating and at no point spoke up to “raise any objection.” 

The Hendry County incident prompted an investigation by The 74, which revealed numerous incidents where students had been subjected to corporal punishment in school districts across the country where that practice had been outlawed. 

For University of Florida student Graham Bernstein, that investigation served as a wake-up call. The Hendry County incident coincided with another failed legislative effort to ban corporal punishment and he felt that more needed to be done to stop the practice, he told The 74. He joined up with a classmate, Konstantin Nakov, and wrote the bill now pending in Tallahassee that the duo hopes will persuade state officials to view Florida’s history of corporal punishment in a different light. 

The business of hitting kids

First, Bernstein and Nakov set out to get a better understanding of corporal punishment in Florida which, according to state data, was used to punish 509 students last school year.

Through emails and public records requests with districts statewide, the students found that the practice was being used to discipline the same students repeatedly — about half of whom were in special education — and often for minor classroom infractions. In Columbia County, records shared with The 74 revealed, spanking was primarily reserved for elementary school students. Of the 824 incidents of corporal punishment in the north central Florida county between August 2018 and May 2022, 84% were attributed to minor infractions including the use of inappropriate language, disrupting the classroom environment and inappropriate use of electronic devices. Fewer than 13% of incidents were initiated after a student hit a classmate.

The practice was also used more than a dozen times at Pathways Academy, an alternative education program in Columbia County which says on its website that it specifically serves students “with behavior, academic and attendance barriers” and those with disabilities who need additional support “to overcome their own barriers.” 

Columbia County school district officials didn’t respond to requests for comment about their corporal punishment practices. 

While previous efforts to ban corporal punishment in Florida schools have focused on the research suggesting it’s an ineffective disciplinary tool and has negative consequences for students, Bernstein and Nakov used another tact to get support from Republicans, who represent the rural, predominantly conservative counties where the practice is primarily used. 

They took a page from GOP Florida Gov. Ron DeSantis’s playbook and presented the issue as one of parental rights.

“I don’t know what it is about conservative Republicans, but some of them just think that it’s a good disciplinary intervention to strike children,” Bernstein said. “A big emphasis has been recently on the whole idea of parental rights and making it so the government doesn’t have the ability to do something without a parent agreeing to it. And so we thought we can apply that here. … Especially with some of these more conservative legislators, who are really zealous supporters of this idea of parental rights, let’s test their rhetoric against them and see if it sticks.” 

Still, getting buy-in from lawmakers wasn’t easy, said Nakov, who graduated from the University of Florida last year and now attends medical school in Bradenton, Florida. He and Bernstein have spent the last several years sending emails to legislative offices and taking road trips to the statehouse to speak with potential sponsors. 

Rep. Mike Beltran, a Republican from Apollo Beach who co-sponsored the bill, said the legislation fits in line with other efforts in Florida to bolster parental rights. 

“I don’t think the parents should spank the kids either, but certainly the school should not be doing it and certainly the school should not be doing it without the parents’ approval or knowledge,” Beltran said. “There’s no due process — there’s no due process at all — and you’re going to spank them?”

If Florida bans corporal punishment and educators fail to comply, Beltran said that students and parents should “sue their pants off.” 

‘I took it very easy on her’

Back in Liberty County, Brooklynn Daniels’s mother used a school communication platform to confront Davis on the way he spanked her daughter. In a text chat on the app ParentSquare that she shared with The 74, Vann offered the assistant principal photographic proof that her daughter’s “butt is red all over,” from the paddling. Davis declined the photo and defended his actions. 

“I can assure you I took it very easy on her,” Davis wrote. “I’m teased by staff in the front office about how soft I swing a paddle and I took it especially easy on Brooklyn, as I do with any female.” 

Vann was floored at his characterization, especially given Davis’s career in professional baseball in the 1990s, which also included stints with the Tampa Bay Devil Rays and the Milwaukee Brewers. 

“That man went from swinging bats for a living to beating children,” she said. “So how do I know where he went to school to learn how to — instead of hitting a baseball out into the outfield — to gently swing a paddle to hit my kid?” 

Vann sees insular, hometown favoritism at the root of how school leaders handled her daughter and defended Davis, a Liberty County High School alumnus. The family moved to the rural county from urban Tallahassee — and longtime residents, Vann said, resented Brooklynn.

“She’s made homecoming twice, she’s a cheerleader, she’s well known in the community. She’s made her mark here and she’s not from Liberty County,” she said. “We have what they call the good ol’ boys system here. If you’re not born and raised here, they’re not going to protect you and they don’t like you. They don’t like outsiders.” 

To Undersheriff Arnold, a fourth-generation Liberty County resident, the culture of school corporal punishment contributes to a polite community where people refer to others by “sir” and “ma’am.” He recalled the times when he was paddled inside the local schools, where he and other students were sternly punished “if you got out of line.” 

“It’s a lot of what our country is missing now: Too many people get away with too many things and there’s no punishment for anything, there’s no accountability for anything anymore,” Arnold said. “When you’re held accountable, it keeps you in check.” 

Arnold said he isn’t aware of any other instances in the county where a student reported school corporal punishment to law enforcement. He described the incident involving Daniels as one where a high school beauty pageant contestant has sought to rake in views and likes on social media. He offered a steadfast endorsement of local education leaders, adding that he’s “a little bit passionate when it comes to our school district.” 

“I know what kind of school we have, I have children at that school, and I trust those individuals with my kids’ lives,” he said. “They are good people — they are really good people. They don’t want to do anything else in this county but help these children get an education.”

Yet for Daniels, she can’t get away from the thick wooden paddle and the bruises it left on her body.

“It was black and blue and purple and yellow and you could see where all the bruises had already started forming” in just minutes, she said, after she left the principal’s office and rushed into a school bathroom.

“It’s insane how hard they hit me.”

She had just taken her son out to target practice in what she described on social media as a “mom and son day testing out his new Christmas present:” a 9-millimeter pistol the high schooler referred to online as “My new beauty.”

The images were pivotal to an unprecedented conviction this week that legal scholars predict could create a new tool for prosecutors as the nation looks for ways to stem a record-setting uptick in mass shootings.

“This is the last picture we have of that gun until we see it murder four kids on Nov. 30, and the person holding it is Jennifer Crumbley,” Oakland County Prosecutor Karen McDonald said before a jury convicted the mother on four counts of involuntary manslaughter — one for each of the students her son gunned down at Oxford High School. 

“She’s the last person we see with that gun,” McDonald said. 

Crumbley is the first parent to be held directly responsible for a school shooting carried out by their child, turning on its head a bedrock legal principle: People cannot be held responsible for the actions of others.

“Look, I thought this case could go either way and still when the result came out I was a bit stunned because it’s such a deep legal principle,” Ekow Yankah, a University of Michigan law professor, told The 74.

And if other parents are charged in connection with shootings acted out by their children, Yankah said, the Crumbley conviction may make them more likely to accept a plea deal behind closed doors.

“Prosecutors will be tempted to use this power in ways that we don’t see,” he said. “A prosecutor is going to sit across from a parent when people are crying out for somebody to be held accountable and the prosecutor is going to be able to say, ‘I’m offering you three years to five years in prison, but if you don’t take this deal, I will prosecute for 15 years.’ ” 

For gun control advocates and the parents of children killed in their classrooms, the landmark trial’s outcome was welcomed. Craig Shilling, the father of Oxford shooting victim Justin Shilling, told a local TV station the conviction is “definitely a step towards accountability.” About three-quarters of school shooters obtain their guns from a parent or another close relative, according to a 2019 U.S. Secret Service report. In about half of cases, the guns had been readily accessible. 

The conviction is in many ways a watershed moment that hinged heavily on portrayals of Crumbley as a neglectful mom who paid more attention to her horses and an affair than to the son she’d gifted a gun to as he struggled with his mental health and exhibited violent behaviors. 

In this case, the gunman was charged as an adult while his mother was found guilty of crimes that stemmed from her role as an egregiously aloof and reckless parent. The gunman pleaded guilty in October 2022 to 24 charges, including first-degree murder and terrorism causing death, and was sentenced to life in prison without parole in December. 

The shooter’s father, James Crumbley, is scheduled to face a similar trial next month. 

Yankah, the UMichigan law professor, told The 74 he wasn’t aware of any other cases where a parent was held liable for the crimes of a child who was simultaneously considered “a legal agent” and therefore responsible for his own actions. 

It’s not the first time a parent has been held legally responsible for crimes committed by their children —including in helping their child secure a firearm later used in a mass shooting. Still, experts said the Crumbley case does present a significant escalation in a generations-long push to hold parents accountable for the misdeed of their kids.

One study, published in the Utah Law Review in 2008, noted that such efforts appeared cyclical, noting that “every couple of decades or so” lawmakers claimed to “discover” the idea of holding parents to account for teenage crimes. 

Punishing parents

States nationwide maintain “parental responsibility laws,” which impose civil or criminal liability on adults under the premise that their failures to take control as parents led to their kids’ bad acts. There is research that ties youth delinquency to poor parenting. 

One recent parental responsibility law, passed by Nevada lawmakers in 2022, specifically addressed guns. It imposed civil liability on parents for negligence or willful misconduct if they allow their minor children to use or possess guns if the child has been adjudicated delinquent, was convicted of a crime, has the propensity to commit violence or intends to use the weapon unlawfully. 

Efforts to hold parents accountable for their children’s behaviors are rooted in the very origins of the nation’s juvenile justice system in the early 1900s, which authorized the state to intervene when parents failed in their duties, according to research into the laws’ origins and their constitutional implications. By the 1970s, the report notes, lawmakers began to place a greater emphasis on parents as a factor in juvenile crime and turned to “vicarious blaming.”

Little is known, however, about whether such efforts have been effective in reducing juvenile crime. Eve Brank, a professor of law and psychology at the University of Nebraska-Lincoln, told The 74 that she is unaware, after decades of researching the emergence of parental responsibility laws, of “any empirical research that shows that imposing punishments on parents because of the actions of the children will decrease juvenile crime.”

She is also unaware of any data indicating how frequently those laws are used. In 2015, she conducted a survey of police chiefs and district attorneys, who reported infrequent enforcement. Through her research, Brank has identified three types of such laws: civil liability, contributing to the delinquency of a minor and parental involvement. 

Under the statutes, parents can be held responsible for helping or encouraging their child to commit a crime and financially liable for damages. They can also be required to pay fines or attend parenting classes due to their children’s criminal acts. 

Among them are truancy laws, which require students to attend school. In New Jersey, for example, parents who don’t compel their children to attend school can face disorderly conduct charges and fines. Such efforts, however, have been heavily criticized — including during the 2016 presidential election when Vice President Kamala Harris was scrutinized for her embrace of California rules that imposed jail time and fines on parents in truancy cases while she served as state attorney general. 

In 2017, Pennsylvania lawmakers reformed state truancy rules and made them less punitive after a Reading County woman was found dead in 2014 while serving a two-day jail sentence for her children’s truancy because she was unable to pay a $2,000 fine. 

“Many of those statutes came under a lot of strain in the last say 15 years,” including ones around truancy, Yankah said, adding that people were skeptical about whether they addressed the root causes underlying the social problems they sought to address and could uphold long standing racial disparities in the judicial system. “Frankly, communities of color really learned that — as is so often the case — when we pass more criminal statutes the people who are in the crosshairs are politically vulnerable. It was a lot of Black mothers, and so those statutes kind of faded out of popularity.” 

In some cases, parental responsibility laws have failed under court scrutiny. Among them is an ordinance in Maple Heights, Ohio, that held parents criminally liable for “failing to supervise a minor” if their child committed what would be considered a misdemeanor or a felony if it had been carried out by an adult. The state appeals court struck down the statute in 2008 after a parent faced charges after her 17-year-old son was accused in juvenile court of carrying a concealed weapon, resisting arrest and failing to comply with a police officer. 

Meanwhile, officials have also sought to hold parents responsible when their children bully other kids. In 2016, the city council in Shawano, Wisconsin, passed an ordinance that imposed $366 fines on parents who failed to address their child’s harassment directed at other kids. 

In a high-profile cyberbullying case from 2013, a Florida sheriff bemoaned his inability to arrest the parents of a girl who was charged criminally for harassing a 12-year-old classmate so relentlessly online that it led the girl to die by suicide. Among the harassment was an online message encouraging the 12-year-old to “drink bleach and die,” yet the parents continued to give the bully access to social media. 

“I’m aggravated that the parents aren’t doing what parents should do,” Polk County Sheriff Grady Judd told reporters at the time. “Responsible parents take disciplinary action.” 

A new category of parental responsibility

Crumbley’s conviction, Brank said, “doesn’t fit into any of these categories” of traditional parental responsibility laws and is instead a first-of-its-kind extension of the manslaughter statute. 

As officials seek to crack down on mass shootings, the Crumbley case is one of several recent examples where prosecutors sought to hold parents accountable when their children carried out what once were unthinkable acts of violence.

In December, a Virginia mother was given a two-year prison sentence for felony child neglect after her 6-year-old son brought a gun to his Newport News elementary school and shot his first-grade teacher. In a separate prosecution, the mother pleaded guilty to using marijuana while owning a firearm and for making false statements about her drug use. 

In a separate prosecution that may have laid the groundwork for the Crumbley case, an Illinois father pleaded guilty to misdemeanor reckless conduct on charges that stemmed from a shooting carried out by his son at a 2022 Highland Park Independence Day parade, which left seven people dead. That case centered on how his son, who was 19 at the time, obtained a gun license. 

At the time of the massacre, the gunman was too young to apply for a firearm license so his father sponsored his application despite knowing his son had a history of behaving violently. Several months before the attack, a relative reported to police that the teenager had a large collection of knives and had threatened to “kill everyone.” 

In the Highland Park case, the state prosecutor was explicit: The father’s guilty plea, he said, should be a “beacon” to others that parents can be held accountable for the actions of their children. 

“We’ve laid down a marker to other prosecutors, to other police in this country, to other parents, that they must be held accountable,” Lake County State Attorney Eric Rinehart said. “The risk of potentially losing this innovative prosecution — and not putting down any marker — was too great for our trial team.” 

Yankah said it’s important to look at new parental accountability efforts through their historical contexts. 

“Looking back at history,” he said, “shows us that our historical experiments with this kind of liability for parents has rarely solved the underlying problem,” he said. “Maybe this kind of case will have an effect, maybe parents will be more attentive. But to speak honestly, I think what a case like this shows is how many different things we as a society have to work on if we really want to be free of this violence.”

In response to an inquiry by The 74, the nonprofit Future of Privacy Forum said last week it would review Raptor Technologies’ status as a Student Privacy Pledge signatory after a cybersecurity researcher found more than 4 million sensitive records maintained by the company were readily available without any encryption protection despite Raptor’s claims that it scrambles its data. 

“We are reviewing the details of Raptor Technologies’ leak to determine if the company has violated its Pledge commitments,” David Sallay, the Washington-based group’s director of youth and education privacy, said in a Jan. 24 statement. “A final decision about the company’s status as Pledge signatory, including, if applicable, potential referrals to the [Federal Trade Commission] and relevant State Attorneys General, is expected within 30 days.” 

Should the privacy forum choose to take action, Raptor would become just the second-ever education technology company to be removed from the pledge. 

Texas-based Raptor Technologies, which counts roughly 40% of U.S. school districts as its customers, offers an extensive suite of software designed to improve campus safety, including a tool that screens visitors’ government-issued identification cards against sex offender registries, a management system that helps school leaders prepare for and respond to emergencies, and a threat assessment tool that allows educators to report if they notice “something a bit odd about a student’s behavior” that they believe could become a safety risk. This means, according to a Raptor guide, that the company collects data on kids who appear ‘unkempt or hungry,” withdrawn from friends, to engage in self-harm, have poor concentration or struggle academically. 
Rather than keeping students safe, however, cybersecurity researcher Jeremiah Fowler said the widespread data breach threatened to put them in harm’s way. And as cybersecurity experts express concerns about digital vulnerabilities among education technology providers, they’ve criticized the Student Privacy Pledge for lackluster enforcement in lieu of regulations and minimum security standards. 

Fowler, a cybersecurity researcher at vnpMentor and a self-described “data breach hunter,” has been tracking down online vulnerabilities for a decade. The Raptor leak is “probably the most diverse set of documents I’ve ever seen in one database,” he said, including information about campus surveillance cameras that didn’t work, teen drug use and the gathering points where students were instructed to meet in the event of a school shooting. 

vpnMentor notified Raptor of the security lapse in December and Fowler said the company was responsive and worked quickly to fix the problem. The breach wasn’t the result of a hack and there’s no evidence that the information has fallen into the hands of threat actors, though Fowler wasn’t the only researcher who stumbled onto the documents in the last several months. 

The situation could have grown far more dire without Fowler’s audit. 

“The real danger would be having the game plan of what to do when there is a situation,” like an active shooting, Fowler said in an interview with The 74. “It’s like playing in the Super Bowl and giving the other team all of your playbooks and then you’re like, ‘Hey, how did we lose?’”

David Rogers, Raptor’s chief marketing officer, said last week the company is conducting an investigation to determine the scope of the breached data to ensure “that any individuals whose personal information could have been affected are appropriately notified.” 

“Our security protocols are rigorously tested, and in light of recent events, we are committed to further enhancing our systems,” Rogers said in a statement. “We take this matter incredibly seriously and will remain vigilant, including by monitoring the web for any evidence that any data that has been in our possession is being misused.” 

‘Maybe this is a pattern’

Raptor is currently among more than 400 companies that signed the Student Privacy Pledge, a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children. 

Raptor and the other companies have vowed against selling students’ personally identifiable information or using it for targeted advertising, among other commitments. They also agreed to “maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality and integrity” of student’s personal information against unauthorized or unintended disclosure. Cybersafeguards, the pledge notes, should be “appropriate to the sensitivity of the information.” 

Raptor touts its pledge commitment on its website, where it notes the company takes “great care and responsibility to both support the effective use of student information and safeguard student privacy and information security.” The company claims on its website that it ensures “the highest levels of security and privacy of customer data,” including encryption “both at rest and in-transit,” meaning that data is scrambled into an unusable format without a password while it is being stored on servers and while it’s being moved between devices or networks. 

Its privacy policy, however, offers a more proscribed assurance, saying the company takes “reasonable” measures to protect sensitive data, but that it cannot guarantee that such information “will be protected against unauthorized access, loss, misuse or alterations.” 

Districts nationwide have spent tens of millions of dollars on Raptor’s software, according to GovSpend, a government procurement database. Recent customers include the school districts in Dallas, Texas, Broward County, Florida, and Rochester, New York. Under a state law in New York, education technology companies that collect student data are required to maintain a cybersecurity program that includes data encryption and controls to ensure that personally identifiable information doesn’t fall into the hands of unauthorized actors. 

Countering Raptor’s claims that data were encrypted, Fowler told The 74 the documents he accessed “were just straight-up PDFs, they didn’t have any password protections on them,” adding that the files could be found by simply entering their URLs into a web browser. 

Officials at the Rochester school district didn’t respond to requests for comment about whether they had been notified about the breach and its effects on their students or if they were aware that Raptor may not have been in compliance with state encryption requirements. 

Doug Levin, the national director of the nonprofit K12 Security Information eXchange, said the Raptor blunder is reminiscent of a 2022 data breach at the technology vendor Illuminate Education, which exposed the information of at least 3 million students nationwide, including 820,000 current and former New York City students. Levin noted that both companies claimed their data was encrypted at rest and in transit — “except maybe it wasn’t.” 

A decade after the privacy pledge was introduced, he said “it falls far short of offering the regulatory and legal protections students, families and educators deserve.”

“How can educators know if a company is taking security seriously?” Levin asked. Raptor “said all of the right things on their website about what they were doing and, yet again, it looks like a company wasn’t forthright. And so, maybe this is a pattern.” 

State data breach rules have long focused on personal information, like Social Security numbers, that could be used for identity theft and other financial crimes. But the consequences of data breaches like the one at Raptor, Fowler said, could be far more devastating — and could harm children for the rest of their lives. He noted the exposure of health records, which could violate federal privacy law, could be exploited for various forms of fraud. Discipline reports and other sensitive information, including about student sexual abuse victims, could be highly embarrassing or stigmatizing. 

Meanwhile, he said the exposure of confidential records about physical security infrastructure in schools, and district emergency response plans, could put kids in physical danger. 

Details about campus security infrastructure have been exploited by bad actors in the past. After Minneapolis Public Schools fell victim to a ransomware attack last February that led to a large-scale data breach, an investigation by The 74 uncovered reams of campus security records, including campus blueprints that revealed the locations of surveillance cameras, instructions on how to disarm a campus alarm system and maps that documented the routes that children are instructed to take during an emergency evacuation. The data can be tracked down with little more than a Google search. 

“I’ve got a 14-year-old daughter and when I’m seeing these school maps I’m like, ‘Oh my God, I can see where the safe room is, I can see where the keys are, I can see the direction they are going to travel from each classroom, where the meetup points are, where the police are going to be,” Fowler said of the Raptor breach. “That’s the part where I was like, ‘Oh my God, this literally is the blueprint for what happens in the event of a shooting.” 

‘Sweep it under the rug’

The Future of Privacy Forum’s initial response to the Raptor breach mirrors the nonprofit’s actions after the 2022 data breach at Illuminate Education, which was previously listed among the privacy pledge signatories and became the first-ever company to get stripped of the designation. 

The forum’s decision to remove Illuminate followed an article in The 74, where student privacy advocates criticized it for years of failures to enforce its pledge commitments — and accused it of being a tech company-funded effort to thwart government regulations. 

The pledge, which was created by the privacy forum in partnership with the Software and Information Industry Association, a technology trade group, was created in 2014, just one week after California lawmakers passed rules placing restrictions on the ways ed tech companies could use the data they collect about K-12 students. 

Along with stripping Illuminate of its pledge signatory designation, the forum referred it to the Federal Trade Commission, which the nonprofit maintains can hold companies accountable to their commitments via consumer protection rules that prohibit unfair and deceptive business practices. The company was also referred to the state attorneys general in New York and California to “consider further appropriate action.” It’s unclear if regulators took any actions against Illuminate. The FTC and the California attorney general’s office didn’t respond to requests for comment. The New York attorney general’s office is reviewing the Illuminate breach, a spokesperson said. 

“Publicly available information appears to confirm that Illuminate Education did not encrypt all student information” in violation of several Pledge provisions, Forum CEO Jules Polonetsky told The 74 at the time. Among them is a commitment to “maintain a comprehensive security program” that protects students’ sensitive information” and to “comply with applicable laws,” including New York’s  “explicit data encryption requirement.” 

After the breach and before it was removed from the pledge, the Software and Information Industry Association recognized Illuminate with the sector’s equivalent of an Oscar. 

Raptor isn’t the only pledge signatory to fall victim to a recent data breach. In December, a cybersecurity researcher disclosed a security vulnerability at Education Logistics, commonly known as EduLog, which offers a GPS tracking system to give parents real-time information about the location of their children’s school buses. A statement the forum provided The 74 didn’t mention whether it had opened an inquiry into whether EduLog had failed to comply with the pledge commitments. 

Despite the forum’s actions against Illuminate Education, and its new inquiry into Raptor, the pledge continues to face criticism for having little utility, including from Fowler, who likened it to “virtue signaling” that can be quickly brushed aside. 

“Pledges are just that, they’re like, ‘Hey, that sounds good, we’ll agree to it until it no longer fits our business model,” he said. “A pledge is just like, “whoops, our bad,” a little bit of bad press and you just sweep it under the rug and move on.” 

Chad Marlow, a senior policy counsel at the American Civil Liberties Union focused on privacy and surveillance issues, offered a similar perspective. Given the persistent threat of data breaches and a growing number of cyberattacks on the K-12 sector, Marlow said that schools should take a hard look at the amount of data that they and their vendors collect about students in the first place. He said Raptor’s early intervention system, which seeks to identify children who pose a potential threat to themselves or others, is an unproven surveillance system that could become a vector for student discrimination in the name of keeping them safe. 

Although he said he has “a great deal of admiration” for the privacy forum and the privacy pledge goals, it falls short on accountability when compared to regulations that mandate compliance.

“Sometimes pledges like this, which are designed to make a little bit of progress, actually do the opposite because it allows companies to point to these pledges and say, ‘Look, we are committed to doing better,’ when in fact, they’re using the pledge to avoid being told to do better,” he said. “That’s what we need, not people saying, ‘On scout’s honor I’ll do X.’”  

Disclosure: The Bill & Melinda Gates Foundation and the Chan Zuckerberg Initiative provide financial support to the Future of Privacy Forum and The 74.

The Senate Judiciary Committee hearing in Washington, D.C., was the latest act in a bipartisan effort to bolster federal regulations on social media platforms like Instagram and TikTok amid a growing chorus of parents and adolescent mental health experts warning the services have harmed youth well-being and, in some cases, pushed them to suicide. 

In an unprecedented moment, Meta founder and CEO Mark Zuckerberg, at the urging of Missouri Republican Sen. Josh Hawley, stood up and turned around to face the audience, apologizing to the parents in attendance who said their children were damaged — and in some cases, died — because of his company’s algorithms. 

“I’m sorry for everything you’ve all gone through,” said Zuckerberg, whose company owns Facebook and Instagram. “It’s terrible. No one should have to go through the things that your families have suffered.”

Senators argued the companies — and tech executives themselves — should be held legally responsible for instances of abuse and exploitation under tougher regulations that would limit children’s access to social media platforms and restrict their exposure to harmful content.

“Your platforms really suck at policing themselves,” Sen. Sheldon Whitehouse, a Rhode Island Democrat, told Zuckerberg and the CEOs of X, TikTok, Discord and Snap, who were summoned to testify. Section 230 of the Communications Decency Act, which allows social media platforms to moderate content as they see fit and generally provides immunity from liability for user-generated posts, has routinely shielded tech companies from accountability. As youth harms persist, he said those legal protections are “a very significant part of that problem.” 

Whitehouse pointed to a lawsuit against X, formerly Twitter, that was filed by two men who claimed a sex trafficker manipulated them into sharing sexually explicit videos of themselves over Snapchat when they were just 13 years old. Links to the videos appeared on Twitter years later, but the company allegedly refused to take action until after they were contacted by a Department of Homeland Security agent and the posts had generated more than 160,000 views. The lawsuit was dismissed in May by the Ninth Circuit, which cited Section 230. 

“That’s a pretty foul set of facts,” Whitehouse said. “There is nothing about that set of facts that tells me Section 230 performed any public service in that regard.”

In an opening statement, Democratic committee chair, Sen. Dick Durbin of Illinois, offered a chilling description of the harms inflicted on young people by each of the social media platforms represented at the hearing. In addition to Zuckerberg, executives who testified were X CEO Linda Yaccarino, TikTok CEO Shou Chew, Snap co-founder and CEO Evan Spiegel and Discord CEO Jason Citron.

“Discord has been used to groom, abduct and abuse children,” Durbin said. “Meta’s Instagram helped connect and promote a network of pedophiles. Snapchat’s disappearing messages have been co-opted by criminals who financially extort young victims. TikTok has become a, quote, ‘platform of choice’ for predators to access, engage and groom children for abuse. And the prevalance of [child sexual abuse material] on X has grown as the company has gutted its trust and safety workforce.” 

Citron testified that Discord has “a zero tolerance policy” for content that features sexual exploitation and that it uses filters to scan and block such materials from its service. 

“Just like all technology and tools, there are people who exploit and abuse our platforms for immoral and illegal purposes,” Citron said. “All of us here on the panel today, and throughout the tech industry, have a solemn and urgent responsibility to ensure that everyone who uses our platforms is protected from these criminals both online and off.” 

Lawmakers have introduced a slate of regulatory bills that have gained bipartisan traction but have failed to become law. Among them is the Kids Online Safety Act, which would require social media companies and other online services to take “reasonable measures” to protect children from cyberbullying, sexual exploitation and materials that promote self-harm. It would also mandate strict privacy settings when teens use the online services. Other proposals would compel social media companies to report suspected drug activity to the police — some parents said their children overdosed and died after buying drugs on the platforms — and a bill that would hold them accountable for hosting child sexual abuse materials. 

In their testimonies, each of the tech executives said they have taken steps to protect children who use their services, including features that restrict certain types of content, limit screen time and curtail the people they’re allowed to communicate with. But they also sought to distance their services from harms in a bid to stave off regulations. 

“With so much of our lives spent on mobile devices and social media, it’s important to look into the effects on teen mental health and well-being,” Zuckerberg said. “I take this very seriously. Mental health is a complex issue, and the existing body of scientific work has not shown a causal link between using social media and young people having worse mental health outcomes.” 

Zuckerberg pointed to a recent analysis by the National Academies of Sciences, Engineering and Medicine, which concluded there is a lack of evidence to confirm that social media causes changes in adolescent well-being at the population level and that the services could carry both benefits and harms for young people. While social media websites can expose children to online harassment and fringe ideas, researchers noted, the services can be used by young people to foster community. 

In October, 42 state attorneys general filed a lawsuit against Meta, alleging that the social media giant knowingly and purposely designed tools to addict children to its services. U.S. Surgeon General Vivek Murthy issued an advisory last year warning that social media sites pose a “profound risk of harm” to youth mental health, stating that the tools should come with warning labels. Among evidence of the harms is leaked internal research from Meta which found that Instagram led to body-image issues among teenage girls and that many of its young users blamed the platform for increases in anxiety and depression. 

Republican lawmakers devoted a significant amount of time during the hearing to criticizing TikTok for its ties to the Chinese government, calling out the app for collecting data about U.S. citizens, including in an effort to surveil American journalists. The Justice Department is reportedly investigating allegations that ByteDance, the Chinese company that owns TikTok, used the app to surveil several American journalists who report on the tech industry. 

In response, Chew said the company launched an initiative — dubbed “Project Texas” — to prevent its Chinese employees from accessing personal data about U.S. citizens. But employees claim the company has struggled to live up to its promises. 

YouTube and TikTok are by far the platforms where teens spend the most hours per day, according to a 2023 Gallup survey although Neal Mohan, the CEO of Google-owned YouTube, was not called in to testify.

Mainstream social media platforms have also been exploited for domestic online extremism. Earlier this month, for example, a teenager accused of carrying out a mass shooting at his Iowa high school reportedly maintained an active presence on Discord and, shortly before the rampage, commented in a channel dedicated to such attacks that he was “gearing up” for the mayhem. Just minutes before the shooting, the suspect appeared to capture a video inside a school bathroom and uploaded it to TikTok. 

Josh Golin, the executive director of Fairplay, a nonprofit devoted to bolstering online child protections, blasted the tech executives’ testimony for being little more than “evasions and deflections.” 

“If Congress really cares about the families who packed the hearing today holding pictures of their children lost to social media harms, they will move the Kids Online Safety Act,” Golin said in a statement. “Pointed questions and sound bites won’t save lives, but KOSA will.” 

The safety act, known as KOSA, has faced pushback from civil rights advocates on First Amendment grounds, arguing the proposal could be used to censor certain content and violate the privacy of all internet users. Sen. Marsha Blackburn, a Republican from Tennessee and KOSA co-author, said last fall the rules are important to protect “minor children from the transgender in this culture” and cited the legislation as a way to shield children from “being indoctrinated” online. The Heritage Foundation, a conservative think tank, endorsed the legislation, stating on X that “keeping trans content away from children is protecting kids.” 

Snap’s Evan Spiegel and X’s Linda Yaccarino both agreed to support the Kids Online Safety Act.

Aliya Bhatia, a policy analyst with the nonprofit Center for Democracy and Technology, said that although lawmakers made clear their intention to act, their directives could end up doing more harm than good. She said the platforms serve as “peer-to-peer learning and community networks” where young people can access information about reproductive health and other important topics that they might not feel comfortable receiving from adults in their lives. 

“It’s clear that this is a really tricky issue, it’s really difficult for the government and companies to decide what is harmful for young people,” Bhatia said. “What one young person finds helpful online, another might find harmful.”

South Carolina’s Sen. Lindsey Graham, the committee’s ranking Republican, said that social media companies can’t be trusted to keep kids safe online and that lawmakers have run out of patience.

“If you’re waiting on these guys to solve the problem,” he said, “we’re going to die waiting.” 

It wasn’t until after 7 p.m. that evening when the boys, 5-year-old William and 8-year-old Joseph, arrived on a school bus unharmed.Their delayed return was the result of what officials at Kentucky’s Jefferson County Public Schools dubbed a “transportation disaster”: A tech-enabled bus routing system implemented to improve efficiency backfired and some kids didn’t make it home until nearly 10 p.m. 

“I was wondering, ‘Is my son safe?’ ” Bramel told The 74. “Are they safe? Are they OK? Did anything happen?”

Months later, Bramel is once again upset and concerned that his kids had been left vulnerable. Again, technology is the culprit. After the bus delay fiasco, school officials in Louisville signed up for a GPS tracking system offered by the Montana-based company Education Logistics, commonly known as Edulog. Through an app, the system gives parents real-time information about the location of their children’s school buses. 

The service offers parents valuable updates about bus arrivals and departures and tools like it have been embraced by families and heralded by school officials across the country, especially when there are busing snafus. Bramel said he now regularly relies on the Edulog service. Yet in Louisville and at districts nationwide, cybersecurity researchers found, vulnerabilities could have left sensitive data open to exploitation by bad actors. 

James Sebree, a senior staff research engineer at Maryland-based cybersecurity company Tenable, said his inquiry into Edulog’s Parent Portal began after a friend voiced security concerns as it was being rolled out at his child’s school. What he found was alarming. Because the Edulog apps lacked sufficient authentication and access controls, anybody could access a large swath of sensitive information about students and families with little more than a free account. Among the exposed records were the real-time location of school buses, pick-up and drop-off times, information about scheduled delays, logs of students who were assigned to specific routes and their parents’ contact information. 

“It was startling to see the extent to which we were able to access information by bypassing the client-side restrictions, particularly when that information involved minors,” Sebree said in an email to The 74. Sebree said his firm isn’t aware of any instances where the data was actually exploited by bad actors and that Edulog worked quickly to patch the vulnerabilities once Tenable alerted them to the issues in early September. But the bug while it existed, he said, was relatively easy to exploit. 

“GPS data in conjunction with parental contact information, if compromised,” he said, “ could lead to scary situations for parents and students.”

School districts nationwide have increasingly turned to GPS tracking systems to help keep parents in the loop about arrival and departure times, particularly amid a national school bus driver shortage that’s led to chaos in many places and education leaders having to rethink their transportation logistics. 

In Louisville, the school bus woes forced leaders to cancel classes for several days right at the beginning of the new academic year. Last March, Chicago Public Schools approved a $4 million contract with Edulog to address widespread transportation hurdles of its own, including canceled routes and unreliable service. In some instances, the district has called on taxis and paid $500 transportation stipends to parents to get kids to and from school. 

As school districts increasingly turn to thousands of third-party education technology vendors to streamline instruction and across all parts of their operations, the Edulog vulnerability highlights how such arrangements can introduce new privacy and security risks, especially when for-profit companies collect sensitive information like real-time location data involving students. 

Edulog claims more than 6 million students are transported on school buses equipped with its software. Recent customers include the school districts in Wichita, Kansas, Newport News, Virginia, and Greenwich, Connecticut, according to data from GovSpend, which tracks government procurement. 

In a Dec. 14 blog post on the Edulog website, the company acknowledged that it had been notified of “a potential vulnerability” and that they had “researched the issue and resolved it in the next build of the product.” Yet the company is not contractually obligated to notify their customer districts or parents that the weakness was uncovered, Lam Nguyen-Bull, Edulog’s chief experience officer and general counsel, told The 74 in an interview. At the same time, she recognized the student safety risks involved in the potential breach of real-time GPS data is “certainly a concern.” 

“That’s something that districts have to weigh, as it is any time you get into a service like this: What are you willing to risk and is it worth the cost?” she said. “You can take as many cautions as possible, but a creative and dedicated person will always be able to find a vulnerability.” 

Mark Hebert, the Jefferson County Public Schools spokesperson, said in an email the Louisville district relies on Edulog’s “Lite” version, which offers parents bus location information “but little else.” 

Yet for Bramel, news that the bus tracker that he found so handy carried privacy risks brought newfound anxiety. Bramel said that he had heard rumors about a Edulog security lapse but hadn’t received formal outreach from the district, leaving him to wonder about the types of information that could have been exposed. 

He said school transportation in Louisville remains so erratic that he’s considered moving out of the district boundaries altogether. Allowing anyone access to real-time school bus information, he said, could have been catastrophic. 

“That’s infuriating because that puts my child at risk, that’s their life in danger,” he said. “A perpetrator could be meeting up or something like that. Human trafficking is still going on.” 

The privacy implications of bus trackers

Edulog’s Nguyen-Bull noted that privacy issues have been present ever since GPS services were first introduced to consumers in the late 1980s. Such implications are perhaps amplified in the context of students and schools, but ultimately, she said, they take a back seat for most people.

“The truth is, we generally are lazy beings, right?” Nguyen-Bull said. “We go for convenience.” 

Edulog has been providing school districts with bus routing services since 1977, but Nguyen-Bull said it was consumers who ultimately began to push for real-time GPS tracking about a decade ago. 

Numerous companies now offer such services for school buses, including in big urban districts like New York City, which just launched its long-awaited tracker last week; Dallas and Los Angeles. The services, however, haven’t always lived up to the expectations of parents or school bus drivers, with both reporting accuracy concerns. The power of real-time information has also introduced new safety risks, Nguyen-Bull said. If the app says a bus is expected to arrive five minutes late, she said that “personal optimizers” will use that information to delay their trek to the bus stop. 

“That creates problems where kids are rushing across streets or they’re not being careful in how they approach the bus,” she said, adding that the issue is compounded in instances when the GPS information is inaccurate. “We’ve become so reliant on our phones that we don’t actually look up and see what the reality is.” 

Meanwhile, over the last year the federal government has placed a heightened emphasis on cybersecurity risks introduced to the education sector through third-party technology vendors like Edulog. In September, the federal Cybersecurity and Infrastructure Security Agency called on education technology vendors to sign a voluntary pledge and commit to building products with robust security protections. Companies that sign the pledge agree to “radical transparency” and to “take ownership of customer security outcomes.” 

In a December blog post, the federal cybersecurity agency noted that school districts should not be required to “bear the cybersecurity burden alone,” and advocated for shifting many responsibilities to vendors. 

“Cybersecurity issues facing K-12 could be much more effectively and cheaply dealt with earlier in the supply chain, by focusing on a relatively smaller number of linchpin companies serving very large numbers of students and educators instead of school district by school district, school by school,” the post noted. 

But Nguyen-Bull said her company was uninterested in signing the pledge, calling it meaningless without any clear cybersecurity standards. Yet she also balked at the idea of regulations that would set specific cybersecurity requirements. 

“We’re not just going to sign random pledges that ask for slightly different things if we don’t know if we can track those things,” she said. “As a small family-run business, we don’t have five compliance people tracking all of the different pledges and ensuring that we check all of the boxes.”

Sebree, of the cybersecurity firm Tenable, said that transparency about security lapses is key, telling The 74 in an email that vendors “have an ethical responsibility” to inform customers in a timely manner so they can make knowledgeable decisions. 

“Notifying their customers that a vulnerability had been discovered and fixed, even if no evidence of a breach was found, would have been the most transparent action here,” he said. “Customers deserve to know when their data has been at risk so they can make decisions in the future with all of the information in hand.” 

Louisville father Bramel said that he and other parents should also have been notified — either by the district or the company itself — about the extent that information had been exposed to preserve trust.

“When you’ve got to rely on this system to cover your kids and they can’t have open communication, what other issues are going on besides that issue?” Bramel asked. “I’m honestly shocked there aren’t lawsuits and stuff like that happening right now … because this is completely uncalled for.”

Nearly 44% of public K-12 schools were staffed with school resource officers at least once a week during the 2021-22 school year, according to a national survey released Wednesday by the Education Department’s National Center for Education Statistics. Between Floyd’s murder in May 2020 and June 2022, more than 50 school districts nationwide ended their school resource officer programs or cut their budgets following widespread Black Lives Matter protests and concerns that campus policing has detrimental effects on students — and Black youth in particular. 

The data reflect an 11% decrease in school policing from the 2019-20 school year, when more than 49% of schools had a regular police presence, according to the nationally representative federal survey. That year, schools underwent an increase in campus policing after the 2018 mass school shootings in Parkland, Florida, and Santa Fe, Texas, prompted a surge in new security funding and mandates, a pattern that could repeat itself when future federal numbers capture the nation’s reaction to the 2022 school shooting in Uvalde, Texas.

“This is the George Floyd effect,” said criminal justice researcher Shawn Bushway, who pulled up a calculator during a telephone interview with The 74 and crunched the federal survey data against a tally of districts that removed cops from their buildings, which collectively served more than 1.7 million students. 

“It’s not seismic, but I think what’s most interesting about it is that it’s the reversal of a trend in a fairly dramatic way,” said Bushway, a University at Albany in New York professor. “It’s been going up quite a bit and now it’s dropped.”

The new federal data were published the same week as Thursday’s release of a damning U.S. Department of Justice report that cited “critical failures” by police during the May 2022 mass shooting at Uvalde’s Robb Elementary School in which 19 students and two teachers were killed. During the shooting, 376 law enforcement officers responded to the scene but waited more than an hour to confront the 18-year-old shooter, a botched reaction that disregarded established police protocols and, investigators said, cost lives.

“Had law enforcement agencies followed generally accepted practices in an active shooter situation and gone right after the shooter to stop him, lives would have been saved and people would have survived,” U.S. Attorney General Merrick Garland said at a Thursday afternoon press conference in Uvalde.

“Their loved ones deserved better,” he said. 

Chris Chapman, the associate commissioner of the National Center for Education Statistics, said on a press call Tuesday that the survey data didn’t make clear a definitive reason for the decline in school-based officers. Experts said that several other factors, including campus closures during the pandemic, budget constraints and a national police officer shortage, may have also contributed. 

Either way, the downward trend may be short-lived. 

Multiple districts that cut their school resource officer programs after Floyd’s murder, including those in Denver, Colorado, and Arlington, Virginia, reversed course after educators reported an uptick in classroom disorder after COVID-era remote learning. Mass school shootings have long driven efforts to bolster campus policing, a reality that has played out in the last several years as the nation experienced an unprecedented number of such attacks. 

Despite officers’ grievously mishandled response in Uvalde, the shooting led to renewed efforts in Texas and elsewhere to strengthen police presence in schools. A similar situation played out after the mass shooting at Parkland’s Marjory Stoneman Douglas High School. Federal data show national growth in campus policing even after the school resource officer assigned to the Broward County campus failed to confront the gunman, who killed 17 people. 

The now-former officer, Scot Peterson, was acquitted of criminal negligence and perjury charges but faces a new trial in a civil lawsuit by shooting victims’ families, who allege his failure to intervene during the six-minute attack displayed a “wanton and willful disregard” for students’ and teachers’ safety. Qualified immunity generally protects officers from liability for mistakes made on the job. 

After Parkland, a new Florida law required an armed security presence on every K-12 campus. The Uvalde shooting led to similar mandates in Texas and Kentucky. In both states, a police officer labor shortage, which experts said may have contributed to the 2021-22 decline in schools, has hindered officials’ efforts to comply. In Kentucky, more than 40% of schools lack school resource officers, a reality that school officials have blamed on a lack of funding and a depleted applicant pool. 

“It wouldn’t surprise me if, when that data comes back out, we see that spike go back up,” said Mo Canady, executive director of the National Association of School Resource Officers, which offers a training program for campus cops. “It’s not the way I want to gain business, but some of the busiest years we’ve had training wise are 18 months after a school massacre. I can tell you that 2019 was the biggest year in our association’s history by far — and that’s coming right off the Marjory Stoneman Douglas massacre.”

Advocates for police-free schools recognize the headwinds they face. Tyler Whittenberg, the deputy director of the Advancement Project’s Opportunity to Learn initiative, said that while advocates “are proud of the victories that were won” after George Floyd’s murder, educators who removed police from schools “are fighting really hard to hold onto those gains,” some of which face state efforts to place police in districts that don’t want them. 

“We’re not really rushing to a conclusion that this represents an overall reduction in police in schools, especially because for many of our partners on the ground this is not their day-to-day experience,” he said. “They’re having to fight back — especially at the state level — against efforts to increase the number of police in their schools.” 

Safety threats on the decline

In the 1970s, just 1% of schools were staffed by police. Decades of efforts since then to swell their ranks have coincided with a marked improvement in campus safety. 

During the 2021-22 school year, 67% of schools reported at least one violent crime on campus, totaling some 857,500 violent incidents. Federal data show the nation’s schools experienced a violent crime rate of 18 incidents per 1,000 students in 2021-22. That’s a steep decline from 1999-00, when schools recorded a violent crime rate of 32 incidents per 1,000, and 2009-10, when the violent crime rate was 25 per 1,000. 

Police officers’ contributions to making schools safer over the past two decades, however, remain the subject of ongoing research and heated debate. In a study last year, which was published in the peer-reviewed Journal of Policy Analysis and Management, Bushway and his colleagues found that placing school resource officers on campuses led to a marginal decline in some forms of school violence. And although researchers were unable to analyze officers’ effects on mass school shootings because such tragedies are statistically rare, they were associated with an uptick in reported firearm offenses — suggesting an increased detection of guns. The officers were also associated with a stark uptick in student disciplinary actions, including suspensions and arrests, particularly among Black students and those with disabilities. 

“There’s a cost-benefit here and everybody’s calculus on how you weigh these different things is going to be different,” Bushway said. “There’s no pure answer to that question, different people are going to answer that question differently.”

Previous research suggests that suspensions do not lead to improved student behaviors or improve school safety, but have detrimental effects on punished students’ academic performance, attendance and behavior. Their effects on non-misbehaving students remain unclear. 

Other researchers have reached a much more critical conclusion about the effects of school-based police on students. In a meta-analysis published in November on the existing literature into school officers’ efficacy, researchers failed to identify evidence that school-based law enforcement promoted safety in schools but reinforced concerns that their presence “criminalizes students and schools.” 

“I think the evidence is increasingly supporting the notion that police don’t belong in schools,” report author Ben Fisher, an associate professor of civil society and community studies at the University of Wisconsin-Madison, told The 74. Removing officers who have been there for years, he said, may cause problems of its own. “If we’re going to get police out of schools, which I think is the right long-term vision and short-term vision, I think we need to do it thoughtfully with plans in place to make schools welcoming and supportive.” 

The federal survey, which was conducted between Feb. 15 and July 19, 2022, also found large geographical differences in the types of tools that school-based police use on the job. Across the board, officers in urban areas were less likely than their rural and suburban counterparts to carry guns and pepper spray or to be equipped with body-worn cameras. 

Beyond data on campus policing, the new federal survey offers a comprehensive look at the state of campus safety and security, reflecting school leaders’ responses to the pandemic and record numbers of mass school shootings. Other findings include: 

• In 2021-22, about 49% of schools provided diagnostic mental health assessments to evaluate students for mental health disorders. This is a decline from 2019-20, when 55% conducted assessments. Meanwhile, 38% provided students with treatments for mental health disorders in 2021-22, down from 42% in 2019-20. 

• Restorative justice, a conflict resolution technique, was used in 59% of schools in 2021-22, which was similar to 2019-20 but an increase from the 42% that used the approach in 2017-18. 

• The latest data indicate a decline in campus drug and alcohol incidents. In 2021-22, 71% of schools reported at least one incident involving the distribution, possession or use of illegal drugs, down from 77% in 2019-20. Meanwhile, 34% reported at least one alcohol-related incident in 2021-22, down from 41% in 2019-20. 

Amid reports of heightened antisemitism and Islamophobia in schools and colleges since the start of the Israel-Hamas war, a senior Education Department official said the agency has received a “huge, huge influx” of civil rights complaints that have led to a surge in federal investigations. 

Since the Oct. 7 attack by Hamas terrorists on Israel and the subsequent bombing and invasion of Gaza by the Israeli military, the Education Department’s Office for Civil Rights has opened 29 investigations into schools’ and colleges’ responses to complaints of discrimination based on shared ancestry, which includes antisemitism and Islamophobia. 

Of the new investigations, the senior official told The 74, 19 are in response to conduct that unfolded in schools in the last two months alone. Of the incidents since Oct. 7 that are now under investigation, 17 took place on college campuses. 

Last fiscal year, by contrast, the office opened 28 shared ancestry investigations over the entire 12-month period. The year before, there were just 15. Such inquiries seek to determine whether schools adequately respond to incidents that create hostile learning environments in violation of Title VI of the Civil Rights Act, which prohibits discrimination based on race, ethnicity or national origin. 

“We are deeply concerned about the incidents that we’ve seen reported in schools all over the country, and about the safety of students, and the protection of non-discrimination rights for students in P-12 schools as well as in institutions of higher education,” Catherine Lhamon, the department’s assistant secretary for civil rights, said in an interview Wednesday with The 74. “We’re very, very concerned about what we’re seeing in schools.”

Though officials declined to comment on the specifics of active federal investigations, a spike in reported antisemitic and Islamophobic incidents in and outside of schools have convulsed the nation and elevated student safety concerns. 

Near Louisiana’s Tulane University, a clash between pro-Palestinian and pro-Israel protesters turned violent and police are investigating a hit-and-run at Stanford University as a potential hate crime targeting an Arab Muslim student. At Rutgers University, officials suspended its “Students for Justice in Palestine” chapter following claims the group disrupted classes and vandalized campus. At Harvard University, a rabbi said he was instructed by administrators to hide the campus menorah each night of Hanukkah due to vandalism fears. In California, a college professor was charged with involuntary manslaughter and battery after an alleged physical altercation broke out at a demonstration that led to the death of a Jewish protester. 

Outside of schools, police said a 6-year-old Chicago boy was stabbed to death and his mother seriously injured by their landlord in an alleged anti-Muslim attack, and in Burlington, Vermont, three college students of Palestinian descent were shot while walking down a sidewalk over Thanksgiving weekend. 

The escalating confrontations have embroiled school leaders, who have been criticized for failing to clamp down on hate speech and discrimination. Just days after a tense Dec. 5 House committee hearing in Washington about rising antisemitism on college campuses, Elizabeth Magill resigned as University of Pennsylvania president. She and the presidents of Harvard University and the Massachusetts Institute of Technology were accused of being equivocating and evasive after giving carefully worded replies to repeated questions about whether calling for the “genocide of Jews” violated their schools’ code of conduct. Magill responded that it’s “a context-dependent decision,” underscoring school leaders’ obligations to ensure safe learning environments while protecting people’s free speech rights. 

Harvard University President Claudine Gay announced her resignation Tuesday after facing similar scrutiny for her testimony at the congressional hearing and unrelated plagiarism allegations.

Of the 29 active federal Title VI investigations opened since Oct. 7, just eight are focused on incidents in K-12 schools — including at three of the nation’s 10 largest districts. Among them are the New York City Department of Education, the Clark County School District in Las Vegas, Hillsborough County Schools in Tampa, Florida, and the Cobb County School District in suburban Atlanta.

Though the circumstances prompting the investigations remain unknown, many of the institutions included on the Education Department’s list of active investigations have experienced high-profile incidents involving discrimination. 

In New York City, a raucous, pro-Palestinian protest broke out at a Queens high school and prompted a lockdown after a teacher posted a picture of herself at a pro-Israel rally on social media. Also turning to social media, one student said the teacher “is going to be executed in the town square,” and another promoted “a riot” against her. 

In suburban Atlanta, the Cobb County School District sparked controversy following the Hamas attack when it sent an email to the school community that warned of an “international threat,” noting that “while there is no reason to believe this threat has anything to do with our schools, parents can expect both law enforcement and school staff to take every step to keep your children safe.” Because of the message, several Muslim parents said their children had become the targets of Islamophobic bullying. 

In a January fact sheet, the civil rights office highlighted hypothetical instances that put school districts at odds with their Title VI obligations. Among them: A Jewish student is targeted by his peers with swastikas and Nazi salutes but his teacher tells him to “just ignore it” without taking steps to address the harassment. Another example involves school officials failing to remedy a Muslim student’s complaints that she was called a “terrorist” and told “you started 9/11.”

Even before the most recent conflict between Hamas and Israel, law enforcement agencies across the U.S. have reported an uptick in hate crimes over the last several years, including on campuses. 

Reported hate crimes surged 7% between 2021 and 2022, according to federal data released by the Federal Bureau of Investigation in October, including a 36% increase in anti-Jewish incidents — which accounted for more than half of incidents based on religion. Among all reported hate crimes, 10% occurred at K-12 schools and colleges.

The Education Department last month released its most recent Civil Rights Data Collection, the first since the pandemic. Students reported 42,500 harassment allegations during the 2020-21 school year, including bullying on the basis of sex, race, sexual orientation, disability and religion. Of those, 29% involved harassment or bullying on the basis of race while only a sliver — 3% — involved students saying they were targeted because of their religion. 

The current climate has put Jewish college students on edge, according to a recent survey by the Anti-Defamation League, a nonprofit focused on eradicating antisemitism. Since the beginning of the academic year, 73% of Jewish college students said they’ve been witness to antisemitism. Prior to this school year, 70% reported experiencing antisemitism throughout their entire college experience. Yet just 30% of Jewish college students said their college administration has taken sufficient steps to address anti-Jewish prejudice. 

During a televised interview on MSNBC Friday, Jonathan Greenblatt, the national director and CEO of the Anti-Defamation League, said he thought conditions would improve on college campuses for Jewish students because the Title VI investigations now being launched by the Education Department would force college administrators to take action. 

Muslim Americans of all ages have similarly reported an uptick in hateful rhetoric. In a two-week period between Oct. 7 and Oct. 24, reports of bias incidents and requests for help at the Council on American-Islamic Relations surged 182% from the average 16-day period in 2022. 

As lawmakers call on school leaders to take a stronger stance against hate speech, they’ve faced pushback from free speech advocates. Earlier this month, New York Gov. Kathy Hochul warned university presidents of “aggressive enforcement action” if they failed to discipline students “calling for the genocide of any group of people.” In a statement, the Foundation for Individual Rights in Education, a right-leaning nonprofit focused on students’ free speech rights, said Hochul’s admonition “cannot be squared with the First Amendment.”  

“Colleges and universities can and should punish ‘calls for genocide’ when such speech falls into one of the narrowly defined categories of unprotected speech, including true threats, incitement and discriminatory harassment,” the group said in the statement. “But broad, vague bans on ‘calls for genocide,’ absent more, would result in the censorship of protected expression.”

The senior Education Department official said that schools must “navigate carefully” their obligations under Title VI and the First Amendment. Even if a student’s speech is protected, the official said, school leaders still have an obligation to uphold all students’ nondiscrimination rights.

“What concerns me is when a school community throws up its hands and says, ‘This speech is protected and so there’s nothing more for us here,’” said Lhamon, the assistant secretary for civil rights. “That may be true, but that’s only true where a hostile environment isn’t created that the school needs to respond to.”

It was early August when teacher Heather Vidrine first heard about a cyberattack on her former school district in St. Landry Parish, but she didn’t think much about it — even after her Facebook got hacked. 

Now, she’s left to wonder whether the two are connected. 

Her Social Security number and other personal information were stolen in a ransomware attack against her former employer, the St. Landry Parish School Board, an investigation by The 74 and The Acadiana Advocate revealed. The reporting included a data analysis by The 74 of some 211,000 files that a cybercrime syndicate leaked online in August after the district refused to pay a $1 million ransom. 

The 12,000-student district some 63 miles west of Baton Rouge told the public in August that its hacked computer servers did not contain any sensitive employee or student information, but the stolen files analysis tells a different story. 

Four months after the attack, the joint investigation revealed that Vidrine was among thousands of students, teachers and business owners who had their personal information exposed online. More than a dozen victims said they were similarly unaware those details were readily available, leaving them vulnerable to identity theft.

The number of cyberattacks on K-12 school districts and breaches of their sensitive student and employee data have reached critical levels — enough to prompt the Biden White House to convene an August summit on how to tackle the threat — and in multiple instances, districts have been accused of withholding information from the public.

“They want to brush everything under the rug,” said Vidrine, who worked for St. Landry schools for eight years before leaving in 2021. “The districts don’t want bad publicity.”

Among the district’s breached documents are thousands of health insurance records with the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records including home addresses and special education status.

A failure to notify families and educators such personal information was leaked, experts said, could run afoul of Louisiana’s data breach notification rules.

Louisiana law mandates that schools and other entities notify affected individuals “without unreasonable delay,” and no later than 60 days after a breach is discovered. 

Breached entities that fail to alert the state attorney general’s office within 10 days of notifying affected individuals can face fines up to $5,000 for every day past the 60-day mark. 

The St. Landry district discovered the cyberattack in late July and reported it to state police and the media within days. District administrators dispute that the hack led to a breach of sensitive information, but also acknowledged last week they haven’t taken steps to understand the scope of what was stolen or to notify individual victims. 

In some circumstances, entities can delay their notice to victims if doing so could compromise the integrity of a police investigation, and law enforcement sources confirmed an active criminal probe. Under Louisiana law, the state attorney general’s office must approve such disclosure delays. 

Reporters filed a public records request with the state attorney general’s office Oct. 23 asking for any breach notices from the St. Landry district. The office responded Nov. 2 that the request did not yield any results, indicating such a disclosure was never made. The office didn’t respond to further questions about whether it was looking into St. Landry’s apparent failure to file a breach notice or if the district had requested an extension on its notification obligations based on the ongoing state police investigation.

As time drags on, breach victims remain unprotected and unaware of their heightened risk of identity theft. James Lee, the chief operating officer of California-based Identity Theft Resource Center said a four-month delay is “a long time to not notify somebody of that level of sensitive information.”

“Because the school district hasn’t issued a notice, then it’s hard to know exactly what happened and why,” Lee said. “That’s important because that also leads you to, ‘Well, what does the individual need to do to protect themselves now that their information has been exposed?’”

‘Double extortion’

Ransomware attacks have become a growing threat to U.S. schools and breaches in some of the largest districts have attracted scrutiny. But experts said that small- and mid-sized districts are even more vulnerable to attacks and leaders there face political pressures that could lead them to downplay their far-reaching consequences. 

The first indication of a problem with St. Landry’s computer network came in late July, when an employee in the district’s central office reported spyware on their device, Superintendent Milton Batiste III said in August following the attack.

The ransomware group Medusa, believed by cybersecurity experts to be Russian, has taken credit for the St. Landry Parish leak. The syndicate has leveled multiple school district attacks, including a massive breach in Minneapolis earlier this year.

A district spokesperson confirmed last week that it refused to pay the ransom, in line with what federal law enforcement advises. By mid-August, the trove of stolen files was publicized on a website designed to resemble a technology news blog — a front of sorts — and became available for download on Telegram, an encrypted social media platform that’s been used by terror groups and extremists. 

The threat actors appeared to employ a tactic that’s grown in popularity in recent years called “double extortion.” Hackers gain access to a victim’s computer networks, often through phishing emails, download compromising records and lock them with encryption keys. Criminals then demand the victim pay a ransom to regain access. When victims fail or refuse to pay, the files are published online for anyone to exploit. 

Current and former students were affected by the attack, though the number of exposed records that contain personal information about young people is far narrower than those of current and former district staff. 

One St. Landry mother, who is also a district employee, was outraged when she learned that her son’s information was leaked — especially because he hasn’t attended a district public school for two years. The woman, who asked not to be identified for fears she could lose her job, was livid that the district had claimed employee and student records had been kept safe. She said she was offered free credit-monitoring services after a recent cyberattack on the state Office of Motor Vehicles led to a statewide data breach. 

“If they’re lying about it and our information did get out there, then that’s a whole other situation,” she said. “They’re telling all their employees all of our information did not get messed with.” 

She implored district leaders to notify the parents of children who had their information exposed, including those whose kids are no longer in the school system. If she had known her 17-year-old son was caught up in the breach, she said, she could have already taken steps to protect him.

District officials said they were unaware of the extent of the breach. Tricia Fontenot, the district’s supervisor of instructional technology, said after notifying state police about the attack the board was never told the nature of the data that was stolen or if any data was stolen at all. She said when the board asked state police for updates, it was told an active investigation was in progress and no information could be released. It did not give a timeline for when its investigation would be completed.

“We never received reports of the actual information that was obtained,” she said. “All of that is under investigation. We have not received anything in regards to that investigation.”

The board, Fontenot said, decided to “trust the process.”

As seen in other school district cyberattacks across the country, however, law enforcement’s responsibility is to try and apprehend the cybercriminals not to determine the extent of a breach or provide information needed to notify or protect district employees and students. That work is done by the school districts, who often hire cybersecurity consultants to help carry out those complex tasks.

Byron Wimberly, St. Landry’s computer center supervisor, maintained that the compromised servers had not been used to store personal information. He used the frequency of cyberattacks as grounds to question whether St. Landry was the source of the breached data.

“You know how many people get hacked a year? Can you point that to the school board 100%?” Wimberly said.

However, evidence that the leaked sensitive data is a result of the July cyberattack is overwhelming, namely the more than 200,000 files posted to Telegram that link back to St. Landry schools. In fact, folders that were breached and uploaded to the web point in part to a central office clerk, who saved many of the most sensitive files to one of the least secured places: her computer’s desktop. 

The records identify more than 2,700 current and former St. Landry Parish students, including their full names, race and ethnicity, dates of birth, home addresses, parents’ phone numbers and login credentials for district technology. Spreadsheets listed students who were eligible for special education services and those who were classified as English language learners.

The health records that include Social Security numbers and other personally identifiable information for at least 13,500 people far exceed the number of individuals currently employed by the district. That’s because the records also encompass former employees, retirees and those who have since died, as well as their dependents, including spouses and children. Attached to the records are scanned copies of formal documents about major life events: Births, marriages, divorces and deaths. 

Thousands of people who have received retirement benefits from the school district had their full names published, along with Social Security numbers and health insurance premiums.

Also included are some 100,000 sales tax records for local and out-of-state companies that conducted business in St. Landry Parish, with affected individuals extending far beyond Louisiana borders. Local victims include the owners of a diner, a gun store and an artist who makes soap with goat milk. It also includes a metal pipe company in Alabama, an Indianapolis-based cannabis company and a senior official at Ring, the Amazon-owned surveillance camera company headquartered in Santa Monica, California.

Unlike most states, Louisiana lacks a central sales tax agency. Instead, there are 54 different collection agencies that range from sheriff’s offices to parish governments to school boards. St. Landry Parish’s sales tax collection office is overseen by the St. Landry Parish School Board. Louisiana schools’ largest source of local revenue is derived from sales taxes. 

Thousands of other files appeared to get captured at random: a limited set of files with student disciplinary records, a collection of wedding photographs, documentation for campus security cameras and artistic renderings of Jesus Christ.

Amelia Lyons, the co-owner of a St. Landry Parish glass business whose information was exposed, said a call from a reporter was the first time she had heard about the breach — a reality she called “alarming.” 

“I feel like I should have gotten a more formal notification about this,” Lyons said.

‘A soft target’

The St. Landry Parish breach is part of a disturbing increase in cyberattacks targeting school districts nationally in the past few years, with victims ranging from rural school systems to those in major metropolitan areas such as Los Angeles, Las Vegas, Minneapolis and suburban Washington, D.C. 

Ransomware attacks on the national education sector have surged by 80% in the past year alone, according to a recent report by the nonprofit Institute for Security and Technology. Earlier this year, hackers waged attacks on seven Louisiana colleges over four months, among them Southeastern Louisiana University, which also faced a data breach and claims it hadn’t been forthcoming with the public. 

It’s also not the first time St. Landry schools have fallen victim. In 2020, the school board took its system offline for at least two weeks following a similar cyberattack.

While hacker groups have grown more sophisticated, school districts routinely maintain outdated technology and lack expertise and dedicated staff to thwart threats, said Kenny Donnelly, executive director of the Louisiana Cybersecurity Commission, which was created to help schools and other entities bolster their defenses. As a result, schools are “low-hanging fruit,” said Donnelly, who said that educators should expect to see even more attacks in the coming years. 

“Educational entities are going to be a soft target,” he said. “If they’re not being hit, they’re going to be hit if they’re not doing the things they need to do to get their networks and their security in order.” 

Still, experts say leaders at small and mid-sized districts are often surprised when they become the targets of international cybercriminals.

“They’re such a small fish in the ocean, (they think) why would anybody bother with them?” said Doug Levin, the national director of the nonprofit K12 Security Information eXchange. It’s improbable that hackers targeted St. Landry specifically, he said, and more likely that a district employee opened a spam email and clicked on a phishing link. 

“It’s a question of them throwing their fishing hook in the barrel … and just waiting to see who bites,” Levin said. “They don’t know who their next victim is going to be and they don’t really care.” 

When a small- or medium-sized district takes the bait, the impact can be substantial because they’re often among their communities’ largest employers. In the roughly 80,000-resident St. Landry Parish, the breached health insurance records represent roughly 1 in 6 residents.

‘A cause of action’

Data breach victims who were contacted for this story said the district should have taken more proactive steps to notify them that their sensitive information had been stolen. 

“I just want (the district) to be professional,” said Vidrine, the former science teacher. “A notification that this happened: ‘We’re tending to it and you need to protect yourself. We made a mistake.’”

The district also faces risks of civil liability, said Chase Edwards, an associate law professor at the University of Louisiana at Lafayette. A failure to notify affected individuals is “what class actions are made of,” Edwards said.  

The school district has a duty to protect any private information they collect, Edwards said, and are both legally and ethically obligated to notify breach victims. 

About 1.25 million U.S. children are the victims of identity theft each year, according to a recent report by the research firm Javelin. Social Security numbers and other personal information about children are particularly valuable to thieves, who can use the records to obtain credit cards and loans without detection for years. 

Because children don’t typically have credit cards, they also don’t receive credit reports that can alert them when something is amiss, Lee said. Dark-web marketplaces that sell personal information often put a premium on children’s Social Security numbers, which Lee said are primarily used by fraudsters to apply for jobs. Once victims learn they’ve been compromised, the problem “is not easy to address and can have lifelong impacts,” he said. 

Death certificates and obituaries included in the St. Landry breach present their own unique set of risks. Even after death, Social Security numbers and other personally identifiable information that can be mined from obituaries is valuable to criminals who carry out a type of identity theft known as “ghosting.”

‘The hacker of today’

People whose information may have been compromised should assume that identity theft criminals will try to use it nefariously and take steps to protect themselves, Lee said. Such criminals, he said, are often part of “very sophisticated networks” based overseas.

“It’s not the Hollywood version of somebody sitting in a dark room in a hoodie with a can of Red Bull and Twinkies,” Lee said. “That’s not the hacker of today. They’re not sitting in their parents’ basement. They’re in call centers in Dubai and in Cambodia and in North Africa.”

It’s important that potential victims freeze their credit, Lee said, and implement robust privacy protections on their online accounts, including two-factor authentication and unique login credentials stored in password managers.

A finance and technology executive whose information was compromised in the St. Landry breach knows firsthand the headaches that come with identity theft: Following a previous incident, he said, someone used his information to file a false tax return. 

The executive, who asked not to be named because he wasn’t authorized to speak with the press, has never stepped foot in St. Landry parish. Yet his data was exposed because his former employer conducts business there. Having stringent security measures in place offered him peace of mind, he said, when he learned from a reporter that his information had again been exposed. 

Fontenot said efforts to notify will begin when state police wrap up their investigation and that district leaders, including the school board attorney, will identify a course of action.

But St Landry should take immediate steps to protect breach victims — including a notification to the state cybersecurity commission, said Donnelly, its executive director. 

“That they didn’t notify us of this, it’s disappointing,” said Donna Sarver, a math teacher who worked for the district for three years before leaving in 2020. She and other victims, she said, now have to fend for themselves. 

“But it’s a poor parish and I don’t think they do anything unless they really, really have to.”

This story was supported by a grant from the Fund for Investigative Journalism.

“I’m so sorry to tell you this but unfortunately your private information has been leaked,” read the email, sent to Hecht in the middle of the night Oct. 25 from an account tied to a school district in California. Attached were PDFs with personal information about her daughters including their names, photographs and the home address where they’d just spent the night asleep. 

“Be careful out there,” the cryptic message warned. “Don’t shoot the messenger!”

Some 200,000 similar student profiles had been leaked, the email claimed, following a recent cyberattack on Clark County School District, the nation’s fifth-largest district and where Hecht’s three daughters are enrolled. But the message, she’d soon learn, was not from a California student but from the student’s email account, which had also been compromised. An unidentified, publicity-hungry hacker was using it as a “burner” account to brazenly extort Clark County schools by frightening district parents directly.

“I put my child on the bus and then immediately called the district,” Hecht told The 74. “I called the school, they transferred me to the district, the district transferred me to their IT department, who then transferred me to the help desk. I have yet to hear anything back.”

The Clark County threat actors claim their in-your-face tactics, which apparently involve not just direct outreach to parents, but also to media outlets, is already being used against at least one other district. Also distinct from other recent K-12 ransomware attacks, including high-profile incidents in Los Angeles and Minneapolis, the Vegas school district hackers claimed to use weak passwords — in this case students’ dates of birth — and flimsy Google Workspace file-sharing practices. Deploying those relatively low-tech incursions allowed them to gain access to reams of sensitive files, including students’ special education records. 

Schools nationwide rely heavily on Google Workspace to create, and share records and the methods the hacker used to exploit district systems, a cybersecurity expert said, offer valuable lessons for all of them. 

“This is not going to qualify as sophisticated hacking,” said Doug Levin, the national director of the K12 Cybersecurity Information eXchange, and is perhaps a sort of brand-building exercise. “Given that they reached out to the media” and have demanded payments smaller than those typically leveraged by ransomware gangs, “it seems they may be more interested in publicity and reputation than they are money.”

For Las Vegas educators, the hack has already brought significant consequences, including a class-action lawsuit and calls for Superintendent Jesus Jara to resign. 

Clark County school leaders first confirmed on Oct. 16 that they became aware of a “cybersecurity incident” on Oct. 5, noting in a statement that it was “cooperating with the FBI as they investigate the incident” and that such attacks against schools have become routine. “Rest assured that we will share information as it becomes available so everyone is informed and can respond to protect personal information.”

When contacted by The 74, a Clark County spokesperson declined to comment further and shared a copy of the district’s previous statement. 

Yet as Hecht and others accuse the district of failing to inform parents about the extent of records stolen, much of the information being revealed about the data breach has come from the threat actor themselves, including taunts that they were still in Clark County’s computer systems. In two follow-up emails shared with The 74, Hecht was sent web links that purportedly included troves of sensitive information about students including disciplinary records and test scores. 

In an Oct. 26 message to Hecht, threat actors this time used a Clark County student’s email address “to show how much of a joke their IT security is and to show how seriously they are taking this.” 

Beyond outreach to parents, the hacker — which could be one or multiple people — sent files to the local Fox TV station on Oct. 25 without solicitation, first communicating with a reporter via Facebook. Identifying themselves as “SingularityMD (the hacker team),” the threat actor disputed Clark County’s statement that it had detected “a security issue” on its own and that district leaders had only become aware after the hackers sent an email “to tell them we had been in their network for a few months.” 

A hack with TikTok origins

Perhaps most revealing are communications between the hacker and a cybersecurity researcher at the blog DataBreaches.net, where the threat actor divulged their techniques and offered advice on how other districts can protect themselves. 

In recent years, cybercriminals have gravitated toward “double-extortion ransomware” schemes, where they gain access to a victim’s computer network, often through a phishing email, download compromising records and lock the files with an encryption key. Criminals then demand the victim pay a ransom to unlock the files and stop them from being posted online. Yet in this case, the threat actors appear to have skipped past the first part and are employing an extortion strategy that centers exclusively on holding students’ sensitive information hostage. 

For years, the 325,000-student Clark County district, whose systems were also breached in 2020, has reportedly reset all students’ passwords to their birth date at the beginning of each academic year. Using a student’s date of birth as a password has long been viewed as an insecure practice. In the case of Las Vegas schools, hackers claim the breach began on TikTok, where a student shared their birth date. The student used their district email address to create a TikTok account and their student ID became their username on the social media platform. 

Once the hacker used that information to compromise the student’s account, they claim to have exploited poor data-sharing practices in the district’s Google Workspace to access the sensitive files. The compromised account was used to access information available to any student, which in turn offered records that allowed the hacker to escalate the breach until they were able to access administrative files. 

“Google groups and google drives, if not configured correctly will expose teachers and staff files and conversations,” the hacker told DataBreaches.net. “In rare instances teachers have created shared drives and given the google group access to this drive. So if one was to add themselves to the group, they can then also access the drive contents. Nothing fancy at all.”

Schools are particularly easy targets because so many students have access to a district’s computer network, the hacker noted, with a word of advice: “I would recommend school districts separate the student network from the teacher network to make this process harder for teams like us.” 

The same technique, the hacker claims, was used recently to compromise records maintained by Jeffco Public Schools in suburban Denver. In Nevada, SingularityMD says it demanded a ransom of roughly $100,000 versus just $15,000 from the 77,000-student Colorado district.

Federal law enforcement officials generally advise cybersecurity victims against paying ransoms, which can embolden hackers and spur future attacks. In the last year, ransomware attacks against the education sector have surged by 80%, according to a recent report by the nonprofit Institute for Security and Technology, which observed an uptick in incidents immediately after hackers succeeded in securing payments. 

Levin said the hacker’s breach methods should set off alarm bells for educators nationwide, with “virtually every school in the U.S.” relying on cloud-based suites, like Google Workspace, to create and share content internally, with parents and with the public. 

“It’s very easy to overshare information and grant rights for people who shouldn’t be able to see this information,” Levin said. “That’s what it looks like happened in Clark County is they got access to some student accounts, found some shared folders and in the shared folders was more sensitive information that allowed them to escalate privileges and get to even more sensitive information.” 

Google spokesperson Ross Richendrfer said in an email that as districts become “a top target” for cybercriminals, “there’s not just one way that attackers attempt to infiltrate schools.” This particular incident, he said, was “the result of compromised passwords and configuration issues at the user/admin level.” 

He pointed to the company’s K-12 Cybersecurity Guidebook, which notes that while Google products “are built secure by default, it is critical that admins also properly use and configure networks and systems to ensure security.” The guidance also recommends that districts train teachers and staff on best practices around file sharing. 

In response to an email request, a Jeffco Public Schools spokesperson shared a Nov. 1 statement acknowledging the breach, which noted that staff members had received “alarming email messages from an external cybersecurity threat actor.” The district is working with outside cybersecurity experts and the police to determine the scope and credibility of the attack. 

With respect to the emails from the California student, it appears the hacker used a compromised account associated with the roughly 4,440-student Coalinga-Huron Unified School District in Fresno County merely to communicate with other victims. The threat actor said that compromised student email addresses are used as “burner accounts” when they are not useful in escalating permissions beyond the student level. 

Still, the district has conducted an assessment of its systems to ensure that it also hasn’t become the victim of a data breach, Superintendent Lori Villanueva told The 74. She said the student’s email address was used to send four emails, which were then deleted. 

“We canceled that email account, we set up a new one for the student, and we’re just running our own diagnostics to make sure there was no other unusual activity,” Villanueva said. Allowing students to choose their own passwords can have drawbacks, she said, if they settle on weak credentials. “My people have been in contact with the Clark County school district and are trying to cooperate with them as much as we can but we’re really limited to that one tiny piece of information.” 

Never before had she experienced an incident where a student’s email address was compromised and exploited in such a major way, she said. 

“Nothing this widespread, nothing in another state, nothing this big,” she said. “For our little neck of the woods here, this was a little crazy.” 

Reputational damage

For Hecht, the Las Vegas mom, the cyberattack in Clark County is deeply personal. In fact, she has a hypothesis about why she, in particular, received direct communication from the hackers. 

In 2021, her daughter Harli was the subject of numerous news reports when she contracted COVID and never recovered. 

“The only thing I can think of is somebody knows that I’m not quiet, that I will talk,” she said. If the hacker’s goal was to get Hecht fired up, it worked. The district, she said, needs to be held accountable for a failure to protect her children. Still, she said she hasn’t been able to get any answers from school administrators. 

“I’ve emailed the superintendent and I just continue to call that helpline,” she said “Nothing. Nobody has responded. I can’t even get through, it just rings and rings and rings. To me, that tells me there are so many parents calling.”

Hecht said she has since retained a lawyer, and a pair of other parents have already filed a class-action lawsuit against the district. The Oct. 31 complaint accuses Clark County schools of negligence, particularly in the wake of the 2020 ransomware attack. The lawsuit alleges the district has refused “to fully disclose any details of the attack and what data were accessed and were available for third parties to exploit.” 

“We think the district should be held accountable for their failures and ideally they will be able to make a more secure network in the future and anyone who has been subject to these data breaches will get the proper identity protection provided by the district at a minimum,” attorney Steve Hackett, who represents the families, told The 74.

Among those calling for Superintendent Yara to resign is Nevada Assembly Speaker Steve Yeager, who charged the district with nontransparency.

In an email, a district spokesperson said that individuals found to be affected by the breach will receive data breach notifications in the mail and declined to comment on whether it had, or planned to, pay the ransom. The district’s refusal to pay a ransom after the 2020 breach led hackers to release Social Security numbers, student grades and other private information. 

“As the investigation continues, we are committed to cooperating with agencies responsible for finding the responsible party and holding them accountable,” the statement said. 

The district also offered a sharp rebuttal to calls for Jara’s resignation, specifically referring to its contentious relationship with the local teachers union: “Superintendent Jara will remain superintendent as long as the Board of Trustees desires him to do so,” the statement continued “No bullying pressure, harassment or coordination with the leadership of the Clark County Education Association will deter him from his job to educate over 300,000 students and protect taxpayer resources from those who wish to harm the district or its finances.” 

Hecht said the release of sensitive files, like medical records and special education reports, is particularly concerning, with implications extending far beyond those of Social Security numbers and financial records. She offered a message of her own directly to the hackers. 

“It worries me because this stuff is going to follow them for life,” she said. “Look, I know that our district is not great, but if you’re going to go against the district, don’t take our kids down with you. They did nothing wrong.”

As artificial intelligence rapidly expands its presence in classrooms, President Biden signed an executive order Monday requiring federal education officials to create guardrails that prevent tech-driven discrimination. 

The wide-ranging, all-of-government order, which the White House called “the most sweeping actions ever taken to protect Americans from the potential risks of AI systems,” offers several directives that are specific to the education sector. The order dealing with emerging technologies like ChatGPT directs the Justice Department to coordinate with federal civil rights officials on ways to investigate discrimination perpetuated by algorithms. 

Within a year, the education secretary must release guidance on the ways schools can use the technology equitably, with a particular focus on the tools’ effects on “vulnerable and underserved communities.” Meanwhile, an Education Department “AI toolkit” released within the next year will offer guidance on how to implement the tools so that they enhance trust and safety while complying with federal student privacy rules. 

For civil rights advocates who have decried AI’s potentially unintended consequences, the order was a major step forward. 

The order’s focus on civil rights investigations “aligns with what we’ve been advocating for over a year now,” said Elizabeth Laird, the director of equity and civic technology at the nonprofit Center for Democracy and Technology. Her group has called on the Education Department’s Office for Civil Rights to open investigations into the ways AI-enabled tools in schools could have a disparate impact on students based on their race, disability, sexual orientation and gender identity. 

“It’s really important that this office, which has been focused on protecting marginalized groups of students for literally decades, is more involved in conversations about AI and can bring that knowledge and skill set to bear on this emerging technology,” Laird told The 74. 

In draft guidance to federal agencies on Wednesday, the Office of Management and Budget spelled out the types of AI education technologies that pose civil rights and safety risks. They include tools to detect student cheating, monitor their online activities, project academic outcomes, make discipline recommendations or facilitate surveillance online and in-person.  

An Education Department spokesperson didn’t respond to a request for comment Monday on how the agency plans to respond to Biden’s order. 

Schools nationwide have adopted artificial intelligence in divergent ways, including in personalized learning to provide students individualized lessons and with the growing use of chatbots like ChatGPT by both students and teachers. It’s also generated heated debates over technology’s role in exacerbating harms to at-risk youth, including educators’ use of early warning systems that mine data about students — including their race and disciplinary records — to predict their odds of dropping out of school. 

“We’ve heard reported cases of using data to predict who might commit a crime, so very Minority Report,” Laird said. “The bar that schools should be meeting is that they should not be targeting students based on protected characteristics unless it meets a very narrowly defined purpose that is within the government’s interests. And if you’re going to make that argument, you certainly need to be able to show that this is not causing harm to the groups that you’re targeting.” 

AI and student monitoring tools

An unprecedented degree of student surveillance has also been facilitated by AI, including online activity monitoring tools, remote proctoring software to detect cheating on tests and campus security cameras with facial recognition capabilities. 

Beyond its implications on schools, the Biden order requires certain technology companies to conduct AI safety testing before their products are released to the public and to provide their results to the government. It also orders new regulations to ensure AI won’t be used to produce nuclear weapons, recommends that AI-generated photos and videos be transparently identified as such with watermarks and calls on Congress to pass federal data privacy rules “to protect all Americans, especially kids.”

In September, The Center for Democracy and Technology released a report that warned that schools’ use of AI-enabled digital monitoring tools, which track students’ behaviors online, could have a disparate impact on students — particularly LGBTQ+ youth and those with disabilities — in violation of federal civil rights laws. As teachers punish students for using ChatGPT to allegedly cheat on classroom assignments, a survey suggested that children in special education were more likely to face discipline than their general education peers. They also reported higher levels of surveillance and subsequent discipline as a result. 

In response to the report, a coalition of Democratic lawmakers penned a letter urging the Education Department’s civil rights office to investigate districts that use digital surveillance and other AI tools in ways that perpetuate discrimination. 

Education technology companies that use artificial intelligence could come under particular federal scrutiny as a result of the order, said consultant Amelia Vance, an expert on student privacy regulations and president of the Public Interest Privacy Center. The order notes that the federal government plans to enforce consumer protection laws and enact safeguards “against fraud, unintended bias, discrimination, infringements on privacy and other harms from AI.” 

“Such protections are especially important in critical fields like healthcare, financial services, education, housing, law and transportation,” the order notes, “where mistakes by or misuse of AI could harm patients, cost consumers or small businesses or jeopardize safety or rights.”

Schools rely heavily on third-party vendors like education technology companies to provide services to students, and those companies are subject to Federal Trade Commission rules against deceptive and unfair business practices, Vance noted. The order’s focus on consumer protections, she said, “was sort of a flag for me that maybe we’re going to see not only continuing interest in regulating ed tech, but more specifically regulating ed tech related to AI.”

While the order was “pretty vague when it came to education,” Vance said it was important that it did acknowledge AI’s potential benefits in education, including for personalized learning and adaptive testing. 

“As much as we keep talking about AI as if it showed up in the past year, it’s been there for a while and we know that there are valuable ways that it can be used,” Vance said. “It can surface particular content, it can facilitate better connections to people when they need certain content.” 

AI and facial recognition cameras

As school districts pour billions of dollars into school safety efforts in the wake of mass school shootings, security vendors have heralded the promises of AI. Yet civil rights groups have warned that facial recognition and other AI-driven technology in schools could perpetuate biases — and could miss serious safety risks. 

Just last month, the gun-detection company Evolv Technology, which pitches its hardware to schools, acknowledged it was the subject of a Federal Trade Commission inquiry into its marketing practices. The agency is reportedly probing whether the company employs artificial intelligence in the ways that it claims. 

In September, New York became the first state to ban facial recognition in schools, a move that followed outcry when an upstate school district announced plans to roll out a surveillance camera system that tracked students’ biometric data. 

A new Montana law bans facial recognition statewide with one notable exception — schools. Citing privacy concerns, the law adopted this year prohibits government agencies from using facial recognition, but with a specific carveout for schools. One rural education system, the 250-student Sun River School District, employs a 30-camera security system from Verkada that uses facial recognition to track the identities of people on its property. As a result, the district has a camera-to-student ratio of 8-to-1. 

In an email on Wednesday, a Verkada spokesperson said the company is in the process of reviewing Biden’s order to understand its implications on the company.

Verkada offers a cautionary tale about the potential security vulnerabilities of campus surveillance systems. In 2021, the company suffered a massive data breach and hackers claimed to expose the live feeds of 150,000 surveillance cameras — including those in place at Sandy Hook Elementary School in Newtown, Connecticut, the site of a mass shooting in 2012. A post-incident investigation conducted on behalf of the company found the breach was more limited, affecting some 4,500 cameras.

Hikvision has similarly made inroads in the school security market with its facial recognition surveillance cameras — including during a pandemic-era push to enforce face mask compliance. Yet the company, owned in part by the Chinese government, has also faced significant allegations of civil rights abuses and in 2019 was placed on a U.S. trade blacklist after being implicated in the country’s “campaign of repression, mass arbitrary detention and high-technology surveillance” against Muslim ethnic minorities. 

Though multiple U.S. school districts continue to use Hikvision cameras, a recent investigation found the company’s software seeks to detect ethnic minorities despite claiming for years it had ended the practice.

 In an email, a Hikvision spokesperson didn’t comment on how Biden’s executive order could affect its business, including in schools, but offered a letter it shared to its customers in response to the investigation, saying an outdated reference to ethnic detection appeared on its website erroneously.

“It has been a longstanding Hikvision policy to prohibit the use of minority recognition technology,” the letter states. “As we have previously stated, that functionality was phased out and completely prohibited by the company in 2018.“

Data scientist David Riedman, who built a national database to track school shootings dating back decades, said that artificial intelligence is at “the forefront” of the school safety conversation and emerging security technologies can be built in ways that don’t violate students’ rights. 

Riedman became a figure in the national conversation about school shootings as the creator of the K12 School Shooting Database but has since taken on an additional role as director of industry research and content for ZeroEyes, a surveillance software company that uses security cameras to ferret out guns. Instead of using facial recognition, the ZeroEyes algorithm was trained to identify and notify law enforcement within seconds of spotting a firearm. 

The company maintains that its object-detection approach — as opposed to facial recognition — can “evade privacy and bias concerns that plague other AI models,” and internal research found that “only 0.06546% of false positives were humans detected as guns.” 

“The simplicity” of ZeroEye’s technology, Riedman said, puts the company in good standing as far as the Biden order is concerned.

“ZeroEyes isn’t looking for people at all,” he said. “It’s only looking for objects and the only objects it is trying to find, and it’s been trained to find, are images that look like guns. So you’re not getting student records, you’re not getting student demographics, you’re not getting anything related to people or even a school per se. You just have an algorithm that is constantly searching for images to see if there is something that looks like a firearm in them.”

However, false positives remain a concern. Just last week at a high school in Texas, a false alarm from ZeroEyes prompted a campus lockdown that set off student and parent fears of an active shooting. The company said the false alarm was triggered by an image of a student outside who the system believed was armed based on shadows and the way his arm was positioned. 

Publicly traded Evolv Technology acknowledged that the Federal Trade Commission had “requested information about certain aspects of its marketing practices” in a disclosure to investors last week, following scrutiny that the company overstated the capabilities of its technology in promotions that could give customers, including schools, a false sense of security. 

Citing two anonymous sources, Bloomberg reported that Evolv is the subject of an FTC investigation into whether its scanners — essentially next-generation metal detectors with a heftier price tag — employ artificial intelligence to identify weapons in the ways that it claims.

It’s unclear whether Massachusetts-based Evolv’s sales pitches to the education sector are part of the federal probe. An FTC spokesperson declined to comment Tuesday. In its Oct. 12 disclosure form with the Securities and Exchange Commission, and in a statement this week to The 74, Evolv said the company was “pleased to answer” regulators’ questions. 

“When Evolv receives inquiries from regulators, our approach is to be cooperative and educate them about our company,” the statement continued. “The company stands behind its technology’s capabilities and performance track record.”

The company has claimed that it uses AI to scan for the unique “signatures” of tens of thousands of weapons, allowing it to distinguish “all the guns, all the bombs and all the large tactical knives” out there from everyday items like keys and laptops. 

Yet the scanner’s efficacy — including its ability to prevent campus violence — has faced pushback for several years, particularly by IPVM, an independent security and surveillance industry research group that tests and evaluates products. Conor Healy, the group’s director of government research, said that false and misleading marketing claims have been “a pattern with the company” for years. Among the inaccurate assertions, he said, is that the tool “eliminates the friction” that students experience when they pass through security everyday. 

“That has been shown to be just simply not true at all,” Healy told The 74 this week. “There’s quite a lot of friction. The schools that we’ve looked at have 20% to 60% false alarm rates.” 

Districts have increasingly turned to “weapons detection” systems from Evolv and competing security vendors in response to fears of school shootings — anxiety that the company says “keeps both students and staff from doing their best work.”

Evolv states that its system “combines powerful sensor technology with proven artificial intelligence” to identify threats like guns in hundreds of U.S. schools. Capable of scanning more than 4,000 people an hour, Evolv says its devices are “10X faster than metal detectors,” and “help reduce opportunities for bias” by decreasing secondary screenings by humans.

Evolv extols the benefits of its scanners well beyond schools’ physical safety. While frequent false alarms by traditional metal detectors lead to “security anxiety” and “inconvenient delays,” according to the company’s website, Evolv scanners offer “a more effective and dignified solution, fostering a safer, more inclusive environment that bolsters academic achievement and staff retention.” 

IPVM has accused the company of failing to substantiate that its product is 10 times faster than traditional metal detectors, and a 2022 BBC investigation found the scanners may miss certain knives and bombs. Meanwhile, IPVM has documented instances where false alarms were activated in schools by water bottles, binders and laptops.

In a statement to Pennsylvania-based IPVM last month, Evolv said “we understand if any of our past statements appeared to generalize our capabilities,” which may violate an FTC rule that requires company claims to be evidence-backed. 

With AI a constant, if little understood, buzzword across many sectors right now, the FTC in February warned companies against exaggerating the capabilities of their artificial intelligence offerings, adding that “false or unsubstantiated claims about a product’s efficacy are our bread and butter.” 

“The minute you hear the word AI in marketing, alarm bells should go off in your head,” said Healy, whose group has also done broader analyses of the school security industry and the efficacy of specific surveillance tools routinely installed in schools. 

“As far as [Evolv’s] artificial intelligence goes, it does not appear to be very intelligent,” he said, because it routinely fails to differentiate everyday school supplies like Chromebooks from weapons like guns. “What AI is actually in the system? That is something that Evolv has not told us very much about.” 

Evolv has resisted calls to disclose additional information about the ways its scanners function. While scanners’ sensitivity settings can alter their performance, a company spokesperson previously told The 74 that publicly sharing information about those settings “is irresponsible and puts people at greater risk.” 

“We must assume any published information regarding details of a physical screening system will be studied and leveraged by a bad actor seeking to do harm,” the statement continued. The company declined to comment on the false alarm rates reported by its customer districts, which include Atlanta, Charlotte, North Carolina, and Louisville, Kentucky.

 “Our systems are designed to detect many types of weapons and components of weapons, but there is no perfect solution that will stop 100% of threats, including ours, which is why security must include a layered approach that involves people, process and technology.” 

Knives became a point of conflict last year after the school district in Utica, New York, spent nearly $4 million to install Evolv scanners across 13 of its campuses. The scanners were ultimately removed after a student was stabbed multiple times with a knife during a fight in a high school hallway. The knife-wielding student had passed through an Evolv scanner with the blade in his backpack, a later investigation revealed. 

While the detectors had false alarms, including on a student’s lunch box, an Evolv scanner failed to alarm when an off-duty police officer accidentally brought a service revolver to a Utica district open house.

Meanwhile, in Buffalo, New York, Evolv scanners were credited for keeping a high school safe. Earlier this month, an 18-year-old pleaded guilty to a criminal weapons possession charge after he was caught trying to bring a handgun into a high school. A school security officer reportedly found the disassembled “ghost gun” in the teenager’s backpack as he passed through a weapons detector. Buffalo schools spent $2.7 million to roll out the Evolv system earlier this year. A Buffalo schools spokesperson declined to comment.

As companies increasingly market products with artificial intelligence capabilities to schools, school security consultant Kenneth Trump predicts — or at least hopes — that regulation is imminent. He pointed to new rules in New York that prohibit facial recognition in schools. The ban was adopted after an upstate school district’s decision to install surveillance cameras with facial recognition capabilities prompted an outcry. 

“The marketing claims are so off the charts by many vendors that there’s really no chance for the average school administrator to know what’s true, what’s false and really the gaps and the limitations that these products have,” said Trump, president of Cleveland-based National School Safety and Security Services. Though he expects regulators to soon reign in security companies, “up until that happens, how many school districts are going to fall victim to questionable marketing and grandiose ideas that don’t come to fruition?”

In a letter shared exclusively with The 74, the coalition expressed concerns that AI-enabled student monitoring tools could foster discrimination against marginalized groups, including LGBTQ+ youth and students with disabilities. The Education Department’s Office for Civil Rights should issue guidance on the appropriate uses of emerging classroom technologies, the lawmakers wrote, and crack down on practices that run afoul of existing federal anti-discrimination laws. 

“While the expansion of educational technology helped facilitate remote learning that was critical to students, parents and teachers during the pandemic,” the lawmakers wrote, “these technologies have also amplified student harms.” 

Lawmakers asked the Education Department’s civil rights office whether it has received complaints alleging discrimination facilitated by education technology software and whether it has taken any enforcement action related to potential civil rights violations. 

The letter comes in response to a recent national survey of educators, parents and students, the findings of which suggest that schools’ use of digital tools to monitor children online have a disparate impact on students based on their race, disability, sexual orientation and gender identity. The survey, conducted by the nonprofit Center for Democracy and Technology, found that while activity monitoring has become ubiquitous in schools and is intended to keep students safe, it’s used regularly as a discipline tool and routinely brings youth into contact with the police.

Findings from the CDT survey, lawmakers wrote, “raise serious concerns about the application of civil rights laws to schools’ use of these technologies.” Letter signatories include Democratic Reps. Lori Trahan of Massachusetts, Sara Jacobs of California, Hank Johnson of Georgia, Bonnie Watson Coleman of New Jersey and Adam Schiff of California. Trahan, who serves on the House Energy and Commerce Committee’s Innovation, Data and Commerce Subcommittee, has previously called for tighter student data privacy protections in the ed tech sector. 

The monitoring tools, such as those offered by for-profit companies GoGuardian and Gaggle, rely on artificial intelligence to sift through students’ online activities and flag school administrators — and sometimes the police — when they discover materials related to sex, drugs, violence or self-harm. 

Two-thirds of teachers reported that a student at their school was disciplined as a result of activity monitoring and a third said they know a student who was contacted by the police because of an alert generated by the software. 

Children with disabilities were more likely than their peers to report being watched, and special education teachers reported heightened rates of discipline as a result of activity monitoring. The findings, researchers argue, could run afoul of federal rules that entitle children with disabilities equal access to an education. Even beyond the technologies, students with disabilities are subjected to disproportionate levels of school discipline, including restraint and seclusion, when compared to their general education peers. 

Half of all students said their schools responded fairly to alerts generated by monitoring software, a sentiment shared by just 36% of LGBTQ+ youth. In fact, LGBTQ+ youth were more likely than their straight and cisgender peers to report that they or someone they know was disciplined as a result of monitoring. And nearly a third of LGBTQ+ youth reported that they or someone they know was outed because of the technology. 

More than a third of teachers said their school monitors students’ online behaviors outside of school hours — and sometimes on their personal devices. 

In a similar student survey, released this month by the American Civil Liberties Union, a majority of respondents expressed worries that the monitoring tools — despite being designed to keep them safe — could actually cause harm and a third said they “always feel” like they’re being watched. 

The 74 has reported extensively on schools’ use of digital surveillance tools to monitor students’ online behaviors, and the tools’ implications for youth civil rights. The company Gaggle previously flagged to administrators student communications that referenced LGBTQ+ keywords like “gay” and “lesbian.” The company says it halted the practice last year in the wake of pushback from civil rights activists. 

Given the survey findings, the lawmakers urged the Education Department to clarify “how educators can fulfill their civil rights obligations” as they develop policies related to artificial intelligence, whose rapidly evolving role in education more broadly — including students’ use of tools like ChatGPT — has become a topic of debate. 

“This research is particularly concerning due to linkages between school disciplinary policies and incarceration rates of our nation’s youth,” the coalition wrote, adding concerns that the tools can create hostile learning environments. 

Reeled in by deceptive, fear-based marketing and an influx of federal cash, school leaders have purchased and pervasively deployed student surveillance tools while failing to consider their detrimental consequences to young people’s civil rights, a new ACLU report concludes. 

In a youth survey accompanying the American Civil Liberties Union report released Tuesday, a majority of students expressed worries that the tools — designed to keep them safe — could actually cause harm and a third said they “always feel” like they’re being watched. 

The 61-page report, titled “Digital Dystopia,” also offers an in-depth look at the rise of schools’ reliance on surveillance technology over the last few decades, arguing the tools have failed to improve campus safety while subjecting students — particularly students of color and those who are undocumented, LGBTQ or from low-income households — to discrimination. 

“The ed tech surveillance companies, after fanning the flames of fear, were making these broad statements about the efficacy of their products, about their ability to keep students safe” from threats like school shootings and suicide, despite a lack of evidence to back up their claims, report lead author and ACLU senior policy counsel Chad Marlow told The 74. 

Rather than making kids safe, Marlow said, the tools could be damaging to their development and well-being. “The harm is actually significant and, by not acknowledging the harms that are caused, there’s less incentive to look at other interventions,” he said.

Three-quarters of students worry about at least one negative consequence of student surveillance, which includes the widespread proliferation of digital tools that monitor their online communications for references to sex, drugs, violence or self-harm, according to the online survey. Commissioned by the ACLU, the polling firm YouGov queried 502 teens throughout the country in October 2022. Nearly a quarter of respondents said that digital monitoring tools limit the resources they feel they can access online while a similar percentage worried the information collected about them could be shared with the police or be used against them in the future by a college or an employer. Some 27% feared the tools could be used for disciplinary purposes.

As a result, students alter their behaviors due to fears that “deviating from expectations is punishable in the world that they’re growing up in,” Marlow said. “What does that tell them about innovation or exploring new ideas?”

Survey findings resemble those from another youth survey, released last month by the nonprofit Center for Democracy and Technology, which found that while a majority of parents and students still embrace digital tools that monitor students’ online behaviors, their support has dwindled over the last year. 

Both reports identified detrimental effects of digital surveillance that researchers said run counter to federal civil rights laws that protect students from discrimination based on race, disability, sexual orientation or gender identity. 

In the student survey conducted by the Center for Democracy and Technology, researchers found that while districts bought digital monitoring tools to keep students safe, they are used regularly as discipline tools that routinely bring youth in contact with the police. LGBTQ+ youth and those with disabilities were significantly more likely to experience the harms of surveillance. For example, 65% of LGBTQ+ youth said they or someone they knew got into trouble due to online activity monitoring, compared to 56% of their straight and cisgender peers. Meanwhile, nearly a third of LGBTQ+ students said that they or someone they know has been “outed” by the technology.

In the absence of rigorous, independent research on the efficacy of school surveillance tools to improve campus safety, the ACLU report argues that schools are left to make purchasing decisions based on what the group called fear-based marketing tactics. Security companies hype the risks of school violence and student self-harm while overstating the utility of their products, the report says. Security industry lobbying efforts, meanwhile, have successfully steered hundreds of millions of dollars in government school safety spending toward unproven technologies. 

“It would be like going to buy a car and the only source of information is the car salesperson,” Marlow said. “That’s probably not the best way to make a car purchasing decision, but that’s what’s happening with student surveillance.” 

The Security Industry Association, a trade group that represents security companies and lobbies on their behalf, didn’t immediately respond to a request for comment. 

The ACLU survey results suggest, however, that students have a complicated relationship with school surveillance: While recognizing its potential harms, many also believe it serves its intended purpose. Specifically, 40% of students reported that surveillance technology makes them feel “safe” and 43% said it makes them feel “protected.” Meanwhile, just 14% said it makes them feel “anxious” and a fraction of respondents, 7%, said the tools made them feel “unsafe.” 

Marlow said this support may be the result, at least in part, of successful marketing and a belief that few other options exist. 

“​​When you talk about keeping students safe, I think students are smart enough to realize that in too many places in this country, gun control is off the table,” he said. “Because of the dominance of money and power of the ed tech surveillance industry,” that’s used in marketing and lobbying, “the discussion is almost entirely centered around, ‘Do we use or do we not use student surveillance technologies?’ while alternatives like mental health screenings fail to receive similar consideration. “In that option, between a highly questionable, harmful protection or nothing at all, no one wants to pick nothing at all.” 

While the report focuses largely on digital tools that monitor students’ behaviors online, it also questions the efficacy of surveillance cameras in creating physical safety for students in schools. Cameras have become nearly ubiquitous, with 91% of districts equipping their schools with them in the 2019-20 school year, according to the most recent data included in a U.S. Department of Education report released last month. 

Meanwhile, just 55% of schools offered students mental health assessments, according to the most recent federal data, and 42% offered mental health treatment services. 

Despite a sharp rise in schools’ reliance on surveillance and other tools in the last two decades, the number of school shootings has grown. 

There were a record 188 school shootings resulting in injuries or deaths in the 2021-22 school year, according to the federal report. That’s twice as many shootings on campus than the previous record — set just one year earlier. Placing security cameras in schools, Marlow argues, has failed to deter the very crimes they were installed to prevent. In an ACLU analysis of the 10 deadliest school shootings in the last two decades, for example, researchers found that surveillance cameras were present for eight, including in Parkland, Florida, and Uvalde, Texas. 

Along with scrutiny from researchers and civil rights groups, schools’ use of digital monitoring tools has led to several lawsuits alleging they’re ineffective and violate students’ civil liberties. 

In one class-action lawsuit, filed this year in California, the parents of two students claim the student surveillance company Securly secretly collected physical location data from childrens’ mobile devices and sold the information to targeted advertising vendors without their knowledge or consent. 

A separate federal negligence lawsuit, filed in 2021 in Oklahoma, accuses the digital surveillance company Gaggle of being ineffective at keeping kids safe from self-harm. The lawsuit, filed by the parents of a 15-year-old boy who died by suicide, accuses the surveillance company and the state’s third-largest school district of failing to act on warning signs that could have prevented the teenager’s 2019 death. 

The student submitted a “personal odyssey” essay in his freshman English class that was riddled with references to self-harm and suicide, but his teacher failed to act, the complaint alleges, giving him a grade of 100%. The district used Gaggle to identify and flag troubling student digital communications, including references to self-harm and suicide. Yet the lawsuit alleges the company “failed to notify school administration” about the student’s warning signs, including the essay titled “Running Out of Reasons” and an email with a classmate where the two contemplated a plan to “go out at the same time.”

A Gaggle spokesperson didn’t immediately respond to a request for comment. Securly spokesperson Josh Mukai called the lawsuit “baseless and uninformed.”

“Securly has never sold student data to third parties, nor have we ever used student data to target advertisements,” Mukai said in an email. “Securly’s suite of student safety solutions upholds the highest standards for student data privacy and complies with all international, federal and state privacy regulations.”

Half of teachers say they know a student at their school who was disciplined or faced negative consequences for using — or being accused of using — generative artificial intelligence like ChatGPT to complete a classroom assignment, according to survey results released Wednesday by the Center for Democracy and Technology, a nonprofit think tank focused on digital rights and expression. The proportion was even higher, at 58%, for those who teach special education. 

Cheating concerns were clear, with survey results showing that teachers have grown suspicious of their students. Nearly two-thirds of teachers said that generative AI has made them “more distrustful” of students and 90% said they suspect kids are using the tools to complete assignments. Yet students themselves who completed the anonymous survey said they rarely use ChatGPT to cheat, but are turning to it for help with personal problems.

“The difference between the hype cycle of what people are talking about with generative AI and what students are actually doing, there seems to be a pretty big difference,” said Elizabeth Laird, the group’s director of equity in civic technology. “And one that, I think, can create an unnecessarily adversarial relationship between teachers and students.”   

Indeed, 58% of students, and 72% of those in special education, said they’ve used generative AI during the 2022-23 academic year, just not primarily for the reasons that teachers fear most. Among youth who completed the nationally representative survey, just 23% said they used it for academic purposes and 19% said they’ve used the tools to help them write and submit a paper. Instead, 29% reported having used it to deal with anxiety or mental health issues, 22% for issues with friends and 16% for family conflicts.

Part of the disconnect dividing teachers and students, researchers found, may come down to gray areas. Just 40% of parents said they or their child were given guidance on ways they can use generative AI without running afoul of school rules. Only 24% of teachers say they’ve been trained on how to respond if they suspect a student used generative AI to cheat. 

The results on ChatGPT’s educational impacts were included in the Center for Democracy and Technology’s broader annual survey analyzing the privacy and civil rights concerns of teachers, students and parents as tech, including artificial intelligence, becomes increasingly engrained in classroom instruction. Beyond generative AI, researchers observed a sharp uptick in digital privacy concerns among students and parents over last year. 

Among parents, 73% said they’re concerned about the privacy and security of student data collected and stored by schools, a considerable increase from the 61% who expressed those reservations last year. A similar if less dramatic trend was apparent among students: 62% had data privacy concerns tied to their schools, compared with 57% just a year earlier. 

Those rising levels of anxiety, researchers theorized, are likely the result of the growing frequency of cyberattacks on schools, which have become a primary target for ransomware gangs. High-profile breaches, including in Los Angeles and Minneapolis, have compromised a massive trove of highly sensitive student records. Exposed records, investigative reporting by The 74 has found, include student psychological evaluations, reports detailing campus rape cases, student disciplinary records, closely guarded files on campus security, employees’ financial records and copies of government-issued identification cards. 

Survey results found that students in special education, whose records are among the most sensitive that districts maintain, and their parents were significantly more likely than the general education population to report school data privacy and security concerns. As attacks ratchet up, 1 in 5 parents say they’ve been notified that their child’s school experienced a data breach. Such breach notices, Laird said, led to heightened apprehension. 

“There’s not a lot of transparency” about school cybersecurity incidents “because there’s not an affirmative reporting requirement for schools,” Laird said. But in instances where parents are notified of breaches, “they are more concerned than other parents about student privacy.” 

Parents and students have also grown increasingly wary of another set of education tools that rely on artificial intelligence: digital surveillance technology. Among them are student activity monitoring tools, such as those offered by the for-profit companies Gaggle and GoGuardian, which rely on algorithms in an effort to keep students safe. The surveillance software employs artificial intelligence to sift through students’ online activities and flag school administrators — and sometimes the police — when they discover materials related to sex, drugs, violence or self-harm. 

Among parents surveyed this year, 55% said they believe the benefits of activity monitoring outweigh the potential harms, down from 63% last year. Among students, 52% said they’re comfortable with academic activity monitoring, a decline from 63% last year. 

Such digital surveillance, researchers found, frequently has disparate impacts on students based on their race, disability, sexual orientation and gender identity, potentially violating longstanding federal civil rights laws. 

The tools also extend far beyond the school realm, with 40% of teachers reporting their schools monitor students’ personal devices. More than a third of teachers say they know a student who was contacted by the police because of online monitoring, the survey found, and Black parents were significantly more likely than their white counterparts to fear that information gleaned from online monitoring tools and AI-equipped campus surveillance cameras could fall into the hands of law enforcement. 

Meanwhile, as states nationwide pull literature from school library shelves amid a conservative crusade against LGBTQ+ rights, the nonprofit argues that digital tools that filter and block certain online content “can amount to a digital book ban.” Nearly three-quarters of students — and disproportionately LGBTQ+ youth — said that web filtering tools have prevented them from completing school assignments. 

The nonprofit highlights how disproportionalities identified in the survey could run counter to federal laws that prohibit discrimination based on race and sex, and those designed to ensure equal access to education for children with disabilities. In a letter sent Wednesday to the White House and Education Secretary Miguel Cardona, the Center for Democracy and Technology was joined by a coalition of civil rights groups urging federal officials to take a harder tack on ed tech practices that could threaten students’ civil rights. 

“Existing civil rights laws already make schools legally responsible for their own conduct, and that of the companies acting at their direction in preventing discriminatory outcomes on the basis of race, sex and disability,” the coalition wrote. “The department has long been responsible for holding schools accountable to these standards.”

Yet even before the first class started, the 133,000-student district in Prince George’s County, Maryland, faced an assault on its security — one carried out completely online. 

Rather than barge through the front entrance of a school, threat actors appeared to break in through a backdoor in the district’s computer network. The mid-August intrusion meant the high-performing school system — among the nation’s 20 largest — joined a growing list of school district ransomware victims, another proof point that the education sector is now a primary target of cyber gangs. 

“Schools have this delicious trove of data and do not have the same protections” as banks and other for-profit businesses, said Jake Chanenson, lead author of a recent University of Chicago report on school district cyber risks. 

In the case of Prince George’s County Public Schools, the attack appeared to enter its final stage on Tuesday when the Rhysida gang posted to its leak site a collection of data it purportedly stole nearly a month ago. A cursory review of the files suggest they date back two decades. 

The back-to-school season, already a particularly busy period for school technology leaders, has become a prime time for district ransomware attacks, according to cybersecurity experts. In August alone, ransomware gangs claimed new attacks on 11 K-12 school systems, according to an analysis by The 74 of the cyber group’s dark web leak sites. Among them are three New Jersey districts, two in Washington state, a Denver charter school network and a district in remote Alaska. Several additional districts have disclosed cyberattacks since the start of the new year, including news of a breach last week against Florida’s Hillsborough County Public Schools, the seventh-largest district in the U.S. 

In Chambersburg, Pennsylvania, district officials said a ransomware attack had forced them to cancel classes for three days in just the second week of the academic year. 

At the Lower Yukon School District in Alaska, technology director Joshua Walton said a hack and subsequent data breach by the burgeoning ransomware gang NoEscape was first initiated in late July, before the fall semester began. 

“Your confidential documents, personal data and sensitive info has been downloaded,” the group wrote in a ransom note obtained by The 74. “Published information will be seen by your colleagues, competitors, lawyers, media and the whole world.” 

Ultimately, the district refused to pay the group’s $300,000 ransom demand, leading to a small data breach that doesn’t appear to include sensitive information about educators or students. Rather, an analysis of the leak suggests stolen files center primarily on campus maintenance work. 

Previous data breaches following district ransomware attacks, such as the ones in Los Angeles and Minneapolis, have led to widespread disclosure of sensitive information, including student psychological evaluations, reports of campus rape cases, student discipline records, closely guarded files on campus security, employees’ financial records and copies of government-issued identification cards. 

Though Walton was confident that similarly sensitive records had not been stored on the breached computer server, he told The 74 the Lower Yukon hack could have been far more disruptive had it been carried out just a few weeks later. Instead, they had a few remaining weeks of summer to restore their systems before their nearly 2,000 students returned. 

“It was an inconvenience for sure, but I’ve seen a lot of data breaches over the years and ours is nothing comparable,” Walton said. “I couldn’t imagine that happening when school starts because we’re all rushing to get all of the support tickets taken care of and making sure that school is starting off on the right foot. If it would have happened then, it would have been a whole different ball game.” 

This year, the return-to-school season kicked off with a warning from federal law enforcement about the growing threat that cyberattacks pose for school districts. During a cybersecurity summit at the White House in early August, federal officials warned the coming months could be particularly volatile. Harm isn’t limited to victim districts but rather encompasses their employees, students and families whose sensitive records, including financial information, are vulnerable to data breaches. 

WIth “Social Security numbers and medical records stolen and shared online,” such attacks have left “classroom technology paralyzed and lessons ended,” First Lady Jill Biden said. “So if we want to safeguard our children’s futures, we must protect their personal data.”

There isn’t any hard data on the frequency that ransomware groups exploit back-to-school season compared to other times, said Doug Levin, the national director of the K12 Security Information eXchange. He said it’s also difficult to identify when attacks first begin, with threat actors sometimes infiltrating district servers months before the ransomware attack is initiated. That said, the existing evidence suggests about a quarter of cyber incidents affecting school districts appear to occur during those first few weeks and months of school. He said the chaos of getting technology into students’ hands and setting them up with new online accounts creates an ideal opportunity for criminals to catch district tech officials off guard. 

“With all of these new devices being deployed with all sorts of new tools and applications coming online, I certainly have heard reports of upticks in phishing attacks against school districts already,” Levin said. “It’s definitely a time where you know people are more likely to make mistakes.”

Similar concerns were included in a notice last month by the New Jersey Cybersecurity and Communications Integration Cell, where officials warned that cybercriminals routinely exploit holiday breaks to target schools. 

“Threat actors take advantage of this pastime when staff is away or just prior to busy seasons, such as the beginning of the school year, long weekends or before the end of a marking period when final grades are due,” the warning notes. “Within the last few weeks, publicly announced ransomware attacks sharply increased.”

‘Exclusive, unique and impressive’

Following a common ransomware playbook in Prince George’s County, the Rhysida gang claimed the theft of sensitive documents, posting screenshots online showing birth certificates, passports and other records purportedly stolen from the district. Unless the district agreed to pay the group 15 bitcoin worth some $375,000, Rhysida threatened to publish the “exclusive, unique and impressive” data on its leak site. 

Such negotiations appeared to expire by Tuesday morning: A trove of files purportedly stolen from the district were published to the cyber group’s leak site, suggesting education leaders had refused to pay the ransom. The development comes after a ticker on the gang’s leak site, meant to signify the district’s approaching ransom payment deadline, was paused or delayed on several occasions. 

A day after the district detected the breach on Aug. 14, it said in a statement that some 4,500 user accounts out of 180,000 were affected, forcing district employees to reset their passwords. Impacted individuals, the district said, “will be contacted in the coming days.” 

The school system is “offering free credit monitoring and identity protections to all staff,” district spokesperson Meghan Gebreselassie said in an email Tuesday morning but declined to comment further. In a Sept. 1 update, the district said staff, students and their families would receive a year of free credit monitoring and identity protection services, acknowledging the attack “may result in unauthorized disclosure of personal information.” 

“We are working diligently to confirm the extent of information that was impacted by this incident, and we will move quickly to provide direct notice to those who are impacted once this determination is made,” the statement says.

Yet special education advocate Ronnetta Stanley said the Prince George’s district hasn’t done enough to keep the community in the loop about the attack and its potential effects on students and parents. The types of information that may have been breached, she told The 74, “has not been clearly communicated.” Special education records, which have been exposed in previous attacks like the one against the Los Angeles Unified School District near the start of the 2022-23 school year, could be at risk in Prince George’s County, she fears.

“There have not been any specific details about exactly what was breached, who may have been affected by it and, then what is the remedy for what should be happening with compromising information?” said Stanley, founder of the special education advocacy group Loud Voices Together. “Not knowing what was leaked and who was affected, it’s difficult to say what the ramifications will be.” 

The recent risk report by the University of Chicago researchers found that district leaders are frequently unaware of the peril that cyber gangs pose, often implement education technology tools without considering privacy implications and routinely endorse digital tools that present potential privacy issues. While banks and large corporations have become harder targets as they bolster their cybersecurity defenses, schools have fallen behind, said lead author Chanenson, a doctoral student studying computer science. 

“This is only going to get worse,” he said, “until we give schools the resources they need to up their defensive game.” 

Ransomware’s long tail

Among the school districts listed on ransomware gang leak sites in August is the one in Edmonds, Washington — a development that for locals may feel like déjà vu. The Akira group named Edmonds as being among its latest victims on Aug. 24, just six months after district officials announced that a “data event” was to blame for a two-week internet blackout in late January. 

Data stolen in the winter 2023 breach, the district warned in February, could include names, Social Security numbers, student records, financial information and medical documents. The district is still analyzing the extent of the attack and plans to notify affected individuals once their review is finalized, district spokesperson Harmony Weinberg said in a Sept. 8 email to The 74. 

It’s unclear, however, whether the district was victimized a second time this summer, a development officials deny. Cybercriminals routinely target victims on multiple occasions — especially those that pay ransoms to retrieve stolen files. In Edmonds, the district recently became “aware of a public allegation by the group believed to be responsible for our winter 2023 data security incident,” Weinberg said. 

“We reviewed the district’s network systems in relation to this data security incident, and found no evidence that any systems were infected with ransomware,” Weinberg continued. “Further, we are not aware of any malicious activity occurring within our network systems since the winter 2023 event.” 

Meanwhile, the Los Angeles and Minneapolis school districts continue to grapple with the fallout from cyberattacks that crippled their systems last school year and led to the widespread data breaches of sensitive records about students and educators. After the Los Angeles district was targeted in a back-to-school ransomware attack over Labor Day weekend last year, the nation’s second-largest school system kicked off this school year by announcing plans to borrow $166 million to bolster its cybersecurity defenses. 

Seven months after Minneapolis Public Schools fell target to a cyberattack that it euphemistically called an “encryption event,” tens of thousands of individual victims are just beginning to learn their sensitive records were compromised as community members blast education officials for leaving them in the dark about key details. 

On numerous occasions over the last several months, educators have complained to district officials that they were being targeted by fraudsters, according to email records obtained by The Daily Dot. “I had my bank account drained last week and had $3 to my name,” one person wrote in an email to Minneapolis schools. Another individual reported getting hit with a fraudulent $2,500 charge on a credit card, while parents reported receiving emails from unverified senders related to their children’s college financial aid. 

In a Sept. 1 update on the Minneapolis district website, a breach notice said school officials undertook a “time-intensive” review to determine what information had been stolen, which included names, Social Security numbers, financial information and medical records. 

“Although it has been difficult to not share more information with you sooner, the accuracy and the integrity of the review were essential,” the district notice notes. Meanwhile, a “summary report” released last week by the law firm Mullen Coughlin stated that the district had provided written notices to more than 105,000 people whose personal information had gotten caught up in the attack. 

The documents were Minneapolis Public Schools’s first public comments on the attack since April 11.  

Such disclosures often fall short in providing victims enough information to keep themselves safe, said Marshini Chetty, a University of Chicago associate professor focused on privacy and cybersecurity. 

“Disclosure is not enough because people may not fully realize what could actually happen and how their data can be misused,” Chetty said. While victim districts routinely offer credit monitoring and other tools to mitigate financial crimes and fraud, she said it’s more challenging to remedy situations where sensitive information, like medical records or student disciplinary records, are disclosed. 

“A lot of times schools are reactive rather than proactive,” she said.  If district leaders aren’t doing enough to protect the data from being stolen in the first place, “then it’s almost too late.”