This week I head to DC for the Student Privacy Boot Camp for Edtech Companies. This event, co-hosted by Rethink Education and the Future of Privacy Forum is timely. Over the past several weeks, student data privacy has again been in the news as a software engineer and dad from the Silicon Valley took some time to reveal that many of the applications his children use in school could be easily hacked to capture student information.

The forum will address the U.S. laws that govern how companies handle student data, case studies of heroes and villains, and inform the attendees on what to expect from the federal government in the future. I look forward to all of this. Having just re-written Hapara’s privacy policy, these issues are top of mind for me at the moment.

As I was doing the research for the privacy policy re-write, I examined my own views on student and adult data privacy. What are the dangers of allowing a student username or email to escape onto the internet? When setting policy you do not build for the 80% case as you might when designing a product. You must not only consider the probable, you must build for the possible.

My physics background trained me to consider the extremes of scientific models to evaluate their extensibility. Making the case for student data privacy does not require an imagining the extremes exercise. Instead let’s construct a very real scenario.

Imagine an email address escapes from your application or service and that it escapes with some content that reveals the name of a class or the details of a class assignment. This is a very simple breach, and seemingly far less severe than say revealing credit card information as happened with the Playstation incident a few years ago.

Minor as it may seem, an email is a window into a person’s private life. As adults we share emails cautiously with service providers because we know the spam that is often associated with the exchange. You may have heard the saying, if you are not purchasing the product, you are the product. Sometimes, sadly, even when you purchase the product you still become the product for someone else. Those tiny tick boxes that allow you to opt out of the information that your service provider thinks you might find valuable are becoming harder and harder to find.

Spam is one thing, but personal contact is another. Even children that attend schools with strong digital citizenship curriculum need practice discerning real content from click bait. If a child’s email, heaven forbid, were to fall into the hands of a sexual predator with enough contextual information to propose a meet up, the child might be tricked into putting themselves in a horribly dangerous situation.

As a former teacher, a father, and now a provider of edtech for children and adolescents, I don’t need any convincing. Data security is a top priority, and I look forward to learning how we can best protect the information and activity of our children while still giving them educational opportunities help them learn faster and take their learning deeper.