Uncovering Security Flaws in Digital Education Products for Schoolchildren

Natasha Singer, writing for the New York Times:

When Tony Porterfield’s two sons came home from elementary school with an assignment to use a reading assessment site called Raz-Kids.com, he was curious, as a parent, to see how it worked. As a software engineer, he was also curious about the site’s data security practices.
 And he was dismayed to discover that the site not only was unencrypted, but also stored passwords in plain text — security weaknesses that could potentially have allowed unauthorized users to gain access to details like students’ names, voice recordings or skill levels. He alerted the site to his concerns. More than a year later, the vulnerabilities remain.

The full article is here.

This reminded me of Quinn Norton’s ‘Everything Is Broken’ (warning: lots of swear words in there).

There are lots of areas where security simply isn’t discussed, partly because it’s not demanded by customers. How would they know to ask for security features, if they don’t know what they’re asking for?

“For many younger companies, the focus has been more on building the product out and less on guaranteeing a level of comprehensive privacy and security protection commensurate with the sensitive information associated with education,” said Jonathan Mayer, a lawyer and computer science graduate student at Stanford University. “It seems to be a recurring theme.”

This isn’t just a recurring theme in education. It’s a recurring theme everywhere.