Remote Learning During Covid-19: Global Privacy Report

With millions of children forced to learn from home due to Covid-19 lockdowns, online learning platforms have experienced an unprecedented growth in demand. We analyzed 57 platforms recommended by governments around the world and found that over half pose a significant risk to children's digital privacy.

UPDATED 23 September 15:45 GMT to reflect changes to the privacy policies of Seneca Learning made since this report was published and to add a clarification based on additional information shared by the company.

Key Findings

Weak privacy protections: 58% (33) of the 57 platforms analyzed pose a high risk to children’s digital privacy.

  • 15 have no dedicated privacy policy
  • 26 collect excessive amounts of personally identifiable information (PII)
  • 33 store location information
  • 45 have open-ended or undisclosed data retention time limits.
  • 5 share personally identifiable information with third parties

Alarming security issues: One third (19) of all platforms have security issues.

  • 8 do not have HTTPS fully-enabled
  • 5 have unpatched server-side software with known vulnerabilities
  • 12 set insecure cookies
  • 2 submit passwords in plain text

Advanced advertising: Three-quarters (43) of the platforms contain ad tracking.

  • 13 platforms contain advanced ad tracking
  • 30 contain moderate ad tracking
  • 21 feature Facebook trackers
  • 40 feature Google ad tracking

Introduction

At least 1.2 billion children around the world have been affected by school closures due to Covid-19 lockdowns. In response, governments around the world have rushed to recommend online platforms to help students continue to learn from home.

We analyzed 57 online learning platforms recommended by the national and state governments of the G20 and found that more than half pose a significant risk to children’s digital privacy.

Given the sensitive nature of children’s personal data and its potential to lead to real-world consequences, protecting children’s digital privacy and online security is incredibly important.

Despite this, 15 platforms recommended by governments don’t even have a dedicated privacy policy and 8 don’t have HTTPS enabled across the entire platform.

Almost half of all platforms collect a huge amount of personally identifiable information, including the user’s location, mobile phone number and home address. Yet only one in five clearly state how long this data will be held for.

As children are more vulnerable than adults to online threats, governments should be leading the way in promoting safe, secure and privacy-protecting platforms.

Instead, they are recommending platforms that put their security and digital privacy at risk.

As Privacy International recently stated, “The rushed adoption of technology around the world, to deliver emergency remote instruction, risks undermining learners’ and children’s rights at an unprecedented speed and scale.”

Although some children are beginning to return to the classroom, remote learning is set to continue for many millions around the world and demand for online learning platforms remains well above the pre-pandemic average.

Overview

The following table shows an overview of the 57 platforms we analyzed in terms of the overall risk level for privacy. It shows a top-level view of the risks posed by privacy policies, security issues, and the extent of ad tracking technology present. For a more detailed view, see the full findings.

Note: Security testing was performed on web platforms only, hence the “-” security entries for all app platforms.

[1] Access is limited to Indian IP addresses

Overview Analysis

Of the 57 government-recommended remote learning platforms that we analyzed, we were disturbed to discover only 10 could be considered to pose a low risk to user privacy based on the contents of their privacy policies.

Over half of these official recommendations (33) actually represent a high privacy risk based on their privacy policies or, worse, the lack thereof.

One third of the platforms (19) contained security flaws that could compromise the privacy of user data, with five of those at high risk due to server software vulnerabilities.

In terms of intrusive ad tracking, we flagged 13 platforms as engaging in advanced advertising practices with privacy implications, while another 13 appeared to be tracking-free. That left a majority somewhere in the middle, typically working with Facebook, Google or both.

Overall, only two remote learning platforms were low risk across each category: Stile in Australia and Anton in Germany.

Another five just missed out on a clean score due to the presence of Google ad tracking.

The countries whose governments made the worst recommendations were:

  • Japan
  • Russia
  • Mexico
  • Indonesia
  • Saudi Arabia
  • South Africa

However, more than half of the G20 governments, including the US, made at least one risky recommendation.

Privacy

The following table shows a breakdown of key privacy policy elements for each online education platform. This is a top-level view; for more detail, see the full findings.

[1] Lacks appropriate detail about personal data collected by cookies.

[2] This was assumed from information taken from a privacy policy annex, as PII collection not specified in main policy.

[3] Update: Seneca Learning has now updated its privacy policy to reduce the amount of PII collected to a “low” level.

[4] Update: Seneca Learning shared with us URLs from its help section showing account data is deleted after 6 years of inactivity. This is not referenced in or linked from the main privacy policy however.

Summary Findings

  • 15 platforms lack a dedicated privacy policy
  • 26 collect excessive PII
  • 33 collect location information
  • 45 have open-ended or undisclosed data retention time limits.
  • 7 lack a cookie policy
  • 40 either have relationships with third parties with implications for children’s privacy, or do not address this in their policies:
    • 5 share PII with third parties
    • 16 contain third-party ad tracking
    • 6 share aggregated user data
    • 9 have open-ended policies in this area
    • 3 collect or source user data via third parties
    • 13 fail entirely to address this issue

No Dedicated Privacy Policy

The following platforms either have no privacy policy at all or have privacy provisions that are limited to a clause or two in their general Terms of Service. This clearly does not suggest a privacy-centric approach and we have flagged these platforms as high risk by default.

  • Educ.ar (ARG)
  • Aula Em Casas (BRA)
  • Eduyun (CHN)
  • Swayam App (IND)
  • SnapAsk (JAP)
  • Telesecundaria (MEX)
  • Russian Electronic School (RUS)
  • YaKlass (RUS)
  • Tatweer for educational services (SAU)
  • V School (SAU)
  • Vodacom eSchool (ZAF)
  • Korean Education Broadcasting System (KOR)
  • EBA: Eğitim Bilişim Ağı (TUR)
  • EBA App (TUR)

Privacy Red Flags

We also flagged platforms as high risk if their policies failed to properly outline how they protect children’s sensitive personal data, or if they disclosed commercial exploitation of that data.

A full list of privacy red flags can be found in the source datasheet. However, we have also picked out some of the more egregious examples, as follows.

The US government-recommended platform Scholastic Learn At Home comes under the company’s general privacy policy rather than its much stricter “EdTech” policy. The company advised us that this was because it was intended for home use rather than in the classroom but unfortunately this means that many protections don’t apply as a result.

Instead, Scholastic collects a laundry list of PII from Learn at Home users, including name, home address, email, phone, precise location data, along with detailed device and usage data.

The site also features extensive third-party ad tracking and targeted advertising.

In Australia, Cisco’s WebEx videoconferencing platform is recommended by the government in Victoria, where lockdown was reinstated following new coronavirus outbreaks. Unfortunately, not only are Webex-specific policies not very easy to find among the general Cisco privacy provisions but the personal data collection is extremely extensive and includes recordings of video calls.

Cisco also claims broad rights over how it can use personal information. Despite disclosing extensive sharing with third parties for advertising and other purposes, the policy includes no active protections for children.

Open School in Canada has a very barebones privacy policy that, despite an almost complete lack of substantive content, makes statements about not using cookies that were contradicted by our tests.

In Japan, we found that Snapask not only collects extensive PII but also sells it to academic institutions. Worryingly, there was neither a children’s privacy policy nor a sunset period for data retention.

Study Sapuri also had multiple red flags. The platform does not clearly specify what PII it collects, while disclosing that it not only uses the data for ads but also shares data with companies using the service and employs behavioral targeting.

Russian platform Teach.ru collects extensive personal data and employs it for advertising. It also tracks visitors after leaving the site in order to show them targeted ads based on their browsing behavior. Teach.ru is another learning platform with no sunset period on data retention.

Mano in Brazil collects SMS and chat messages as part of its invasive personal data collection. It is also one of four platforms collecting precise location data. Indonesia’s Kelas Pintar also advises that its users should expect that messages can be read.

Mexican platform Aprendre 2.0 has perhaps the most disturbing level of personal data collection, in that it collects racial or ethnic origin along with photos or images of faces.

We should point out that there were also a small number of platforms, such as BrainPop and Khan Academy, that we deemed to be Medium Risk, despite extensive data collection and third-party ad tracking. This was due to comprehensive children’s privacy protections that mitigate some of that risk.

Security

The following table shows a breakdown of the results of our testing of each online education platform where we discovered security risks with implications for user privacy. This is a top-level view; for more detail, see the full findings.

Summary Findings

  • 12 sites were vulnerable to attack through failure to securely configure session cookies
  • 8 sites were not secure because HTTPS was either not implemented at all or was not used on every web page
  • 5 sites were running outdated server-side software with known vulnerabilities that have privacy implications
  • 2 sites passed passwords in plain text

Web Server Vulnerabilities

The highest-risk platforms from a security perspective were those running outdated versions of server-side software, such as Apache and NGINX.

These sites also failed to hide their server signatures, meaning it’s trivial for an attacker to see what version of the software they are running and check public databases for vulnerabilities and then look for exploits, such as this one.

Mexican site Aprendre 2.0 is the most egregious offender. Its Apache and OpenSSL software is seven years out-of-date and has five severe known vulnerabilities, four of which risk a total compromise of user privacy. This shoddy approach to server maintenance does little to reassure that security is front-of-mind for those responsible for the platform.

The other sites with high-risk server vulnerabilities were:

While the 12 sites found to have non-secure session cookies may pose less of a risk to user privacy overall than those with unpatched server-side software, their users are still vulnerable to attack.

Note that while many sites in this report featured misconfigured cookies, we only deemed those with session cookies lacking the appropriate security flags as exposing users to a mid-level risk of attack.

How Can Non-secure Cookies be Exploited?

Let’s take the example of EBA: Eğitim Bilişim Ağı. This site has both HTTPS and HTTP variants available, which means a single internal link to the HTTP variant, an HTTP downgrade attack from a bad actor, or even a phishing attempt, could switch a visitor from the secure version of the site to the non-secure HTTP version.

Once the site visitor is using the HTTP variant, a bad actor on the same network could potentially monitor the visitor’s network traffic and steal any non-secure cookies sent by their browser. The attacker could then use those cookies to hijack the visitor’s session and hence access their personal details.

Use of an HSTS header would stop this from happening because, once the browser has seen it, the browser would only try to access the HTTPS version of the site. Unfortunately, this header has not been implemented.

It’s a similar story at Argentina’s Educ.ar.
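
As an added example (not part of the original report or its test tooling), the Python sketch below audits a set of HTTP response headers for the issues described in the two sections above: a Server header that discloses a version, a missing HSTS header, and session cookies set without the Secure or HttpOnly flags. The header values are constructed samples, and the session-cookie name pattern is an assumed heuristic.

```python
import re

# Constructed sample responses; not captured from any platform in the report.
SAMPLE_WEAK = [
    ("Server", "Apache/2.2.15 (CentOS)"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
]
SAMPLE_HARDENED = [
    ("Server", "nginx"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

# Assumption: cookies whose names match this pattern carry session state.
SESSION_NAME = re.compile(r"sess|sid|auth|token", re.I)


def cookie_flags(set_cookie_value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_headers(headers):
    """Audit a list of (header, value) pairs and return a list of findings."""
    findings = []
    single = {k.lower(): v for k, v in headers if k.lower() != "set-cookie"}

    # A version number after the product name lets anyone look up known CVEs.
    server = single.get("server", "")
    if re.search(r"/\d", server):
        findings.append(f"server-version-disclosed: {server}")

    # Without HSTS (or with max-age=0) the browser may still use plain HTTP.
    hsts = single.get("strict-transport-security", "")
    match = re.search(r"max-age=(\d+)", hsts, re.I)
    if not match or int(match.group(1)) == 0:
        findings.append("hsts-missing")

    # Only session cookies are flagged, mirroring the report's scoring note.
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = cookie_flags(value)
        if not SESSION_NAME.search(name):
            continue
        if "secure" not in attrs:
            findings.append(f"cookie-no-secure: {name}")
        if "httponly" not in attrs:
            findings.append(f"cookie-no-httponly: {name}")
    return findings
```

A session cookie without the Secure flag is the one that travels over the HTTP variant of a site, which is why that finding matters most when HSTS is also missing.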

We also found that passwords were submitted unencrypted over the network by two sites, in clear violation of users’ expectation of security:

Ad Tracking

The following table shows a breakdown of the results of our testing of each online education platform for the use of third-party cookies, requests to third-party advertising domains and any other evidence of ad trackers. This is a top-level view; for more detail, see the full findings.

Summary Findings

  • 21 platforms featured Facebook trackers
  • 40 featured Google ad tracking
  • 9 shared data with programmatic advertising platforms
  • 15 featured other forms of ad tracking
  • 15 were free of ad tracking

Privacy Implications

It’s important that parents whose children are using remote learning platforms are aware of the forms of advertising that many educational resources engage in.

Most educational products we analyzed appear to run digital advertising to attract new users, often retargeting visitors who have yet to sign up to their service around the web. A retargeted visitor could be either a parent or a child, and retargeting children undermines their rights to digital privacy, not to mention the risks of exposing them to this form of advertising at a young age.

More worryingly, we found some of the platforms hosting AdSense and other banner-type (display) advertising scripts. If the right filters are not set in place by the educational platform, non-child friendly advertising could be inadvertently displayed.

The above risks are heightened if a child is on a ‘shared’ computer used by other adults in the household. Advertising cookies set in web browsers of shared computers can generate an inaccurate digital profile of a user, which advertisers can target. A child may therefore be exposed to advertising aimed at adults.

The fact that 15 platforms, including Stile in Australia; Anton and Moodle in Germany; and Starfall in the US, were able to operate without resorting to this kind of tracking shows that it’s possible.

To those parents concerned about excessive advertising, we recommend following the advice below, and particularly the use of a trusted Ad-blocker to block ads from being displayed.

Advice for Parents

  • Read the privacy policies of any remote learning apps or websites you’re planning to use. Familiarize yourself with the privacy settings.
  • Disable intrusive settings such as location tracking, camera access, etc. unless they are absolutely necessary.
  • Remove as much public-facing profile information as possible.
  • Social media: Never create an account using your social media profile. Social media companies and third-party platforms financially benefit from the sharing of personal data via this form of access.
  • Security: If the website and/or app allows it, set up two-factor authentication and log-in alerts for when the account is accessed from an unrecognized device. The latter will help you spot if your child’s account has been compromised.
  • Use a Virtual Private Network: A VPN ensures that your child’s web browsing activities stay private. IP address tracking is a very common practice by learning platforms, and a VPN will mask your true IP location and prevent it from being collected. VPNs also encrypt insecure web connections, for added security.
  • Use an Ad blocker: Online advertising can not only be inappropriate at times, but it can also be a source of extensive data mining, viruses or malware. Installing an ad blocker, like Adblock Plus, allows your child to browse websites without being exposed to aggressive advertising.
  • If you’re using a shared device, clear all browser cookies from your web browser’s settings after each use. This prevents advertisers from retargeting your device via tracking cookies.

Methodology

We selected the platforms for inclusion in this study by reviewing the recommendations made by G20 governments for remote learning platforms for use by students while schools were closed due to the pandemic. We selected those with the highest peak traffic numbers and installs.

For countries where state governments made the recommendations, such as in the US, we selected high-traffic platforms that had been recommended by multiple states. In Australia, where only a single state, Victoria, is currently recommending online learning resources, we limited ourselves to that state’s recommendations.

We conducted analysis in three areas: privacy policies, website security and ad tracking. We used a combination of publicly available tools to conduct our tests along with CVE databases.

About Us

Top10VPN.com is the world’s largest VPN review website. We recommend the best VPN services to help protect consumers’ privacy online. We also aim to educate the general public about digital privacy and cybersecurity risks through our free online resources and research.

For more of our original cybersecurity research, take a look at our COVID-19 Digital Rights Tracker; Employee Surveillance research or the Dark Web Market Price Index 2020: Covid-19 Edition.

Additional research by Christine O’Donnell and JP Jones