Enigma 2019

Many of the security and privacy mechanisms we build - permission prompts, security warnings, privacy policies - make one critical assumption: the end-user is an adult with agency to make their own decisions. Children, and especially children in schools, operate in a different security and privacy context than the general-purpose online tools they use. Young students can't evaluate security risks or consent to data sharing, but we give them the same security warnings and privacy controls that confuse adults.

Authentication mechanisms aren't designed for children and don't adapt to their age. Password "best practices" aren't considerate of children who are learning to type. Many two-factor and password reset systems don't work for kids who aren't allowed to have phones. Mobile apps that never expire sessions don't make sense for schools who can't afford a device for every student.

The classroom setting is different than the corporate or consumer internet environment. The dynamic power structure of teachers, school administrators, students, and parents needs to be understood and baked into authentication and authorization tools for schools. Teachers play the role of system administrators, fielding support questions, fixing keyboards, and resetting passwords. School and district administrators have important and complicated relationships with the classroom, and technology is deployed both top-down and bottom-up, making inflexible systems brittle.

While many recognize the promise of technology in the classroom, many attempts to design kid-friendly systems are met with suspicion. Early academic data is sensitive. The concept of a "permanent record" is an educational privacy trope. In the era of big data, this is even more concerning. When students create content in edtech apps, that may be the first time they associate their online identity with data.

While edtech promises a revolution in learning outcomes, it first needs to be both safe and useful. This talk introduces security and privacy challenges kids face using technology in the classroom. It's imperative that we apply security and privacy design principles with an understanding of the real-world classroom context to realize the benefits of education technology for society.