Privacy Risks of Remote Learning Platforms

The following table shows an overview of the 57 platforms we analyzed in terms of the overall risk level for privacy. It shows a top-level view of the risks posed by privacy policies, security issues, and the extent of ad tracking technology present. For a more detailed view and for a list of individual platform URLs, see the full findings

Note: Security testing was performed on web platforms only, hence the “-” security entries for all app platforms.

^{[1] Access is limited to Indian IP addresses}

Overview Analysis

Of the 57 government-recommended remote learning platforms that we analyzed, we were disturbed to discover only 10 could be considered to pose a low risk to user privacy based on the contents of their privacy policies.

Over half of these official recommendations (33) actually represent a high privacy risk based on their privacy policies or worse, lack thereof.

One third of the platforms (19) contained security flaws that could compromise the privacy of user data, with five of those at high risk due to server software vulnerabilities.

In terms of intrusive ad tracking, we flagged 13 platforms as engaging in advanced advertising practices with privacy implications, while another 13 appeared to be tracking-free. That left a majority somewhere in the middle, typically working with Facebook, Google or both.

Overall, only two remote learning platforms were low risk across each category: Stile in Australia and in Germany, Anton.

Another five just missed out on a clean score due to the presence of Google ad tracking.

• GoNoodle (CAN)
• Ma classe à la maison (FRA)
• ClassDojo (USA)
• Kerboodle (GBR)
• MyMaths (GBR)

The countries whose governments made the worst recommendations were:

• Japan
• Russia
• Mexico
• Indonesia
• Saudi Arabia
• South Africa

However more than half of the G20 governments, including the US, made at least one risky recommendation.

The following table shows a breakdown of key privacy policy elements for each online education platform. This is a top-level view, for more detail, see the full findings.

^{[1] Lacks appropriate detail about personal data collected by cookies.}

^{[2] This was assumed from information taken from a privacy policy annex, as PII collection not specified in main policy.}

^{[3] Update: Seneca Learning has now updated its privacy policy to reduce the amount of PII collected to a “low” level.}

^{[4] Update: Seneca Learning shared with us URLs from its help section showing account data is deleted after 6 years of inactivity. This is not referenced in or linked from the main privacy policy however.}

Summary Findings

• 15 platforms lack a dedicated privacy policy
• 26 collect excessive PII
• 33 collect location information
• 45 have open-ended or undisclosed data retention time limits.
• 7 lack a cookie policy
• 40 either have relationships with third parties with implications for children’s privacy, or do not address this in their policies:
  • 5 share PII with third parties
  • 16 contain third-party ad tracking
  • 6 share aggregated user data
  • 9 have open-ended policies in this area
  • 3 collect or source user data via third parties
  • 13 fail entirely to address this issue

No Dedicated Privacy Policy

The following platforms either have no privacy policy at all or have privacy provisions that are limited to a clause or two in their general Terms of Service. This clearly does not suggest a privacy-centric approach and we have flagged these platforms as high risk by default.

• Educ.ar (ARG)
• Aula Em Casas (BRA)
• Eduyun (CHN)
• Swayam App (IND)
• SnapAsk (JAP)
• Telesecundaria (MEX)
• Russian Electronic School (RUS)
• YaKlass (RUS)
• Tatweer for educational services (SAU)
• V School (SAU)
• Vodacom eSchool (ZAF)
• Korean Education Broadcasting System (KOR)
• EBA: Eğitim Bilişim Ağı (TUR)
• EBA App (TUR)

Privacy Red Flags

We also flagged platforms as high risk if their policies failed to properly outline how they protect children’s sensitive personal data, or if they disclosed commercial exploitation of that data.

A full list of privacy red flags can be found in the source datasheet. However, we have also picked out some of the more egregious examples, as follows.

The US government-recommended platform Scholastic Learn At Home comes under the company’s general privacy policy rather than its much stricter “EdTech” policy. The company advised us that this was because it was intended for home use rather than in the classroom but unfortunately this means that many protections don’t apply as a result.

Instead, Scholastic collects a laundry list of PII from Learn at Home users, including name, home address, email, phone, precise location data, along with detailed device and usage data.

The site also features extensive third-party ad tracking and targeted advertising.

In Australia, Cisco’s WebEx videoconferencing platform is recommended by the government in Victoria, where lockdown was reinstated following new coronavirus outbreaks. Unfortunately, not only are Webex-specific policies not very easy to find among the general Cisco privacy provisions but the personal data collection is extremely extensive and includes recordings of video calls.

Cisco also claims broad rights over how it can use personal information. Despite disclosing extensive sharing with third parties for advertising and other purposes, the policy includes no active protections for children.

Open School in Canada has a very barebones privacy policy that, despite an almost complete lack of substantive content, makes statements about not using cookies that were contradicted by our tests.

In Japan, we found that Snapask not only collects extensive PII but also sells it to academic institutions. Worryingly, there was neither a childrens privacy policy nor a sunset period for data retention.

Study Sapuri also had multiple red flags. The platform does not clearly specifiy what PII it collects while disclosing that not only does it use the data for ads but it also shares data with companies using the service and employs behavioral targeting.

Russian platform Teach.ru collects extensive personal data and employs it for advertising. It also tracks visitors after leaving the site in order to show them targeted ads based on their browsing behavior. Teach.ru is another learning platform with no sunset period on data retention.

Mano in Brazil collects SMS and chat messages as part of its invasive personal data collection. It is also one of four platforms collecting precise location data. Indonesia’s Kelas Pintar also advises that its users should expect that messages can be read.

Mexican platform Aprende 2.0 has perhaps the most disturbing level of personal data collection, in that it collects racial or ethnic origin along with photos or images of faces.

We should point out that there were also a small number of platforms, such as BrainPop and Khan Academy, that we deemed to be Medium Risk, despite extensive data collection and third-party ad tracking. This was due to comprehensive children’s privacy protections that mitigate some of that risk.

The following table shows a breakdown of the results of our testing of each online education platform where we discovered security risks with implications for user privacy. This is a top-level view, for more detail, see the full findings.

Summary Findings

• 12 sites were vulnerable to attack through failure to securely configure session cookies
• 8 sites were not secure as HTTPS has not been implemented, either not at all or was not used on every web page
• 5 sites were running outdated server-side software with known vulnerabilities that have privacy implications
• 2 sites passed passwords in plain text

Web Server Vulnerabilities

The highest-risk platforms from a security perspective were those running outdated versions of server-side software, such as Apache and NGINX.

These sites also failed to hide their server signatures, meaning it’s trivial for an attacker to see what version of the software they are running and check public databases for vulnerabilities and then look for exploits, such as this one.

Mexican site Aprende 2.0 is the most egregious offender. Its Apache and OpenSSL software is seven years out-of-date and has five severe known vulnerabilities, four of which risk a total compromise of user privacy. This shoddy approach to server maintenance does little to reassure that security is front-of-mind for those responsible for the platform.

The other sites with high-risk server vulnerabilities were:

• Clickview (AUS)
• Knowledgehook (CAN)

While the 12 sites found to have non-secure session cookies may pose less of a risk to user privacy overall than those with unpatched server-side software, their users are still vulnerable to attack.

Note that while many sites in this report featured misconfigured cookies, we only deemed those with session cookies lacking the appropriate security flags as exposing users to a mid-level risk of attack.

How Can Non-secure Cookies be Exploited?

Let’s take the example of EBA: Eğitim Bilişim Ağı. This site has both HTTPS and HTTP variants available, which means a single internal link to the HTTP variant, a HTTP downgrade attack from a bad actor, or even a phishing attempt, could switch a visitor from the secure version of the site to the non-secure HTTP version.

Once the site visitor is using the HTTP variant, a bad actor on the same network could potentially monitor network traffic from the site visitor, and therefore steal any non-secure cookies sent by their browser, which they could then use to hijack their session and hence personal details.

Use of a HSTS header would stop this from happening, as once seen, the browser would only try and access the HTTPS version of the site. Unfortunately, this header has not been implemented.

It’s a similar story at Argentina’s Educ.ar.

We also found that passwords were submitted unencrypted over the network by two sites, in clear violation of users’ expectation of security:

• Aprende 2.0 (Mexico)
• Eduyun (China)

The following table shows a breakdown of the results of our testing of each online education platform for the use of third-party cookies, requests to third-party advertising domains and any other evidence of ad trackers. This is a top-level view, for more detail, see the full findings.

Summary Findings

• 21 platforms featured Facebook trackers
• 40 featured Google ad tracking
• 9 shared data with programmatic advertising platforms
• 15 featured other forms of ad tracking
• 15 were free of ad tracking

Privacy Implications

It’s important that parents, whose children are using remote learning platforms, are aware of the forms of advertising many educational resources are engaging in.

Most educational products we analyzed appear to run digital advertising to attract new users, often retargeting visitors who have yet to sign up to their service around the web. A retargeted visitor could be either a parent or a child, and retargeting children undermines their rights to digital privacy, not to mention the risks of exposing them to this form of advertising at a young age.

More worryingly, we found some of the platforms hosting AdSense and other banner-type (display) advertising scripts. If the right filters are not set in place by the educational platform, non-child friendly advertising could be inadvertently displayed.

The above risks are heightened if a child is on a ‘shared’ computer used by other adults in the household. Advertising cookies set in web browsers of shared computers can generate an inaccurate digital profile of a user, which advertisers can target. A child may therefore be exposed to advertising aimed at adults.

The fact that 15 platforms, including Stile in Australia; Anton and Moodle in Germany; and Starfall in the US, were able to operate without resorting to this kind of tracking shows that it’s possible.

To those parents concerned about excessive advertising, we recommend following the advice below, and particularly the use of a trusted Ad-blocker to block ads from being displayed.