‘Overkill’ – In CPS, student protection act hinders teachers, curriculum

On deadline, things are a bit different for this issue of The Champion. 

An air of ambiguity looms over Journalism and other programs at Lane and many other schools, because the basic programs that students need to create and learn (in the Champion’s case, Adobe Indesign and Student Newspapers Online – programs that help us put together our newspaper both in print and online) have been restricted by additional layers of privacy.  

To some, like Lane computer science teacher Jeff Solin, these new security measures verge on suffocation. 

“It’s important to wear your seatbelt in your car,” Solin said “But if somebody said that you have to wear twenty seatbelts in your car, you’d think… isn’t that a little overkill?” 

“That’s kind of what Chicago Public Schools has done with SOPPA,” he continued.

SOPPA, an Illinois law borne out of large-scale data exposure and designed to protect student privacy and personal information, has had the unfortunate boomerang effect of restricting CPS student access, to some utilitarian, some beloved, and many curriculum-centric programs. In response, some teachers have had to completely redesign their curriculum. 

In 2019, Gov. J.B. Pritzker signed an update to the Student Online Personal Protection Act (SOPPA), which aims to protect the privacy of students in Illinois public schools, especially in regards to data collection from students who use educational websites and programs. 

Illinois Families for Public Schools (ILFPS), a parent advocacy group that pushed for the update, sums up the bill on its website. 

“The legislation…will provide much greater transparency and control to parents on how schools, vendors and the Illinois State Board of Education (ISBE) are collecting and using data from public school students from preschool through 12th grade.” 

Part of the impetus for such regulation lay with standardized testing and concerns over the trove of personal data that testing companies accrue. IFPS, the aforementioned parent advocacy group, pointed to a 2018 hacking of testing giant Pearson, which exposed the personal data of hundreds of thousands of current and former CPS students, highlighting the need for greater data regulation. 

The new state SOPPA update went in effect this past summer, effective July 1st. 

Included in SOPPA is the promise that parents will be notified in the event of any data breaches or violations. Currently, no such breaches are noted on the CPS SOPPA website.  

But according to CPS, the state’s version of SOPPA did not go far enough.

“Two years ago,” CPS Director of Information Security Craig Youngberg told The Champion, “Our legal team was asked if we wanted to join that standard Illinois SOPPA template, but our lawyers didn’t think there was enough concern for what we had to do in Chicago, so we chose not to sign onto that condition.” 

As a result of this, Youngberg said, CPS has conducted its own reviews of vendors it contracted with — such as different websites and online programming — to ensure their security.  

As part of their push for this update, Illinois Families for Public Schools cited dubious legal consent agreements that students had to sign with some vendors such as testing company The College Board. Such agreements stipulated that students and parents would relinquish their right to sue companies like College Board — which, according to ILFPS, is a right recognized by the Illinois School Student Records Act.

CPS tries to limit the amount of information sent out to vendors from the beginning, so in the event of a data breach such as that of the Pearson example, less personal information is out in the open, according to Youngberg. 

“That way, when everything breaks, as it might one day, only a small amount [of personal data] is out there,” Youngberg said.  

“Even if they are collecting just your email,” said Damir Ara, an assistant principal in charge of the SOPPA process at Lane, “that’s more than enough.”

These additional layers of compliance make it difficult for smaller, often non-profit organizations and vendors, who often don’t have legal teams to respond to negotiations. A non-profit, university-developed program that Solin uses for his entire Microarchitecture and Logic design course falls under the new SOPPA guidelines simply because it shares a student’s first name and email, according to him, and thus needs a comprehensive data sharing agreement with CPS. 

There are boilerplate data sharing and SOPPA agreements between districts and companies outside of CPS that don’t require negotiation, according to both Solin and Youngberg. But CPS layered extra stipulations on top of these, leading some, especially non-profits like the Micro-architecture program, to stray away from negotiations entirely, effectively severing use for Computer Science teachers like him. 

“[The program was likely] developed by graduate students and a professor — they don’t care if some guy in Chicago Public Schools wants to use it for his students. I reached out to them, and I never heard back,” Solin said. 

“They also don’t have legal teams to look over all the data-sharing contracts,” Solin added.  

Youngberg admitted CPS would have to look at the situation of smaller nonprofits more. 

“We’re concerned about them because data is data as far as I’m concerned — it doesn’t matter if a real big guy or a small [site] is breached, if they still have 20,000 CPS students records in there, it’s a problem.”

Code.org, according to Solin and alluded to by Youngberg, entered negotiations with CPS but found CPS SOPPA terms to be too unreasonable, leaving tens of thousands of students without the federally-promoted Computer Science website they had come to know.  Code.org labels itself as a non-profit that seeks to “expand access to Computer Science in schools and increase participation by young women and students from other underrepresented groups.” 

School districts across the state have found much different results using their much less intensive SOPPA Vendor review process. Code.org, for example, is used by many schools nationally and complied with other Illinois school districts under the state version of SOPPA, but not the CPS iteration, according to Solin.

“I think that’s completely unreasonable,” Solin said. “It completely hurts educational learning experiences for thousands and thousands of kids.” 

In the event that a Lane teacher is requesting use of a non-approved site like Solin, they would give such a request to Assistant Principal Ara, who would then send that request to a department at CPS central office.  

But according to Ara, there is only one CPS official in charge of a backlogged SOPPA vendor process downtown. 

“There’s only one contact, technically, that I can go to, and it’s a really small office,” Ara said. “I know this person is very busy with many of the same requests that I have [from other schools,] so requests take longer.” 

“One office, one person, isn’t enough,” Ara said in response to whether Lane administration needed help from CPS, before adding that he understood the amount of red tape involved in such a system slows things down. Someone to help expedite the process, he continued, would be welcome. 

Craig Youngberg, however, accepted that some growing pains were expected in such an intensive process.

“We knew this was coming. … We knew it would be a push to get things through,” Youngberg said. 

According to him, CPS started communicating to principals two years ago, and spoke of the need for administrations to reach out to vendors, and their teachers, and get them into the SOPPA process. 

A basic part of the system as Youngberg denoted, is the communication between teachers and administrators, who know what sites and programs they need for their given curriculum. 

“We don’t know what the teachers are using at the central office,” Youngberg added. 

But even with this process, teachers like Solin feel frustrated. 

“Teachers were not in the position to be able to do anything about it,” Solin said. “CPS made these decisions that massively impact teachers and students — but teachers aren’t the people that can solve that problem.” 

“I’m reaching out to Adobe, and trying to get hold of their legal team [for a different program] — I shouldn’t have been the one to do that,” Solin said. 

“CPS,” said an exasperated Solin, “should have been all over that.” 

On the CPS database of SOPPA vendors, Adobe Creative Cloud is nowhere to be found  — leaving teachers who are uncertain of whether it’s approved to instead rely on hasty workarounds. Digital Imaging teacher Amy Diamond, for example, is using a nearly 10-year-old version of her class’s Adobe design program. “It’s been awful, but we’ll make it work,” she said of the outdated software.  

Until any substantiated reports of an agreement with the Adobe Creative Cloud and its third-party vendor arise, the only certainty for The Champion’s requisite newspaper layout program seems to be the presence of red tape. It’s anyone’s guess, including ours, as to whether Lane’s only student newspaper will have a crisp print issue to slip into the eager hands of students and staff during the week.  

For other staples of Lane students’ educational diet, like Kahoot! and Desmos, it’s not looking likely that they’ll still be usable once a firewall shields some non-approved sites after the SOPPA process winds down. Both are currently labeled as “not currently approved” on the CPS SOPPA database. While this could certainly mean both very large and popular websites are late to the process, it could also mean they have refused to play ball entirely. 

Even without the firewall, teachers are frustrated and bracing for the change. While the computer science department has been focused on the issue for a long time, Solin said many have been caught off guard.  

“I don’t think administrations and schools realized the impact of what was coming,” he said.