Students’ New Surveillance State

For 24 hours a day, seven days a week, American public school students are being watched and tracked online, according to a new law review article by Danielle K. Citron, a University of Virginia School of Law professor who writes and teaches about privacy, free expression and civil rights.

Teachers, administrators and school resource offices have the tools to watch — in real time — students’ searches, emails, chats, photos, calendar invites, geolocation and more, according to Citron’s research. Private companies are facilitating this continuous and indiscriminate surveillance by scanning, tracking and analyzing the most intimate aspects of young people’s lives — their online activities.

Her article, “Under Their Eye: The Surveilled Student,” which is forthcoming in the Stanford Law Review, provides an analysis of the costs and benefits of this surveillance, identifies the underlying legal issues and provides recommended solutions. Citron, a recipient of a MacArthur “genius grant,” is the Jefferson Scholars Foundation Schenck Distinguished Professor in Law and the Caddell and Chapman Professor of Law at UVA. Among a bevy of other thought-leadership positions, Citron is the co-director of the Law School’s LawTech Center (along with Professor Elizabeth A. Rowe) and the vice president of the Cyber Civil Rights Initiative, a nonprofit devoted to fighting for civil rights and liberties in the digital age.

How did the idea for this article come together?

For my first and second books, about cyberstalking and intimate privacy, I focused on the different ways cyber abuse impacts adults, although I did allude to children. I knew that I wanted to tackle the question about children’s safety and privacy as a separate line of inquiry because the cost-benefit analysis and our understanding of their intimate privacy would be different. I wrote this piece as the first part of a larger book project that I’m co-authoring with Hany Farid, a computer scientist and distinguished policy wonk who’s an expert on children’s online safety and the father of PhotoDNA. Hany is why we have technical tools to prevent the reposting of child sexual exploitation material. We want to write a book together about children’s internet safety and privacy, and I want to begin laying the legal foundation for our project.

This article will be part of a series of articles cultivating an understanding of student and youth intimate privacy as a subpart of intimate privacy. My most immediate follow-up to this article is a co-authored piece with Professor Ari Waldman concerning youth intimate privacy — how law tends to give parents control over their children’s privacy and how some parents have interests that diverge from children’s and undermine their children’s well-being with access to their most intimate thoughts, searches and lives. This is especially true for children who are exploring their gender identity and sexual orientation. Scholars who write about gender and transgender identity say that when one’s gender identity is revealed without their permission at an early age — when they’re outed — it can shatter who they are at their core.

Why are students a distinct issue?

Young people need intimate privacy when they’re in the process of forming their identity, which is their full-time job. Every day, young people are searching, chatting, texting, emailing, browsing, reading, and sharing on their laptops. They are using school-provided laptops to research a paper, search for information about reproductive health and research information about their sexual identity. Their thinking and innermost thoughts are expressed and recorded in their online activities. Digital technologies can be indispensable to students’ self-development. Online tools can enable self-exploration, enhance the sense of human dignity, and facilitate close relationships. They can, yes, but those wonderful possibilities are not guaranteed. For students, all of those possibilities are in jeopardy.

Students are now under continuous surveillance by public schools and companies in ways that adults would reject. In 2013, U.S. adults made clear that they don’t want even a small semblance of this, when they rejected the continuous and indiscriminate monitoring of telephone data that was then provided to government.

So why do now we have children’s internet activity on school-provided laptops being scanned, analyzed, and reported to public schools and school resource officers?

Public school districts think federal law requires them to monitor their students, which is a misunderstanding of the federal Children’s Internet Protection Act. CIPA was passed in 2000, when students had access to school computers only when they were physically at school, whether in computer labs or classrooms. The idea was that we didn’t want students to be in the computer room looking at porn, so schools had to block porn to receive a federal discount for internet access. That’s literally what Congress was thinking about. But schools are effectively saying, “Because we have to block porn, it requires us to see, block and, crucially, monitor everything students do with laptops,” even though students use these laptops at home, on weekends, and during the summer and holidays. So, students are being monitored by schools every second of every day. This is happening even though CIPA has a clear disclaimer that continuous tracking of students online is not required.

Schools ignore that disclaimer in the name of protecting students from self-harm, bullying and threats. They are not just blocking pornography and other visual obscenity, as the law requires, but they are spending public funds on contracts with private companies that scan and analyze students’ online activities. Those private companies rely on software to alert them about concerning material; their content moderators — who are not well-trained — have seconds to review the flagged material, which they then forward to school administrators and other officials. Those alerts usually are flagged after school hours and on weekends, so law enforcement officers are the ones who are contacted.

What has been Congress’ reaction to this?

The Federal Communications Commission, which has enforcement power over these issues, has been silent on this activity, even though advocates have brought the issue to their attention. Given the FCC’s inaction, schools continue to get federal discounts on internet access and to proceed with the over-surveillance of children. Senators Warren, Blumenthal and Markey spearheaded a congressional inquiry in 2021 into the private-public surveillance of students, and they made clear in their report that this is far beyond what federal law requires and they’re worried, as I am, that the surveillance chills students’ free expression and worse endangers students, especially nonwhite students who end up facing discipline for minor infractions. They were very clear that this pervasive student surveillance was bad for students, bad for their privacy, not great for safety and unclear as to efficacy.

Where is the misunderstanding?

The federal law at issue explicitly says “Nothing in this title […] shall be construed to require the tracking of Internet use by any identifiable minor or adult user.” It explicitly says so in the law! So, it is this odd misinterpretation, to read one part of the statute and ignore the other.

Why would schools have incentive to go further than just blocking pornography and other visual obscenity, as the law requires? Why are they using this law to monitor for safety threats?

School administrators say that the monitoring makes teachers feel safer and better informed to help prevent student self-harm, suicide and threats. I believe them. School administrators and teachers are genuinely concerned about the safety and well-being of their students. But I think schools have to look at the surveillance in a clear-eyed manner. They need to work on understanding the risks to privacy and whether these surveillance tools are effective at all, or instead if they are making students less safe. They need to consider how they can best balance addressing safety concerns while protecting privacy. This article is just a first step to say, “Hey, we don’t even know if these tools work, because they don’t let us inside the systems to do the efficacy analysis.”

Why aren’t we allowed inside their black box, to see what they’re collecting, whether it’s effective and what they plan to do with the data?

These are private companies being granted access to all student data and then shielded from liability because they’re acting on behalf of government, which is frankly bonkers. Because they’re private entities, they don’t have to respond to records requests, as government agencies do. These companies are getting quite a bit of private funding because investors think they’re going to make money when they get bought or go public. These companies may be bought by Google or Amazon or Microsoft. We should worry about that — the end goal of the dominant tech companies. My concern grows out conversations with chief privacy officers who have said in public that the goal is to own all personal data and provide all the services of our lives, including health care. I’m not saying anything that’s confidential; these goals are part of the public record, so to speak.

So this is the trade-off for school safety?

This is big business, and the biggest losers are students. I’d love the promise of safety to be fulfilled. Less bullying, less sextortion and child pornography, all the ways we could protect children at school. Right now, privacy and safety are viewed as incompatible. But it’s not a zero-sum game — we can protect students’ intimate privacy and endeavor to protect their safety. But right now, we’re not doing this meaningful calculus at all and right now, I think students are less safe. Children are more often being disciplined for minor infractions like cursing than for [true] threats. This is often left to the discretion of school resource officers, and we find that Black students are disciplined more often in these cases. Kristin Henning at Georgetown Law wrote a brilliant book about the policing of students by school resource officers and how it brings all the recurring pathologies of the criminal justice system into the schools.

What other literature and data did you rely on?

I’m building on the work of intrepid journalists, congressional findings by Senators Warren and Markey, and scholarly research — that work gives us some important insight to what is happening. Legal scholars have been looking at the implications for school surveillance on the Fourth Amendment as well.   

I’ve worked with the Center for Democracy and Technology for years, and they have done amazing qualitative and quantitative research on the chilling effects and the pervasiveness of these surveilled laptops. Something like 89% of teachers reported that their students’ laptops are being monitored by companies like Bark and Gaggle. (There are five or so dominant student surveillance companies). And then CDT did qualitative and quantitative studies about how the surveillance impacts kids, and they interviewed parents and students.

What were their findings?

They have six main findings and five recommendations for reform. They offer a ton of data and anecdotes about how this monitoring technology has serious and harmful impacts on K-12 students, including students no longer trusting their teachers to protect their interests.

What impact do you hope the article will have?

Through my work with the Cyber Civil Rights Initiative, I’m in touch with lawmakers and their staff. Usually people contact us — Capitol Hill staffers, state lawmakers or advocacy groups that I’ve worked with. For example, I have a new piece coming out about how to fix Section 230 of the Communications Decency Act with six very concrete proposals that should be law. Rep. Jake Auchincloss read the paper and spent an hour on the phone with me and his staffer Joe Valente. After working closely together, we are working on a draft bill based on my proposal. Every time I write, I try to articulate the theory behind my concepts like intimate privacy and pair those concepts with concrete proposals rooted in reality.

A modest reform would be reworking CIPA’s monitoring provision so schools understand they are not required to track students online to obtain federal funding. But they should go further and regulate monitoring so that schools can qualify for the discount only if their surveillance technologies are independently shown to be effective and to minimize harm to privacy, expression and equality. And the details of the contracting process and the terms of contracts should be out in the open.

If these are public school districts, what about changing policy at the local level?

I’m not giving up on city and state lawmakers. In fact, most of my success in the work that we’ve done at the Cyber Civil Rights Initiative has been with state lawmakers. When we proposed criminalizing the nonconsensual distribution of intimate images, we worked with members of Congress who introduced a bill that has been reintroduced four times; it is now called the SHIELD Act. Thanks to the intrepid work of CCRI’s president, Dr. Mary Anne Franks, we’re still supporting efforts to get that federal bill passed into law. By contrast, in the decade that we’ve been working on these issues, we now have 48 states, D.C. and Guam that have criminalized the practice. When we started, it was three. As Professor Richard Schragger has illuminated in his scholarship, localities are important laboratories of democracy. I am game to work with local school boards and local government on these issues.

What are parents’ attitudes toward this?

Some are not fully informed of what’s going on and how it’s not actually making students safer. And then there are parents who do not like this at all. But schools are the deciders and they want students to use school-provided laptops to do their work, while protecting their in-school networks from viruses and other malware. The question is whether those laptops should be equipped with monitoring software in the way that such monitoring is currently conceived. That is what I am interrogating.