Trust, Because You Can’t Verify - Privacy and Security Hurdles in Education Technology Acquisition Pratices

The EdTech landscape is expanding rapidly in higher education institutes (HEIs). This growth brings enormous complexity. Protecting the extensive data collected by these tools is crucial for HEIs as data breaches and misuses can have dire security and privacy consequences for the data subjects, particularly students, who are often compelled to use these tools. This urges an in-depth understanding of HEI and EdTech vendor dynamics, which is largely understudied.  

To address this gap, we conducted a semi-structured interview study with 13 participants who are in EdTech leadership roles at seven HEIs. Our study uncovers the EdTech acquisition process in the HEI context, the consideration of security and privacy issues throughout that process, the pain points of HEI personnel in establishing adequate protection mechanisms in service contracts, and their struggle in holding vendors accountable due to a lack of visibility into their system and power-asymmetry, among other reasons. We discuss certain observations about the status quo and conclude with recommendations for HEIs, researchers, and regulatory bodies to improve the situation. 

Easton Kelso is a senior undergraduate researcher at Arizona State University studying Computer Science with a concentration in cybersecurity, set to graduate this year and starting to pursue a master’s degree in the same area. They got started in research during their first year at university and have focused on security and privacy issues that HEIs face with the growing technological landscape, especially in the use of EdTechs. 

Rakibul Hasan is an assistant professor in the School of Computing and Augmented Intelligence at ASU.