Educational Privacy in the Online Classroom: FERPA, MOOCS, and the Big Data Conundrum

Abstract

TABLE OF CONTENTS I. INTRODUCTION II. BIG DATA AND PRIVACY III. FERPA IV. MOOCs V. FERPA and MOOCs A. Does FERPA Even Apply to MOOCs? 1. Education Records 2. Students B. Impacts of FERPA Application to MOOCs 1. FERPA PII Disclosure Exceptions a. Consent b. Directory Information Exception c. Research Exception d. School Official Exception e. Data De-identification Exception 2. Method for De-identification C. FERPA's Purpose and Flaws VI. CONCLUSION I. INTRODUCTION Massively open online courses (MOOCs) are virtual classrooms that run on the Internet. In addition to their educational functions, MOOCs collect, centralize, and analyze massive amounts of information about their students. This information can include education records, student performance, and even how, when, and where a student clicks each time she logs in. Such widespread information collection and analysis is colloquially known as Big data is shorthand for the ability to store so much information that even trivial details can be kept and analyzed for emergent trends in areas such as consumer preferences, economic development, and crime mapping. Despite its large scale, big data raises privacy concerns on an individual level because it also excels at revealing unexpected correlations that may disclose not only someone's identity but some new fact about that person. Big data thus has the potential to actually create personally identifiable information without affirmative action on the part of the user whose data was collected. This dynamic may violate certain statutory privacy protections. The Family Educational Rights and Privacy Act (FERPA) (1) is one such privacy statute. However, FERPA is so dated that when confronted with a technology that can collect and use big data, like MOOCs, the statute practically breaks down. This Note examines the individual privacy concerns implicated by big data in general, assesses whether the privacy language of FERPA can address big data collection and analysis in the MOOC context, and provides broad suggestions for updating FERPA so that it may better adapt to big data privacy concerns. Registering for a MOOC goes something like this: To take a course--perhaps Astrophysics or Introduction to Philosophy--you must first create an account with your selected MOOC provider. One example is edX, a nonprofit founded by Harvard and MIT in 2012. (2) To register with edX, you create a username and password and provide the following information: your email address, full name, country, and, optionally, your gender, year of birth, highest level of education completed, and reason for registering. (3) To complete registration, you must also agree to edX's terms of service and honor code. (4) None of these requirements are particularly unique for website registration. But once you begin your selected MOOC, you create a new set of data points over the duration of your participation, collected by the MOOC. Among other things, edX logs when you access a module (the virtual equivalent of a classroom unit), how often you come back to the module, how long it takes for you to complete a quiz, your quiz scores, how many times you watch a video, and whether you stop visiting a course, resume it, and then stop again. (5) In all, edX collects approximately twenty gigabytes of user data per course (6)--the equivalent of millions of physical pages of information. (7) This collection is completely unremarkable in the online context. Indeed, it is ubiquitous across essentially all services on the Internet. Advertisers and other service providers can track a person's web browsing using cookies (8) or the more sophisticated canvas fingerprint. (9) Other software applications can log keystrokes or record behavior by observing how a user's mouse moves across a webpage. (10) Such tracking is not the only way to collect data. …