Taken together, the trio would create sweeping restrictions on children’s access to social media, impose new requirements on social media companies to ensure their products aren’t harmful to youth mental health and bolster educators’ digital surveillance obligations to ensure kids aren’t swiping through their favorite feeds in class. 

The three separate digital safety bills have bipartisan support and lawmakers could greenlight them as part of the FAA reauthorization legislation, which faces a Friday deadline. If passed, the legislative package could potentially end years of debate on these thorny questions and would mark the most consequential effort to regulate tech companies and children’s online safety in decades.

“Parents know there’s no good reason for a child to be doom-scrolling or binge-watching reels that glorify unhealthy lifestyles,” Sen. Ted Cruz, a Texas Republican who is co-sponsoring The Kids Off Social Media Act, said in . “Young students should have their eyes on the board, not their phones.”&�Բ�����;

The move comes as lawmakers across the political spectrum sound an alarm over concerns that teens’ addiction to their social media feeds — complete with algorithms designed to keep them hooked and coming back for more — have exacerbated mental health issues in young people. It follows congressional testimony by of knowing that apps like Instagram inflamed body image issues and other negative triggers among youth but failed to act to mitigate the harm while upholding a “see no evil, hear no evil” culture.

The controversial and heavily debated bills saw new life in January after social media executives were grilled during a contentious congressional hearing and Meta CEO Mark Zuckerberg apologized to parents who said their children were damaged, and in some cases died, after the company’s algorithms fed them a barrage of pernicious content. 

But critics contend the provisions amount to heavy-handed and unconstitutional censorship that fails to confront the root cause of young people’s anguish — and in some cases could hurt them by limiting their access to educational materials, blocking information designed to help them deal with mental health issues or by subjecting them to greater online surveillance.

The three amendments are:

• The Kids Online Safety Act would require tech companies to “exercise reasonable care” to ensure their services don’t surface in children’s feeds material deemed harmful, including posts that promote suicide, eating disorders and sexual exploitation.
  
  First introduced in 2022, the legislation would also require tools that would give parents greater ability to monitor their children’s’ online activities and mandate tech companies enable their most restrictive privacy settings for their youngest users by default. 

• The Children and Teens’ Online Privacy Protection Act, also known as COPPA 2.0, amends a 1998 law that requires tech companies receive parental consent before collecting data about children under 13 years old. COPPA 2.0 would extend existing requirements to children under 16, ban targeted advertising for children and require tech companies to delete data collected about children upon parental request. 

• The Kids Off Social Media Act, introduced last week by Cruz and Hawaii Democratic Sen. Brian Schatz, would prohibit children under 13 years old from creating social media accounts and restrict tech companies from using algorithms to serve content to children under 17. It would also require schools that receive federal internet connectivity funding to block students’ access to social media sites on campus networks. 

The bill’s provisions have faced widespread pushback from digital rights and privacy advocates, including the nonprofit Electronic Frontier Foundation, which called it an unconstitutional infringement that “replaces parents’ choices about what their children can do online with a government-mandated prohibition.” 

On Tuesday, TikTok and its Chinese parent company that bans the popular social media app in the U.S. unless it sells the platform to an approved buyer, accusing the government of stifling free speech and unfairly singling it out based on unfounded accusations it poses a national security threat.

In March, — including Louisiana, Arkansas, Texas and Utah — to impose new parental consent requirements for children to create social media accounts. The Georgia law also bans social media use on school devices and creates age verification requirements for porn websites.

Aliya Bhatia, a policy analyst at the nonprofit Center for Democracy and Technology, said that each bill now included in the FAA reauthorization act has been the subject of debate and opposition. Including them in unrelated, must-pass legislation with a short deadline, she said, “undermines the active conversations that are happening” about the bills, which she said are “just not ready for prime time.”

The Kids Online Safety Act, which has the bipartisan , is endorsed by a host of , including the American Psychological Association, Common Sense Media and the American Academy of Pediatrics, who argue the rules could protect youth from the corrosive effects of social media. 

At the same time, the legislation, which has differing House and Senate versions, has also received and those representing LGBTQ+ students. The groups argue the bill amounts to government censorship with a likely disparate impact on LGBTQ+ youth and students of color. The Heritage Foundation, a conservative think tank, has endorsed the legislation as a way to restrict youth access to LGBTQ+ content, that “keeping trans content away from children is protecting kids.”&�Բ�����;

Privacy advocates have warned the legislation could result in age-verification requirements across the internet that could require online users of all ages to provide identifying information to web platforms. 

Meanwhile, social media’s effects on youth mental well-being remain the subject of research and debate. In last year, the American Psychological Association noted that while social media use “is not inherently beneficial or harmful to young people,” the platforms should not surface to their young users content that encourages them to engage in risky behaviors or is discriminatory. 

In , Surgeon General Vivek Murthy noted that social media use is nearly universal among young people, with more than a third of teens saying they use the apps “almost constantly.” While its impact on youth mental health isn’t fully understood, Murphy said, emerging research suggests that its use can be harmful — perpetuating a national youth mental health crisis “that we must urgently address.”&�Բ�����;

The Kids off Social Media Act, which would prohibit youth access to sites like Instagram, is that requires schools and libraries to monitor and filter youth internet use as a condition of receiving federal E-Rate internet connectivity funding. In response, schools nationwide have adopted digital surveillance tools that use algorithms to sift through billions of student communications to identify problematic online behaviors.

Meanwhile, a recent found that web filters regularly used in schools do more than keep kids from goofing off in class. They also routinely limit students’ access to homework materials, educationally appropriate information about sexual and reproductive health and resources designed to prevent youth suicides. 

For years, privacy advocates have called on the Federal Communications Commission to clarify how the rules apply to the modern internet and have argued that schools’ tech-driven monitoring efforts go far beyond their original intent. 

When the law went into effect in 2001, monitoring “quite literally meant looking over a kid’s shoulder as they used the computer,” said Kristin Woelfel, a policy counsel of the Center for Democracy and Technology, but in 2024 student monitoring has become “a very specific term that now means really pervasive and technical surveillance.”&�Բ�����;

of students, parents and teachers last year, the nonprofit found a majority supported digital activity monitoring in schools yet nearly three-quarters of youth said that filtering and blocking technology made it more difficult to complete some homework, a challenge reported more often among LGBTQ+ students, and that the tools routinely led to disciplinary actions and police involvement. 

“They don’t work as people think they do,” she said. “That, coupled with data that shows it’s actually detrimental to students, indicates even more that this is not the right path forward.”&�Բ�����;

In a letter to lawmakers last week, a coalition of education nonprofits including the American Library Association and the Consortium for School Networking expressed concern about attaching social media limitations to E-Rate funding, which schools rely on to facilitate learning. 

“Schools and libraries will face delays or denials of E-rate funding due to allegations of non-compliance,” the groups wrote, arguing that it would give federal authorities control over social media policies that should be left to local officials. “The bill’s provisions seem to suggest that technology-driven learning models are always harmful, even when carefully crafted to promote educational purposes. In fact, there are several social media uses that can be beneficial for education and learning.”

In a announcing the legislation, Schatz offered the opposite perspective.

“There is no good reason for a nine-year-old to be on Instagram or TikTok,” he said. “There just isn’t. The growing evidence is clear: social media is making kids more depressed, more anxious, and more suicidal.”

In justifying the legislation, Schatz cites reporting by the psychologist and author Jonathan Haidt, who argues in his new book that young people — and girls, in particular — face a “tidal wave” of anguish that can be traced back to the rise of smartphones. 

Haidt’s characterization of tech’s role in youth well-being has , including by developmental psychologist Candice Odgers, who argued in that claims “that digital technologies are rewiring our children’s brains and causing an epidemic of mental illness is not supported by science.”&�Բ�����;

Among the evidence is on the well-being of nearly 1 million people ages 13 to 34 and 35 and over as it was being adopted in 72 countries and found “no evidence suggesting that the global penetration of social media is associated with widespread psychological harm.”

Updated, correction appended April 18

In the middle of night, students at Utah’s Kings Peak High School are wide awake — taking mandatory exams. 

At this online-only school, which opened during the pandemic and has ever since, students take tests from their homes at times that work best with their schedules. Principal Ammon Wiemers says it’s this flexibility that attracts students — including athletes and teens with part-time jobs — from across the state. 

“Students have 24/7 access but that doesn’t mean the teachers are going to be there 24/7,” Wiemers told ���˶��� with a chuckle. “Sometimes [students] expect that but no, our teachers work a traditional 8 to 4 schedule.”&�Բ�����;

Any student who feels compelled to cheat while their teacher is sound asleep, however, should know they’re still being watched. 

For students, the cost of round-the-clock convenience is their privacy. During exams, their every movement is captured on their computer’s webcam and scrutinized by Proctorio, . Proctorio software conducts “desk scans” in a bid to catch test-takers who turn to “unauthorized resources,” “face detection” technology to ensure there isn’t anybody else in the room to help and “gaze detection” to spot anybody “looking away from the screen for an extended period of time.”&�Բ�����;

Proctorio then provides visual and audio records to Kings Peak teachers with the algorithm calling particular attention to pupils whose behaviors during the test flagged them as possibly engaging in academic dishonesty. 

Such remote proctoring tools grew exponentially during the pandemic, particularly at U.S. colleges and universities where administrators seeking to ensure exam integrity during remote learning met with sharp resistance from students. Online end the surveillance regime; the tools of and that set off a red flag when the tool failed to detect Black students’ faces.  

At the same time, social media platforms like TikTok were flooded with videos purportedly highlighting service vulnerabilities that taught others

K-12 schools’ use of remote proctoring tools, however, has largely gone under the radar. Nearly a year since the federal public health emergency expired and several since the vast majority of students returned to in-person learning, an analysis by ���˶��� has revealed that K-12 schools nationwide — and online-only programs in particular — continue to use tools from digital proctoring companies on students, including those as young as kindergarten. 

Previously unreleased survey results from the nonprofit Center for Democracy and Technology found that remote proctoring in K-12 schools has become widespread. In its August 2023 36% of teachers reported that their school uses the surveillance software.

Civil rights activists, who contend AI proctoring tools fail to work as intended, harbor biases and run afoul of students’ constitutional protections, said the privacy and security concerns are particularly salient for young children and teens, who may not be fully aware of the monitoring or its implications. 

“It’s the same theme we always come back to with student surveillance: It’s not an effective tool for what it’s being claimed to be effective for,” said Chad Marlow, senior policy counsel at the American Civil Liberties Union. “But it actually produces real harms for students.”&�Բ�����;

Wiemers is aware that the school, where about 280 students are enrolled full time and another 1,500 take courses part time, must make a delicate “compromise between a valid testing environment and students’ privacy.” When students are first subjected to the software he said “it’s kind of weird to see that a camera is watching,” but unlike the uproar at colleges, he said the monitoring has become “normalized” among his students and that anybody with privacy concerns is allowed to take their tests in person.

“It’s always strange in a virtual setting — it’s like you’re watching yourself take the test in the mirror,” he said. “But when students use it more, they get used to it.”&�Բ�����; 

Children ‘don’t take tests’

Late last year, Proctorio founder and CEO Mike Olsen published   in response to research critical of the company’s efficacy. A tech-savvy Ohio college student had conducted an analysis and concluded Proctorio’s relied on an open-source software library with a — including a failure to recognize Black faces more than half of the time. 
The student tested the company’s face-detection capabilities against a dataset of nearly 11,000 images, , which depicted people of multiple races and ethnicities, with results showing a failure to distinguish Black faces 57% of the time, Middle Eastern faces 41% of the time and white faces 40% of the time. Such a high failure rate was problematic for Proctorio, which relies on its ability to flag cheaters by zeroing in on people’s facial features and movements. 

Olsen’s post sought to discredit the research, arguing that while the FairFace dataset had been used to identify biases in other facial-detection algorithms, the images weren’t representative of “a live test-taker’s remote exam experience.”&�Բ�����;

“For example,” he wrote, “children and cartoons don’t take tests so including those images as part of the data set is unrealistic and unrepresentative.”&�Բ�����;

To Ian Linkletter, a librarian from Canada embroiled in a long-running battle with Proctorio over whether its products were harmful, Olsen’s response was baffling. Sure, cartoon characters don’t take tests. But children, he said, certainly do. What he wasn’t sure about, however, was whether those younger test-takers were being monitored by Proctorio — so he set out to find out. 

He found two instances, both in Texas, where Proctorio was being used in the K-12 setting, including at a remote school tied to the University of Texas at Austin. Linkletter shared his findings with ���˶���, which used the government procurement tool GovSpend to identify other districts that have contracts with Proctorio and its competitors. 

More than 100 K-12 school districts have relied on Proctorio and its competitors, according to the GovSpend data, with a majority of expenditures made during the height of the pandemic. And while remote learning has become a more integral part of K-12 schooling nationwide, seven districts have paid for remote proctoring services in the last year. While extensive, the GovSpend database doesn’t provide a complete snapshot of U.S. school districts or their expenditures. 

“It was just obvious that Proctorio had K-12 clients and were being misleading about children under 18 using their product,” Linkletter said, adding that young people could be more susceptible to the potential harms of persistent surveillance. “It’s almost like a human rights issue when you’re imposing it on students, especially on K-12 students.” Young children, he argued, are unable to truly consent to being monitored by the software and may not fully understand its potential ramifications. 

Proctorio did not respond to multiple requests for comment by ���˶���. Founded in 2013, claims it provided remote proctoring services during the height of the pandemic to education institutions globally. 

In 2020,  over a series of tweets in which the then-University of British Columbia learning technology specialist linked to Proctorio-produced YouTube videos, which the company had made available to instructors. Using the video on the tool’s “Abnormal Eye Movement function,” Linkletter that it showed “the emotional harm you are doing to students by using this technology.”

Proctorio’s lawsuit alleged that Linkletter’s use of the company’s videos, which were unlisted and could only be viewed by those with the link, amounted to copyright infringement and distributing of confidential material. In January, Canada’s Supreme Court Linkletter’s claim that the litigation was specifically designed to silence him.

While there is little independent research on the efficacy of any remote proctoring tools in preventing cheating, one 2021 study found that who had been instructed to cheat. Researchers concluded the software is “best compared to taking a placebo: It has some positive influence, not because it works but because people believe that it works, or that it might work.”&�Բ�����;

Remote proctoring costs K-12 schools millions

A , the online K-12 school operated by the University of Texas, indicates that Proctorio is used for Credit by Exam tests, which award course credit to students who can demonstrate mastery in a particular subject. For students in kindergarten, first and second grade, the district pairs district proctoring with a “Proctorio Secure Browser,” which prohibits test takers from leaving the online exam to use other websites or programs. Beginning in third grade, according to the rubric uploaded to the school’s website, test takers are required to use Proctorio’s remote online proctoring.

Proctorio isn’t the only remote proctoring tool in use in K-12 schools. GovSpend data indicate the school district in Las Vegas, Nevada, has spent more than $1.4 million since 2018 on contracts with Proctorio competitor Spending on Honorlock by the Clark County School District surged during the pandemic but as recently as October, it had a $286,000 company purchase. GovSpend records indicate the tool is used at , the district’s online-only program which claims more than 4,500 elementary, middle and high school students. Clark County school officials didn’t respond to questions about how Honorlock is being utilized. 

Meanwhile, dozens of K-12 school districts relied on the remote proctoring service ProctorU, now known as , during the pandemic, records indicate, with several maintaining contracts after school closures subsided. Among them is the rural Watertown School District in South Dakota, which spent $18,000 on the service last fall. 

Aside from Wiemers, representatives for schools mentioned in this story didn’t respond to interview requests or declined to comment. Meazure Learning and Honorlock didn’t respond to media inquiries. 

At TTU K-12, an online education program offered by Texas Tech University, the institution relies on Proctorio for “all online courses and Credit by Examinations,” flagging suspicious activity to teachers for review. In an apparent nod to Proctorio privacy concerns, TTU instructs students to select private spaces for exams and that if they are testing in a private home, they have to get the permission of anyone also residing there for the test to be recorded. 

Documents indicate that K-12 institutions continue to subject remote learners to room scans even after a federal judge ruled a university’s . In 2022, a federal judge sided with a Cleveland State University student, who alleged that a room scan taken before an online exam at the Ohio institution violated his Fourth Amendment rights against unreasonable searches and seizures. The judge ruled that the scan was “unreasonable,” adding that “room scans go where people otherwise would not, at least not without a warrant or an invitation.”&�Բ�����;

Marlow of the ACLU says he finds room scans particularly troubling — especially in the K-12 context. From an equity perspective, he said such scans could have disproportionately negative effects on undocumented students, those living with undocumented family members and students living in poverty. He expressed concerns that information collected during room scans could be used as evidence for immigration enforcement 

“There are two fairly important groups of vulnerable students, undocumented families and poor students, who may not feel that they can participate in these classes because they either think it’s legally dangerous or they’re embarrassed to use the software,” he said. 

The TTU web page notes that students “may be randomly asked to perform a room scan,” where they’re instructed to offer their webcam a 360-degree view of the exam environment with a warning: Failure to perform proper scans could result in a violation of exam procedures.

“If you’re using a desktop computer with a built-in webcam, it might be difficult to lift and rotate the entire computer,” the web page notes while offering a solution. “You can either rotate a mirror in front of the webcam or ask your instructor for further instruction.”

‘A legitimate concern’ 

Wiemers, the principal in Utah, said that Proctorio serves as a deterrent against cheating — but is far from foolproof. 

“There’s ways to cheat any software,” he said, adding that educators should avoid the urge to respond to Proctorio alerts with swift discipline. In the instances where Proctorio has caught students cheating, he said that instead of being given a failing grade, they’re simply asked to retake the test. 

“There are limitations to the software, we have to admit that, it’s not perfect, not even close,” he said. “But if we expect it to be, and the stakes are high and we’re overly punitive, I would say [students] have a legitimate concern.”

During a TTU K-12 advisory board meeting in July 2021, administrators outlined the extent that Proctorio is used during exams. Justin Louder, who at the time served as the TTU K-12 interim superintendent, noted that teachers and a “handful of administrators within my office” had access to view the recordings. Ensuring that third parties didn’t have access to the video feeds was “a big deal for us,” he said, because they’re “dealing with minors.”&�Բ�����;

While college students “really kind of pushed back” on remote proctoring, he noted that they only received a few complaints from K-12 parents, who recognized the service offered scheduling benefits. Like Wiemers, he framed the issue as one of 24-hour convenience. 

“It lets students go at their own pace,” he said. “If they’re ready at 2 o’clock in the morning, they can test at 2 o’clock in the morning.”

Correction: A copyright infringement case brought by Proctorio against longtime company critic Ian Linkletter is still being argued in court. An earlier version of this story mischaracterized the litigation as being ruled in Proctorio’s favor.

Pew Research Associate Luona Lin called the findings released Thursday “jarring”: Nearly a quarter of educators said they experienced a lockdown due to a gun — or fears of one — on their campus last school year.

Teachers who work in high schools, and those located in urban areas, were far more likely to experience lockdowns. Among high school educators, 34% reported at least one gun-related lockdown during the 2022-23 school year, as did 31% of those who teach in urban areas.

“One of the most striking findings is just the sheer number of teachers who say they have experienced a lockdown,” Lin told ���˶���. Pew sought to probe educators’ perspectives of school gun violence after researchers conducted interviews to understand their “day-to-day lives and their perspectives” on hot-button issues, she said. Gun violence came up again and again. 

“A lot of teachers definitely talked about worrying about school shootings happening in their school,” she said. “One of the teachers we talked about it with actually said, ‘I think about it every day.’”

Though the Pew data don’t offer insight into the frequency that firearms are ultimately found, tallies on campus attacks have shown a staggering upward trend, with record numbers over the last three years.

Just this week, James and Jennifer Crumbley to 10-15 years in prison after being found guilty of involuntary manslaughter for their role in failing to prevent a 2021 school shooting that was carried out by their then-15-year-old son. The shooting at his Oxford, Michigan, high school led to the death of four students. The Crumbleys are the first parents in U.S. history to be sentenced to prison in response to an active shooting perpetrated by their child. More than two-thirds of active shootings at K-12 campuses were carried out by perpetrators between the ages of 12 and 18, . 

For some teachers who participated in the Pew poll — 59% of whom say they worry about a school shooting unfolding at their schools — gun-related lockdowns are frequent. While 15% said they experienced one lockdown last school year, 8% said they were forced to take cover at least twice. 

The new data on the opinions of K-12 teachers comes roughly 25 years after the 1999 Columbine High School shooting in suburban Denver, which became a national flashpoint on school violence after two student gunmen killed 13 of their classmates before taking their own lives. Since then, national spending on school security has surged — and so, too, have the number of campus attacks.

Though school shootings are politically fraught and carry devastating consequences for communities, they remain statistically rare. Between 2000 and 2021, there have been 46 “active shooter incidents” at K-12 campuses, which resulted in 108 deaths and 168 injuries, according to . Active shootings are defined as those where a gunman fires indiscriminately at people in a public place like a school. 

Beyond active shootings like those at Oxford and Columbine, federal data on campus gun incidents indicate 188 shootings that resulted in casualties during the 2021-22 school year— more than twice as many as the year earlier, which at the time was a record high.

While a majority of educators fear school shootings, 39% said their school has done a fair or poor job preparing for one while 30% — particularly those with school-based police officers — said their district has done an excellent or very good job. 

In preventing future attacks, 69% of educators endorsed efforts to improve mental health screenings and treatments for children, 49% supported campus cops and 33% favored metal detectors. 

Just 13% of teachers who participated in the Pew survey said arming educators would be an extremely or very effective approach to prevent the tragedies. 

Teachers’ responses were often similar to those offered by parents and students in previous Pew surveys on school shooting fears and preparation — with all parties being swayed, at least in part, by partisan politics. 

Republican-leaning educators were more likely than their Democratic colleagues to support campus police, metal detectors and arming teachers. Democratic teachers were more likely than GOP educators to support efforts to improve students’ mental health. 

In , two-thirds of parents said they were at least somewhat worried about a shooting unfolding at their child’s school, and 63% endorsed improvements in mental health for students as a way to prevent shootings, a rate higher than any other intervention. 

In , from 2018, 57% of teens said they were somewhat or very worried about a school shooting occurring on their campus. 

Pew’s educator survey included responses from 2,531 public K-12 teachers in October and November who are members of , a nationally representative sample of U.S. educators. 

“Gun violence and all of these gun policy issues, they are definitely partisan,” Lin said. “The views of teachers, the views of parents, are reflective of the overall population’s views on this, and definitely the partisan differences as well.”

As artificial intelligence tools become more common in schools, most teachers say their districts have adopted guidance and training for both educators and students, by the nonprofit Center for Democracy and Technology. What this guidance lacks, however, are clear instructions on how teachers should respond if they suspect a student used generative AI to cheat. 

“Though there has been positive movement, schools are still grappling with how to effectively implement generative AI in the classroom — making this a critical moment for school officials to put appropriate guardrails in place to ensure that irresponsible use of this technology by teachers and students does not become entrenched,” report co-authors Maddy Dwyer and Elizabeth Laird write.

Among the middle and high school teachers who responded to the online survey, which was conducted in November and December, 60% said their schools permit the use of generative AI for schoolwork — double the number who said the same just five months earlier on a similar survey. And while a resounding 80% of educators said they have received formal training about the tools, including on how to incorporate generative AI into assignments, just 28% said they’ve received instruction on how to respond if they suspect a student has used ChatGPT to cheat. 

That doesn’t mean, however, that students aren’t getting into trouble. Among survey respondents, 64% said they were aware of students who were disciplined or faced some form of consequences — including not receiving credit for an assignment — for using generative AI on a school assignment. That represents a 16 percentage-point increase from August. 

The tools have also affected how educators view their students, with more than half saying they’ve grown distrustful of whether their students’ work is actually theirs. 

Fighting fire with fire, a growing share of teachers say they rely on digital detection tools to sniff out students who may have used generative AI to plagiarize. Sixty-eight percent of teachers — and 76% of licensed special education teachers — said they turn to generative AI content detection tools to determine whether students’ work is actually their own. 

The findings carry significant equity concerns for students with disabilities, researchers concluded, especially in the face of are ineffective.

The Minnesota House of Representatives voted 124-8 Monday afternoon to approve legislation that removes a ban on school resource officers using prone restraint on students. The bill now moves to the Senate for consideration.

Nearly four years after George Floyd suffocated to death while being pinned face down to the pavement by a police officer, Minnesota Democrats are fast-tracking legislation that would undo a less-than-year-old ban prohibiting school-based cops from using that same type of restraint on students. 

As early as Monday, the state’s House of Representatives is slated to consider a proposal that presents a drastic departure by Democratic Gov. Tim Walz — rules that explicitly barred school resource officers from using face-down “prone restraint.”

The ban was part of a broader police reform movement that followed Floyd’s murder. The fatal physical hold led to the largest civil rights protest in U.S. history, a national reckoning on racism, policy reforms that sought to address police brutality and, in Minneapolis and dozens of districts nationwide, the removal of sworn officers from school campuses. In Minnesota, new state rules barred police officers from using chokeholds on people and prone restraints were banned in the state’s prisons. 

Now, as the state’s Democrats make a 180-degree turn on the campus reform, education equity advocates have accused state leaders of falling to the political pressure of law enforcement groups ahead of a November election where party lawmakers seek to maintain their narrow majority in the state House. The proposal cleared the House Ways and Means committee earlier this week. 

Physical restraints have for children including injury and, in some cases, death. Yet for Republican lawmakers and law enforcement, the change in Minnesota went a step too far. Police departments statewide pulled their cops from schools in protest of the restraint restriction. 

During a recent Senate Judiciary and Public Safety Committee hearing, Democratic Sen. Bonnie Westlin, lead sponsor of the Senate version of the bill that would restore prone restraints in schools, presented it less as a backtrack and more as an opportunity. The issue is about ensuring campus cops remain “important team members in our schools,” Westlin said, while creating uniformity across school resource officers’ duties, their training requirements and accountability.  

Along with removing restraint rules for school-based police and campus security staff, the pending legislation would allocate $150,000 this year to develop consistent, statewide training standards for school resource officers and require police to complete the lessons before working on campuses. The bill also seeks to clarify that school-based police officers should not be involved in routine student discipline. 

“When a local community determines that they would like to engage SROs, we want to make sure there is uniformity about expectations for everyone concerned,” Westlin said.

Advocates who lauded the prone restraint ban, however, say that lawmakers have turned their backs on Floyd’s legacy. 

“How is it that — in the state where this man gets killed and the world erupted — that we are not the leading people who are banning this on our kids?” asked advocate Khulia Pringle, the Minnesota director of the National Parents Union and a steering committee member of the Solutions Not Suspensions Coalition, a group of education nonprofits that has lobbied against the legislation. “It’s banned in prisons, it’s banned for students with disabilities. 

“Why can’t we extend that same courtesy to all children?” 

The ‘fix’

Presented by Democratic leaders as an “SRO fix” bill, the proposal comes after police departments got wind of the restraint ban last fall — an under-the-radar change in a larger education bill that passed without opposition. In response, about 40 law enforcement agencies removed their school resource officers from campuses. 

, school resource officers and campus security personnel are prohibited from using face-down prone restraints and “certain physical holds,” including those that restrict or impair “a pupil’s ability to breathe” or their “ability to communicate distress.”&�Բ�����;

The ban represented an extension of state rules that have been on the books for years. In 2015, after that “it is only a matter of time before a Minnesota child is seriously injured or killed while in prone restraint,” lawmakers banned educators from using the technique on children with disabilities. Nationally, that curtail educators from using prone restraints and other tactics that restrict students’ breathing. 

In Washington, D.C., Democratic lawmakers have sought for years to pass . Nationally, about 35,000 students were placed in physical restraints at school during the 2020-21 school year, from the Education Department’s civil rights office. Black students represented 15% of K-12 school enrollment and 21% of those placed in physical holds. Meanwhile, students with disabilities represented 14% of the national enrollment — and 81% of those subjected to restraints. 

After the new changes were put in place in Minnesota and students returned to classes last fall, law enforcement agencies argued it stirred confusion among their ranks, opened their departments to lawsuits and tied their officers’ hands in how they work to keep schools safe and combat crimes like vandalism. Republican lawmakers seized on the furor and demanded a special legislative session to repeal the law. 

The Coon Rapids Police Department, located in a northern Minneapolis suburb, is among the agencies that removed its officers from schools. That decision was reversed and the agency’s four campus cops after the state attorney general issued a clarification on the law’s limits. The school resource officer program was put on hold temporarily last fall in part because of how officers are trained to do their jobs, Captain of Investigations Tanya Harmoning told ���˶���. She said she wasn’t sure how often prone restraint had been used by her officers inside schools. Regardless of whether an officer is stationed inside a school building or on a city street, she said, they “are all trained in the same tactics.”&�Բ�����;

“Our officers are trained a certain way to handle certain situations,” she said. “Some of these people transition back out onto the road, so to expect them to transition from ‘you can do it here, but you can’t do it here,’ kind of thing, that’s just not how we train our people.”

In last fall, Attorney General Keith Ellison clarified that the ban didn’t restrict officers from using prone restraints in cases involving imminent harm or death, which offered assurances to many law enforcement agencies that agreed to return officers to schools. 

The special session that Republicans and police brass demanded didn’t come to fruition but the issue has become a top priority this year for Gov. Walz and his Democratic-Farmer-Labor Party, which controls both chambers of the state legislature. 

State officials and education leaders have sought to frame the debate as being not about prone restraint, but rather the need to get police back in schools. 

‘The voices of all stakeholders’

When Democratic Rep. Cedrick Frazier appeared before the House Education Policy Committee in mid-February, he acknowledged the timing of his testimony: “We are not far removed,” he said, “from the tragic murder of George Floyd.”&�Բ�����;

He pivoted to a state law passed in response that banned police from using chokeholds — rules that he said were critical to their discussions about school-based police. With the chokehold ban in place, he suggested the prone restraint prohibition was unnecessary. 

“The tension and anxiety that has been discussed, in large part, stems from the egregious visual of that tragic day,” Frazier testified. But even without a ban on prone restraints, he said that state law would continue to prohibit school-based officers from pinning students to the ground in ways that restrict breathing.

“Our only focus must be doing everything we can to ensure that while our young people are in our schools, that we ensure that their environment is safe from any type of harm,” Frazier said. “We must ensure our young people have the best environment to have the best possible outcomes.”&�Բ�����;

His testimony didn’t explicitly touch on prone restraints or why police needed greater autonomy around their use in classrooms. Representatives for Frazier and the governor didn’t respond to requests for comment and state Sen. Westlin’s office declined an interview request. 

In his testimony, Education Commissioner Willie Jett focused on schools’ need for campus police officers and the bill’s new training requirements. He, too, didn’t touch specifically on restraint procedures. 

“SROs are viewed by many as essential to maintaining safe and secure learning environments and data from the tells us that an overwhelming majority of students from all demographic areas value the SROs in their schools,” Jett said. 

In Minnesota, state education officials have sought to reduce schools’ reliance on restraint tactics for years. The reveal that students with disabilities were subjected to more than 10,000 physical restraints during the 2021-22 school year, with such holds disproportionately used on Black and Indigenous students. Frequently, , these holds result in injuries — and more often for adults than children. During the 2021-22 school year, districts reported 733 staff injuries from placing students in restraints — a rate that equates to about one staff injury for every 14 physical holds. That same year, 161 students were reported injured.  

Frazier’s work leading the reform bill appears to be at odds with his broader championing of policing and public safety. After Floyd’s murder, Frazier became known in the state as in favor or progressive police reforms, often drawing on his personal experiences with inequities growing up as a Black teen on Chicago’s South Side. In September, as police agencies statewide began pulling officers from schools, Frazier signaled his support for the new prone restraint ban. The House People of Color and Indigenous Caucus, which Frazier co-chairs, released a statement expressing that same sentiment.

“The provision in the education bill passed earlier this year related to school personnel is clear: School staff, including school resource officers, are not allowed to use prone restraints,” or other holds that restrict a student’s ability to breathe, the caucus wrote in the statement, which bore Frazier’s name. Given the attorney general’s opinion extending SROs’ authority to restrain kids in serious cases, the group wrote, “changes to the law are not needed.”

In Republican’s unsuccessful bid to force a special legislative session, they found common ground with Education Minnesota, the state teacher’s union, which noted that on how to protect themselves and students during potentially dangerous situations. In 2021, union spokesperson Chris Williams told ���˶��� the group was concerned about “the ongoing racial disparities that we know exist in the use of restrictive procedures,” and noted support for rules that prohibited prone restraint in classrooms. 

Williams didn’t respond to a list of questions about the pending legislation introduced by Frazier who, along with being a state representative, works as a . 

‘Prone kills kids’

When Matt Shaver testified at the House education committee last month, he opened with a grim warning: “Prone kills kids.”

“We are advocates for kids — and prone kills kids,” said Shaver, the policy director of the nonprofit EdAllies, which is a member of the Solutions Not Suspensions Coalition working to maintain the current prone restraint ban. “This is not about whether SROs belong in schools,” as lawmakers and state education officials have cast the conversation, he said. “This is about whether we believe holds that kill children belong in school.”&�Բ�����;

Shaver cited which examined childhood fatalities that stemmed from physical restraints over a 26-year period. Researchers identified 79 incidents where restraints led to deaths in settings including foster homes, psychiatric agencies and schools. Deaths were most common when children were held in the face-down prone restraints — and most often for benign childhood behaviors like failing to remain silent or sit without wriggling. Investigations into the fatalities found that adults routinely failed to follow proper restraint policies and laws. 

“In 15 fatalities, children vomited, urinated or turned blue during the restraint,” researchers concluded in the 2021 study, which was published in the academic journal Child & Youth Care Forum. “These signals should have been detected by an adult monitoring these events and immediately triggered a change in tactics or discontinuation of the restraint.”

Shaver told ���˶��� he believes the Democrats are reacting to the politics of the police “work stoppage” and a desire not to appear soft on crime ahead of the November election. That has placed them in the position, he said, of wanting to overturn the restraint restriction, but “not in a way that will freak out their base.”&�Բ�����;

“They may have failed at doing that,” Shaver said.

In about a third of Florida school districts, and concentrated in rural panhandle enclaves like Daniels’s Liberty County, corporal punishment as a form of student discipline remains deeply ingrained in the culture. It’s why on this morning in early December, school leaders instructed the 18-year-old to bend over a desk.

What came next — a paddling that left deep purple bruises and welts for a minor school offense that Daniels said stemmed from a misunderstanding about Christmas decorations on a campus door — was far beyond routine student discipline, the Liberty County High School senior told ���˶���.

It was, she alleges, sexual assault. 

“They were so eager to go in there and spank me,” said Daniels, who said she was struck by Assistant Principal Tim Davis, a former Major League Baseball player who pitched for the , while Principal Eric Willis observed and laughed. “They took their time, they watched me.”

Liberty County School District officials didn’t respond to multiple interview requests. Reached by ���˶��� on his cell phone, Davis declined to comment on the incident or allegations that his use of force was sexual assault.  

The incident, which has sparked controversy in Florida’s least populous county roughly 50 miles west of Tallahassee, comes as state lawmakers debate the fate of rules that have long permitted teachers to spank students as a disciplinary measure. A significant body of research suggests that corporal punishment has the opposite effect of improving student behaviors and a data analysis by ���˶��� shows in parts of Florida, it’s most often used to address minor infractions like “excessive talking,” “insubordination” and “horse play.”&�Բ�����;

where laws explicitly allow educators to use corporal punishment on students, and the practice is not expressly prohibited by laws in an additional seven states, according to by the U.S. Department of Education. In a letter last year, Education Secretary Miguel Cardona urged state lawmakers and school leaders “to move swiftly toward condemning and eliminating” a practice that “can lead to serious physical pain and injury,” is associated with heightened mental health issues, stunted brain development and hindered academic performance. Nationally, federal data show that corporal punishment is disproportionately used on students of color and those with disabilities. 

Prompted by the advocacy of two Florida college students, there is now , where roughly a third of districts use corporal punishment to discipline kids, that would require educators to get permission from parents each year before spanking their children. The measure would also ban the use of physical force on students with disabilities. The bill garnered unanimous support in a state House subcommittee last month. Yet a companion bill in the Senate has remained stalled and lawmakers worry the effort will falter this legislative session — as similar efforts have for years. 

Rep. Katherine Waldron, a Democrat who co-sponsored the bipartisan bill, said the subcommittee hearing was the furthest any effort to reform state corporal punishment rules has gotten to date. She credited the momentum to student advocacy, and specifically to the University of Florida students who launched a statewide campaign to change the law. 

“It’s great that we have this level of student involvement in the whole process and they’re really helping to push the bill and they’re learning a lot,” Waldron said. “Any time we have that kind of momentum for a good bill like this, I think representatives should pay attention and try to help.”&�Բ�����;

In Liberty County, Daniels said that school officials accused her of lying to a substitute teacher and using her position in the school honor society to get her friend out of class to help with the holiday decorating. When school administrators approached her about the incident a week later, they gave her two options: in-school suspension or corporal punishment — a choice she said left her feeling coerced. The entire incident stemmed from an honest misunderstanding, she said, and accepting in-school suspension would have required her to miss an exam for a dual-enrollment college class and to be late for work at Chick-fil-A. 

She chose to get spanked. 

“As soon as it happened, I really just felt sexually assaulted. I felt disgusted with myself that I even kind of gave them permission,” said Daniels, who transitioned to online-only instruction after the incident and fears she may someday run into Davis or Willis at their small-town grocery store. Daniels has spoken out against corporal punishment in Florida schools and her paddling . Her mother calling on lawmakers to ban the “systemic issue prevalent across 19 school districts in Florida.”&�Բ�����;

“I felt like they really just got off by it,” Daniels said, adding that a parent could face child protective services investigations for leaving similar bruises on their kid. “I don’t even think I could look them in the eyes now, not even now. And you know about my senior year, after the situation I really truly started realizing, I’m not going to have a senior year anymore.”&�Բ�����;

‘You can get a paddling’

In recent years there have been numerous cases in Florida that resemble the one involving Daniels. Yet even in districts where parents can opt their children out of being hit as a form of discipline — and even in incidents where parents accuse educators of going too far — law enforcement officials have pointed to a state law permitting the practice. Kristina Vann, Daniels’s mother, said she had not given Liberty County educators consent to hit her daughter.

That didn’t stop Assistant Principal Davis from drawing the paddle. 

Daniels reported the incident to the Liberty County Sheriff’s Office and, in an interview with ���˶���, Undersheriff Robert “Dusty” Arnold acknowledged the agency looked into the case but said they don’t plan to pursue criminal charges. He called the case “a non-issue” involving a permitted form of discipline that Daniels had consented to. The entire incident, he said, was “being blown out of proportion.”&�Բ�����;

“It’s the state law,” Arnold said in an interview. “And if you choose to take a paddling, you can get a paddling. My understanding is she was given options and she chose that.”

Sam Boyd, a supervising attorney at the nonprofit Southern Poverty Law Center, which has in Florida and nationally, said he’s aware of “a fact pattern” of corporal punishment incidents “that may be much more of a serious sexual assault than punishment.”&�Բ�����;

The case involving Daniels, who is an adult in the eyes of the law, presents its own set of complicated legal questions, he said. 

“To the extent that schools are stepping in for parents, if that’s the theory behind corporal punishment, it’s hard to see how that makes any sense in the context of people who are legally adults,” he said. “As a policy matter, it doesn’t make any sense to be using corporal punishment against adults, although of course it doesn’t in our view, make any sense to be using it against minors either.”&�Բ�����;

Florida’s law permitting corporal punishment in schools has been used in previous incidents to shield educators from criminal charges. In 2018, for example, against a Lake County bus monitor who was accused of using in ways that constituted child abuse, including grabbing children by their faces, twisting their heads and pushing them against a wall in the bus. Prosecutors concluded that the state law superseded a school district policy banning corporal punishment. 

Three years later, in 2021, an elementary school principal in Hendry County was caught on video spanking a 6-year-old girl with a wooden paddle despite a district policy prohibiting such actions. Although the state corporal punishment law requires educators to comply with local district rules, prosecutors declined to pursue charges and claimed the girl’s mother — an undocumented immigrant who filmed the encounter and shared the footage with a local television station — had consented to the beating and at no point spoke up to “raise any objection.”&�Բ�����;

The Hendry County incident prompted an investigation by ���˶���, which revealed numerous incidents where students had been subjected to corporal punishment in school districts across the country where that practice had been outlawed. 

For University of Florida student Graham Bernstein, that investigation served as a wake-up call. The Hendry County incident coincided with another failed legislative effort to ban corporal punishment and he felt that more needed to be done to stop the practice, he told ���˶���. He joined up with a classmate, Konstantin Nakov, and wrote the bill now pending in Tallahassee that the duo hopes will persuade state officials to view Florida’s history of corporal punishment in a different light. 

The business of hitting kids

First, Bernstein and Nakov set out to get a better understanding of corporal punishment in Florida which, according to state data, was used to punish 509 students last school year.

Through emails and public records requests with districts statewide, the students found that the practice was being used to discipline the same students repeatedly — about half of whom were in special education — and often for minor classroom infractions. In Columbia County, records shared with ���˶��� revealed, spanking was primarily reserved for elementary school students. Of the 824 incidents of corporal punishment in the north central Florida county between August 2018 and May 2022, 84% were attributed to minor infractions including the use of inappropriate language, disrupting the classroom environment and inappropriate use of electronic devices. Fewer than 13% of incidents were initiated after a student hit a classmate.

The practice was also used more than a dozen times at Pathways Academy, an alternative education program in Columbia County that it specifically serves students “with behavior, academic and attendance barriers” and those with disabilities who need additional support “to overcome their own barriers.”&�Բ�����;

Columbia County school district officials didn’t respond to requests for comment about their corporal punishment practices. 

While previous efforts to ban corporal punishment in Florida schools have focused on the research suggesting it’s an ineffective disciplinary tool and has negative consequences for students, Bernstein and Nakov used another tact to get support from Republicans, who represent the rural, predominantly conservative counties where the practice is primarily used. 

They took a page from GOP Florida Gov. Ron DeSantis’s playbook and presented the issue as one of parental rights.

“I don’t know what it is about conservative Republicans, but some of them just think that it’s a good disciplinary intervention to strike children,” Bernstein said. “A big emphasis has been recently on the whole idea of parental rights and making it so the government doesn’t have the ability to do something without a parent agreeing to it. And so we thought we can apply that here. … Especially with some of these more conservative legislators, who are really zealous supporters of this idea of parental rights, let’s test their rhetoric against them and see if it sticks.”&�Բ�����;

Still, getting buy-in from lawmakers wasn’t easy, said Nakov, who graduated from the University of Florida last year and now attends medical school in Bradenton, Florida. He and Bernstein have spent the last several years sending emails to legislative offices and taking road trips to the statehouse to speak with potential sponsors. 

Rep. Mike Beltran, a Republican from Apollo Beach who co-sponsored the bill, said the legislation fits in line with other efforts in Florida to bolster parental rights. 

“I don’t think the parents should spank the kids either, but certainly the school should not be doing it and certainly the school should not be doing it without the parents’ approval or knowledge,” Beltran said. “There’s no due process — there’s no due process at all — and you’re going to spank them?”

If Florida bans corporal punishment and educators fail to comply, Beltran said that students and parents should “sue their pants off.”&�Բ�����;

‘I took it very easy on her’

Back in Liberty County, Brooklynn Daniels’s mother used a school communication platform to confront Davis on the way he spanked her daughter. In a text chat on the app ParentSquare that she shared with ���˶���, Vann offered the assistant principal photographic proof that her daughter’s “butt is red all over,” from the paddling. Davis declined the photo and defended his actions. 

“I can assure you I took it very easy on her,” Davis wrote. “I’m teased by staff in the front office about how soft I swing a paddle and I took it especially easy on Brooklyn, as I do with any female.”&�Բ�����;

Vann was floored at his characterization, especially given Davis’s career in professional baseball in the 1990s, which also included stints with the Tampa Bay Devil Rays and . 

“That man went from swinging bats for a living to beating children,” she said. “So how do I know where he went to school to learn how to — instead of hitting a baseball out into the outfield — to gently swing a paddle to hit my kid?” 

Vann sees insular, hometown favoritism at the root of how school leaders handled her daughter and defended Davis, a Liberty County High School alumnus. The family moved to the rural county from urban Tallahassee — and longtime residents, Vann said, resented Brooklynn.

“She’s made homecoming twice, she’s a cheerleader, she’s well known in the community. She’s made her mark here and she’s not from Liberty County,” she said. “We have what they call the good ol’ boys system here. If you’re not born and raised here, they’re not going to protect you and they don’t like you. They don’t like outsiders.”&�Բ�����;

To Undersheriff Arnold, a fourth-generation Liberty County resident, the culture of school corporal punishment contributes to a polite community where people refer to others by “sir” and “ma’am.” He recalled the times when he was paddled inside the local schools, where he and other students were sternly punished “if you got out of line.”&�Բ�����;

“It’s a lot of what our country is missing now: Too many people get away with too many things and there’s no punishment for anything, there’s no accountability for anything anymore,” Arnold said. “When you’re held accountable, it keeps you in check.”&�Բ�����;

Arnold said he isn’t aware of any other instances in the county where a student reported school corporal punishment to law enforcement. He described the incident involving Daniels as one where a high school beauty pageant contestant has sought to rake in views and likes on social media. He offered a steadfast endorsement of local education leaders, adding that he’s “a little bit passionate when it comes to our school district.”&�Բ�����;

“I know what kind of school we have, I have children at that school, and I trust those individuals with my kids’ lives,” he said. “They are good people — they are really good people. They don’t want to do anything else in this county but help these children get an education.”

Yet for Daniels, she can’t get away from the thick wooden paddle and the bruises it left on her body.

“It was black and blue and purple and yellow and you could see where all the bruises had already started forming” in just minutes, she said, after she left the principal’s office and rushed into a school bathroom.

“It’s insane how hard they hit me.”

She had just taken her son out to target practice in what she described on social media as a “mom and son day testing out his new Christmas present:” a 9-millimeter pistol the high schooler referred to online as “My new beauty.”

The images were pivotal to an unprecedented conviction this week that legal scholars predict could create a new tool for prosecutors as the nation looks for ways to stem a record-setting uptick in mass shootings.

“This is the last picture we have of that gun until we see it murder four kids on Nov. 30, and the person holding it is Jennifer Crumbley,” Oakland County Prosecutor Karen McDonald said before a jury convicted the mother on four counts of involuntary manslaughter — one for each of the students her son gunned down at Oxford High School. 

“She’s the last person we see with that gun,” McDonald said. 

Crumbley is the first parent to be held directly responsible for a school shooting carried out by their child, turning on its head a bedrock legal principle: People cannot be held responsible for the actions of others.

“Look, I thought this case could go either way and still when the result came out I was a bit stunned because it’s such a deep legal principle,” Ekow Yankah, a University of Michigan law professor, told ���˶���.

And if other parents are charged in connection with shootings acted out by their children, Yankah said, the Crumbley conviction may make them more likely to accept a plea deal behind closed doors.

“Prosecutors will be tempted to use this power in ways that we don’t see,” he said. “A prosecutor is going to sit across from a parent when people are crying out for somebody to be held accountable and the prosecutor is going to be able to say, ‘I’m offering you three years to five years in prison, but if you don’t take this deal, I will prosecute for 15 years.’ ” 

For gun control advocates and the parents of children killed in their classrooms, the landmark trial’s outcome was welcomed. Craig Shilling, the father of Oxford shooting victim Justin Shilling, told a local TV station the conviction is “definitely a step towards accountability.” About three-quarters of school shooters obtain their guns from a parent or another close relative, according to a . In about half of cases, the guns had been readily accessible. 

The conviction is in many ways a watershed moment that hinged heavily on portrayals of Crumbley as a neglectful mom who paid more attention to her horses and an affair than to the son she’d gifted a gun to as he struggled with his mental health and exhibited violent behaviors. 

In this case, the gunman was charged as an adult while his mother was found guilty of crimes that stemmed from her role as an egregiously aloof and reckless parent. The gunman pleaded guilty in October 2022 to 24 charges, including first-degree murder and terrorism causing death, and was sentenced to life in prison without parole in December. 

The shooter’s father, James Crumbley, is scheduled to face a similar trial next month. 

Yankah, the UMichigan law professor, told ���˶��� he wasn’t aware of any other cases where a parent was held liable for the crimes of a child who was simultaneously considered “a legal agent” and therefore responsible for his own actions. 

It’s not the first time a parent has been held legally responsible for crimes committed by their children —including in helping their child secure a firearm later used in a mass shooting. Still, experts said the Crumbley case does present a significant escalation in a generations-long push to hold parents accountable for the misdeed of their kids.

One , published in the Utah Law Review in 2008, noted that such efforts appeared cyclical, noting that “every couple of decades or so” lawmakers claimed to “discover” the idea of holding parents to account for teenage crimes. 

Punishing parents

which impose civil or criminal liability on adults under the premise that their failures to take control as parents led to their kids’ bad acts. There is research that ties youth delinquency to poor parenting. 

One recent parental responsibility law, , specifically addressed guns. It imposed civil liability on parents for negligence or willful misconduct if they allow their minor children to use or possess guns if the child has been adjudicated delinquent, was convicted of a crime, has the propensity to commit violence or intends to use the weapon unlawfully. 

Efforts to hold parents accountable for their children’s behaviors are rooted in the very origins of the nation’s juvenile justice system in the early 1900s, which authorized the state to intervene when parents failed in their duties, and their constitutional implications. By the 1970s, the report notes, lawmakers began to place a greater emphasis on parents as a factor in juvenile crime and turned to

Little is known, however, about whether such efforts have been effective in reducing juvenile crime. Eve Brank, a professor of law and psychology at the University of Nebraska-Lincoln, told ���˶��� that she is unaware, after decades of researching the emergence of parental responsibility laws, of “any empirical research that shows that imposing punishments on parents because of the actions of the children will decrease juvenile crime.”

She is also unaware of any data indicating how frequently those laws are used. In 2015, she , who reported infrequent enforcement. Through her research, Brank has identified three types of such laws: civil liability, contributing to the delinquency of a minor and parental involvement. 

Under the statutes, parents can be held responsible for helping or encouraging their child to commit a crime and financially liable for damages. They can also be required to pay fines or attend parenting classes due to their children’s criminal acts. 

Among them are truancy laws, which require students to attend school. In New Jersey, for example, parents who don’t compel their children to attend school can face disorderly conduct charges and fines. Such efforts, however, have been heavily criticized — including during the 2016 presidential election when Vice President Kamala Harris was that imposed jail time and fines on parents in truancy cases while she served as state attorney general. 

In 2017, Pennsylvania lawmakers reformed state truancy rules and made them less punitive after a Reading County woman was found dead in 2014 while serving a two-day jail sentence for her children’s truancy because she was unable to pay a $2,000 fine. 

“Many of those statutes came under a lot of strain in the last say 15 years,” including ones around truancy, Yankah said, adding that people were skeptical about whether they addressed the root causes underlying the social problems they sought to address and could uphold long standing racial disparities in the judicial system. “Frankly, communities of color really learned that — as is so often the case — when we pass more criminal statutes the people who are in the crosshairs are politically vulnerable. It was a lot of Black mothers, and so those statutes kind of faded out of popularity.”&�Բ�����;

In some cases, parental responsibility laws have failed under court scrutiny. Among them is an ordinance in Maple Heights, Ohio, that for “failing to supervise a minor” if their child committed what would be considered a misdemeanor or a felony if it had been carried out by an adult. The in 2008 after a parent faced charges after her 17-year-old son was accused in juvenile court of carrying a concealed weapon, resisting arrest and failing to comply with a police officer. 

Meanwhile, officials have also sought to hold parents responsible when their children bully other kids. In 2016, the city council in Shawano, Wisconsin, passed an ordinance that on parents who failed to address their child’s harassment directed at other kids. 

In a high-profile cyberbullying case from 2013, a Florida sheriff bemoaned his of a girl who was charged criminally for harassing a 12-year-old classmate so relentlessly online that it led the girl to die by suicide. Among the harassment was an online message encouraging the 12-year-old to “drink bleach and die,” yet the parents continued to give the bully access to social media. 

“I’m aggravated that the parents aren’t doing what parents should do,” Polk County Sheriff Grady Judd told reporters at the time. “Responsible parents take disciplinary action.”&�Բ�����;

A new category of parental responsibility

Crumbley’s conviction, Brank said, “doesn’t fit into any of these categories” of traditional parental responsibility laws and is instead a first-of-its-kind extension of the manslaughter statute. 

As officials seek to crack down on mass shootings, the Crumbley case is one of several recent examples where prosecutors sought to hold parents accountable when their children carried out what once were unthinkable acts of violence.

In December, a Virginia mother was for felony child neglect after her 6-year-old son brought a gun to his Newport News elementary school and shot his first-grade teacher. In a separate prosecution, the mother pleaded guilty to using marijuana while owning a firearm and for making false statements about her drug use. 

In a separate prosecution that may have laid the groundwork for the Crumbley case, to misdemeanor reckless conduct on charges that stemmed from a shooting carried out by his son at a 2022 Highland Park Independence Day parade, which left seven people dead. That case centered on how his son, who was 19 at the time, obtained a gun license. 

At the time of the massacre, the gunman was too young to apply for a firearm license so his father sponsored his application despite knowing his son had a history of behaving violently. Several months before the attack, a relative reported to police that the teenager had a large collection of knives and had threatened to “kill everyone.”&�Բ�����;

In the Highland Park case, was explicit: The father’s guilty plea, he said, should be a “beacon” to others that parents can be held accountable for the actions of their children. 

“We’ve laid down a marker to other prosecutors, to other police in this country, to other parents, that they must be held accountable,” Lake County State Attorney Eric Rinehart said. “The risk of potentially losing this innovative prosecution — and not putting down any marker — was too great for our trial team.”&�Բ�����;

Yankah said it’s important to look at new parental accountability efforts through their historical contexts. 

“Looking back at history,” he said, “shows us that our historical experiments with this kind of liability for parents has rarely solved the underlying problem,” he said. “Maybe this kind of case will have an effect, maybe parents will be more attentive. But to speak honestly, I think what a case like this shows is how many different things we as a society have to work on if we really want to be free of this violence.”

In response to an inquiry by ���˶���, the nonprofit Future of Privacy Forum said last week it would review Raptor Technologies’ status as a Student Privacy Pledge signatory after a maintained by the company were readily available without any encryption protection despite Raptor’s claims that it scrambles its data. 

“We are reviewing the details of Raptor Technologies’ leak to determine if the company has violated its Pledge commitments,” David Sallay, the Washington-based group’s director of youth and education privacy, said in a Jan. 24 statement. “A final decision about the company’s status as Pledge signatory, including, if applicable, potential referrals to the [Federal Trade Commission] and relevant State Attorneys General, is expected within 30 days.”&�Բ�����;

Should the privacy forum choose to take action, Raptor would become just the second-ever education technology company to be removed from the pledge. 

Texas-based , which counts roughly 40% of U.S. school districts as its customers, offers an extensive suite of software designed to improve campus safety, including a tool that screens visitors’ government-issued identification cards against sex offender registries, a management system that helps school leaders prepare for and respond to emergencies, and a threat assessment tool that allows educators to report if they notice “something a bit odd about a student’s behavior” that they believe could become a safety risk. This means, according to a Raptor guide, that the company collects data on kids who appear ‘unkempt or hungry,” withdrawn from friends, to engage in self-harm, have poor concentration or struggle academically. 
Rather than keeping students safe, however, cybersecurity researcher Jeremiah Fowler said the widespread data breach threatened to put them in harm’s way. And as cybersecurity experts express concerns about , they’ve criticized the Student Privacy Pledge for lackluster enforcement in lieu of regulations and minimum security standards. 

Fowler, a cybersecurity researcher at and a self-described “data breach hunter,” has been tracking down online vulnerabilities for a decade. The Raptor leak is “probably the most diverse set of documents I’ve ever seen in one database,” he said, including information about campus surveillance cameras that didn’t work, teen drug use and the gathering points where students were instructed to meet in the event of a school shooting. 

vpnMentor in December and Fowler said the company was responsive and worked quickly to fix the problem. The breach wasn’t the result of a hack and there’s no evidence that the information has fallen into the hands of threat actors, though Fowler in the last several months. 

The situation could have grown far more dire without Fowler’s audit. 

“The real danger would be having the game plan of what to do when there is a situation,” like an active shooting, Fowler said in an interview with ���˶���. “It’s like playing in the Super Bowl and giving the other team all of your playbooks and then you’re like, ‘Hey, how did we lose?’”

David Rogers, Raptor’s chief marketing officer, said last week the company is conducting an investigation to determine the scope of the breached data to ensure “that any individuals whose personal information could have been affected are appropriately notified.”&�Բ�����;

“Our security protocols are rigorously tested, and in light of recent events, we are committed to further enhancing our systems,” Rogers said in a statement. “We take this matter incredibly seriously and will remain vigilant, including by monitoring the web for any evidence that any data that has been in our possession is being misused.”&�Բ�����;

‘Maybe this is a pattern’

Raptor is currently among more than 400 companies that , a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children. 

Raptor and the other companies have vowed against selling students’ personally identifiable information or using it for targeted advertising, among other commitments. They also agreed to “maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality and integrity” of student’s personal information against unauthorized or unintended disclosure. Cybersafeguards, the pledge notes, should be “appropriate to the sensitivity of the information.”&�Բ�����;

Raptor touts its pledge commitment on its website, where it notes the company takes “great care and responsibility to both support the effective use of student information and safeguard student privacy and information security.” The company that it ensures “the highest levels of security and privacy of customer data,” including encryption “both at rest and in-transit,” meaning that data is scrambled into an unusable format without a password while it is being stored on servers and while it’s being moved between devices or networks. 

Its , however, offers a more proscribed assurance, saying the company takes “reasonable” measures to protect sensitive data, but that it cannot guarantee that such information “will be protected against unauthorized access, loss, misuse or alterations.”&�Բ�����;

Districts nationwide have spent tens of millions of dollars on Raptor’s software, according to GovSpend, a government procurement database. Recent customers include the school districts in Dallas, Texas, Broward County, Florida, and Rochester, New York. Under , education technology companies that collect student data are required to maintain a cybersecurity program that includes data encryption and controls to ensure that personally identifiable information doesn’t fall into the hands of unauthorized actors. 

Countering Raptor’s claims that data were encrypted, Fowler told ���˶��� the documents he accessed “were just straight-up PDFs, they didn’t have any password protections on them,” adding that the files could be found by simply entering their URLs into a web browser. 

Officials at the Rochester school district didn’t respond to requests for comment about whether they had been notified about the breach and its effects on their students or if they were aware that Raptor may not have been in compliance with state encryption requirements. 

Doug Levin, the national director of the nonprofit K12 Security Information eXchange, said the Raptor blunder is reminiscent of a 2022 data breach at the technology vendor Illuminate Education, which exposed the information of at least 3 million students nationwide, including 820,000 current and former New York City students. Levin noted that both companies claimed their data was encrypted at rest and in transit — “except maybe it wasn’t.”&�Բ�����;

A decade after the privacy pledge was introduced, he said “it falls far short of offering the regulatory and legal protections students, families and educators deserve.”

“How can educators know if a company is taking security seriously?” Levin asked. Raptor “said all of the right things on their website about what they were doing and, yet again, it looks like a company wasn’t forthright. And so, maybe this is a pattern.”&�Բ�����;

State data breach rules have long focused on personal information, like Social Security numbers, that could be used for identity theft and other financial crimes. But the consequences of data breaches like the one at Raptor, Fowler said, could be far more devastating — and could harm children for the rest of their lives. He noted the exposure of health records, which could violate federal privacy law, could be exploited for various forms of fraud. Discipline reports and other sensitive information, including about student sexual abuse victims, could be highly embarrassing or stigmatizing. 

Meanwhile, he said the exposure of confidential records about physical security infrastructure in schools, and district emergency response plans, could put kids in physical danger. 

Details about campus security infrastructure have been exploited by bad actors in the past. After Minneapolis Public Schools fell victim to a ransomware attack last February that led to a large-scale data breach, an investigation by ���˶��� uncovered reams of campus security records, including campus blueprints that revealed the locations of surveillance cameras, instructions on how to disarm a campus alarm system and maps that documented the routes that children are instructed to take during an emergency evacuation. The data can be tracked down with little more than a Google search. 

“I’ve got a 14-year-old daughter and when I’m seeing these school maps I’m like, ‘Oh my God, I can see where the safe room is, I can see where the keys are, I can see the direction they are going to travel from each classroom, where the meetup points are, where the police are going to be,” Fowler said of the Raptor breach. “That’s the part where I was like, ‘Oh my God, this literally is the blueprint for what happens in the event of a shooting.”&�Բ�����;

‘Sweep it under the rug’

The Future of Privacy Forum’s initial response to the Raptor breach mirrors the nonprofit’s actions after the 2022 data breach at Illuminate Education, which was previously listed among the privacy pledge signatories and became the first-ever company to get stripped of the designation. 

The forum’s decision to remove Illuminate followed an article in ���˶���, where student privacy advocates criticized it for years of failures to enforce its pledge commitments — and accused it of being a tech company-funded effort to thwart government regulations. 

The pledge, which was created by the privacy forum in partnership with the Software and Information Industry Association, a technology trade group, was created in 2014, placing restrictions on the ways ed tech companies could use the data they collect about K-12 students. 

Along with stripping Illuminate of its pledge signatory designation, the forum referred it to the Federal Trade Commission, which the nonprofit maintains can hold companies accountable to their commitments via consumer protection rules that prohibit unfair and deceptive business practices. The company was also referred to the state attorneys general in New York and California to “consider further appropriate action.” It’s unclear if regulators took any actions against Illuminate. The FTC and the California attorney general’s office didn’t respond to requests for comment. The New York attorney general’s office is reviewing the Illuminate breach, a spokesperson said. 

“Publicly available information appears to confirm that Illuminate Education did not encrypt all student information” in violation of several Pledge provisions, Forum CEO Jules Polonetsky told ���˶��� at the time. Among them is a commitment to “maintain a comprehensive security program” that protects students’ sensitive information” and to “comply with applicable laws,” including New York’s  “explicit data encryption requirement.”&�Բ�����;

After the breach and before it was removed from the pledge, the Software and Information Industry Association recognized Illuminate with the sector’s equivalent of an Oscar. 

Raptor isn’t the only pledge signatory to fall victim to a recent data breach. In December, a cybersecurity researcher disclosed a security vulnerability at Education Logistics, commonly known as EduLog, which offers a GPS tracking system to give parents real-time information about the location of their children’s school buses. A statement the forum provided ���˶��� didn’t mention whether it had opened an inquiry into whether EduLog had failed to comply with the pledge commitments. 

Despite the forum’s actions against Illuminate Education, and its new inquiry into Raptor, the pledge continues to face criticism for having little utility, including from Fowler, who likened it to “virtue signaling” that can be quickly brushed aside. 

“Pledges are just that, they’re like, ‘Hey, that sounds good, we’ll agree to it until it no longer fits our business model,” he said. “A pledge is just like, “whoops, our bad,” a little bit of bad press and you just sweep it under the rug and move on.”&�Բ�����;

Chad Marlow, a senior policy counsel at the American Civil Liberties Union focused on privacy and surveillance issues, offered a similar perspective. Given the persistent threat of data breaches and a growing number of cyberattacks on the K-12 sector, Marlow said that schools should take a hard look at the amount of data that they and their vendors collect about students in the first place. He said Raptor’s early intervention system, which seeks to identify children who pose a potential threat to themselves or others, is an unproven surveillance system that could become a vector for student discrimination in the name of keeping them safe. 

Although he said he has “a great deal of admiration” for the privacy forum and the privacy pledge goals, it falls short on accountability when compared to regulations that mandate compliance.

“Sometimes pledges like this, which are designed to make a little bit of progress, actually do the opposite because it allows companies to point to these pledges and say, ‘Look, we are committed to doing better,’ when in fact, they’re using the pledge to avoid being told to do better,” he said. “That’s what we need, not people saying, ‘On scout’s honor I’ll do X.’”  

Disclosure: The Bill & Melinda Gates Foundation and the Chan Zuckerberg Initiative provide financial support to the Future of Privacy Forum and ���˶���.

The Senate Judiciary Committee hearing in Washington, D.C., was the latest act in a bipartisan effort to bolster federal regulations on social media platforms like Instagram and TikTok amid a growing chorus of parents and adolescent mental health experts warning the services have harmed youth well-being and, in some cases, pushed them to suicide. 

In an unprecedented moment, Meta founder and CEO Mark Zuckerberg, at the urging of Missouri Republican Sen. Josh Hawley, stood up and turned around to face the audience, apologizing to the parents in attendance who said their children were damaged — and in some cases, died — because of his company’s algorithms. 

“I’m sorry for everything you’ve all gone through,” said Zuckerberg, whose company owns Facebook and Instagram. “It’s terrible. No one should have to go through the things that your families have suffered.”

Senators argued the companies — and tech executives themselves — should be held legally responsible for instances of abuse and exploitation under tougher regulations that would limit children’s access to social media platforms and restrict their exposure to harmful content.

“Your platforms really suck at policing themselves,” Sen. Sheldon Whitehouse, a Rhode Island Democrat, told Zuckerberg and the CEOs of X, TikTok, Discord and Snap, who were summoned to testify. Section 230 of the Communications Decency Act, which allows social media platforms to moderate content as they see fit and generally provides immunity from liability for user-generated posts, has routinely shielded tech companies from accountability. As youth harms persist, he said those legal protections are “a very significant part of that problem.”&�Բ�����;

Whitehouse pointed to a lawsuit against X, formerly Twitter, that was filed by two men who claimed a sex trafficker manipulated them into sharing sexually explicit videos of themselves over Snapchat when they were just 13 years old. Links to the videos appeared on Twitter years later, but the company allegedly refused to take action until after they were contacted by a Department of Homeland Security agent and the posts had generated more than 160,000 views. The by the Ninth Circuit, which cited Section 230. 

“That’s a pretty foul set of facts,” Whitehouse said. “There is nothing about that set of facts that tells me Section 230 performed any public service in that regard.”

In an opening statement, Democratic committee chair, Sen. Dick Durbin of Illinois, offered a chilling description of the harms inflicted on young people by each of the social media platforms represented at the hearing. In addition to Zuckerberg, executives who testified were X CEO Linda Yaccarino, TikTok CEO Shou Chew, Snap co-founder and CEO Evan Spiegel and Discord CEO Jason Citron.

“Discord has been used to groom, abduct and abuse children,” Durbin said. “Meta’s Instagram helped connect and promote a network of pedophiles. Snapchat’s disappearing messages have been co-opted by criminals who financially extort young victims. TikTok has become a, quote, ‘platform of choice’ for predators to access, engage and groom children for abuse. And the prevalance of [child sexual abuse material] on X has grown as the company has gutted its trust and safety workforce.”&�Բ�����;

Citron testified that Discord has “a zero tolerance policy” for content that features sexual exploitation and that it uses filters to scan and block such materials from its service. 

“Just like all technology and tools, there are people who exploit and abuse our platforms for immoral and illegal purposes,” Citron said. “All of us here on the panel today, and throughout the tech industry, have a solemn and urgent responsibility to ensure that everyone who uses our platforms is protected from these criminals both online and off.”&�Բ�����;

Lawmakers have introduced a slate of regulatory bills that have gained bipartisan traction but have failed to become law. Among them is the Kids Online Safety Act, which would require social media companies and other online services to take “reasonable measures” to protect children from cyberbullying, sexual exploitation and materials that promote self-harm. It would also mandate strict privacy settings when teens use the online services. Other proposals would to report suspected drug activity to the police — some parents said their children overdosed and died after buying drugs on the platforms — and a bill that would hold them accountable for hosting child sexual abuse materials. 

In their testimonies, each of the tech executives said they have taken steps to protect children who use their services, including features that restrict certain types of content, limit screen time and curtail the people they’re allowed to communicate with. But they also sought to distance their services from harms in a bid to stave off regulations. 

“With so much of our lives spent on mobile devices and social media, it’s important to look into the effects on teen mental health and well-being,” Zuckerberg said. “I take this very seriously. Mental health is a complex issue, and the existing body of scientific work has not shown a causal link between using social media and young people having worse mental health outcomes.”&�Բ�����;

Zuckerberg by the National Academies of Sciences, Engineering and Medicine, which concluded there is a lack of evidence to confirm that social media causes changes in adolescent well-being at the population level and that the services could carry both benefits and harms for young people. While social media websites can expose children to online harassment and fringe ideas, researchers noted, the services can be used by young people to foster community. 

In October, 42 state attorneys general , alleging that the social media giant knowingly and purposely designed tools to addict children to its services. U.S. Surgeon General Vivek Murthy warning that social media sites pose a “profound risk of harm” to youth mental health, stating that the tools should come with warning labels. Among evidence of the harms is which found that Instagram led to body-image issues among teenage girls and that many of its young users blamed the platform for increases in anxiety and depression. 

Republican lawmakers devoted a significant amount of time during the hearing to criticizing TikTok for its ties to the Chinese government, calling out the app for collecting data about U.S. citizens, including in an effort to surveil American journalists. The Justice Department is reportedly investigating allegations that ByteDance, the Chinese company that owns TikTok, used the app to surveil several American journalists who report on the tech industry. 

In response, Chew said the company launched an initiative — dubbed “Project Texas” — to prevent its Chinese employees from accessing personal data about U.S. citizens. But employees claim the company has . 

YouTube and TikTok are by far the platforms where teens spend the most hours per day, according to a 2023 Gallup survey although Neal Mohan, the CEO of Google-owned YouTube, was not called in to testify.

Mainstream social media platforms have also been exploited for domestic online extremism. Earlier this month, for example, a teenager accused of carrying out a mass shooting at his Iowa high school reportedly maintained an active presence on Discord and, shortly before the rampage, commented in a channel dedicated to such attacks that he was “gearing up” for the mayhem. Just minutes before the shooting, the suspect appeared to capture a video inside a school bathroom and uploaded it to TikTok. 

Josh Golin, the executive director of Fairplay, a nonprofit devoted to bolstering online child protections, blasted the tech executives’ testimony for being little more than “evasions and deflections.”&�Բ�����;

“If Congress really cares about the families who packed the hearing today holding pictures of their children lost to social media harms, they will move the Kids Online Safety Act,” Golin said in a statement. “Pointed questions and sound bites won’t save lives, but KOSA will.”&�Բ�����;

The safety act, known as KOSA, has faced pushback from civil rights advocates on First Amendment grounds, arguing the proposal could be used to censor certain content and . Sen. Marsha Blackburn, a Republican from Tennessee and KOSA co-author, said last fall the rules are important to protect “minor children from the transgender in this culture” and cited the legislation as a way to shield children from “being indoctrinated” online. The Heritage Foundation, a conservative think tank, endorsed the legislation, that “keeping trans content away from children is protecting kids.”&�Բ�����;

Snap’s Evan Spiegel and X’s Linda Yaccarino both agreed to support the Kids Online Safety Act.

Aliya Bhatia, a policy analyst with the nonprofit Center for Democracy and Technology, said that although lawmakers made clear their intention to act, their directives could end up doing more harm than good. She said the platforms serve as “peer-to-peer learning and community networks” where young people can access information about reproductive health and other important topics that they might not feel comfortable receiving from adults in their lives. 

“It’s clear that this is a really tricky issue, it’s really difficult for the government and companies to decide what is harmful for young people,” Bhatia said. “What one young person finds helpful online, another might find harmful.”

South Carolina’s Sen. Lindsey Graham, the committee’s ranking Republican, said that social media companies can’t be trusted to keep kids safe online and that lawmakers have run out of patience.

“If you’re waiting on these guys to solve the problem,” he said, “we’re going to die waiting.”&�Բ�����;

It wasn’t until after 7 p.m. that evening when the boys, 5-year-old William and 8-year-old Joseph, arrived on a school bus unharmed.Their delayed return was the result of what officials at Kentucky’s Jefferson County Public Schools a “transportation disaster”: A tech-enabled bus routing system implemented to improve efficiency backfired and some kids didn’t make it home until nearly 10 p.m. 

“I was wondering, ‘Is my son safe?’ ” Bramel told ���˶���. “Are they safe? Are they OK? Did anything happen?”

Months later, Bramel is once again upset and concerned that his kids had been left vulnerable. Again, technology is the culprit. After the bus delay fiasco, school officials in Louisville signed up for a GPS tracking system offered by the Montana-based company Education Logistics, commonly known as Edulog. Through an app, the system gives parents real-time information about the location of their children’s school buses. 

The service offers parents valuable updates about bus arrivals and departures and tools like it have been embraced by families and heralded by school officials across the country, especially when there are busing snafus. Bramel said he now regularly relies on the Edulog service. Yet in Louisville and at districts nationwide, cybersecurity researchers found, vulnerabilities could have left sensitive data open to exploitation by bad actors. 

James Sebree, a senior staff research engineer at Maryland-based cybersecurity company Tenable, said his inquiry into Edulog’s Parent Portal began after a friend voiced security concerns as it was being rolled out at his child’s school. . Because the Edulog apps lacked sufficient authentication and access controls, anybody could access a large swath of sensitive information about students and families with little more than a free account. Among the exposed records were the real-time location of school buses, pick-up and drop-off times, information about scheduled delays, logs of students who were assigned to specific routes and their parents’ contact information. 

“It was startling to see the extent to which we were able to access information by bypassing the client-side restrictions, particularly when that information involved minors,” Sebree said in an email to ���˶���. Sebree said his firm isn’t aware of any instances where the data was actually exploited by bad actors and that Edulog worked quickly to patch the vulnerabilities once Tenable alerted them to the issues in early September. But the bug while it existed, he said, was relatively easy to exploit. 

“GPS data in conjunction with parental contact information, if compromised,” he said, “ could lead to scary situations for parents and students.”

School districts nationwide have increasingly turned to GPS tracking systems to help keep parents in the loop about arrival and departure times, particularly amid a national that’s led to chaos in many places and education leaders having to rethink their transportation logistics. 

In Louisville, the school bus woes forced leaders to cancel classes for several days right at the beginning of the new academic year. Last March, Chicago Public Schools to address widespread transportation hurdles of its own, including canceled routes and unreliable service. In some instances, the district has called on taxis and paid $500 transportation stipends to parents to get kids to and from school. 

As school districts increasingly turn to thousands of third-party education technology vendors to streamline instruction and across all parts of their operations, the Edulog vulnerability highlights how such arrangements can introduce new privacy and security risks, especially when for-profit companies collect sensitive information like real-time location data involving students. 

Edulog claims more than 6 million students are transported on school buses equipped with its software. Recent customers include the school districts in Wichita, Kansas, Newport News, Virginia, and Greenwich, Connecticut, according to data from GovSpend, which tracks government procurement. 

In , the company acknowledged that it had been notified of “a potential vulnerability” and that they had “researched the issue and resolved it in the next build of the product.” Yet the company is not contractually obligated to notify their customer districts or parents that the weakness was uncovered, Lam Nguyen-Bull, Edulog’s chief experience officer and general counsel, told ���˶��� in an interview. At the same time, she recognized the student safety risks involved in the potential breach of real-time GPS data is “certainly a concern.”&�Բ�����;

“That’s something that districts have to weigh, as it is any time you get into a service like this: What are you willing to risk and is it worth the cost?” she said. “You can take as many cautions as possible, but a creative and dedicated person will always be able to find a vulnerability.”&�Բ�����;

Mark Hebert, the Jefferson County Public Schools spokesperson, said in an email the Louisville district relies on Edulog’s “Lite” version, which offers parents bus location information “but little else.”&�Բ�����;

Yet for Bramel, news that the bus tracker that he found so handy carried privacy risks brought newfound anxiety. Bramel said that he had heard rumors about a Edulog security lapse but hadn’t received formal outreach from the district, leaving him to wonder about the types of information that could have been exposed. 

He said school transportation in Louisville remains so erratic that he’s considered moving out of the district boundaries altogether. Allowing anyone access to real-time school bus information, he said, could have been catastrophic. 

“That’s infuriating because that puts my child at risk, that’s their life in danger,” he said. “A perpetrator could be meeting up or something like that. Human trafficking is still going on.”&�Բ�����;

The privacy implications of bus trackers

Edulog’s Nguyen-Bull noted that privacy issues have been present ever since GPS services were first introduced to consumers in the late 1980s. Such implications are perhaps amplified in the context of students and schools, but ultimately, she said, they take a back seat for most people.

“The truth is, we generally are lazy beings, right?” Nguyen-Bull said. “We go for convenience.”&�Բ�����;

Edulog has been providing school districts with bus routing services since 1977, but Nguyen-Bull said it was consumers who ultimately began to push for real-time GPS tracking about a decade ago. 

Numerous companies now offer such services for school buses, including in big urban districts like , which just launched its long-awaited tracker last week; and Los Angeles. The services, however, haven’t always lived up to the expectations of parents or school bus drivers, with both reporting accuracy concerns. The power of real-time information has also introduced new safety risks, Nguyen-Bull said. If the app says a bus is expected to arrive five minutes late, she said that “personal optimizers” will use that information to delay their trek to the bus stop. 

“That creates problems where kids are rushing across streets or they’re not being careful in how they approach the bus,” she said, adding that the issue is compounded in instances when the GPS information is inaccurate. “We’ve become so reliant on our phones that we don’t actually look up and see what the reality is.”&�Բ�����;

Meanwhile, over the last year the federal government has placed a heightened emphasis on cybersecurity risks introduced to the education sector through third-party technology vendors like Edulog. In September, the federal Cybersecurity and Infrastructure Security Agency to sign a voluntary pledge and commit to building products with robust security protections. Companies that sign the pledge agree to “radical transparency” and to “take ownership of customer security outcomes.”&�Բ�����;

In a December blog post, the federal cybersecurity agency noted that school districts should not be required to “bear the cybersecurity burden alone,” and advocated for shifting many responsibilities to vendors. 

“Cybersecurity issues facing K-12 could be much more effectively and cheaply dealt with earlier in the supply chain, by focusing on a relatively smaller number of linchpin companies serving very large numbers of students and educators instead of school district by school district, school by school,” the post noted. 

But Nguyen-Bull said her company was uninterested in signing the pledge, calling it meaningless without any clear cybersecurity standards. Yet she also balked at the idea of regulations that would set specific cybersecurity requirements. 

“We’re not just going to sign random pledges that ask for slightly different things if we don’t know if we can track those things,” she said. “As a small family-run business, we don’t have five compliance people tracking all of the different pledges and ensuring that we check all of the boxes.”

Sebree, of the cybersecurity firm Tenable, said that transparency about security lapses is key, telling ���˶��� in an email that vendors “have an ethical responsibility” to inform customers in a timely manner so they can make knowledgeable decisions. 

“Notifying their customers that a vulnerability had been discovered and fixed, even if no evidence of a breach was found, would have been the most transparent action here,” he said. “Customers deserve to know when their data has been at risk so they can make decisions in the future with all of the information in hand.”&�Բ�����;

Louisville father Bramel said that he and other parents should also have been notified — either by the district or the company itself — about the extent that information had been exposed to preserve trust.

“When you’ve got to rely on this system to cover your kids and they can’t have open communication, what other issues are going on besides that issue?” Bramel asked. “I’m honestly shocked there aren’t lawsuits and stuff like that happening right now … because this is completely uncalled for.”

Nearly 44% of public K-12 schools were staffed with school resource officers at least once a week during the 2021-22 school year, by the Education Department’s National Center for Education Statistics. Between Floyd’s murder in May 2020 and June 2022, ended their school resource officer programs or cut their budgets following widespread Black Lives Matter protests and concerns that campus policing has detrimental effects on students — and Black youth in particular. 

The data reflect an 11% decrease in school policing from the 2019-20 school year, when more than 49% of schools had a regular police presence, according to the nationally representative federal survey. That year, schools underwent an increase in campus policing after the 2018 mass school shootings in Parkland, Florida, and Santa Fe, Texas, prompted a surge in new security funding and mandates, a pattern that could repeat itself when future federal numbers capture the nation’s reaction to the 2022 school shooting in Uvalde, Texas.

“This is the George Floyd effect,” said criminal justice researcher Shawn Bushway, who pulled up a calculator during a telephone interview with ���˶��� and crunched the federal survey data against that removed cops from their buildings, which collectively served more than 1.7 million students. 

“It’s not seismic, but I think what’s most interesting about it is that it’s the reversal of a trend in a fairly dramatic way,” said Bushway, a University at Albany in New York professor. “It’s been going up quite a bit and now it’s dropped.”

The new federal data were published the same week as Thursday’s release of a damning U.S. Department of Justice report that cited “critical failures” by police during the May 2022 mass shooting at Uvalde’s Robb Elementary School in which 19 students and two teachers were killed. During the shooting, 376 law enforcement officers responded to the scene but waited more than an hour to confront the 18-year-old shooter, a botched reaction that disregarded established police protocols and, investigators said, cost lives.

“Had law enforcement agencies followed generally accepted practices in an active shooter situation and gone right after the shooter to stop him, lives would have been saved and people would have survived,” U.S. Attorney General Merrick Garland said in Uvalde.

“Their loved ones deserved better,” he said. 

Chris Chapman, the associate commissioner of the National Center for Education Statistics, said on a press call Tuesday that the survey data didn’t make clear a definitive reason for the decline in school-based officers. Experts said that several other factors, including campus closures during the pandemic, budget constraints and a national police officer shortage, may have also contributed. 

Either way, the downward trend may be short-lived. 

Multiple districts that cut their school resource officer programs after Floyd’s murder, including those in Denver, Colorado, and Arlington, Virginia, reversed course after educators reported an uptick in classroom disorder after COVID-era remote learning. Mass school shootings have long driven efforts to bolster campus policing, a reality that has played out in the last several years as the nation experienced an unprecedented number of such attacks. 

Despite officers’ grievously mishandled response in Uvalde, the shooting led to renewed efforts in Texas and elsewhere to strengthen police presence in schools. A similar situation played out after the mass shooting at Parkland’s Marjory Stoneman Douglas High School. Federal data show national growth in campus policing even after the school resource officer assigned to the Broward County campus failed to confront the gunman, who killed 17 people. 

The now-former officer, Scot Peterson, was acquitted of criminal negligence and perjury charges but faces a new trial in a civil lawsuit by shooting victims’ families, who allege his failure to intervene during the six-minute attack displayed a “wanton and willful disregard” for students’ and teachers’ safety. Qualified immunity generally protects officers from liability for mistakes made on the job. 

After Parkland, a new Florida law required an armed security presence on every K-12 campus. The Uvalde shooting led to similar . In both states, a police officer labor shortage, which experts said may have contributed to the 2021-22 decline in schools, has hindered officials’ efforts to comply. In Kentucky, more than 40% of schools lack school resource officers, a reality that school officials have blamed on a lack of funding and a depleted applicant pool. 

“It wouldn’t surprise me if, when that data comes back out, we see that spike go back up,” said Mo Canady, executive director of the National Association of School Resource Officers, which offers a training program for campus cops. “It’s not the way I want to gain business, but some of the busiest years we’ve had training wise are 18 months after a school massacre. I can tell you that 2019 was the biggest year in our association’s history by far — and that’s coming right off the Marjory Stoneman Douglas massacre.”

Advocates for police-free schools recognize the headwinds they face. Tyler Whittenberg, the deputy director of the Advancement Project’s Opportunity to Learn initiative, said that while advocates “are proud of the victories that were won” after George Floyd’s murder, educators who removed police from schools “are fighting really hard to hold onto those gains,” some of which face in districts that don’t want them. 

“We’re not really rushing to a conclusion that this represents an overall reduction in police in schools, especially because for many of our partners on the ground this is not their day-to-day experience,” he said. “They’re having to fight back — especially at the state level — against efforts to increase the number of police in their schools.”&�Բ�����;

Safety threats on the decline

In the 1970s, just 1% of schools were staffed by police. Decades of efforts since then to swell their ranks have coincided with a marked improvement in campus safety. 

During the 2021-22 school year, 67% of schools reported at least one violent crime on campus, totaling some 857,500 violent incidents. Federal data show the nation’s schools experienced a violent crime rate of 18 incidents per 1,000 students in 2021-22. That’s a steep decline from 1999-00, when schools recorded a violent crime rate of 32 incidents per 1,000, and 2009-10, when the violent crime rate was 25 per 1,000. 

Police officers’ contributions to making schools safer over the past two decades, however, remain the subject of ongoing research and heated debate. In a study last year, which was published in the peer-reviewed Journal of Policy Analysis and Management, Bushway and his colleagues found that placing . And although researchers were unable to analyze officers’ effects on mass school shootings because such tragedies are statistically rare, they were associated with an uptick in reported firearm offenses — suggesting an increased detection of guns. The officers were also associated with a stark uptick in student disciplinary actions, including suspensions and arrests, particularly among Black students and those with disabilities. 

“There’s a cost-benefit here and everybody’s calculus on how you weigh these different things is going to be different,” Bushway said. “There’s no pure answer to that question, different people are going to answer that question differently.”

Previous research suggests that suspensions or improve school safety, but have detrimental effects on punished students’ academic performance, attendance and behavior. Their effects on non-misbehaving students remain unclear. 

Other researchers have reached a much more critical conclusion about the effects of school-based police on students. In in November on the existing literature into school officers’ efficacy, researchers failed to identify evidence that school-based law enforcement promoted safety in schools but reinforced concerns that their presence “criminalizes students and schools.”&�Բ�����;

“I think the evidence is increasingly supporting the notion that police don’t belong in schools,” report author Ben Fisher, an associate professor of civil society and community studies at the University of Wisconsin-Madison, told ���˶���. Removing officers who have been there for years, he said, may cause problems of its own. “If we’re going to get police out of schools, which I think is the right long-term vision and short-term vision, I think we need to do it thoughtfully with plans in place to make schools welcoming and supportive.”&�Բ�����;

The federal survey, which was conducted between Feb. 15 and July 19, 2022, also found large geographical differences in the types of tools that school-based police use on the job. Across the board, officers in urban areas were less likely than their rural and suburban counterparts to carry guns and pepper spray or to be equipped with body-worn cameras. 

Beyond data on campus policing, the new federal survey offers a comprehensive look at the state of campus safety and security, reflecting school leaders’ responses to the pandemic and record numbers of mass school shootings. Other findings include: 

• In 2021-22, about 49% of schools provided diagnostic mental health assessments to evaluate students for mental health disorders. This is a decline from 2019-20, when 55% conducted assessments. Meanwhile, 38% provided students with treatments for mental health disorders in 2021-22, down from 42% in 2019-20. 

• Restorative justice, a conflict resolution technique, was used in 59% of schools in 2021-22, which was similar to 2019-20 but an increase from the 42% that used the approach in 2017-18. 

• The latest data indicate a decline in campus drug and alcohol incidents. In 2021-22, 71% of schools reported at least one incident involving the distribution, possession or use of illegal drugs, down from 77% in 2019-20. Meanwhile, 34% reported at least one alcohol-related incident in 2021-22, down from 41% in 2019-20. 

Amid reports of heightened antisemitism and Islamophobia in schools and colleges since the start of the Israel-Hamas war, a senior Education Department official said the agency has received a “huge, huge influx” of civil rights complaints that have led to a surge in federal investigations. 

Since the Oct. 7 attack by Hamas terrorists on Israel and the subsequent bombing and invasion of Gaza by the Israeli military, the into schools’ and colleges’ responses to complaints of discrimination based on shared ancestry, which includes antisemitism and Islamophobia. 

Of the new investigations, the senior official told ���˶���, 19 are in response to conduct that unfolded in schools in the last two months alone. Of the incidents since Oct. 7 that are now under investigation, 17 took place on college campuses. 

Last fiscal year, by contrast, the office opened 28 shared ancestry investigations over the entire 12-month period. The year before, there were just 15. Such inquiries seek to determine whether schools adequately respond to incidents that create hostile learning environments in violation of Title VI of the Civil Rights Act, which prohibits discrimination based on race, ethnicity or national origin. 

“We are deeply concerned about the incidents that we’ve seen reported in schools all over the country, and about the safety of students, and the protection of non-discrimination rights for students in P-12 schools as well as in institutions of higher education,” Catherine Lhamon, the department’s assistant secretary for civil rights, said in an interview Wednesday with ���˶���. “We’re very, very concerned about what we’re seeing in schools.”

Though officials declined to comment on the specifics of active federal investigations, a spike in reported antisemitic and Islamophobic incidents in and outside of schools have convulsed the nation and elevated student safety concerns. 

Near Louisiana’s Tulane University, a clash between pro-Palestinian and pro-Israel and police are investigating a as a potential hate crime targeting an Arab Muslim student. At Rutgers University, officials chapter following claims the group disrupted classes and vandalized campus. At Harvard University, a rabbi to hide the campus menorah each night of Hanukkah due to vandalism fears. In California, a with involuntary manslaughter and battery after an alleged physical altercation broke out at a demonstration that led to the death of a Jewish protester. 

Outside of schools, police said a 6-year-old Chicago boy was in an alleged anti-Muslim attack, and in Burlington, Vermont, three college while walking down a sidewalk over Thanksgiving weekend. 

The escalating confrontations have embroiled school leaders, who have been criticized for failing to clamp down on hate speech and discrimination. Just days after in Washington about rising antisemitism on college campuses, Elizabeth Magill resigned as University of Pennsylvania president. She and the presidents of Harvard University and the Massachusetts Institute of Technology were accused of being equivocating and evasive after giving carefully worded replies to repeated questions about whether calling for the “genocide of Jews” violated their schools’ code of conduct. Magill responded that it’s “a context-dependent decision,” underscoring school leaders’ obligations to ensure safe learning environments while protecting people’s free speech rights. 

Harvard University President Tuesday after facing similar scrutiny for her testimony at the congressional hearing and unrelated plagiarism allegations.

Of the 29 active federal Title VI investigations opened since Oct. 7, just eight are focused on incidents in K-12 schools — including at three of the nation’s 10 largest districts. Among them are the New York City Department of Education, the Clark County School District in Las Vegas, Hillsborough County Schools in Tampa, Florida, and the Cobb County School District in suburban Atlanta.

Though the circumstances prompting the investigations remain unknown, many of the institutions included on the Education Department’s list of active investigations have experienced high-profile incidents involving discrimination. 

In New York City, a raucous, and prompted a lockdown after a teacher posted a picture of herself at a pro-Israel rally on social media. Also turning to social media, one student said the teacher “is going to be executed in the town square,” and another promoted “a riot” against her. 

In suburban Atlanta, the Cobb County School District sparked controversy following the Hamas attack to the school community that warned of an “international threat,” noting that “while there is no reason to believe this threat has anything to do with our schools, parents can expect both law enforcement and school staff to take every step to keep your children safe.” Because of the message, several Muslim parents said their children had become the targets of Islamophobic bullying. 

In , the civil rights office highlighted hypothetical instances that put school districts at odds with their Title VI obligations. Among them: A Jewish student is targeted by his peers with swastikas and Nazi salutes but his teacher tells him to “just ignore it” without taking steps to address the harassment. Another example involves school officials failing to remedy a Muslim student’s complaints that she was called a “terrorist” and told “you started 9/11.”

Even before the most recent conflict between Hamas and Israel, law enforcement agencies across the U.S. have reported an uptick in hate crimes over the last several years, including on campuses. 

Reported hate crimes surged 7% between 2021 and 2022, released by the Federal Bureau of Investigation in October, including a 36% increase in anti-Jewish incidents — which accounted for more than half of incidents based on religion. Among all reported hate crimes, 10% occurred at K-12 schools and colleges.

The Education Department last month released its most recent Civil Rights Data Collection, the first since the pandemic. Students reported 42,500 harassment allegations during the 2020-21 school year, including bullying on the basis of sex, race, sexual orientation, disability and religion. Of those, 29% involved harassment or bullying on the basis of race while only a sliver — 3% — involved students saying they were targeted because of their religion. 

The current climate has put Jewish college students on edge, according to , a nonprofit focused on eradicating antisemitism. Since the beginning of the academic year, 73% of Jewish college students said they’ve been witness to antisemitism. Prior to this school year, 70% reported experiencing antisemitism throughout their entire college experience. Yet just 30% of Jewish college students said their college administration has taken sufficient steps to address anti-Jewish prejudice. 

During a televised interview on MSNBC Friday, Jonathan Greenblatt, the national director and CEO of the Anti-Defamation League, said he thought conditions would improve on college campuses for Jewish students because the Title VI investigations now being launched by the Education Department would force college administrators to take action. 

Muslim Americans of all ages have similarly . In a two-week period between Oct. 7 and Oct. 24, reports of bias incidents and requests for help at the Council on American-Islamic Relations surged 182% from the average 16-day period in 2022. 

As lawmakers call on school leaders to take a stronger stance against hate speech, they’ve faced pushback from free speech advocates. Earlier this month, New York of “aggressive enforcement action” if they failed to discipline students “calling for the genocide of any group of people.” In a statement, the Foundation for Individual Rights in Education, a right-leaning nonprofit focused on students’ free speech rights, said Hochul’s admonition “cannot be squared with the First Amendment.”&�Բ�����; 

“Colleges and universities can and should punish ‘calls for genocide’ when such speech falls into one of the narrowly defined categories of unprotected speech, including true threats, incitement and discriminatory harassment,” the group said in the statement. “But broad, vague bans on ‘calls for genocide,’ absent more, would result in the censorship of protected expression.”

The senior Education Department official said that schools must “navigate carefully” their obligations under Title VI and the First Amendment. Even if a student’s speech is protected, the official said, school leaders still have an obligation to uphold all students’ nondiscrimination rights.

“What concerns me is when a school community throws up its hands and says, ‘This speech is protected and so there’s nothing more for us here,’” said Lhamon, the assistant secretary for civil rights. “That may be true, but that’s only true where a hostile environment isn’t created that the school needs to respond to.”

It was early August when teacher Heather Vidrine first heard about a cyberattack on her former school district in St. Landry Parish, but she didn’t think much about it — even after her Facebook got hacked. 

Now, she’s left to wonder whether the two are connected. 

Her Social Security number and other personal information were stolen in a ransomware attack against her former employer, the St. Landry Parish School Board, an investigation by ���˶��� and The Acadiana Advocate revealed. The reporting included a data analysis by ���˶��� of some 211,000 files that a cybercrime syndicate leaked online in August after the district refused to pay a $1 million ransom. 

The some 63 miles west of Baton Rouge told the public in August that its hacked computer servers did not contain any sensitive employee or student information, but the stolen files analysis tells a different story. 

Four months after the attack, the joint investigation revealed that Vidrine was among thousands of students, teachers and business owners who had their personal information exposed online. More than a dozen victims said they were similarly unaware those details were readily available, leaving them vulnerable to identity theft.

The number of cyberattacks on K-12 school districts and breaches of their sensitive student and employee data have reached critical levels — enough to prompt the Biden White House to convene an August summit on how to tackle the threat — and in multiple instances, districts have been accused of withholding information from the public.

“They want to brush everything under the rug,” said Vidrine, who worked for St. Landry schools for eight years before leaving in 2021. “The districts don’t want bad publicity.”

Among the district’s breached documents are thousands of health insurance records with the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records including home addresses and special education status.

A failure to notify families and educators such personal information was leaked, experts said, could run afoul of Louisiana’s data breach notification rules.

and other entities notify affected individuals “without unreasonable delay,” 60 days after a breach is discovered. 

Breached entities that fail to alert the state attorney general’s office within 10 days of notifying affected individuals can face fines up to $5,000 for every day past the 60-day mark. 

The St. Landry district discovered the cyberattack in late July and reported it to state police and the media within days. District administrators dispute that the hack led to a breach of sensitive information, but also acknowledged last week they haven’t taken steps to understand the scope of what was stolen or to notify individual victims. 

In some circumstances, entities can delay their notice to victims if doing so could compromise the integrity of a police investigation, and law enforcement sources confirmed an active criminal probe. , the state attorney general’s office must approve such disclosure delays. 

Reporters filed a public records request with the state attorney general’s office Oct. 23 asking for any breach notices from the St. Landry district. The office responded Nov. 2 that the request did not yield any results, indicating such a disclosure was never made. The office didn’t respond to further questions about whether it was looking into St. Landry’s apparent failure to file a breach notice or if the district had requested an extension on its notification obligations based on the ongoing state police investigation.

As time drags on, breach victims remain unprotected and unaware of their heightened risk of identity theft. James Lee, the chief operating officer of California-based said a four-month delay is “a long time to not notify somebody of that level of sensitive information.”

“Because the school district hasn’t issued a notice, then it’s hard to know exactly what happened and why,” Lee said. “That’s important because that also leads you to, ‘Well, what does the individual need to do to protect themselves now that their information has been exposed?’”

‘Double extortion’

Ransomware attacks have become a growing threat to U.S. schools and breaches in some of the largest districts have attracted scrutiny. But experts said that small- and mid-sized districts are even more vulnerable to attacks and leaders there face political pressures that could lead them to downplay their far-reaching consequences. 

The first indication of a problem with St. Landry’s computer network came in late July, when an employee in the district’s central office reported spyware on their device, Superintendent Milton Batiste III said in August following the attack.

The ransomware group Medusa, believed by cybersecurity experts to be Russian, has taken credit for the St. Landry Parish leak. The syndicate has leveled multiple school district attacks, including a massive breach in Minneapolis earlier this year.

A district spokesperson confirmed last week that it refused to pay the ransom, in line with what federal law enforcement advises. By mid-August, the trove of stolen files was publicized on a website designed to resemble a technology news blog — a front of sorts — and became available for download on Telegram, an encrypted social media platform that’s been used by terror groups and extremists. 

The threat actors appeared to employ a tactic that’s grown in popularity in recent years called “double extortion.” Hackers gain access to a victim’s computer networks, often through phishing emails, download compromising records and lock them with encryption keys. Criminals then demand the victim pay a ransom to regain access. When victims fail or refuse to pay, the files are published online for anyone to exploit. 

Current and former students were affected by the attack, though the number of exposed records that contain personal information about young people is far narrower than those of current and former district staff. 

One St. Landry mother, who is also a district employee, was outraged when she learned that her son’s information was leaked — especially because he hasn’t attended a district public school for two years. The woman, who asked not to be identified for fears she could lose her job, was livid that the district had claimed employee and student records had been kept safe. She said she was offered free credit-monitoring services after a recent cyberattack on the state Office of Motor Vehicles led to a statewide data breach. 

“If they’re lying about it and our information did get out there, then that’s a whole other situation,” she said. “They’re telling all their employees all of our information did not get messed with.”&�Բ�����;

She implored district leaders to notify the parents of children who had their information exposed, including those whose kids are no longer in the school system. If she had known her 17-year-old son was caught up in the breach, she said, she could have already taken steps to protect him.

District officials said they were unaware of the extent of the breach. Tricia Fontenot, the district’s supervisor of instructional technology, said after notifying state police about the attack the board was never told the nature of the data that was stolen or if any data was stolen at all. She said when the board asked state police for updates, it was told an active investigation was in progress and no information could be released. It did not give a timeline for when its investigation would be completed.

“We never received reports of the actual information that was obtained,” she said. “All of that is under investigation. We have not received anything in regards to that investigation.”

The board, Fontenot said, decided to “trust the process.”

As seen in other school district cyberattacks across the country, however, law enforcement’s responsibility is to try and apprehend the cybercriminals not to determine the extent of a breach or provide information needed to notify or protect district employees and students. That work is done by the school districts, who often hire cybersecurity consultants to help carry out those complex tasks.

Byron Wimberly, St. Landry’s computer center supervisor, maintained that the compromised servers had not been used to store personal information. He used the frequency of cyberattacks as grounds to question whether St. Landry was the source of the breached data.

“You know how many people get hacked a year? Can you point that to the school board 100%?” Wimberly said.

However, evidence that the leaked sensitive data is a result of the July cyberattack is overwhelming, namely the more than 200,000 files posted to Telegram that link back to St. Landry schools. In fact, folders that were breached and uploaded to the web point in part to a central office clerk, who saved many of the most sensitive files to one of the least secured places: her computer’s desktop. 

The records identify more than 2,700 current and former St. Landry Parish students, including their full names, race and ethnicity, dates of birth, home addresses, parents’ phone numbers and login credentials for district technology. Spreadsheets listed students who were eligible for special education services and those who were classified as English language learners.

The health records that include Social Security numbers and other personally identifiable information for at least 13,500 people far exceed the number of individuals currently employed by the district. That’s because the records also encompass former employees, retirees and those who have since died, as well as their dependents, including spouses and children. Attached to the records are scanned copies of formal documents about major life events: Births, marriages, divorces and deaths. 

Thousands of people who have received retirement benefits from the school district had their full names published, along with Social Security numbers and health insurance premiums.

Also included are some 100,000 sales tax records for local and out-of-state companies that conducted business in St. Landry Parish, with affected individuals extending far beyond Louisiana borders. Local victims include the owners of a diner, a gun store and an artist who makes soap with goat milk. It also includes a metal pipe company in Alabama, an Indianapolis-based cannabis company and a senior official at Ring, the Amazon-owned surveillance camera company headquartered in Santa Monica, California.

Unlike most states, Louisiana lacks a central sales tax agency. Instead, there are 54 different collection agencies that range from sheriff’s offices to parish governments to school boards. St. Landry Parish’s sales tax collection office is overseen by the St. Landry Parish School Board. Louisiana schools’ is derived from sales taxes. 

Thousands of other files appeared to get captured at random: a limited set of files with student disciplinary records, a collection of wedding photographs, documentation for campus security cameras and artistic renderings of Jesus Christ.

Amelia Lyons, the co-owner of a St. Landry Parish glass business whose information was exposed, said a call from a reporter was the first time she had heard about the breach — a reality she called “alarming.”&�Բ�����;

“I feel like I should have gotten a more formal notification about this,” Lyons said.

‘A soft target’

The St. Landry Parish breach is part of a disturbing increase in cyberattacks targeting school districts nationally in the past few years, with victims ranging from rural school systems to those in major metropolitan areas such as Los Angeles, Las Vegas, Minneapolis and suburban Washington, D.C. 

Ransomware in the past year alone, according to a recent report by the nonprofit Institute for Security and Technology. Earlier this year, hackers waged attacks on seven Louisiana colleges over four months, among them Southeastern Louisiana University, which also with the public. 

It’s also not the first time St. Landry schools have fallen victim. , the school board took its system offline for at least two weeks following a similar cyberattack.

While hacker groups have grown more sophisticated, school districts routinely maintain outdated technology and lack expertise and dedicated staff to thwart threats, said Kenny Donnelly, executive director of the Louisiana Cybersecurity Commission, which was created to help schools and other entities bolster their defenses. As a result, schools are “low-hanging fruit,” said Donnelly, who said that educators should expect to see even more attacks in the coming years. 

“Educational entities are going to be a soft target,” he said. “If they’re not being hit, they’re going to be hit if they’re not doing the things they need to do to get their networks and their security in order.”&�Բ�����;

Still, experts say leaders at small and mid-sized districts are often surprised when they become the targets of international cybercriminals.

“They’re such a small fish in the ocean, (they think) why would anybody bother with them?” said Doug Levin, the national director of the nonprofit K12 Security Information eXchange. It’s improbable that hackers targeted St. Landry specifically, he said, and more likely that a district employee opened a spam email and clicked on a phishing link. 

“It’s a question of them throwing their fishing hook in the barrel … and just waiting to see who bites,” Levin said. “They don’t know who their next victim is going to be and they don’t really care.”&�Բ�����;

When a small- or medium-sized district takes the bait, the impact can be substantial because they’re often among their communities’ largest employers. In the roughly 80,000-resident St. Landry Parish, the breached health insurance records represent roughly 1 in 6 residents.

‘A cause of action’

Data breach victims who were contacted for this story said the district should have taken more proactive steps to notify them that their sensitive information had been stolen. 

“I just want (the district) to be professional,” said Vidrine, the former science teacher. “A notification that this happened: ‘We’re tending to it and you need to protect yourself. We made a mistake.’”

The district also faces risks of civil liability, said Chase Edwards, an associate law professor at the University of Louisiana at Lafayette. A failure to notify affected individuals is “what class actions are made of,” Edwards said.  

The school district has a duty to protect any private information they collect, Edwards said, and are both legally and ethically obligated to notify breach victims. 

About are the victims of identity theft each year, according to a recent report by the research firm Javelin. Social Security numbers and other personal information about children are , who can use the records to obtain credit cards and loans without detection for years. 

Because children don’t typically have credit cards, they also don’t receive credit reports that can alert them when something is amiss, Lee said. Dark-web marketplaces that sell personal information often put a premium on children’s Social Security numbers, which Lee said are primarily used by fraudsters to apply for jobs. Once victims learn they’ve been compromised, the problem “is not easy to address and can have lifelong impacts,” he said. 

Death certificates and obituaries included in the St. Landry breach present their own unique set of risks. Even after death, Social Security numbers and other personally identifiable information that can be mined from obituaries is valuable to criminals who carry out a type of identity theft known as “ghosting.”

‘The hacker of today’

People whose information may have been compromised should assume that identity theft criminals will try to use it nefariously and take steps to protect themselves, Lee said. Such criminals, he said, are often part of “very sophisticated networks” based overseas.

“It’s not the Hollywood version of somebody sitting in a dark room in a hoodie with a can of Red Bull and Twinkies,” Lee said. “That’s not the hacker of today. They’re not sitting in their parents’ basement. They’re in call centers in Dubai and in Cambodia and in North Africa.”

It’s important that potential victims freeze their credit, Lee said, and implement robust privacy protections on their online accounts, including two-factor authentication and unique login credentials stored in password managers.

A finance and technology executive whose information was compromised in the St. Landry breach knows firsthand the headaches that come with identity theft: Following a previous incident, he said, someone used his information to file a false tax return. 

The executive, who asked not to be named because he wasn’t authorized to speak with the press, has never stepped foot in St. Landry parish. Yet his data was exposed because his former employer conducts business there. Having stringent security measures in place offered him peace of mind, he said, when he learned from a reporter that his information had again been exposed. 

Fontenot said efforts to notify will begin when state police wrap up their investigation and that district leaders, including the school board attorney, will identify a course of action.

But St Landry should take immediate steps to protect breach victims — including a notification to the state cybersecurity commission, said Donnelly, its executive director. 

“That they didn’t notify us of this, it’s disappointing,” said Donna Sarver, a math teacher who worked for the district for three years before leaving in 2020. She and other victims, she said, now have to fend for themselves. 

“But it’s a poor parish and I don’t think they do anything unless they really, really have to.”

This story was supported by a grant from the Fund for Investigative Journalism.

“I’m so sorry to tell you this but unfortunately your private information has been leaked,” read the email, sent to Hecht in the middle of the night Oct. 25 from an account tied to a school district in California. Attached were PDFs with personal information about her daughters including their names, photographs and the home address where they’d just spent the night asleep. 

“Be careful out there,” the cryptic message warned. “Don’t shoot the messenger!”

Some 200,000 similar student profiles had been leaked, the email claimed, following a recent cyberattack on Clark County School District, the nation’s fifth-largest district and where Hecht’s three daughters are enrolled. But the message, she’d soon learn, was not from a California student but from the student’s email account, which had also been compromised. An unidentified, publicity-hungry hacker was using it as a “burner” account to brazenly extort Clark County schools by frightening district parents directly.

“I put my child on the bus and then immediately called the district,” Hecht told ���˶���. “I called the school, they transferred me to the district, the district transferred me to their IT department, who then transferred me to the help desk. I have yet to hear anything back.”

The Clark County threat actors claim their in-your-face tactics, which apparently involve not just direct outreach to parents, but also to media outlets, is already being used against at least one other district. Also distinct from other recent K-12 ransomware attacks, including high-profile incidents in Los Angeles and Minneapolis, the Vegas school district hackers claimed to use weak passwords — in this case students’ dates of birth — and flimsy Google Workspace file-sharing practices. Deploying those relatively low-tech incursions allowed them to gain access to reams of sensitive files, including students’ special education records. 

Schools nationwide rely heavily on Google Workspace to create, and share records and the methods the hacker used to exploit district systems, a cybersecurity expert said, offer valuable lessons for all of them. 

“This is not going to qualify as sophisticated hacking,” said Doug Levin, the national director of the K12 Cybersecurity Information eXchange, and is perhaps a sort of brand-building exercise. “Given that they reached out to the media” and have demanded payments smaller than those typically leveraged by ransomware gangs, “it seems they may be more interested in publicity and reputation than they are money.”

For Las Vegas educators, the hack has already brought significant consequences, including a class-action lawsuit and to resign. 

Clark County school leaders on Oct. 16 that they became aware of a “cybersecurity incident” on Oct. 5, noting in that it was “cooperating with the FBI as they investigate the incident” and that such attacks against schools have become routine. “Rest assured that we will share information as it becomes available so everyone is informed and can respond to protect personal information.”

When contacted by ���˶���, a Clark County spokesperson declined to comment further and shared a copy of the district’s previous statement. 

Yet as Hecht and others accuse the district of failing to inform parents about the extent of records stolen, much of the information being revealed about the data breach has come from the threat actor themselves, including taunts that they were still in Clark County’s computer systems. In two follow-up emails shared with ���˶���, Hecht was sent web links that purportedly included troves of sensitive information about students including disciplinary records and test scores. 

In an Oct. 26 message to Hecht, threat actors this time used a Clark County student’s email address “to show how much of a joke their IT security is and to show how seriously they are taking this.”&�Բ�����;

Beyond outreach to parents, the hacker — which could be one or multiple people — on Oct. 25 without solicitation, first communicating with a reporter via Facebook. Identifying themselves as “SingularityMD (the hacker team),” the threat actor disputed Clark County’s statement that it had detected “a security issue” on its own and that district leaders had only become aware after the hackers sent an email “to tell them we had been in their network for a few months.”&�Բ�����;

A hack with TikTok origins

Perhaps between the hacker and a cybersecurity researcher at the blog DataBreaches.net, where the threat actor divulged their techniques and offered advice on how other districts can protect themselves. 

In recent years, cybercriminals have gravitated toward “double-extortion ransomware” schemes, where they gain access to a victim’s computer network, often through a download compromising records and lock the files with an encryption key. Criminals then demand the victim pay a ransom to unlock the files and stop them from being posted online. Yet in this case, the threat actors appear to have skipped past the first part and are employing an extortion strategy that centers exclusively on holding students’ sensitive information hostage. 

For years, the 325,000-student Clark County district, whose systems were also breached in 2020, has reportedly reset all students’ passwords to their birth date at the beginning of each academic year. Using a student’s date of birth as a password has . In the case of Las Vegas schools, hackers claim the breach began on TikTok, where a student shared their birth date. The student used their district email address to create a TikTok account and their student ID became their username on the social media platform. 

Once the hacker used that information to compromise the student’s account, they claim to have exploited poor data-sharing practices in the district’s Google Workspace to access the sensitive files. The compromised account was used to access information available to any student, which in turn offered records that allowed the hacker to escalate the breach until they were able to access administrative files. 

“Google groups and google drives, if not configured correctly will expose teachers and staff files and conversations,” the hacker told DataBreaches.net. “In rare instances teachers have created shared drives and given the google group access to this drive. So if one was to add themselves to the group, they can then also access the drive contents. Nothing fancy at all.”

Schools are particularly easy targets because so many students have access to a district’s computer network, the hacker noted, with a word of advice: “I would recommend school districts separate the student network from the teacher network to make this process harder for teams like us.”&�Բ�����;

The same technique, , was used recently to compromise records maintained by Jeffco Public Schools in suburban Denver. In Nevada, SingularityMD says it demanded a ransom of roughly $100,000 versus just $15,000 from the 77,000-student Colorado district.

Federal law enforcement officials generally advise cybersecurity victims against paying ransoms, which can embolden hackers and spur future attacks. In the last year, ransomware attacks against the , according to a recent report by the nonprofit Institute for Security and Technology, which observed an uptick in incidents immediately after hackers succeeded in securing payments. 

Levin said the hacker’s breach methods should set off alarm bells for educators nationwide, with “virtually every school in the U.S.” relying on cloud-based suites, like Google Workspace, to create and share content internally, with parents and with the public. 

“It’s very easy to overshare information and grant rights for people who shouldn’t be able to see this information,” Levin said. “That’s what it looks like happened in Clark County is they got access to some student accounts, found some shared folders and in the shared folders was more sensitive information that allowed them to escalate privileges and get to even more sensitive information.”&�Բ�����;

Google spokesperson Ross Richendrfer said in an email that as districts become “a top target” for cybercriminals, “there’s not just one way that attackers attempt to infiltrate schools.” This particular incident, he said, was “the result of compromised passwords and configuration issues at the user/admin level.”&�Բ�����;

He pointed to the company’s , which notes that while Google products “are built secure by default, it is critical that admins also properly use and configure networks and systems to ensure security.” The guidance also recommends that districts train teachers and staff on best practices around file sharing. 

In response to an email request, a Jeffco Public Schools spokesperson shared acknowledging the breach, which noted that staff members had received “alarming email messages from an external cybersecurity threat actor.” The district is working with outside cybersecurity experts and the police to determine the scope and credibility of the attack. 

With respect to the emails from the California student, it appears the hacker used a compromised account associated with the roughly 4,440-student Coalinga-Huron Unified School District in Fresno County merely to communicate with other victims. The threat actor said that compromised student email addresses are used as “burner accounts” when they are not useful in escalating permissions beyond the student level. 

Still, the district has conducted an assessment of its systems to ensure that it also hasn’t become the victim of a data breach, Superintendent Lori Villanueva told ���˶���. She said the student’s email address was used to send four emails, which were then deleted. 

“We canceled that email account, we set up a new one for the student, and we’re just running our own diagnostics to make sure there was no other unusual activity,” Villanueva said. Allowing students to choose their own passwords can have drawbacks, she said, if they settle on weak credentials. “My people have been in contact with the Clark County school district and are trying to cooperate with them as much as we can but we’re really limited to that one tiny piece of information.”&�Բ�����;

Never before had she experienced an incident where a student’s email address was compromised and exploited in such a major way, she said. 

“Nothing this widespread, nothing in another state, nothing this big,” she said. “For our little neck of the woods here, this was a little crazy.”&�Բ�����;

Reputational damage

For Hecht, the Las Vegas mom, the cyberattack in Clark County is deeply personal. In fact, she has a hypothesis about why she, in particular, received direct communication from the hackers. 

In 2021, of numerous news reports when she contracted COVID and never recovered. 

“The only thing I can think of is somebody knows that I’m not quiet, that I will talk,” she said. If the hacker’s goal was to get Hecht fired up, it worked. The district, she said, needs to be held accountable for a failure to protect her children. Still, she said she hasn’t been able to get any answers from school administrators. 

“I’ve emailed the superintendent and I just continue to call that helpline,” she said “Nothing. Nobody has responded. I can’t even get through, it just rings and rings and rings. To me, that tells me there are so many parents calling.”

Hecht said she has since retained a lawyer, and a pair of other parents have already filed a class-action lawsuit against the district. The Oct. 31 complaint accuses Clark County schools of negligence, particularly in the wake of the 2020 ransomware attack. The lawsuit alleges the district has refused “to fully disclose any details of the attack and what data were accessed and were available for third parties to exploit.”&�Բ�����;

“We think the district should be held accountable for their failures and ideally they will be able to make a more secure network in the future and anyone who has been subject to these data breaches will get the proper identity protection provided by the district at a minimum,” attorney Steve Hackett, who represents the families, told ���˶���.

Among those calling for Superintendent Yara to resign is Nevada Assembly Speaker Steve Yeager, who with nontransparency.

In an email, a district spokesperson said that individuals found to be affected by the breach will receive data breach notifications in the mail and declined to comment on whether it had, or planned to, pay the ransom. The after the 2020 breach led hackers to release Social Security numbers, student grades and other private information. 

“As the investigation continues, we are committed to cooperating with agencies responsible for finding the responsible party and holding them accountable,” the statement said. 

The district also offered a sharp rebuttal to calls for Jara’s resignation, specifically referring to with the local teachers union: “Superintendent Jara will remain superintendent as long as the Board of Trustees desires him to do so,” the statement continued “No bullying pressure, harassment or coordination with the leadership of the Clark County Education Association will deter him from his job to educate over 300,000 students and protect taxpayer resources from those who wish to harm the district or its finances.”&�Բ�����;

Hecht said the release of sensitive files, like medical records and special education reports, is particularly concerning, with implications extending far beyond those of Social Security numbers and financial records. She offered a message of her own directly to the hackers. 

“It worries me because this stuff is going to follow them for life,” she said. “Look, I know that our district is not great, but if you’re going to go against the district, don’t take our kids down with you. They did nothing wrong.”

As artificial intelligence rapidly expands its presence in classrooms, President Biden signed an executive order Monday requiring federal education officials to create guardrails that prevent tech-driven discrimination. 

The , which the White House called “the most sweeping actions ever taken to protect Americans from the potential risks of AI systems,” offers several directives that are specific to the education sector. The order dealing with emerging technologies like ChatGPT directs the Justice Department to coordinate with federal civil rights officials on ways to investigate discrimination perpetuated by algorithms. 

Within a year, the education secretary must release guidance on the ways schools can use the technology equitably, with a particular focus on the tools’ effects on “vulnerable and underserved communities.” Meanwhile, an Education Department “AI toolkit” released within the next year will offer guidance on how to implement the tools so that they enhance trust and safety while complying with federal student privacy rules. 

For civil rights advocates who have decried AI’s potentially unintended consequences, the order was a major step forward. 

The order’s focus on civil rights investigations “aligns with what we’ve been advocating for over a year now,” said Elizabeth Laird, the director of equity and civic technology at the nonprofit Center for Democracy and Technology. Her group has called on the Education Department’s Office for Civil Rights to open investigations into the ways AI-enabled tools in schools could have a disparate impact on students based on their race, disability, sexual orientation and gender identity. 

“It’s really important that this office, which has been focused on protecting marginalized groups of students for literally decades, is more involved in conversations about AI and can bring that knowledge and skill set to bear on this emerging technology,” Laird told ���˶���. 

In to federal agencies on Wednesday, the Office of Management and Budget spelled out the types of AI education technologies that pose civil rights and safety risks. They include tools to detect student cheating, monitor their online activities, project academic outcomes, make discipline recommendations or facilitate surveillance online and in-person.  

An Education Department spokesperson didn’t respond to a request for comment Monday on how the agency plans to respond to Biden’s order. 

Schools nationwide have adopted artificial intelligence in divergent ways, including in to provide students individualized lessons and with the growing use of chatbots like ChatGPT by both students and teachers. It’s also generated heated debates over technology’s role in exacerbating harms to at-risk youth, including educators’ use of early warning systems that mine data about students — including their race and disciplinary records — to predict their odds of dropping out of school. 

“We’ve heard reported cases of using data to predict who might commit a crime, so very Minority Report,” Laird said. “The bar that schools should be meeting is that they should not be targeting students based on protected characteristics unless it meets a very narrowly defined purpose that is within the government’s interests. And if you’re going to make that argument, you certainly need to be able to show that this is not causing harm to the groups that you’re targeting.”&�Բ�����;

AI and student monitoring tools

An unprecedented degree of student surveillance has also been facilitated by AI, including online activity monitoring tools, remote proctoring software to detect cheating on tests and campus security cameras with facial recognition capabilities. 

Beyond its implications on schools, the Biden order requires certain technology companies to conduct AI safety testing before their products are released to the public and to provide their results to the government. It also orders new regulations to ensure AI won’t be used to produce nuclear weapons, recommends that AI-generated photos and videos be transparently identified as such with watermarks and calls on Congress to pass federal data privacy rules “to protect all Americans, especially kids.”

In September, The Center for Democracy and Technology released a report that warned that schools’ use of AI-enabled digital monitoring tools, which track students’ behaviors online, could have a disparate impact on students — particularly LGBTQ+ youth and those with disabilities — in violation of federal civil rights laws. As teachers punish students for using ChatGPT to allegedly cheat on classroom assignments, a survey suggested that children in special education were more likely to face discipline than their general education peers. They also reported higher levels of surveillance and subsequent discipline as a result. 

In response to the report, a coalition of Democratic lawmakers penned a letter urging the Education Department’s civil rights office to investigate districts that use digital surveillance and other AI tools in ways that perpetuate discrimination. 

Education technology companies that use artificial intelligence could come under particular federal scrutiny as a result of the order, said consultant Amelia Vance, an expert on student privacy regulations and president of the Public Interest Privacy Center. The order notes that the federal government plans to enforce consumer protection laws and enact safeguards “against fraud, unintended bias, discrimination, infringements on privacy and other harms from AI.”&�Բ�����;

“Such protections are especially important in critical fields like healthcare, financial services, education, housing, law and transportation,” the order notes, “where mistakes by or misuse of AI could harm patients, cost consumers or small businesses or jeopardize safety or rights.”

Schools rely heavily on third-party vendors like education technology companies to provide services to students, and those companies are subject to Federal Trade Commission rules against deceptive and unfair business practices, Vance noted. The order’s focus on consumer protections, she said, “was sort of a flag for me that maybe we’re going to see not only continuing interest in regulating ed tech, but more specifically regulating ed tech related to AI.”

While the order was “pretty vague when it came to education,” Vance said it was important that it did acknowledge AI’s potential benefits in education, including for personalized learning and adaptive testing. 

“As much as we keep talking about AI as if it showed up in the past year, it’s been there for a while and we know that there are valuable ways that it can be used,” Vance said. “It can surface particular content, it can facilitate better connections to people when they need certain content.”&�Բ�����;

AI and facial recognition cameras

As school districts pour billions of dollars into school safety efforts in the wake of mass school shootings, security vendors have heralded the promises of AI. Yet civil rights groups have warned that facial recognition and other AI-driven technology in schools could perpetuate biases — and could miss serious safety risks. 

Just last month, the gun-detection company Evolv Technology, which pitches its hardware to schools, acknowledged it was the subject of a Federal Trade Commission inquiry into its marketing practices. The agency is reportedly probing whether the company employs artificial intelligence in the ways that it claims. 

In September, New York became the first state to , a move that followed outcry when an upstate school district announced plans to roll out a surveillance camera system that tracked students’ biometric data. 

A new Montana law bans facial recognition statewide with one notable exception — . Citing privacy concerns, the law adopted this year prohibits government agencies from using facial recognition, but with a specific carveout for schools. One rural education system, the 250-student Sun River School District, employs a 30-camera security system from Verkada that uses facial recognition to track the identities of people on its property. As a result, the district has a camera-to-student ratio of 8-to-1. 

In an email on Wednesday, a Verkada spokesperson said the company is in the process of reviewing Biden’s order to understand its implications on the company.

Verkada offers a cautionary tale about the potential security vulnerabilities of campus surveillance systems. In 2021, the company suffered a massive data breach and hackers claimed to expose the live feeds of 150,000 surveillance cameras — including those in place at Sandy Hook Elementary School in Newtown, Connecticut, the site of a mass shooting in 2012. A conducted on behalf of the company found the breach was more limited, affecting some 4,500 cameras.

Hikvision has similarly made inroads in the school security market with its facial recognition surveillance cameras — including during a pandemic-era push to enforce face mask compliance. Yet the company, owned in part by the Chinese government, has also faced significant allegations of civil rights abuses and in 2019 was placed on a U.S. trade blacklist after being implicated in the country’s “campaign of repression, mass arbitrary detention and high-technology surveillance” against Muslim ethnic minorities. 

Though multiple U.S. school districts continue to use Hikvision cameras, a recent investigation found the company’s software despite claiming for years it had ended the practice.

 In an email, a Hikvision spokesperson didn’t comment on how Biden’s executive order could affect its business, including in schools, but offered a letter it shared to its customers in response to the investigation, saying an outdated reference to ethnic detection appeared on its website erroneously.

“It has been a longstanding Hikvision policy to prohibit the use of minority recognition technology,” the letter states. “As we have previously stated, that functionality was phased out and completely prohibited by the company in 2018.“

Data scientist David Riedman, who built a national database to track school shootings dating back decades, said that artificial intelligence is at “the forefront” of the school safety conversation and emerging security technologies can be built in ways that don’t violate students’ rights. 

Riedman became a figure in the national conversation about school shootings as the creator of the K12 School Shooting Database but has since taken on an additional role as director of industry research and content for ZeroEyes, a surveillance software company that uses security cameras to ferret out guns. Instead of using facial recognition, the ZeroEyes algorithm was trained to identify and notify law enforcement within seconds of spotting a firearm. 

The — as opposed to facial recognition — can “evade privacy and bias concerns that plague other AI models,” and internal research found that “only 0.06546% of false positives were humans detected as guns.”&�Բ�����;

“The simplicity” of ZeroEye’s technology, Riedman said, puts the company in good standing as far as the Biden order is concerned.

“ZeroEyes isn’t looking for people at all,” he said. “It’s only looking for objects and the only objects it is trying to find, and it’s been trained to find, are images that look like guns. So you’re not getting student records, you’re not getting student demographics, you’re not getting anything related to people or even a school per se. You just have an algorithm that is constantly searching for images to see if there is something that looks like a firearm in them.”

However, false positives remain a concern. Just last week at a high school in Texas, from ZeroEyes prompted a campus lockdown that set off student and parent fears of an active shooting. The company said the false alarm was triggered by an image of a student outside who the system believed was armed based on shadows and the way his arm was positioned. 

Publicly traded Evolv Technology acknowledged that the Federal Trade Commission had “requested information about certain aspects of its marketing practices” in last week, of its technology in promotions that could give customers, including schools, a false sense of security. 

Citing two anonymous sources, is the subject of an FTC investigation into whether its scanners — essentially next-generation metal detectors with a — employ artificial intelligence to identify weapons in the ways that it claims.

It’s unclear whether Massachusetts-based Evolv’s sales pitches to the education sector are part of the federal probe. An FTC spokesperson declined to comment Tuesday. In its Oct. 12 disclosure form with the Securities and Exchange Commission, and in a statement this week to ���˶���, Evolv said the company was “pleased to answer” regulators’ questions. 

“When Evolv receives inquiries from regulators, our approach is to be cooperative and educate them about our company,” the statement continued. “The company stands behind its technology’s capabilities and performance track record.”

The company has that it uses AI to scan for the unique “signatures” of tens of thousands of weapons, allowing it to distinguish “all the guns, all the bombs and all the large tactical knives” out there from everyday items like keys and laptops. 

Yet the — including its — has faced pushback for several years, particularly by IPVM, an independent security and surveillance industry research group that tests and evaluates products. Conor Healy, the group’s director of government research, said that false and misleading marketing claims have been “a pattern with the company” for years. Among the inaccurate assertions, he said, is that the tool “eliminates the friction” that students experience when they pass through security everyday. 

“That has been shown to be just simply not true at all,” Healy told ���˶��� this week. “There’s quite a lot of friction. The schools that we’ve looked at have .”&�Բ�����;

Districts have increasingly turned to “weapons detection” systems from Evolv and competing security vendors in response to fears of school shootings — anxiety that the company says “keeps both students and staff from doing their best work.”

Evolv “combines powerful sensor technology with proven artificial intelligence” to identify threats like guns in hundreds of U.S. schools. Capable of scanning more than 4,000 people an hour, Evolv says its devices are “10X faster than metal detectors,” and “help reduce opportunities for bias” by decreasing secondary screenings by humans.

Evolv extols the benefits of its scanners well beyond schools’ physical safety. While frequent false alarms by traditional metal detectors lead to “security anxiety” and “inconvenient delays,” according to the company’s website, Evolv scanners offer “a more effective and dignified solution, fostering a safer, more inclusive environment that bolsters academic achievement and staff retention.”&�Բ�����;

IPVM has accused the company of is 10 times faster than traditional metal detectors, and found the scanners . Meanwhile, IPVM has documented instances where false alarms were by water bottles, binders and laptops.

In a statement to Pennsylvania-based IPVM last month, Evolv said “we understand if any of our past statements appeared to generalize our capabilities,” which may violate an FTC rule that requires company claims to be evidence-backed. 

With AI a constant, if little understood, buzzword across many sectors right now, the FTC in February the capabilities of their artificial intelligence offerings, adding that “false or unsubstantiated claims about a product’s efficacy are our bread and butter.”&�Բ�����;

“The minute you hear the word AI in marketing, alarm bells should go off in your head,” said Healy, whose group has also done and the routinely installed in schools. 

“As far as [Evolv’s] artificial intelligence goes, it does not appear to be very intelligent,” he said, because it routinely fails to differentiate everyday school supplies like Chromebooks from weapons like guns. “What AI is actually in the system? That is something that Evolv has not told us very much about.”&�Բ�����;

Evolv has resisted calls to disclose additional information about the ways its scanners function. While scanners’ sensitivity settings can alter their performance, a company spokesperson previously told ���˶��� that publicly sharing information about those settings “is irresponsible and puts people at greater risk.”&�Բ�����;

“We must assume any published information regarding details of a physical screening system will be studied and leveraged by a bad actor seeking to do harm,” the statement continued. The company declined to comment on the false alarm rates reported by its customer districts, which include ,, and

 “Our systems are designed to detect many types of weapons and components of weapons, but there is no perfect solution that will stop 100% of threats, including ours, which is why security must include a layered approach that involves people, process and technology.”&�Բ�����;

Knives became a point of conflict last year after the school district in Utica, New York, spent nearly $4 million to install Evolv scanners across 13 of its campuses. The scanners were ultimately removed after a student was stabbed multiple times with a knife during a fight in a high school hallway. The knife-wielding student had passed through an Evolv scanner with the blade in his backpack, a later investigation revealed. 

While the detectors had false alarms, including on a student’s lunch box, an Evolv scanner failed to alarm when an off-duty police officer accidentally brought a service revolver to a Utica district open house.

Meanwhile, in Buffalo, New York, Evolv scanners were credited for keeping a high school safe. Earlier this month, an to a criminal weapons possession charge after he was caught trying to bring a handgun into a high school. A school security officer reportedly found the disassembled “ghost gun” in the teenager’s backpack as he passed through a weapons detector. Buffalo schools earlier this year. A Buffalo schools spokesperson declined to comment.

As companies increasingly market products with artificial intelligence capabilities to schools, school security consultant Kenneth Trump predicts — or at least hopes — that regulation is imminent. He pointed to new rules in . The ban was adopted after an upstate school district’s decision to install surveillance cameras with facial recognition capabilities prompted an outcry. 

“The marketing claims are so off the charts by many vendors that there’s really no chance for the average school administrator to know what’s true, what’s false and really the gaps and the limitations that these products have,” said Trump, president of Cleveland-based National School Safety and Security Services. Though he expects regulators to soon reign in security companies, “up until that happens, how many school districts are going to fall victim to questionable marketing and grandiose ideas that don’t come to fruition?”

, the coalition expressed concerns that AI-enabled student monitoring tools could foster discrimination against marginalized groups, including LGBTQ+ youth and students with disabilities. The Education Department’s Office for Civil Rights should issue guidance on the appropriate uses of emerging classroom technologies, the lawmakers wrote, and crack down on practices that run afoul of existing federal anti-discrimination laws. 

“While the expansion of educational technology helped facilitate remote learning that was critical to students, parents and teachers during the pandemic,” the lawmakers wrote, “these technologies have also amplified student harms.”&�Բ�����;

Lawmakers asked the Education Department’s civil rights office whether it has received complaints alleging discrimination facilitated by education technology software and whether it has taken any enforcement action related to potential civil rights violations. 

The letter comes in response to a recent national survey of educators, parents and students, the findings of which suggest that schools’ use of digital tools to monitor children online have based on their race, disability, sexual orientation and gender identity. The survey, conducted by the nonprofit Center for Democracy and Technology, found that while activity monitoring has become ubiquitous in schools and is intended to keep students safe, it’s used regularly as a discipline tool and routinely brings youth into contact with the police.

Findings from the CDT survey, lawmakers wrote, “raise serious concerns about the application of civil rights laws to schools’ use of these technologies.” Letter signatories include Democratic Reps. Lori Trahan of Massachusetts, Sara Jacobs of California, Hank Johnson of Georgia, Bonnie Watson Coleman of New Jersey and Adam Schiff of California. Trahan, who serves on the House Energy and Commerce Committee’s Innovation, Data and Commerce Subcommittee, has previously called for tighter student data privacy protections in the ed tech sector. 

The monitoring tools, such as those offered by for-profit companies GoGuardian and Gaggle, rely on artificial intelligence to sift through students’ online activities and flag school administrators — and sometimes the police — when they discover materials related to sex, drugs, violence or self-harm. 

Two-thirds of teachers reported that a student at their school was disciplined as a result of activity monitoring and a third said they know a student who was contacted by the police because of an alert generated by the software. 

Children with disabilities were more likely than their peers to report being watched, and special education teachers reported heightened rates of discipline as a result of activity monitoring. The findings, researchers argue, that entitle children with disabilities equal access to an education. Even beyond the technologies, students with disabilities are subjected to disproportionate levels of school discipline, including restraint and seclusion, when compared to their general education peers. 

Half of all students said their schools responded fairly to alerts generated by monitoring software, a sentiment shared by just 36% of LGBTQ+ youth. In fact, LGBTQ+ youth were more likely than their straight and cisgender peers to report that they or someone they know was disciplined as a result of monitoring. And nearly a third of LGBTQ+ youth reported that they or someone they know was outed because of the technology. 

More than a third of teachers said their school monitors students’ online behaviors outside of school hours — and sometimes on their personal devices. 

In a similar student survey, released this month by the American Civil Liberties Union, a majority of respondents expressed worries that the monitoring tools — despite being designed to keep them safe — could actually cause harm and a third said they “always feel” like they’re being watched. 

���˶��� has reported extensively on schools’ use of digital surveillance tools to monitor students’ online behaviors, and the tools’ implications for youth civil rights. The company Gaggle previously flagged to administrators student communications that referenced LGBTQ+ keywords like “gay” and “lesbian.” The company says it halted the practice last year in the wake of pushback from civil rights activists. 

Given the survey findings, the lawmakers urged the Education Department to clarify “how educators can fulfill their civil rights obligations” as they develop policies related to artificial intelligence, whose rapidly evolving role in education more broadly — including students’ use of tools like ChatGPT — has become a topic of debate. 

“This research is particularly concerning due to linkages between school disciplinary policies and incarceration rates of our nation’s youth,” the coalition wrote, adding concerns that the tools can create hostile learning environments. 

Reeled in by deceptive, fear-based marketing and an influx of federal cash, school leaders have purchased and pervasively deployed student surveillance tools while failing to consider their detrimental consequences to young people’s civil rights, a new ACLU report concludes. 

In a youth survey accompanying the , a majority of students expressed worries that the tools — designed to keep them safe — could actually cause harm and a third said they “always feel” like they’re being watched. 

The 61-page report, titled “Digital Dystopia,” also offers an in-depth look at the rise of schools’ reliance on surveillance technology over the last few decades, arguing the tools have failed to improve campus safety while subjecting students — particularly students of color and those who are undocumented, LGBTQ or from low-income households — to discrimination. 

“The ed tech surveillance companies, after fanning the flames of fear, were making these broad statements about the efficacy of their products, about their ability to keep students safe” from threats like school shootings and suicide, despite a lack of evidence to back up their claims, report lead author and ACLU senior policy counsel Chad Marlow told ���˶���. 

Rather than making kids safe, Marlow said, the tools could be damaging to their development and well-being. “The harm is actually significant and, by not acknowledging the harms that are caused, there’s less incentive to look at other interventions,” he said.

Three-quarters of students worry about at least one negative consequence of student surveillance, which includes the widespread proliferation of digital tools that monitor their online communications for references to sex, drugs, violence or self-harm, according to the online survey. Commissioned by the ACLU, the polling firm YouGov queried 502 teens throughout the country in October 2022. Nearly a quarter of respondents said that digital monitoring tools limit the resources they feel they can access online while a similar percentage worried the information collected about them could be shared with the police or be used against them in the future by a college or an employer. Some 27% feared the tools could be used for disciplinary purposes.

As a result, students alter their behaviors due to fears that “deviating from expectations is punishable in the world that they’re growing up in,” Marlow said. “What does that tell them about innovation or exploring new ideas?”

Survey findings , released last month by the nonprofit Center for Democracy and Technology, which found that while a majority of parents and students still embrace digital tools that monitor students’ online behaviors, their support has dwindled over the last year. 

Both reports identified detrimental effects of digital surveillance that researchers said run counter to federal civil rights laws that protect students from discrimination based on race, disability, sexual orientation or gender identity. 

In the student survey conducted by the Center for Democracy and Technology, researchers found that while districts bought digital monitoring tools to keep students safe, they are used regularly as discipline tools that routinely bring youth in contact with the police. LGBTQ+ youth and those with disabilities were significantly more likely to experience the harms of surveillance. For example, 65% of LGBTQ+ youth said they or someone they knew got into trouble due to online activity monitoring, compared to 56% of their straight and cisgender peers. Meanwhile, nearly a third of LGBTQ+ students said that they or someone they know has been “outed” by the technology.

In the absence of rigorous, independent research on the efficacy of school surveillance tools to improve campus safety, the ACLU report argues that schools are left to make purchasing decisions based on what the group called fear-based marketing tactics. Security companies hype the risks of school violence and student self-harm while overstating the utility of their products, the report says. Security industry lobbying efforts, meanwhile, have successfully steered hundreds of millions of dollars in government school safety spending toward unproven technologies. 

“It would be like going to buy a car and the only source of information is the car salesperson,” Marlow said. “That’s probably not the best way to make a car purchasing decision, but that’s what’s happening with student surveillance.”&�Բ�����;

The Security Industry Association, a trade group that represents security companies and lobbies on their behalf, didn’t immediately respond to a request for comment. 

The ACLU survey results suggest, however, that students have a complicated relationship with school surveillance: While recognizing its potential harms, many also believe it serves its intended purpose. Specifically, 40% of students reported that surveillance technology makes them feel “safe” and 43% said it makes them feel “protected.” Meanwhile, just 14% said it makes them feel “anxious” and a fraction of respondents, 7%, said the tools made them feel “unsafe.”&�Բ�����;

Marlow said this support may be the result, at least in part, of successful marketing and a belief that few other options exist. 

“​​When you talk about keeping students safe, I think students are smart enough to realize that in too many places in this country, gun control is off the table,” he said. “Because of the dominance of money and power of the ed tech surveillance industry,” that’s used in marketing and lobbying, “the discussion is almost entirely centered around, ‘Do we use or do we not use student surveillance technologies?’ while alternatives like mental health screenings fail to receive similar consideration. “In that option, between a highly questionable, harmful protection or nothing at all, no one wants to pick nothing at all.”&�Բ�����;

While the report focuses largely on digital tools that monitor students’ behaviors online, it also questions the efficacy of surveillance cameras in creating physical safety for students in schools. Cameras have become nearly ubiquitous, with them in the 2019-20 school year, according to the most recent data included in a U.S. Department of Education report released last month. 

Meanwhile, just 55% of schools offered students mental health assessments, according to the most recent federal data, and 42% offered mental health treatment services. 

Despite a sharp rise in schools’ reliance on surveillance and other tools in the last two decades, the number of school shootings has grown. 

There were a record 188 school shootings resulting in injuries or deaths in the 2021-22 school year, according to the federal report. That’s twice as many shootings on campus than the previous record — set just one year earlier. Placing security cameras in schools, Marlow argues, has failed to deter the very crimes they were installed to prevent. In an ACLU analysis of the 10 deadliest school shootings in the last two decades, for example, researchers found that surveillance cameras were present for eight, including in Parkland, Florida, and Uvalde, Texas. 

Along with scrutiny from researchers and civil rights groups, schools’ use of digital monitoring tools has led to several lawsuits alleging they’re ineffective and violate students’ civil liberties. 

In one class-action lawsuit, filed this year in California, the parents of two students claim the student surveillance company and sold the information to targeted advertising vendors without their knowledge or consent. 

A separate federal negligence lawsuit, filed in 2021 in Oklahoma, of being ineffective at keeping kids safe from self-harm. The lawsuit, filed by the parents of a 15-year-old boy who died by suicide, accuses the surveillance company and the state’s third-largest school district of failing to act on warning signs that could have prevented the teenager’s 2019 death. 

The student submitted a “personal odyssey” essay in his freshman English class that was riddled with references to self-harm and suicide, but his teacher failed to act, the complaint alleges, giving him a grade of 100%. The district used Gaggle to identify and flag troubling student digital communications, including references to self-harm and suicide. Yet the lawsuit alleges the company “failed to notify school administration” about the student’s warning signs, including the essay titled “Running Out of Reasons” and an email with a classmate where the two contemplated a plan to “go out at the same time.”

A Gaggle spokesperson didn’t immediately respond to a request for comment. Securly spokesperson Josh Mukai called the lawsuit “baseless and uninformed.”

“Securly has never sold student data to third parties, nor have we ever used student data to target advertisements,” Mukai said in an email. “Securly’s suite of student safety solutions upholds the highest standards for student data privacy and complies with all international, federal and state privacy regulations.”

Half of teachers say they know a student at their school who was disciplined or faced negative consequences for using — or being accused of using — generative artificial intelligence like ChatGPT to complete a classroom assignment, , a nonprofit think tank focused on digital rights and expression. The proportion was even higher, at 58%, for those who teach special education. 

Cheating concerns were clear, with survey results showing that teachers have grown suspicious of their students. Nearly two-thirds of teachers said that generative AI has made them “more distrustful” of students and 90% said they suspect kids are using the tools to complete assignments. Yet students themselves who completed the anonymous survey said they rarely use ChatGPT to cheat, but are turning to it for help with personal problems.

“The difference between the hype cycle of what people are talking about with generative AI and what students are actually doing, there seems to be a pretty big difference,” said Elizabeth Laird, the group’s director of equity in civic technology. “And one that, I think, can create an unnecessarily adversarial relationship between teachers and students.”&�Բ�����;  

Indeed, 58% of students, and 72% of those in special education, said they’ve used generative AI during the 2022-23 academic year, just not primarily for the reasons that teachers fear most. Among youth who completed the nationally representative survey, just 23% said they used it for academic purposes and 19% said they’ve used the tools to help them write and submit a paper. Instead, 29% reported having used it to deal with anxiety or mental health issues, 22% for issues with friends and 16% for family conflicts.

Part of the disconnect dividing teachers and students, researchers found, may come down to gray areas. Just 40% of parents said they or their child were given guidance on ways they can use generative AI without running afoul of school rules. Only 24% of teachers say they’ve been trained on how to respond if they suspect a student used generative AI to cheat. 

The results on ChatGPT’s educational impacts were included in the Center for Democracy and Technology’s broader annual survey analyzing the privacy and civil rights concerns of teachers, students and parents as tech, including artificial intelligence, becomes increasingly engrained in classroom instruction. Beyond generative AI, researchers observed a sharp uptick in digital privacy concerns among students and parents over last year. 

Among parents, 73% said they’re concerned about the privacy and security of student data collected and stored by schools, a considerable increase from the 61% who expressed those reservations last year. A similar if less dramatic trend was apparent among students: 62% had data privacy concerns tied to their schools, compared with 57% just a year earlier. 

Those rising levels of anxiety, researchers theorized, are likely the result of the growing frequency of cyberattacks on schools, which have become a primary target for ransomware gangs. High-profile breaches, including in Los Angeles and Minneapolis, have compromised a massive trove of highly sensitive student records. Exposed records, investigative reporting by ���˶��� has found, include student psychological evaluations, reports detailing campus rape cases, student disciplinary records, closely guarded files on campus security, employees’ financial records and copies of government-issued identification cards. 

Survey results found that students in special education, whose records are among the most sensitive that districts maintain, and their parents were significantly more likely than the general education population to report school data privacy and security concerns. As attacks ratchet up, 1 in 5 parents say they’ve been notified that their child’s school experienced a data breach. Such breach notices, Laird said, led to heightened apprehension. 

“There’s not a lot of transparency” about school cybersecurity incidents “because there’s not an affirmative reporting requirement for schools,” Laird said. But in instances where parents are notified of breaches, “they are more concerned than other parents about student privacy.”&�Բ�����;

Parents and students have also grown increasingly wary of another set of education tools that rely on artificial intelligence: digital surveillance technology. Among them are student activity monitoring tools, such as those offered by the for-profit companies Gaggle and GoGuardian, which rely on algorithms in an effort to keep students safe. The surveillance software employs artificial intelligence to sift through students’ online activities and flag school administrators — and sometimes the police — when they discover materials related to sex, drugs, violence or self-harm. 

Among parents surveyed this year, 55% said they believe the benefits of activity monitoring outweigh the potential harms, down from 63% last year. Among students, 52% said they’re comfortable with academic activity monitoring, a decline from 63% last year. 

Such digital surveillance, researchers found, frequently has disparate impacts on students based on their race, disability, sexual orientation and gender identity, potentially violating longstanding federal civil rights laws. 

The tools also extend far beyond the school realm, with 40% of teachers reporting their schools monitor students’ personal devices. More than a third of teachers say they know a student who was contacted by the police because of online monitoring, the survey found, and Black parents were significantly more likely than their white counterparts to fear that information gleaned from online monitoring tools and AI-equipped campus surveillance cameras could fall into the hands of law enforcement. 

Meanwhile, as states nationwide pull literature from school library shelves amid a conservative crusade against LGBTQ+ rights, the nonprofit argues that digital tools that filter and block certain online content “can amount to a digital book ban.” Nearly three-quarters of students — and disproportionately LGBTQ+ youth — said that web filtering tools have prevented them from completing school assignments. 

The nonprofit highlights how disproportionalities identified in the survey could run counter to federal laws that prohibit discrimination based on race and sex, and those designed to ensure equal access to education for children with disabilities. In a letter sent Wednesday to the White House and Education Secretary Miguel Cardona, the Center for Democracy and Technology was joined by a coalition of civil rights groups urging federal officials to take a harder tack on ed tech practices that could threaten students’ civil rights. 

“Existing civil rights laws already make schools legally responsible for their own conduct, and that of the companies acting at their direction in preventing discriminatory outcomes on the basis of race, sex and disability,” the coalition wrote. “The department has long been responsible for holding schools accountable to these standards.”

Yet even before the first class started, the 133,000-student district in Prince George’s County, Maryland, faced an assault on its security — one carried out completely online. 

Rather than barge through the front entrance of a school, threat actors appeared to break in through a backdoor in the district’s computer network. The mid-August intrusion meant the high-performing school system — among the nation’s 20 largest — joined a growing list of school district ransomware victims, another proof point that the education sector is now a primary target of cyber gangs. 

“Schools have this delicious trove of data and do not have the same protections” as banks and other for-profit businesses, said Jake Chanenson, lead author of a recent University of Chicago report on school district cyber risks. 

In the case of Prince George’s County Public Schools, the attack appeared to enter its final stage on Tuesday when the Rhysida gang posted to its leak site a collection of data it purportedly stole nearly a month ago. A cursory review of the files suggest they date back two decades. 

The back-to-school season, already a particularly busy period for school technology leaders, has become a prime time for district ransomware attacks, according to cybersecurity experts. In August alone, ransomware gangs claimed new attacks on 11 K-12 school systems, according to an analysis by ���˶��� of the cyber group’s dark web leak sites. Among them are three New Jersey districts, two in Washington state, a Denver charter school network and a district in remote Alaska. Several additional districts have disclosed cyberattacks since the start of the new year, including news of a breach last week against Florida’s Hillsborough County Public Schools, the seventh-largest district in the U.S. 

In Chambersburg, Pennsylvania, district officials said for three days in just the second week of the academic year. 

At the Lower Yukon School District in Alaska, technology director Joshua Walton said a hack and subsequent data breach by the burgeoning ransomware gang NoEscape was first initiated in late July, before the fall semester began. 

“Your confidential documents, personal data and sensitive info has been downloaded,” the group wrote in a ransom note obtained by ���˶���. “Published information will be seen by your colleagues, competitors, lawyers, media and the whole world.”&�Բ�����;

Ultimately, the district refused to pay the group’s $300,000 ransom demand, leading to a small data breach that doesn’t appear to include sensitive information about educators or students. Rather, an analysis of the leak suggests stolen files center primarily on campus maintenance work. 

Previous data breaches following district ransomware attacks, such as the ones in Los Angeles and Minneapolis, have led to widespread disclosure of sensitive information, including student psychological evaluations, reports of campus rape cases, student discipline records, closely guarded files on campus security, employees’ financial records and copies of government-issued identification cards. 

Though Walton was confident that similarly sensitive records had not been stored on the breached computer server, he told ���˶��� the Lower Yukon hack could have been far more disruptive had it been carried out just a few weeks later. Instead, they had a few remaining weeks of summer to restore their systems before their returned. 

“It was an inconvenience for sure, but I’ve seen a lot of data breaches over the years and ours is nothing comparable,” Walton said. “I couldn’t imagine that happening when school starts because we’re all rushing to get all of the support tickets taken care of and making sure that school is starting off on the right foot. If it would have happened then, it would have been a whole different ball game.”&�Բ�����;

This year, the return-to-school season kicked off with a warning from federal law enforcement about the growing threat that cyberattacks pose for school districts. During a cybersecurity summit at the White House in early August, federal officials warned the coming months could be particularly volatile. Harm isn’t limited to victim districts but rather encompasses their employees, students and families whose sensitive records, including financial information, are vulnerable to data breaches. 

WIth “Social Security numbers and medical records stolen and shared online,” such attacks have left “classroom technology paralyzed and lessons ended,” First Lady Jill Biden said. “So if we want to safeguard our children’s futures, we must protect their personal data.”

There isn’t any hard data on the frequency that ransomware groups exploit back-to-school season compared to other times, said Doug Levin, the national director of the K12 Security Information eXchange. He said it’s also difficult to identify when attacks first begin, with threat actors sometimes infiltrating district servers months before the ransomware attack is initiated. That said, the existing evidence suggests about a quarter of cyber incidents affecting school districts appear to occur during those first few weeks and months of school. He said the chaos of getting technology into students’ hands and setting them up with new online accounts creates an ideal opportunity for criminals to catch district tech officials off guard. 

“With all of these new devices being deployed with all sorts of new tools and applications coming online, I certainly have heard reports of upticks in against school districts already,” Levin said. “It’s definitely a time where you know people are more likely to make mistakes.”

Similar concerns were included in by the New Jersey Cybersecurity and Communications Integration Cell, where officials warned that cybercriminals routinely exploit holiday breaks to target schools. 

“Threat actors take advantage of this pastime when staff is away or just prior to busy seasons, such as the beginning of the school year, long weekends or before the end of a marking period when final grades are due,” the warning notes. “Within the last few weeks, publicly announced ransomware attacks sharply increased.”

‘Exclusive, unique and impressive’

Following a common ransomware playbook in Prince George’s County, the Rhysida gang claimed the theft of sensitive documents, posting screenshots online showing birth certificates, passports and other records purportedly stolen from the district. Unless the district agreed to pay the group 15 bitcoin worth some $375,000, Rhysida threatened to publish the “exclusive, unique and impressive” data on its leak site. 

Such negotiations appeared to expire by Tuesday morning: A trove of files purportedly stolen from the district were published to the cyber group’s leak site, suggesting education leaders had refused to pay the ransom. The development comes after a ticker on the gang’s leak site, meant to signify the district’s approaching ransom payment deadline, was paused or delayed on several occasions. 

A day after the district detected the breach on Aug. 14, it said in a statement that some 4,500 user accounts out of 180,000 were affected, forcing district employees to reset their passwords. Impacted individuals, the district said, “will be contacted in the coming days.”&�Բ�����;

The school system is “offering free credit monitoring and identity protections to all staff,” district spokesperson Meghan Gebreselassie said in an email Tuesday morning but declined to comment further. In a Sept. 1 update, the district said staff, students and their families would receive a year of free credit monitoring and identity protection services, acknowledging the attack “may result in unauthorized disclosure of personal information.”&�Բ�����;

“We are working diligently to confirm the extent of information that was impacted by this incident, and we will move quickly to provide direct notice to those who are impacted once this determination is made,” the statement says.

Yet special education advocate Ronnetta Stanley said the Prince George’s district hasn’t done enough to keep the community in the loop about the attack and its potential effects on students and parents. The types of information that may have been breached, she told ���˶���, “has not been clearly communicated.” Special education records, which have been exposed in previous attacks like the one against the Los Angeles Unified School District near the start of the 2022-23 school year, could be at risk in Prince George’s County, she fears.

“There have not been any specific details about exactly what was breached, who may have been affected by it and, then what is the remedy for what should be happening with compromising information?” said Stanley, founder of the special education advocacy group “Not knowing what was leaked and who was affected, it’s difficult to say what the ramifications will be.”&�Բ�����;

The by the University of Chicago researchers found that district leaders are frequently unaware of the peril that cyber gangs pose, often implement education technology tools without considering privacy implications and routinely endorse digital tools that present potential privacy issues. While banks and large corporations have become harder targets as they bolster their cybersecurity defenses, schools have fallen behind, said lead author Chanenson, a doctoral student studying computer science. 

“This is only going to get worse,” he said, “until we give schools the resources they need to up their defensive game.”&�Բ�����;

Ransomware’s long tail

Among the school districts listed on ransomware gang leak sites in August is the one in Edmonds, Washington — a development that for locals may feel like déjà vu. The Akira group named Edmonds as being among its latest victims on Aug. 24, just six months after district officials announced that a “data event” was to blame for a two-week internet blackout in late January. 

Data stolen in the winter 2023 breach, the district warned in February, could include names, Social Security numbers, student records, financial information and medical documents. The district is still analyzing the extent of the attack and plans to notify affected individuals once their review is finalized, district spokesperson Harmony Weinberg said in a Sept. 8 email to ���˶���. 

It’s unclear, however, whether the district was victimized a second time this summer, a development officials deny. Cybercriminals routinely target victims on multiple occasions — especially those that pay ransoms to retrieve stolen files. In Edmonds, the district recently became “aware of a public allegation by the group believed to be responsible for our winter 2023 data security incident,” Weinberg said. 

“We reviewed the district’s network systems in relation to this data security incident, and found no evidence that any systems were infected with ransomware,” Weinberg continued. “Further, we are not aware of any malicious activity occurring within our network systems since the winter 2023 event.”&�Բ�����;

Meanwhile, the Los Angeles and Minneapolis school districts continue to grapple with the fallout from cyberattacks that crippled their systems last school year and led to the widespread data breaches of sensitive records about students and educators. After the Los Angeles district was targeted in a back-to-school ransomware attack over Labor Day weekend last year, the nation’s second-largest school system kicked off this school year by announcing to bolster its cybersecurity defenses. 

Seven months after Minneapolis Public Schools fell target to a cyberattack that it euphemistically called an “encryption event,” tens of thousands of individual victims are just beginning to learn their sensitive records were compromised as community members blast education officials for leaving them in the dark about key details. 

On numerous occasions over the last several months, educators have complained to district officials that they were being targeted by fraudsters, obtained by The Daily Dot. “I had my bank account drained last week and had $3 to my name,” one person wrote in an email to Minneapolis schools. Another individual reported getting hit with a fraudulent $2,500 charge on a credit card, while parents reported receiving emails from unverified senders related to their children’s college financial aid. 

In a Sept. 1 update on the Minneapolis district website, said school officials undertook a “time-intensive” review to determine what information had been stolen, which included names, Social Security numbers, financial information and medical records. 

“Although it has been difficult to not share more information with you sooner, the accuracy and the integrity of the review were essential,” the district notice notes. Meanwhile, by the law firm Mullen Coughlin stated that the district had provided written notices to more than 105,000 people whose personal information had gotten caught up in the attack. 

The documents were Minneapolis Public Schools’s first public comments on the attack since April 11.  

Such disclosures often fall short in providing victims enough information to keep themselves safe, said Marshini Chetty, a University of Chicago associate professor focused on privacy and cybersecurity. 

“Disclosure is not enough because people may not fully realize what could actually happen and how their data can be misused,” Chetty said. While victim districts routinely offer credit monitoring and other tools to mitigate financial crimes and fraud, she said it’s more challenging to remedy situations where sensitive information, like medical records or student disciplinary records, are disclosed. 

“A lot of times schools are reactive rather than proactive,” she said.  If district leaders aren’t doing enough to protect the data from being stolen in the first place, “then it’s almost too late.”

There were a record 188 school shootings resulting in injuries or deaths in the 2021-22 school year, according to the latest available data included in . That’s twice as many shootings on campus than the previous record — set just one year earlier. 

The annual report, in its 25th iteration, leverages data from across federal agencies, including the Justice Department, to provide the public and policymakers with comprehensive insight into the safety conditions of the country’s school campuses, including cyberbullying and weapons possession. The new data offer fresh fodder in the ongoing political debate about how to thwart gun violence in schools. 

In some ways, the policy outcomes from such attacks are apparent in the data itself. As high-profile shootings and other campus safety incidents drive divisive discussions about gun control and policing, they’ve also led to a surge in — and near-universal adoption of — numerous physical security measures. By 2019-20, 97% of public schools controlled access to their campuses, 91% used surveillance cameras and 77% required district employees to wear badges. The number of campuses with security staff ballooned from 43% in 2010 to 65% by 2020. 

The spike in parental concerns over school safety seen in the aftermath of high-profile school shootings in Parkland, Florida, in 2018 and last year in Uvalde, Texas, dipped slightly this year, . Among surveyed parents, 38% reported that they fear for their child’s safety, down from 44% in 2022. Still, the percentage of people who fear for their children’s safety is still among the highest it’s been since Gallup began to poll parents on the topic in 1977. Gallup’s historical high, at 55%, was measured shortly after the 1999 Columbine High School shooting in suburban Denver. 

For the purpose of the federal report, “school shootings” include “all incidents in which a gun is brandished or fired or a bullet hits school property for any reason, regardless of the number of victims” and motive, including planned attacks, accidents and domestic violence. The methodology and collection methods used by the Education Department differ from those of other groups and media outlets that track school shootings. For example, the lists 250 school shootings in 2021 and 305 in 2022. , which only includes incidents where someone is struck by a bullet, counts 35 school shootings in 2021 and 51 in 2022. 

The federal report doesn’t include school-shooting data from the 2022-23 academic year. 

While the federal data on school gun violence incidents “is of course extremely striking,” it is just “one piece in the puzzle of our understanding of school shootings,” Véronique Irwin, an associate education research analyst with the National Center for Education Statistics, said on a press call Tuesday. “It’s important for us to examine other dimensions as well.”&�Բ�����;

Despite the recent uptick in campus firearm incidents, the number of violent deaths of students in schools hasn’t followed a similar trendline and remains rare, the new federal report reveals. Nor have “active shootings,” a specific subset of campus gun violence, like the Parkland and Uvalde attacks, where an individual is “actively engaged in killing or attempting to kill people in a populated area.” Fourteen people were wounded or killed in active school shootings in 2021, the report revealed, compared to a high of 81 in 2018. 

Between 2000 and 2021, there were 46 active shooting incidents, resulting in 108 deaths and 168 injuries. Of the 47 people who carried out the active shootings, all but one was male. 

Beyond school shootings, the new federal report offers a mixed bag on various campus safety metrics, and at times that have sounded the alarm about an uptick in student misbehavior since the pandemic. 

Between the 2009-10 school year and 2019-20, the number of students who reported campus bullying decreased from 23% to 15% and reported gang activities dropped by more than half. School fights, weapons possession and alcohol use also declined. For some metrics, the most recent data are from 2019 and don’t capture the disruptive nature of COVID campus closures. Data captured after the pandemic began should be interpreted with these destabilizing forces in mind. 

Educators also experienced improved safety conditions in schools between 2011 and 2021, the report suggests. Six percent of teachers reported that a student had threatened to injure them in 2020-21, a decrease from 10 percent a decade earlier. Similar declines were observed in the number of teachers who fell victim to attacks. 

Still, the research revealed that educators have observed an uptick in disrespect from students, verbal abuse and overall classroom disorder. 

Such unrelenting attacks — this time against a Bergen County, New Jersey, district —are what brought the first lady as well as some 200 federal cybersecurity officials, school district leaders and tech company executives together for a first-ever White House summit on strengthening school district defenses.

“It’s going to take all of us,” Biden said. 

The breaches have grinded school technology systems nationwide “to a halt,” the first lady said at the East Room gathering, forcing some districts to cancel classes as reams of sensitive student, parent and educator data were stolen and leaked online. In March, a Medusa attack on Minneapolis Public Schools exposed records about child abuse inquiries, student mental health crises and campus physical security details. 

“If we want to safeguard our children’s futures, we must protect their personal data,” she said. “Every student deserves the opportunity to see a school counselor when they’re struggling and not worry that these conversations will be shared with the world.”

Among the new strategies announced Tuesday is the creation of a Government Coordinating Council that will provide “formal, ongoing collaboration” between all levels of government and school districts to prepare for and respond to data breaches. Officials with the Cybersecurity and Infrastructure Security Agency said the agency would provide individualized assessments and cybersecurity training to 300 K-12 education entities over the next year. 

Tuesday’s cybersecurity event didn’t come with the announcement of any new federal regulations but was instead positioned as the first step in a new-found federal urgency around cybersecurity in schools. The Federal Communications Commission in late July proposed a $200 million pilot program to enhance cybersecurity in schools and libraries that still needs to be approved.

“When schools face cyber attacks, the impacts can be huge,” Education Secretary Miguel Cardona said. “Let’s be clear, we need to be taking these cyber attacks on schools as seriously as we do the physical attacks on critical infrastructure.”

In released by the Education Department and the Cybersecurity and Infrastructure Security Agency, the agencies recommended that school districts implement multi-factor authentication, enforce minimum password strength standards and ensure software is kept up to date. They should also consider moving on-premises information technology services to cloud-based systems. 

“Do not underestimate the ruthlessness of those who wish to do us harm,” Homeland Security Secretary Alejandro Mayorkas said. “They have proven their willingness to steal and leak such private student information as psychiatric hospitalizations, home struggles and suicide attempts. Do not wait until the crisis comes to start preparing.”&�Բ�����;

School cybersecurity expert Doug Levin, who attended the summit, said it was a positive development to see the federal government, and the Education Department in particular, focus on the effects of ransomware on schools. The Education Department has been “mostly absent from these conversations” in the past, said the national director of The K12 Security Information eXchange.

Meanwhile, several companies, including education technology vendors, unveiled new commitments to help facilitate digital security in schools. Amazon Web Services announced a new $20 million grant program to bolster K-12 school cybersecurity while Cloudflare committed to providing free cybersecurity tools to small districts with 2,500 or fewer students. 

Schools are now the single leading target for hackers, outpacing health care, technology, financial services and manufacturing industries, according to a global survey of IT professionals released last month by the British cybersecurity company Sophos.

In the U.S. school district cyber attacks reached a record high of 37 in the month of June alone, , but Tuesday’s event centered largely on a crisis that unfolded in Los Angeles nearly a year ago. 

Last September, a notorious ransomware group carried out an attack on the Los Angeles Unified School District, the nation’s second largest, that resulted in some 500 gigabytes of district data being published to the Russian-speaking group’s dark-web leak site. 

A major theme of the White House summit was the politically connected superintendent’s swift outreach to federal agencies, including the U.S. Department of Education and the Federal Bureau of Investigation. That collaboration, Superintendent Alberto Carvalho and federal education officials said, set into motion a response plan that mitigated the attack, limited the number of files breached and avoided class cancellations. 

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, called it “the Harvard Business School case study on how to get this right.”&�Բ�����;

Other school districts should respond similarly, said FBI Deputy Director Paul Abbate. When school leaders suspect they’ve been the target of an attack, he said, it’s incumbent that they “please call us immediately.” In L.A.’s case, the FBI was able to have a team of agents on the ground in less than 24 hours, he said, enabling them to freeze vulnerable accounts and secure sensitive information that had been sought out by the threat actors. 

That coordinated response didn’t prevent some 2,000 current and former students’ highly sensitive psychological evaluations from being leaked on the dark web, an investigation by ���˶��� revealed. Carvalho initially denied that such records were exposed in the attack, but the district acknowledged they were after the story was published. The district also initially said the attack began and ended on Sept. 3 — the Saturday of Labor Day weekend — but a follow-up investigation determined that an intrusion began as early as July 31, the .

While Carvalho didn’t comment Tuesday on the leak of sensitive psychological information, he said the number of stolen files “could have been much worse,” adding that the hackers “encrypted and exfiltrated very little thanks to our actions.” Among the actions they didn’t take, the schools chief said, was paying the undisclosed ransom demand because “we don’t negotiate with terrorists.”

First Lady Jill Biden, senior administration officials, school district heads and technology company executives will convene at the White House Monday to kick off a new cybersecurity defense initiative as schools increasingly fall victim to crippling ransomware attacks. 

The Education Department will launch a coordinating council to provide formal collaboration between government officials and district leaders to help schools strengthen their cybersecurity capabilities in the face of attacks that have closed campuses and exposed highly sensitive student and educator information online. The effort was announced by senior Biden administration officials on a press call Sunday evening. 

The council is being billed as the department’s “key first step” in a renewed focus on cybersecurity after multiple districts — including in Los Angeles and Minneapolis — were targeted by cyber gangs. 

At the White House event, federal officials will hear from school district leaders who navigated attacks, including Los Angeles Unified School District Superintendent Alberto Carvalho, who led America’s second-largest school system through a hack last September. That breach, an investigation by ���˶��� revealed, exposed thousands of current and former students’ highly sensitive psychological evaluations on the dark web.

In addition to the first lady, others expected to attend the 4 p.m. White House summit include Education Secretary Miguel Cardona, Homeland Security Secretary Alejandro Mayorkas and Federal Communications Commission Chairwoman Jessica Rosenworcel. 

Anne Neuberger, the deputy national security advisor for cyber and emerging technologies, said the administration seeks to help school districts protect sensitive information about students, parents and educators. In March, a ransomware attack against Minneapolis Public Schools led to a data breach that exposed more than 189,000 files, including records related to sexual misconduct investigations, child abuse reports and district physical security information that’s typically kept private. 

Neuberger called the Minneapolis breach “a particularly vicious example,” citing the disclosure of closely held school security information, which was first revealed in an investigation by ���˶���. 

Teams of federal cybersecurity experts will visit schools and help them create incident response plans, said Neuberger, adding that districts — particularly small ones — often lack the money and resources to adequately prepare for attacks. 

Schools are now the single leading target for hackers, outpacing health care, technology, financial services and manufacturing industries, according to a global survey of IT professionals released last month by the British cybersecurity company Sophos.

Cindy Marten, the deputy secretary of education, said that government officials and school leaders must make school cybersecurity a priority at the same level as physical infrastructure. She said she experienced firsthand how districts and the federal government can work together to mitigate the harm from attacks. Carvalho reached out to the Education Department after the Los Angeles district was hacked, Marten said, making clear the importance of partnerships.

It can take as long as nine months for districts to recover from cyberattacks, , and can cost them as much as $1 million to respond. 

Several technology companies have also committed to offer schools “free and low-cost resources.” Amazon Web Services pledged to provide $20 million for a K-12 cyber grant program, free security training and incident response help. Meanwhile, will offer free cybersecurity tools to small districts with 2,500 or fewer students. 

Other federal commitments announced Monday include a guide from the Federal Bureau of Investigation and the National Guard Bureau to help schools report cybersecurity incidents and tap into federal cyber defense expertise. 

Last month, the Federal Communications Commission proposed a $200 million grant program to help districts bolster cybersecurity. 

Last year, a startling 80% of schools suffered ransomware attacks, according to and released last month. That’s a surge from 2021, when 56% claimed they were victims. The rate has doubled over two years, making ransomware “arguably the biggest cyber risk facing education providers today,” researchers found.

 The victimization rate against schools was higher than all other surveyed industries, including health care, technology, financial services and manufacturing. 

While the Sophos survey included responses from 400 IT professionals working in education globally, U.S. institutions are “the prime target for many of these gangs,” particularly since Russia invaded Ukraine, said Chester Wisniewski, field chief technology officer of applied research at Sophos. 

Yet even among American institutions, he said two factors have made schools particularly vulnerable to threat actors. Costly cybersecurity safeguards in schools often fail to rival those in place at major businesses like banks and technology companies. And schools aren’t just easy to hack, they’re also easy to exploit for profit, he said. Nearly half of attacks against schools last year — 47% — led to ransom payments, researchers found, and their willingness to shell out cryptocurrencies to retrieve stolen files may have backfired. 

“If a given sector pays more often than another sector, then they get targeted more often and if a given sector is really insecure and it’s super easy to break in, they’ll also get targeted more,” he said. “In the case of education, unfortunately, it’s a double whammy because they do pay very often and they also are really easy to break into.”

The rise in ransomware attacks on schools coincides with the growth in double-extortion schemes, researchers found. In double-extortion ransomware attacks, threat actors gain access to a victim’s computer network, download compromising records and lock the files with an encryption key. Criminals then demand their victim pay a ransom to regain control of their files. If victims don’t pay, the criminals sell the data or publish it to a leak site. 

Files contained in those data breaches routinely contain sensitive and confidential information about students, their parents and educators. After an attack last year against the Los Angeles Unified School District, threat actors published highly sensitive psychological evaluations of some 2,000 current and former students. Following a computer breach this spring at Minneapolis Public Schools, a cyber gang uploaded to the internet a trove of stolen files including ones detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. 

While both incidents were large-scale attacks, many others likely unfold on a much smaller scale, Wisniewski said. Of the 80% of districts reporting attacks, he said the figure likely includes instances of a single student’s or educator’s computer being compromised. 

“The sophistication is very low, it’s smash-and-grab stuff,” he said. “They literally are just encrypting a laptop and saying, ‘Pay us $500 for the keys,’ and they don’t have the time nor the skills to bother exfiltrating data and stuff like the big groups do.”&�Բ�����;

Scott Elder, the superintendent of Albuquerque Public Schools, knows firsthand the challenges that education leaders face when their districts become the targets of cyber criminals. A r last year, forcing the district to cancel classes. Ultimately, the district and law enforcement were able to resolve the attack without paying a ransom. He told ���˶��� he was surprised that schools have become the top ransomware target because “we don’t have any money.” But he’s well aware that districts are vulnerable. 

“The reality is, we have incredibly dedicated people who are working incredibly hard to keep our data safe, but we  just can’t pay as much as the private sector,” Elder said. “I’d imagine there are a lot of districts that are struggling to attract top-tier talent to do this type of work.”&�Բ�����;

Last year, stolen data was encrypted in 81% of cases against schools and attacks were stopped in just 18% of cases before district information was locked, according to the Sophos report. Of schools that had their documents locked behind an encryption key, threat actors made their own copies of the information in 27% of cases. 

While schools may be tempted to pay ransoms to retrieve stolen data quickly and minimize harm, the Sophos report offers counterintuitive findings. Recovery costs were higher in districts that shelled out ransoms, even before factoring in the cyber gang’s financial demands. It also took those districts longer to get back up and running, according to the report. While 35% of districts that relied on file backups for their data recovered within a week, the same was true for 32% of those that paid ransoms. The report doesn’t explore the number of school districts which didn’t pay ransom demands and then had their confidential data leaked online. 

The confidential nature of compromised data, and the potential damage of its public release, influence districts’ decisions to pay ransom, Elder said. 

“This is highly confidential information, some of it can be harmful, and we’re educators: We like to take care of people,” Elder said. “But I do think sometimes we have to draw a hard line to manage our property. It’s a hard decision. I doubt there’s any single answer for anyone.”

Insurance appears to be a motivating factor in districts’ decisions to pay ransoms, Wisniewski said. In school systems with standalone cyber insurance, 56% of victims paid the ransom compared to 43% with broad insurance policies that included cybersecurity coverage. Ransom demands are often covered by insurance, Wisniewski said, and companies who have to pay off the claims are likely to have significant influence over which districts come across with the money.

“The only conclusion I can draw from that is the insurance companies think that paying the ransom is going to save them money because in the end the insurance company is on the hook for helping you recover,” he said, despite emerging data to suggest the contrary. “The insurance companies are constantly playing catchup trying to figure out how they can offer this protection because they see dollar signs while everybody wants this protection, but they’re losing their butts on it.”

A three-year pilot program announced by Rosenworcel earlier this month could invest up to $200 million to enhance cybersecurity in schools and libraries, yet the full proposal hasn’t been released publicly and education experts said far more would be needed to make a meaningful difference. And it could be months — if not more than a year — before the help makes its way to schools as education groups demand a more urgent federal response. 

As districts become “a prime target for cyberattacks,” the proposed pilot “will give us valuable insight about whether and how the FCC can leverage its resources to help address the cybersecurity threats that schools and libraries face,” Rosenworcel said in a July 12 speech before AASA, The School Superintendents Association and the Association of School Business Officers International. 

Education groups and school leaders have been calling for several years on the federal government to help schools bolster their cyber defenses and the pilot deviates from what many had suggested. The allowing districts to spend federal E-Rate funding on cybersecurity, a move that more than 1,100 school districts endorsed in a joint letter last year. 

Yet officials at the national superintendents’ association worried that using E-Rate funds was a diversion from the program’s mission of helping schools and libraries connect to the internet, said Noelle Ellerson Ng, the group’s associate executive director of advocacy and governance. She said the group supports the pilot because it remains separate from E-rate while still giving districts more money to protect their data. 

“All signs point towards we’re going to need a federal response so hopefully we can get some congressional acknowledgement of that during the same three-year timespan to start thinking about what something more sustainable might look like,” Ellerson Ng said. “That way when this three-year pilot is up and we can get some of the evaluated data, we can move forward.”

A found that K-12 education was the most popular target for ransomware gangs last year, with 8 in 10 districts reporting getting hit with attacks — a marked 43% increase from 2021. The average recovery cost for victim districts, which agreed to pay ransoms in nearly half of incidents, exceeded $1.5 million, excluding financial demands from cyber gangs. 

Recent high-profile ransomware incidents include an attack last year on the Los Angeles Unified School District, the country’s second-largest school system, that resulted in the public release of students’ highly sensitive psychological records. An attack on Minneapolis Public Schools this spring led to the public release of a trove of sensitive district documents, including files that outline campus rape cases, child abuse inquiries, student mental health crises and suspension reports. 

Last month, New York City Public Schools, the country’s largest district, in a massive cyber attack on the file-sharing software MOVEit. The MOVEit attack has resulted in and organizations, including universities in at least a dozen states. The National School Clearinghouse has acknowledged it was caught up in the breach, a development that school cybersecurity experts said could affect many — if not most — students nationally. 

“Cybersecurity is definitely something that has just stormed into the forefront” as districts nationwide grow increasingly alarmed by attacks, Rosenworcel said. The federal government hasn’t previously provided money to schools for cybersecurity but the pilot program, she said, offers a first step. 

The five-member FCC commission must vote on the proposal before its full details are made public, the agency said, and it must go through a formal public comment and rulemaking process. Education experts predict it could be a year or more before the money is available to districts. 

“I’ve told our superintendents that it’s realistic that it could take 10 months — best case scenario — before they’re able to apply,” Ellerson Ng said. 

School cybersecurity expert Doug Levin said the communications commission “has been slow-pedaling” on the issue for years and that the $200 million proposal is just “a drop in the bucket” of what districts nationwide would need to counter this online enemy. The pilot could be used to generate lessons learned and to set the stage for more robust federal investments, he said, but only a small number of districts are likely to receive grants under it. 

But the threat that districts face from cyber attacks is so great, Levin said, that even a much more significant investment in digital safeguards is unlikely to thwart the problem.

“It’s hard for me to imagine that, even if they were wildly successful and every school district was able to put in place a next-generation firewall, that that’s going to make a meaningful difference in the number of successful attacks against school districts,” he said. “You know, maybe they shouldn’t be collecting all this data that’s so sensitive in the first place.”