Keeping It off the Record: Student Social Media Monitoring and the Need for Updated Student Records Laws
2019 I 22 Vand. J. Ent. & Tech. L. 155 I Alice Haston
For full article with citations, please visit: https://scholarship.law.vanderbilt.edu/jetlaw/vol22/iss1/7
"Im [sic] going to be a professional school shooter." This YouTube video comment was likely the first time that authorities learned of the threatening demeanor of Nikolas Cruz, the student responsible for killing seventeen high school students and staff in Parkland, Florida, in February 2018. After the tragedy, community members and media criticized federal and local authorities for not reacting to Cruz's social media-a digital footprint riddled with racist slurs, violent messages, and photos of guns. Many wondered whether this tragedy would have occurred if someone responded to the social media threats sooner.
An increasing number of serious school safety incidents are foreshadowed by online student communication. In an effort to prevent these unsafe situations, many school districts have adopted procedures for monitoring students' social media. Some schools rely on students or school resource officers to monitor and report worrisome posts. An increasing number of school districts contract with private companies that monitor public social media and provide administrators with records of potential threats that may relate to their schools.
Social media monitoring companies comply with federal law and offer an answer to challenging safety situations. Student rights advocates, however, fear that disciplining students for information found in monitoring reports may compromise students' rights to free speech, privacy, and due process. Moreover, if an educational entity retains monitoring reports after a threat assessment, then a student's educational record may contain information that the Family Educational Rights and Privacy Act of 1974 (FERPA) likely does not protect from disclosure." As a result, third parties may access student information that has been taken out of its original context and inaccurately depicts a student's online presence.
This Note analyzes social media monitoring within the context of statutory privacy frameworks. It argues that states should follow California's lead by updating student records laws with guidance on handling information gleaned from social media monitoring services and that the Department of Education (DOE) should issue guidance on the storage of student social media information. Part I discusses student social media use, popular monitoring methods, and schools' abilities to respond to online student speech. Part II examines how FERPA and privacy pledges fail to safeguard student privacy within the context of social media monitoring. Part III explains why states should adopt policies similar to recent California legislation and why the DOE should issue new guidance. Part IV offers concluding remarks.
I. Today's Student: Social Media, Surveillance, and Privacy Frameworks
A. Social Media Use
Social media continues to be a popular medium of expression, with young users communicating through Snapchat, Instagram, and Twitter with smartphones and laptops. Many hail social media use in schools for its ability to foster positive student-to-student communication, promote creative expression, and facilitate information exchanges. However, studies suggest that social media promotes anxiety and harassment, with young students increasingly expressing concerns about online bullying. Many negative online interactions lead to physical fights in school. Many educators have begun teaching digital citizenship-responsible uses of digital media-as well as strategies to help parents monitor students' social media use.
School threats spiked on social media after the shooting in Parkland, Florida. Every day, students are taken into custody for threatening to bring a bomb or a gun to school. These incidents have prompted school districts to ask teachers or school resource officers to stay abreast of school-related social media posts. Students may also use their social media accounts to show a school administrator something posted by a classmate.
B. Social Media Monitoring
Many school districts contract with companies that specialize in social media monitoring. These companies monitor public social media communication that occurs within a certain radius of an educational institution by using machine-learning algorithms and keywords that relate to conflict, violence, or school. Companies will then send any flagged posts within a daily report to school administrators.
For example, Social Sentinel creates a virtual boundary called a geofence around an educational institution and scans public social media within that geofence. The company can adapt its keyword search for "unique characteristics" of the community and adjust the scope of its search to social media posts beyond the institution's geofence. If a social media post contains a "threat indicator," then Social Sentinel's staff reviews the language and sends a copy of the post to a school administrator through a text message or an email. School administrators may access this data, manage notification settings, update the geofence, and assign community terms from their Social Sentinel account.
Other social media monitoring services, such as Geo Listening, have similar business models. Although these companies do not offer specific recommendations on how to store social media reports, they recommend factors to consider when determining who within the school community should receive the flagged social media posts. Both Geo Listening and Social Sentinel respond to concerns about student privacy by explaining that they only access social media posts that are already public.
Because federal law requires schools to protect students from harmful online content by using filters, many districts also subscribe to services that allow school leaders to monitor student internet use generally. For example, GoGuardian allows administrators and teachers to monitor students' school-issued devices. This software provides an overview of total student body data usage and individual student data usage, such as the most commonly visited sites and applications and the amount of time spent online. Schools may then export this data into an individual report. GoGuardian justifies concerns about student privacy by emphasizing that it complies with federal law and abides by industry student privacy pledges. GoGuardian does not offer specific recommendations to schools on how to retain or share student information
C. Schools' Regulation of Online Student Speech
Although the US Supreme Court has not addressed a school's ability to regulate student internet activity, courts consider Tinker v. Des Moines Independent Community School District when analyzing an educational entity's ability to limit student speech. In Tinker, the Court held that an educational entity could limit student speech if the expression presented a risk of substantial disruption or material interference with school activities. Courts extend this holding to online off campus expression when the communication created a risk of substantial disruption or material interference with school activities. For example, the US Court of Appeals for the Ninth Circuit held that a school could expel a student for threatening other students on Myspace with a school shooting. Because the Myspace messages related to future violence within the school, the school could respond. Similarly, the Fifth Circuit held that a school could discipline a student for posting threatening rap lyrics on Facebook and YouTube because the lyrics included threats to shoot a school employee and because it was reasonably foreseeable that someone would alert the school about the song. Although courts generally agree that Tinker's standard may apply to online speech outside of school, courts differ on what constitutes a substantial disruption and to what extent the online speech must relate to the educational entity. Some free speech advocates fear that educational entities' abilities to monitor public student social media may chill expression, and they argue that the Tinker standard should be carefully considered before disciplining a student for content found through any social media monitoring report.
D. Regulating Student Privacy
The federal government primarily regulates student privacy through FERPA. FERPA aimed to address concerns about government access to personal data by limiting third-party access to school records. Today, FERPA conditions the receipt of federal funds upon compliance with rules governing the availability of individual student educational records. An education record is defined as information that directly relates to a student that is maintained by an educational institution. It may also include records of disciplinary action taken against the student for conduct posing a safety risk. This definition excludes daily classwork, teacher materials, records maintained by law enforcement, or other records made by an employee during the normal course of business.
Under FERPA, educational institutions may disclose information from a student's record to third parties in three limited circumstances: the school official exception, the studies exception, and the audit and evaluation exception. The school official exception allows schools to disclose personal information to third parties who have a "legitimate educational interest" in the information, such as teachers, counselors, and attorneys. The studies exception allows school officials to share student information with certain researchers. The audit and evaluation exception permits schools to disclose personal information to third parties that have been authorized to use the information to develop a federal program.
Other than these three exceptions, FERPA prohibits educational institutions from disclosing personal information from a student's educational record unless they receive written consent from the student's parent or guardian. Every year, the school must notify guardians of their right to inspect their student's education records and to seek amendment of any information the family believes to be inaccurate, misleading, or in violation of the student's privacy rights. Upon a parent or guardian's request for amendment, a school must decide whether to comply and must inform the family of their right to a hearing within a reasonable timeframe.
Since FERPA's passage, the DOE, courts, and state officials have clarified the scope of a student's education record. For example, a student's record likely would not include peer-reviewed papers because they were not solely "maintained" by the teacher. Also, educational institutions may disclose noninstructional media, such as surveillance footage, to law enforcement without implicating an education record. Neither the DOE nor the judiciary commented on social media's relationship to education records, but two state officials recently opined that student social media, alone, is probably not part of a student's record because it is directly created and maintained by the student, not by the educational institution.
Two federal laws address student privacy outside the context of an education record. The Children's Online Privacy Protection Act (COPPA) prohibits online services from knowingly marketing to or collecting data from children under thirteen unless limited exceptions apply. The Protection of Pupil Rights Amendment (PPRA) requires written consent before any student participates in an exercise that reveals information concerning a student's psychological problems or illegal behavior. Many states have also enacted laws that address students' online privacy. In the last five years, several states prohibited educational institutions from requiring students to allow observation of or provide passwords to personal social media accounts. These laws do not, however, regulate educational institutions that monitor student social media that already exists in the public domain.
As of now, California is the only state to explicitly address student privacy within the context of social media monitoring. In 2013, a California school district, Glendale Unified Schools, hired Geo Listening to monitor student social media for signs of suicide, violence, and substance abuse. Many parents and privacy advocates were concerned by this decision, and the California legislature responded by passing new legislation in 2015. Now, school officials who plan to gather information from social media must first notify students and guardians. The school must allow the student to amend or delete collected data and must destroy the data within a year after the student leaves the institution or turns eighteen. Educational entities must also ensure that their contracts with social media monitoring companies contain provisions that (1) prohibit the vendor from using the student information for another purpose; (2) prohibit the vendor from sharing information to anyone other than the school district, guardian, or student; and (3) require the company to destroy the information after a contract ends.
II. The Privacy Patchwork: Little Guidance for Social Media Reports
No state's government, except California's, has addressed public social media monitoring through legislation. Although social media monitoring companies comply with current law and profess to self-regulate, their practices do not help educational entity clients robustly protect student privacy because they do not offer guidance on how to store or share social media reports.
A. Social Media Reports and FERPA's "Education Records"
As described above, FERPA does not explicitly address whether student social media records could become part of an education record. One could argue that FERPA's definition of an education record includes reports produced by companies such as Social Sentinel, because these reports contain social media that directly relate to individual students and are generated by an educational institution's agent. However, educational entities and social media monitoring companies do not maintain student data in the manner that FERPA envisioned. Although school districts collect information about student social media activity, there is no expectation that a school official will save the report. School officials may elect to print out the social media report, share it with others, and preserve it in a student file. Then again, administrators may choose to take no action, delete the report, or simply store the report in their online service profile. Moreover, the DOE has not updated FERPA's definition of "education record" since 1974; the DOE has updated some regulations to include social media, but it has not updated "education record" to include social media.
In fact, social media monitoring reports are similar to records that are explicitly excluded from FERPA's framework. FERPA's definition of an education record excludes both administrative notes and law enforcement records. Similar to administrative notes, social media monitoring reports are delivered to school administrators or superintendents and may remain in their sole possession. Similar to law enforcement, companies like Social Sentinel and Geo Listening assess the threat level of communications to help school members, such as school security officers, prevent future violence. Although social media monitoring companies do not initiate enforcement proceedings, they may provide school security officers with investigative tools and findings. Thus, one could characterize social media reports as records maintained by an agent of a law enforcement agency of an educational institution.
Because social media monitoring reports are likely not education records, they are not protected from disclosure under FERPA. In other words, school administrators may share information about a student's public social media activity with third parties without first securing parental or guardian consent. School administrators often claim that this is permissible, given that students choose to make the information available to the public and because the school's safety interest overwhelms any individual student's privacy interest. School officials may also assert that Tinker and its progeny suggest that schools may respond to threatening off campus speech despite implications for individual student interests.
These justifications are shortsighted. First, Tinker addressed a school's ability to limit student speech when that speech substantially interfered with school safety, but it did not consider how the speech could be used after the fact. Moreover, social media monitoring reports create an electronic record of a student's online activity. Even if the student decides to delete an alarming social media post, a copy remains with the school administrator through an online account. In this way, schools retain ownership of student speech even after the student attempts to disassociate herself. FERPA does not dictate how long educational entities should store student records, but the DOE encourages entities to destroy most data in a timely manner. Under FERPA, school districts are usually required to destroy student information within a short time frame. Although monitoring reports likely fall outside of FERPA's scope, school districts may treat these reports similarly to how they treat other records. Therefore, it is unlikely that school districts should be allowed to indefinitely retain student social media information without explicit statutory authorization or agency guidance instructing them to do so.
Last year, a Florida school district responded to a public records request for information relating to Social Sentinel by providing two months of Twitter postings that Social Sentinel had flagged for the school district. In California, a school printed off its social media reports and used them to persuade students that their activity reflected poorly on the school. These stories are worrisome, considering that many students adapt their online presences by deleting old posts or by adjusting their privacy settings. Because schools retain a record of old student messages, their social media monitoring databases may not accurately depict a student's current online presence and may associate that student with a past potential threat that the student has since deleted or that represents an impulsive thought from many years in the past.
Since FERPA does not protect this information from disclosure, college admissions officers, potential employers, journalists, and other private citizens may petition a school and receive information that has been taken out of its original context. This is problematic considering that the information may no longer be publicly available. Moreover, social media monitoring algorithms are imperfect because of the biases of their creators and users, and some experts fear that their keywords may disproportionately affect students who are already at risk of being subjected to harsher school discipline. Thus, allowing third parties to access student information that is no longer publicly available may perpetuate implicit biases present in the monitoring algorithm at the time of collection.
B. Industry Privacy Pledges and Self-Regulation
Social media monitoring companies profess to self-regulate student privacy by accessing only public social media, not private or closed social networks. However, these companies lack industry privacy pledges or vendor contracts that guide schools on how to store information found in social media monitoring reports.
In 2014, the Future of Privacy Forum (FPF) and the Software Information Industry Association (SIIA) introduced a Student Privacy Pledge (the "Pledge") for K-12 educational technology ("edtech") vendors. Signees agree to collect information only for authorized educational purposes, to disclose the types of information and their purpose to families, and to facilitate access and correction of student data between the school and the family. To date, almost four hundred edtech vendors have taken the Pledge, and noncompliant signees face the threat of civil enforcement by the Federal Trade Commission (FTC). Social Sentinel, Geo Listening, and other social media monitoring companies have not signed FPF's Pledge, and they are likely ineligible. Only "school service providers" may take the Pledge.' This label excludes tools that do not aid content instruction, including social media monitoring services.
Although FPF's Pledge may help keep student privacy at the forefront of educational entities' conversations with certain classroom technology providers, such as GoGuardian, its requirements do not encourage social media monitoring companies to guide schools on how to store and share student social media reports. Even if a pledge specifically addressed the collection of student information from the public domain, it would not provide an adequate avenue of recovery for students and parents. Pledges are voluntary, and few educational social media monitoring companies have developed national marketing strategies or public policy platforms. Therefore, companies may not feel economically motivated to sign industry privacy pledges. Even if they did, the FTC may decide not to bring an enforcement action against a company for violating a pledge.
Most importantly, a privacy pledge for social media companies would regulate only the companies' actions with student social media reports-not school administrations' actions. Although industry pledges and norms may help school districts find edtech providers who will engage in discussions on privacy, they do not ensure that districts develop best practices for retaining and sharing student data that other tech providers cultivate.118 Instead, privacy pledges refer educational entities to FERPA, which, as described above, does not protect this information from disclosure
III. The Need for Updated State and Federal Student Records Laws
Because a student's education record may contain information from social media monitoring services that is not protected from disclosure, third parties may petition schools for student information that may have been taken out of its original context. Educational entities who use social media monitoring services should ensure that their policies mirror the practices required in California Education Code section 49073.6. The DOE should also issue guidance on social media's relationship to education records under FERPA.
A. Access, Amendment, and Deletion: California's Example
After Glendale Unified community members protested Geo Listening in 2013, California became the first and only state to pass legislation regarding public school social media monitoring. California Education Code section 49073.6 applies to any school district that adopts a program "to gather or maintain in its records any information obtained from social media of any enrolled pupil." The statute defines social media broadly as any "electronic content," including videos, photographs, blogs, podcasts, messages, and online services. Notably, the policy makes no distinction between private and public social media. The provisions do not apply to any electronic services that are used exclusively for educational purposes, such as edtech services described above.
Districts must provide students and their families with access to any information obtained from social media and give that student an opportunity to correct or delete that information. The district must also destroy all of the information gathered from the social media within a year after the student turns eighteen, or within a year after the student is no longer enrolled at the institution. The district must communicate to each student's parent or guardian regarding the social media monitoring system's general use, when the school district will destroy the data, how to access any social media reports, and how to request the removal or correction of such information.
- Positive Effects on the School-Student Relationship
States should follow California's lead and pass similar legislation for several reasons. First, the law's access and amendment provisions help prevent schools from disseminating old copies of student speech. Although the law does not expressly ban social media monitoring reports from incorporation in a student's education record or from disclosure to third parties, it allows students to respond to narratives that could be associated with their profiles, minimizing the chance of a social media report's use for a purpose other than ensuring school safety. Although the DOE has promulgated regulations that allow students and their families to inspect and request the amendment of education records, reiterating these principles in state law would connect these rights specifically to student social media information.
These mechanisms can also act as positive reinforcements for students who develop better digital citizenship habits as they grow older. If a student regrets an alarming Facebook post and deletes that information or makes her account private, then surely she deserves an opportunity to ensure that the old message does not persist in her educational file or become available during a records request. California's requirement that educational entities destroy the digital information after a student turns eighteen or moves out of the school district ensures that this information is associated with a student for a limited amount of time and reinforces the notion that educational entities should only monitor students' online presences to ensure the safety of their student population.
One could argue that ongoing public safety concerns should overwhelm any privacy interest in destroying social media reports because the old data may be relevant in assessing threats that occur in the future. Although old reports may be relevant, they are likely not needed to gain insight into a student's past. Schools who use social media monitoring services, as well as the monitoring companies themselves, often contact law enforcement when a report contains serious information. When law enforcement already has an incident report or a copy of the original communication, requiring the school to retain and provide that information is not necessary. Moreover, authorities may petition the social media application or the monitoring company to gain social media information on the student in question.
Another advantage of California's scheme is that it could cultivate conversations about digital citizenship and emotional health among educational entities, families, and students. The notice and opportunity to review requirements increase families' awareness of their student's online presence. Both parents and students may review a student's online statements, consider what they convey to present and future audiences, and reflect on what motivated the threatening speech. Today, a good digital status is considered critical for college admission, job offers, and healthy offline relationships. By providing formal reflective opportunities for students and their families, states would recognize the need to cultivate positive digital citizenship habits in their schools.
Because California only recently adopted this law, it has not faced much controversy. Nonetheless, the law is not without potential criticisms. First, section 49073.6 does not provide an opportunity for parents or students to opt out of a social media monitoring program. This perpetuates a sense of mandatory surveillance and may concern students, families, and other privacy advocates. However, an opt-out provision is not necessary. Social media monitoring services only scan social media accounts and posts that are already publicly available, so students always retain an ability to opt-out by making their accounts private.
One could criticize section 49073.6 for not specifying a private right of action for students or their parents. This concern is not unique, given that educational policies often do not provide private rights of action. Regardless, states who adopt California's model should consider which remedies should be available to students and their families and how each state could incentivize educational entities to comply with these provisions. For instance, states could require local school boards to adopt principles that mirror the values set forth in privacy pledges and adopt an administrative hearing process to investigate allegations of noncompliance. School board policies that profess a student's right to amend information, limit data collection, and access clear privacy practices would help guide discussions about social media monitoring within the context of FERPA and would attach broader concerns associated with social media monitoring, such as chilling speech and unreasonable searches, to local policy. - Positive Effects on the School-Vendor Relationship
States should also adopt California's model to ensure that their school districts enter into protective service agreements with social media monitoring companies. Section 49073.6 mandates that service agreements expressly prohibit the monitoring company from selling or sharing social media information with anyone other than the affected educational entities, the students, and their guardians. The social media monitoring company must destroy the information immediately after the vendor agreement's expiration and destroy information related to a student after that student turns eighteen or moves out of the school district.
These provisions are important for school districts to require in their contracts because they encourage student privacy discussions during contract negotiations. Today, at least two Social Sentinel service agreements do not contain these provisions. Instead, the company limits its discussion of student social media information to a single paragraph in their company-wide privacy policy, which school districts must find through the company's website. Neither the privacy policy nor the individual service agreements require the company to destroy information after a certain period of time. In contrast, Geo Listening now incorporates the provisions necessitated by section 49073.6 into its company-wide privacy policy. This policy provides a mailing address and an email address that students and families may contact to access and amend curated information, and it states that it will destroy all information after the contract's expiration.
Admittedly, Geo Listening's additions are minor. Without communication from school administration, it is unlikely that students and families would know their district's specific social media monitoring vendor or investigate that vendor's website for a privacy policy. Section 49073.6 also does not seem to have influenced Geo Listening's individual service agreements, suggesting that the new state law may not directly influence individual service negotiations. Nonetheless, minor additions to the company-wide privacy policy can help students and their families become aware of their rights under state law. States who adopt laws similar to California's could require vendors to provide contact information directly to students and families or require educational entities to provide students and their families with a copy of the vendor's privacy policy and service agreement.
B. Nondisclosure Under FERPA: The Need for Agency Guidance
As described above, the DOE has not updated FERPA's definition of education record since 1974, and many privacy advocates criticize the law for not explicitly addressing electronic information that relates to students. Although the DOE has updated the definition of an education record to exclude certain documents, it has not addressed electronic student information. These factors could suggest that the DOE intends to exclude social media from FERPA's scope, prefers that Congress legislates the issue, or does not believe it is institutionally equipped to regulate student social media information. Admittedly, it is possible that the DOE is reluctant to regulate student social media. However, the agency has not expressed this sentiment.
Federal agency action would be very helpful to educational entities because it would help ensure that student data are treated uniformly when a student transfers to a school in a new district or a new state. Guidance, specifically, would allow the term "education record" to retain definitional flexibility. Social media is an amorphous concept, and it is difficult to predict what platforms might exist in the future and whether schools and vendors will seek to monitor that information. Guidance could address today's concept of social media, recognize the growing popularity of social media monitoring tools, and be issued more quickly than a definitional update within a larger legislative package or the notice -and-comment rulemaking process. Although guidance would not confer any additional rights on students or families or impose any additional requirements for educational entities, it would help school districts make quick decisions regarding the storage of social media and other electronic student information.
Guidance on FERPA's "education record" provision should clarify that schools may not disclose any information retained from student social media to third parties without parent or guardian consent. School administrators should rarely include social media in a student's education file, so guidance should also include direction on when to destroy and when to retain social media threat reports. It should also provide procedures for students and families to access, amend, and request the destruction of any reports that are retained after a threat assessment. Overall, including student social media in FERPA's definition of education record and providing guidance on the destruction on social media information would help ensure that schools do not disseminate old, inaccurate speech to third parties. This is especially important given the increasing number of people who demand access to student records under public records laws and the increasing confusion that school administrators face when balancing the protection of student electronic information and school safety inquiries.
Admittedly, DOE guidance would not address some of FERPA's other shortcomings. FERPA does not provide a private right of action for students or parents, and the federal government rarely rescinds funds from noncompliant school districts. Also, school districts are not always motivated to comply with FERPA since most of their funding comes from local and state governments. These limitations demonstrate why both state and federal government should address social media monitoring and student privacy: State policies would ensure that school districts address data access, destruction, and remedies. New federal guidance would inject life back into FERPA and help prevent saved social media information from being shared with third parties. Together, new state and federal frameworks would ensure that schools neither store old online student speech, nor use it in the future for purposes other than ensuring safety.
IV. Conclusion
A year later, Parkland community members continue to grieve. School districts continue to reflect on their campus safety policies, with many hoping to catch the next serious threat by contracting with social media monitoring companies. Services like Social Sentinel and Geo Listening are well-intentioned and can play a vital role in school safety. By scanning public social media, monitoring companies help school administrators focus their energy and resources on other internal governance issues.
Admittedly, recordkeeping is only one of several issues raised by social media monitoring, as students' rights to free speech, privacy, and due process are necessarily implicated when schools discipline students for information found in these reports. Student rights advocates must monitor the development and the effectiveness of social media monitoring practices and consider how these practices comport with jurisprudence on students' constitutional rights.
California's model gives states an opportunity to reiterate a student's right to access, amend, and delete data gleaned from their public social media. At the same time, the DOE must clarify FERPA's framework to account for schools' increasing awareness and collection of online student speech. Together, new state and federal initiatives would help ensure that schools destroy social media reports in a timely manner and honor individual privacy as students mature into more responsible digital citizens.
