For the last few weeks, I've been part of a team looking at data collection, data sharing, privacy policies, and consent. It's a pretty regular part of my work; I've been doing it for a while.

The latest site we looked at was the College Board.

Thread.
In our research we observed some things that probably shouldn't have been happening.

For example, the terms of the College Board say that usernames are Personally Identifiable Information, and that they don't share PII with third parties for advertising purposes.
We ran some tests in early July, and reran them through July. We consistently saw usernames (which the College Board defines as PII) shipped off to multiple third parties, including Google, Facebook, Snapchat, Yahoo, and Adobe.
In addition to sending PII (the username), we also observed student activity on the College Board site getting shared with third parties. This sharing was tied to a unique identifier that the College Board allowed to be set and read on the College Board site.
On July 28, we re-ran tests on the College Board site, and lo and behold, the only third party vendor still getting student usernames was Adobe (as part of College Board's use of Adobe Marketing Cloud Device Co-op). https://docs.adobe.com/content/help/en/device-co-op/using/about/overview.html
This slight improvement brings the College Board closer to not sharing usernames, but it doesn't address the fact that students (or more precisely, student browsers) are identified by multiple unique identifiers when they use the College Board site.
One of the biggest myths people collecting and exploiting data try to push: unique identifiers (or hashed values, or anonymized data) protect privacy, by default.

This myth sounds good, but it's a lie.
A computer doesn't care if my name is "Bill" or "0xcg35vG" as long as I'm called that consistently.

Unique IDs are confusing to humans, but are great for machines.

And on the CB site - like most sites - humans are tethered to multiple unique IDs set by multiple third parties.
But back to the College Board site. When a student adds a college to their list of schools they might be interested in?

This is what the student sees.
This is what Google, Facebook, Yahoo, and Microsoft see. The student activity is tied to a unique identifier connected to that student's browser.
When a student leaves the College Board site, these same third party vendors (Facebook, Google, etc) continue to use these cookies for tracking -- and, potentially, for other advertising purposes.

For example, this is the Facebook cookie being shared on Huffington Post.
Of course, because many adtech vendors offer both analytics and advertising services, it is difficult to tell exactly what is happening just from observed traffic.

It's worth highlighting that data collected for "analytics" looks pretty similar to data collected for advertising.
But I digress. Here is the cookie value set in a student browser on the College Board being read as an ad for Grammarly is placed.
And here's what it looks like for a cash management app.
These ads are placed on third party sites - i.e., NOT the College Board site. But the tracking cookies read on these third party sites are the same tracking cookies set and accessed on the College Board site.
But the tl/dr version:

Unique identifiers are the thing to watch, and they matter more than PII.

PII has some very limited legal protection, but it's often used as a red herring. Unique IDs make PII irrelevant.

/fin
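An added example, not part of the original thread or the team's own tooling: one way to audit captured browser traffic for the two behaviors described above, a username sent to third parties (plain or hashed) and one cookie value read by the same third party on more than one site. The hostnames, the username `jdoe2024`, and the request records are constructed; third-party detection here is a simple hostname suffix check, which is an assumption.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample traffic: (site the user was on, request URL, cookies sent).
REQUESTS = [
    ("school.example", "https://school.example/list?add=college-42", {"session": "s1"}),
    ("school.example", "https://tracker-a.example/ev?u=jdoe2024&act=add_college", {"tid": "0xcg35vG"}),
    ("school.example", "https://tracker-b.example/px?h=" + hashlib.sha256(b"jdoe2024").hexdigest(), {"bid": "b-991"}),
    ("news.example", "https://tracker-a.example/ad?slot=top", {"tid": "0xcg35vG"}),
    ("news.example", "https://cdn.example/lib.js", {}),
]

def host(url):
    return urlsplit(url).hostname or ""

def is_third_party(site, url):
    h = host(url)
    return not (h == site or h.endswith("." + site))

def username_forms(username):
    """Plain username plus common hex digests of it; hashing does not hide it."""
    raw = username.lower().encode()
    forms = {username.lower(): "plain"}
    for algo in ("md5", "sha1", "sha256"):
        forms[hashlib.new(algo, raw).hexdigest()] = algo
    return forms

def find_username_leaks(requests, username):
    """Return (third-party host, parameter, form) for each parameter carrying the username."""
    forms = username_forms(username)
    leaks = []
    for site, url, _cookies in requests:
        if not is_third_party(site, url):
            continue
        for key, value in parse_qsl(urlsplit(url).query):
            if value.lower() in forms:
                leaks.append((host(url), key, forms[value.lower()]))
    return leaks

def cross_site_ids(requests):
    """Map (third-party host, cookie value) -> sites, for IDs seen on more than one site."""
    seen = defaultdict(set)
    for site, url, cookies in requests:
        if is_third_party(site, url):
            for value in cookies.values():
                seen[(host(url), value)].add(site)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}
```

On the constructed data, the hashed username is flagged the same way as the plain one, and the `0xcg35vG` cookie links activity on both sites without any PII being present.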
You can follow @funnymonkey.