…Facebook, Google all got your kids data
…Education Ministry ran away from responding-report
Has your child ever used the Ministry of Education EdTech elearning during the pandemic? Millions of Malawian children data is floating on the world wide Web, thanks to the carelessness of the Ministry of Education.
The Ministry of Education in Malawi abused rights of children by intruding their privacy with its education technology e-learning, a global human rights body has claimed.
Human Rights Watch has reported Malawi to the United Nations in submission to the 72nd session to the United Nations Committee on Economic, Social and Cultural Rights regarding the country’s compliance with the International Covenant on Economic, Social and Cultural Rights.
The report, says the Ministry of Education did not comment when asked, which is typical of Malawi Government departments who are reactive only when such damaging allegations are put in global platforms.
“In a global investigation of education technology (EdTech) products endorsed by the world’s most populous countries for children’s education during the pandemic, Human Rights Watch found that the Malawian government violated children’s right to privacy and other rights,” claims the report.
Human Rights Watch analyzed Notesmaster, an EdTech website that was used by Malawi’s Education Ministry as its primary means of delivering online education to secondary school students during the pandemic.
The website which was developed in partnership with Notesmaster, its parent company of the same name. As most Malawian children were not likely to have access to affordable, reliable internet, access to the website was provided to students at no cost through a partnership with Telekom Networks Malawi, a major telecommunications provider in the country.
“Notesmaster was found surveilling children not only within its online learning platform, but also tracking them across the internet, outside of school hours, and deep into their private lives,” charges Human Rights Watch which could open a pandora of legal cases against the providers.
Human Rights Watch says it observed that 14 ad trackers and 15 third-party cookies sending children’s data to a combined 16 advertising technology (AdTech) companies.
“In most instances, Notesmaster transmitted this data to domains owned by these companies that are intended to receive and process incoming data for commercial or advertising purposes,” claims the report.
Among these, Human Rights Watch adds that it detected Notesmaster transmitting children’s data to Oracle’s BlueKai Data Management Platform, a data broker that has amassed one of the world’s largest troves of data on people online.
“In June 2020, TechCrunch reported that BlueKai had left one of its servers unprotected, spilling data on billions of records on people—names, home addresses, other personally identifiable data—out onto the open web for anyone to find, resulting in one of the most significant data security incidents of 2020. Human Rights Watch detected Notesmaster sending children’s data to Oracle’s BlueKai, both before and after the reported data breach,” reads the chilling report.
The Investigator Magazine is analysing the data of Malawian children and will report accordingly.
The Human Rights Watch further charges that Notesmaster collected and sent children’s data to Meta (formerly Facebook) through Facebook Pixel, an AdTech tool that could not only be used by Notesmaster to later target its child users with ads on Facebook and Instagram, but also allowed Meta to retain and use this data for its own advertising purposes.
It also says Notesmaster sent children’s data to Google’s advertising platform, and through its use of Google Analytics’ “remarketing audiences,” an AdTech tool that allowed Notesmaster to target its users with ads across the internet.
“In doing so, Notesmaster permitted these companies the opportunity to stitch together and analyze the data they received to guess at a child’s personal characteristics and interests (“profiling”), and to predict what a child might do next and how they might be influenced. Access to these insights could then be sold to anyone—advertisers, data brokers, and others—who sought to target a defined group of people with similar characteristics online,” claims the human rights body.
The body warns that, “Profiling and targeting children on the basis of their actual or inferred characteristics not only infringes on their privacy, but also risks abusing or violating their other rights, particularly when this information is used to anticipate and guide them toward outcomes that are harmful or not in their best interest.”
Human Rights Watch says the Committee on the Rights of the Child has warned that such processing and use of children’s data “may result in violations or abuses of children’s rights,”and has called on states to “prohibit by law the profiling or targeting of children of any age for commercial purposes on the basis of a digital record of their actual or inferred characteristics, including group or collective data, targeting by association or affinity profiling.”
Notesmaster, claims Human Rights Watch also deployed “key logging,” a particularly invasive procedure that surreptitiously captures personal information that people enter on forms before they hit submit, much less consent. Human Rights Watch detected Notesmaster using key logging to send child users’ names, usernames, passwords, and other information to YouTube.
Children were compelled to give up their privacy for their learning. Human Rights Watch finds that these tracking techniques, designed for advertising and commercial purposes, are neither proportionate nor necessary for Notesmaster to function or to deliver educational content. Their use on children in an educational setting arbitrarily interferes with children’s right to privacy.
Children who relied on Notesmaster as their primary source of education during school closures could not reasonably object to such surveillance without opting out of compulsory education and giving up on formal learning during the pandemic. Notesmaster did not allow children to decline to be tracked. As these tracking technologies were invisible to the user, children had no reasonably practical way of knowing the existence and extent of these data practices, much less the impacts on their rights.
Human Rights Watch did not find evidence that Malawi’s Education Ministry took measures to prevent or mitigate children’s rights abuses through Notemaster’s data practices, or that the Education Ministry checked whether Notesmaster was safe for children to use. As a result, children whose families were able to afford access to the internet and connected devices, or who made hard sacrifices in order to do so, were exposed to the risks of misuse or exploitation of their data.
The Education Ministry did not respond to Human Rights Watch’s request for comment, denying the country an opportunity to give the nations version of the events.
HRW says Notesmaster denied that it shares children’s data with third-party advertising companies and stated that it does not display advertising on its site.
In its response, Oracle confirmed the data leak, and said that an investigation it conducted in 2020 did not uncover evidence that data relating to children were involved. Oracle stated that any receipt of data related to children would be a violation of Oracle’s agreements and policy, and did not address whether it had nonetheless received child users’ data from six EdTech websites, including Notesmaster. The company did not address whether data received from Notesmaster were exposed as part of the 2020 security breach, and whether it had informed Notesmaster or the other EdTech websites about the security breach.
Meta did not address whether it was receiving children’s user data from Notesmaster and said that it was their customers’ responsibility to comply with their policies and applicable laws that prohibit the collection of children’s data.
The HRW has asked Malawi Government the following questions;
- Does the government have plans to amend its proposed draft data protection law to incorporate comprehensive protections for children?
- What recourse or remedy does the government provide, or is planning to provide, to children who have experienced infringements of their rights as a result of their use of Notesmaster and whose data remain at risk of misuse and exploitation?
Human Rights Watch recommends that the Committee call on the government of Malawi to:
- Amend and adopt its proposed draft data protection law to incorporate comprehensive protections for children. Such protections should require that any processing of children’s data meet strict requirements of necessity and proportionality, regardless of consent.
- Provide remedies for children whose data were collected through their use of Notesmaster. To do so, the Education Ministry should:
- Require Notesmaster to immediately remove all ad tracking technologies from its website, and delete any children’s data collected during the pandemic.
- Immediately notify and guide affected schools, teachers, parents, and children to prevent further collection and misuse of children’s data.
- Require AdTech companies to identify and immediately delete any children’s data they received from Notesmaster during the pandemic.
- Ensure that any services that are endorsed or procured to deliver online education are safe for children. In coordination with data protection authorities and other relevant institutions, the Education Ministry should:
- Require all actors providing digital educational services to children to identify, prevent, and mitigate negative impacts on children’s rights, including across their business relationships and global operations.
- Require child data protection impact assessments of any educational technology provider seeking public investment, procurement, or endorsement.
- Ensure that public and private educational institutions enter into written contracts with EdTech providers that include protections for children’s data.
- Define and provide special protections for categories of sensitive personal data that should never be collected from children in educational settings.
