New research has found that 96 percent of apps used in K-12 schools send student data to third parties, including advertisers.

Nonprofit organization, Internet Safety Labs (ISL) released new research, which found that K-12 apps sending student data to third parties are typically done without the knowledge or consent of the users or the schools. As part of the research, ISL found that 82 percent of schools provide personal computing devices to students. ISL argues that this means schools “need to have much more robust IT, cybersecurity, and overall technology support capabilities to keep students safe while using technology.”

On top of so many K-12 apps sharing student data, the report also found that 28 percent of apps used by schools were non-education specific, such as The New York Times, YouTube, or Spotify, effectively providing no limits or guardrails for children.

Concerningly, 79 percent of apps accessed location information based on permission analysis. More than half – 52 percent – of apps accessed calendar and contact information.

Additionally, 23 percent of apps exposed kids to digital ads. ISL notes that this exposure creates a risk that personal student data is being sent into advertising networks, with no way for the public to inspect where it goes or how it’s used. Additionally, more than half of those apps use retargeting ads. ISL further notes that this means even more personal student data is being sent to advertising networks.

ISL also looked at technologies that schools are recommending, but not required, to students. 40 percent of schools examined by ISL provide a list of recommended technologies with an average of 125 technologies listed per school. For schools that do engage in some type of vetting, this increased to 172 technologies per school. At school, the event recommended 1,1411 technologies. “Schools are no doubt trying to be helpful to students by recommended technology, but in this case, given the poor scores of apps in this research, more isn’t better,” ISL concludes.

In terms of who is dominating the K-12 app market, ISL found that 68 percent of apps were observed sending data to Google and 38 percent of apps sent data to Apple.

ISL offered recommendations for both schools and local educational agencies (ELAs) and EdTech developers.

Schools and LEAs need:

  • Substantial additional support, including financial, to better navigate the increasingly complicated and unsafe EdTech.
  • Better awareness that app publishers are behaving in an unsafe manner and exercise caution about adopting new technologies. Until there is better safety culture, schools and LEAs need to take a “less is more” approach.

EdTech developers must:

  • Join the conversation on software product safety for students.
  • Make custom apps safer for students. “Being both mandatory and commissioned directly by schools, these should be among the safest apps for students, but that isn’t the case,” ISL says in the report. Promisingly, ISL notes that a handful of key developers provide most of the custom apps to schools across the country, so they should be able to readily make the necessary safety improvements.
  • Remove all advertising from EdTech apps recommended or required by public schools.
  • Use unique domains when the developer also owns advertising-related technologies. ISL uses Google to provide an example. ISL argues Google should create a new domain, such as, for use in their products that will be used by K12 students.
Read More About
Kate Polit
Kate Polit
Kate Polit is MeriTalk SLG's Assistant Copy & Production Editor, covering Cybersecurity, Education, Homeland Security, Veterans Affairs