Trust, Because You Can't Verify:Privacy and Security Hurdles in Education Technology Acquisition Practices

TL;DR

This study explores privacy and security challenges in EdTech acquisition in higher education, highlighting the complexities, vendor accountability issues, and the need for improved protective measures.

Contribution

It provides an empirical analysis of HEI-EdTech vendor dynamics and uncovers key privacy and security hurdles in the acquisition process.

Findings

HEIs face significant privacy and security challenges in EdTech procurement.

Vendors often lack transparency, making accountability difficult for HEIs.

HEIs struggle with visibility and power asymmetry in vendor relationships.

Abstract

The education technology (EdTech) landscape is expanding rapidly in higher education institutes (HEIs). This growth brings enormous complexity. Protecting the extensive data collected by these tools is crucial for HEIs as data breaches and misuses can have dire security and privacy consequences on the data subjects, particularly students, who are often compelled to use these tools. This urges an in-depth understanding of HEI and EdTech vendor dynamics, which is largely understudied. To address this gap, we conducted a semi-structured interview study with 13 participants who are in EdTech leadership roles at seven HEIs. Our study uncovers the EdTech acquisition process in the HEI context, the consideration of security and privacy issues throughout that process, the pain points of HEI personnel in establishing adequate protection mechanisms in service contracts, and their struggle in holding vendors accountable due to a lack of visibility into their system and power-asymmetry, among other reasons. We discuss certain observations about the status quo and conclude with recommendations for HEIs, researchers, and regulatory bodies to improve the situation.