Applying for a federal student loan should be safe for visitors to the U.S. Department of Education (DOE) website studentaid.gov, and in no way should their personally identifiable information be shared, without their knowledge or consent, with corporate entities that could use it to derive content for targeted marketing.
As early as January 2022, the U.S. Department of Education sent personally identifiable information from website visitors, including their last names, countries of residence, phone numbers, and email addresses to Facebook, even if the visitor did not have a Facebook account, via its use of Meta Pixel. We must take measures to protect the private information of students and educators from Big Tech.
This data is valuable to higher education providers. Undergraduate enrollment fell 3.6 percent in 2020 and 3.1 percent in 2021, representing a loss of around a million students. During the past decade, undergraduate enrollment has declined by 13 percent.
To exacerbate the problem, the number of high school graduates is projected to decrease from 2027 to 2037. Those colleges without large endowments will struggle to survive and there is fierce competition for students, particularly those willing and able to pay full tuition.
Knowing which students are likely to take out federal student loans is a competitive market advantage. With fewer teenagers signing up for accounts and the company now being subject to new privacy rules that allow users to opt out of ad-tracking -- and with dropping share prices -- Facebook faces greater incentives to use that data.
As an information security practitioner supporting the federal government for the past 20 years, I know a thing or two about information security.
When designing an information system, one of the first actions to perform is a privacy threshold assessment (PTA), which assesses whether the data types collected, stored, processed, and transmitted contain personally identifiable information.
The E-Government Act of 2002 requires the Department of Education to perform a Privacy Impact Assessment (PIA) to demonstrate that its systems incorporate privacy protections.
The DOE does not seem to have conducted an analysis of how information in identifiable form is collected, stored, protected, shared, and managed on its website, which collected information on visitors before they had even logged on to StudentAid.gov.
The Department of Education must also comply with the Federal Information Security Management Act of 2014 and is required to follow the Risk Management Framework, whose best practices are promulgated by the National Institute of Standards and Technology. Just by following the basics, the Department of Education should have directed the system owner of the application to implement security controls to protect private information.
Education is big business in the United States, where the government offers more than $100 billion in funds for postsecondary education alone. When including K-12, Americans spend more than $1.1 trillion on education, more than 7 percent of the GDP.
Major tech companies such as Facebook, Amazon, and Google all see opportunities in this market. Amazon has been criticized for using public schools as a potential source of cheap employee training by influencing career and technical education courses taught at a high school in San Bernardino, Calif. Google for Education provides collaborative learning tools for students. Facebook’s "Meta for Education" markets Facebook tools and programs in both the K-12 and higher education pipelines.
What many online users fail to realize when it comes to cyber hygiene and safety is that when an online service is free, the user is the product they are after.
When Facebook made its Meta Pixel code available for free, it was to disseminate a product that would track user activity on websites and send personally identifiable information back to Facebook to enable the company to develop derivative products, develop targeted advertisements, and potentially share that information with third parties.
Several months of data were collected by Facebook when student college acceptance letters began coming in. Facebook now has information regarding millions of students who are now college-bound, and can correlate that data with what it already has on users who have a Facebook account, as well as on non-Facebook users, on whom it also collects and tracks information.
The company would not comment to confirm if the data collected made its way into Facebook algorithms. Office of Management and Budget Memorandum-17-06 requires the Dept. of Education to provide a link to the Privacy Impact Assessment, if one was ever done for the system. The public has a right to know the full extent of the privacy breach.
Officials at the Department of Education must be held accountable for their actions, or lack thereof. Measures must be taken to protect the information of applicants applying for federal student loans as well as to ensure that Facebook has purged the information from its algorithms.
Personal privacy is an American value we hold dear. It gives us power, freedom, and protection. What others do not know about you, they cannot target for ruin.
Dr. Harry Jackson is a parent advocate at Parents Defending Education. He is a National Intelligence University assistant professor and spent 20 years as an information security practitioner supporting the federal government.