How does one of the world’s most well-funded and successful education technology companies go the way of the dodo? For inBloom, much of the consternation and backlash and, ultimately, the death knell stemmed from concerns about children’s privacy. But inBloom’s story does not reside in solitude on a remote and distant island; rather, there are lessons that can be gleaned from their shuttering of doors that should inform plenty of other technology companies, privacy professionals, software and app developers, start-ups, legislators and regulators.
The story of inBloom brings together hazy lines separating the data controller from the data processor, the double-edged sword of transparency and the consequential, post-inBloom equity gap for less well-funded schools across the country.
These were just some of the many issues discussed last week at the IAPP Privacy Academy and CSA Congress in San Jose, CA. Panelists during “Educating the Educators: Privacy Lessons” passionately examined the backstory, rigors, complexities and lessons from this well-publicized incident of the company’s unraveling. Moderated by IAPP VP of Research and Education Omer Tene, the session included insight from inBloom Chief Privacy Officer Virginia Bartlett, CIPP/US, CIPT, and FunnyMonkey Founder and edtech blogger Bill Fitzgerald.
InBloom was a cloud-based, open-sourced platform that helped solve tech and software interoperability issues for school districts, schools, teachers, students and parents, said Bartlett. “This was a back-end solution,” she added, “we had no access to student data, no access to the encryption keys. This could be a cloud-based storage solution or an operator model.”
Tene suggested that inBloom was a data processor, not controller, but was blamed as though it was a controller.
“In most cases,” Bartlett added, “the data controller is an elected official.” Still, inBloom was constantly answering questions from parents, Bartlett said, adding, “even as we couldn’t see the data.”
Bartlett said, “One thing we heard frequently was: ‘What type of information was inBloom storing on me? I want access.’ That is absolutely their right, but who is responsible for making that information available?”
“It’s a huge question,” Fitzgerald pointed out.
Responsibility varies district by district, state by state and by regional authorities, he said.
“The data flow goes from student to teacher to school to district, which then stores student data for every kid in school. Plus classrooms integrate with different apps which have their own data trail, some covered by FERPA but others not. Then beyond the district level, data then goes to regional education agencies that provide tech assistance,” Fitzgerald explained. “Then it flows to the state for accountability reporting.” But that’s not all, he said. States then go to the federal level for accountability “and there’s data storage at each level. So you have warehousing and security needs at multiple levels, so it gets very complex.”
From the start, inBloom had tried to be up front about the complexity and nature of its services. So it is perhaps ironic that in an age when transparency is presented as a silver bullet, the beginning of the company’s downfall came as a result of that very transparency. Early on, inBloom disclosed which states it had closed deals with as well as the nature and limits of its privacy and security obligations. Consequently, in a March 3 report for Reuters, reporter Stephanie Simon wrote, “While inBloom pledges to guard the data tightly, its own privacy policy states that it ‘cannot guarantee the security of the information stored … or that the information will not be intercepted when it is transmitted'.”
Referring to companies from every sector of the economy, Bartlett said, “We all know we can’t guarantee security … We were just transparent about it.
Fitzgerald went further, saying perhaps the company was too transparent. “You can learn a lot about an organization’s mission, intent, growth and strategy through its privacy policy. It’s incredibly revealing. What inBloom did was good," providing "useful and accurate information for other people already in the space.” But, he said, “there wasn’t the scaffolding in place” to help people understand what information was and was not there.
It didn't help inBloom that critics associated it with the roll out of the controversial Common Core education policy. Fitzgerald mentioned this was, in part, due to the funding trifecta of Gates, Carnegie and Joel Klein, all staunch Common Core supporters.
Bartlett, who joined inBloom after the “firestorm” had already started, said, “The tragedy of what we did was we became less and less transparent” because of the outcry. “As a CPO, that really hurt. We wanted to be transparent.”
She also said that what happened to inBloom is not unique to the tech sector. “There is a moment when public understanding and privacy policies need to catch up with the technology,” Bartlett said. Clearly, this was one such case.
Bartlett discussed her personal relationship with edtech. “I have adopted children with special needs,” she said. “They have tons of data and I have no way to track that data or who’s handling it. I think there is a lifetime of opportunity here for technology engineers to design for districts and partners to design data flows and access.” She added, “It’s a leap of faith trusting all these personalized learning services.” But, she pointed out, the benefits are significant.
There’s irony here too, as Tene pointed out, since the New York law that eventually expelled inBloom from the state prohibited the provision of data dashboards by vendors.
And the loss of such benefits will be felt more acutely by lesser-funded schools, Tene said: “There’s an equity gap. Richer schools have already acquired technological solutions, and inBloom was going to provide lesser-funded schools with such technology.” This was one demonstrable loss for communities across the country.
Fitzgerald said inBloom could have done things differently. “If you’re serious about an open-sourced component to your services,” he said, “reach out to developers, prepare explanations and talk to your clients.” He noted that inBloom’s clients were the school districts and not the parents who were complaining. “The most affected were the kids and parents,” he said, so they should have gotten out there and talked with them and committed to some market research. “Have a PR team that is versed in quick reaction with tools that can counter misinformation.”
He was stunned by inBloom’s silence during the height of the campaign against it, and that vacuum, he pointed out, was filled by others. “There were things they did wrong,” he added, “but the things they’re getting criticized for are not wrong.”
Bartlett continued, “Having been in the firing line, it’s hard for me to not say that inBloom did everything right. There are things inBloom could have done better and there are lessons learned that all of us can take back.”
Ultimately, she said, “We need to design to the sense of the loss of control of data. The right people need to be in the room when designing something.”
Advice, perhaps, that can be taken by any organization designing new products and services.