Data Security Gaps in an Industry Student Privacy Pledge

Of the approximately 60 companies that have signed the student privacy pledge and have websites with logins for students, teachers or parents, about one-fifth of them did not use basic encryption -- called Secure Socket Layer or SSL -- during the login process, according to an investigation by Tony Porterfield, a software engineer in Los Altos (CA). While these vulnerabilities do not appear to have been exploited by hackers, cybersecurity experts said they potentially exposed student, parent and teacher accounts to snooping or hijacking by unauthorized users. Although the pledge does not require specific security measures, it does require the companies that sign to use security practices appropriate for the kinds of services they provide and the sensitivity of the student data involved.