Update– Please see follow-on posts addressing changes since this post:
Piazza is a collaborative question-and-answer platform that is “completely free” and can easily integrate into an institutional LMS, or in some cases replace the LMS. In our interviews for e-Literate TV, we have heard several glowing reviews about student engagement increasing thanks to the nature of the collaborative discussions. But in a case study of the aphorism that “if you’re not paying for the product, you are the product”, there are some significant privacy concerns around student data being sold, and several universities are pushing back.
The source of the dispute is not one of a vendor getting caught selling or sharing data behind the scenes, however. Piazza is quite open about their ongoing usage of student data to generate revenue – in their privacy policy, in their click-through terms of service, and throughout their web site. The source of the dispute is Piazza’s lenient interpretation of privacy concerns and their apparent unwillingness to comply with institutional policies or guidance on student data privacy.
Piazza Careers
In early 2014 Piazza announced a $8 million round of financing led by Khosla Ventures and simultaneously announced Piazza Careers, the service based on selling student data. Corporate recruiters can see student profiles that:
- Target students using rich coursework data exclusive to Piazza
- Engage with students where they spend 3 hours a night
The company claims that their data usage is above board by stating:
The recruiting product is opt-in, so companies can view a student’s profile data only with the student’s explicit approval. We never expose the number or types of questions students are asking or answering.
What does that opt-in look like in practice? Faculty assign usage of the platform, and during setup students see a pre-checked box labeled “Sign me up” for opting into the Careers service.
When students click on “Learn more”, they see pages that show how recruiters use their profile data (which includes courses taken and other information that students enter), how students are performing in various classes, and additional indicators.
Piazza boasts that only 1% of students opt-out of the service and that the majority of these are doctoral students planning to stay in academia. The end result, therefore, is that faculty assign usage of Piazza, often as required course tool. Students sign up and almost none of them take the step to opt-out (and it is opt-out and not opt-in, as users have to take an action to uncheck the box). And thus Piazza sells student profile data, including courses taken and general course performance, to corporate recruiters.
Privacy Policy and Terms of Service
Piazza provides easy-to-find privacy policy and terms of service that describe two levels of disclosure:
- For any users of the service, their full profile is viewable by anyone within the same school. Piazza appears to simply use domain names to check who is in an institution.
- For those students who do not opt-out of the Careers service (the vast majority of them as described above), they agree to provide a subset of their profile and other data to outside companies.
In the description of FERPA compliance, the company states [emphasis added]:
Piazza acknowledges that certain information about the School’s students is contained in records maintained by Piazza and that this information can be confidential by reason of the Family and Educational Rights and Privacy Act of 1974 (20 U.S. C. 1232g) and related School policies unless valid consent is obtained from the School’s students or their legal guardians. Both parties agree to protect these records in accordance with FERPA and School policy.
The interpretation of “valid consent” and “FERPA and School policy” is that Piazza interprets this as availability of the pre-checked box and “Learn More” information as well as the student’s management of their Profile.
There is a real problem, in my opinion, with Piazza claiming FERPA compliance when that regulation is based on the institution and the student. When software applications take in student data, the school is responsible for knowing who has the data, how it is being used, and answering students requests about how their data has been shared.
Institutional Responsibilities and Pushback
Where does that leave the institution – do they have a say in privacy policies and whether these unilateral determinations by Piazza are acceptable? For UC Berkeley, UC Davis, and the University of Toronto, the answer appears to be no, and that situation is not acceptable. In a phone interview Jenn Stringer, Associate CIO for Academic Engagement at Berkeley, described how that school has tried for a long time to come to an agreement with Piazza on the opt-in/opt-out process, but the two parties have not been able to agree. Given the lack of agreement, Stringer pointed out that with the lack of agreement that Piazza is using school logos and trademarks without permission. At this point UC Berkeley is considering what their next step should be.
At UC Davis they have gone further and disapproved usage of Piazza. A page on ed tech tools specifies that the school “engaged Piazza for contract negotiations. Piazza was non-responsive to all attempts at contact.”
At the University of Toronto, the issue led to a letter from the provost office last December to all faculty and students sharing its concerns with the privacy issues, but they did not tell faculty they could not use the service. In a Varsity student newspaper article:
“The company has publicly said that they do not sell student data without the student’s permission,” [Vice Provost] McCahan said. “But their documents, their agreements, the click-through that you do when you create a Piazza account, does not make that clear at all. It’s not clear that there is an opt in.”
Rather, McCahan interprets those documents as allowing the company to “do what they want” with student data. “Anyone they sell it to can do what they want with your data as well,” says McCahan. “It frees up a whole chain of data transfer from any kind of oversight.”
Piazza Response
I made multiple attempts to contact Piazza for an interview or statement with no response. When the subject has come up in public, however, Piazza has provided what I consider misleading answers. In the Varsity article:
The Varsity contacted Piazza Technologies, the parent company that developed the platform, and who denied any wrongdoing is taking place. “We don’t sell student data,” said John Knight, of the Piazza User Operations Team. “We were built on trust and take that trust seriously.”
In a Twitter conversation last year:
We don’t, and will never, sell student data.
In their FERPA statement on the web site:
At Piazza, we take students’ privacy very seriously. Universities have verified our compliance with Family Educational Rights and Privacy Act (FERPA) regulations, and of course we never sell students’ information to third parties.
But they do sell student data, if you include student names, email addresses, courses taken, and networking information as data. I do not get the language parsing that they are using here, and at the least these statements are confusing, if not outright misleading. Consider this video:
https://www.youtube.com/watch?v=CwANnca3gOw
At the end:
Now you or they can logon to view their classes and see a comprehensive list of fellow students organized by class, scan their network to get a list of their strongest classmates that you then pursue.
How can Piazza in any good conscience claim that they “don’t sell student data”? As we see in the video above, providing a list of students based on coursework and faculty ratings is providing student data.
And contrast the claims of the video, specifically around “see a comprehensive list of fellow students”, with this statement from their FERPA page:
With Piazza: Students’ email addresses and course enrollment information are only accessible to instructors of the class.
The shame of the situation is that Piazza appears to be a valuable platform that can enhance student learning, and helping students find jobs is a noble goal as well. But there are responsibilities that come with participation in the ed tech community, and student privacy protection that complies or aligns with institutional policies is part of being a responsible community member in ed tech. As is being straightforward in policies that actually represent practices. I hope that Piazza responds eventually and that there are good answers regarding privacy and cooperating with institutions, even if the explanation is based on sloppy mistakes that can be fixed.
It remains to be seen whether more schools join in the pushback on Piazza’s approach to privacy and selling student data. I have heard of at least two others but did not get permission to use their name in this context. We’ll keep watching.
I will continue to try and get Piazza’s side of the story through an interview or statement, and I’ll update with additional posts as new information comes in.
Update (11/11): Piazza exec contacted me, and we have discussion scheduled for later today.
Rob Abel says
Good coverage on this Phil. We are hearing similar things and this issue is being discussed a lot in IMS as well, in particular the role the integration standards might play in helping institutions address privacy and security of data.
Peter Hess says
I’d like to know this, for starters. Is Piazza so confident (or arrogant) in defense of their business model that they won’t even consider a licensing agreement where they could negotiate a fair price, or are the universities seeking those negotiations unable or unwilling to offer a fair price? There does seem, from the excerpts cited here, to be a fair amount of deception coming from Piazza, but I have to say that when we met with them a year or so ago, their representative was absolutely forthright about how they made their money, and we passed on the opportunity to work with them. Here’s the rub: I’m pretty sure that had they offered us a price for the service, we would have passed on that too, because the process of vetting and justifying contracts is so arduous and because once a few people start to build pedagogy around a resource, it is even more difficult to terminate it than it was to adopt it. It’s a problem that continues to plague even some of the best companies in ed tech. Piazza is trying their own way around it, and, it seems, beginning to run into some major headwinds.
GalleryP says
If memory serves, Piazza originally believed they could monetize their service by licensing it to institutions.
More generally, in ed tech, small companies selling to higher ed institutions face a steep climb as the process is opaque, slow, unlikely to generate significant revenue. Further, as illustrated above, selling customer data for advertising or lead generation, while catnip for consumer services, often violates campus policies or privacy rules.
Phil Hill says
Rob – thanks for note and more power to you. If there is support from standards-based body, I think that would go a long way to improving the emerging ed tech app privacy (and accessibility) issues.
Phil Hill says
Peter – great points that could be a blog post. Nudge, nudge.
As you can tell, I do not know the answer to your question on confident/arrogant vs. universities being difficult. I would point out, however, that much of the disagreement is *not* over pricing. Even for free usage, two universities that I talked to are simply trying to get operating agreement that addresses privacy and data usage. I do not believe (but am not 100% sure) that pricing is even under discussion. This is where I would really like to get Piazza’s input. So I’ll keep trying, but it would help if institutions talking to Piazza would pressure the company to be more forthright and public. Not on the Careers usage (which I agree they seem to be quite forthright), but on the privacy and institutional agreement issues.
Phil Hill says
GallerP – yes, I heard the same thing about previous business models. I think that changed in early 2014 with the funding round and introduction of Piazza Careers. I have no numbers, but the product is getting very good reviews in the HR community.
As for the opaque, difficult process, it will be interesting to keep an eye on the UNC commons approach, as it aims squarely at solving / improving this issue.
https://eliterate.us/unc-learning-technology-commons-easing-the-procurement-problem-with-ngdle/
Ian Linkletter says
Thank you for this post. I’ve done a lot of digging into Piazza’s practices over the past couple of months and this is important work you have done. There are major concerns around student privacy that must be addressed, and I think talking about this in our community is the best way to make this happen.
Here’s my experience:
1) I registered for Piazza in 2014 to evaluate the technology. The Careers product launched later, and I received a “one-time” email in November 2014 about it.
2) In September 2016 I received spam from Piazza Careers. I know for a fact I never opted in. They retroactively opted me in, and I’m angry about that.
3) Piazza sells student data. Not just access to the data, but the data itself.
This page, from the Piazza Careers FAQ, talks about how to export student data (including email address) to an Excel file: http://support.piazzacareers.com/customer/portal/articles/2525878-can-i-message-students-off-your-platform-
This is very troubling if it’s true they retroactively opted people into Piazza Careers. How do you opt out once your data has been exported?
4) You can search for Piazza Careers users from any institution. Try searching for me.
5) I believe the level of personal information Piazza makes available is more than students can reasonably expect, because of how they use metadata. Recruiters using Piazza Careers can search and filter by courses taken (taught by specific instructors), gender (using names analysis), and engagement/performance (based on participation metrics, like how often someone marked your response helpful). Students are being ranked by Piazza’s algorithms and that isn’t right.
Piazza needs to switch to an opt in model, and reverse any retroactive opting in that has been done. Piazza also needs to prevent the export of student information, particularly email addresses. Until they’ve done these two things I can’t recommend anyone use their service and won’t be quiet about it.
Ian Linkletter says
Piazza has broken the “Can I message students off your platform?” link I posted above. I had a feeling this might happen, but not so quickly. Fortunately, I took a screenshot: http://imgur.com/a/rvxII
NoChildExploited$ says
Clearly, there is creative interpretation of FERPA going on that isn’t even clever enough to pass the legal sniff test.
From an HR perspective, having been in talent analytics myself, this is an equal employment opportunity (EEO) nightmare as well. The integrity is lacking in those who leverage such a tool from a recruiting perspective. I ask myself whether the recruiters/end-users of ‘Piazza Careers’ would like to have had the recruiters who reached out to them knowing every detail about their classes, performance, etc.
On an anonymous note, I can state that the experienced conversion rate from a piazza student into a hire is very slim. This could correlate directly to the fact that most students likely don’t realize they’ve been opted in and quickly reject interest in being solicited.
Unsure if Piazza has international universities engaged and I’m not well versed in the international data privacy and rights policies, but I imagine foreign exchange students with citizenship in areas that have such data privacy protection and rights are being violated to an even further extent.
Sadly, I’m not too surprised this is surfacing… it leaves me with a feeling of disdain, though. Corporations are already exploiting our PII in the data brokerage market (think Experian Mosaic household and even individual level data for purchase amongst so much more; https://www.youtube.com/watch?v=_Cty7ctycsI).
Our young adults and children, those who have hardly yet had the chance to experience and decide for themselves how their internet presence will go down in history, are stuck in the middle of an unfair dilemma –
First choice is to use this product, opt out, and hope Piazza actually adheres to and respects that opt out (curious on the process to opt out after you’ve already opted in/ not opted out on first OOBE flow.. how many clicks in the flow to adjust to opt-out, etc.).
The alternate and second choice is one in which unbeknownst to the student, Piazza begins building a profile about their deeply rooted, personal education data that will follow their internet identity for the rest of their lives without a clear path to owning your own educational representation.
P.S. Final note: the “We’re at 1,500 schools in 90 countries Click a school to see classes and professor stories” portion of the homepage now does not let you click through by use of the institution’s logos (worked just recently). Their lack of formal response to address the concerns speaks loudly, but these website changes as complaints come in, are screaming that their only available strategy at this point will be to ask for forgiveness as they clearly did not ask for permission. (and that they know it…)
Phil Hill says
Ian, thanks for update (and screen shot).
NoChild – if that is your real name 🙂 – great observations and update on web site change. I should know a lot more and have new post based on interview later today.
NoChildExploited$ says
Yes Phil, it is indeed my real name, of choice. 🙂
Thank you for your response and further coverage, I will post some of this on your article with Piazza.com’s response. I am happy to hear they have come forward to discuss this with you.
While the response was humble, many questions still stand out for me personally. Inherently, trust is something that will not come back in a swift fashion for such a scenario.
Still missing as far as factual insight into the following:
– Are the contracts they are negotiating with these universities for use of endorsement and logos on piazza.com? Or are these agreements for standards of data privacy and handling? If data privacy and handling, this would be a good time for them to take a full transparency approach and share this to their entire user base publicly.
– Why are they receiving sales requests for a separate product, Piazza Careers to [email protected]? For conflict of interest reasons I would think these would remain separately (maybe a bit nit picky but none the less something to consider). See https://recruiting.piazza.com/packages for this.
– After admitting fault in existing and historical practices with further mention of intent to reform, how will the downstream share of the unintended opt-in data be handled? Can it truly be handled in a way that fully restores them to a state of proper data share procedure?
The following appears to be a common scenario that they have acknowledged occurring:
1. Student required to sign up for piazza.com as a part of their coursework
2. While signing up for a purely academic tool, piazza.com, the student was opted into something of which they weren’t fully informed on that is a not purely academic tool, piazzacareers.com
3. Student coursework interactions and other data was made visible in the application of a not purely educational nature subsequently opening the students up to career marketing in a talent market that has always dreamed of having such close access to student data as soon as possible to gain competitive advantage while they’re impressionable.
The even deeper, non-user facing and underlying challenge with the above scenario is the downstream flow of that data they are selling access to…
Visit: https://recruiting.piazza.com/packages
Read Specifically the below feature that is available in both their “Full Access” and “Diversity Add-On (Limited)” packages:
“Share and discuss candidates across your entire team
Ensure a seamless candidate experience with advanced workflows and ATS integrations.”
An ATS integration means they are sending data to the applicant tracking systems of these companies that are paying for piazzacareers.com. That data is then likely being downloaded into reports and sent to business intelligence systems and data warehouses. How is piazza going to get the data of the people who were opted in through an unethical process out of all of those downstream systems that they allow the customers of piazzacareers.com to integrate with? I can confidently say, it won’t happen.
Please also visit: https://recruiting.piazza.com/BestPractices
On the final page, page number 14, it explains how to “Keep your activity on the platform and outside of it, in sync.”
This page further states:
“We’ve seen companies have numerous data sources – their ATS, digital resume books, paper resumes collected from career fairs, and applications from other sources or job boards. Our goal is to help streamline your workflow as best as possible.
Export is enabled from folders. Whether they’re students you already interacted with through the platform, or students you intend to message off the platform, add them to folders and with a simple click, export the folder of students to get their names, emails, academic information, and a zip file of resumes.”
These are just some initial thoughts as I think more about the implications here. I find myself very humbly aware of my prior comment’s statement of “Their lack of formal response to address the concerns speaks loudly, but these website changes as complaints come in, are screaming that their only available strategy at this point will be to ask for forgiveness as they clearly did not ask for permission. (and that they know it…)”.
One thing further I will be looking into is some of the things noticed in the Best Practices catalog. Such as on page 13 – I’m unsure if it is inline with Equal Employment Opportunities (EEO) to sell the ability to recruiting teams to “Connect with other minority groups – African Americans, LGBTQ, first-generation college students, and more.” and “Run targeted searches using our diversity filters.” I will take a bit of a further look into the extent to which demographic consideration is legal within the recruiting process.
NoChildExploited$ says
In Piazza’s response article, Pooja, Piazza’s CEO, stated, Piazza has “ongoing engagement with Stanford”. It appears Piazza was served with a cease and desist letter from Stanford University. Piazza no longer has Stanford’s logo on their website, and any testimonials provided from Stanford professors no longer display the Stanford name or logo next to the professor’s testimonial.