Update: Please see follow-on posts addressing changes since this post:
Piazza is a collaborative question-and-answer platform that is “completely free” and can easily integrate into an institutional LMS, or in some cases replace the LMS. In our interviews for e-Literate TV, we have heard several glowing reviews about student engagement increasing thanks to the nature of the collaborative discussions. But in a case study of the aphorism that “if you’re not paying for the product, you are the product”, there are some significant privacy concerns around student data being sold, and several universities are pushing back.
In early 2014 Piazza announced an $8 million round of financing led by Khosla Ventures and simultaneously announced Piazza Careers, the service based on selling student data. Corporate recruiters can see student profiles that:
- Target students using rich coursework data exclusive to Piazza
- Engage with students where they spend 3 hours a night
The company claims that their data usage is above board by stating:
The recruiting product is opt-in, so companies can view a student’s profile data only with the student’s explicit approval. We never expose the number or types of questions students are asking or answering.
What does that opt-in look like in practice? Faculty assign usage of the platform, and during setup students see a pre-checked box labeled "Sign me up" for opting into the Careers service.
When students click on “Learn more”, they see pages that show how recruiters use their profile data (which includes courses taken and other information that students enter), how students are performing in various classes, and additional indicators.
Piazza boasts that only 1% of students opt out of the service and that the majority of these are doctoral students planning to stay in academia. The end result, therefore, is that faculty assign usage of Piazza, often as a required course tool. Students sign up and almost none of them take the step to opt out (and it is opt-out and not opt-in, as users have to take an action to uncheck the box). And thus Piazza sells student profile data, including courses taken and general course performance, to corporate recruiters.
- For any users of the service, their full profile is viewable by anyone within the same school. Piazza appears to simply use domain names to check who is in an institution.
- Students who do not opt out of the Careers service (the vast majority of them, as described above) agree to provide a subset of their profile and other data to outside companies.
In the description of FERPA compliance, the company states [emphasis added]:
Piazza acknowledges that certain information about the School's students is contained in records maintained by Piazza and that this information can be confidential by reason of the Family and Educational Rights and Privacy Act of 1974 (20 U.S. C. 1232g) and related School policies unless valid consent is obtained from the School’s students or their legal guardians. Both parties agree to protect these records in accordance with FERPA and School policy.
Piazza interprets “valid consent” and “FERPA and School policy” as being met by the availability of the pre-checked box and the “Learn More” information, as well as the student’s management of their Profile.
There is a real problem, in my opinion, with Piazza claiming FERPA compliance when that regulation is based on the institution and the student. When software applications take in student data, the school is responsible for knowing who has the data and how it is being used, and for answering students’ requests about how their data has been shared.
Institutional Responsibilities and Pushback
Where does that leave the institution - do they have a say in privacy policies and whether these unilateral determinations by Piazza are acceptable? For UC Berkeley, UC Davis, and the University of Toronto, the answer appears to be no, and that situation is not acceptable. In a phone interview Jenn Stringer, Associate CIO for Academic Engagement at Berkeley, described how that school has tried for a long time to come to an agreement with Piazza on the opt-in/opt-out process, but the two parties have not been able to agree. Given the lack of agreement, Stringer pointed out that Piazza is using school logos and trademarks without permission. At this point UC Berkeley is considering what their next step should be.
At UC Davis they have gone further and disapproved usage of Piazza. A page on ed tech tools specifies that the school "engaged Piazza for contract negotiations. Piazza was non-responsive to all attempts at contact."
At the University of Toronto, the issue led to a letter from the provost’s office last December to all faculty and students sharing its concerns with the privacy issues, but they did not tell faculty they could not use the service. In a Varsity student newspaper article:
“The company has publicly said that they do not sell student data without the student’s permission,” [Vice Provost] McCahan said. “But their documents, their agreements, the click-through that you do when you create a Piazza account, does not make that clear at all. It’s not clear that there is an opt in.”
Rather, McCahan interprets those documents as allowing the company to “do what they want” with student data. “Anyone they sell it to can do what they want with your data as well,” says McCahan. “It frees up a whole chain of data transfer from any kind of oversight.”
I made multiple attempts to contact Piazza for an interview or statement with no response. When the subject has come up in public, however, Piazza has provided what I consider misleading answers. In the Varsity article:
The Varsity contacted Piazza Technologies, the parent company that developed the platform, and who denied any wrongdoing is taking place. “We don’t sell student data,” said John Knight, of the Piazza User Operations Team. “We were built on trust and take that trust seriously.”
In a Twitter conversation last year:
We don't, and will never, sell student data.
In their FERPA statement on the web site:
At Piazza, we take students' privacy very seriously. Universities have verified our compliance with Family Educational Rights and Privacy Act (FERPA) regulations, and of course we never sell students' information to third parties.
But they do sell student data, if you include student names, email addresses, courses taken, and networking information as data. I do not get the language parsing that they are using here, and at the least these statements are confusing, if not outright misleading. Consider this video:
At the end:
Now you or they can logon to view their classes and see a comprehensive list of fellow students organized by class, scan their network to get a list of their strongest classmates that you then pursue.
How can Piazza in any good conscience claim that they "don’t sell student data"? As we see in the video above, providing a list of students based on coursework and faculty ratings is providing student data.
And contrast the claims of the video, specifically around "see a comprehensive list of fellow students", with this statement from their FERPA page:
With Piazza: Students’ email addresses and course enrollment information are only accessible to instructors of the class.
The shame of the situation is that Piazza appears to be a valuable platform that can enhance student learning, and helping students find jobs is a noble goal as well. But there are responsibilities that come with participation in the ed tech community, and student privacy protection that complies or aligns with institutional policies is part of being a responsible community member in ed tech. As is being straightforward in policies that actually represent practices. I hope that Piazza responds eventually and that there are good answers regarding privacy and cooperating with institutions, even if the explanation is based on sloppy mistakes that can be fixed.
It remains to be seen whether more schools join in the pushback on Piazza's approach to privacy and selling student data. I have heard of at least two others but did not get permission to use their name in this context. We'll keep watching.
I will continue to try and get Piazza’s side of the story through an interview or statement, and I’ll update with additional posts as new information comes in.
Update (11/11): A Piazza exec contacted me, and we have a discussion scheduled for later today.