Parent Investigates Edmodo, Finds Data Security Lacking

With objective analysis of student achievement becoming more widely embraced by school districts and states, individual student data is a critical issue. Many schools collect massive amounts of data and then use it not only to assess student outcomes and teacher effectiveness, but also to draw conclusions about how students learn best. Data, however useful, can bring unintended consequences.

Sharing this information across district and state lines seems only logical, and with that in mind, a number of districts in California have signed up for Edmodo – part free classroom management software, part social network for teachers and educators – which brings together millions of instructors and all the data they collect from their students.

While Edmodo provides a number of valuable tools to its members, one thing it lacks, according to Tony Porterfield, whose sons are enrolled in one of the districts using the software, is a solid understanding of cyber security. According to Natasha Singer of The New York Times, when Porterfield probed how well the site is set up to protect information about its users, he constantly came across problems that, in the wrong hands, would result in massive breaches and data losses.

Mr. Porterfield, an engineer at Cisco Systems, examined Edmodo’s data security practices by registering himself on the site as a fictional home-school teacher. As he went about creating imaginary students — complete with cartoon avatars — for his fictitious class, however, he noticed that Edmodo did not encrypt user sessions using a standard encryption protocol called Secure Sockets Layer.

Using a rather rudimentary networking toolkit, Porterfield was able to monitor the activities of a student profile he created. Although the company later claimed that there was no evidence that the software had ever been attacked in this way, Porterfield still took his concerns to the district.

This isn’t the first time Porterfield has pointed out the security shortcomings of a site that handles personal information. He performed a similar analysis of the image site Shutterfly last year, finding that the site didn’t use encryption everywhere, a step that would eliminate its vulnerability to an exploit.

“It’s not good to trade performance for security when you are talking about people’s personal information,” says Michael Clarkson, an assistant professor of computer science at George Washington University who teaches an annual course on software security. “I can’t think of a good reason not to keep the entire session encrypted.”