Clever Engineering Blog — Always a Student

Privacy and Security in Clever Messaging

By Ulzii Otgonbaatar on

Designing and engineering a messaging system that is used by 6.8 million students and half a million teachers in K-12 schools is no easy feat. While the typical threats against online systems from unauthorized and unauthenticated access to sensitive information remain, the school environment compounds privacy challenges as additional entities such as guardians, co-teachers, and service providers all play a role.

The challenges arise in implementing a strict security mechanism to ensure sensitive data and messages between students and teachers are encrypted and protected, while maintaining that only authorized personnel, whether teachers, guardians, or co-teachers, can access messages. In this paper, we discuss privacy challenges we faced while creating the Clever Messaging product, and the security, privacy, and technical aspects of three key product features to address those challenges.

Figure 1: Overview of how a teacher logs in to use Clever Messaging.

Section-based Announcements

One of the most popular feature requests from teachers is messaging multiple students at once. Thus, in Clever Messaging, teachers, and only teachers, can create announcements to their sections, and they can make as many announcements as they need. If a student replies to an announcement, the teacher can respond in a one-on-one manner.

When students receive messages from their teachers, it is of the utmost importance that those messages be genuine and authentic. An unauthorized individual gaining access to a teacher account and creating an announcement that reaches many students could cause real harm, including the spread of Child Sexual Abuse Material (CSAM) and grooming. Likewise, on the receiving side, it is vital that students and guardians are properly scoped to the school section, so that only those people receive the teacher's announcement. Maintaining an up-to-date roster for the section is essential to ensure that only the correct students, teacher, and guardians are connected.
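The rules above (only a section's teachers may announce, recipients resolved from the current roster at send time, a student reply opening a private thread with the announcing teacher) as an added illustration; this is not Clever's code, and the `Section`/`Roster` shapes and identifiers are constructed for the example.

```python
from dataclasses import dataclass

class AuthorizationError(Exception):
    pass

@dataclass
class Section:
    section_id: str
    teachers: set
    students: set
    guardians: dict  # student_id -> set of guardian ids (constructed shape)

@dataclass(frozen=True)
class Announcement:
    section_id: str
    author_id: str
    recipients: frozenset
    body: str

class Roster:
    def __init__(self, sections):
        self._sections = {s.section_id: s for s in sections}

    def section(self, section_id):
        if section_id not in self._sections:
            raise AuthorizationError("unknown section")  # deny, do not enumerate
        return self._sections[section_id]

    def remove_student(self, section_id, student_id):
        # Roster edits apply to every later send: recipients are never cached.
        sec = self.section(section_id)
        sec.students.discard(student_id)
        sec.guardians.pop(student_id, None)

def create_announcement(roster, actor_id, section_id, body):
    sec = roster.section(section_id)
    # The teacher role comes from the roster, not from a client-supplied claim.
    if actor_id not in sec.teachers:
        raise AuthorizationError("only a teacher of this section may announce")
    recipients = set(sec.students)
    for student in sec.students:
        recipients |= sec.guardians.get(student, set())
    return Announcement(section_id, actor_id, frozenset(recipients), body)

def reply_to_announcement(roster, sender_id, announcement):
    sec = roster.section(announcement.section_id)
    if sender_id not in sec.students:  # checked against the roster as it is now
        raise AuthorizationError("sender is not a current student of this section")
    # A reply never fans out to the section: it stays between student and teacher.
    return frozenset({sender_id, announcement.author_id})
```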

Messaging Attachments

A related but distinct feature of the messaging system is the ability for teachers to send images and other files, such as homework. The storage and retrieval of such files becomes pivotal, as files can include information that should be scoped to only a few individuals. Additionally, the way the messaging product is used makes it a prime target for spreading malicious files. In 2020 alone, K-12 institutions saw a drastic increase in cyber incidents, with ransomware attacks a significant contributor at 12% of the 408 incidents reported. Such concerns factor directly into the threat model for file attachments in the messaging product.

To address this concern, every time a teacher uploads a file via messages, the system asynchronously scans it for viruses and malware in real time, as shown in Figure 3. A file that is identified as malicious is automatically quarantined and removed altogether, and the relevant engineers are alerted to the action taken, which helps monitor for and detect large-scale targeted activity.
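The upload, asynchronous scan, quarantine-and-remove, and alert flow described above as an added example; it is not Clever's pipeline. It assumes (the post does not say so) that downloads are gated on a clean verdict, the scanner is an injected callable, and `marker_scanner` is a constructed stand-in that is not a real detection.

```python
import hashlib
from dataclasses import dataclass

PENDING, CLEAN, REMOVED = "pending", "clean", "removed"

@dataclass
class Attachment:
    sha256: str
    owner_id: str
    state: str = PENDING

class AttachmentStore:
    def __init__(self, scanner):
        self._scanner = scanner  # injected: callable(bytes) -> True when malicious
        self._blobs = {}         # sha256 -> bytes; never served while PENDING
        self._meta = {}
        self.alerts = []         # stands in for the engineers' alert channel

    def upload(self, owner_id, data):
        # Store immediately so the user is not blocked, but leave it unservable.
        digest = hashlib.sha256(data).hexdigest()
        self._blobs[digest] = data
        self._meta[digest] = Attachment(digest, owner_id)
        return digest

    def run_scan(self, digest):
        # Called by the asynchronous worker; the verdict is the only exit from PENDING.
        att = self._meta[digest]
        if self._scanner(self._blobs[digest]):
            del self._blobs[digest]  # quarantine and remove: the bytes are gone
            att.state = REMOVED
            self.alerts.append({"sha256": digest, "owner": att.owner_id,
                                "action": "quarantined_and_removed"})
        else:
            att.state = CLEAN
        return att.state

    def download(self, digest):
        # Fail closed: an unknown, pending or removed attachment is not served.
        att = self._meta.get(digest)
        if att is None or att.state != CLEAN:
            return None
        return self._blobs[digest]

# Constructed stand-in for a real engine: it flags one marker string only.
MARKER = b"CONSTRUCTED-MALICIOUS-MARKER"

def marker_scanner(data):
    return MARKER in data
```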

Translations

Language barriers between teachers and parents are increasingly common and detrimental to students’ learning. Over 22% of families in the U.S. don’t primarily speak English at home. In a survey conducted by ClassDojo, 75% of teachers reported that non-English speaking parents were less engaged in classroom activities. In order to meet the needs of teachers and guardians, Clever implemented our in-product message translations.

At first, we identified a data subprocessor that could power auto-translation of messages into multiple languages at scale under the heightened data security constraints imposed on student data. The data sent for translation must remain within U.S. territory, as Clever's terms of service require for user-generated messages.

Clever's messaging service communicates with a translation service, which in turn sends requests to AWS Translate. Throughout the entire translation request process, the message data is guaranteed to remain within the United States, because our services house data and operate within the U.S. regions of the AWS cloud, and none of the inbound or outbound communication with AWS Translate leaves the U.S. Thus, the translation feature of Clever Messaging complies with the guarantees we provide in our terms of service.

Other Considerations

Much of the security and privacy design for this product aligned well with our desired user experience. However, there were instances where our security practices created limitations for users. For example, we know there are teachers who regularly interact with students who aren’t explicitly in their classes – for extracurricular clubs, sports, mentorship, and more. Our messaging product often could not accommodate these use cases, choosing overall safety over possibly higher-risk use cases.

Our privacy and security design also created some limitations for our internal teams. Notably, we chose not to make the content of student and teacher messages available via our existing analytics tools, to preserve user privacy. This made it difficult to iterate on the product, since the only way to learn what kind of conversations users were having was through user interviews. Ultimately, we solved this problem by building an internal tool that randomly selects and anonymizes a small number of conversations each day. Access to the tool is limited to a select group of internal researchers and is maintained by the security team, which enforces role-based access control using allowlists.

Moving forward, we are exploring a number of new features to improve the messaging experience, from allowing teachers to create arbitrary groups for group messaging and allowing teachers to share application links via messaging, to teacher-to-teacher messaging. As with our previous features, we plan to thoroughly analyze the risk of harm and how to mitigate it as we allow greater functionality.

In conclusion, when designing products for children within online school environments, thorough thought experiments and beta testing should be done in potential risk areas to create a secure messaging product that respects privacy. With the multifaceted nature of online education, the threat models should reflect not only the concerns of students and teachers, but also those of the many other participants, like guardians and teaching staff, who make online learning possible.

For more information on Clever’s commitment to student data privacy and security, visit https://www.clever.com/security or read our white paper about Clever Messaging published at the Workshop on Kids’ Online Privacy and Safety (KOPS) 2022.