Parents/students do not have a private right of action under applicable federal law (FERPA). The US Dept of Education could theoretically hold the school district to account, but that would be extraordinary (speaking of the current context, but also historically).
I track US public school cybersecurity incidents and this represents a change in tack for ransomware attackers vis-a-vis schools. Clark County (Las Vegas) is only 1 of 3 school districts since the start of the school year compromised with ransomware alongside the exfilitration of student/employee data. The others include Fairfax County (VA) and Haywood County (NC). Overall, I count 35 instances of ransomware (K-12 districts) for all of 2020; 15 of those publicly disclosed since August 1, 2020.
PS The latest incident, with commentary from the district superintendent: "Got to work this morning, powered up my computer and the first message I got was you’ve been encrypted. Basically, you know, the same old thing…you’ll have to pay us in bitcoin, we’re holding your data ransom, you need to contact this email address."
They left Wi-Fi enabled on their cell phones, which automatically connected to the school network when within range. IT staff then associated the log-ins with individual students - allowing them to be identified and caught. Original article (via Washington Post): "A black principal, four white teens and the ‘senior prank’ that became a hate crime"
They boys are clearly tech-savvy to a degree (they build their own PCs, mined crypto, understood Windows user permissions, etc.), but I seriously doubt that they would or could have broken into the district's systems without two things: 1/ an admin password left on a sticky note and 2/ clear text storage of other user passwords in an excel file published in a shared folder on the first machine they accessed (a public machine in the middle school library!). Other issues: old user accounts left still active; no review of access logs or logs of server usage (which would have spotted Monero mining). Note: the boys reported that passwords on sticky notes was routine throughout the district (and how they got access to the security cameras, too).
Education technology companies are tracking students' feelings & mindsets with wearables, facial recognition,'empathy tech' & 'high-dimensional psychometric profiling' in an effort to nudge them to better performance.
Unlike how other instructional materials are adopted by schools, educational software operates in secrecy - it remains essentially a black box to educators, parents, and students. There is no mechanism for independent reviews/audits of content or code, no insight into the instructional approach, checks for factual accuracy, or evaluations of potential bias.
The money quote (for me): “That sounds like a low bar [that their apps did not harm students’ educational results],” Ms. Woolley-Wilson said. “But with the history of education technology, it is not.”
So, some of this is about mode, input. But, a big factor in Chromebook adoption in schools has to do with the ease of enterprise deployment and management. Apple is far behind the curve here, and the amount of work to manage a school/class deployment (esp in the early days) was huge.
It is important that we address the need for changes to student data privacy/security policy and practice based on rigorous, replicable analysis and methods. The analysis underlying EFF's latest report, however, may not meet that standard. Important that the question has been called by EFF; more work clearly needs to be done to sort out the school technology ecosystem.
In many cases, these are minors. A criminal record will be a black cloud over their future educational and employment opportunities - and could negatively effect their life course. Perhaps they fully understand the consequences of their actions? Perhaps schools and law enforcement have the capacity to be nuanced in their actions? Based on my work on these issues, I question both premises.