iPads for kids program sets off password security alarms for parents

ANALYSIS/OPINION: An iPads-for-kids program has parents worried about sending kids to school with their child's Apple ID password and the answers to three Apple ID security questions on paper.
Written by Violet Blue, Contributor

A U.S. federal digital literacy program providing kids with iPads has asked parents to send kids to school on orientation day with their child's name, Apple ID, password, and the answers to three Apple ID security questions -- on a piece of paper.

As you'd expect, putting this information on paper and providing it to the school program is ringing alarms for some tech-savvy parents.

Right now at Knoxville's Bearden and Carter Middle Schools every student is getting iPad Air 2 tablets with 5GB per month data plans under the Verizon Innovative Learning Schools (VILS) program (with help from Apple and federal nonprofit Digital Promise).

To use the iPads students need Apple IDs, which requires parental consent. Packets were mailed to parents early this month with a double-sided last page consisting of a consent form and an "Apple ID Worksheet" (.pdf) currently linked from the Bearden Middle School website.

It explains, "As part of the process of creating an Apple ID for your student, we will ask you to provide us with the following information: your student's full name, birthdate, password, and the answers to three security questions."

Worried parents talked to Bearden Middle School staff and told ZDNet, "They apologised about the lack of clarity in the forms we were sent, and said that the security portion is only to expedite the Apple ID setup process, which is going to happen in homeroom orientation. They wanted kids to have their answers ready."

Parents who followed up with the school also discovered another detail not made clear in the packet: While signing the Apple ID consent form is required for program participation, providing their child's password and security questions on paper is not.

A school rep told ZDNet via email, "Password and personal information will reside with parents of course." Parents we spoke with said they were assured that only one side of the form will be scanned and stored, and not the side with security information.

Bearden Middle School Executive Principal Sonya Winstead said she wasn't able to elaborate on "reasoning and procedure around the Apple ID." She told ZDNet via email, "Our Technology folks have been working with Apple on how to go about this process as well as how to keep personal information secure."

The procedure is raising questions about where this lands in Apple's policy. Apple's Security and your Apple ID guidelines state, "Don't share your password with anyone, even family members."

Apple confirmed to ZDNet that it's customary for Apple to work with schools or programs that deploy iPads and Apple IDs, but didn't comment on the password security concerns raised by parents, instead pointing us to documentation from which Knox County's Apple ID consent form language appears to have been copied.

Knox County likely had to figure out this part of deployment on their own. Apple's Deployment Programs: Apple ID for Students: Parent Guide notes that each school will contact parents directly "about the process for providing such consent and creating your student's Apple ID."

The forms from Knox County also seem to bear the weight for streamlining password management. Just before the document's parental consent signature line it reads, "You further agree that your student's school has the right to reset the Apple ID for Students password on your student's behalf."

The Apple ID For Students Parent Privacy Disclosure appears to be where most of the school's copy-paste "Worksheet" sent to Bearden parents comes from -- except for the section about writing down passwords and security answers, and bringing it all to school.

Deployment is the devil in the details

This bizarrely analog security quandary is at odds with a school district known for being at the forefront of using technology in the classroom (and having an enviable STEM academy, among other accomplishments).

Yet the risk posed by having kids walk around with their most sensitive digital security information on a piece of paper is actually the twisted byproduct of a solution ... in the program's attempt to bridge the digital divide.

Like many across America, the Knox County middle schools receiving iPads through Digital Promise include a good number of kids from low-income families. Many don't have computers. One Knox County parent explained to us via email that it's exactly this part of the divide which resulted in the on-paper parental consent packets. "When parents were directed to do this online very few did it, hence the [paper] handouts."

So it seems this packet of paperwork would also have been a great opportunity for one of the entities involved in the "Apple ID Worksheet" to provide guidance on protecting their child's security information -- something that's also absent in Apple's documentation.

One parent still blames Apple. Commenting on the current Knoxville iPad deployment via email, "Apparently in the rush to get Apple gear in edu Apple has some pretty bad security notions -- until they can create proper admin tools."

Other worries

A closer read of the Knox County "Apple ID Worksheet" reveals details that are ringing a second round of alarms for parents tuned in to privacy and surveillance issues -- and make no mistake, one parent was told by the school that the kids' activities can be tracked and monitored.

The form reads, "We may also disclose personal information about you or your student if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate. We may also disclose personal information about you or your student if we determine that disclosure is reasonably necessary to enforce our terms and conditions or protect our operations or users."

The form also details Apple's parental consent as obtained under the Children's Online Privacy Protection Act (COPPA).

It reads, "We may collect other information from your student that in some cases has been defined under COPPA as personal information. For example, when your student is signed in with his or her Apple ID, we may collect device identifiers, cookies, IP addresses, geographic locations, and time zones where his or her Apple device is used. We also may collect information regarding your student's activities on, or interaction with our websites, apps, products and services. ... We may use, transfer, and disclose non-personal information (data that does not, on its own, permit direct association with your student's identity) for any purpose."

It's important to note that the program behind all this, working with schools across America to hand out tablets, is an entity with good intentions. The goal of federal nonprofit Digital Promise is "to close the digital learning gap by 2020," and the organization advocates competency-based learning (instead of credit for time spent), expanding coding education, getting more girls into STEM, and talking about gender inequality in education.

So what does Verizon have to do with it? Verizon's VILS, a Digital Promise partner, is a program participating with the Obama administration's public-private partnership ConnectED initiative (.pdf) which provides tech and training for K-12 students. Verizon committed in 2014 to invest up to $100 million in cash and in-kind contributions over three years -- and is likely getting a hell of a tax break in return.

In total, Verizon is giving students and teachers a donation of 5,000 tablets (not limited to iPads) and 2-year, 5GB/mo. data plans to Digital Promise -- who in turn distribute and deploy them to 21 partner schools.

Yep, still worried

In our conversations with Knox County parents, some expressed continuing disquiet about the process, mentioning that when it comes to kids there's a lot of room for something to go wrong during that piece of paper's journey to school and back.

It remains to be seen what will happen with the kids' Apple ID security information on the orientation days, planned before Bearden Middle's October 12 and 13 Fall Break.

The whole thing could be completely uneventful. Or, something might happen that could've been avoided if critical security information had not been on a piece of paper. Say, like when a selfie was taken, or when a backpack was accidentally left at a bus stop.

As every security professional knows, this risk scenario will repeat unless it's solved in a way that works for every school and every user, despite access and affordability.

Opportunity shouldn't equal risk. Perhaps companies like Apple need to go deeper into bridging the digital divide, and include language that clearly states best practices for protecting passwords and security information with kids -- as well as what parents should never do with that information.

Nonprofits like Digital Promise could roll up their sleeves and trailblaze in a new area -- bridging the security and privacy divide -- and get security best practices and basic security education baked into their deployment protocols.

If something doesn't change, schools will continue to look like they're left flapping in the wind when trying to reach people who aren't yet versed in digital security -- or worse, have it seem like they had to make a choice between efficiency and security by the time hundreds of little boots hit the ground on orientation day.
