Pick up any student iPad, and you’ll most likely have access to their files. Same is true for many staff members.
Passcodes aren’t currently required on the student or staff devices, which often means that anyone could pick up an iPad and see open email accounts, grades, and assignments. Because the devices store passwords, programs like email, PowerSchool and Google Classroom are almost always automatically logged in.
During an age where digital security is a rising global issue, USD 497 has yet to implement a required passcode for student or staff iPads — an issue that came to light as USD 497 has transitioned to iPads from password-protected MacBooks at the high school level.
“Having passcodes on every device would make students more comfortable with all their information being on there,” senior Harrison Kirkwood said. “Having your friends or classmates be able to just mess with your assignments or information is scary.”
After logging into their new devices for the first time this summer, many students noticed that they weren’t required to set a passcode. Not only that, they didn’t initially have the option to set a passcode.
As questions about device security arose, by late August, the district modified its high school device policy and extended the option for students to set a passcode on devices. Staff members have always had the ability to set passcodes. But the system doesn’t currently require anyone to set passcodes.
Lawrence USD 497 is an outlier among area districts for a lack of a passcode requirement. Of the five area districts reached by The Budget, all require student and staff devices to have passcodes or passwords.
USD 497 Director of Technology David Vignery said unsecured devices won’t compromise the district’s network.
“We are not requiring a passcode for students at this time. This is for the reason that some [people] do not want to have a passcode, and as far as a security risk to our network, there is none,” Vignery said in an email response to questions. “The damage that can be done to a student iPad if they do not have a passcode is related to the student files and not the network.”
The issue stems from the device’s profiles. High school iPads were originally logged in using the district’s middle school iPad profile, which didn’t require a passcode.
“This profile does not have a passcode on it and has never had a passcode on it,” Vignery said. “This was an oversight on our part and now has been corrected.”
Some worry about personal information being too accessible for others to see, including counselor and mental health team member Jennifer Hare.
“The iPads should be required to lock because there’s a lot of personal information that not every student should have access to,” Hare said. “Anybody could just get in to even mess with your assignments. If you were meeting with your counselor to discuss mental health issues, that might not be something you want someone to be able to find so easily.”
The same problem arises for teachers, who also have no set requirements to set a passcode on their iPads. According to Vignery, the district is “working on a process” for a staff requirement. As of now, many teachers have expressed concerns relating to a broader picture of cyber security as well as student privacy. Teachers routinely receive emails with sensitive information.
“It’s your personal place to store things, even if it’s a school device,” Hare said. “Part of teaching kids to be good digital citizens is giving them the tools to keep their information safe.”
With a worldwide increase of cyber security attacks, districts have shown they are vulnerable to attack. Minneapolis Public Schools had 300,000 student files breached, exposing private information, such as case files, attendance and other confidential information, including about traumatic experiences like sexual assault, according to the Associated Press.
In Kansas, a recent audit of government agencies (July 2023) found that security risks were common. The Kansas Legislative Division of Post Audit reported that nine of 15 government entities did not meet IT security standards such as being inadequately prepared for security breaches. School districts may be further behind in building strong security processes because they are not required to adopt the same general security policies followed at the state level.
“Various IT security standards, including the state’s Information Technology Security Policy, require the use of unique information system authentication such as passwords,” Legislative Post Audit manager Katrin Osterhaus said. “Not requiring such passwords to lock devices could lead to a potential exposure of someone’s private information being exposed and potentially misused by an unauthorized individual.”
According to the same official, passcode protected devices are “universally accepted as best practices” at the state level. While school districts are not required to follow the state’s same security policies for their devices, Osterhaus expressed concern for student’s information.
“In the case of school-issued devices, this could include educational records, health information,” she said. “Some of that may be sensitive data governed by federal laws. I would be concerned that these controls aren’t mandatorily enforced on school-issued devices.”
The state auditors recommended in their report this summer that the Kansas State Department of Education “require all school districts to adopt basic security standards based on current industry standards.” That includes requirements about setting adequate passwords.
Knowing that student and even teacher information is potentially exposed on unlocked devices raises concerns, Hare said.
“That type of information getting out there, even just the possibility, could be detrimental,” Hare said. “Even just a student playing a prank. How far could that joke go? The devices need to be locked. For everyone.”