Last year, like many new parents, I was walking the extreme tightrope of keeping my young child healthy and happy. When my daughter left the stages of infancy into becoming a much more aware toddler, I decided it was high time to put her in preschool. It was better than her staring at the same four walls of the living room while I contemplated the health risks over and over. After a few internet searches and some phone calls, I chose one that was close and had spots open (which was pretty hard to obtain). When I started the enrollment process, I saw a flyer in the huge packet that immediately threw me into a new set of worries I didn’t want to deal with: “We also use Brightweela mobile application to log attendance, share milestones, and keep parents up to date on daily interactions. ‘”
I don’t know what goes through other parents’ minds at this point, but I do privacy- and security-oriented work as my day job at the Electronic Frontier Foundation, so I couldn’t help myself from looking at the security controls Brightwheel gave to me as a parent. This was my child’s data left up to some company. Don’t get me wrong, the app provided some comfort, allowing me to see my baby smiling, making friends, and enjoy riding bikes during outside playtime. Especially in that first week when you are not there to oversee every aspect of their life for the first time. But looking at my account, I saw very few settings that said anything about security. There was a PIN code to check them in and out, but that was about it.
Over several months, I looked at the gigantic amount of data that was being shared and stored by this app every day. Diaper changes, story time pictures, nap times, etc. The more data about my daughter I saw, the more my worry grew.
By October 2021, I couldn’t sit on this any longer. I wouldn’t call myself a hacker by definition in most people’s heads. But in this case, for my daughter’s sake, being a mother means doing everything in my power to keep her safe. So I began a months-long dive into the early education landscape of apps — and didn’t like what I found.
I am lucky in where I work. Some cold emails and a little networking later, a coworker (also a new parent being asked to use Brightwheel) and I finally got a meeting with an actual person at the company. The meeting was productive in the sense that Brightwheel seemed to understand the concerns but confirmed how woefully behind the entire industry was in privacy and security protections.
For example, a very basic and well-known protection measure is two-factor authentication. You know how some services now require you to enter a one-time code in addition to your password? That’s two-factor authentication, which gives an enormous bang for your buck in terms of security. It’s been spreading rapidly, and at least offering it is pretty much an industry standard these days.
Brightwheel now has two-factor authentication available for all school or day care administrators and parents, but it is the only one to have done so. Which is bullshit.