Last year, like many new parents, I walked an extreme tightrope to keep my young child healthy and merry. As my daughter moved out of the stages of childhood to become a much more conscious toddler, I decided it was high time to take her to preschool. It was better than her staring at the same four walls of the living room while I kept thinking about the health risks. After a few internet searches and some phone calls, I picked one that was close to me and had spots open (which was quite hard to come by). When I started the enrollment process, I saw a flyer in the huge package that immediately threw me into a new set of concerns that I didn’t want to deal with: “We also use Brightwheel, a mobile application to track attendance, share milestones, and keep parents informed of daily interactions.”
I don’t know what’s going through other parents’ minds right now, but I do privacy- and security-oriented work as my day job at the Electronic Frontier Foundation, so I couldn’t resist looking at the security checks Brightwheel gave me as a parent. These were my child’s records that had been left to a company. Don’t get me wrong, the app provided some comfort, allowing me to watch my baby smile, make friends, and enjoy riding a bike while playing outside, mainly in that first week when you are not there for the first time to oversee every aspect of their lives. But when I looked at my account, I saw very few settings that said anything about security. There was a PIN to check them in and out, but that was about it.
For several months I looked at the massive amount of data shared and stored by this app every day. Diaper changes, photos of stories, naps, etc. The more data I saw about my daughter, the more worried I became.
In October 2021 I couldn’t sit on this anymore. I wouldn’t call myself a hacker by the definition in most people’s minds. But in this case, for the sake of my daughter, being a mother means doing everything in my power to protect her. So I started a months-long dive into the early education landscape of apps — and I didn’t like what I found.
I am lucky in where I work. A few cold emails and a bit of networking later, a co-worker (also a new parent who was asked to use Brightwheel) and I finally got to meet a real person at the company. The meeting was productive in that Brightwheel seemed to understand the concerns, but confirmed how hopelessly behind the entire industry was on privacy and security protections.
For example, a very simple and well-known security measure is two-factor authentication. Did you know that some services now require you to enter a one-time code in addition to your password? That’s two-factor authentication, which offers tremendous value for money in terms of security. It’s spreading fast, and it’s pretty much an industry standard these days.
Brightwheel now has two-factor authentication available to all school or daycare centers and parents, but it is the only one that has done so. Which is bullshit.