More than 4 million Australian school students were at risk of unprecedented tracking and surveillance during remote learning as corporations exploited their access to children.
The findings come from the most comprehensive global study into the murky world of student data during COVID-19 lockdowns, and the privacy risks for both students and their families as education shifted from schools to homes.
The global advocacy group Human Rights Watch (HRW) analysed 164 educational apps and websites used in 49 countries, running tests on the code and attempting to track where the data of hundreds of millions of children worldwide ended up.
The HRW findings show that 89 per cent of the educational technology, or "EdTech", products used globally could put children's privacy at risk.
Despite international privacy obligations, the products requested access to students' contacts and locations and monitored their keystrokes. The data was sent to nearly 200 ad-technology companies.
Parents and schools had little choice but to adopt these products to ensure their children kept up with classmates. Opting out could mean repeating a year.
In Australia, it is alleged a number of companies did not meet the promises made in their privacy statements.
ABC News shared the findings with students in years 11 and 12 at a Sydney school where the products were used.
"It's pretty shocking," said year 12 student Liam, whose last name has been withheld for privacy reasons.
"When you're at school, you have the right to feel protected and feel safe. And school ensures that you're protected and safe. So to have this going on, you don't expect it."
The products of concern
The HRW investigation began a year after remote learning began in March 2021 — well beyond the first chaotic months of the pandemic.
Many Australian schools were still using the Adobe Connect app for videoconferencing and screen sharing.
The application had access to students' cameras and microphones, and HRW identified code allowing it to collect phone numbers.
A software development toolkit (SDK) was also detected, which allowed Google to access the same data in real time.
Chris Cooper, the Executive Director of Reset Australia, said tech companies like Adobe had "opaque" business models and were not subject to the same regulations as other companies operating in Australia.
"Teachers, students and parents are left really in the dark with what's happening with the data the company is collecting on young people," he said.
ABC News engaged Mr Cooper for expert technical analysis and independent review of the HRW findings. Reset Australia is part of a global, apolitical advocacy group pushing policy solutions to data privacy issues as well as countering digital threats to democracy.
"The big tech companies like us to believe that any kind of regulation is going to break their products and break the internet, but there is a range of sensible, reasonable, appropriate regulations that we can introduce," Mr Cooper said.
Adobe made clear in its privacy policy that it uses users' personal data to target them with behavioural advertising and that data is shared with third parties.
Adobe was approached for comment but declined, citing an unpublished response to HRW.
Another global giant
After Microsoft spent $US2.5 billion ($3.5 billion) purchasing the popular Minecraft adventure game, it leveraged its investment by creating a new education spin-off, Minecraft: Education Edition.
The purchase came just before remote learning — a once in a lifetime opportunity to push the product as schools relied on software rather than teachers.
But HRW has accused the company of breaching its privacy policy, which reassured parents with promises that it would not collect or use children's personal data for non-educational purposes.
The investigation found code in the app making it possible to track children's precise locations and times they were at those locations, as well as embedding seven SDKs which gave other giant corporations like Google, Twitter and Facebook the same access.
"We know that the tracking built into these apps is very comprehensive and collecting a wide range of data, including real-time GPS location data, as well as information sometimes from the contact lists on people's phones. As well as things like who they're hanging out with, where they go to school," Mr Cooper said.
A Microsoft spokesman declined to address questions about the discrepancies in its privacy policy but said the company was investigating further.
"We take reports of this nature seriously and are investigating these allegations: however, Human Rights Watch has not provided sufficient information on the configurations they tested for us to verify their findings. We're reaching out to them to get more information so that we can conduct any further investigation needed," a Microsoft spokesperson said.
The local company
A smaller company that started in New Zealand is among those seeking a future in the rapidly expanding EdTech industry.
It is accused, though, of violating its own privacy policies.
Education Perfect: Science, an online learning platform, is used around the world.
The global private equity giant Kohlberg Kravis Roberts purchased a majority stake in June last year in a deal that valued the company at $US318.82 million.
In Australia, the educational product is in fact licensed to a company called EPL Marketing Services Pty Ltd.
Despite the company's pledge to protect student data, the HRW analysis shows the presence of ad trackers from Google and Facebook. It also shows keystroke logging was used to monitor students' work and send it to a third-party American company.
"The parents, teachers and students that are using this platform will have signed a privacy policy consent form that neglects to talk about the 11 or so trackers that the report identified that is collecting a wide range of data on these young people," Mr Cooper said.
In a statement, Education Perfect acknowledged those trackers and keystroke monitoring are used on its home page but said they were no longer in use once students and teachers logged in.
"We only use Appcues, Mixpanel, Google Tag Manager and Sentry in the logged-in teacher and student accounts. All tools mentioned above do not capture student data and only track anonymous behavioural user data," the statement said.
The company said it used a different version of Google Tag Manager after login to ensure student data was not captured.
Overseas-based companies analysed in a similar way, through the login page rather than truly replicating the student experience, said this approach was "flawed" as students may enter the site another way.
HRW said five of the 12 companies analysed in this way were "clean" and able to operate without privacy concerns, including a product used in Australia called Stile Education.
Privacy review
With the Privacy Act currently under review, Mr Cooper says governments should ignore lobbying from the EdTech industry and apply to them the proposed new laws designed to protect children's data.
"Our Privacy Act is woefully outdated for the digital age and so its current review is really important," he said.
"But we also need specific rules on the use of children's data, rules that ensure their data is only used in ways that are in their best interests, not the best interests of companies."
Year 12 student Liam and his friend in year 11 Sofia were the first people in Australia to be briefed on the findings.
The students were particularly concerned about "persistent identifiers", an anonymised number given to students to track their behaviour and create profiles.
Liam noticed an increase in targeted personal advertisements after remote learning.
"It's pretty nerve-racking, knowing that sometimes you're just going to be speaking about something and that it's then being advertised to you later. And I think it's definitely going to become a big, big issue in the future," Liam said.
Sofia said that despite her generation being more aware of tracking than others, the fact it could be happening through school worried her.
"It's really frightening when you realise that you're being watched all of the time and everything that you search up can be turned against you," she said.
"Who knows — if this data came into the wrong hands, what could happen? It's really scary."
Legal analysis
As well as technical analysis, ABC News briefed UTS data expert and former Australian human rights commissioner Edward Santow to understand how students could be better protected in the future.
Like HRW, Professor Santow believes the state governments responsible for education should have been more aware of the risks of remote learning and were "naive".
"There's been years of experience here where tech companies have been offering what looked like very discounted products and services," Professor Santow said.
"But there's a reason for that. There's some other value they're deriving from it. Governments really need to be awake to that."
The HRW investigation focused on Australia's two biggest states, New South Wales and Victoria, but the products described were used across the country.
The ABC briefed both state education ministers on the findings.
Victorian Education Minister James Merlino said the products HRW highlighted had been through a "rigorous privacy impact assessment" and while the companies had reassured government about their conduct, he was having this reviewed independently.
"Any misuse of sensitive student information is extremely concerning," Mr Merlino said.
"We won't take any chances on the safety of our students and I have asked the Department of Education and training to undertake a review to ensure these tech companies are staying true to their Privacy Policies and not compromising any student data."
The New South Wales Education Department is also now investigating.
"The findings of the report are concerning, and the Department is liaising directly with the three platform providers to ensure that student data is protected as agreed," said the department's chief operating officer, David Withey.
Professor Santow warned of the risk of the commercialisation of the classroom.
"Our laws set out special protections to keep young people safe. And so that means that companies that are really trying to exploit personal information of kids really need to be pushed back on very firmly," Professor Santow said.
'We're failing all young Australians'
As EdTech becomes a part of Australian schools beyond the pandemic, the upcoming review of the Privacy Act will be crucial in determining the protection students have.
"These practices pose serious harms for all young people but the impact on individual children varies depending on socio-economic background, ethnicity, race, gender and more," Mr Cooper said.
"When these companies are allowed to collect and use the data of our young people wholesale, we're failing all young Australians, but particularly those who are marginalised."
ABC News was among 13 international media outlets in 16 countries given exclusive access to the raw data and findings, as part of a consortium called EdTech Exposed.
The consortium was coordinated by non-profit group The Signals Network, which coordinates global media investigations and assists whistleblowers. For two months, journalists have independently sought to test the findings with technical experts.
The reporting will reach an estimated audience of 185 million people in seven different languages.
Human Rights Watch will release its raw data and technical analysis globally on June 8.