Last year, like many new parents, I went to extremes to keep my toddler healthy and happy. When my daughter left the infant stages to become a much more conscious little child, I decided it was high time to put her in kindergarten. It was better than her staring at the same four walls in the living room while I considered health risks over and over again. After a few internet searches and some phone calls, I chose one that was close and had open spots (which was pretty hard to get). When I started the sign-up process, I saw a flyer in the huge package that immediately threw me into a new set of concerns that I did not want to deal with: “We also use Brightwheel, a mobile application, to log attendance, share milestones and keep parents updated on daily interactions.”
I do not know what is going through other parents’ heads at the moment, but I do privacy and security-oriented work as my daily job at the Electronic Frontier Foundation, so I could not help but look at the security check Brightwheel gave me as a parent. This was my child’s data left to some company. Don’t get me wrong, the app provided some comfort so I could watch my baby smile, make friends and enjoy cycling outside of playtime. Especially in the first week where you are not there to review all aspects of their lives for the first time. But when I looked at my account, I saw very few options that said anything about security. There was a PIN to check them in and out, but that was it.
Over the course of several months, I looked at the gigantic amount of data shared and stored by this app every day. Diaper changes, story time pictures, trick times, etc. The more data about my daughter I saw, the more my concern grew.
In October 2021, I could not sit on this anymore. I would not call myself a hacker by definition in most people’s heads. But in this case, for my daughter’s sake, being a mother means doing everything in my power to protect her. So I started a month-long dive into the early learning landscape of apps – and did not like what I found.
I’m lucky where I work. Some cold emails and a little networking later, a colleague (also a new parent who was asked to use Brightwheel) and I finally got a meeting with an actual person in the company. The meeting was productive in the sense that Brightwheel seemed to understand the concerns, but reaffirmed how saddened the entire industry was in terms of protecting privacy and security.
For example, a very basic and well-known safeguard is two-factor authentication. Do you know how some services now require you to enter a one-time password in addition to your password? That is two-factor authentication, which gives a huge bang for the buck in terms of security. It has spread rapidly, and at least offering it is pretty much an industry standard these days.
Brightwheel now has two-factor authentication available to all school or day care leaders and parents, but it is the only one that has done so. Which is bullshit.