{"id":19426,"date":"2022-06-23T10:45:05","date_gmt":"2022-06-23T18:45:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/06\/23\/news-13159\/"},"modified":"2022-06-23T10:45:05","modified_gmt":"2022-06-23T18:45:05","slug":"news-13159","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/06\/23\/news-13159\/","title":{"rendered":"Parents Need to Know What\u2019s Going On Inside Their Day Care Apps"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/62b3a4dc403df153e676029d\/master\/pass\/ideas-daycare-app.jpg\"\/><\/p>\n<p><strong>Credit to Author: Alexis Hancock| Date: Thu, 23 Jun 2022 11:00:00 +0000<\/strong><\/p>\n<p class=\"BylineWrapper-iiTsTb hAGfXd byline bylines__byline\" data-testid=\"BylineWrapper\" itemprop=\"author\" itemtype=\"http:\/\/schema.org\/Person\"><span itemprop=\"name\" class=\"BylineNamesWrapper-dbkCxf erRIa-D\"><span data-testid=\"BylineName\" class=\"BylineName-cKXFOb UCAzg byline__name\"><a class=\"BaseWrap-sc-TURhJ BaseText-fFzBQt BaseLink-gZQqBA BylineLink-eZnyPI eTiIvU mEZDb fNdcwQ bKZMMS byline__name-link button\" href=\"\/author\/alexis-hancock\">Alexis Hancock<\/a><\/span><\/span><\/p>\n<p><span class=\"lead-in-text-callout\">Last year, like<\/span> many new parents, I was walking the extreme tightrope of keeping my young child healthy <em>and<\/em> happy. When my daughter left the stages of infancy into becoming a much more aware toddler, I decided that it was high time to put her in preschool. It was better than her staring at the same four walls of the living room while I contemplated the health risks over and over. 
After a few internet searches and some phone calls, I chose one that was close <em>and<\/em> had spots open (which was pretty hard to obtain). When I started the enrollment process, I saw a flyer in the huge packet that immediately threw me into a new set of worries I didn\u2019t want to deal with: \u201cWe also use <a data-offer-url=\"https:\/\/mybrightwheel.com\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/mybrightwheel.com\/&quot;}\" href=\"https:\/\/mybrightwheel.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Brightwheel<\/a>, a mobile application to log attendance, share milestones, and keep parents up to date on daily interactions.\u201d<\/p>\n<p class=\"paywall\"><strong>Alexis Hancock<\/strong> is director of engineering at the Electronic Frontier Foundation.<\/p>\n<p class=\"paywall\">I don\u2019t know what goes through other parents\u2019 minds at this point, but I do privacy- and security-oriented work as my day job at the Electronic Frontier Foundation, so I couldn\u2019t help myself from looking at the security controls Brightwheel gave to me as a parent. This was my child\u2019s data left up to some company. Don\u2019t get me wrong, the app provided some comfort, allowing me to see my baby smiling, making friends, and enjoying riding bikes during outside playtime. <em>Especially<\/em> in that first week when you aren\u2019t there to oversee every aspect of their life for the first time. But looking at my account, I saw very few settings that said anything about security. There was a PIN code to check them in and out, but that was about it.<\/p>\n<p class=\"paywall\">Over several months, I looked at the gigantic amount of data that was being shared and stored by this app every day. Diaper changes, story time pictures, nap times, etc. 
The more data about my daughter I saw, the more my worry grew.<\/p>\n<p class=\"paywall\">By October 2021, I couldn\u2019t sit on this any longer. I wouldn\u2019t call myself a hacker by the definition in most people\u2019s heads. But in this case, for my daughter\u2019s sake, being a mother means doing everything in my power to keep her safe. So I began a months-long dive into the early education landscape of apps\u2014and didn\u2019t like what I found.<\/p>\n<p class=\"paywall\">I am lucky in where I work. Some cold emails and a little networking later, a coworker (also a new parent being asked to use Brightwheel) and I finally got a meeting with an actual person at the company. The meeting was productive in the sense that Brightwheel seemed to understand the concerns but confirmed how woefully behind the entire industry was in privacy and security protections.<\/p>\n<p class=\"paywall\">For example, a very basic and well-known protection measure is two-factor authentication. You know how some services now require you to enter a one-time code in addition to your password? That\u2019s two-factor authentication, which gives an enormous bang for your buck in terms of security. It\u2019s been spreading rapidly, and at least <em>offering<\/em> it is pretty much an industry standard these days.<\/p>\n<p class=\"paywall\">Brightwheel now has <a data-offer-url=\"https:\/\/help.mybrightwheel.com\/en\/articles\/5918580-2fa-at-sign-in-overview\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/help.mybrightwheel.com\/en\/articles\/5918580-2fa-at-sign-in-overview&quot;}\" href=\"https:\/\/help.mybrightwheel.com\/en\/articles\/5918580-2fa-at-sign-in-overview\" rel=\"nofollow noopener\" target=\"_blank\">two-factor authentication<\/a> available for all school or day care administrators and parents, but it is the only one to have done so. 
Which is bullshit.<\/p>\n<p class=\"paywall\">Several of these companies don\u2019t disclose what data they collect and where it goes. And what we\u2019ve found is that what they do is, in some cases, track and share information in the way Facebook is also known to. That\u2019s bad enough when it\u2019s data about adults on a public social media site, but it\u2019s horrifying when it\u2019s information about a preschooler.<\/p>\n<p class=\"paywall\">Figuring out the privacy and security issues around the app your child\u2019s day care uses isn\u2019t like researching how to sleep-train a baby or what high chair to use, where parents can easily find trusted sources of information. This information isn\u2019t out there. Parents and administrators are being sold on convenience, but they aren\u2019t given even the most basic tools to choose a secure app.<\/p>\n<p class=\"paywall\">And for those of us who have the know-how to find these vulnerabilities and fix them, we\u2019ve run into the problem of the companies not wanting to hear about it. As an ethical hacker, the thing I <em>planned<\/em> to do was disclose what I found and wait 90 days for a response (a common security industry practice). Even there, I hit roadblocks.<\/p>\n<p class=\"paywall\">Beyond not finding a way to contact them on their websites, I discovered that <a href=\"https:\/\/www.researchgate.net\/publication\/358904572_We_may_share_the_number_of_diaper_changes_A_Privacy_and_Security_Analysis_of_Mobile_Child_Care_Applications\">researchers based in Germany<\/a> released a paper in March 2022 identifying security and privacy problems with 42 early education and day care management applications. In addition to outlining the vulnerabilities, the paper also explained that the researchers did their due diligence by ethically reporting the issues and had almost no response from the companies.<\/p>\n<p class=\"paywall\">That\u2019s unacceptable. 
If your company handles sensitive information, and researchers do the work of figuring out how to make your product more secure for you, not responding to them is a terrible practice.<\/p>\n<p class=\"paywall\">I <a data-offer-url=\"https:\/\/www.eff.org\/deeplinks\/2022\/06\/daycare-apps-are-dangerously-insecure\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.eff.org\/deeplinks\/2022\/06\/daycare-apps-are-dangerously-insecure&quot;}\" href=\"https:\/\/www.eff.org\/deeplinks\/2022\/06\/daycare-apps-are-dangerously-insecure\" rel=\"nofollow noopener\" target=\"_blank\">published my own research into these apps on EFF\u2019s website<\/a>, where you can dig into the technical details, but the major takeaway is that these services are not as secure as they can or should be.<\/p>\n<p class=\"paywall\">Some very basic demands we have for all of these companies:<\/p>\n<p class=\"paywall\">In addition, we would like to see it become standard for these apps to secure any messages sent between the schools and parents. End-to-end encryption would do that, and there\u2019s no need for a server to be seeing the updates on a child\u2019s life.<\/p>\n<p class=\"paywall\">And finally, these companies need to monitor and proactively respond to reports of problems with their applications. It should not take a technologist who happens to work at a digital privacy organization and a coworker who happens to be a lawyer on these same issues cold-emailing and working contacts to get a meeting.<\/p>\n<p class=\"paywall\">Being able to get daily updates on how your child is faring in day care is extremely comforting to a parent. It was for me. 
Unfortunately, that comfort was soon outweighed by the danger I found.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/daycare-app-privacy-security\/\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/62b3a4dc403df153e676029d\/master\/pass\/ideas-daycare-app.jpg\"\/><\/p>\n<p><strong>Credit to Author: Alexis Hancock| Date: Thu, 23 Jun 2022 11:00:00 +0000<\/strong><\/p>\n<p>After months of digging into privacy and security issues around these apps, I have some serious concerns.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[21330,21382],"class_list":["post-19426","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-ideas","tag-security-privacy"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19426","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19426"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19426\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19426"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19426"},{"taxonomy":"pos
t_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19426"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}