Last year, like many new parents, I was walking an extreme tightrope to keep my little son healthy and happy. When my daughter left the early stages of childhood to become a much more conscious child, I decided it was time to put her in preschool. It was better than her looking at the same four walls of the living room as she contemplated the health risks over and over again. After a few internet searches and a few phone calls, I chose one that was close and had open places (which was pretty hard to get). When I started the registration process, I saw a brochure in the huge package that immediately launched me into a new set of concerns that I did not want to deal with: “We also use Brightwheel, a mobile app to register attendance, share milestones, and keep parents up to date on daily interactions.”
I don’t know what’s going on in other parents’ minds right now, but I do privacy- and security-oriented work as my day job at the Electronic Frontier Foundation, so I couldn’t help but look at the security checks Brightwheel gave me as a father. This was my son’s data left with some company. Make no mistake, the app provided me with some comfort, allowing me to see my baby smiling, making friends, and enjoying cycling while playing outdoors. Above all in that first week, when you are not there to supervise every aspect of their life for the first time. But looking at my account, I saw very few configuration options that said anything about security. There was a PIN code to check in and out, but that was it.
For a few months, I looked at the gigantic amount of data that this app shared and stored every day. Diaper changes, pictures of story time, nap hours, etc. The more data I saw about my daughter, the more my concern grew.
By October 2021, I could no longer stay there. I wouldn’t call myself a hacker by the definition in most people’s heads. But in this case, for the sake of my daughter, being a mother means doing everything in my power to protect her. So I started immersing myself for months in the early education application landscape, and I didn’t like what I found.
I’m lucky where I work. A few cold emails and a bit of networking later, a co-worker (also a new dad who was asked to use Brightwheel) and I finally had a meeting with a real person from the company. The meeting was productive in the sense that Brightwheel seemed to understand the concerns, but it confirmed how sadly lacking the whole industry was in privacy and security protections.
For example, a very basic and well-known protection measure is two-factor authentication. Do you know how some services require you to enter a unique code in addition to your password? This is two-factor authentication, which gives you a huge benefit in terms of security. It has spread rapidly, and at least offering it is pretty much an industry standard these days.
Brightwheel now has two-factor authentication available to all school or daycare administrators and parents, but it is the only one that has done so. That sucks.