
Latest news with #PowerSchool

How zero-knowledge tools can help us verify age and protect privacy online

The Hill

30 minutes ago


In June, French President Emmanuel Macron declared that he'll ban social media for children under 15, stating, 'Platforms have the ability to verify age. Let's do it.'

We've all seen what that 'verification' actually looks like: 'I'm over 18.' One click, and you're in. This is how the internet currently 'protects' minors. It's laughable, until you realize that this system is failing millions of children and teens every day.

In the U.S., Federal Trade Commission Chair Andrew Ferguson also highlighted this profound inadequacy, calling simple date-of-birth entries 'little to no barrier' for underage access. This admission from a top regulator underscores what many have long known: Current systems throughout the world are failing our children.

The other extreme can be even worse. Platforms requiring actual age verification often demand personal documents and store them in databases that have become high-value targets for bad actors. In December, Signzy, a major know-your-customer provider, suffered a malware attack exposing customer data, including scans of IDs and selfie biometrics. Similarly, in January, a massive data breach at education technology provider PowerSchool compromised the sensitive information of 60 million students. Such events are clear indicators of systemic vulnerabilities. Exposing personally identifiable data could lead bad actors right to the doorstep of children, youth and family members, the exact opposite of what age verification requirements are supposed to accomplish.

Today's age verification tools were not designed for the digital age. Applying financial-focused risk management procedures (like 'know-your-customer') to social platforms or gaming sites is invasive and dangerous. When sensitive documents are uploaded and stored on third-party servers, data breaches aren't a matter of if, only when. For kids and families, this is unacceptable. For developers and platforms, it creates massive legal and regulatory challenges. For society, we're missing an opportunity to implement real protection that respects privacy.

We're caught in a false choice: either no protection at all or too much vulnerable surveillance. But we no longer have to choose between these two failures. Zero-knowledge identity protocols remove this mutual exclusivity with enhanced security, privacy and user experience.

Zero-knowledge cryptographic technology allows someone to prove something is true without revealing the underlying information. Think of it as showing you're old enough to enter a venue without showing your ID or revealing your name. The mathematical proof confirms that you meet the requirement. This approach enables users to cryptographically prove their age without exposing other sensitive information. For instance, they can confirm they are over 18 without revealing their exact birthdate or other identifiable features beyond what's necessary.

The process generally involves a few key stages. Initially, a user interacts with their government-issued ID through a secure application, often on a smartphone. This interaction permits the extraction of necessary data directly from the document's secure elements. Next, a cryptographic proof is generated. This proof is a mathematical assertion that the user meets a specific age criterion (e.g., over 18). Crucially, this proof contains no personally identifiable information itself; it only confirms the truth of the age claim. This privacy-preserving proof can then be shared with an online service or platform. The platform verifies the proof's authenticity and validity using cryptographic techniques, confirming the user's age qualification without ever accessing or storing the underlying personal data from the ID. The platform learns only if the user is old enough.

Major tech companies are already recognizing the potential. Google announced that it's integrating zero-knowledge proof technology into Google Wallet for age verification, with partners like Bumble already on board. Developers can integrate zero-knowledge age verification into their applications through open-source libraries and verification contracts. These systems check the cryptographic proof and confirm whether a user meets the defined minimum age threshold, all without storing or even seeing the user's full identity. The programmability of these systems is crucial for global deployment. Zero-knowledge protocols can automatically adjust to local regulations (e.g., age 16, 18 or 21) while maintaining the same privacy guarantees.

Consider how this technology transforms real-world platforms. Gaming sites verify users meet age requirements without collecting ID copies. Dating apps confirm users' real ages without accessing other personal information. Content platforms gate mature content based on cryptographic proof rather than self-reported information or vulnerable document storage. This is privacy-first protection, enforceable by code and leveraging proven cryptographic technologies. Users maintain full control over their information, choosing what to disclose in each online interaction. We shouldn't accept that verifying a child's age online requires sacrificing privacy, or that doing nothing is acceptable either.

The regulatory landscape is already shifting. New York's SAFE for Kids Act began requiring platforms to use age determination technology and restrict 'addictive' feeds to minors without parental consent. Other legislation, like the federal Take It Down Act and state-level App Store accountability acts, also signals a move towards stricter online safety, though some raise privacy concerns about mass data collection.

Current age verification methods are also proving unreliable. The United Kingdom's Office of Communications recently fined OnlyFans operator Fenix International approximately $1.4 million for providing inaccurate information about its age verification, highlighting how even 'advanced' biometric systems can fail.

As legislation aimed at protecting minors online continues to evolve, the technology industry should lead by example. We can protect vulnerable users without exposing their most sensitive information to bad actors. We can continue with systems that either don't work or create massive privacy risks, or we can embrace cryptographic solutions that protect both children and privacy. Platforms now have access to privacy-preserving tools that respect both user autonomy and legal responsibility. There's no excuse not to build better. Parents deserve peace of mind, kids deserve safety and we all deserve a more thoughtful internet.

With increasing regulatory scrutiny and growing public demand for better protections, the impetus to shift away from ineffective checkboxes and invasive data collection toward genuinely workable solutions is clear: It is time to move on from the checkbox era.

Rene Reinsberg is an entrepreneur who has co-founded multiple ventures including Celo, Self and Locu (acquired by GoDaddy). Jane Khodarkovsky is a former trial attorney and human trafficking finance specialist in the Money Laundering and Asset Recovery Section, Criminal Division, in the U.S. Department of Justice. She is currently a partner at Arktouros.

Federal probe ends into cybersecurity breach that impacted school systems, including SMCDSB

CTV News

6 hours ago


The federal privacy watchdog has ended its investigation into a cybersecurity breach involving a student information system used across Canada, including the Simcoe Muskoka Catholic District School Board (SMCDSB).

In January, the Simcoe Muskoka Catholic board issued a letter to families notifying them of a cybersecurity breach of the PowerSchool portal - the Student Information System. 'We use this system to store our student-related data. The breach occurred on PowerSchool's server and has impacted many school districts across North America and even internationally,' the SMCDSB January 8 letter stated.

The breach exposed personal data such as names, contact information, birth dates, and, in some cases, medical details and Social Insurance Numbers of students, educators, and parents.

Pauline Stevenson, communications manager for SMCDSB, confirmed to CTV News in May that the board had been told all its student data had been deleted and that the board had not received any ransom requests from hackers. The board said that while hackers had accessed a PowerSchool support portal, its network had not been compromised. 'PowerSchool is confident that this situation is resolved and they believe your child's data is secure,' the January letter added.

On Tuesday this week, the Office of the Privacy Commissioner of Canada said it was satisfied with PowerSchool's response to the incident, including actions to contain the breach and improve security. While the federal investigation has ended, provincial privacy offices in Ontario and Alberta are continuing their own reviews.

With files from The Canadian Press

Federal probe into massive PowerSchool data breach is being discontinued

Global News

a day ago


Canada's privacy commissioner said Tuesday that he has discontinued his investigation into the PowerSchool data breach after the education software company agreed to take measures to improve its cybersecurity.

The December 2024 hack accessed the personal data — including medical information and social security numbers — of millions of current and former students and thousands of staff across Canada.

The office of privacy commissioner Philippe Dufresne (OPC) said in a news release that PowerSchool 'took measures to contain the breach, notify affected individuals and organizations and offer credit protection, and has voluntarily committed to additional actions to support its security safeguards.' Those actions include 'strengthened monitoring and detection tools,' the OPC release said.

'In light of the actions that PowerSchool has already implemented, and those that it will implement over the coming months, Privacy Commissioner of Canada Philippe Dufresne has decided to discontinue the investigation that he launched in February but will be monitoring to ensure that all of PowerSchool's commitments are fully met,' it continued.

'I welcome PowerSchool's willingness to engage with my Office to achieve a timely resolution that will result in stronger protections for the personal information of students, parents, and educators across Canada,' Dufresne said in a statement. 'Federal privacy law requires that organizations protect personal information with security safeguards appropriate to the sensitivity of the information. This is particularly important when dealing with children's personal information.'

Dufresne's investigation began more than a month after the company began to notify PowerSchool users about the data breach, which impacted school boards across most of North America and other countries that PowerSchool serves.

Global News contacted every school board across the country early this year to determine how many were impacted. Of those that responded, at least 87 were affected. Data from those that provided numbers showed that more than 2.77 million current and former students were confirmed to have been affected. In addition, 35,951 staff members, including teachers, were confirmed impacted, with one Nova Scotia school board advising that 3,500 parents' data was also accessed.

Some Canadian school boards informed families in May that they had received new ransom demands involving the stolen data.

A Massachusetts college student, 19-year-old Matthew Lane, agreed in May to plead guilty to criminal charges related to the data breach, including cyber extortion, according to U.S. prosecutors. Sources close to the investigation told The Associated Press and Reuters that PowerSchool was the company identified as 'Victim 1' in the criminal complaint.

What did PowerSchool agree to?

According to a letter of commitment with the OPC signed last week and released Tuesday, PowerSchool has until the end of July to provide any additional information related to the data breach to the commissioner, and to confirm if it plans to implement any additional authentication process in its affected PowerSource platform.

The company will need to provide evidence by the end of this year that it has strengthened its monitoring and detection tools, that those tools can 'identify patterns of irregular activity,' and that it has thoroughly reviewed and readjusted its system access privileges for both security and operational needs.

By March 2026, PowerSchool will need to show that it has obtained recertification of the global information security standard known as ISO/IEC 27001. It must also provide an independent, third-party security assessment and report to the OPC on PowerSchool's updated safeguards to protect personal information, prevent and respond to potential breaches, and other cybersecurity measures.

If the report includes recommendations for PowerSchool to implement, the company must show the OPC whether it has accepted them and provide an implementation plan and timelines, or provide reasons why it has not accepted them. The commissioner will have to review and approve those submissions.

PowerSchool also agreed to continue supporting affected clients and carry out its regular reporting and notification obligations under federal and provincial privacy laws.

The OPC letter said PowerSchool's commitments are 'a fair and reasonable response to the complaint' that sparked Dufresne's investigation in February.

Global News has asked the office of the Information and Privacy Commissioner of Ontario if its investigation into the PowerSchool data breach remains ongoing.

'We take the privacy and security of student, educator, and family data extremely seriously,' a PowerSchool spokesperson told Global News in an emailed statement responding to the OPC's announcement. 'Following the 2024 security incident, we worked closely with the Office of the Privacy Commissioner of Canada to respond swiftly, transparently, and responsibly. We're grateful for the Commissioner's collaboration in helping us strengthen our safeguards even further. PowerSchool remains fully committed to making continual investments in our security infrastructure and the ongoing support of our education partners across Canada.'

— with files from Global's Sean Previl

Federal privacy watchdog discontinuing investigation into student data breach

CBC

a day ago


The federal privacy watchdog says it has discontinued the investigation into a cybersecurity breach involving a student information system used across Canada, citing its satisfaction with the company's response and commitment to added security measures. Privacy Commissioner Philippe Dufresne says the probe was launched in February after his office received a breach report from U.S.-based PowerSchool, which provides the affected software, and a complaint about the incident. The commissioner's office says a hacker had obtained data such as names, contact information, birth dates and, in some cases, medical information and Social Insurance Numbers of current and former students, current and former educators, and parents across several provinces and territories. It says PowerSchool took measures to contain the breach, notified affected individuals and organizations and offered credit protection, and has voluntarily committed to additional actions including strengthened monitoring and detection tools. The commissioner's office says those steps have prompted Dufresne to discontinue the investigation into the breach, but the office will monitor PowerSchool's commitment to its strengthened security measures. It says the decision to stop its probe won't impact ongoing investigations into the breach by provincial privacy watchdogs in Ontario and Alberta. "I welcome PowerSchool's willingness to engage with my office to achieve a timely resolution that will result in stronger protections for the personal information of students, parents, and educators across Canada," Dufresne said in a news release Tuesday. The Toronto District School Board, the largest school board in Canada, said in a letter to parents and caregivers in May that it had recently learned data stolen in December 2024 was not destroyed and that a "threat actor" had demanded ransom. PowerSchool had said it paid the ransom in hopes of preventing public release of the stolen data. 
"We made the decision to pay a ransom because we believed it to be in the best interest of our customers and the students and communities we serve," it said in a statement in May. PowerSchool said in a letter to the commissioner Tuesday that it will confirm any further forensic and authentication steps it will take by the end of this month, and the company will provide evidence that it has strengthened its security monitoring tools by the end of this year. It said PowerSchool will provide the commissioner with an independent security assessment and report of its information safeguards by March 2026.

Federal privacy watchdog discontinues investigation into student data breach

Winnipeg Free Press

a day ago


The federal privacy watchdog says it has discontinued the investigation into a cybersecurity breach involving a student information system used across Canada, citing its satisfaction with the company's response and commitment to added security measures.

Privacy commissioner Philippe Dufresne says the probe was launched in February after his office received a breach report from U.S.-based PowerSchool, which provides the affected software, and a complaint about the incident.

The commissioner's office says a hacker had obtained data such as names, contact information, birth dates and, in some cases, medical information and Social Insurance Numbers of current and former students, current and former educators, and parents across several provinces and territories.

It says PowerSchool took measures to contain the breach, notified affected individuals and organizations and offered credit protection, and has voluntarily committed to additional actions including strengthened monitoring and detection tools.

The commissioner's office says those steps have prompted Dufresne to discontinue the investigation into the breach, but the office will monitor PowerSchool's commitment to its strengthened security measures. It says the decision to stop its probe won't impact ongoing investigations into the breach by provincial privacy watchdogs in Ontario and Alberta.

'I welcome PowerSchool's willingness to engage with my office to achieve a timely resolution that will result in stronger protections for the personal information of students, parents, and educators across Canada,' Dufresne said in a press release Tuesday.

The Toronto District School Board, the largest school board in Canada, said in a letter to parents and caregivers in May that it recently learned data stolen in December 2024 was not destroyed and that a 'threat actor' had demanded ransom.

PowerSchool had said it paid the ransom in hopes of preventing public release of the stolen data. 'We made the decision to pay a ransom because we believed it to be in the best interest of our customers and the students and communities we serve,' it said in a statement in May.

PowerSchool said in a letter to the commissioner Tuesday that it will confirm any further forensic and authentication steps it will take by the end of this month, and the company will provide evidence that it has strengthened its security monitoring tools by the end of this year. It said PowerSchool will provide the commissioner with an independent security assessment and report of its information safeguards by March 2026.

This report by The Canadian Press was first published July 22, 2025.
