Student Tracking and the College Board

A recent review of the College Board website shows how students using the site are tracked, and how details of student activity on the College Board site are shared with multiple third party vendors. Some of the tracking and sharing appears to be violating the College Board’s own privacy policies.

On July 22, we contacted the College Board with a summary of our findings, and some questions. While we did not receive precise answers to these questions, on July 28, we did observe a minor change on the College Board site that reduced the information sent to some third parties. However, this change did not affect the majority of the tracking and data sharing we observed.

This writeup documents the main items found in our review. It is broken up into 10 sections.

Sections 1–3 provide background for this piece, including methodology.

Sections 4–7 cover different types of tracking and data sharing. Section 4 is the only section affected by the change made by the College Board, and it is split into two parts: before July 28, and on July 28.

Sections 8–10 cover the College Board’s privacy policy, and coverage from 2018 and 2019 about the College Board’s handling of student information.

1. Introduction

This summer, the College Board really wants to talk to kids.

The College Board is texting kids on their personal phones.

Image 01

(The shortened URL in this text message resolved to this page on the College Board site, but as an aside regarding basic information security: never click on shortened links in text messages or shortened links or buttons in emails. Sending shortened URLs to rogue sites is a common approach in phishing, malware, and ransomware attacks.)

The College Board is emailing students at their school emails.

Image 02

The College Board is promoting a scholarship lottery on social media.

Image 03

One common theme runs through these offers: join the College Board website and start planning your future. What the College Board omits from these messages is a clear disclosure that joining the College Board also means sharing private details with multiple third party advertising and data tracking companies, including Snapchat, Facebook, Google, Adobe, and Microsoft. Some of the data sharing we observed appears to violate the College Board’s own privacy policy.

1A. Timeline

Early July: initial issues observed.

Early July to mid-July: run additional tests with additional accounts to verify initial findings.

July 13 — July 21: review, evaluate, and document findings.

July 22: share a summary of findings with the College Board and request comment

July 28: re-test the College Board site and observe minor improvements

On July 22, we contacted the College Board and shared a summary of our findings and asked specific questions about the data the College Board shared with third parties. The College Board responses largely referred us to their commitment to privacy, and also pointed us to Facebook’s Business policies.

On July 28, we re-examined the College Board site and observed that the College Board had stopped sending usernames and a hashed unique identifier to some adtech vendors. At the time of our re-test, we still observed the username and a unique hashed identifier being sent to Adobe. As of this writing, the College Board has not informed us that they made this change, and they have not informed us of any additional changes they may or may not be considering.

In Section 4, we discuss how usernames were shared with multiple third party vendors, including Facebook, Google, Snapchat, Microsoft, and Adobe.

In Section 8, we discuss how sharing usernames with third parties is potentially a violation of the College Board’s own privacy policy.

1B. Methodology

To run the tests and obtain the results documented in this report, we used three separate accounts and performed similar tasks with each account.

The review included completing different activities highlighted in the College Board marketing materials, and highlighted via the user interface on the College Board site. These activities included searching for test centers, beginning the process of registering for a test, and creating a list of colleges of interest.

Prior to running each test, the testing browser was cleared of all cookies and all history, and the first page loaded in every test was from within a collegeboard.org domain or subdomain.

During testing, we captured traffic using OWASP ZAP, an intercepting proxy.

2. Background

The College Board is perhaps best known for the tests it administers: the PSAT, the SAT, and the AP Exams. As administrator of these tests, and as the maintainer of the AP curriculum (which is the closest thing to a national curriculum in the United States), the College Board is in a unique position as both a gatekeeper between high school students and a college education, and as a data collector about every high school student that interacts with one of their services.

Currently, on Twitter, the College Board is advertising lotteries for scholarships, and the way to enter the lottery is by joining the College Board site and completing tasks assigned by the College Board. The College Board is explicitly targeting Spanish speakers via a partnership with Telemundo and a Spanish language onboarding page.

Image 04

However, the act of joining the College Board site sends sensitive — and in some cases, personal — information about students to major adtech vendors.

Before July 27, 2020, after a student logs in to the College Board site, their username was sent to Snapchat, Google/Doubleclick, Adobe, Facebook, Yahoo, and Microsoft. After the College Board appeared to implement a minor fix detected on July 28, 2020, only Adobe was continuing to receive the student’s username. However, all students that log in to the College Board site have a tracking cookie with a unique identifier set in their browser. These unique cookie values are read repeatedly as the student uses the College Board site, and when a student visits other sites on the internet, these unique cookie values appear to be read by vendors placing advertisements.

Adtech vendors are also informed when users interact with specific features on the College Board site. For example, Facebook, Google, Yahoo, and Microsoft get information when a student visits a college information page in the College Board site, or when a student adds a college to a list of schools.

The College Board appears to be violating their own privacy policies by sending personal information (the username) to third party vendors. Their change on July 28 reduced the number of third parties still receiving the username, but even after the update, two domains controlled by Adobe are still sent the username of students. Additionally, cookie values set on the College Board website — accessed by third parties when students are logged in to the College Board website, and mapped to specific actions like adding a college to a personal list — are both accessed and appear to be used to place ads on other sites.

The College Board is also a signatory to the Student Privacy Pledge, and they appear to be violating the terms of the Privacy Pledge.

This is not the first issue the College Board has had related to data privacy. In 2018, the NY Times described mishandling of student data by the College Board, and in 2019, the Wall Street Journal covered similar breaches of trust and user expectations in describing how the College Board sold access to student data. Given the College Board’s recent problems related to inappropriate sharing of student information — paired with the College Board’s outsized control over students moving from high school to college — it is reasonable to expect that the College Board would make protecting student privacy a priority. Unfortunately, this is not what we observed in our testing.

3. College Board Outreach

Over the summer, the College Board has been using text messages, email, and social media to market its services directly to students. Recent marketing on Twitter and Facebook highlights a scholarship lottery. Students enter the lottery by signing up on the College Board website and completing tasks assigned by the College Board.

The College Board markets the lottery to both English and Spanish speakers. A sample of the English language outreach is shown below:

Image 05

A sample of the Spanish language outreach is shown below:

Image 06

The Spanish language landing page on the College Board website is shown below:

Image 07

For both the English and Spanish language versions of the scholarship lottery, the first step is to create a list of six colleges that are of interest.

English:

Image 08

Spanish:

Image 09

The marketing materials shared by the College Board do not contain any obvious or conspicuous language that discloses how student participation in the scholarship lottery and related activities could be shared with third party adtech vendors. Also, despite the targeted outreach to Spanish speakers, the privacy policies and terms of service do not appear to be readily available in any obvious location in Spanish.

4. Data sent to third parties after login

This section is split into two parts: results observed before July 28, and results from testing on July 28.

It is possible that our tests performed on July 28 captured a snapshot of development in progress. As noted above, the College Board was informed of our findings on July 22. We will re-test the College Board site shortly after this piece publishes, and if this subsequent follow up shows additional changes made by the College Board we will update this writeup, and/or do a follow up report.

4A. Testing Results Prior to July 28

In our testing prior to July 28, multiple adtech vendors were informed when a student logged in to the College Board site. In many cases, the calls to these adtech vendors include the username of the student logging in, and is connected to a tracking cookie set in the student’s browser.

When a user logs in to collegeboard.org, the College Board website returns this url:

https://www.collegeboard.org/?TST=Unique_Hashed_Value&userName=the_student_account_username

The “TST” value appears to be a unique hashed value for each login; the “userName” value is the user name of the student, sent in the URL.

The College Board site makes calls to the following third party domains, and these calls include the username and the unique hashed value. All calls include precise details about the operating system, browser version; many include additional technical information; for example, in one case a vendor was informed about the type of video driver installed on a computer. These technical details could be incorporated into a device fingerprint that could be used to precisely identify students over time.

4A1. Doubleclick/Google

The username and the unique hashed value are included both in the referer and the URL of the request.

Image 10

4A2. Adobe, through demdex.net and omtrdc.net

Two calls get made to domains affiliated with Adobe; these calls contain the username and the unique hashed value. The username and the unique hashed value are included in the referer for both requests.

Image 11

Image 12

In the second screenshot, in the payload of the request, we highlight that the tracking includes information about the manufacturer of the video card (webGLRenderer), which could be used as part of a device profile to track people around the web.

The College Board does disclose in their privacy policy that they use the Adobe Marketing Cloud Device Co-op.

The description from the Device Co-op landing page linked in the College Board’s privacy policy includes language that states that a core use of the service is to tie multiple devices (a phone, a tablet, a computer) to a specific person.

“The Device Co-op helps save marketing budgets by focusing display advertising on people, not devices. Because frequency caps typically apply to a single device, a limit of 5 ads per consumer can easily turn into 5 ads per device. With the Device Co-op, marketers can boost their ROI by targeting the person, not the device.

4A3. Snapchat

The username and the unique hashed value are sent to Snapchat. In the call to Snapchat, the username and unique hashed value are included in the body of the initial request.

Image 13

4A4. Facebook

The username and the unique hashed value are sent to Facebook, with the call mapped to a unique tracking cookie set by Facebook. The username and the unique hashed value are included both in the referer and the URL of the request.

Image 14

4A5. Yahoo

The username and the unique hashed are sent to Yahoo, with the call mapped to a unique tracking cookie set by Yahoo. The username and the unique hashed value are included in the URL of the request.

Image 15

4A6. Microsoft

The username and the unique hashed value are sent to Bing, part of Microsoft, with the call mapped to a unique tracking cookie set by Microsoft. The username and the unique hashed value are included both in the referer and the URL of the request.

Image 16

4A7. Admedia

Admedia receives data about students using the College Board site when students perform specific activities defined by the College Board.

When a student goes to the College Board site, a javascript file over 20,000 lines long is loaded. This file contains multiple defined events, including the one shown below.

Image 17

The event listed above appears to be for when a student registers for the SAT, but the types of events can be flexibly defined, and data can be sent to multiple vendors. By looking through the file, you can see different events for different adtech vendors by searching for different vendor names (Facebook, Snapchat, Admedia, etc). The events defined in this file also include cash transactions — to see some of these events, do a search for “currency” within the file.

The screenshot below shows when an AdMedia event defined by the College Board is triggered.

Image 18

The screenshot below shows the username, hashed identifier, and IP address being sent to Admedia.

Image 19

4B. Updated Results from July 28

The College Board received specific questions based on our findings on Wednesday, July 22. These questions included a description that we had seen usernames and unique hashed identifiers being shared with third parties, and that this appeared to violate the College Board’s own privacy policy (this is discussed below in Section 8: College Board appears to be violating their own privacy policy). Follow up tests run on Thursday, July 23 and Friday, July 24 confirmed that usernames were still being sent to third parties as documented above.

Our tests on July 28 showed that student usernames were still being sent to Adobe, as documented in Section 4A2, and shown in Images 11 and 12, above. In our testing on July 28, usernames were no longer being sent to other third parties. It is possible that our test on July 28 caught a snapshot of work in progress on the College Board site and that future development could address sharing of usernames with Adobe. However, because the College Board has not publicly communicated any timeline or rationale for any potential changes, the reasons behind any observed changes are speculation.

All of the other tracking outlined in these findings are not affected by the change in the College Board site that we observed on July 28.

If we run future tests and those tests show meaningful changes, we will either update this post and/or write a follow up post.

4B1. Other event triggers

As noted above, different events for different adtech vendors are defined in the javascript file loaded by the College Board at their website. Some of these events appear to include cash transactions. This event is defined in the javascript file loaded (archived copy available) in our testing from July 28.

Image 20

Our testing did not include paying money to sign up for services.

The event shown below was also included in the javascript file on July 28. Based on the code and comment, it appears to indicate that Google Adwords might get information about whether or not a student used a fee waiver.

Image 21

5. Tracking that occurs when students create a list of colleges

The tracking observed in this section is not affected by the minor changes observed in our testing on July 28.

The first requirement to be eligible for the scholarship lottery requires students to create a list of six colleges.

Because of the tracking technology that the College Board embeds in their site, third party vendors are informed when students visit pages. In addition, Facebook is informed when a student adds a college to their list. The third party tracking is tied to the unique cookie ID values that are accessed after a student logs in to the College Board site.

In this test, our student added Monroe College to their list. This is what the student saw in their web browser.

Image 22

This is how Google is informed of this event:

Image 23

This is how Bing/Microsoft is informed of this event:

Image 24

This is how Yahoo is informed of this event:

Image 25

This is how Facebook is informed of this event:

Image 26

In the screenshot for Facebook, note the “SubscribedButtonClick” event. This text describes specific events within the College Board website. Facebook is also notified when a student removes a college from their list; the language for the event changes to reflect the specific actions of the user.

As shown in the screenshots, these calls to third party adtech companies are all unified by a unique tracking cookie set and accessed by the company. In the next section, we demonstrate how these third party tracking cookies are read after the student leaves the College Board site.

6. Tracking on third party sites tied to tracking IDs set on the College Board site

The tracking observed in this section still occurs after the minor changes observed in our testing on July 28.

After planning for their future and trying to win money for college, our hypothetical student wanted to check the weather, read some news, and check for information related to Coronavirus, so they went to weather.com, huffpo.com, webmd.com, and some local news sites.

While visiting each of these sites, the tracking cookies set while the student was on collegeboard.org were read and shared with additional adtech vendors. In the examples shown in this section, cookie values that are accessed and read on third party sites by adtech vendors were:

  • set on the College Board site;
  • connected to calls detailing the student’s college search and/or SAT registration process;
  • in the case of Adobe/Demdex, the unique identifiers are connected to calls to third parties that included our student’s username.

6A. Facebook tracking

Shortly after our student logs in to the College Board site, Facebook sets a cookie in the student’s browser with a unique value. Here is the cookie value being sent to Brandlift (a Facebook service) on weather.com:

Image 27

Here is the Facebook cookie being accessed on huffpo.com:

Image 28

6B. Google tracking, and synching the Adobe/Demdex tracking cookie value

The cookie value set on the College Board site is read as part of multiple calls on third party sites. Interestingly, the Google tracking cookie also passes the Demdex cookie value on at least two occasions.

Here is the Google cookie being read on a call from weather.com:

Image 29

The cookie is also read on the Huffington Post.

Image 30

And the cookie is also read on WebMD.

Image 31

Calls initiated by Google also contain the Demdex cookie value. Because the cookie values are long strings of letters and numbers, the chance of this happening randomly are incredibly small.

In the screenshot below, taken from the proxy logs when our student was on the Huffington Post site, a call to an adtech vendor named Flashtalking contains the Demdex/Adobe tracking ID set on the College Board site. The referrer for the call is Doubleclick/Google.

Image 32

In the screenshot below, taken from the proxy logs when our student was browsing WebMD, the Demdex/Adobe tracking ID is included in a call to Doubleclick that also contains the Doubleclick cookie value set on the College Board site.

Image 33

6C. Additional ID synching via Adobe/Demdex

Demdex, controlled by Adobe, is one of the adtech vendors that sets a unique tracking ID on the College Board site, and has that unique ID tied to a request that contains the student’s username.

As noted above, the unique ID from the Demdex tracking cookie is included in a call to Doubleclick. This indicates that the unique tracking ID set that the College Board allows Demdex to set on their site is shared with other third party vendors. The screenshot below shows different calls to multiple third parties that contain the unique Demdex tracking ID. The unique values are highlighted in blue.

Image 34

The URLs used to connect to Demdex appear to contain the company name as the subdomain of the call; based on that it appears that the Demdex tracking ID is synched with Kohls, NBC Universal, Subaru, and Wells Fargo. A short list of adtech companies receiving the Demdex tracking ID include Rubicon Project, Scorecard Research, Everest Tech, and Yahoo. Approximately 15 different third parties were sent the unique Demdex tracking ID that was initially set on the College Board site.

The usage of the unique Demdex tracking value is opaque, at best. The one observation that can be made with absolute certainty is that multiple third parties access and share a unique identifier, tied to a student, set on the College Board site.

7. Ads on third party sites tied to tracking IDs set on the College Board site

As noted above, we shared a summary of our findings, along with some questions, on July 22. We re-tested the College Board site on July 28, and observed some minor changes. The tracking observed in this section is not affected by the minor changes observed in our testing on July 28.

7A. Yahoo tracking, tied to delivery of a specific ad

While browsing the Huffington Post, our hypothetical student saw this ad for a financial advice service.

Image 35

Examining the proxy logs for when this ad was delivered shows that the immediate request for the ad was tied directly to the Yahoo ID set on the College Board site. This screenshot shows a request that is part of the display of the ad:

Image 36

The screenshot below shows a section of the response. Note the name and domain of the ad are highlighted in the response.

Image 37

7B. Google/Doubleclick Tracking Cookie, connected to a specific ad, example 1

This ad was displayed to our student on weather.com.

Image 38

This request preceded the display of the ad. This request sends the unique tracking ID that the College Board allows to be set by Google on the College Board website.

Image 39

The response to this request includes information served with the ad.

Image 40

7C. Google/Doubleclick Tracking Cookie, connected to a specific ad, example 2

This ad was displayed to our student on a local news site.

Image 41

This request preceded the display of the ad. This request sends the unique tracking ID that the College Board allows to be set by Google on the College Board website.

Image 42

The response to this request includes information served with the ad.

Image 43

7D. Google/Doubleclick Tracking Cookie, connected to a specific ad, example 3

This ad was displayed to our student on weather.com.

Image 44

This request preceded the display of the ad. This request sends the unique tracking ID that the College Board allows to be set by Google on the College Board website.

Image 45

The response to this request includes information served with the ad.

Image 46

7E. Google/Doubleclick Tracking Cookie, connected to a specific ad, example 4

This ad was displayed to our student on the Huffington Post.

Image 47

This request preceded the display of the ad. This request sends the unique tracking ID that the College Board allows to be set by Google on the College Board website.

Image 48

The response to this request includes information served with the ad.

Image 49

7F. Google/Doubleclick Tracking Cookie, connected to a specific ad, example 5

This ad was displayed to our student on a local news site.

Image 50

This request preceded the display of the ad. This request sends the unique tracking ID that the College Board allows to be set by Google on the College Board website.

Image 51

The response to this request includes information served with the ad.

Image 52

8. College Board appears to be violating its own privacy policy

In the privacy policy for the College Board website, the College Board states that they collect the following pieces of personally identifiable information directly from students.

“When students create an online account, we ask for the following personally identifiable information: first name, middle initial, last name, zip code, gender, date of birth, high school, email address, mailing address, mobile phone number, username, and password.

Note that the College Board clearly states that they consider a username to be personally identifiable information. In many cases, the College Board has already collected some of this information via administering a test (the PSAT, the SAT, the AP, or other tests controlled by the College Board).

The privacy policy also has this language about online advertising:

“Third Parties and Online Advertising: We do not display any advertising on our site. We do use third parties, such as Facebook, to provide information about our educational products. Only hashed, nonidentifiable information is provided to these third parties. Only individuals that have independently created an account on our site and opted in to receive marketing communications from us may receive College Board interest-based advertising on such third-party sites. No personally identifiable information is shared with those third parties.

Two claims merit additional attention.

One: “We do use third parties, such as Facebook, to provide information about our educational products. Only hashed, nonidentifiable information is provided to these third parties.”

Two: “No personally identifiable information is shared with those third parties.”

In the testing prior to July 28, 2020, our analysis identified multiple examples where these claims appear to be false. The College Board passed usernames and unique identifiers to multiple third parties, including Facebook, Google, Microsoft, Adobe, Yahoo, and Snapchat. These usernames and identifiers are mapped to cookie values that can enable additional tracking. Our testing observed — and this writeup documents — when usernames are passed to third parties; when cookies are set by these third parties; and how these cookies are read both on College Board sites, and on other popular sites as part of ad networks.

Our testing on July 28 showed a minor change in the behavior of the College Board site. Usernames and a unique hashed identifier are shared with Adobe (via demdex.net and omtrdc.net, two domains controlled by Adobe). In its privacy policy, the College Board does disclose that it “participates in the Adobe Marketing Cloud Device Co-op to better understand how you use our website across various devices.” However, this disclosure does not include that the College Board shares personal information with Adobe.

In our testing before and on July 28, the practice of allowing third parties to set unique tracking cookies in student’s browsers, and the sharing information about student activities on the College Board with multiple third parties, remained unchanged. The College Board also lists several “Privacy Principles” — these principles include “Notice” and “Transparency.”

In our testing before and on July 28, students were not informed that, when they added a college to a list or searched for a test center for the SAT that third party companies were informed about their activity, tied to a unique tracking ID. The College Board’s privacy policy does not contain meaningful or precise information about the various third parties that are informed about student activities on the College Board site.

9. College Board appears to be violating the Student Data Privacy Pledge

The College Board is a signatory to the Student Data Privacy Pledge.

The College Board appears to be violating multiple Pledge Principles.

Specifically, the College Board appears to be violating these elements of the pledge:

Pledge claim: The vendor will “Not collect, maintain, use or share student personal information beyond that needed for authorized educational/school purposes, or as authorized by the parent/student.”

Sharing user actions on the site with Facebook, Google, Snapchat (among others) is not needed for the student to get any benefit from the site. Additionally, the student is not notified when their actions are being shared with these third parties, so authorization or consent from the student is not possible.

Pledge Claim: The vendor will “Not use or disclose student information collected through an educational/school service (whether personal information or otherwise) for behavioral targeting of advertisements to students.”

When a student visits the College Board site, tracking cookies for multiple third party ad vendors are placed on the student’s browser. These ad vendors engage in targeted advertising. When the student visits a different site that displays targeted advertising, these tracking cookies are read by these ad vendors. While it is not fully clear exactly if or how the advertisers use data they receive about student activity when students are using the College Board site, the terms of the College Board and the third party vendors receiving data do not provide any clear, concise descriptions of limits placed on use of that data.

Pledge Claim: The vendor will “Disclose clearly in contracts or privacy policies, including in a manner easy for parents to understand, what types of student personal information we collect, if any, and the purposes for which the information we maintain is used or shared with third parties.”

The College Board shares information about student activities on their sites, and the nature of the sharing is not clearly defined for the student. In particular, the College Board’s terms state that they do not share personally identifiable information, such as a username. Our testing shows multiple occasions where usernames are shared with third party services, and tied to tracking cookies controlled and accessed by these third parties.

The creators of the pledge maintain that the pledge is a legally enforceable document and that violating the pledge can and should lead to FTC action. However, given that the College Board is a non-profit, it appears that the FTC would not have jurisdiction. Many states, however, have laws that extend coverage for unfair and/or deceptive practice to non profits.

10. The College Board has mishandled student data multiple times in the recent past.

The College Board has multiple recent examples that illustrate a track record of sloppy data handling. In 2018, the New York Times reported that the College Board was one of several vendors selling or inappropriately sharing access to student survey data.

The NYT reporting led to the review and subsequent resolution of the College Board’s status as a Pledge signatory. However, several months after the College Board was reinstated as a signatory of the Student Privacy Pledge, the Wall Street Journal reported on the College Board selling access to student information.

This recent history illustrates that the College Board is in a position where they have responded multiple times to specific questions and issues related to student data handling and student data privacy. Therefore, it is reasonable to assume that their systems have been through a detailed review as part of regular and ongoing privacy and security assessments. Their privacy policy makes the same claim, and highlights certifications they have received:

“We follow industry-recognized security practices and standards to protect the personally identifiable information submitted to us, both during transmission and once it’s received. College Board has ISO 27001 and SOC-2 certifications and is certified by third-party auditors annually to help us proactively manage risks and controls. If you have any questions about the security of your personally identifiable information, email us at privacy@collegeboard.org.

Based on the recent history of the College Board, and the statements they make in their privacy policy regarding their commitment to student privacy and data security, it would be reasonable to assume that any behavior we observe with the web properties controlled by the College Board is the result of intentional choices. If the behavior we observed is not the result of intentional choices, that raises additional questions around why the issues we observed in our testing exist. In any case, in the interest of transparency and maintaining the trust of the students, families, and schools who are required to use College Board services, the College Board should provide clear and accurate information about the tracking they allow on their site.

Get the latest on Innovation at Consumer Reports

Sign up to stay informed

We care about the protection of your data. Read our Privacy Policy