Following the Children's Internet Protection Act (CIPA), districts receiving federal E-Rate funding for internet access are required to filter or block obscene content and content harmful to minors, and to monitor students' online activity. That's a narrow federal mandate about content filtering. What's grown up around it, driven by vendors like Gaggle, GoGuardian, Securly, Bark for Schools, and Lightspeed, is a much broader category of software that goes well past filtering into continuous activity logging, keystroke capture, screen-content scanning, and in some deployments, browsing history retention that persists off school networks and outside school hours if the device is signed into the same account.
What These Tools Actually Capture
The exact feature set varies by vendor and by how a district configures it, but the common architecture is a browser extension or device-level agent that has visibility into: every URL visited, search queries entered into any search engine, the content of documents and emails composed inside the district's Google Workspace or Microsoft 365 tenant, screenshots or screen-content snapshots triggered by keyword matches, and in several widely deployed products, live human or AI review of flagged content before it reaches a counselor or administrator. Some products extend this to the student's personal Google account if the device stays signed in, and several have documented behavior of continuing to monitor after school hours and off the school's network, because the agent runs at the OS or browser-extension level rather than being scoped to the school's network perimeter.
Ask whether monitoring is network-scoped (active only on district Wi-Fi, during school hours) or account-scoped (active anywhere the student is signed into their school account, including at home, on weekends, and during summer). The second is far more common than most parents assume, and it's the configuration decision, not the vendor's default marketing claim, that actually determines exposure.
The Legal Framework Is Thinner Than You'd Expect
The primary federal law governing this data is FERPA, the Family Educational Rights and Privacy Act, which protects "education records" and gives parents rights to inspect and, in some cases, correct them. FERPA was written in 1974 for paper transcripts and disciplinary files. It was not written with continuous behavioral surveillance in mind, and there's a genuine, unresolved legal question in a lot of these deployments about whether logs generated by a third-party monitoring vendor even qualify as an "education record" the district controls, versus data the vendor holds under its own commercial terms of service. This matters because FERPA's access and correction rights only clearly apply to records the school itself maintains. Data sitting in a vendor's own analytics pipeline, aggregated across districts for product improvement, sits in a considerably grayer zone.
This is a different gap than the one covered in our piece on COPPA, which explicitly carves out school use under a legitimate educational purpose from its own consent requirements, on the assumption that FERPA is doing the regulatory work instead. When both laws defer to the other's coverage at the boundary, the practical result is that the boundary itself is thinly regulated.
| Question | Typical answer |
|---|---|
| Can a parent request the full monitoring log for their child | Varies by district and vendor contract, often no clear process |
| Does monitoring stop when the device leaves school Wi-Fi | Often no, if account-scoped rather than network-scoped |
| Is flagged content reviewed by a human before escalation | Depends on vendor, some use AI-only triage |
| Is aggregated, de-identified usage data sold or shared for product analytics | Permitted under most vendor contracts unless the district specifically restricts it |
The Documented Real-World Failure Modes
A recurring finding in independent audits and journalism covering these platforms over the past several years is that keyword-based self-harm and violence detection produces a large volume of false positives, particularly around LGBTQ-related search terms, creative writing assignments touching on sensitive topics, and health research, all of which have led to documented cases of students being outed to school staff or parents through a monitoring alert before they'd chosen to disclose anything themselves. That's a materially different harm than "we caught a genuine crisis early," and both outcomes come from the same detection pipeline; the tool can't easily distinguish a student researching a school health assignment from a student in genuine distress, which is exactly the kind of false-positive-heavy surveillance pattern we've written about in the context of workplace monitoring software, where the incentive to over-flag is similarly structural rather than a vendor oversight.
A student typing "how do I know if I'm depressed" into a search bar for a health class assignment and a student in an actual crisis produce the same keyword match. The monitoring pipeline treats them identically, and the downstream consequence, a call home or a counselor visit, is not equally welcome to both.
What Families Can Actually Do
Districts are generally required to disclose which monitoring vendor they use, and most publish this in an acceptable-use policy or a board-meeting record if it isn't on the district website directly; asking for the name of the product is a reasonable, specific request that usually gets answered, unlike a general "what do you collect" inquiry. From there, checking whether the deployment is network-scoped or account-scoped changes what actually matters for a family's own devices: a student who uses their personal phone, off the school account, for anything they'd rather not have logged is meaningfully better protected than one using the same school-issued device and account for everything. For the personal side of that split, our guide to mobile permissions covers the baseline hygiene that keeps a personal device from replicating the same exposure through a different vendor's app.
Haven doesn't have a role inside a school's monitoring stack and can't remove a district-mandated tool from a district-owned device. What it can do is give a family, or a student old enough to manage their own communication, an end-to-end encrypted channel for anything genuinely private that doesn't need to run through district infrastructure at all, on a personal device the student controls.