The Scholastic Corporation was founded in 1920. Across the United States, kids and families regularly come into contact with Scholastic marketing and sales within public schools in the form of book fairs and monthly sales pamphlets distributed by teachers directly to students. In 2017, according to Scholastic’s annual Form 10-K (available at http://investor.scholastic.com/financial-information), Scholastic had revenue in excess of $1.7 billion. In surveys of educators, the company is generally held in high regard.

However, despite the maturity and public perception of the company, Scholastic fails to provide even rudimentary security protections for some of its publicly available digital products directed to children under 13.

The Details

This analysis focuses on a sample of online-only games and services (including publicly visible forums and chat rooms) offered by Scholastic within the subdomains at *.scholastic.com, as well as related mobile-specific apps. All would appeal to – and are directed at – children under the age of 13. Many of the products are paired with Scholastic books that are marketed in schools to elementary-school-aged children (under the age of 13).

Notwithstanding the presence of a graphical lock icon on Scholastic websites that suggests otherwise, none of these services require encryption for log-in or account creation.

All also make misleading statements about the provision of reasonable security for children’s accounts in their privacy policies. In fact, the games that have both online and mobile app versions point to different privacy policies. The combination of linked accounts, shared branding, and multiple sets of terms creates a representation of a privacy and security practice that is highly likely to mislead a parent or child.

I. Account Creation/Authentication Security Deficiencies in Scholastic Online Games

Consider:

All titles are advertised by Scholastic as being for children younger than 13 years of age.

An account is required to play these Scholastic online games. Yet none of these subdomains require encryption to create an account or to log in. Account information – including a username and password – is transmitted in the clear.

These same unified accounts are used by Scholastic to send marketing newsletters and to purchase products (such as books) in their online store.

All of these services link to http://www.scholastic.com/privacy.htm from both the footer of the web page and the account creation dialogue. This privacy policy contains this statement:

“While we have policies and procedures in place and take reasonable measures to protect the confidentiality, security and integrity of Personal Information collected on our Kids Sites, we cannot guarantee that information will be absolutely safe from intrusion during transmission, while stored on our systems, or when otherwise in our care.”

Because Scholastic fails to require encryption on account creation and thereafter on log-in, Scholastic’s claims of taking “reasonable measures” are misleading at best, if not demonstrably false.
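A defender-side check for the deficiency described in this section, added here as an example and not part of the original analysis: given a page URL and its HTML, it reports every form carrying a password field that would submit over something other than HTTPS, and separately flags a login form delivered over plain HTTP, since a decorative lock image on such a page guarantees nothing. The sample page, URL and lock image are constructed for the example and are not captures from any Scholastic site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormScanner(HTMLParser):
    # Records each <form> action and whether that form contains a password field.
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_cleartext_credential_forms(page_url, html):
    # Flags password forms whose resolved submit URL is not https, and any password form
    # served from an http page (such a page can be altered in transit, lock icon or not).
    scanner = _FormScanner()
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        submit_url = urljoin(page_url, form["action"])
        submit_scheme = urlsplit(submit_url).scheme.lower()
        reasons = []
        if submit_scheme != "https":
            reasons.append("password submitted over " + (submit_scheme or "unknown"))
        if page_scheme != "https":
            reasons.append("login form delivered over " + page_scheme)
        if reasons:
            findings.append({"submit_url": submit_url, "reasons": reasons})
    return findings

# Constructed sample login page with a decorative lock image (not a real capture).
SAMPLE_PAGE_URL = "http://kids-site.example/login"
SAMPLE_HTML = """<html><body><img src="/lock.png" alt="secure">
<form action="/account/login" method="post"><input name="username"><input name="password" type="password"></form>
<form action="https://kids-site.example/search"><input name="q"></form></body></html>"""
```

Run against the sample, the login form is reported on both counts while the search form (no password field) is ignored; the same function applied to an https page whose form posts to a relative action returns no findings.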

II. Unencrypted Public Chat Rooms

All chat rooms (a ‘Scholastic General’ chat room and multiple specific title/brand chat rooms) are available at this URL: http://plus.scholastic.com/chat. The TombQuest chat room, for example, can be accessed at http://tombquest.scholastic.com/chat. The Shadow House chat can be found at: http://shadowhouse.scholastic.com/chat, etc.

Chat rooms all require log-in or account creation (both unencrypted) to participate. These chat rooms can be accessed with the same log-in created on any of the book- or game-related subdomains.

Of note, content shared in these chats is publicly viewable whether a user is logged in or not.

There appears to be some basic automated moderation in place to catch obvious issues; e.g., “f#ck” or “555 555 1212” get flagged as not acceptable, but “five five five one two twelve” gets published.

III. Unencrypted Public Forums

Scholastic offers a “Community” feature that can be accessed at http://plus.scholastic.com/forums.

Forums all require log-in or account creation (both unencrypted) to post, and these forums can be accessed with the same log-in created on any of the book- or game-related subdomains.

Once logged in, a user can go to any of the 20+ forums available on the page. A random walk through each of the forums revealed only unencrypted connections, such as the Star Wars Jedi Academy fan forum: http://starwarsjediacademy.scholastic.com/forums

Of note, content shared in the forums is publicly viewable whether a user is logged in or not, and forum content is indexed and made available by popular search engines (such as Google).

IV. Certain Scholastic-Branded Online Games and Mobile Apps Share Log-Ins, but Point to Different Privacy Policies

Some Scholastic online (web-based) games share branding – and account log-ins/creation – with their corresponding mobile apps, but offer different privacy policies.

Consider Horizon: http://horizon.scholastic.com/, which is available online, but also for iOS and Google Play: https://itunes.apple.com/us/app/horizon-the-game/id1182514302 and https://play.google.com/store/apps/details?id=com.scholastic.Horizon&hl=en

Like its online-only version, the mobile version of Horizon is targeted to children. The download page for iOS defines the audience as age 9+ for the service and Google Play rates it as suitable for ‘Everyone.’

The privacy policy for the Horizon online (web) app is available here: http://www.scholastic.com/privacy.htm, while the privacy policy for the Horizon mobile app (linked from the download page) is available here: http://horizon.scholastic.com/privacypolicy. While the mobile app privacy policy references the web-version’s terms, the opposite is not true. The web application does not mention the privacy policy linked by the mobile application. For consumers, this creates a misleading situation where it is difficult to tell which terms have priority.

Even more concerning, accounts created via the web app are the same as the accounts created via the mobile app (i.e., the same username and password work on both services).

As a consequence, this statement (from the mobile app’s privacy policy) – “Security is extremely important to us. We use industry standard encryption and security practices to preserve the integrity of our users’ data.” – is demonstrably false and misleading. Even if the account created via the mobile application is protected via encryption (and encryption of the mobile app was beyond the scope of this investigation), this same account – with the same credentials – can be passed via the web interface, which sends the username and password without encryption.

This issue is not limited to Scholastic’s Horizon. Identical issues can be observed, e.g., with Scholastic’s ‘Shadow House’:

It appears, therefore, that Scholastic offers multiple sets of privacy terms that use the same branding for the same service delivered via different devices, yet tied together via a shared log-in. Even the most sophisticated, technologically adept consumer would be hard pressed to make sense of what they may be agreeing to, much less a child.

In Sum: Scholastic Makes Misleading Privacy, Security Claims in Services Directed to Children

All of the different services covered here appeal to and are explicitly targeted to children under 13. None require encryption for log-in or account creation. Usernames, passwords, and email addresses of users under 13 are passed without encryption. The terms for all services make claims about reasonable security that are misleading at best and, in some cases, demonstrably false. Additionally, because some of the mobile apps link to different terms than their web counterparts – and these additional terms also contain misleading statements – it is difficult to tell which terms cover which service, and what protections are actually offered to users.

Given this analysis, is it possible that parents’ and educators’ trust in one of the most venerable brands in education today may actually be misplaced? For me and my family, the question has certainly been called.