What the WiFi Knows

Students use district WiFi networks on their phones every day. Nothing they view is private— and the consequences are dire

Annie Smith* knows she’s the reason Discord is banned on school computers.

During the pandemic, falling into depression and spending all day online in her room, she met a boy in a group on the messaging app, who she talked to more and more as the months went on. She was isolated and lonely, but he paid attention. He made her feel special.

He told her that she was more mature and intelligent than other girls her age. He asked her to turn her location on so he could come to visit. He tried to convince her to participate in erotic roleplays over text. By the time he started pressuring her to send naked pictures of herself, she was already in too deep.

“My parents had taught me about the Internet, but I was always like ‘they’re just joking,’” Smith said. “I thought, ‘that’s never going to happen to me.’ And then it did.”

And then Ann Arbor Public Schools (AAPS) got involved.

The Ann Arbor Public Schools Wifi website blocker, “Securly,” is a straightforward system with a straightforward goal. When you connect to the public network AAPS-WiFi to visit a webpage or open an app, your request goes through something called a domain name server— DNS for short— that matches the name of the site you’re requesting with its IP address. “Securly,” a DNS blocker, filters those requests, acting like a ‘blacklist’ for websites that the school prohibits.

The thing is, though, that’s not all it does. While you’re retrieving something from the website, the website’s retrieving something back.

Let’s revise the above story. On that webpage visit or quick check of an app, your phone is constantly pinging the server with requests for content. The server complies — or doesn’t, if you’re asking for something on the banned list — but in checking your site against its list of addresses, it quietly collects data about you and what you’re doing. The type of device you’re using; your IP address; the webpage you’re asking for and exactly what you click on while you’re there: all the essentials of your web visit are captured and filed away into a megalith of logs from every connected device in the district. Whether you know it or not, whatever was on your phone is now out of your hands. Once it’s logged, it’s the property of the school district, and there’s no taking it back.

That’s not to say that your phone is being constantly watched. Dr. Heather Kellstrom, the Executive Director of AAPS Instructional Technology & Information Services, assures that the AAPS IT department is hardly scrutinizing each visit to Schoology or your student email. The majority of logs, according to Dr. Kellstrom, are unremarkable and unreviewed, disappearing into the vast sea of data that the WiFi collects each day.

“The only time that logs are consulted is if the network is experiencing an issue, i.e., slow internet connection throughout the district or if there is a request by an Administrator to solve a student or staff issue,” she wrote in an email addressing the topic. But though those “student or staff issues” are an exception, they are hardly infeasible. All the data is available for review, and the reviews have consequences.

Smith, whose correspondence with the boy was now coming up in meetings between her and the school, had used her school computer to contact him. The filtering and logging measures in place on the laptop had picked up every word she’d sent him and every word he’d sent her back. This was exactly what they had been designed to do. Her messages were recorded by software on a school-provided computer, as opposed to on the school WiFi, but both kinds of logging are a result of the same policy— one that the district, in fact, is legally mandated to uphold.

All public schools and libraries must follow the guidelines of the 2000 Children’s Internet Protection Act (CIPA), blocking “obscene or harmful” content and protecting student information from unauthorized disclosure. Notably, CIPA “does not require the tracking of Internet use by minors or adults.” But though tracking is not required, it’s unavoidable that logging content is the path of least resistance to tracking it. This is why web filtering services like “Securly” exist in the first place; it’s why schools use those services so extensively. This, in the end, is why the WiFi knows so much.

For Smith, the logs were a good thing. They showed the slow process of grooming over months, how she’d never fully given in to the boy’s demands. The district’s intervention was much-needed and the records in the messages showed that she had never done something explicitly illegal. In the end, Smith had never sent those pictures, so legal action didn’t need to be put in motion. Police intervention, which was initially threatened, didn’t happen. Annie, the school administrators said, was a good student who had made a terrible mistake: she would be able to move on. All would be well.

But though she was grateful for the intervention, the way it happened made Smith uneasy. She hadn’t even known such information was possible to access before the unthinkable had happened. Now, she’s warier around not only school computers, but around what she watches and reads while connected to school WiFi as well. She feels uncomfortable using her phone in school; she watches her friends browse through websites and wonders who’s seeing what they click.

“I think everybody takes for granted that whatever they do isn’t necessarily trackable,” Smith said. “Maybe they vaguely think ‘Oh, the teachers are saying this, it’s probably true’— but they don’t really believe it.”

Maybe logging on to computers and WiFi wasn’t unnecessary— but to her, it was blindsiding. If only she had known beforehand what could be tracked, she thinks, things might have been different. Maybe the paranoia of turning on her phone at school would have had time to settle in in a healthy way instead of all at once.

Maybe she never would have sent those messages at all.

* Names changed to protect anonymity.