Blog

2022 K-12 Edtech Benchmark Revisited: Unvetted Off-the-Shelf Apps Outnumber Licensed Apps 2-to-1

Written by Internet Safety Labs
August 6, 2025

A new school year is upon us and ISL wants to remind educators and school technologists that they need to take as much care scrutinizing safety risks in off-the-shelf (OTS) technologies recommended to students as they do for technologies licensed by the schools. 

We recently went back over the data from our 2022 benchmark and confirmed that most technologies pushed to K-12 students in the US are recommended (not required), and unvetted off-the-shelf technologies that students use completely independently of school privacy controls or oversight.   

Schools Recommend Too Many Technologies to Students 

One of the most striking findings from our 2022 US K12 EdTech Benchmark was seeing just how many technologies schools were pushing students to use.  

We ended up counting apps used in each school in three different ways. We initially looked for a single list of all the technologies that a school was either recommending or requiring. Ideally, we were looking for discrete lists of each type—recommended or required. However, most schools did not have clean, singular lists of apps, which meant we needed to hand count the number of all apps mentioned by the school and/or district websites as being used by students (“manual app count”). We hand-counted all 663 schools.  Some schools or more frequently school districts had full app lists maintained by their IT departments, and many districts maintained lists of technologies in the Student Data Privacy Consortium (SDPC) database. We called these lists “simple aggregated lists”. Finally, for many of the schools that had simple aggregated lists, they also indicated if an app was “approved” or not. We called these lists of approved apps “approved technology lists”. To summarize the types of app list counts: 

(1) Manual app count: Researchers hand counted the number of apps found across school and district websites1. This was                    performed for all 663 schools. 
(2) Simple aggregated list: For 222 schools we found simple aggregated lists of apps that were larger than the manual count.
(3) Approved technology list: For the 222 schools that had a simple aggregated list [larger than the manual count], 153 of them          distinguished approved from unapproved apps on those lists.


As can be seen in Table 1, the manual count yielded an average of 19 apps per school, but schools with simple aggregated lists averaged 191 apps, and strangely, the subset of schools with approved apps averaged 214 apps. Yikes.  

Table 1 
 LIST TYPE AVERAGE NUMBER OF APPS
Manual app count (n=663) 19
Simple aggregated list (n=222) 191
Approved technology list (n=153) 214


Do schools really need to recommend 200 different apps and websites for student use?
 

Recommended Versus Required Apps 

As mentioned earlier, in our manual counting of technologies we designated an app as either “required” or “recommended”. Apps were deemed “required” due to prominent presence on school websites, often with a login.2 Similarly, custom apps that were clearly branded for the school or district were also designated as required. Thus, required apps in our research were always licensed by schools. As such, these technologies were held to greater scrutiny and vetting, and student accounts were generally provisioned and managed by the schools3. In this way, the school had “joint data controller” responsibilities alongside the app developer.4

“Recommended” technologies, however, were always off-the-shelf (OTS) technologies, which students would access or download at their own discretion, creating their own accounts independent of the school. 

We knew that the percentage of required apps was small compared to the recommended apps. But what was the breakdown of “required” versus “recommended” apps? We thought the distribution might follow the 80-20 Pareto principle: that 20% of the apps were required, and 80% were recommended. We decided to go back and run the numbers.  

Table 2 below shows the numbers for the different types of app count lists. The manual app count method failed to account for the sometimes massive, aggregated lists. Similarly, the aggregated list numbers distorted the overall data set. The bottom-line row in the table, “Manual + Approved list”, combines the manual counts for schools without simple aggregated lists with the approved technology counts [for schools that had them] to best provide a number for the national results.  

As can be seen, it was closer to 70-30 than 80-20. On average, schools were pushing nearly 58 technologies to students, with 28.9% of them being required, and 71.1% being recommended.5 The vast number of apps schools are pushing on students are merely recommended unvetted off-the-shelf apps. Despite the apps being “approved” by the schools in the approved technology lists, we know that in many cases, the only vetting is whether or not a Privacy Policy exists. This is not a sufficient form of vetting to ensure student data privacy. Schools are subjecting students to unvetted and ungoverned technologies—sometimes more than 200 such technologies. Recall also that nearly 30% of the recommended technologies for students are neither strictly educational apps nor apps designed for children, and in the latter case, they are not covered by COPPA compliance. 

Table 2 
Type of App List #
Schools
Average Total # of Technologies Average # of Required / Licensed Technologies Required / Licensed Techs Average % of All Tech  Avg # of Recommended / OTS technologies  Recommended / OTS Techs Average % of All Tech  Max # of Technologies
Manual App Count 663  19.0  5.1  33.4%  13.9  66.6%  106 
Simple Aggregated List 222  190.7  5.5  9.7%  185.2  90.3%  1411 
Approved Technology List 153  214.3  5.3  6.3%  209.0  93.7%  1411 
Manual + Approved List 663  57.7  5.1  28.9%  57.8  71.1%  1411 


Conclusions 
 

When we consider “edtech” as the combination of licensed and OTS technologies as in our 2022 benchmark, a primary risk for students is the high—sometimes exceedingly high—number of unvetted off-the-shelf technologies that schools are recommending they use.6 Until technology is reasonably safe for children ISL recommends schools undertake the following:

  1. Minimize the number of technologies recommended to students. 
    a. Especially minimize the number of apps that are not specifically for children.
        i. ISL doesn’t propose (or support a paradigm of) age-gated versions of commonly recommended mixed-audience apps like         news, museum, zoo, and reference apps. These apps must be made safer for children of all ages (i.e. for all of us).
  2. Screen all OTS technologies recommended for student use. Ideally, these should be vetted as carefully as licensed technologies, though we know that’s not practical for all schools
    a. Use ISL’s App Microscope to learn more about privacy risks in commonly recommended apps. Can’t find your app? Contact us        at schools@internetsafetylabs.org.  
    b. Recommend only apps that are COPPA certified. This won’t stop all commercial surveillance and data sharing, but it at least             minimizes some data sharing.
    c. Put in place Data Privacy Agreements (DPAs) for all technologies recommended to students, i.e. for both licensed and OTS                technologies. This requires some dedicated personnel to administer, but Access4Learning’s Student Data Privacy Consortium          has agreement templates readily available here https://privacy.a4l.org/.  
    d. Annually audit DPAs against the actual technology behavior. This is a service that ISL has provided for one US state school board      and is more than happy to provide at reasonable rates. Contact us schools@internetsafetylabs.org.  

 

Footnotes:

  1. Note that the apps found via the manual count were the apps that were audited in the research. Due to the volume of listed apps, ISL did not audit all of the apps found in the simple aggregated lists. More discussion can be found in the first findings report.
  2. “2022 K-12 EdTech Safety Benchmark National Findings – Part 1”, Internet Safety Labs, December 13, 2022, Section 7.2.1, p. 89, https://internetsafetylabs.org/wp-content/uploads/2022/12/2022-k12-edtech-safety-benchmark-national-findings-part-1.pdf
  3. These required apps also more narrowly align with traditional “EdTech” categories, whereas the recommended technologies included a large percentage of apps not intended for children.
  4.  We wrote about this in a blog post from 2023 called, “Data Controller Confusion in EdTech”,   https://internetsafetylabs.org/blog/insights/data-controller-confusion-in-edtech/.
  5. NOTE that the average percentages shown in Table 1 reflect an average of each school’s percentage of required/recommended apps.
  6. Licensed technologies are also risky, especially the Community Engagement Platforms which shared data [on purpose] with the most third party entities and data brokers, like this app, no longer available on the app store: https://appmicroscope.org/app/1579/.