The shift to online learning in universities has been facilitated by remote learning software but these tools have resulted in increased privacy and security risks.
Many educational institutions were poorly positioned to understand let alone manage this threat.
A new Interdisciplinary study by researchers from the Center for Information Technology at Princeton University offers non-specialists insight into the security and privacy issues presented by the brave new world of remote learning.
A research paper (PDF), ‘Virtual Classrooms and Real Harms’, offers a threat model and advances recommendations for universities and policymakers.
The researchers surveyed 105 educators and 10 administrators who determine their expectations and concerns before running a privacy and security analysis of 23 popular platforms, including Zoom and Microsoft Teams. Technical work looking into the platforms was combined with sociological analysis of the privacy policies of US states in order to make recommendations.
The shift to online learning has made data collection much easier and popular platforms such as Canvas, Piazza, and Slack, have “taken advantage of this changed environment to act in ways that would be objectionable in the physical classroom – such as selling data about interactions to advertisers or other third parties,” the researchers warn.
The researchers found that 41% of 23 platforms assessed had policies that “permitted a platform to share data with advertisers, which conflicts with at least 21 state laws”. Around a quarter (23%) allowed a platform to share location data.
Universities use Data Protection Addenda (DPAs) for institutional licenses to supplement or even supplant the default privacy policies of platforms. These instruments cause platforms to significantly shift their data practices, including stricter limits on data retention and use, according to the researchers.
Syllabus for improvement
The study allowed the researchers to put forward a series of five recommendation to universities.
Academic institutions ought to realize the significant differences between free (or individually licensed) versions of software and institutional versions, argue the researchers. “Universities need to work on informing educators about those differences and encourage them to use institutionally-supported software,” they recommend.
Secondly universities “should use their ability to negotiate DPAs and institute policies to make platforms modify their default practices that are in tension with institutional value”.
The researchers behind the study cautioned against a complex vetting process before licensing software. “That path leads to significant usability problems for end users, without addressing the security and privacy concerns,” according to the researchers, who advocate a more interactive post-purchase software utility feedback process between the education sector and remote learning software developers.
Universities should ask developers for software that can be customized to suit their needs as educational institutions.
Lastly the Princeton University-based team argued that regulators should make “remote learning platforms more accountable for compliance with legal requirements”, supporting institutions in requiring baseline security practices.
Defending educational norms
Arvind Narayanan, one of the paper’s authors, commented on Twitter that “many online education platforms track and profit from student data, but universities are able to use their power to negotiate contracts with vendors to get much better privacy.”
In a blog post summarizing the study and these recommendations, the Princeton team conclude: “The shift to virtual learning requires many sacrifices from educators and students already. As we integrate these new learning platforms in our educational systems, we should ensure they reflect established educational norms and do not require users to sacrifice usability, security, and privacy.”
The Daily Swig asked the researcher for comment on what advice he had for the many organizations outside education who have also come to rely on video conferencing during the pandemic.
No word back as yet but we’ll update this story as and when more information comes to hand.
Source: https://portswigger.net/daily-swig/universities-urged-to-review-remote-learning-software-in-order-to-minimize-security-risks