How has this been slipping through the cracks, abusing students’ privacy?
https://reclaimthenet.org/the-school-spy-boom-nobody-asked-for
Somewhere between the biometric lunch lines and the 24/7 monitoring software, American education became a data hoarding operation with a teaching problem.
By Christina Maas
Instructure, the company that runs Canvas, the learning management system used by 41 percent of North American universities, would like you to know that it takes your privacy very seriously. It says so on its website, right next to the TrustEd Apps Data Privacy Certification Seal.
The company earned that seal while running a system that stored billions of private student messages on servers accessible through unverified free accounts, retained data for years without mandatory deletion schedules, and ultimately responded to the largest education data breach in history by wiring money to criminals in exchange for a text file claiming the stolen data had been destroyed.
The text file, for the record, is called a “shred log.” Instructure received it from ShinyHunters, the hacking group that breached Canvas twice in eight days this May, stole 3.65 terabytes of data across 8,809 institutions, defaced login pages at 330 universities during finals week, and then offered to pinky-promise the data was gone if Instructure paid up. Instructure paid. The amount is undisclosed. Rumors suggest $10 million.
“While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” Instructure wrote in its announcement.
The company bought peace of mind for 275 million people by taking the word of the criminals who robbed them. It’s a bold strategy. It’s also, according to every cybersecurity expert and law enforcement agency that has expressed an opinion on the subject, exactly what you’re not supposed to do.
But the real story is what was sitting on those servers, why schools keep shoveling more data onto them, and why nobody involved in this arrangement seems to think the students whose data it is should have any say in the matter.
What “some private messages” actually means
Instructure’s breach disclosure used careful language. Names, email addresses, student IDs, and “some private messages.” That phrasing is designed to make you picture a leaked school directory. It is not a leaked school directory.
Canvas is where students message professors about failing a class because a parent is dying. It’s where they request disability accommodations, which means disclosing their diagnosis. It’s where they report sexual harassment. It’s where they write things they would never put on social media, because they believe they’re talking to one person in confidence.
Instructure itself promotes Canvas as a portal for on-demand mental health support, advertising integrations that let students “connect with a mental health professional” directly through the platform. So students did. And now those conversations are part of a 3.65-terabyte data package that a criminal group claims to have deleted, based on the same trustworthiness that led them to hack a company twice in one week and replace university login pages with ransom notes.
ShinyHunters’ ransom letter said, “Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other [personal identifying information].”
Whether the number is inflated or not, the category is accurate. These are the most private communications students generate, written under the assumption of confidentiality, stored indefinitely by a company the students never chose, never contracted with, and in most cases never heard of until the week their finals got canceled.
Nobody asked you
Here’s the part that makes the whole thing feel like satire. None of these 275 million people signed up for Canvas. Not one. You don’t create a Canvas account the way you create a Gmail or an Instagram account. You get enrolled by your university, usually before orientation, into a platform that immediately becomes mandatory for completing your degree. You can’t submit assignments without it. You can’t take exams. You can’t check your grades or communicate with professors through any other channel that the school will recognize. Opting out of Canvas means opting out of your education.
The privacy policy governing what happens to your data on this mandatory platform was not agreed to by you. Your university agreed on your behalf, through a procurement contract you’ve never seen and couldn’t negotiate if you wanted to.
Instructure is refreshingly honest about this arrangement, at least on paper. Its summary privacy notice states, “If you are an end-user of a school or company that uses our Products, your organization determines how your personal information is processed. This means that your organization’s privacy policy governs the use of your personal information, even when your personal information is shared with us.”
That means your data is Instructure’s problem, except it’s actually your school’s problem, except your school can’t access, secure, or even see the servers where your data lives.
The legal mechanism enabling this pass-the-buck privacy architecture is FERPA’s “school official” exception, which lets schools hand student records to third-party vendors without student consent, as long as the vendor is “under the direct control” of the school.
This is a situation where the school has no access to the vendor’s servers, no authority over the vendor’s security practices, and apparently no ability to prevent the same hacking group from breaching the vendor twice in eight months. But sure. Direct control.
Meanwhile, schools are collecting everything
Canvas lost messages. That’s what this particular breach took. But Canvas is just one slice of a much larger surveillance apparatus that American schools have been building with cheerful enthusiasm, and the next breach will be richer because of it.
Let’s start with bodies. Over two million students in 48 US states now scan their fingerprints every day at school, mostly to buy lunch. Lynchburg City Schools in Virginia rolled out fingerprint scanners across its elementary schools because, and this is the actual justification, the lunch lines were too slow. Kids fumbling with PINs were holding things up.
The obvious solution, of course, was to build a biometric database of children. Fayette County Schools in West Virginia has been fingerprinting students for building access for nine years and is now deploying Verkada cameras with facial recognition.
The superintendent explained that “the more technology and tools we have, I would have to say, the better off we are.”
Pearson, which runs 21 million certification exams a year, announced in January that it’s rolling out palm-print biometrics across its global testing network by mid-2026, layering palm-print scanning on top of the palm-vein system it has used since 2006.
Your hand is now a login credential, and the mathematical representation of your palm sits on a server somewhere. Vendors love to point out that they don’t store actual fingerprint images, just numerical templates. This is technically true and practically meaningless, because the templates are linked to student names and IDs, and they’re stored on servers defended by the same industry that just let ShinyHunters walk off with 3.65 terabytes of student data through an unverified free account.
Then there’s what students write, think, and search for. Gaggle, GoGuardian, Securly, Bark, and Lightspeed have built a multi-billion-dollar industry on the premise that every word a child types on a school-issued device should be read by an algorithm in real time.
Gaggle alone tracks approximately six million students across 1,500 school districts, scanning emails, documents, and chat messages around the clock.
According to the Center for Democracy and Technology, 81 percent of teachers say their schools use some form of student monitoring software, and only one in four say the monitoring stops when school hours end.
The rest of the time, these systems are watching students at home, on evenings and weekends, reading their Google Docs drafts and flagging their Canvas messages.
But here’s the part relevant to the Canvas breach. Every one of these surveillance systems generates data. Gaggle archives student communications for “compliance.” GoGuardian logs browsing histories. Securly builds behavioral profiles. All of it flows to vendor servers under the same FERPA “school official” exception that lets Instructure hold billions of private messages. All of it sits there, accumulating, because no one told anyone to delete it. And all of it will be part of the next breach.
Gaggle, to its credit, offers a wonderfully precise summary of what it does and doesn’t monitor. It “does not monitor students’ social media accounts, personal email accounts, personal devices, or web browsers.” It does monitor “content and activity, such as documents or chat messages, produced using a school-owned device, email address, or online tools within Google Workspace for Education, Microsoft 365, Google Chat, Microsoft Teams, and the Canvas learning management system.” So it doesn’t monitor your personal stuff. It just monitors everything you do on the device the school gave you, the email the school assigned you, and the learning platform the school requires you to use.
The hoarder’s paradise
Instructure’s privacy policy says it keeps your data “for as long as we have a legitimate business need to do so or as required by law.” If that sounds like it could mean anything, that’s because it can. “Legitimate business need” is whatever Instructure decides it is. The policy doesn’t specify how long your Canvas messages stick around, whether they get deleted when you graduate, or what happens to them if your school switches to a different LMS.
Instructure was acquired by KKR and Dragoneer Investment Group for $4.8 billion in November 2024. The company has a stated goal of reaching $1 billion in revenue by 2028.
Under private equity ownership, data is a balance sheet item. Minimizing data, holding less, deleting sooner, means destroying value. The company that couldn’t isolate free trial accounts from its production servers is being run on a growth timeline set by a private equity firm.
If you were looking for an explanation of why Instructure built a customer acquisition program that shared infrastructure with the private messages of 275 million students, you could do worse than look at who writes the checks.
Instructure will improve its security. ShinyHunters will find a new target. The lawsuits will settle and the fundamental architecture will remain: students conscripted into platforms they didn’t choose, surveilled by software they don’t know about, identified by biometrics they can’t revoke, generating data they can’t control, all of it stored by companies whose financial incentives point in the opposite direction from the students’ interests.
The 275 million people whose data was stolen from Canvas this month are trusting the word of a criminal hacking group that their private messages have been deleted.
At some point in the future, the breach won’t just be messages. It’ll be the fingerprints, the surveillance logs, the behavioral profiles, and the mental health disclosures that schools have been enthusiastically collecting ever since.
Every new data point a school adds to the pile is a gift to the next ShinyHunters. And right now, schools are giving very generously.