How has this been slipping through the cracks, abusing student’s privacy? <\/p>\n\n\n\n
https:\/\/reclaimthenet.org\/the-school-spy-boom-nobody-asked-for<\/a><\/p>\n\n\n By Christina Maas<\/p>\n\n\n\n Instructure, the company that runs Canvas, the learning management system used by 41 percent of North American universities, would like you to know that it takes your privacy very seriously. It says so on its website, right next to the TrustEd Apps Data Privacy Certification Seal.<\/p>\n\n\n\n The company earned that seal while running a system that stored billions of private student messages on servers accessible through unverified free accounts, retained data for years without mandatory deletion schedules, and ultimately responded to the largest education data breach in history by wiring money to criminals in exchange for a text file claiming the stolen data had been destroyed.<\/p>\n\n\n\n The text file, for the record, is called a \u201cshred log.\u201d Instructure received it from ShinyHunters, the hacking group that breached Canvas twice in eight days this May, stole 3.65 terabytes of data across 8,809 institutions, defaced login pages at 330 universities during finals week, and then offered to pinky-promise the data was gone if Instructure paid up. Instructure paid. The amount is undisclosed. Rumors suggest $10 million.<\/p>\n\n\n\n \u201cWhile there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,\u201d Instructure wrote in its announcement.<\/p>\n\n\n\n The company bought peace of mind for 275 million people by taking the word of the criminals who robbed them. It\u2019s a bold strategy. It\u2019s also, according to every cybersecurity expert and law enforcement agency that has expressed an opinion on the subject, exactly what you\u2019re not supposed to do.<\/p>\n\n\n\n But the real story is what was sitting on those servers, why schools keep shoveling more data onto them, and why nobody involved in this arrangement seems to think the students whose data it is should have any say in the matter.<\/p>\n\n\n\n Instructure\u2019s breach disclosure used careful language. Names, email addresses, student IDs, and \u201csome private messages.\u201d That phrasing is designed to make you picture a leaked school directory. It is not a leaked school directory.<\/p>\n\n\n\n Canvas is where students message professors about failing a class because a parent is dying. It\u2019s where they request disability accommodations, which means disclosing their diagnosis. It\u2019s where they report sexual harassment. It\u2019s where they write things they would never put on social media, because they believe they\u2019re talking to one person in confidence.<\/p>\n\n\n\n Instructure itself promotes Canvas as a portal for on-demand mental health support, advertising integrations that let students \u201cconnect with a mental health professional\u201d directly through the platform. So students did. And now those conversations are part of a 3.65-terabyte data package that a criminal group claims to have deleted, based on the same trustworthiness that led them to hack a company twice in one week and replace university login pages with ransom notes.<\/p>\n\n\n\n ShinyHunters\u2019 ransom letter said, \u201cSeveral billions of private messages among students and teachers and students and other students involved, containing personal conversations and other [personal identifying information].\u201d<\/p>\n\n\n\n Whether the number is inflated or not, the category is accurate. These are the most private communications students generate, written under the assumption of confidentiality, stored indefinitely by a company the students never chose, never contracted with, and in most cases never heard of until the week their finals got canceled.<\/p>\n\n\n\n Here\u2019s the part that makes the whole thing feel like satire. None of these 275 million people signed up for Canvas. Not one. You don\u2019t create a Canvas account the way you create a Gmail or an Instagram account. You get enrolled by your university, usually before orientation, into a platform that immediately becomes mandatory for completing your degree. You can\u2019t submit assignments without it. You can\u2019t take exams. You can\u2019t check your grades or communicate with professors through any other channel that the school will recognize. Opting out of Canvas means opting out of your education.<\/p>\n\n\n\n The privacy policy governing what happens to your data on this mandatory platform was not agreed to by you. Your university agreed on your behalf, through a procurement contract you\u2019ve never seen and couldn\u2019t negotiate if you wanted to.<\/p>\n\n\n\n Instructure is refreshingly honest about this arrangement, at least on paper. Its summary privacy notice states, \u201cIf you are an end-user of a school or company that uses our Products, your organization determines how your personal information is processed. This means that your organization\u2019s privacy policy governs the use of your personal information, even when your personal information is shared with us.\u201d<\/p>\n\n\n\n That means your data is Instructure\u2019s problem, except it\u2019s actually your school\u2019s problem, except your school can\u2019t access, secure, or even see the servers where your data lives.<\/p>\n\n\n\n The legal mechanism enabling this pass-the-buck privacy architecture is FERPA\u2019s \u201cschool official\u201d exception, which lets schools hand student records to third-party vendors without student consent, as long as the vendor is \u201cunder the direct control\u201d of the school.<\/p>\n\n\n\n This is a situation where the school has no access to the vendor\u2019s servers, no authority over the vendor\u2019s security practices, and apparently no ability to prevent the same hacking group from breaching the vendor twice in eight months. But sure. Direct control<\/em>.<\/p>\n\n\n\n Canvas lost messages. That\u2019s what this particular breach took. But Canvas is just one slice of a much larger surveillance apparatus that American schools have been building with cheerful enthusiasm, and the next breach will be richer because of it.<\/p>\n\n\n\n Let\u2019s start with bodies. Over two million students in 48 US states now scan their fingerprints every day at school, mostly to buy lunch. Lynchburg City Schools in Virginia rolled out fingerprint scanners across its elementary schools because, and this is the actual justification, the lunch lines were too slow. Kids fumbling with PINs were holding things up.<\/p>\n\n\n\n The obvious solution, of course, was to build a biometric database of children. Fayette County Schools<\/a> in West Virginia has been fingerprinting students for building access for nine years and is now deploying Verkada cameras with facial recognition.<\/p>\n\n\n\n The superintendent explained that \u201cthe more technology and tools we have, I would have to say, the better off we are.\u201d<\/p>\n\n\n\nSomewhere between the biometric lunch lines and the 24\/7 monitoring software, American education became a data hoarding operation with a teaching problem.<\/h5>\n\n\n\n
What \u201csome private messages\u201d actually means<\/h2>\n\n\n\n
Nobody asked you<\/h2>\n\n\n\n
Meanwhile, schools are collecting everything<\/h2>\n\n\n\n