from the Big-Brother^W-Business-is-watching-you dept.
Hundreds of colleges and universities are suddenly shutting their doors and making a rapid switch to distance learning in an effort to slow the spread of novel coronavirus disease. Likewise, hundreds of K-12 districts nationwide have either already followed suit or are likely to in the coming days.
[...] Even when all of the immediate logistical and technical needs have been triaged and handled, though, there remains another complicating factor. While the United States doesn't have all that much in the way of privacy legislation, we do, in fact, have a law protecting some student educational data. It's called the Family Educational Rights and Privacy Act, or FERPA.
FERPA applies to both written and digital student records. For students under age 18, the provisions about what may (or must) be shared or not shared apply to their parents or guardians. Once a student turns 18, the protections transfer to them directly. The provisions also apply directly to any student enrolled in a college, even if that student is not yet 18 (such as in community college dual-enrollment programs for high school juniors and seniors).
The act prohibits "improper disclosure" to third parties of personally identifiable information (PII) derived from student records. Schools are not prohibited from allowing vendors access to information for the purpose of providing services—you can use third-party digital tools for administrative and educational purposes without being in violation of the law. But the school may then be held responsible if the vendors then do shady things with student data.
[...] Software platforms allowing videoconferencing, recording, and screen sharing have all seen a massive spike in use in recent weeks. Microsoft, Google, Slack, and Zoom are all offering discounts or extra features to businesses, groups, and individuals to help with the everything-from-home era in which we (hopefully temporarily) find ourselves. Not all of those tools, many of which are designed for enterprise use, are necessarily going to be compliant with educational regulations.
[...] In 2013, a group of students sued Google over its "creepy" data-mining from Google Apps for Education tools. Google ended the practice in 2014, only to be sued again in 2016 by a group of current and former university students alleging their data was collected and retained from their Google academic accounts in violation of the Electronic Communications Privacy Act.
Some local school boards have already rolled out full remote learning curricula, starting Monday (seems to me there have been plans in the works for years to make something like this happen this fast). Others appear flat-footed and clueless. We did some homeschooling with our kids a couple of years ago, and the one website that really clicked with us was (shameless plug) https://ixl.com.
I know we had a Soylent story just over a week ago asking for alternatives to the ubiquitous (and well-deserved first-place recommendation) Khan. Now that it's a little less abstract, and looking more certain that the kids won't be returning to physical school buildings until the fall... what do you look for in online learning services?
Our criteria were: easy for the kids to self-learn the material as presented, easy to track progress and identify areas where extra instruction might help, clear documentation of subjects covered and relative mastery of each, easy for kids to self-select appropriate subject areas to study, reasonable cost.
Khan certainly presents material clearly, and the cost can't be beat, but we found IXL to be superior in the other areas, and when you think about the tremendous number of hours invested by you and your kids in the learning system, the cost isn't really significant ($20/month for one, $24 for two).
Has anybody else taken a serious plunge into online learning and found something "better than Khan" for your purposes?
[Ed. addition follows. --martyb]
See our previous story: Student Privacy Laws Still Apply if Coronavirus Just Closed Your School and take a close look at future provider's security and privacy practices. From the article linked to in the previous story https://arstechnica.com/tech-policy/2020/03/watch-out-for-privacy-pitfalls-if-your-school-is-suddenly-online-only/:
[...] In an email dated March 28, SpaceX told employees that all access to Zoom had been disabled with immediate effect.
"We understand that many of us were using this tool for conferences and meeting support," SpaceX said in the message. "Please use email, text or phone as alternate means of communication."
[...] NASA, one of SpaceX's biggest customers, also prohibits its employees from using Zoom, said Stephanie Schierholz, a spokeswoman for the U.S. space agency.
The Federal Bureau of Investigation's Boston office on Monday issued a warning about Zoom, telling users not to make meetings on the site public or share links widely after it received two reports of unidentified individuals invading school sessions, a phenomenon known as "zoombombing."
Also consider that one way to claim to have "end to end encryption" is to simply re-define the term. Zoom Meetings Aren't End-to-End Encrypted, Despite Misleading Marketing:
Zoom, the video conferencing service whose use has spiked amid the Covid-19 pandemic, claims to implement end-to-end encryption, widely understood as the most private form of internet communication, protecting conversations from all outside parties. In fact, Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio from meetings.
With millions of people around the world working from home in order to slow the spread of the coronavirus, business is booming for Zoom, bringing more attention on the company and its privacy practices, including a policy, later updated, that seemed to give the company permission to mine messages and files shared during meetings for the purpose of ad targeting.
Over the past few weeks, Zoom's use has exploded since it became the video conferencing platform of choice in today's COVID-19 world. (My own university, Harvard, uses it for all of its classes. Boris Johnson had a cabinet meeting over Zoom.) Over that same period, the company has been exposed for having both lousy privacy and lousy security. My goal here is to summarize all of the problems and talk about solutions and workarounds.
In general, Zoom's problems fall into three broad buckets: (1) bad privacy practices, (2) bad security practices, and (3) bad user configurations.
Privacy first: Zoom spies on its users for personal profit. It seems to have cleaned this up somewhat since everyone started paying attention, but it still does it.
Now security: Zoom's security is at best sloppy, and malicious at worst. Motherboard reported that Zoom's iPhone app was sending user data to Facebook, even if the user didn't have a Facebook account. Zoom removed the feature, but its response should worry you about its sloppy coding practices in general:
"We originally implemented the 'Login with Facebook' feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data," Zoom told Motherboard in a statement on Friday.
Finally, bad user configuration. Zoom has a lot of options. The defaults aren't great, and if you don't configure your meetings right you're leaving yourself open to all sorts of mischief.
In a statement late Friday, Zoom CEO Eric Yuan admitted to mistakenly routing calls via China.
"In our urgency to come to the aid of people around the world during this unprecedented pandemic, we added server capacity and deployed it quickly — starting in China, where the outbreak began," Yuan said. "In that process, we failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect."
He did not say how many users were affected.
During spells of heavy traffic, the video-conferencing service shifts traffic to the nearest data center with the largest available capacity – but Zoom's data centers in China aren't supposed to be used to reroute non-Chinese users' calls.
This is largely due to privacy concerns: China does not enforce strict data privacy laws and could conceivably demand that Zoom decrypt the contents of encrypted calls.
Separately, researchers at the University of Toronto also found Zoom's encryption used keys issued via servers in China, even when call participants were outside of China.
[...] Zoom has faced multiple high-profile security issues in recent weeks as it struggles to cope with an unprecedented surge in traffic and new users.
Zoom did not immediately respond to Business Insider's request for comment and clarification.