Apr 30 2020

Protecting Data Privacy in a Remote Learning Landscape

With students and faculty spending an increasing amount of time online, data privacy has never been more important — or more challenging.

Soon after colleges and universities around the nation announced they would transition to fully remote learning in response to COVID-19, technology giants like Google, Cisco and Microsoft announced they would provide discounted — and in some cases free —versions of many of their most popular collaboration platforms and software to help schools around the country weather the pandemic.

While many expressed gratitude over the ability to access tools they might otherwise not be able to afford, the gesture was also met with some degree of skepticism. After years of grappling over the data privacy sacrifices associated with social media participation and free software downloads, American consumers have largely come to the realization that, when it comes to the web, there is no such thing as a free lunch. But that doesn’t stop us from circling the free buffet.

Free Software Often Comes with Inadvertent Regulatory and Cybersecurity Costs

Universities have long struggled with how to manage students and faculty who veer beyond the technology boundaries set by their IT departments. It’s a problem that’s only grown as more and more internet-connected devices are introduced to campus networks — and with them, more applications and more traffic. “Information security used to be the office of ‘no,’” says Brian Kelly, director of the cybersecurity program at EDUCAUSE. “We would always be the ones saying, ‘No, you can’t do that. No, that’s not secure.’”

These days, Kelly says, IT teams strive to empower and enable learning through knowledge sharing and collaboration. Even so, there will always be users who, knowingly or unknowingly, circumvent IT policies. 

“In security, we always say that you have security and you have convenience,” Kelly says. “They’re always at opposite ends of the spectrum. The more secure you make something, the less convenient it becomes.”

Of course, at schools with student and faculty populations that could fill a small town, the reach of IT security pros only extends so far. There’s only so much that can be done to prevent a faculty member from using a free file sharing service or a student from downloading a free application.

When you’re using free tools, it’s important to realize that those tools aren’t actually free.

Sol Bermann CISO, University of Michigan.

Free, however, is a relative term.

“When you’re using free tools, it’s important to realize that those tools aren’t actually free,” says Sol Bermann, CISO at the University of Michigan. “Those free tools are using you and your data as the currency or payment.”

Once that data is handed over, it’s gone; there’s no demanding a refund. In the best-case scenario, it winds up in the hands of companies that might pepper your newsfeed with targeted advertisements. More concerning are those with more malicious intent: the hackers and scammers looking to steal data for nefarious reasons. 

Then there are regulatory concerns. The more time universities have students and faculty spending in the digital universe, the more opportunity there is to violate student privacy laws such as the Family Educational Rights and Privacy Act (FERPA). 

“Universities are obviously using technologies now that they may not have previously,” says LeRoy Rooker, director of the U.S. Department of Education’s Family Policy Compliance Office. It’s critical, he says, that the technology being used doesn’t create what could be considered private education records and then inadvertently disclose those records to unauthorized parties.

Cybersecurity Is a Shared Responsibility

Universities have a clear responsibility to safeguard the data of their students and faculty, Rooker says, by ensuring those solutions and the people using them comply with privacy regulations. 

To that end, Rooker says, it’s critical that university IT teams and faculty work with university contracting and compliance experts to ask the right questions and do their due diligence. “I’ve yet to come across a vendor who didn’t say they were FERPA compliant,” Rooker says. “And, as I tell institutions, some of them actually are.”

The cybersecurity burden, however, doesn’t fall only to the university, but also to the students and faculty themselves. “We are ever more reliant on individuals to understand that they have a shared responsibility to maintain security,” Bermann says. “Security is not just done for you. You have to do your part.”

MORE ON EDTECH: Learn the Difference Between Security, Privacy and Confidentiality

For students and faculty, often the best means of ensuring personal safety is by adhering to the guidelines of and adopting the software selected by the university’s IT department. 

“We strongly urge our faculty and students to make sure they’re using the software we provide, because our contracts provide specific assurances about how the data can be used and shared,” Bermann says. “That includes restrictions about it being used for advertising or other purposes beyond the scope of the service. Our contracts are, frankly, the greatest privacy guarantee we have.”

“Can we stop our community from downloading or accessing free software or using free services?” Bermann says. “No. But we certainly strive to make sure that they have the appropriate tools at their fingertips to do the job. We recognize it might not be exactly the perfect fit or what they want to use all the time, but part of that shared responsibility is to remember it is about more than just the individual. It’s about the community and institution.”

dusanpetkovic / iStock / Getty Images Plus