I raise this as a result of an interesting question from Ron Richard,of Meritus University, Canada. Ron asked Tony Vincent, who runs the excellent Learning in Hand site, and myself:

I have recently been researching some web-based resources for our faculty, who teach exclusively online, but who do not venture much outside the limited set of tools provided by our LMS. To this end I was pleased to read on Tony Bates’ web site …. about Learning in Hand and the many resources you have collected therein.

One of the issues that has come to my attention as I read about cloud computing and web applications (an area I am specifically looking into) is privacy and copyright. I would like your take on what I have found to be a pervasive component of many agreements that I see between the user and the web application when they sign that EULA. Here is a section, for example from the agreement with PaperRater, which you (Tony Vincent) have at the top of the list of recommended web apps:

‘By submitting Material to the Web Site, you agree to grant the Company, its agents, affiliates, representatives, licensors, and licensees, a worldwide, irrevocable, nonexclusive, perpetual, royalty-free right (including moral rights) and license to copy, modify, translate, publish, disclose, transfer, assign, sell, and distribute said Material in any form now known or hereafter developed, for any purpose without limitation, and without any obligation of notice, attribution, or compensation to you or another.’

Now I am not suggesting that you should be responsible for every EULA out there, not is it your responsibility to warn people who should occasionally read their own contracts about this sort of thing. Google has a very similar worded section buried in their EULA that grants them access to use in a similar way every email or Google doc you create or receive, which you agree to whenever you sign up for a new account.

What I am wondering, however, is, based on your far more extensive use of such tools than I, do you feel there is any danger or cause for alarm in using software that explicitly claims rights over student work the moment they use the software?

Tony Vincent replied:

Your concerns are certainly legitimate.  I just learned of PaperRater today and added it to my bookmarks (that list is not my top web apps, just my recently bookmarked). I was wondering as I was testing it out where the text I pasted into it would go. Would it appear elsewhere?  I was hoping not. With other web apps, like Blabberize for instance, student submissions can pop up all over the internet by others who embed it.  Usually this is what we want in education–students to create products that are of value to others.  I think the cause for alarm comes from when student work might be shared or copied when they don’t want it to be.  For instance, if a personal reflection typed into Google Docs was somehow made available publicly when the public was not the intended audience.

I haven’t heard of a web app or cloud computing solution cause copyright and privacy problems for schools (yet). I think that is in part because these sites use EULAs that are all encompassing “just in case” and don’t really intend to copy/modify/transfer/etc. the submitted work.  I also think teachers tend to be selective in what web apps they use.  The copyright and privacy implications are definitely things teachers and students need to know about.  I wonder how many teachers even know what a EULA is…?  This would be a good topic for a blog post. 🙂

Here is my reply:

Ron raises an excellent point. First, I should point out that I am not a legal expert. The best person on this topic in Canada is Professor Wesley Wark, Graduate school of Public and International Affairs, University of Ottawa. So my comments should be seen in this context.

The University of British Columbia requires faculty to warn their students  about security and privacy issues if their students are required to use web 2.0 or social media for study purposes. (In other words, it does not forbid faculty to use social media or web 2.0 tools – almost impossible to do in a university, anyway – but does place an obligation on them to advise students of the risks – I think this is correct – anyone from UBC willing to clarify or confirm this?). UBC also provides through a program called ‘Digital tattoo‘ education for students about their web footprint and the implications for security and privacy.

There is a particular issue for Canadian students here. Data located on ‘foreign’ servers are not subject to the same data privacy laws that protect Canadian students.  The U.S. Patriot Act cuts across many privacy requirements for Canadian students, so the concern is that if student data is held on a server in the USA as a result of requirements for study at a Canadian university, and the US government uses that information in a way that is contrary to Canada’s privacy laws, the university could be sued for breach of privacy.  What if a company running a server farm in India decided to sell student data to a commercial organization? There are also issues such as security of data (e.g., what happens to teaching materials or research results stored on an external server if the company hosting the server goes bankrupt?), and ‘quality control’, (e.g., ‘naive’ teachers exposing students to unreliable or educationally inappropriate applications of technology). Recently, there was a recent report on Avatar Rape in Second Life. Second Life is an ‘open’ community – so what happens when a student using Second Life for study purposes is abused by someone from outside the university’s community?

Many of these issues can be addressed by using common sense (not always prevalent though in faculty or students), and the same rules or procedures that apply to campus-based students can be applied just as well to online environments in most cases. Most universities have codes of conduct for online behaviour. However, as in the Second Life example, there are situations where on-campus or ‘within institution’ online policies and procedures won’t apply or work. Also no university wants to be the first ‘test case’ on an issue that is likely to go as far as the Supreme Court of Canada, with all the inherent costs and risks.

Security of student data and privacy is a growing issue and governments in Canada are beginning to take it seriously. For instance, Alberta’s Auditor-General has required the Alberta government to put in place in all its post-secondary educational institutions an IT management governance protocol that ensures that each institution has procedures and policies to protect student (and staff) data, and a clear line management responsibility for security. Vancouver Community College is currently negotiating with the BC Privacy Commissioner a set of protocols about what is and is not acceptable in terms of web 2.0 applications regarding student privacy, and the rest of the province’s educational institutions are watching this with considerable interest.

Another possible solution for safeguarding privacy is for institutions or government agencies to negotiate specific agreements with companies such as Google, exempting the institutions from some of the standard requirements in the EULA. Another is to have an ‘inner cloud’ where provinces or states run their own server farms that provide a security filter before connecting to external servers on the World Wide Web, although I don’t know of anyone that has done this yet (at least in North America – China has a similar system for the Internet as a whole, which is a pretty good indication of the likely opposition if this was tried in North America).

Ron added one more spin on the topic:

I was working at the University of Windsor a while back when they were evaluating new LMS systems to install campus-wide (they were the first in the country to go with Sakai, by the way), and one of the issues we had in the early stages of testing and evaluating was whether we would consider allowing an LMS provider to host the service for a year or two until we felt able to get the infrastructure and expertise in place to run it ourselves. Our legal counsel advised us that any such hosting had to ensure all student files and information had to be housed on Canadian soil, for the very same security and Homeland Security issues you mentioned.

The answer to the question posed in the heading is of course, yes – but there are risks. Now if we listened to lawyers nothing would probably ever get done. Their job is to point out risk, and decision-making requires risk to be balanced by potential benefits, and those of us who are using web 2.0 tools know the benefits are huge. I think Vancouver Community College is doing the right thing by working with the BC Privacy Commissioner to reduce risk and clarify the ground rules.

Ron and Tony and I would be really interested to hear more from others – particularly those with a legal background – about this issue. How can we use web 2.0 tools in a practical way while at the same time protecting student data and privacy? Let’s hear from YOU!

9 COMMENTS

  1. Good post Tony, I think the summary of the current situation is pretty accurate – basically, that while individual instructors can and do make use of some of these tools and take sensible steps to mitigate some of the issues, in general there remains a lot of fear and doubt surrounding their endorsement at any sort of “insitutional” level mostly because of uncertainty about the specific ramifications of FIPPA and the Patriot Act.

    At BCcampus where I work we are hoping we can help clarify these muddy waters here in BC (it is important to note that provincial privacy legislations DO differ across Canada) – we commissioned VIU to research and report back on this issue, something that should become available by early summer, and are also planning on hosting some sort of event late Spring/early Summer around this issue to both clarify it and share some ways people are addressing it. So more soon hopefully. I too very much applaud VCC for taking a leadership role in this and look forward to hearing more from them on their process and its results. Cheers, Scott

  2. I am certinly not a legal eagle but am generally aware of the subtleties of most EULAs that I sign up to. However, I think that there needs to be clarification between cloud computing and Web2.0.

    I can understand the dangers, particularly for minors, of those cloud-based sites where we have little control or ‘take-back’ of our artefacts. However, all the activities claimed as ‘Web2.0’ can be performed within the e-safe environment of an e-Portfolio system such as eFolio rather than blasting them into the unknown.

    Best Wishes,
    Ray T

  3. I see two issues here. The first is when the individual academic staff member starts to use an external service for teaching and learning and secondly when a university engages a third party to provide an externally hosted service for the entire institution.

    With regards to the former, academic staff do not have a good understanding of the privacy, security and copyright implications of using external services. Not to mention the requirement to disclose to students when and why their information will be stored in an external service and whether they have any choice in the matter. Many (most?) universities currently have great difficulty in providing adequate guidelines to academic staff about using such services. This is mainly because university administration doesn’t understand them and the sheer number of services available makes it difficult to assess the legal implications of all of them. It may take two months to do a privacy impact assessment of the service in question and longer to develop appropriate policies to allow their use within the requirements of local state or federal privacy legislation. Even then it is difficult to enforce policies which puts the university at risk.

    Institution-wide agreements with third party services are marginally easier to deal with although they are still problematic. Management of approvals is challenging. We can implement secure methods for data transfer but it is difficult to audit data management in third party providers who may be in different countries (incidentally the Patriot Act causes us a lot problems and we often can’t host data in US data centres because of it). Wht happens if the service is acquired by another organisation? What if they move their data centres (even to another state)? What happens to student data after the student leaves? How do we archive assessment artefacts? Does the external service have the same SLA as the internal ITS organisation (e.g. response times? fix times?). How mission critical is the service? I could go on.

    It seems that most of my work at the moment is in negotiating agreements with external service providers for my university and then working on the implications for the university when service providers don’t modify their agreements (often understandably).

    Obviously we are in a period of great flux and university policy and legislation are behind the times. In order to overcome the murkiness I think that we will eventually deinstitutionalise many university services. For example we may well say to students that, in order to assess you, the university needs to be able to view specific artefacts. How you do that is up to you. You may use one of many eportfolio or online collaboration systems of your choice just as long as you tell us what that is so we can find it and assess it. The same might go group work. The academic might say to student’s; here are a number of wiki systems (including one that the university runs). You guys choose one to develop your group wiki.

    I’ve written too much as usual.

  4. Although the discussion on this page is still valid and important, I would like to point out that the line referenced by this article from the PaperRater.com terms of service was actually removed 2 days before this article was published.

  5. Jay is absolutely right. The Terms of Use at this particular site have indeed changed, though if he is right about the timing, they would have changed the very evening that I noticed it and quoted this section from the version I saw.

    Still, the new agreement is far less onerous than what was there before, and I would have far fewer qualms about recommending sites with this sort of agreement to our students. So kudos to PaperRater.com for doing the right thing.

    And, indeed, it does not change the importance of this discussion in general.

    Ron Richard

LEAVE A REPLY

Please enter your comment!
Please enter your name here