I raise this as a result of an interesting question from Ron Richard, of Meritus University, Canada. Ron asked Tony Vincent, who runs the excellent Learning in Hand site, and myself:
I have recently been researching some web-based resources for our faculty, who teach exclusively online, but who do not venture much outside the limited set of tools provided by our LMS. To this end I was pleased to read on Tony Bates’ web site …. about Learning in Hand and the many resources you have collected therein.
One of the issues that has come to my attention as I read about cloud computing and web applications (an area I am specifically looking into) is privacy and copyright. I would like your take on what I have found to be a pervasive component of many agreements that I see between the user and the web application when they sign that EULA. Here is a section, for example from the agreement with PaperRater, which you (Tony Vincent) have at the top of the list of recommended web apps:
‘By submitting Material to the Web Site, you agree to grant the Company, its agents, affiliates, representatives, licensors, and licensees, a worldwide, irrevocable, nonexclusive, perpetual, royalty-free right (including moral rights) and license to copy, modify, translate, publish, disclose, transfer, assign, sell, and distribute said Material in any form now known or hereafter developed, for any purpose without limitation, and without any obligation of notice, attribution, or compensation to you or another.’
Now I am not suggesting that you should be responsible for every EULA out there, nor is it your responsibility to warn people who should occasionally read their own contracts about this sort of thing. Google has a very similarly worded section buried in their EULA that grants them access to use in a similar way every email or Google doc you create or receive, which you agree to whenever you sign up for a new account.
What I am wondering, however, is, based on your far more extensive use of such tools than I, do you feel there is any danger or cause for alarm in using software that explicitly claims rights over student work the moment they use the software?
Tony Vincent replied:
Your concerns are certainly legitimate. I just learned of PaperRater today and added it to my bookmarks (that list is not my top web apps, just my recently bookmarked). I was wondering as I was testing it out where the text I pasted into it would go. Would it appear elsewhere? I was hoping not. With other web apps, like Blabberize for instance, student submissions can pop up all over the internet by others who embed it. Usually this is what we want in education–students to create products that are of value to others. I think the cause for alarm comes from when student work might be shared or copied when they don’t want it to be. For instance, if a personal reflection typed into Google Docs was somehow made available publicly when the public was not the intended audience.
I haven’t heard of a web app or cloud computing solution causing copyright and privacy problems for schools (yet). I think that is in part because these sites use EULAs that are all-encompassing “just in case” and don’t really intend to copy/modify/transfer/etc. the submitted work. I also think teachers tend to be selective in what web apps they use. The copyright and privacy implications are definitely things teachers and students need to know about. I wonder how many teachers even know what a EULA is…? This would be a good topic for a blog post. 🙂
Here is my reply:
Ron raises an excellent point. First, I should point out that I am not a legal expert. The best person on this topic in Canada is Professor Wesley Wark, Graduate School of Public and International Affairs, University of Ottawa. So my comments should be seen in this context.
The University of British Columbia requires faculty to warn their students about security and privacy issues if their students are required to use web 2.0 or social media for study purposes. (In other words, it does not forbid faculty to use social media or web 2.0 tools – almost impossible to do in a university, anyway – but does place an obligation on them to advise students of the risks. I think this is correct – anyone from UBC willing to clarify or confirm this?) UBC also provides, through a program called ‘Digital tattoo’, education for students about their web footprint and the implications for security and privacy.
There is a particular issue for Canadian students here. Data located on ‘foreign’ servers are not subject to the same data privacy laws that protect Canadian students. The U.S. Patriot Act cuts across many privacy requirements for Canadian students, so the concern is that if student data is held on a server in the USA as a result of requirements for study at a Canadian university, and the US government uses that information in a way that is contrary to Canada’s privacy laws, the university could be sued for breach of privacy. What if a company running a server farm in India decided to sell student data to a commercial organization? There are also issues such as security of data (e.g., what happens to teaching materials or research results stored on an external server if the company hosting the server goes bankrupt?), and ‘quality control’ (e.g., ‘naive’ teachers exposing students to unreliable or educationally inappropriate applications of technology). Recently, there was a report on Avatar Rape in Second Life. Second Life is an ‘open’ community – so what happens when a student using Second Life for study purposes is abused by someone from outside the university’s community?
Many of these issues can be addressed by using common sense (though not always prevalent in faculty or students), and the same rules or procedures that apply to campus-based students can be applied just as well to online environments in most cases. Most universities have codes of conduct for online behaviour. However, as in the Second Life example, there are situations where on-campus or ‘within institution’ online policies and procedures won’t apply or work. Also, no university wants to be the first ‘test case’ on an issue that is likely to go as far as the Supreme Court of Canada, with all the inherent costs and risks.
Security of student data and privacy is a growing issue and governments in Canada are beginning to take it seriously. For instance, Alberta’s Auditor-General has required the Alberta government to put in place in all its post-secondary educational institutions an IT management governance protocol that ensures that each institution has procedures and policies to protect student (and staff) data, and a clear line management responsibility for security. Vancouver Community College is currently negotiating with the BC Privacy Commissioner a set of protocols about what is and is not acceptable in terms of web 2.0 applications regarding student privacy, and the rest of the province’s educational institutions are watching this with considerable interest.
Another possible solution for safeguarding privacy is for institutions or government agencies to negotiate specific agreements with companies such as Google, exempting the institutions from some of the standard requirements in the EULA. Another is to have an ‘inner cloud’ where provinces or states run their own server farms that provide a security filter before connecting to external servers on the World Wide Web, although I don’t know of anyone that has done this yet (at least in North America – China has a similar system for the Internet as a whole, which is a pretty good indication of the likely opposition if this was tried in North America).
Ron added one more spin on the topic:
I was working at the University of Windsor a while back when they were evaluating new LMS systems to install campus-wide (they were the first in the country to go with Sakai, by the way), and one of the issues we had in the early stages of testing and evaluating was whether we would consider allowing an LMS provider to host the service for a year or two until we felt able to get the infrastructure and expertise in place to run it ourselves. Our legal counsel advised us that any such hosting had to ensure all student files and information had to be housed on Canadian soil, for the very same security and Homeland Security issues you mentioned.
The answer to the question posed in the heading is, of course, yes – but there are risks. Now, if we listened to lawyers, nothing would probably ever get done. Their job is to point out risk, and decision-making requires risk to be balanced by potential benefits, and those of us who are using web 2.0 tools know the benefits are huge. I think Vancouver Community College is doing the right thing by working with the BC Privacy Commissioner to reduce risk and clarify the ground rules.
Ron and Tony and I would be really interested to hear more from others – particularly those with a legal background – about this issue. How can we use web 2.0 tools in a practical way while at the same time protecting student data and privacy? Let’s hear from YOU!