September 20, 2018

Zuckerberg’s Frankenstein

© The Mind Reels

Prosecutor: Dr. Frankenberg, are you aware that there is a monster roaming the countryside, stealing all the villagers’ personal information?

Dr. Frankenberg: Yes, sir, I am.

Prosecutor: And is it true, Dr. Frankenberg, that you invented this monster, in your dorm room at Harvard?

Dr. Frankenberg (proudly): Yes, sir.

Prosecutor: And are you aware that your monster is going around selling the villagers’ personal information to any Tom, Dick or Harry who will buy it?

Dr. Frankenberg: Yes, sir, that’s why I invented the monster – it’s my business model.

Prosecutor: Has your business model been successful?

Dr. Frankenberg (smugly): Oh, yes, sir, it’s made me and my friends very rich. You see the monster sends all the money to me. I only need a few engineers to make sure the monster doesn’t break down – and of course some very good lawyers – so there’s a lot left over afterwards.

Prosecutor: And are you aware that the monster helped our new Emperor, Donald the Terrible, to become emperor?

Dr. Frankenberg: I was made aware of that only just recently, but of course, I had heard of the rumours much earlier.

Prosecutor: So it was not your intent then that the monster should help Donald the Terrible?

Dr. Frankenberg: Absolutely not.

Prosecutor: And are you aware that hostile tribes outside the kingdom have used the monster to attack us?

Dr. Frankenberg: Yes, of course, that’s why I’m here – but honestly, I didn’t know about this until you did. And I made the monster get them to promise not to do that – but they are hostiles and didn’t keep their promise. 

Prosecutor: It seems to me that you don’t have much control over your monster.

Dr. Frankenberg (sighs): Look, you don’t understand how this works. You design something, you throw it out into the world, then wait to see what happens. Sometimes it’s good. Sometimes it’s bad. But there would be no way to make lots of money if you didn’t do this. If you tried to control it, you wouldn’t know what it could do.

Prosecutor: So you agree that your monster is now out of your control?

Dr. Zuckerberg (frowns, drinks water): Not entirely. We tried using chains recently, but the monster is too strong – he keeps breaking them. But our engineers are working on it, believe me.

Prosecutor: Let me put this to you: you created the monster, so you are responsible for it, but you’ve not done enough to control it.

Dr. Frankenberg: That’s a bit unfair. How was I to know it would become so dangerous? I realise it now, but anyone can be smart after the event.

Prosecutor: Some of the Emperor’s advisers are suggesting that the government should try to control the monster. What are your views on that?

Dr. Frankenberg (shrugs): Well, good luck with that. You realise the monster is not just stealing from our villagers, but from everyone’s now – he’s all over the place. But if you think you can do it, don’t let me stop you.

Judge intervenes: Thank you, Prosecutor, Dr. Frankenberg. We’ll adjourn for today, but we’ll be back in court tomorrow. Dr. Frankenberg, I hope you will take advantage of this time for some thought on how we can control your monster, because you should be aware, neither I nor the government have the slightest clue about how to do this.

Court adjourns.

Our responsibility in protecting institutional, student and personal data in online learning

Image: © Tony Bates, 2018

WCET (2018) Data Protection and Privacy Boulder CO: WCET

United States Attorney’s Office (2018) Nine Iranians Charged With Conducting Massive Cyber Theft Campaign On Behalf Of The Islamic Revolutionary Guard Corps New York: U.S. Department of Justice

With the recent publicity about unauthorised use of personal data on Facebook to manipulate elections in the USA and the U.K., and the above report about Iranians hacking universities for research results and intellectual property, everyone now has to take as much responsibility as possible for making sure personal data is secure and used only for authorised purposes.

This is particularly true for those of us working in online learning, where most of our interaction with students is online. Most institutions using learning management systems provide a secure area for student-instructor interactions – security is one reason why universities and colleges pay big bucks for IT systems, and making sure our student data and interactions are kept secure is a major reason for using a learning management system.

However, there are increasing reasons for working outside secure LMSs. Faculty and students now have blogs and wikis that are more open, although most require a password to allow for content to be added or comments to be made. ‘Good’ institutions ensure that student and faculty blogs and wikis are also protected from hacking. For instance, the University of British Columbia offers web and wiki facilities free of charge for all students and faculty and provides the security to support this. This blog is hosted by Contact North, which provides stronger security than I could as an individual or through an affordable commercial agency.

The problem comes when instructors and students start using unrestricted social media tools for instructional purposes. This all becomes ‘product’ for the social media companies and their advertisers (and very valuable product, given that university and college students are more likely to be high income earners after graduation.)

I was an early adopter of Facebook, back in 2005, but within 12 months I became inactive. It was not a company I felt I could trust, even back in 2005. I have good news for Facebook addicts who are wanting to get off of Facebook – life even within the online world is perfectly manageable, enjoyable and effective without Facebook. I do still keep in touch with my family and friends perfectly well and my professional life has if anything improved without Facebook.

Here I admit to being conflicted as I am still a heavy user of Google Search (although I prefer to use Firefox rather than Chrome). I was influenced by the Google corporate policy of ‘Do No Evil’ in its early days. Now Google Search is just one part of the umbrella company Alphabet, whose corporate motto is currently ‘Do the right thing’ – but for whom? It comes down more to pragmatics than ethics in the end. I can manage quite happily and easily without Facebook – I can’t without Google Search. 

This points to the problem we have as individuals in a digital society. Our power to control the use of our personal data is quite limited. We are now at the point where government regulation becomes unfortunately a necessity. (I say unfortunately because this is likely to limit to some extent innovation and change, but then so do the semi-monopolies of Amazon, Alphabet, Apple and Facebook, at least limiting change outside their systems). 

In the meantime, WCET has come to our rescue with a very useful site which really contains all you need to know about privacy and security. As their site says:

This is not just an IT problem! A breach could occur from an unintentional action by non-technical staff or student that could expose personal or institutional data to criminals and place the institution at risk by merely using weak passwords, connecting to dangerous networks, or opening suspicious emails. All members of an academic community must be trained with data protection best practices to preserve the security of the institution.

The WCET site contains links to the following:

  • their Frontiers blog posts on privacy and security issues
  • links to relevant recorded webcasts
  • links to a number of tools and reports on improving/protecting cybersecurity.

Essential reading for us all.

Now forgive me while I go and change all my passwords. 

Examining ethical and privacy issues surrounding learning analytics

Image: SecurityCamExpert, 2013

Drachsler, H. et al. (2016) Is Privacy a Show-stopper for Learning Analytics? A Review of Current Issues and Their Solutions Learning Analytics Review, no. 6, January 2016, ISSN: 2057-7494

About LACE

One of the most interesting sessions for me at last week’s EDEN conference in Budapest was a workshop run by Sally Reynolds of ATiT in Brussels and Dai Griffiths of the University of Bolton, UK. They are both participants in a European Commission project called LACE (Learning Analytics Community Exchange).

The LACE web site states:

LACE partners are passionate about the opportunities afforded by current and future views of learning analytics (LA) and educational data mining (EDM) but we were concerned about missed opportunities and failing to realise value. The project aimed to integrate communities working on LA and EDM from schools, workplace and universities by sharing effective solutions to real problems.

There are a number of reviews and case studies of the use of learning analytics available from the web site, which, if you are interested in (or concerned about) the use of learning analytics, are well worth reading.

The EDEN workshop

The EDEN workshop focused on one of the reviews concerned with issues around ethics and privacy in the use of learning analytics, and in particular the use of big data.

I am reasonably familiar with the use of ‘small’ data for learning analytics, such as the use of institutional student data regarding the students in the courses I am teaching, or the analysis of participation in online discussions, both in quantitative and qualitative terms. I am less familiar with the large-scale use of data and especially how data collected via learning management or MOOC registration systems are or could be used to guide teaching and learning.

The focus of the workshop was specifically on ethical and privacy issues, based on the review quoted above, but I nevertheless learned a great deal about learning analytics in general through the workshop.

What is the concern?

This is best stated in the review article:

Once the Pandora’s Box of data availability has been opened, then individuals lose control of the data about them that have been harvested. They are unable to specify who has access to the data, and for what purpose, and may not be confident that the changes to the education system which result from learning analytics will be desirable. More generally, the lack of transparency in data collection and analysis exacerbates the fear of undermining privacy and personal information rights in society beyond the confines of education. The transport of data from one context to another can result in an unfair and unjustified discrimination against an individual.

In the review article, these concerns are exemplified by case studies covering schools, universities and the workplace. These concerns are summarized under the following headings:

  • privacy
  • informed consent and transparency in data collection
  • location and interpretation of data
  • data management and security
  • data ownership
  • possibility of error
  • role of knowing and obligation to act

There are in fact a number of guidelines regarding data collection and use that could be applied to learning analytics, such as the Nuremberg Code on research ethics and the OECD Privacy Framework (both of which are general), or the JISC code of practice for learning analytics. However, the main challenge is that some proponents of learning analytics want to approach the issue in ways that are radically different from past data collection methods (like my ‘small’ data analysis). In particular, they propose using random data collection, then subsequently analysing it through data analysis algorithms to identify possible post-hoc applications and interpretations.

It could be argued that educational organizations have always collected data about students, such as registers of attendance, age, address and student grades. However, new technology, such as data trawling and the ability to combine data from completely different sources, as well as automated analysis, completely changes the game, raising the following questions:

  • who determines what data is collected and used within a learning management system?
  • who ensures the security of student (or instructor) data?
  • who controls access to student data?
  • who controls how the data is used?
  • who owns the data?

In particular, increasingly student (and instructor) data is being accessed, stored and used not just outside an institution, but even outside a particular country, and hence subject to laws (such as the U.S. Patriot Act) that do not apply in the country from which the data was collected.

Recommendations from the LACE working group

The LACE working group has developed an eight point checklist called DELICATE, ‘to support a new learner contract, as the basis for a trusted implementation of Learning Analytics.’

For more on DELICATE see:

Drachsler, H. and Greller, W. (2016) Privacy and Learning Analytics – its a DELICATE issue Heerlen NL: The Open University of the Netherlands

Issues raised in the workshop

First it was pointed out that by today’s standards, most institutional data doesn’t qualify as ‘big data’. In education, what would constitute big data would for example be student information from the whole education system. The strategy would be to collect data about or from all students, then apply analysis that may well result in by-passing or even replacing institutions with alternative services. MOOC platforms are possibly the closest that come to this model, hence their potential for disruption. Nevertheless, even within an institution, it is important to develop policies and practices that take into account ethics and privacy when collecting and using data.

As in many workshops, we were divided into small groups to discuss some of these issues, with a small set of questions to guide the discussion. In my small group of five conference participants, none of the participants was in an institution that had a policy regarding ethics and privacy in the use of learning analytics (or if it existed, they were unaware of it).

There was a concern on our table that increasing amounts of student data around learning was accessible to external organizations (such as LMS software companies and social media organizations such as Facebook). In particular, there was a concern that in reality, many technology decisions, such as choice of an institutional learning platform, were influenced strongly by the CIO, who may not take into sufficient account ethical and privacy concerns when negotiating agreements, or even by students themselves, who are often unaware of the implications of data collection and use by technology providers.

Our table ended by suggesting that every post-secondary institution should establish a small data ethics/privacy committee that would include, if available, someone who is a specialist in data ethics and privacy, and representatives of faculty and students, as well as the CIO, to implement and oversee policy in this area.

This was an excellent workshop that tried to find solutions that strike a balance between the need to track learner behaviour and privacy and ethical issues.

Over to you

Some questions for you:

  • is your institution using learning analytics – or considering it?
  • if so, does your institution have a policy or process for monitoring data ethics and privacy issues?
  • is this really a lot of fuss over nothing?

I’d love to hear from you on this.

Privacy and the use of learning analytics

Image: from Michael Radford’s movie, 1984 – Big Brother is watching you!

Warrell, H. (2015) Students under surveillance Financial Times, July 24

Applications of learning analytics

This is a thoughtful article in the Financial Times about the pros and cons of using learning analytics, drawing on applications from the U.K. Open University, Dartmouth College in the USA, student monitoring service Skyfactor, and CourseSmart, a Silicon Valley start-up that gives universities a window into exactly how e-textbooks are being read.

The UK Open University is using learning analytics to identify students at risk as early as a week into a course.

An algorithm monitoring how much the new recruits have read of their online textbooks, and how keenly they have engaged with web learning forums, will cross-reference this information against data on each person’s socio-economic background. It will identify those likely to founder and pinpoint when they will start struggling. Throughout the course, the university will know how hard students are working by continuing to scrutinise their online reading habits and test scores.

The article also discusses Dartmouth College’s mobile phone app which:

tracks how long students spend working, socialising, exercising and sleeping. The information is used to understand how behaviour affects grades, and to tailor feedback on how students can improve their results.

The article also tries to get a handle on student attitudes to this form of monitoring or surveillance. Not surprisingly, students appear to be somewhat ambivalent about learning analytics and differ in their acceptance of being monitored.

Rationalisations

What was particularly interesting is the range of justifications given in this article for monitoring student behaviour through data analysis:

  • the most obvious is to identify students at risk, so that appropriate interventions can be made. However, there weren’t any examples given in the article of appropriate interventions, highlighting the fact that it is one thing to identify a problem and quite another to know what to do about it. For instance, we know from previous research that students from particular socio-economic backgrounds or students from particular ethnic backgrounds are potentially more at risk than others. What does this mean though in terms of teaching and learning? If you know this is a challenge before students start studying, why wait for learning analytics to identify it as a problem?
  • the next argument is the need to ensure that the high investment each student (or their parents) makes in higher education is not wasted by a failure to complete a program. Because of the high cost, fear of failure is increasing student stress. At Dartmouth, a third of the undergraduate student body saw mental health counsellors last year. However, the solution to that may not be better learning analytics, but finding ways to finance students that don’t lead to such stress in the first place;
  • another rationale is to reduce the financial risk to an institution. The Chief Technology Officer at Skyfactor argues that with revenues from tuition fees of around $25,000+ per student per annum in the USA, avoiding student drop-out is a financial necessity for many U.S. institutions. However, surely there is a moral necessity as well in ensuring that your students don’t fail.

Making sense of learning analytics

The Open University has always collected data on students since it started. In fact, McIntosh, Calder and Swift (1976) found that statistically, the best predictor of success was whether a student returned a questionnaire in the first week of a course, as this indicated their commitment. It still didn’t tell you what to do about the students who didn’t return the questionnaire. (In fact, the OU’s solution at the time was not to count anyone as an enrolment until they had completed an assignment two weeks into the course – advice that MOOC proponents might pay attention to).

As with so many technology developments, the issue is not so much the technology but how the technology is used, and for what purposes. Conscientious instructors have always tried to track or monitor the progress of individual students and learning analytics merely provides a more quantitative and measurable way of tracking progress. The issue though is whether the data you can track and measure can offer solutions when students do run into trouble.

My fear is that learning analytics will replace the qualitative assessment that an instructor gets from, for instance, participating in a live student discussion, monitoring an online discussion forum, or marking assignments. This is more likely to identify the actual conceptual or learning problems that students are having and is more likely to provide clues to the instructor about what needs to be done to address the learning issues. Indeed in a discussion the instructor may be able to deal with it on the spot and not wait for the data analysis. Whether a student chooses to study late at night, for instance, or only reads part of a textbook, might provide a relatively weak correlation with poorer student performance, but recommending students not to stay up late or to read all the textbook may not be the appropriate response for any individual student, and more importantly may well fail to identify key problems with the teaching or learning.

Who gets to use the data?

Which brings me to my last point. Ruth Tudor, president of the Open University’s Students’ Association, reported that:

when the data analytics programme was first mooted, participants were “naturally” anxious about the university selling the information it collected to a third party.

The OU has given strong assurances that it will not do this, but there is growing concern that as higher education institutions come to rely more on direct funding and less on government support, they will be tempted to raise revenues by selling data to third parties such as advertisers. As Andrew Keen has argued, this is a particular concern about MOOCs, which rely on other means than direct fees for financial support.

Thus it is incumbent on institutions using learning analytics to have very strong and well enforced policies about student privacy and use of student data. The problem then, though, is that this can easily lead to instructors being denied access to the very data which is of most value in identifying student learning difficulties and possible solutions. Finding the right balance, or applying common sense, is not going to be easy in this area.

Reference

McIntosh, N., Calder, J. and Swift, B. (1976) A Degree of Difference New York: Praeger

Balancing the use of social media and privacy protection in online learning

Figure 9.9 Privacy ranking by Privacy International, 2007
Red: Endemic surveillance societies
Strong yellow: Systemic failure to uphold safeguards
Pale yellow: Some safeguards but weakened protections
http://en.wikipedia.org/wiki/Privacy#mediaviewer/File:Privacy_International_2007_privacy_ranking_map.png

This is the last of the SECTIONS criteria for selecting media for my online open textbook, Teaching in a Digital World. The last ‘S’ stands for Security and Privacy.

This is a change from earlier versions of the SECTIONS model, where ‘S’ stood for speed, in terms of how quickly a technology enabled a course to be developed. However, the issues that I previously raised under speed have been included in Section 9.3, ‘Ease of Use’. This has allowed me to replace ‘Speed’ with ‘Security and privacy’, which have become increasingly important issues for education in a digital age.

9.9.1 The need for privacy and security when teaching

Instructors and students need a private place to work online. Instructors want to be able to criticize politicians or corporations without fear of reprisal; students may want to keep rash or radical comments from going public or will want to try out perhaps controversial ideas without having them spread all over Facebook. Institutions want to protect students from personal data collection for commercial purposes by private companies, tracking of their online learning activities by government agencies, or marketing and other unrequested commercial or political interruption to their studies. In particular, institutions want to protect students, as far as possible, from online harassment or bullying. Creating a strictly controlled environment enables institutions to manage privacy and security more effectively.

Learning management systems provide password protected access to registered students and authorised instructors. Learning management systems were originally housed on servers managed by the institution itself. Password protected LMSs on secure servers have provided that protection. Institutional policies regarding appropriate online behaviour can be managed more easily if the communications are managed ‘in-house.’

9.9.2 Cloud based services and privacy

However, in recent years, more and more online services have moved ‘to the cloud’, hosted on massive servers whose physical location is often unknown even to the institution’s IT services department. Contract agreements between an educational institution and the cloud service provider are meant to ensure security and back-ups.

Nevertheless, Canadian institutions and privacy commissioners have been particularly wary of data being hosted out of country, where it may be accessed through the laws of another country. There has been concern that Canadian student information and communications held on cloud servers in the USA may be accessible via the U.S. Patriot Act. For instance, Klassen (2011) writes:

Social media companies are almost exclusively based in the United States, where the provisions of the Patriot Act apply no matter where the information originates. The Patriot Act allows the U.S. government to access the social media content and the personally identifying information without the end users’ knowledge or consent.
The government of British Columbia, concerned with both the privacy and security of personal information, enacted a stringent piece of legislation to protect the personal information of British Columbians. The Freedom of Information and Protection of Privacy Act (FIPPA) mandates that no personally identifying information of British Columbians can be collected without their knowledge and consent, and that such information not be used for anything other than the purpose for which it was originally collected.

Concerns about student privacy increased even more when it became known that countries were sharing intelligence information, so there remains a risk that even student data on Canadian-based servers may well be shared with foreign countries.

Perhaps of more concern though is that as instructors and students increasingly use social media, academic communication becomes public and ‘exposed’. Bishop (2011) discusses the risks to institutions in using Facebook:

  • privacy is different from security, in that security is primarily a technical, hence mainly an IT, issue. Privacy needs a different set of policies that involves a much wider range of stakeholders within an institution, and hence a different (and more complex) governance approach from security;
  • many institutions do not have a simple, transparent set of policies for privacy, but different policies set by different parts of the institution. This will inevitably lead to confusion and difficulties in compliance;
  • there is a whole range of laws and regulations that aim to protect privacy; these cover not only students but also staff; privacy policy needs to be consistent across the institution and be compliant with such laws and regulation;
  • Facebook’s current privacy policy (2011) leaves many institutions using Facebook at a high level of risk of infringing or violating privacy laws – merely writing some kind of disclaimer will in many cases not be sufficient to avoid breaking the law.

The controversy at Dalhousie University where dental students used Facebook for violent sexist remarks about their fellow women students is an example of the risks endemic in the use of social media.

9.9.3 The need for balance

Although there may well be some areas of teaching and learning where it is essential to operate behind closed doors, such as in some areas of medicine or areas related to public security, or in discussion of sensitive political or moral issues, in general there have been relatively few privacy or security problems when teachers and instructors have opened up their courses, have followed institutional privacy policies, and above all where students and instructors have used common sense and behaved ethically. Nevertheless, as teaching and learning becomes more open and public, the level of risk does increase.

9.9.4 Questions for consideration

1. What student information am I obliged to keep private and secure? What are my institution’s policies on this?

2. What is the risk that by using a particular technology my institution’s policies concerning privacy could easily be breached? Who in my institution could advise me on this?

3. What areas of teaching and learning, if any, need I keep behind closed doors, available only to students registered in my course? Which technologies will best allow me to do this?

Over to you

1. I couldn’t find more recent references on this issue than 2011, when it seemed to be a hot topic. Has anything significantly changed with regard to privacy and social media in education since 2011 that I should be aware of? Or have our institutions nailed it regarding sensible policies and practices? (Did I hear guffaws?) References would be particularly welcome.

2. If anyone would like to share their experiences regarding privacy issues as a result of using social media for teaching, please either send me an e-mail (for privacy reasons) or share a comment on this post.

Up next

The final section on Chapter 9: Making decisions about what media to use. This will suggest a relatively simple approach for what is in effect a highly complex topic.

Yes, I know, you just can’t wait for this final episode. Keep tuned to this station.

References

Bishop, J. (2011) Facebook Privacy Policy: Will Changes End Facebook for Colleges? The Higher Ed CIO, October 4

Klassen, V. (2011) Privacy and Cloud-Based Educational Technology in British Columbia Vancouver BC: BCCampus

See also:

Bates, T. (2011) Cloud-based educational technology and privacy: a Canadian perspective, Online Learning and Distance Education Resources, March 25