Smart teaching and smart learning in safety

(by Fulvio Oscar Benussi) Prof. Fulvio Oscar Benussi, a member of AIDR, is a secondary school teacher, trainer and publicist. An expert in didactic innovation, he has given numerous speeches at Italian and foreign universities. Several of his contributions, many written in collaboration with Annamaria Poli, a researcher at the University of Milan Bicocca, have been published in scientific journals in the university field.

The prolonged need for social distancing and the consequent postponement of the reopening of schools make it necessary to address cybersecurity and privacy protection on distance learning platforms (1). After an analysis of the platforms' critical issues, we hope for a clarification from the Minister.

The effort made by pupils and students, their families, teachers and school managers, and more generally by the school administration, to maintain the continuity of the educational service through distance learning is commendable, but recent news reports suggest that the whole matter should be considered with great care.

On 9 April, the Axios educational platform suffered a hacker attack (La Repubblica https://www.repubblica.it/cronaca/2020/04/09/news/axios_hacker-253550285/?ref=RHPPLF-BH-I253495487-C8-P4-S2.5-T1), while hacker attacks on other educational platforms had occurred in the previous days. In these attacks, violent and pornographic material was introduced during lessons, and some institutions had to interrupt distance lessons for a few days.

So let's ask ourselves what schools could have done to stem these problems

The Axios educational platform suffered a DDoS attack, a type of hacker attack that generates a huge number of fraudulent accesses. Something analogous to this type of attack (2) was experienced by those schools which, rather than turning to free platforms offered by the market, tried to deliver their distance learning through solutions offered by the providers of other digital school services, for example electronic registers, and which saw their systems collapse, unable to manage the enormous amount of digital traffic generated.

This type of difficulty has also been experienced across the Alps by our French neighbors who, to give continuity to school activities, used the CNED platform called "My class at home" across the whole national territory and for every type of school. However, the French Ministry's choice to use this system encountered some difficulties. Because of too many simultaneous connections, access to the site was saturated and the site became unavailable several times.

In Italy, apart from the aforementioned experiences attempted in some schools, it was decided not to rely on a national institutional platform, which in any case is not available and would have had to be created ad hoc.

In light of the outcome of the choice made by the French, we can say that we were more forward-looking.

But every decision not to take one road means having to opt for the alternative, and the MIUR chose to suggest that teachers use free platforms offered by the market.

Smart teaching and smart learning with free platforms

When carrying out remote educational activities, the protection of the privacy of pupils and students makes it necessary to consider:

  • The characteristics of the workstation from which the teacher delivers them (ref. GDPR Regulation (3));
  • Ad hoc training and assignment for individual teachers;
  • The indications contained in the Provision "Distance education: first indications (4)" of the Guarantor for the protection of personal data of 26 March 2020.

The teacher's workplace must be suitable to ensure that "adequate technical and organizational measures have been provided so that the treatment meets the requirements of this regulation" (Ref. Art. 28 paragraph 4 of the GDPR Regulation). To avoid the risk of a data breach (5), this should imply, in our opinion, that the computer used for distance learning must be protected by antivirus software and a firewall. In addition, the teacher should not use the PC for personal activities such as e-mail, social network accounts, etc., which could facilitate the intrusion of malware, spyware, etc. Furthermore, even though it would be the ideal solution, it is not possible to assume that: "The workplace is made available, installed and tested at the expense of the educational institutions, on which the maintenance and management costs of the support systems for workers would be incurred". Yet these are the conditions contractually provided for the teleworking of school staff (Art. 139 - CCNL School teleworking discipline 2006-2009), and even though teleworking was not regulated for teachers at the time the CCNL was signed, the new situation, in our opinion, allows the analogy.

All the conditions listed above are obviously impossible in the current emergency conditions.

However, we believe it would be useful to relieve school staff of the responsibilities resulting from any violation of students' personal data that arises because teachers work on personal computers which, in many cases, do not have the characteristics indicated above as necessary.

In this sense, we hope for an intervention by the Ministry that can clarify the matter.

To carry out distance teaching, teachers should have followed a special training course (6) on privacy legislation (7) and have received a specific assignment letter from their school managers containing specific instructions for the processing of personal data in the IT area.

Given the great changes connected to the current situation and the urgency of guaranteeing continuity in the educational activity, there seem to be objective difficulties in the timely implementation of the above.

The indications contained in the Provision "Distance learning: first indications" of the Guarantor for the protection of personal data of 26 March 2020 are the reference on the basis of which we have analyzed the various DAD platforms that can be used.

"The personal data of minors, moreover, 'deserve specific protection in relation to their personal data, as they may be less aware of the risks, consequences and safeguard measures involved as well as their rights in relation to the processing of personal data' (rec. 38 of the Regulation)".

We started from this consideration of the Guarantor in proceeding with the verification of the DAD platforms that we have analyzed.

Indications on the procedure followed to analyze the DAD platforms

We point out that the indications we will now illustrate can also be followed by teachers who wish to verify whether the DAD platforms they are using, or are preparing to use, comply with privacy rules.

First of all, the verification requires reading the notices in the Privacy section of the platform. To be sure of having read the privacy policy in its entirety, you must not be satisfied with summaries and abridged versions, but must retrieve the full version. The platforms often offer access to the full version only through buttons and links that have to be clicked.

It should be noted that when the privacy notice is written for multiple services, or concerns both users of the service and company employees, it is extremely difficult to understand which provisions concern others and which concern students or teachers.

The second step is to read the complete information on cookies to check what information they collect.

The third step is to compare what the supplier of the DAD platform declares with what is set out in the Provision "Distance learning: first indications" of the Guarantor for the protection of personal data, so as to avoid using the platform for DAD if it does not satisfy the Guarantor's indications.

By analyzing numerous DAD platforms (8) we have identified some critical issues.

Regarding the problems related to profiling, the Guarantor states: "Where, however, it is deemed necessary to resort to more complex and "generalist" platforms, which do not provide services aimed exclusively at teaching, only the services strictly necessary for training should be activated by default, configuring them in such a way as to minimize the personal data to be processed, both during the activation of the services and during the use of the same by teachers and students (avoiding, for example, the use of data on geolocation, i.e. social login systems which, by involving third parties, involve greater risks and responsibilities)."

With regard to the user's geolocation, this data can also be derived from the IP address (9) or the MAC address (10).

For the profiling of the user (the student), the Guarantor states: "This specific protection should, in particular, concern the use of such data for marketing or profiling purposes and, in a broad sense, the related collection in the context of provision of services to minors themselves".

In this regard, in some of the DAD platforms analyzed, we found statements that are not really reassuring, for example:

"We will also make reasonable efforts to ensure that we do not use our products to collect information when you visit websites offered by companies other than ours."

"The deactivation of the technical Cookies indicated [...] could prevent correct navigation on the Site and/or limit its usability (11)"

For further information, we also consider it useful to point out some articles (12) that highlighted the critical aspects of DAD platforms that teachers have used and that in many cases still continue to use.

Regarding the ZOOM platform, Jules Polonetsky, CEO of the Future of Privacy Forum, says “that Zoom's terms of service include some clauses that could invade user privacy. So, as with all products, users should be careful about using Zoom without being aware of some privacy issues that concern it. Polonetsky also says that Zoom's standard privacy policy allows you to share data for targeted marketing. And some of the company's standard terms are not consistent with the American Family Educational Rights and Privacy Act, or FERPA, in addition to other rules on the protection of personal data (we can indicate the GDPR) (13).”

We also point to the phishing attack on Cisco's Webex platform (14) as a source of indications on the precautions to be taken and as a way to make students aware of the risks of fraudulent e-mails that may be delivered to them. It is, in fact, important to protect the virtual classroom from attacks by those who, having won the recipient's trust with fraudulent e-mails, manage to obtain the credentials to access it and then carry out disruptive or worse actions (15).

Conclusions

The intervention of the Guarantor for the protection of personal data on the specific characteristics that the DAD platforms must guarantee in relation to the protection of the privacy of minors (pupils and students) has explicitly highlighted that there is a privacy problem.

It is clear that the multidisciplinary skills (16) necessary to ascertain whether a DAD platform guarantees the right level of privacy cannot be possessed by, and therefore cannot be demanded of, individual teachers or individual school managers.

In particular, it is unlikely that, for these DAD platforms, teachers and school managers will be able, without risking making mistakes, to "activate, by default, the only services strictly necessary for training, configuring them in order to minimize the personal data to be processed, both during the activation of the services and during the use of the same by teachers and students" as requested by the Privacy Guarantor.

For this reason, we hope for an intervention by the Minister that can clarify the issue and allow school staff to continue their distance teaching activities with the necessary serenity.

Footnotes

  1. Distance learning, hereinafter DAD
  2. This is the type of attack that has recently been assumed to have hit the INPS site
  3. By "GDPR Regulation" we mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. https://eur-lex.europa.eu/legal-content/IT/TXT/PDF/?uri=CELEX:32016R0679&from=it
  4. https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9300784
  5. By data breach, in Italian violation of personal data, we mean the security breach that accidentally or unlawfully involves the destruction, loss, modification, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.
  6. See art. 32 paragraph 4 of the GDPR
  7. The data relating to student privacy can for example be the list of their email addresses.
  8. We have analyzed various platforms, including those reported at the link: https://www. Education.it/coronavirus/didattica-a-distanza.html
  9. "[...] With all this in mind, the only thing that we "ordinary mortals" are allowed to do is to locate an IP address by obtaining general information relating to the area in which the control unit to which the reference connection is connected is present. There are in fact special tools used for the purpose even if, it is good to keep it in mind, they do not allow to know the street, house number and maybe even the telephone number and name and surname of a person. However, this does not detract from the fact that they may prove interesting." From: https://www.aranzulla.it/find-nome-and-address-of-home-a-partire-from-an-ip-address-bufala-966.html Geolocation service starting from the IP address: https://it.geoipview.com/
  10. "[...] Although the MAC Address can be modified via software, this is a datum that is almost always transmitted in clear text by the various network devices. From the States, a survey recalls how Android phones regularly record the MAC addresses of wireless devices found nearby by broadcasting them on Google's servers. A similar practice is used by Apple, Microsoft and Skyhook Wireless with the aim of "mapping" the geographical position of the routers and access points located on the entire globe." Taken from: https://www.ilsoftware.it/articoli.asp?tag=Dammi-il-tuo-MAC-address-e-ti-diro-dove-ti-trovi_7476
  11. Recall that the Guarantor states: "Where, however, it is deemed necessary to resort to more complex and "generalist" platforms, which do not provide services aimed exclusively at teaching, only the services strictly necessary for training must be activated by default, configuring them in order to minimize the personal data to be processed, both during the activation of the services and during the use of the same by teachers and students [...]"
  12. Concerning ZOOM https://www.ilsole24ore.com/art/non-solo-privacy-zoom-bufera-elon-musk-vieta-l-uso-dipendenti-AD2whdH?utm_medium=FBSole24Ore&utm_source=Facebook#Echobox=1585842151&refresh_ce_ce See also: https://www.wired.it/internet/web/1/2020/03/zoom-privacy-facebook/?refresh_ce=
  13. Mischitelli, Zoom and Houseparty: all the privacy and security problems of the most used video conferencing apps, https://www.agendadigitale.eu/sicurezza/privacy/zoom-e-houseparty-tutti-i-problemi-privacy-e-security -of-app-to-video-longer-used /
  14. See: https://threatpost.com/cisco-critical-update-phishing-webex/154585/
  15. See: https://www.corriere.it/scuola/secondaria/20_aprile_01/coronavirus-lezioni-distanza-chi-fa-bullo-commette-reato-pagano-genitori-bbc54664-734c-11ea-bc49-338bb9c7b205.shtml and also: https://iltirreno.gelocal.it/pisa/cronaca/2020/04/02/news/scuola-lezioni-a-distanza-interrotte-con-video-porno-o-violenti-1.38669535?refresh_ce
  16. To carry out the activity considered, legal, IT and linguistic skills are required (often the disclaimers are written in English).
