Privacy in the cloud

November 2013

 

Facebook       Tweet

‘Cloud’ computing is rapidly becoming more than just another buzzword in our digital lives. The expected paradigm shift has implications for schools that are not yet fully understood, and with data integrity on everyone’s mind these days, Education Review, looks at exactly where the buck stops.

‘The cloud’ is something we all hear plenty about these days, but many are confused about the concept. Even less understood is the impact cloud computing will have on schools. There is a sense of confusion, as there is with any emerging technology, around the risks and responsibilities inherent in the idea.

Understanding the cloud

Essentially, we’ve all been using the cloud for many years, we just didn’t realise it. If you’ve used Facebook or streamed a video online, you’re interacting with the cloud. In fact, as Neil Melhuish from Netsafe, a non-profit organisation working toward a safer online environment, puts it, the cloud could be thought of as simply a re-branding of the internet.

“If you’ve interacted with Facebook or anything similar, you’re in the cloud. All that’s really happening is that modern data transfer speeds have made it cost-effective and reliable to the point that people can effectively use off-site storage, and software that isn’t actually on your computer.”

Officially, the word ‘cloud’ (with reference to communication technology) is considered jargon, but it’s an appropriate term in that the concept is nebulous and evolving all the time.

Cloud computing is basically that which is done somewhere else. For example, where a school might previously have had a server (basically a storage computer), and a network that joins the server to computers throughout the school, there is now the option to use the internet itself as the network and server. So all documents, photos, video, everything that the school uses is instead stored on computers that could, in terms of their physical location, be anywhere in the world. In fact, it no longer makes a practical difference where the data is stored … or at least that’s the idea.

The concept goes further. Applications, like the one used to write this article, no longer need to be resident on the computer you’re working from. Google Drive and Dropbox are examples that millions use every day. When you create a spreadsheet from Drive, your computer is just sending instructions to software that lives on a Google computer, likely in the US. Many predict that this concept heralds the end of the personal computer as we know it, and that what we’ll end up with will be no more than a ‘brainless’ screen and keyboard.

Cloud on the rise

The key has been the exponential recent improvement in broadband speeds. Not so many years ago, sending something as small as an email could take half an hour. Cloud computing can be seen as a logical progression simply because it’s no longer a pain to use. No more video that breaks up and needs long buffering times. Applications that are responsive and don’t ‘hang’ like they used to, making them a viable alternative to ‘local’ software (hosted on your computer).

The issue of whether schools should change their digital way of life to embrace cloud computing at this relatively early point is a topic for another article, but a little online research can give anyone who’s interested a good grounding. The two dominant models in terms of application and storage ‘ecosystem’ packages are, predictably, Google Drive and Microsoft Office 365. Google, in particular, has been very clever about getting a jump on the field, largely because transition has been made simple because so many people already have a Google account. Microsoft has been comparatively late to market with their package but continue to make inroads.

Advantages of using the cloud

Most commentators list the following as some of the chief advantages to moving your school’s digital life into the cloud:

Increased opportunity for collaboration. This is across all areas of the school, from learning itself to administration. Taking the example of Google Drive or Microsoft 365, the most immediately obvious advantage is that several students, educators, or other staff can contribute to the same document, at the same time, without the exercise degenerating into a confusing mess.

Risk management: Data cannot be destroyed by a local failure or accident.

‘Anywhere, anytime’: Students and teachers can access work from home, at school, on the bus, anywhere they like. All that’s needed is an internet browser.

Potentially greater data security and privacy: This is a tricky one. Some insist that servers maintained by the ‘big guns’ at enormous off-shore data centres are far less vulnerable to malicious attack than local servers. Others would refute that claim, in part due to the fact that a school’s servers aren’t such a tasty target to an ambitious hacker as are Google’s, for example.

Savings potential: Many schools in New Zealand have a roll of around 300, and therefore may struggle with resourcing to employ IT professionals to maintain servers and networks. Savings in cost of software could also have an impact.

Disadvantages

And the drawbacks? Reliability is rapidly becoming a non-issue, and as far as schools are concerned, the advent of the N4L (Network for Learning) managed network looks set to improve things in this space quite dramatically.

‘Down time’ is a related issue that should still be planned for. Major incidents of the tech giants tripping over a cable and plunging the planet into information darkness are becoming rare. However, there are a number of parties in the chain between you and them. Some of our local ISPs (internet service providers) have recently experienced some embarrassing lapses in this regard. Another aspect of N4L is that schools will no longer need a consumer ISP, which doesn’t necessarily see provision of quality internet to schools as a commercial priority.

But the real crunch point as far as schools are concerned is privacy. Most have probably not giving this much thought until the story broke that revealed the level of data sharing that many major corporations are routinely engaged in. That’s without even going into the intentions of the service provider itself.

A vulnerability trade-off

Neil Melhuish at Netsafe believes that a school that adopts cloud computing as all or part of their digital modus operandi needs to think about what he calls a ‘vulnerability trade-off’. This means that any increase in connectivity will ultimately lead to an increase in potential for both malicious attack and privacy risk.

“The more secure a network is, the less accessible it is. If you unplug completely and isolate your school’s network from the wider internet, then it is 100 per cent secure. But then, nobody can use it effectively. That’s why disclosure and on-going risk management are so important.”

Cost is one of the considerations that will be uppermost in the thinking of schools, says Neil. When asking which is more cost effective, a cloud-based network or school-based, the answer is increasingly becoming the former. Aside from all the recent coverage, it’s this financial imperative that is driving many schools to seek guidance.

The bottom line is that there are as yet no hard and fast rules that schools can follow. Ultimately, schools are responsible for making their own assessment of cloud service providers. The Privacy Act dictates that schools are responsible for ensuring that personally identifying information is protected “by such security safeguards as it is reasonable in the circumstances to take.” The reality, in other words, is that the buck stops with the school.

Key questions

Netsafe cannot give schools a ‘thumbs up’ (or down) on any particular cloud-based service, but Neil says there are some key themes that should be considered during the assessment of any supplier. These include:

Who owns the data? Does the information that is stored with the service remain the property of the school?

How is the data being used by those that are storing it? Will the school’s data only be used for the purpose of providing the service (i.e. does the service use any data for its own commercial reasons, such as advertising?)?

Which jurisdiction’s laws apply to the service? This is an issue that recent media coverage has brought to light. Many cloud services are based in the U.S., and therefore are not subject to New Zealand law. Working out how privacy law in this country works as opposed to that in the host country is something that should be examined.

Is there a succinct and comprehensive overview of the service’s security and privacy policies?

Are the service’s terms and conditions plainly written and easy to follow?

What is the track record of the provider? It should be fairly simple to find out if there has been any negative media coverage of a well-known service.

The best place teachers can go to familiarise themselves with the ramifications of the Privacy Act, and how this applies to cloud computing is of course the Office of the Privacy Commissioner. However, that authority doesn’t publish anything specifically for schools, and education centres are treated as small businesses for the purposes of the Act. Cloud Computing – A guide to making the right choices has some great advice, and can be found on the OPC website www.privacy.org.nz. Search for ‘cloud computing’ within the site for other resources.

T’s and C’s

Neil says that, unfortunately, such is the complexity of the disclosure documents that many providers cover themselves with, most schools are unlikely to have the capacity to make a legally thorough assessment of terms and conditions. Again, recent media coverage has highlighted the dangers therein. The Ask.fm social media site generated headlines recently due to cyber-bullying, and Neil says the example illustrates that there can be ‘banana skin’ caveats that providers may build into their conditions of use, that might even contravene New Zealand law.

“This may have now changed after all the negative publicity, but initially at least the terms and conditions of that site said basically, ‘challenging behaviour on this site is to be expected because the whole thing runs anonymously’. That has clear implications for schools.”

The upshot is that schools are responsible for doing everything in their power to make sure they’re not exposed to risk.

Credibility

A consequence of the inter-connectivity that now plays a huge role in our lives, and one that is normally seen as a positive, is the ability to aggregate opinion. Thanks to the instant and continuous collation of user feedback, it’s easy to find out if punters have been raving about a new restaurant, for example, with the same enthusiasm as its celebrity chef owner.

The big news in New Zealand e-learning is of course the advent of N4L, and aside from improving reliability and speed, one feature in particular will influence schools when it comes to making judgements about cloud service providers. Network for Learning marketing manager Andy Schick explains.

“[N4L] is really undertaking two key streams of work. The most known is around the building of the infrastructure. This will connect schools to each other, and will significantly improve a school’s ability to get the best out of cloud services.

“The second is the development of what we’re calling ‘the portal’ at this stage. This will be an online location that teachers and students will be able to go to find lots of learning content, resources, and services, many of which will be cloud based. It’s really a hub for digital learning. This will become a central location to find good cloud services.”

The portal will have a catalogue, which will be populated by educators who are out there using these services right now. They will login and they’ll say ‘here are all the services that I use. I trust them because of these reasons, and I would recommend them for these reasons.’ It’s a community discussion approach. They will be rated and ranked, and searchable as such.”

The N4L portal means that over time, a far clearer picture will develop among the education community as to which cloud services are trustworthy and useful. In the absence of any kind of list of officially sanctioned services, this information sharing approach will become invaluable.

Best practice approach

Governments are only just beginning to address the jurisdictional implications of our wired world, and so risk mitigation for schools should be two-pronged, says Neil. Schools must, of course, do everything they can to arrive at a reasoned assessment of a cloud provider, but keeping the community ‘in the loop’ is just as important.

“The ‘informed consent’ approach is generally effective when implementing safe and responsible educational use of technology. This is because on-going disclosure emphasises a process, rather than a one-off ‘case closed’ type of judgement. And that is appropriate to the online medium, which is never static.”

This means that the community should be kept informed as to the assessment that a school undertook to ensure the privacy of students’ data, and that schools should be as transparent as possible about what the cloud service is being used for.

Minimising vulnerability with common sense

Neil re-affirms the fact that we all take a risk when doing anything online, but that shouldn’t scare schools off the idea of capitalising on the opportunities afforded by cloud computing. After all, the alternative is much less palatable to the future of our young people: 100 per cent security equates to 100 per cent isolation. But if there’s one thing that the internet has in spades, it’s the potential for community, and collective knowledge is power in the online universe.

“Where does that leave us? Whenever you do anything online, you are taking a risk, that’s the nature of the beast. So reputation becomes important. If my school uses a blogging platform for example, which is used by lots of other schools, and there’s nothing in the media to suggest any misuse of data, then it’s likely to be ok. That is part of the common sense approach that schools need to follow when making decisions. The risk cannot be taken away altogether, only mitigated.”


Post your comment

Comments

No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments