On Schools and Information Security…

Posted on 2014/12/05


DISCLAIMER: This is referring to a single school board in Ontario Canada.

DISCLAIMER: MY OPINIONS. The fact that my children and spouse are involved in the education system to one degree or another is not something that matters here.

What follows is a letter that I wrote in response to receiving an incredibly poorly written “sign all the things” document earlier this year. Enjoy.

Something needs to change, and quickly.

———

2014-09-22

Good morning,

Let me start by giving you my heartfelt apology, what follows is information which needs to be placed in front of HWDSB proper and dealt with in a fashion sufficient to save all of the parents and students, not simply one class or one school. I did not submit my rather scathing review of the last set of forms that were sent, but rather saved that message for someday in the distant future when it might do some good. However, this latest form sent home is like that sprinkling of glass shards that truly makes the mixed metaphor of mumbojumbo salad complete.

I am in receipt of the latest form sent home simply entitled “Acceptable Use Terms & Conditions”. I find that if I sign this form, I will have in all likelihood agreed to things that are beyond my capacity to understand. The previous sentence should come as something of an alarm for you (all) as the subject matter falls within my professional purview (http://www.linkedin.com/in/jamesarlen/) and still leaves me reeling with anxiety and doubt. I suppose that a more casual reader would simply sign (if he or she could determine the correct line upon which to place a signature) but anyone who looks at this form should seriously consider not signing it until having it reviewed by a competent legal authority.

Before I begin discussion of the “Acceptable Use Terms & Conditions” (AUTC), let me quote from the letter I did not send on September 2, 2014:

  1. The “Acceptable Use Agreement for the Internet Consent Form” is incomplete. It specifically refers to the obverse as a form as required reading. There is no reverse side and no simple link to the most current version of the text as hosted on http://www.hwdsb.on.ca – although based on a Google search for “hwdsb acceptable use agreement for the internet consent form” it may be:
    1. Hit 1 – Queen Victoria School – Five pages, February 2012, colour pdf – http://www.hwdsb.on.ca/queenvictoria/files/2011/02/Acceptable-Use-Agreement-Internet.pdf
    2. Hit 2 – Mountain View School – Two pages, September 2013, Word Document (retyped, internal date does not match file location date) – http://www.hwdsb.on.ca/mountainview/files/2011/01/Internet-Use-Agreement-Form-22.doc
    3. Hit 3 – Four pages, September 2013, low quality scan – http://www.hwdsb.on.ca/jamesmacdonald/files/2013/09/InternetUse.pdf

    Note that none of the top three hits (nor any of the hits on the first page of results) will get me the canonical copy of the form from the Board directly.
    In reading the materials located at the above links, they all contain absolute nonsense phrases such as “Users will not … receive offensive messages or pictures from any source”. Unfortunately, the area of Information and Computer Security is one that I am considered to have some level of expertise in and I can absolutely guarantee you that it is not merely impossible but actually UNpossible to comply with that statement while utilizing a computer that is:

    1. Connected to the public Internet,
    2. Connected to any network,
    3. Equipped with a web (http) browser, or
    4. Powered on.

    In any case, without the ability to assess your infrastructure to determine if it meets the basic standards for secured systems as listed in ISO 27002:2013 or other accepted Industry Best Practices, you are asking me to literally sign away my liability on your misapprehension of the nature of computer networks and systems.

  2. The “Consent to the Release of Personal Information for Students” is confusingly two forms in one, for no apparent reason. A simple re-structure with tick-box options for photograph and name with a single consent and signatory section would be significantly more efficient, clear and possibly even increase the likelihood that parents will understand what they are signing.

These two forms have now been either superseded or amended by the AUTC. I am unable to determine which case has taken place.

Disassembling the AUTC and identifying each instance of “What is the actual point?” is something that should be in the hands of either a constitutional lawyer or a Jesuit – to determine either liability or sin. Instead, here are a set of bullets which I hope make the case clearly.

  • Style
    • Pick a font. Seriously. Just one. (Hint: Ctrl/Cmd-A, then select a font) It is not 1985, and you are not attempting to show off your Desktop Publishing prowess.
    • Separate that which is for the fractional (less than 1/14th of the student body) proportion of the population that is over the age of majority from the remainder of the form. Have TWO forms – one for 13/14ths of the students and one for the 1/14ths group. Whacky, but clarifies significantly EVERY SECTION of the form.
    • Link to the canonical (one true) copy of the form so that I can verify that the school has not ‘enhanced’ the form they send home compared to the board official one.
  • Section 1 (Third-party Tools and Resources) Inclusions
    • You are incorporating by reference 10 separate legal agreements with 8 corporations.
    • The Google link you provided is not the actual Terms of Service – that would be: http://www.google.ca/intl/en/policies/terms/regional.html
    • The first Microsoft Link (Office 365) is a red herring, it does not lead to a T&C, the second link provided is the legal document.
    • The third Microsoft Link (Windows Services Privacy) is not a legal document either. The second link applies.
    • The MediaCore license places HWDSB in a position of responsibility, not me. See http://www.mediacore.com/legal/terms/ section 4.3 – additionally, I would refuse to sign this document as it removes my right to validate that the service is delivered as contracted.
    • Desire2Learn/Brightspace are quite clear (2nd paragraph under heading “If you are an enterprise user”) in stating that this Privacy Statement does not apply to the end-user.
    • The ExploreLearning document states clearly that the responsibility for activities on the account remains with the User. It is unclear how authentication and authorization are handled (e.g: Single Sign On / SSO, per-site username/password) and whether or not my child (and myself – as you are asking me to sign) remains in sole possession of the password or other authentication credentials.
    • The EduDentity Service Agreement refers to “Sections 9 and 10” which are neither included nor available by link.
    • The Turnitin.com Agreement specifically restricts the use of the site to those aged 14 and older. Neither of my elementary aged children may use this site. And I find both their business model and the reliance upon their service to be morally reprehensible.
    • I am ineligible to sign off on the VoiceThread agreement. Point 1. of the Basic Terms limits signatories to “K-12 Educator or Administrator”
    • Total page count:
      • Google: 3 pages, no mention of PIPEDA (privacy between me and Google) Correct link is 4 pages.
      • Microsoft Office 365: 2 pages
      • Microsoft: 15 pages
      • Microsoft Windows: 4 pages
      • Mediacore: 16 pages across 5 links
      • Desire2Learn: 11 pages
      • ExploreLearning: 8 pages
      • Edudentity: 2 pages
      • Turnitin: 5 pages
      • Voicethread: 7 pages
      • Creative Commons (either 4.0 or 2.5ca – legal code, not summary): 5 pages
      • Total Pages (worst case) 79 pages
    • You are requiring me to read and comprehend not only the 3 pages of the AUTC, but also the 79 pages of incorporated material.
    • You have not included the additional 24 pages of material required by Apple Canada (https://www.apple.com/legal/internet-services/itunes/ca/terms.html) should the use of any iOS device with an active iTunes account be utilized.
  • Section 2 (Privacy and Collection of Personal Information)
    • I cannot understand how this section ended up buried in the middle of the document – it doesn’t belong and the references to “Manager of Corporate Communications” should properly be references to the (legislative description) “head of the municipality”.
    • All of the noted cases are covered by the Consent to the Release of Personal Information for Students Document that I have already signed. The extension of Photograph to Video is one that should be made on that form rather than as an adjunct to this form.
  • Section 3 (Creative and Academic Works)
    • You are incorporating by reference a license to copyright which is not applicable in Canada – the link you are looking for is actually: http://creativecommons.org/licenses/by-nc-nd/2.5/ca/legalcode.en
    • It seems that the second “checkbox” is in conflict with the previous section as I have now agreed in the third (slightly) different way to the identification of my child to external parties.
  • Section 4 (Liability)
    • Firstly, clean up the page break (see attached PDF) so that “Liability” does not appear alone on the bottom line of the previous page.
    • The paragraph identified as “(a)” refers to “appendices, or any applicable HWDSB policy”:
      • Which appendices – I received three pages total.
      • Who determines applicability of which policy?
      • Is the list (and content) of policies fixed at the time of signature?
    • The paragraph identified as “(b)” requires a adherence to “the standards of behaviour set forth in Appendix A hereto”
      • Drop the fake legalese – it diminishes you while failing to enhance meaningful understanding
      • Provide the Appendix. You wouldn’t sign any other legal document that does not provide all of the information.
    • Signature Block
      • I assume that the first section of the block (Student Signature/Witness/Name) is for cases where the student is of the age of majority. If so, it should be labeled. If not, it’s a curiosity as my child cannot sign it and you hold a standard for “witness” which you do not hold for a parent in the subsequent block.

    Please feel free to either discard or forward this information as you see fit. I would hope that the organization is still capable of thoughtful self-analysis and can see that the torrent of poorly thought out and designed forms sent home is getting to the point of ridiculous. The amount of implied consent granted because we commit to you our most precious and priceless asset on a daily basis is sufficient.

    As I have a number of times in the past, I offer my professional services at zero cost to aid you individually in classrooms, within the school and across the board. It would be nice to have things start to make sense – especially as you struggle with the technology deficit that Ontario schools have suffered from dating all the way back to the CEMCorp / Burroughs-Sperry / Unisys ICON era that I so tearfully remember as a complete and utter waste.

    I know that this suggestion will not be acted upon. We’re not new to the institutional insanity/hubris of the HWDSB. That’s the most damning thing I can say and I’m sorry for both you and our kids that we are so accepting of mediocrity.

    Have a great school year and if there is any thing I can do to help, do not hesitate to reach out.

    The AUTC (PDF Scan)

    Posted in: articles