A few months ago, I gave a talk at BSidesLV on the state of security in education technology. My talk, #edsec: Hacking for Education, isn’t a hacker talk in the truest of senses— I had no l33t, sophisticated hacks to show off, no beautiful backdoors into well-maintained code to make my point. Instead, I went the route of discussing the lack of security standards, the dire state of security awareness among educators, the deplorable state of school infrastructure, and the security-averse attitude of developers within education technology.
I should have written this post months ago— I am thankful for a lot of people who helped me get through my first-ever talk at a national conference— but I’ve been struggling to overcome an awful, awful feeling in the pit of my stomach after I finished my week away at hacker summer camp. After being surrounded by people who discussed securing the critical infrastructures that make our web work, protecting medical devices from attack, and preparing for the Internet of Things that is to come, I realized that I didn’t go far enough.
Amid all of the talk of securing critical infrastructures and strengthening frameworks and protocols, I couldn’t help thinking about education. What is going to happen as we put more and more of education, a critical social infrastructure, online? What happens when we take an entire generation of students, watch their every move, and put all of that information online? What happens when some of that information, coming from technologies that resemble surveillanceware, isn’t properly secured to protect a student’s privacy? What happens when we do all of this without giving any thought to security?
In the past few months, student privacy advocates have been extraordinarily busy fighting about how best to take care of student privacy. But amid all of the promises, pledges and pacts being made between parents and edtech companies, there has been absolutely no conversation about setting bare minimum security standards for school networks, educators and developers to ensure student privacy. They’ve all agreed they’ll get to it someday, but the main point of contention is the sale of student data, not the fact that the threat model facing educators (free account required to read) includes more than data miners and advertisers itching to get their hands on whatever they can. The ugly truth of the situation is that we can sit around all day long and agree that student privacy should be protected, but security is what we implement to ensure privacy for students, parents, and web users, and avoiding serious discussion about it only makes the problem worse.
In the time since my talk, I’ve been relieved to see that some of the companies handling student data get it— I can name two— and they’re even receptive when I email them and tell them where their security policies need work to be useful to educators. But for so many others, the attitude is still, “Do we really need to talk about HTTPS again? We don’t hear demand from our users for it, no one cares about kids’ grades!” when the right thing to do is to build security measures in from the ground up. (Of COURSE you don’t have demand for HTTPS/TLS; most educators don’t know what it is or why it’s important!) The earlier we implement security measures, the better, and falling back on the tired claim that there’s “no demand” for 2-factor auth or sitewide encryption is no longer an acceptable excuse for not building them into whatever you’re selling to schools.
Even if education isn’t doing the job that it was promised to do (remember when education was supposed to be the great social equalizer? yeah. that.)— even if it is falling apart at the seams and it is awful and it sucks, it is a critical public infrastructure that is moving online through private investment at a breakneck pace. When I look at the security industry, so many people seem to care only about the really big, mind-blowing hacks— who pwned Verizon what year and how— all the while ignoring important and vulnerable technology-reliant systems that are used to make big life decisions for people right under their noses. If anyone can help this mess, it’s not just parents asking questions and teachers adopting strong infosec practices in their classrooms: we need talented security researchers and engineers to find out whether these tools do what they say they’re doing, and whether they’re protecting our kids the way they should be protected. **** Until we have a serious discussion about adopting bare minimum security standards, we’ll continue to live in a world where the average social media user’s posts are more secure than most student data— and that’s not okay.
**** In the case of Edmodo, a curious parent who was a Cisco engineer pointed out privacy and data concerns affecting its 30+ million users at the time. Not every parent has the technical skills to do this, which is why we desperately need those who do to get involved.
One thought on “On #edsec: Education’s massive security problem”