Open Source Security For Schools and Students
Image by vauvau on Flickr
The best way to ensure our children's school data is secure and private? Create open source standards for the software used to provide lessons and grades.
The theme for this issue, Security, was prompted by an article in the New York Times about a tech savvy parent who realized an online service used by schools, and his kids, was not secure. Their names and grades were transmitted across the internet in a way easily intercepted. While no one has proof that happened, the Times reported on the issue and did a decent amount of additional reporting on the topic. (The article, Data Security is a Classroom Worry, Too, is linked below.)
The reasons for the security problems, it turned out, were garden variety. The software provider had not installed an SSL certificate for the entire application, even though Google for several years now has encouraged website owners and software vendors to use SSL certificates. And even though many hosting companies that provide web site hosting services for these online services also provide SSL certificates. For example, the certificate for this site, hosted on a cloud, costs me $2/month for the IP address while the annual cost of the certificate is free.
(If you're wondering what an SSL certificate is, be sure to read the article in this issue.)
But there are deeper issues to consider here. Software vendors don't need to know the name of your child. They don't even need to know the school or state, for that matter. They may not need to know the grade level of the child taking their online course or using their technology. In theory, a teacher might let a bright student take classes one or more grade levels higher.
What software vendors do need is a unique identifier for each child. To be most secure, the school should have the ability to generate these identifiers, to control their creation and local use. Teachers and schools should be the gatekeepers, determining how the child is identified online, what courses they can take, as well as the ability to delete student data after some reasonable time. Definitely when the child graduates high school, perhaps earlier.
As a kid, my struggles in school stayed in school. Same for college. At each stage, I was given the opportunity to start over. My concern is our kids will not be afforded the same natural ability to grow that we had, and that is critical for personal growth. We grow by trying and failing, as well as doing dumb things and learning from our mistakes. School should be a safe haven.
Instead, if the child's name or identity can be stored online, out of local control, it is possible (some would say likely) our kids will be confronted in a job interview or other setting where someone has access to their intimate school data. Worse, in that scenario, they may never be given the opportunity to interview for a job based on what happened in school.
Today people are denied job interviews because of their photos on LinkedIn and elsewhere, as well as immature but regretted Facebook posts, both situations that were private before our digital age. Imagine if you have a job candidate’s name and can match the name to every grade, every teacher comment, every counseling session, and so on. While you and I can forgive someone and move on, such a world is unforgiving, lacking in humanity, compassion, and kindness.
Is that the world we want for our kids?
In the financial world, trading systems use a common standard to define trades. The standard is called FIX, or Financial Industry XML. Stakeholders in the industry worked together to define a common language their software can use to create, handle, and process trades. While FIX can be slow, and there are other options, FIX ensures any software vendor creating a trading system will be compatible with other software, for example, trading exchanges.
Educational software needs a similar common open source standard. A standard driven by schools and technologically savvy parents and teachers.
What would be in this standard? Here are some ideas, as a start point:
- What is the minimum amount of student data needed by online course vendors? Could it be one unique identifier?
- Software to be used locally at schools to manage creation, assignment, and use of unique identifiers for each student.
- Software schools use to connect, engage, and draw results from remote online learning resources.
- Software schools use to organize and display locally and securely the online learning results by student, course, and grade, among other criteria.
- Software schools could use to aggregate anonymous student results to send upstream to course vendors, for example, results by grade or age.
In this ideal world, software vendors would only have to grab the unique identifier for each student. They would use open source data standards to track the course outcomes and send results downstream to the school. Instead of reinventing the user identity and data storage wheel, course vendors could focus more of their time on developing unique course work. Developers also could focus on creating software and secure, easy to manage server environments to handle student data at the local school level.
Let's not only make software used by our kids more secure with SSL certificates, which was the point in the New York Times article. Let's go beyond and create a common open source standard to handle student data, a standard that protects privacy and gives control of personal data to the teachers and schools that know our kids best.
Then every software vendor providing educational tools can be assured their next great thing is compatible with software schools have. Schools can be assured they have total control over their student data and privacy. And parents can be certain their kids are truly free to be themselves in school, to try and fail at many things instead of living in fear somehow their data will live on for decades after they graduate. Our kids deserve the basic right to privacy we enjoyed before the internet. The benefits of the internet and the right to privacy can co-exist easily, if we choose.
As a former kid, and as a parent, every kid deserves the chance to grow up in school with no worries about the future impact of their choices in school. That's probably the true definition of security online: the ability to control your data locally, to limit your data to the minimum viable data set needed, and the ability to delete your data.
If you want to know what SSL is, and how to tell if a website is secure, read the article What is an SSL Certificate? in this issue.
Data Security is a Classroom Worry, Too
Also In The October 2013 Issue
An Interview with Troy Hunt
Troy Hunt is a software architect and Microsoft Most Valued Professional (MVP) focusing on security concepts and process improvement in a Fortune 50 company. He's based in Australia.
1Password, LastPass, RoboForm
If you use a password you created that is less than eight characters, your password is vulnerable to hacking. Here are three ways to create and use secure passwords online.
How to Write Secure Code
Coding securely doesn't have to kill the joy of programming. In fact, learning how to code securely provides insights into languages and computing.
How to Code HTML Email
How to code an HTML email like the ones you open every day turns out to be an offbeat software coding challenge.
What is an SSL Certificate?
How to tell if a web page is secure is one of the most basic yet least obvious ways to protect your data online.
Where to Find Command Line Interface Software
One key computing skill is the ability to use command line interface (CLI) software to enter commands to control a computer. Here are some options.
Lua is a comparatively simple programming language used in a wide range of places, from digital TVs to video games to phone applications. It's also designed to be simple to use and lightweight.
Here is how three programming languages handle a common problem: how do you organize and keep track of useful data?
Linux Command List for Command Line Interfaces
Some of the most common commands you'll need for a command line interface (CLI), in a Linux command list.
Computer science education cannot make anybody an expert programmer any more than studying brushes and pigment can make somebody an expert painter.
News Wire Stories for October 2013
Must read stories about computer science, software programming, and technology for September 2013.
Learn More Links for October 2013
Links from the bottom of all the October 2013 articles, collected in one place for you to print, share, or bookmark.
Pigeons on the Stairs
Here is a deceptively simple math puzzle at least 1200 years old.