Tag Archives: privacy

Moving to the Cloud? What should you consider?

This year our school has adopted Google Apps for Education. Sounds simple, huh?

Not so. Decisions to move your staff and students into Cloud Computing solutions are complex and in my view, require thoughtful planning and consideration. When I became Director of ICT and eLearning at the start of 2013, my first job was to implement a new Learning Management System. That was pretty big and was the main focus for much of 2013, but the early stages of that project coincided with planning starting around the possibility of a move into the Google Apps space.

Why Google Apps? Plenty of reasons, but here are just a few.

The collaborative nature of the docs – the way students can work together and co-create. The visibility of works in progress when shared with teachers. The ability to provide feedback and formative assessment easily at point of need, when students are in the process of writing. The cloud storage provided to users – 30GB for each user when you’re a Google Apps for Education school. Providing staff with a cloud storage option that sits within your domain, instead of having staff opening their own cloud storage accounts eg: Dropbox, and sharing school docs outside of a school domain. I’ll elaborate further on my reasoning in another post (and I promise I’ll get to it!!).

But before any decisions could be made, I needed to familiarise myself with issues surrounding Cloud Computing so that I could evaluate whether or not a move in this direction was right for my school. What did this involve? Reading, and plenty of it. I looked at Gartner and Forrester research and followed links shared on Twitter to business blogs like Harvard Business Review and Forbes. I needed to see where business was heading and explore speculation about the future of work and what might be required. I read countless articles about cloud storage and privacy concerns. And through all this, I was linking what I was reading to the education system and analysing how what applies in business translates to school environments.

Coming across Data Sovereignty and the Cloud: A Board and Executive Officer’s Guide, published by the Cyberspace Law and Policy Centre, UNSW Faculty of Law, was fortuitous. The report was sponsored by NEXTDC, Baker & McKenzie and Aon. NEXTDC is a data centre company, looking to become the biggest cloud data centre storage service in Australia. I have visited their Port Melbourne location, taking a tour through what is an impressive facility. Baker and McKenzie are a law firm and Aon is a global provider of risk management services. When you look at recent changes to Australian Privacy Laws you can see why organisations like this are interested in supporting research and policy reports of this nature. Australian Privacy Principle 8 deals with cross border disclosure of personal information – an area affecting schools and businesses if you use a cloud computing solution where the data is stored in overseas data centres.

The report raised many questions for me, and led to a 90 minute phone conversation with David Vaile, one of the authors of the report. Even at the end of that, I was no closer to firm resolve around the issues surrounding cloud computing and privacy. Within the report is reference to the Australian Signals Directorate’s (Defence Force) Cloud Computing considerations. Their discussion paper provides the following:

“…assists agencies to perform a risk assessment and make an informed decision as to whether cloud computing is currently suitable to meet their business goals with an acceptable level of risk.”

Contained within it is an overview of Cloud Computing considerations you can apply to whatever platform you are looking at implementing. In my case, this was Google Apps for Education. What I did was take this list (as follows) and then read Google Security Whitepapers and information about GAFE and found the information that addressed the following considerations.

  1. Cloud computing security considerations include:
    • My data or functionality to be moved to the cloud is not business critical (19a).
    • I have reviewed the vendor’s business continuity and disaster recovery plan (19b).
    • I will maintain an up to date backup copy of my data (19c).
    • My data or business functionality will be replicated with a second vendor (19d).
    • The network connection between me and the vendor’s network is adequate (19e).
    • The Service Level Agreement (SLA) guarantees adequate system availability (19f).
    • Scheduled outages are acceptable both in duration and time of day (19g).
    • Scheduled outages affect the guaranteed percentage of system availability (19h).
    • I would receive adequate compensation for a breach of the SLA or contract (19i).
    • Redundancy mechanisms and offsite backups prevent data corruption or loss (19j).
    • If I accidentally delete a file or other data, the vendor can quickly restore it (19k).
    • I can increase my use of the vendor’s computing resources at short notice (19l).
    • I can easily move my data to another vendor or in-house (19m).
    • I can easily move my standardised application to another vendor or in-house (19m).
    • My choice of cloud sharing model aligns with my risk tolerance (20a).
    • My data is not too sensitive to store or process in the cloud (20b).
    • I can meet the legislative obligations to protect and manage my data (20c).
    • I know and accept the privacy laws of countries that have access to my data (20d).
    • Strong encryption approved by DSD protects my sensitive data at all times (20e).
    • The vendor suitably sanitises storage media storing my data at its end of life (20f).
    • The vendor securely monitors the computers that store or process my data (20g).
    • I can use my existing tools to monitor my use of the vendor’s services (20h).
    • I retain legal ownership of my data (20i).
    • The vendor has a secure gateway environment (20j).
    • The vendor’s gateway is certified by an authoritative third party (20k).
    • The vendor provides a suitable email content filtering capability (20l).
    • The vendor’s security posture is supported by policies and processes (20m).
    • The vendor’s security posture is supported by direct technical controls (20n).
    • I can audit the vendor’s security or access reputable third-party audit reports (20o).
    • The vendor supports the identity and access management system that I use (20p).
    • Users access and store sensitive data only via trusted operating environments (20q).
    • The vendor uses endorsed physical security products and devices (20r).
    • The vendor’s procurement process for software and hardware is trustworthy (20s).
    • The vendor adequately separates me and my data from other customers (21a).
    • Using the vendor’s cloud does not weaken my network security posture (21b).
    • I have the option of using computers that are dedicated to my exclusive use (21c).
    • When I delete my data, the storage media is sanitised before being reused (21d).
    • The vendor does not know the password or key used to decrypt my data (22a).
    • The vendor performs appropriate personnel vetting and employment checks (22b).
    • Actions performed by the vendor’s employees are logged and reviewed (22c).
    • Visitors to the vendor’s data centres are positively identified and escorted (22d).
    • Vendor data centres have cable management practices to identify tampering (22e).
    • Vendor security considerations apply equally to the vendor’s subcontractors (22f).
    • The vendor is contactable and provides timely responses and support (23a).
    • I have reviewed the vendor’s security incident response plan (23b).
    • The vendor’s employees are trained to detect and handle security incidents (23c).
    • The vendor will notify me of security incidents (23d).
    • The vendor will assist me with security investigations and legal discovery (23e).
    • I can access audit logs and other evidence to perform a forensic investigation (23f).
    • I receive adequate compensation for a security breach caused by the vendor (23g).
    • Storage media storing sensitive data can be adequately sanitised (23h).
  (Cloud Computing Security Considerations)

This took some time. There were weeks out of my life in 2013 where I was living and breathing information regarding privacy, security and cloud computing. Believe you me, if you encountered me during this time, my conversation topics were limited and suitable only for a specific audience!

But, it was worth it. I had a document I could present to my Executive that helped us come to the decision that Google Apps for Education was suitable for our school environment. What I gained from this exercise was a thorough understanding of issues surrounding Cloud Computing and the information I needed to be able to speak confidently with my school community about the move we were making.

If you’re a school looking to move into the Cloud Computing space, then measures like this are necessary. If you’re an Australian school looking for links to assist you with the process, then take a look at the following.

Defence Signals Directorate – Cloud Computing Considerations

http://www.dsd.gov.au/publications/csocprotect/cloud_computing_security_considerations.htm

Data Sovereignty and the Cloud - a Board and Executive Officer’s Guide

http://cyberlawcentre.org/data_sovereignty/CLOUD_DataSovReport_Full.pdf

And if you’re looking to go Google, the following will help.

Google’s approach to IT Security – A Google Whitepaper

https://cloud.google.com/files/Google-CommonSecurity-WhitePaper-v1.4.pdf

Google Apps Service Level Agreement

http://www.google.com/apps/intl/en/terms/sla.html

Google Apps Documentation and Support – Security and Privacy Overview

http://support.google.com/a/bin/answer.py?hl=en&answer=60762

Google Apps for Education

http://www.google.com/enterprise/apps/education/benefits.html

Security Whitepaper: Google Apps Messaging and Collaboration Products

http://static.googleusercontent.com/external_content/untrusted_dlcp/www.google.com/en/us/a/help/intl/en-GB/admins/pdf/ds_gsa_apps_whitepaper_0207.pdf

It’s not over for me. The next thing to consider is replication of data to cloud storage. Off I am to the Amazon Web Summit next week in Sydney to explore that one a little further. ;)

 


Filed under Uncategorized

Helping students understand location settings

In the last week of school I had an opportunity to discuss with students from Years 7 through to 11 the importance of thinking about their use of Social Media while they are on their holiday break. There was a consistent resounding cheer when I mentioned they were about to immerse themselves in their various social networks when they finished school for the year and were in the enviable position of determining what it was they wanted to do with their day. For many of the students I teach, that means communicating with their friends over Instagram, Snapchat, Facebook, Twitter and Tumblr.

Sometimes I feel a bit like a broken record reiterating the ‘think before you post’ message, important as it is. I’m always on the lookout for articles, posts or videos that can help me tell the story that needs telling. I find video a really effective way of getting a point across, but it can be hard to find new material. Having a son who trawls YouTube for a living (or so it seems!) proved fortuitous on the weekend before my sessions. He had come across a Social Media Experiment conducted by YouTuber Jack Vale. It was perfect for the message I wanted to convey about making sure your privacy settings are set to friends only and turning off location settings on apps that don’t necessarily require them. Take a look yourself.

Before watching, I did preface with the students that the people in the video were expressing surprise and some of their reactions were bleeped out. It was fascinating watching their reactions during the short few minutes. Many of their faces echoed the expressions of the people on the screen as they realised that all of this information was shared publicly and these people could be found easily because of the location data embedded in photos shared in spaces like Instagram. It was effective across all Year levels, with many of the younger students coming to me at the end of the session to get help finding where location services was located on their phones so that they could turn it off in Apps not requiring it for functionality.

Sometimes we assume our students are savvy users of technology, but my experience tells me they often need direction. Finding opportunities to share and discuss information in our often crowded curriculums is difficult, but we need to make time. Parents are often not in command of knowledge like this and can’t provide necessary guidance. My message to my students at the end of the session was that there is a need for them to be informed users of technology, not ignorant users who can make serious errors by sharing information unknowingly. This means understanding dashboard settings of programs they use on their computers and general settings of devices such as phones that are a part of their everyday lives.

It was time well spent!


School’s out Friday

I’ve been missing in action lately.

Why?

Well, work is occupying a lot of my time right now. In fact, I’m working pretty much all day and then following up that with more work into the night. I’m consumed with getting my head around cloud storage, SaaS (Software as a Service) and the implications this has for privacy. It’s pretty intensive and has required some heavy duty reading. Do I feel like I’m settled in where I sit with my thinking around all of this? No, I’m not. I’m torn in fact, and being in this state means that I seem to do nothing but think about this all the time.

Yes, that is the life I lead folks. One consumed by my work. I counsel myself by knowing that this is a subject matter that needs pursuing, and answers need to be made clearer for schools who are signing up for Cloud based storage and SaaS. Hopefully, as things become clearer in my head I’ll be able to share my thinking here.

Time to clear the head and get some sleep, only to ponder more in the morning.

Enjoy your weekend. Grab some downtime (advice I should follow…)


How do you deal with a world that is messy? danah boyd at RMIT.

I had the privilege this afternoon to listen to danah boyd* deliver a talk entitled, ‘Privacy in Networked Publics’, at RMIT. danah is a Senior Researcher at Microsoft Research, a Research Assistant Professor in Media, Culture, and Communication at New York University, a Visiting Researcher at Harvard Law School, and an Adjunct Associate Professor at the University of New South Wales. I’ve long admired danah’s work, and regularly read her blog, danah boyd | apophenia. If you’re looking to understand what teenagers are thinking about when it comes to their behaviours in social networks, then danah’s research findings are the place to start.

danah presents at a blistering pace, and I took copious notes along the way. I’m not going to recount all of what was said, and you’ll be able to check into the RMIT website to listen to the podcast yourself when it is loaded there in the very near future. What I will do is discuss some of the things she said that resonated with me.

danah described teenagers’ participation in social networks as ‘social grooming’. We are seeing our children form and sustain friendships in public spaces on the Internet. I can vouch for this. When I was a teenager, I was out and about with friends on the weekend and after school, and my friendships were formed in what were public spaces, but often private in terms of my parents’ knowledge of what I was doing. The same can’t be said for my own children. They are home a lot of the time, escorted to events and picked up by their parents. Their social lives are lived in large part in online spaces like Facebook and through games where they play online with other kids they know. One thing I’m not doing is friending them in their networks. We have open discussions about their participation and I hammer home the need for control of privacy settings, but I don’t look over their shoulders and peer deeply into their social lives. I respect their need for their own development. They will make mistakes, I’m quite sure of it, but that’s part of the learning curve of life I figure. I know that I needed space to become my own person when I was a teenager, and they need the same.

danah talked of ‘bedroom culture’ being a feature of participation, and suggested it is a natural extension of what has always been. Once again, I could relate. The only space that was truly mine as a teenager was my room; it was where I practised the latest dance moves in front of the mirror, experimented with make-up, read, slept, did homework, and dumped my clothes all over the floor. It was where my friends and I went when they visited. It was my space and it was important to me. I watch my daughter and see similar patterns, especially the clothes all over the floor. She has a laptop and we have a wireless home connection. She spends time with her friends in online spaces in the environment that she owns. I respect her need to do that. It’s her space, and it’s important to her.

danah made some interesting points about kids she has interviewed who have their parents as friends on sites like Facebook. She talked of teenagers ‘hiding in plain sight’. One teenager’s comment was ‘everyone disappears after the Mum post’, referring to parents who reply to their kid’s status updates. danah made reference to coded messages teenagers use to achieve a level of privacy for themselves and admitted that even she, who spends so much time examining these networks, can’t work out the coded nature of wall posts. Her overarching message was a need for open dialogue with your children, and a level of trust. She spoke of how kids today are learning to live in a world of surveillance, and are trying to carve out a level of privacy for themselves in these environments. Some have moved away from the very public Facebook to networks like Twitter, where they can make locked accounts and add only who they want into their network. There they feel more sure that what they say will not be escalated to wide scale broadcasting, and nor will they have people they don’t want peering into their conversations.

Her comments on the idea of sexual predators online were really interesting. She said, if my notes are accurate, the ‘Sexual predator statistically doesn’t exist’. The point being, there are few of these instances occurring given the fact that 93% of teenagers are operating in social networks of one form or another. She spoke of conducting 400 studies with all the evidence pointing towards less danger in online spaces than what was imagined, and was told to go back and conduct more research! What we do see is our television and newspaper media honing in on incidents and giving the impression there is danger in every interaction online. She spoke of Australia being “one of the only places competing with the US on fear mongering”. Strong words, and quite possibly, the truth.

danah spoke of how she sees us grappling with a culture of fear and it intersecting with the attention economy we find ourselves living in. Her final points were prompted by a question from Camilla Elliott about how we as educators deal with all of this in schools today. She spoke of the necessity for digital literacy teaching in our schools, and stressed that we should be looking at it with a health and wellbeing focus in mind. She said there is a case for teachers violating the rules of Facebook and setting up second accounts, separate from their own personal accounts. You would share the password to the account with your school principal. Here, teachers could accept friend requests from students, but not request that students become their friends. This space would be where teachers could operate with an eyes wide open approach to safety for kids. An interesting thought, one that would certainly be at odds with much of what is recommended to teachers today in terms of Facebook use.

danah asked the question to us all, “How do you deal with a world that is messy?” Some of how we go about doing that is looking to the kids themselves and noting how they are managing their online lives. For those of us dealing with this head on in schools, I think it’s about dialogue. It’s about making time in our curriculums to have these conversations, it’s about creating safe spaces where kids feel OK about sharing their concerns, it’s about using social tools/spaces within curriculum so we can model behaviours. It’s a big job, and we need people to do it. That means we need teachers who are willing to be well versed in social networks themselves, and who are willing to commit themselves to learning from experts like danah who have spent years immersed in their understanding.

Thanks danah, for a stimulating presentation. Neurons are firing. I hope what I’ve written here is true to the intentions of your presentation. Please do correct me if there is anything here I have misconstrued.

*Why is danah’s name always in lower case? She explains it on her ‘about me’ page.

My birth name was “danah michele mattas” (spelled all funky because my mother loved typographical balance). Two years later, my brother Ryan was born. My parents divorced when i was five and my mother, brother and i set off for York, Pennsylvania. My mother re-married when i was in the third grade and we moved to Lancaster. Shortly afterwards, all of us changed our name to “Beard.” My mother and step-father divorced when i was in the 9th grade, but we stayed in Lancaster. In college, i changed my last name to “boyd” to honor my grandfather. When doing the legal paperwork, i switched back to a lower-cased style to reflect my mother’s original balancing and to satisfy my own political irritation at the importance of capitalization.


Freedom vs Control – important lessons to be learned

Cyber crime expert Mikko Hypponen delivered a talk at the TEDxBrussels event that has made it this week onto the TED site. If you’re at all interested in conversations surrounding privacy in this digital age, then it’s 10 minutes well invested.

As teachers, we need to understand the implications of our use of the Internet and we should be helping our students understand it too. Mikko makes the comment in this talk that he believes you are more likely to become a victim of crime in the online world than in the real world. How many of us think about whether or not trojan viruses have infected our computers after visiting a site? Do we ever think that our keystrokes may be being monitored by a criminal hoping to gain password or credit card details?

How many people have any understanding of what an https site is in the first place and how you know if a site has an extended validation certificate? If you’re unclear, head over to “20 Things I Learned about Browsers and the Web”, a really helpful guide written in easy to understand language that won’t befuddle you. It was published by the Google Chrome team in 2010, and is a very handy reference point for anyone wanting to know more about the code, browsers, security risks, and a myriad of other eye opening details about how the Web works. I teach a Yr 7 Information Technology class and I’ve found it very helpful to support my understanding, and the understanding of the students I teach.

Mikko identifies three types of online attacks threatening our privacy and data: those from criminals, looking for avenues to steal our money; hacktivists (groups like Anonymous), who hack as a means of protesting; and nation states, who are apparently willingly infecting suspected citizens’ computers in order to collect information about them. Worrying, huh? I think so, and I believe it’s important that we as teachers impart this kind of information to our students. We need informed citizens who are capable of making decisions and defending their rights.

Mikko ends his talk stating the issue at hand is ‘Freedom vs Control’, and speculates whether we will spend the next 50 years wondering if we are able to trust our Governments. He’s got me thinking, I can tell you. I bet your students would find it fascinating too. We need to find avenues in our curriculums today to teach these important understandings that have implications for all of us.


Explaining Evernote


I’ve had an Evernote account for some time now, and really think it is one of the best organisational tools available. I love that it exists as an account I can access from any computer, anywhere. I love the desktop version that sits on my Mac. I love the web clipper add on that I use with my Firefox browser. I especially love the Evernote apps I have downloaded to my iPhone and iPad that enable me to get access to what is stored on Evernote and also enable me to add to the account easily. I love that everything syncs so quickly, and that I can use it without an internet connection knowing that it will sync once an internet connection has been established.

I created this screencast recently about Evernote and thought some of you who know nothing about it might benefit from watching it. It is by no means an exhaustive account of what it can do, because truly, I know I haven’t explored everything it is capable of doing. I ran a Staff PD about Evernote and Dropbox after school last week, and people who came were very impressed with the potential it has for education, and their own personal management of data. I would love to see us introduce Evernote to all of our students, and start them really thinking about how they can use it to manage class projects, or save data from whiteboards or even their handwritten notes. It is part of my plan to try and get this happening at my school, and staff members who attended tonight’s session seemed to be in agreement that this would be a positive thing.

One thing that people are wary of is storing their data in the cloud (on an organisation’s servers). There has to be a certain comfort level you have with releasing your data to someone else to store it for you, and people do get concerned that other people (hackers) might be able to access their documents or notes. Dropbox has been under fire in the past week, for a bug in their system that caused a security glitch that allowed people to log into any Dropbox account by typing in any password at all for a period of four hours. Even prior to this unfortunate ‘glitch’ Dropbox have been criticised about their levels of data security.

I think we all have to be mindful that when you host your data elsewhere, and for free, you have to accept that with convenience comes some cost. That cost may be that companies hosting your data could give some of it to Government agencies if it’s requested. It may be that you leave yourself open to hackers who seem intent of late to usurp the claims made by cloud storage companies that data is safe. I certainly love the convenience of being able to access data across multiple devices, but I’m certainly not going to be storing any sensitive documentation there that I wouldn’t want anyone else accessing.

This is part of the game that is the World Wide Web now. Know the rules before you start playing is as good advice as any I’m guessing.


Revisiting the Digital Footprint message

Today, I delivered a presentation to our Year 11 students about how they conduct themselves in online spaces, to ensure their safety and to cultivate a positive digital footprint. I delivered a similar presentation to this same cohort in May last year, and I thought I might be flogging a dead horse. I was wrong.

They listened intently, asked serious and thoughtful questions, and even provided examples themselves of people who had had reputations damaged due to poor understanding of the magnification of information shared in social networks today. I thought I’d fall short with information and have to fill time, but I was struggling to get through what I wanted to cover.

One of the things I wanted to cover was Facebook’s places feature. My guess would be that the majority of them weren’t using it, and had no idea that their friends could check them into locations unless they disabled the feature in their privacy settings. I used the following lifehacker video to demonstrate what they needed to do in Facebook to opt out of the feature. It helped me too. I lead a very transparent life, but I don’t want to use the places feature and I don’t want to be checked into places by friends in my network. It’s not a straightforward process. You have to find the customise button and find the page where the settings need changing. The lifehacker video explained it very clearly and I followed those instructions to meet my requirements. The students watched it intently, and it’s my guess a number of them will be looking at their privacy settings tonight.

It was nice to receive words of thanks and a round of applause at the end of the session. It’s made it very clear to me that these messages need repeating and reinforcement in our teaching practices.
