When it comes to data storage in e-learning, leaked quiz scores are not the issue. Have you ever stopped to think about where your intellectual property is being stored and who may have access to your research or business plans?
According to Thomas Pilz, Activity Tracking xAPI software developer – a tool that allows big data from e-learning to be collected and used responsibly – despite Edward Snowden revelations about the NSA and other intelligence services around the world bending and twisting the law, as well as the arms of Internet services such as Google, Microsoft, and Facebook, to exploit and abuse data, lax user behaviour and convenience is the biggest threat to data protection.
In an interview with ONLINE EDUCA BERLIN, Pilz says learners need to tread carefully when outsourcing data and start demanding that their rights are respected and protected.
Q: What are some of the biggest mistakes education intuitions and organisations are making when it comes to data storage?
Most organisations choose to prioritise the bottom line in their balance sheets over security. Systems in use are often combining a multitude of tools and data storages whereby the actual user (e.g., learner) does not even know that his or her data ends up with some ‘cheap’ cloud hosting in places that today are known to have low standards of data protection rules and/or in general are lacking the understanding and respect of a high-level data privacy protection.
Besides that, the majority of systems in use we know of do not force the learners to use individually created usernames and/or complex passwords and they do not implement an additional layer of security, such as the ‘Two Factor Authentication’ (2FA), which requires an additional one-time-passwords for each login. The 2FA security layer is not the Holy Grail in terms of account security but it is an additional layer of security and the simplest thing to implement. However, software providers do not bother much about this and organisations fear the higher cost of a few pennies; hence, they don’t even think about demanding more security for the benefit of their customers.
The combination of saving pennies and convenience is lethal and the biggest threat to data protection and data privacy.
Q: What kind of implications can this have?
In the worst case, all stored data, the most problematic entrusted user data of an organisation and e-learning institutions, as well as all the ‘know-how’ or even sensitive research and product data are unwillingly shared or leaked to ‘God knows who’ in the world. When the actual score of how a particular learner did in a quiz, for example, is leaked to someone is the smallest problem in this scenario, but it should simply not happen.
Picture this: Corporation X or University Y is using an LMS with a built in author or content creation tool and the software application is provided by a US-based company using a US-based cloud service. Thereby the data of each individual user or learner will be revealed and accessible to a number of intelligence services around the world. Now say Corporation X is creating learning content aiming to increase product quality or sales. With this process Corporation X starts storing sensitive data and is probably giving away the ‘secret sauce’ their business success is built on. They will sooner or later lose the edge they have over their competition and ultimately this will harm their business. Or even worse, they might lose their research and development to some patent trolls, who make them pay for their own invention.
University Y is creating learning content and projects about their latest high-tech or medical research. Usually high profiled university faculties are sponsored by the industry to do the research work jointly or on the sponsor’s behalf, i.e., create and test some new method or product. In this case the university is leaking their science know-how ‘to the world’ and the sponsoring companies lose their investment, probably the next high-flying, money spinning patent in their field of business.
Q: How does xAPI help overcome these problems?
The xAPI is a tool that allows collecting data from all kinds of e-learning sources. The use of the xAPI is in fact producing a huge amount of big data. What protects data is the technical context in which xAPI applications and author or content creation tools and/or LMS that create xAPI compliant content are used in.
What xAPI applications can do for users is to enable them to control their own user/ learner generated data. xAPI providers are required to allow users to have their own accounts such as a Personal Data Locker to store and control all of their data created by xAPI based learning. However, this is again dependent on the technical context and in which location one operates, processes and stores all content and user generated data.
At present it seems as if all US-based services, as well as US companies that provide their service through a third party country are not the flavour of the day in terms of data protection regardless of whether one is using xAPI applications or not.
Q: Why do you think people are apprehensive to talk about this side of data security?
Well, I assume that a lot of people and organisations are afraid to end up on the wrong side of the ‘good book’ with government agencies and/or large players such as Google, Microsoft and the likes. An organisation or e-learning institution should be most concerned about the quality of the services they provide and how they can serve and protect, at best, the interest of their clients. More and more data protection and data privacy is becoming an asset and a real selling point for Internet based services. It’s the customer’s interest that ultimately adds to the bottom line or even guarantees the existence of an organisation or e-learning institution that ought to be put first. If that in turn means that one has to voice out and demand changes from large players then this needs to be done. If ultimately one has to stop using the services of major players, then so be it.
We do not run our business to please government agencies, large Internet services and hardware or software providers. We offer our services to provide top quality products to our clients. We must have the interest of our customers closer to our hearts than the agendas of anyone else.
You’re a specialist on the subject ‘the future user’ – how do you determine the needs of customers in years to come?
Today’s customers and the future customers allow business to prosper and strive to new heights. Any Internet driven business has to understand and respect the fact that without their customers and users they are nothing – zero and just an empty shell with some imaginary multimillions or even billions in stock market value. The customer’s money is the lifeblood of any service provider or company. I wish that customers were more conscious about the power they actually have to demand change, such as for more user-friendly products and services and, most importantly, the control over their personal and user-generated data.
Today, our costumers/users need to be more aware and educated about their rights and make better use of the power they hold. If an Internet service or software provider for example cannot guarantee and prove to be implementing the best available protection level to ensure the customer’s basic right for data protection and privacy then customers should exercise their rights and simply stop using them.
This again leads me to what I previously said: The combination of saving pennies and convenience is lethal and the biggest threat to data protection and data privacy.
I wish for a future user that is educated and aware about his or her rights and does not shy away to demand that his or her rights are respected and protected. Companies that live up to that standard deserve to have many customers and ultimately to prosper and strive on the rightful loyalty and resources of their customers.
Thank you Thomas Pilz for this interview
You can learn more about data security from Thomas Pilz, Sicher-im-Inter.net eG, at ONLINE EDUCA BERLIN