Week 12 – Privacy & Security

Toronto’s Public Library, the self-proclaimed busiest urban private library system in the world, experienced a setback when their computer systems went down in October of 2023. Four months and one million un-shelved books later, the TPL is still recovering from a ransomware attack that stalled its services and compromised the personal data of every employee.

Welcome to the W12 topic of privacy and security! This module is designed to be followed in order, either through the sidebar menu or by progressing through each page and using the next buttons. Within this topic, you’ll find two main activities along with an optional third activity that truly encompasses the spirit of “ventures in learning technology”.

Our main goal is to facilitate a deeper understanding of how privacy and security are crucial within your organizations (Activity 2) and also shed some light on how these concepts apply both personally and in broader market contexts. By exploring this content, we hope you’ll uncover valuable insights that can enhance your approach to privacy and security within your professional/educational environment.

As you navigate through the material, keep an eye out for an “easter egg” or a hidden page that adds an element of surprise and discovery to your exploration. Plus, our Activity 3 features an interview with one of the creators of the venture. We look forward to engaging with your thoughts and feedback as you delve into the world of privacy and security.

W12 – Privacy & Security

- Emma, Noor, & Andrew


18 responses to “Week 12 – Privacy & Security”

  1. nstokes1

    Hello Emma, Noor, & Andrew,
    Thank you for your OER on Privacy and Security. It was really interesting! I will first answer one of your questions and then move on to the notes I took throughout exploring your website.

    Dr. Leon Geter shares that the weakest link in cybersecurity is the human. Do you have any personal cyber-aware techniques you want to share?
    – Leon Geter: “Hackers hack because that’s where the money is”. I think this is so true and it relates to this video by John Oliver: https://www.youtube.com/watch?v=pLPpl2ISKTg&ab_channel=LastWeekTonight This John Oliver clip from Last Week Tonight is a great example of internet safety and how it is actually humans who do not do their due diligence, and hackers end up manipulating people’s emotions and weaknesses to take their money or weasel their way in.
    In my last school we actually had our IT department run simulations, and they would sometimes send us emails with links; when we opened them, it would tell them that we did not do our due diligence, and it also showed them what areas they needed us to learn more about to protect the sensitive information of our students and families. I fully believe what he said about how people are the cause of data breaches, not the tech behind the data. My family and I have actually developed a codeword, as there is a rise in AI voice cloning and there are more and more examples of people believing their family member was kidnapped or who need money quickly to pay for something, but it is a scammer who cloned your voice and made your loved one think you are in danger or need money. They then get your credit card information and run with it. This is a very clear example of how humans are a big factor in data breaches.

    W12 Privacy & Security
    TED Talk Fred Cate
    – Being able to control how and when our data is used versus the millions of data points they have on each person, and how deeply this data controls what we are exposed to.
    Privacy notices and consent. What actually happens if someone violates consent of recording or use of data? The punishment is much smaller than the crime should be. Consent in data collection is an illusion. You do not have a choice but to agree. I found when traveling in Germany that when I said no to their data collection I still had access to the sites, whereas in North America if I said no, I did not have access to the site.
    Ask the consumer if it’s okay to defraud them – great quote. If they collect my data and something goes wrong, then they should have to make it up to me or be punished in some way.
    Consent in privacy protection needs to be meaningful, timely and consistent. Not just a blanket yes and they have power for the rest of time.

    I think some of the more terrifying aspects of the types of breaches that could happen, and some that have happened, are just the tip of the iceberg. I think that educating the masses about how to protect themselves and their data is integral to our current societal and global landscape.

    Thank you for your OER and it has really made me think more about privacy and security.


    ( 1 upvotes and 0 downvotes )
    1. Andrew

      Thanks for participating and thanks for sharing your thoughts! Consent is absolutely an illusion, especially when presented through dark UX patterns.

      I love the idea of a codeword. I floated around that idea with my family, especially with my grandparents who are definitely more susceptible to these scams. Locally, Pat Foran from CTV does a segment called “On Your Side” that often covers common scams to alert citizens in the GTA. My uncle works in IT for a large steel company in Hamilton and he conducts phishing tests on his own employees as well – funny you bring that up!

      Watching the John Oliver segment reminds me of my time working at TD Bank. Even back in 2012 we had clients coming in because they were scammed out of money. There was always a delicate balance of responsibility between the institution and the user. It was difficult to serve customers and keep them happy while also doing due diligence to prevent breaches of privacy and fraud. This is even more scary as in the last 10 years currency moves faster digitally and we have the emergence of cryptocurrency.

      Overall, your comment and resources have made me reflect upon the fact that at the end of the day, real humans are getting hurt when privacy and security are compromised. So what are the repercussions? Apparently, not always much. Tim Hortons violated privacy agreements for customers who used their app and the settlement? One free hot beverage and one donut for each user.


      ( 1 upvotes and 0 downvotes )
      1. nstokes1

        Hello again Andrew,
        I think you have hit the nail on the head in terms of the balance of responsibility between the institution and the user and what the “payout” is when it is clearly the institution’s fault. Personally, I think my safety and privacy is worth at least a dozen donuts but hey ho. (I was joking and hope that came across!). Privacy is such a difficult issue in this day and age and the fact that it is only now that I am able to find apps and websites that will try and find out my personal data that major corporations are selling and benefitting from for advertising, tracking, and so many other elements of my daily life. The fact that I cannot profit from selling my data but others can is so strange to me.
        We need to find ways to protect individuals but also I believe that laws and society need to see this as important and make necessary changes so our structures see the value in protecting individuals and also for punishing organizations which do not protect our information to the level they should.
        That is very funny that your uncle also does these phishing tests on his employees. Our IT department found it really valuable to see what areas people needed more support or education for how to protect the company and school.
        Thank you again for making me think more deeply about this topic.


        ( 0 upvotes and 0 downvotes )
  2. delapena

    Hello Emma, Noor, and Andrew,

    Thank you for putting together this OER. I will be answering the following question:

    When do you encounter or engage with these privacy policies or guidance, and how do these interactions influence your ability to perform your job effectively?

    In my Band Classes, I use FIPPA to guide my practice. For example, when I have concerts, I usually get a request(s) from parents to do a live stream. In order to do a live stream, I need all of my students to give consent for their faces and names to be in the video and if a few students have ticked the checkbox to no, then I don’t do the livestream. We have a media consent form that we send home with students to be reviewed and signed by the student and parent. This form informs parents and students that the district requests permission to use their face and name in the media or on our district websites. This can be a bit frustrating when I’m dealing with all of my student groups (8-12) but if it is only one of my groups, then I can ask for parental permission, especially for festivals. The only thing I can’t control is when parents record the concerts.

    On another note, like your OER, I take privacy very seriously. I am conscious of what I do in my school life for me and my students and as well as my private life. It was a nice layout and very informative. Thank you again for putting this OER together!

    Jeremiah


    ( 0 upvotes and 0 downvotes )
    1. Empch

      Hello Jeremiah,

      Thank you for your thoughts. Glad to hear you liked our work. There really is the need to get every student’s consent before proceeding with something like live streaming. I can see how this can be frustrating, especially when dealing with many student groups. Have you had to cancel live streaming last minute if a student changed their mind last minute? You mentioned “faces and names”; what about voices? Or is this even applicable to the concerts? You mentioned that you can’t control when parents record the concerts. Are students and parents informed about this (very likely) possibility?

      Emma


      ( 0 upvotes and 0 downvotes )
  3. meagan kelm

    Thank you group for your OER. A very important topic that impacts all of us and will continue to do so for generations to come. I feel like it wasn’t until the last decade or so that people have started to take notice of where their information is going, who has access to it and what these parties are doing with it. In another MET class a student did a project looking at data privacy and talked about the future and of your personal information. There was a discussion about the idea of our information being a currency and what the future could look like if our personal information was bought and sold by us. It was a very interesting topic that highlighted positives and negatives of what could come as well as the responsibility we have to protect our data. I thought of this when I chose to answer question 4 in the activity. My organization deals with highly sensitive materials and privacy and security is something that is very important so I thought I would answer the question, do you have any personal cyber-aware techniques you want to share? I am sharing with the group strategies that the organization have been required to use in the past and ones my organization has started to use or experiment with.

    A few techniques we have used in the past included:

    – Hardware Security Keys which essentially acted as an additional authentication factor for accessing sensitive accounts or systems. These were physical devices we plugged into our laptops that provided an extra layer of protection against unauthorized access, particularly for high-value accounts. We had to use this mainly for when we were needing to access our network remotely.
    – File Encryption Tools/Software that are used to encrypt sensitive files and documents. This ensures that even if unauthorized users gain access to the files, they won’t be able to read or change the contents without the decryption key.

    Some newer techniques my organization has started to implement include:

    – Biometric authentication where we use retina scanners and/or fingerprints to access things. This adds another layer of security.
    – Encrypted communication platforms where communication is protected from interception and unauthorized access via encryption
    – Virtualization software creates an isolated environment for running potentially risky applications or browsing the web. This is used to help contain and mitigate the impact of malware infections or security breaches.


    ( 1 upvotes and 0 downvotes )
    1. Empch

      Hello Meagan,

      Thank you for your post about our OER this week. I’m curious what kind of organization you work at and how the newer technologies you are using fit into this organization. If you work with students, are students also using these technologies (i.e. biometric authentication, etc.)? Are you concerned about who is behind these technologies and whether your information (i.e. scan of your retina and fingerprints) is safe or not with them?

      Emma


      ( 0 upvotes and 0 downvotes )
  4. meagan kelm

    Hi Emma,
    I work in law enforcement so a lot of these technologies work with our organization and are important as we have a lot of information and data that has to be secure. I work specifically in training and with recruits so they don’t use this technology while in training but will use it eventually depending on the areas they go to work in. I don’t worry as much when it comes to some of this technology as I know we have a whole department and branch whose job it is to research and vet this technology before it comes out to the membership to use. I would say this is a positive because there is a whole team of people working on deciding what types of technology are good for our organization. I also have not thought about whether I am bothered by using this technology because I know that the risks that exist if I don’t use this technology may be worse than me using it.

    Meagan


    ( 0 upvotes and 0 downvotes )
    1. Empch

      You make a good point that the risks of not using this technology may be worse than actually using it. I tend to have a skeptical approach to technology, but it’s also important to trust those who are responsible for selecting appropriate technologies for use in an organization. Thanks for your thoughts.

      Emma


      ( 0 upvotes and 0 downvotes )
  5. sacree

    Thanks for your OER! This is an incredibly important topic and a concern of many of us daily. And those who are not concerned perhaps should be!

    Working in an independent school, and especially being close friends with our Director of Technology, has made me quite interested in privacy and security. As an individual, I’m always conscious of my online presence and my choices, and the reality of living in a world that steals my privacy regularly is frustrating – so thinking about my responsibility, my school’s responsibility, and my students’ responsibility in seeking to ensure we are as secure and private as possible is a hot topic for me.

    When do you encounter or engage with these privacy policies or guidance, and how do these interactions influence your ability to perform your job effectively?
    As a teacher at a school that works with a Google platform and networks that we endeavor to keep secure, I encounter privacy and security guidelines regularly. We are directed to ensure that school-related productions and devices are logged in using our school-provided profiles, that we use the staff wifi account at work to take advantage of all the safety measures put in place, and that we never share passwords (especially with students), etc. Teachers have the ability to select add-ons and apps, however, we receive PD in avoiding risky scenarios. We are asked not to log into our School Management System on public wifi networks as we are quite aware of the risk and realities of malignant access. There are policies and procedures in place to minimize risk. I don’t think about this as limiting my ability to perform my job effectively – it’s simply a reality and I make my technology decisions with all this in mind.

    Dr. Leon Geter shares that the weakest link in cybersecurity is the human. Do you have any personal cyber-aware techniques you want to share?
    Humans are absolutely the weakest link, and a great deal of common sense is required. Obviously, common sense does not account for all, but human error is a great risk. Before taking or taking action, we need to pause, read closely, and consider the likelihood that something is legitimate. Our school has run phishing and spamming tests to see how aware our staff is, and it is shocking how many people are willing to click or purchase the requested gift cards and send an image of the number on it. As far as cyber-awareness, we’ve been trying to emphasize this common sense, human side of things. Would the head of school really ask you to go get him the gift cards? Does it make sense that you’d be asked to click that link? It’s certainly not a full solution, but it helps!

    Thanks again! A great OER!


    ( 0 upvotes and 0 downvotes )
    1. Empch

      Hello Sacree,

      Thank you very much for your thoughtful reply about our OER. I agree, common sense is a step in the right direction. My concern is that common sense might not always be so obvious in some situations. There are creative ways to make things appear legitimate and convince people to share personal information. Furthermore, each person’s level of common sense can vary. Some members of the population are more vulnerable than others – like children and people with cognitive impairments. Another thing that comes to mind is that the online world is relatively new territory. It may be a bit of a learning curve for many people to understand what common sense means in this online world. With increased awareness of protecting one’s online privacy and security, I believe we can develop common sense skills to help us stay safe online. I appreciate you bringing up this idea of common sense.

      Emma


      ( 0 upvotes and 0 downvotes )
  6. Bianca Therese Joson

    Hi Emma, Noor, and Andrew!

    This is a great OER. You picked great topics for each section. There’s definitely something for everybody to relate to. You went above and beyond for the last sections where Andrew recorded a mini-interview.

    I really liked the video you picked about AI in privacy. I didn’t realize that cyber criminals can insert malicious code into the answers that the AI spits out. There’s also definitely misinformation with the answers given by AI. It is why we should always fact check. In terms of the advantages that AI can bring, I like the part where the host discusses that the AI can examine the weaknesses within a system. It’s better to be proactive than reactive.

    I chose to respond to the question regarding cyber-aware tips under Activity 2 (Policy Hunt). I think the TED video that you chose for that section is really great as it drives the point of being always careful when using the internet. One should also always be aware of their surroundings at all times. Both points are top of mind in my workplace.

    I work in the aviation industry so the materials I handle are safety critical. The company I work for periodically releases tips about cyber security and we have to complete online modules to brush up on our cyber security awareness. Here are some tips that have been discussed.

    1. Never hold the door for anybody when entering or leaving the building. They must use their own credentials to access the building. Cyberattacks can also happen through a physical intruder in the building.
    2. Never let anyone use your ID cards or know your passwords to any account.
    3. When travelling for business, we are reminded to always take our laptops with us. If there’s theft of any kind of company property, report it to the IT department immediately.
    4. Be aware of phishing emails. We are constantly reminded of the common signs within these kinds of emails and sometimes the IT department sends out phishing emails to us to test if we are reporting them. In general, the company tries to educate its employees about social engineering attacks.
    5. Reviewing sharing access to certain files periodically. Practice revoking sharing access if that person does not need the file anymore.
    6. Changing passwords to accounts periodically.
    7. When conversing with a colleague, the company always reminds us to be mindful of where we are. We must always be in a private room or choose to go in a private room when in public or office if we have to discuss confidential company business.


    ( 1 upvotes and 0 downvotes )
    1. Noor

      Hi,

      Great tips, Bianca, and thank you for sharing this information.
      Regarding AI in Privacy, I have watched so many educational videos posted by IBM. It is really straightforward and important to learn about.
      We have also shared the video about the company that creates videos about security and privacy on our Privacy and Education page. Their page on YouTube is NINJIO. Each episode explains a different type of cybersecurity attack within various fields. Companies subscribe to their videos and educate their employees.


      ( 0 upvotes and 0 downvotes )
  7. aturpin

    Good Evening Emma, Noor and Andrew,

    WOW!!! Great OER! I find that these experiences have opened my eyes to so many new possibilities. Privacy and security is such an important aspect in our vastly growing digital world. I’ll admit, it’s something I take for granted at times.

    The question I would like to answer:

    How do you think the educational digital landscape and evolving privacy concerns will influence the future of privacy policies and data protection practices?

    I think that this is something that is, and SHOULD BE, changing all the time. Our own personal data is one of the most important things to us. It can be so easily compromised by the wrong people. What do these people want? Money? Information? The ability to manipulate one’s digital identity online is vast, and it’s very easily attainable. It seems that, as soon as we set up another level of infrastructure regarding security and data protection, it’s not long before online predators are able to get through it.

    In my personal case, as an elementary school teacher, I am dealing directly with minors. From what I see, they are using online applications all the time. Their identity is out there. It’s scary to think, but I have no doubt that their information can very easily be compromised.

    How will this influence the future? We need to be ahead of the curve. We need to be ahead of predators, of digital thieves. We must continue to be one step ahead of those who would threaten, who would compromise safety, security, finances, you name it. In many ways, the digital world scares me. Knowing that there are levels of digital protection out there is reassuring, but we need to continue to find new ways to stay ahead, to make sure that our most vital, sensitive information stays safe and protected.


    ( 0 upvotes and 0 downvotes )
  8. sam

    How do you think the educational digital landscape and evolving privacy concerns will influence the future of privacy policies and data protection practices?

    I think that keeping up with the evolving policies will always be a challenge. Generally, government policy changes are slow and cannot keep pace with the evolving technology. I think that organizations will need to increase their security practices and policies. I also considered what type of education will be required, introducing these concepts when kids are in grade school (creating an awareness early in their lives). I also see privacy and security training being a little more stressed within working environments.

    I work in a field that stresses data security, and one thing that I considered was the effectiveness of training. Over-training and ineffective training can cause these awareness programs to lose their impact and can result in complacency. I know that there is some online learning and distance learning that is required for my job, but that can sometimes result in the importance and severity of the learning being lost in a course where you are endlessly clicking through slides. With regards to policy development, you need to also balance the training/awareness and policy development (keeping in mind that changes to policies need to/should be taught). Policies are not effective if people are unaware or unsure of them.

    I really enjoyed your OER and the information you brought up within the project. Thanks

    Sam


    ( 0 upvotes and 0 downvotes )
  9. David Jalsevac

    Hi Noor, Andrew, and Emma,

    Thank you for the Open Educational Resource—it was quite an eye-opener with a lot to consider. The interview you did, Andrew, with Shane, in particular, made me aware of the broader implications of data collection and usage. After some reflection, I believe our school could benefit from a distinct privacy and security policy. Our current social media policy does emphasize the importance of protecting student identities, but I think it would be beneficial to have specific guidelines that clearly spell out preventative measures against data breaches. When I entered my school email into a data breach detector, no breaches were revealed, so it seems we’re doing something right.

    Recent discussions at my school have brought to light the importance of careful sharing of Google Drive folders within the organization, to ensure that the information is not misused.
    Our Tech Coach advised us not to put any names into ChatGPT. When we query ChatGPT, we don’t want to discover that it has learned a lot about our school. While this seems like common sense, I’m amazed at how often I have to remind myself to anonymize names.

    Common sense is crucial. An earlier version of this post contained more specific details about my school, which, upon reconsideration and in the interest of privacy, I have decided to withhold. Isn’t this one of the goals of your OER—to get us thinking in more practical terms about privacy and security? Well, this edit is a direct application of that newfound awareness.

    Thanks again for your OER.

    David


    ( 0 upvotes and 0 downvotes )
  10. Bradley Miller

    Hey Noor, Andrew, and Emma,

    Thanks for your work on the OER this week. Clearly, privacy and security are common themes across all the OERs we’ve seen during this course. It’s nice to wrap it up with this one.

    Working for a post-secondary institution, I took a closer look at our privacy policy and found it quite enlightening. It got me thinking about my interaction with privacy policies in the educational sphere. The policy on the website of my institution does a stellar job at breaking down why student information is collected, how it’s used, and the rigorous security measures in place to protect it. From restricted access to password protection, it’s clear that safeguarding student privacy is a top priority.

    In my role, I frequently engage with these policies, whether I realize it or not, particularly during enrolling students or designing courses with third-party interactives. Understanding privacy policies before integrating third-party interactives into course design is crucial for ensuring students’ information is handled correctly and they are not mistakenly exposed to something insecure. Often, students might just use a platform or digital tool just because their instructor recommended it, or if it is built into a course, and therefore, they may rely on blind faith believing it is secure. So, it’s ultimately important for instructional designers and anyone requesting the use of digital learning tools to ensure they are safe for participants.

    Having a solid privacy policy at the institutional level is important because when students know their information is protected, they’re more likely to engage fully with the services offered, from health and recreation to library and computing services.

    The way institutions outline the use and protection of student information sets a strong example. However, the educational digital landscape is rapidly evolving, and with it, privacy concerns grow more complex. Engaging with these policies is not a one-time event but a continuous learning process. It challenges us to stay ahead of emerging threats and adapt our practices to safeguard our digital ecosystem effectively.

    In essence, a good approach to privacy and security reinforces the importance of transparency and proactive communication in managing privacy and security within the educational sector and institutions. Encouraging an institution-wide culture of privacy awareness and compliance is essential. It’s a reminder that, as technology advances, so too must our commitment to protecting the privacy and security of our educational communities.

    Thanks for the thought-provoking resource!

    Bradley


    ( 0 upvotes and 0 downvotes )
  11. Braden Holt

    Hi Noor, Andrew, and Emma,

    Thank you for your informative and engaging OER. It is very interesting that teachers can bypass FIPPA with written student permission. My school had a lengthy argument last year as to whether we could store student data in our staff OneDrive or collect student data in Microsoft Forms. I found the argument rather frustrating since we discuss student information in our staff Outlook email, which stores data in the same place as OneDrive and Forms. This discussion was never fully resolved, but never once in the discussion did someone bring up that students could consent to FIPPA violations.

    I think these arguments will become more frequent as we implement more and more teaching software that has the potential to harvest enormous amounts of data on students. This could be behaviour, achievement, engagement, or any other type of data. Companies will look to sell this data if they have the opportunity and I find students increasingly don’t care if they give away information about themselves to corporations. I hope we can set the right safeguards and raise awareness among students to prevent a sad future where schools are mined for data benefiting corporations.


    ( 0 upvotes and 0 downvotes )
