UP NEXT: Flipped Classrooms- Old or New?
Tomorrow's Teaching and Learning
---------- 1,965 words ----------
"Private and Secure" Online Classes?
Several years ago I (first author) became aware that an uninvited "guest" had spent some time in an online course. This was surprising, because the course instructor had proactively blocked the entrance of "guests," and no unauthorized person was listed on the course roster. Most concerning, was that the "guest" had focused their lurking activity on the students' self-introductions on a discussion thread.
I realized then, that the obligatory "log-in" and suggested "log-out" rituals that are associated with proprietary course websites promote an inflated sense of privacy and security -- implying that access to a course website is restricted to registered students and assigned course personnel. In reality, course privacy and security are multi-layered, with a host of vulnerabilities.
To what extent is a course website private? That depends upon the instructor's course practices; student behaviors; guest access; the academic institution's policies, procedures, and computing systems; characteristics of the course website; privacy practices of the course management system's commercial vendor (especially when the course is housed on their servers) and the privacy and security of the Internet carrier. This question further extends to the online services offered by a textbook publisher and ancillary communication technologies such as Voice over Internet Protocols (e.g., Skype; Face Time).
Risky Faculty Behaviors
Well intentioned faculty members can engage in risky behaviors that compromise the privacy of an online course. This includes the viewing of course grades and assignments over an unsecured wireless network. It is not uncommon for a faculty member attending an academic conference to admit prolonged use of an unsecured Wi-Fi network to access their course website. They might do so because their hotel does not offer a secured option; the fee for multiple days of use is too expensive and/or unreimbursed by their university; and/or the sole option for (assumed) secure access is inconveniently restricted to the hotel room.
Some faculty unwisely structure assignments in such a manner that students feel compelled to reveal information in class-wide posts that they would not otherwise post to a public website. This includes content concerning their employment experiences, clients or patients, family members (including minors), health status, religious, and political views, and even past and current behaviors.
Risky Student Behaviors
Students often access their course sites via unsecured coffee shop networks. It is common practice for them to view recorded instructor lectures, and post on discussion boards. Students also engage in small group work and take quizzes and exams via these unsecured networks.
Third Party Security Issues
Many academic institutions house their course web sites on their own secured servers. However, others contract with third party course management vendors to house the content. Moreover, students may use third-party vendors outside of the course management site to facilitate group communication --sometimes at the instructor's suggestion. It is important for all academic stakeholders to review these vendors' privacy policies. Given that it is a rare student who would independently seek a privacy statement to review, we recommend links to such policies in a course's "Privacy Statement." To their credit, each of the major course management systems we surveyed posted one or more privacy policies on their corporate website. However, it must be cautioned that stated good intentions do not insure that explicit policies will be upheld.
Instructor Based Preventative TacticsThoughtful and vigilant instructors can serve as a first line of defense against potential assaults on course privacy and security by deploying the following safe instruction practices:
1. Anticipate and Prevent Content-Based Privacy Violations
There is some degree of risk for privacy violations in both on-campus and online classrooms. Even after receiving stern warnings, it is difficult to ensure that a student in an on-campus classroom will not illicitly record the faculty member or a peer and subsequently post the content. A student in an on-campus classroom might erroneously share a client's protected health information in a term paper, discuss a minor's (by name) educational status, or relate a circumstance that could compromise their own future employability. We expect that students will make unintentional mistakes, and hope that the classroom (and paper shredders) will provide a safe haven for such circumstances -- assuming that no future plans for criminal activity are related.
However, the online course website can be far less forgiving than the on- campus class environment:
- If a student in the health sciences mistakenly posts a client's protected health information on an online course site, they will have likely violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, enforced by the US Office for Civil Rights.
- If a student in a business or communication course presents a case study that relates negative attributes of their place of employment (especially when they have indicated where they work on a statement of introduction or a posted bio), the information cannot be contained in the same manner as if presented in an oral presentation in an on-campus classroom with no electronic recording.
- If a student posts an online discussion entry with errors in spelling, grammar, or insensitive word usage, the content can easily become accessible to an audience beyond the instructor or university.
Content posted in a university course website can enjoy a life-long shelf-live, especially when text or photos fall out of the control of the student and instructor.How might an online instructor engage in risk management to avoid content based privacy violations?
- Construct assignments that do not rely upon a student's need to reveal authentic, confidential content that can easily be associated with persons or organizations.
- Discuss how, as with any web site, there could be unimagined privacy and security issues related to a course web site that are beyond everyone's best efforts and control, and that students should therefore exercise wise judgment concerning electronically based content.
2. Manage and Disclose "Guest" Access
As a marketing strategy, some universities allow unidentified "guests" to access various parts of a course website, without logging in. Instructors should be alerted to this possibility, especially when the course system's default settings allow for the presence of guests. Guests whose presence is unbeknownst to faculty and students should never be allowed to view students' posted profiles, discussion board entries, assignment submissions, or grades.
In some departments, personnel who are not assigned to teach an online course are nonetheless granted access, ostensibly to monitor the quality of the instruction and/or to assist with technical aspects of the course. This might include departmental supervisors, administrators, graduate student assistants, and information and computing staff. They may periodically receive statistics concerning the activity of the instructor and students, and the performance of the website. This practice begs the following questions: Is there a site usage audit process in place? What level of access are these individuals afforded (e.g., discussion boards? grade book? posted student assignments?) Are these personnel formally trained in principles of confidentiality and security? What needs precipitate such visits? Will instructors and students be proactively informed of such classroom visits, and if not, why not?
Even when these individuals visibly appear on the course roster, their presence may not be realized by students or their busy instructors who do not regularly monitor the user list. Therefore, if guests are allowed to visit a course, the class should be informed of that possibility via an "Informed Privacy Statement." It is not sufficient to assume that students or instructors might view the online class participant list. And, even if they do, observers can be added and subtracted any time of day or night, unbeknownst to both students and faculty.
An ethical operating principle is that the presence of attendees in the online classroom should be as transparent as in an on-campus, physical classroom. No one in an online classroom should wear a "cloak of invisibility." However, if such is permitted, this should be revealed in the course's "Informed Privacy Statement." Ethical academic communicators disclose the information needed by students to make fully informed decisions about their behavior in the online classroom.
3. Post an "Informed Privacy Statement"
Online course websites routinely post policy statements that relate to copyright obligations, web based accessibility, access to disability services, and even course continuity plans in the event of disruptions. We recommend that universities also include an "Informed Privacy Statement" on each of their online course websites. The legal and ethical issues are sufficiently complex to rely upon a multidisciplinary team (with representation from faculty; administration; computing/information services; legal counsel; privacy experts, etc.) to draft and periodically revise such policies.
The "Informed Policy Statement" might include the following elements:
- An "as required by law statement," similar to that offered by Khan Academy:" Khan Academy may also disclose User information if required to do so by law or in the good-faith belief that such action is necessary to comply with state and federal laws (such as U.S. Copyright law) or respond to a court order, judicial or other government subpoena..."
- A description of the disposition of course content at the conclusion of the semester.
- The course's guest policy, including conditions for such access, and whether their presence will be revealed to students.
- Whether and how a privacy and security breach will be revealed to faculty/students, including what will be done to remedy the breach and prevent a future occurrence.
- Links to the privacy policies of third parties that relate to the website or to whom the students are required to relate (e.g., course management system; textbook vendors that host test questions and ancillary materials, etc.)
- Whether a risk assessment has been performed to determine how private and secure the course site is, (including log in information, password protection, levels of encryption for certain material, the transmittal of information over the Internet, firewalls, antivirus software, authenticity of the site, whether the site has ever been impersonated, the role of the employees of the course site and their background in privacy and security of confidential information, and how long a student's personal profile information will be retained and how it will be used, etc.).
Faculty and students are increasingly obligated to use online course websites. Alerting users to potential privacy vulnerabilities allows all concerned to make informed choices concerning the nature of their participation. This includes the content they choose to post, and performance characteristics such as date, time, and duration of their participation.