Student data, privacy and informed consent

demanding privacy from surveillance capitalists or lobbying for an end to commercial surveillance on the Internet is like asking Henry Ford to make each Model T by hand. It’s like asking a giraffe to shorten its neck or a cow to give up chewing. Such demands are existential threats that violate the basic mechanisms of the entity’s survival. How can we expect companies whose economic existence depends upon behavioral surplus to cease capturing behavioral data voluntarily? – Shoshana Zuboff

In yet another iteration of my ‘Changing Our Default Settings’ presentation from last year, I presented a webinar for English Australia at the beginning of February. This post is based on that webinar. It’s quite possible that I’m pushing my limited grasp of the issues way too far – I’d appreciate any feedback!

My last post was basically a first draft of the webinar. After some feedback from Damien Herlihy, however, I decided to focus more specifically on ‘Big Data’ and privacy within the Australian English language teaching (ELT) context.

As with that fetishism/commodity chain post, I started the webinar with the same Foucault quote:

My point is not that everything is bad but that everything is dangerous. – Michel Foucault, 1983

I then asked: How does this relate to technology in education? Focusing on internet-connected technologies in particular, they can be ‘good’. I’m blogging right now, obviously. I also use Twitter frequently, on several different devices.

There are also dangers. For example, I might tweet something that gets me fired. In the case of Twitter, though, I see a benefit for me personally, I’m aware of at least some of the dangers and I make a decision for myself to use the service. For the sake of argument at least, we could see this as an example of informed consent.

In reality, the notion of ‘informed consent’ when it comes to using internet-connected services such as Twitter is not quite so simple. The complexity only increases when we bring students – regardless of their age – into the picture.

In a devastating critique of the ‘familiar pair’ of anonymity and informed consent as responses to privacy concerns, Solon Barocas and Helen Nissenbaum (2014) argue that there are “virtually intractable challenges to both” (p. 45).

Informed consent is believed to be an effective means of respecting individuals as autonomous decision makers with rights of self-determination, including rights to make choices, take or avoid risks, express preferences, and, perhaps most importantly, resist exploitation…Thus, where anonymity is unachievable or simply does not make sense [a whole other can of worms!], informed consent often is the mechanism sought out by conscientious collectors and users of personal information. (pp. 56-57)

However, as I hope to illustrate with this post, informed consent “does not solve ethical problems relating to privacy in a big data age” (p. 51).

Informed consent in Australian ELT

A key piece of the legislative framework governing the provision of education services to overseas students is the ‘National Code’.

To what extent does the National Code emphasise the need to obtain ‘informed consent’ from students about the educational services they are signing up for? By my reading, there is a strong emphasis on ‘informed consent’ in several of the Standards in the National Code. Standard 2, for example, states that, before enrolling students in a course, schools must provide students with “current and accurate information regarding”, among other things, “details of any arrangements with another registered provider, person or business to provide the course or part of the course”.

I think students could also reasonably expect to receive ‘current and accurate information’ regarding practices which result in personal information/data being collected – in other words, a meaningful privacy policy. Indeed, the ESOS Act (of which the National Code is a ‘legislative instrument’) refers to the Australian Privacy Principles (APPs). The Privacy Act 1988 also refers to the APPs and states that an “APP entity [i.e. an organisation or small business operator, such as (I assume) a private ELT school] must not do an act, or engage in a practice, that breaches an Australian Privacy Principle.”

APP 1 relates to “open and transparent management of personal information” and aims “to ensure that APP entities manage personal information in an open and transparent way.” How compliant are our schools with this principle? Think of the practices of the administrative, marketing and academic staff.

In case it wasn’t already obvious, I’m not any sort of an expert on privacy, but, going by several privacy policies that I’ve looked at on the websites of several prominent Australian ELT providers, I think we’d be entitled to feel confident that our colleges are complying quite conscientiously with APP 1.

However, it seems to me that either APP 1 is being breached in spirit or the APPs are inadequate or both. Technological capability has leaped way ahead of policies, standards, expectations, understandings and legislation to the extent that they may have become – for the time being at least – irrelevant.

Third parties, and fourth and fifth and…

Part of the problem is that the ESOS Act protects students in a situation involving up to three parties: the student themselves, the education provider and an education agent. It’s bad enough already that the nature of the relationship between two of those parties – the provider and the agent – is not transparent to the student (i.e. re. sales commissions); for all the good intentions of the ESOS Act, most likely students are already not in possession of all relevant information when choosing a provider.

However, what are the implications if there are actually additional parties to the transaction? Should students be informed in advance that the college pays a fee to TurnItIn ostensibly for a service which actually exploits the student? What happens if the involvement of these additional parties and the collection of student data by them is not disclosed? Would this be in keeping with the APPs?

What happens if the providers, despite the utmost sincerity in meeting their legal and ethical obligations, aren’t even aware of the involvement of these additional parties? What happens if, in any of these scenarios, the additional parties are profiting from the student data they receive? What happens if those parties are then also sharing the data with even more parties? The number of parties involved could conceivably multiply quite quickly.

Making informed consent irrelevant

With such scenarios in mind, I’d like to present three cases in which I think informed consent – in terms of opting into/out of particular technologies – becomes meaningless.

  1. TurnItIn: We make the decision for students. They don’t opt in and they aren’t realistically able to opt out. In fact, they are told that they cannot complete the course successfully unless they submit their work to TurnItIn. Worse, it may not even have occurred to the school’s teachers and staff that there are very valid reasons for someone to opt out.
  2. Facebook: We haven’t made the decision for our students but there may still be factors (e.g. inadvertent pressure from peers or staff) we’re not aware of which subtly coerce the students into using the technology regardless. At one college I’m familiar with, staff actually direct students to log in to their Facebook accounts or set one up and ‘like’ the school’s page on the spot while the staff member stands over them.
  3. Third party trackers: Timothy Libert has said that this practice is “analogous to the tracking bracelets ornithologists place on migratory birds, even if users visit unrelated sites, tracking cookies have rendered them tagged and traceable.” Staff and teachers may not even be aware that these are present on websites that students are directed to, including the provider’s own website. If not, they certainly can’t expect students to be informed or give consent.

What to do about TurnItIn?

This is a tricky one. As a minimum, I’d tell colleagues and students to maintain a strict DBYOD (Don’t Bring Your Own Device) policy: it should only be used on devices provided by the college to minimise the data that could be collected about users.

Beyond that, it’s likely to be an uphill battle against people who argue that ‘plagiarism checking’ software is our only defence against the legions of dishonest students we’re now facing. In the past, students have tried to opt out of it (see the bottom half of the Wikipedia entry) and providers have dumped it.

We in ELT need to at least enter the field by vigorously questioning the ethics and efficacy of it. Perhaps from there we could move on to conscientious objection or working with organisations like CISA?

What to do about Facebook?

If we’re dealing with adult students, perhaps we could just encourage them to read the Terms of Service and Data Policy. The idea that students could inform themselves in this way and decide for themselves is what Jonathan Obar refers to as ‘data privacy self-management’ and is, in his view, a ‘fallacy’ and an ‘unattainable ideal’. When I looked at them last month, they comprised 6200 words in total – would we even expect teachers to make much sense of them, let alone our students?

I wouldn’t encourage it myself, but if students want to get onto Facebook of their own volition in their own time, it’s up to them. Educators should steer very clear of anything that could be coercive, including a school Facebook page or a class Facebook group.

What to do about third party trackers?

By fiddling around with extensions and code in our web browsers, we can keep some of these out. We could teach our students how to do this in the name of ‘digital literacies’ but it’s somewhat complicated and not likely to be even a short-term solution: predictably, the technology is always developing and we’re left playing catch-up.

Advice from the Office of the Australian Information Commissioner

I emailed the Office of the Australian Information Commissioner (which, incidentally, the current Federal Government has tried to scrap) last month for advice on the scenarios described above. I asked:

  1. How do the APPs or any other relevant legislative instruments relate to the practices I’ve described above? In other words, could the provider be said to have breached any of the APPs?
  2. What advice could you give to providers in terms of their legal obligations and also best practice in relation to these practices?
  3. What advice could you give to students or staff who wished to ‘conscientiously object’ to such practices and opt out?

An Enquiries Officer replied yesterday with the following:

Question 1

The Australian Privacy Principles (the APPs) contained in the Privacy Act 1988 (Cth) (the Act) are technology neutral and do not specifically address the use of online services such as TurnItIn or the other services mentioned in your email, by organisations. The Act also does not specifically address issues surrounding cookies and trackers.

Furthermore it is not clear if any one of the APPs is specifically relevant in the circumstances described in your email. This is because the APPs regulate information which an organisation handles. In the circumstances you describe, the education providers are not specifically handling the personal information, rather it appears the individual is dealing with the online services directly, even though they are doing so at the direction of the education providers.

Question 2

As best practice, the education providers’ privacy statements (APP 1) and collection statements (APP 5) should address the handling of students’ personal information by the online services.

Question 3

The Act does not protect individuals from unfavourable consequences if they refuse to follow the processes established by the educational providers. This means that the Act does not specifically give individuals the right to ‘conscientiously object’ or opt out of an organisation’s processes.

What I conclude from this is that privacy policies can be both compliant and inadequate and that we need to assume more direct responsibility for these issues. We should take careful note of the ‘Question 2’ response, though: the OAIC considers it best practice to inform students about the ‘handling of their personal information by the online services’ (which actually begs a further question: what constitutes ‘personal information’?). We can start by informing ourselves.

Fortunately, there is a very simple (though not necessarily easy) response to companies who make informed consent irrelevant: we make them irrelevant by having nothing to do with them. Don’t require or encourage the use of their services at your college.

Go DBYOD. If students are expected to use TurnItIn or other internet services as part of a course, schools should ensure there are devices available.

Update, 4/3/16: I added the ‘We should take careful note of…’ sentence and the one immediately following it. I also corrected a couple of typos.

Update, 6/3/16: I added the Shoshana Zuboff quote.
