Web 2.0 nightmare, part 2: personal data

I’m not sure how many of our friends to the south are aware of this, but using web services hosted in the United States is deemed to be a threat to the rights of Canadian students.

Indeed, a public institution such as the one I work for is expected to take ‘rigorous measures’ to “mitigate against illegal and surreptitious access” of students’ private data. What that means has been left open to interpretation, but apparently a student’s email address can constitute private data, and the effect has been a common perception that telling students to set up accounts on Flickr or WordPress.com represents a potential breach of the law. In the absence of a clear sense of what can and cannot be done, our old friends Fear, Uncertainty and Doubt become the default policy drivers.

I haven’t heard the groovy President-elect say anything about revoking the PATRIOT Act (then again, I don’t have cable TV, maybe he said it on Larry King), so I’m not expecting change I can or cannot believe in.

As someone who would like to see higher education tapping more of the fine online applications available outside the academy, and who intuitively favours a platform-agnostic, let-the-students-decide approach to tool selection, the personal privacy issue has been something of a showstopper. I can’t tell you how many times I have known of some free, popular online service that could meet a specific need quickly and easily, only to be shot down by the question “is it hosted in Canada?”

I’m kind of surprised some company hasn’t set up some sort of subscription-based proxy or hosting service for US-based apps to protect private data. The higher education market in Canada alone would be substantial. (As usual, the librarians have moved ahead on this, for example by setting up Canadian-based hosting for RefWorks.)

So I have this naive idea that wider adoption of OpenID might alleviate this problem. Not every service accepts OpenID, but lots of good ones do. I don’t know whether we should look into becoming OpenID providers ourselves, but at the very least, perhaps we can back a trusted Canadian-based OpenID provider so student data stays in the Great White North.

I’ve asked around, and am not sure whether I should be pushing this or not. Scott, while assuring me this wasn’t an idiotic idea, also cautioned me that this would not necessarily be easy to do… Then, as he often does, he said a bunch of smart stuff I didn’t really understand.

Then I run into the problem of explaining how OpenID works to the people I would need to support such a plan. To address this particular challenge, I was grateful to come across OpenID Explained, a very nifty tutorial – now, can I get people to look at it…

If I haven’t made my fuzziness clear, rest assured I would be grateful for feedback on any of the above.

12 thoughts on “Web 2.0 nightmare, part 2: personal data”

  1. It’s unclear how OpenID mitigates this problem. I certainly think OpenID can provide a level of convenience for what you’re talking about, but until we’re able to push data/activities TO OpenID providers, the data will still be stored on services wherever it’s most convenient, expedient or cheapest for them.

    Perhaps you can elaborate how OpenID would change things?

  2. Thanks for your question, I should have been clearer. As I understand it, the core objection to using US-based services is not the actual work the students might be doing (such as the text on a Wikispaces page), but the information required for a registration (the email address is the most commonly cited example).

    Presumably, there might be content created that might be sensitive, which would be another issue. But would an OpenID be a sort of mask of the identity? (I don’t know.)

  3. As Brian mentioned, the issue is the storage of personally identifiable information on US servers. The content can be stored in the US so long as it cannot be correlated to an individual. I’ve been working with iParadigms to re-work their Turnitin integration to be privacy conscious – it’s no easy task. I will soon be bald.

    Some institutions would prefer that no identifiable information leave the campus walls regardless of hosting in Canada or the US. Given that this is the age of Web 2.0, web services, SOA, etc. – I don’t see this as being impossible. The challenge is convincing content/tool/service providers that this is a valid issue worthy of resources. Namely, what do they stand to gain by making privacy changes – furthermore, how to maintain functionality and address the privacy concerns.

    I suppose OpenID could be used to some extent as a proxy to obscure an individual’s identity?

  4. We had our lawyers deal with this last year. Their solution? Get students to sign off an informed consent form. As long as we got signed consent from students, we were okay. So now faculty who wish to use US hosted solutions need to get their students to sign this horrible, legal document outlining the risks. It does tend to generate a lot of needless FUD and, as a result, many faculty pass on hosted solutions.

    There are workarounds (fake email accounts, a single account for all students in a class, etc), depending on circumstance. Some services (like PBwiki) will even generate anonymous accounts for students, so providers are aware that educators have issue with getting students to give up personal information. But workarounds kinda go against the whole open and transparent spirit.

    I wish I understood the OpenID concept a bit more, but I can’t help but think that since OpenID has the potential to be an even more identifiable mark than an email address, legislation on how we get students to use their OpenID (should it ever come to this point) might be even more restrictive than how we get them to use their email address. Which is more valuable in terms of protecting someone’s privacy – an email address or their OpenID?

  5. Don’t those same Canadian education shelters issue students with user names and email addresses? Couldn’t a Canadian teacher encourage her students to use “fake” emails and avatar names, similar (but instead of) the shelter giving them fake emails and avatar student numbers?

    That way the shelter (and teacher) would be playing a protective role. The next challenge is how to protect IP addresses… not a problem inside the shelter’s network… but the student’s home is a bit harder.
