Volume 10, Issue 12
The Sydney Morning Herald recently published an article by Henrietta Cook titled “University Students, you are being watched”. Upon further discussion with some of my friends and discovering a general lack of understanding, I thought I should take the time to lay out the privacy framework of the University of Melbourne (or lack thereof).
Among other points, Ms. Cook states that “at the University of Melbourne, Wi-Fi routers track students as they move through the campus”. This is nothing new. Big-data has been disrupting industries for the last two decades at exponential rates. It’s no secret that the Australian education sector has shifted to a more corporatized model, so employing big data analytics should be no surprise. Having worked in data analytics myself, I can tell you that from a profit perspective, utilizing this information is invaluable. But from a personal privacy perspective, you might feel a little violated once you understand the scope of information the university collects. There has been much debate and legislation on this topic in the EU, but other countries are slow to regulate. Cook wrote that Australia is at the forefront of learning analytics,* which I have no doubt is true but largely attributable to the archaic laws which allow collection of such mass amounts of personal data.
Next time you’re sitting in a class and your professor has their version of the LMS on the projector, take note of the “tracking: enabled” noted on each module.** “There's no point pretending you've read your online readings” says Cook, and she’s right. I wasn’t surprised when the Law School scrapped printed materials in my Remedies class and replaced it with online readings via the LMS. When I tried blocking my browser cookies and using a VPN*** to access the readings in order to block the university from tracking my computer activity, the LMS locked me out until I granted the permissions necessary to collect my data. Similarly, it would be pretty easy to track class attendance based on wifi connectivity.
Next time you make a joke about how much you’ve been procrastinating, just remember that the university most likely has a statistic on your procrastination. This is a drop in the sea of statistics that could be generated from such mass-data collection. From a business perspective, the university could run this information against academic performance and demographics. It would be relatively short work to determine model characteristics of students to accept for the following year.
Who has access to this data of ours? Where is it stored? How is it protected? The answers to all of these questions are ambiguously laid out on the university website and can be summarized in one sentence: “we comply with the relevant legislation”.
When you’re using university wifi, the university can collect any piece of data your computer sends and receives unless it’s an encrypted (HTTPS) connection. The extent of what they do collect is unknown.
For an international student such as myself, by law, I need overseas health coverage. And by policy, that account needs to be connected to my student email. This gives the university access to my health information through that previously mentioned google third-party privacy notice. But this practice goes far beyond what I have mentioned, and I cannot possibly summarize the collection and possible uses in such a short article; so I suggest doing some research.
The university sits squarely within the law (obviously) when it collects this information. The practice is not unique and I have no qualms with their methods. My worry is simply making sure that students, as consumers, are aware of their online presence being digitally cemented in the servers of the University.
It’s Monday morning and you arrive in the library. The second you sit down, your laptop and phone connect to university wifi. Yesterday you signed a contract for a new apartment and you’re excited, so you spend some time looking over design ideas on Pinterest and Youtube. Then you decide you want an update on the US election so you spend some time browsing US news sites. The university collects this information and the pages you browse and associates them with the unique username and password used to login to the wifi.
You open your email to send your parents an update on life. In the email you tell them all about the new apartment and how you’ve been working hard and classes are beginning to stress you out. The university system collects this email and using a method called ‘parsing’, it picks out relevant pieces of data from the email.
The computers then match up the fact that you were online for most of the morning browsing pages unrelated to university, and compare that to the email where you say you’re ‘working hard’. A statistic on work ethic is generated; it says you’re lazy. Because people who think they’re working hard but in fact not working at all are lazy. The university runs that statistic against your academic performance.
Remember those political news sites you visited? The computer ranks them in order of extremism and generates a figure on your likely political leanings. Perhaps you’ve sent a job application with your resume over email in the past? The computer picks apart that document and attributes your work experience as another piece of data associated with your unique ID.
Many more pieces of data are collected, stored, and generated from your online activity. And eventually you start to be grouped into categories based on academic performance, work ethic, demographics, political influences, health, financial capacity, work experience, and the list goes on. Of course, this is a simplistic example and in reality these figures are generated over a series of approximately 200 days in the year you attend university multiplied by the amount of years you’re enrolled. And this is all matched and compared against the hundreds of thousands of other students the university is collecting the same data on.
Three years down the road someone is able to penetrate the servers and release all of this information (government organizations have been penetrated, so I don’t think this is far fetched). You lose out on a job interview because of that statistic that says you’re lazy. But in reality you have a high IQ and never needed to study much, and you still achieved decent grades. But it’s 2019 and computers are infinitely smarter than humans so why wouldn’t the employer believe it? Do you want this to be the first time you become aware the university has all of this data about you?
Would you have legal recourse if this happened? Of course. But wouldn’t you rather avoid it altogether? Wouldn’t you rather be the only one in control of the information concerning you?
At this point, you may think I sound like a conspiracy theorist. So let me explain the technology with everyday examples you probably use.
The example I’ve given above is simply a combination of this technology.
The extent of information collected and used by the university is not published. But I would take an educated guess that what I’ve just discussed is not only possible, but probable; and even if it’s only in the early stages of development, it’s a step towards a surveillance state.
Of course, there are positive examples of this technology. Wifi tracking enables the university to quickly determine the group of people present in a particular area if an assault ever took place on campus. But my point is, there is not enough awareness of the technical ability, both in university and life in general, of the un-privacy frameworks we are subject to.
For an alternative framework, see: the right to be forgotten.
I can’t wait to take legal ethics next year.
*This is the practice of taking large amounts of data and synthesizing it into a practicable format to gain insights on performance which allows you to help improve your business model.
**This is the link you click to download/read something. Ie. The University keeps track of whether you’ve read or downloaded what you were supposed to.
*** VPN = virtual private network. This pretty much allows you to be stealth.
Mitch Clarke is a second-year JD student
Development since this article was submitted for print: On Monday October 17th, we were prompted to log in for 2017 course enrolment. Included below is the enrolment declaration you are unilaterally induced into signing to participate in your course. Below this, is the 2016 declaration which the 2015 declaration mimics. You’ll notice that the length of the agreement has more than doubled to include the legal coverage necessary to engage in all of the activity I’ve discussed in the above article.
The rest of this issue(!):