Remote learning has become the norm ever since the COVID-19 lockdowns started. It has changed the learning experience for students making it mandatory for them to use a multitude of software applications to transfer knowledge and ensure their learning experience is not disrupted. This jump to remote learning, however, came with little concern for potential privacy, security, and safety violations. Students from younger age groups and lecturers from older age groups are very vulnerable to cyberattacks.
 
JOSA received multiple reports of security and privacy violations against local students. The violations were caused either by educational institutions that wanted to monitor student behaviour, or by the software applications (themselves mandated by the institutions), many of which have security vulnerabilities which the attackers took advantage of. We want to highlight these violations and offer recommendations for universities and schools to make better choices when it comes to preserving the safety and privacy of students during remote learning.
 

Turning on microphones or cameras without consent

Zoom, like other similar tools, allows the lecturer to unmute or open the camera of any participant in the call without notifying them. It’s considered that “The meeting Host can control [with this feature] the Participant's audio, video and screen sharing options“. This feature poses an ethical problem, the lectures have the ability to violate their students’ privacy during lectures or exams. Such features should never be offered in online tools.
 
This is a privacy issue that lecturers and software providers are both overlooking. Zoom reacted to these reports by providing the participants with a notification when their microphone or camera is about to be turned on by the moderator. Nevertheless, we have received reports from students that they were not being notified or that they are being forced by lecturers to turn on their microphone or camera. It’s important to note that students often turn off their cameras because they have poor Internet and simply want to be able to hear the lecturer more clearly.


“Zoombombing”: spamming lectures by internet trolls

“Zoombombing” or “Zoom raiding” is an undesired intrusion by internet trolls or hackers into a video conference call. In a Zoombombing incident, a teleconferencing session is disrupted by inserted material that is obscene in nature, typically resulting in the shutdown of the session. This is linked to security issues in the conferencing software. Hence, universities should do their research before mandating the use of a certain software in online learning. We received multiple reports of these incidents, some of which were harmful to students and lecturers alike. 

Student emails leaked

After using certain video conferencing tools, many students mention that they started receiving a huge amount of spam mail, advertisements and phishing attacks. This could be caused by leaking the email addresses of those participating in the call in order to exploit or even sell them. JOSA has conducted a further investigation of these leaks, and we found that they are linked to security issues in the conferencing platform used by lecturers and students.

Monitoring student web traffic

Some universities have been taking unethical measures to monitor cheating during exams. This is done by injecting scripts in exam pages and into the university’s learning management system (e.g. the open source LMS Moodle), the script then collects Web traffic on the student’s devices and identifies how often they are leaving the exam pages. This monitoring happens without the student’s consent, let alone their knowledge.
 
According to reports, students were asked to make sure that JavaScript is running on their laptops before being able to join their final exams. Hearing the claim that the exam won’t work without JavaScript, some were sufficiently dubious to investigate the matter. They concluded that using Moodle didn’t actually require Javascript. Following multiple calls and a social media outcry, the university admitted that they were only monitoring the “active time” spent on the exam page. While we don’t undermine the importance of countering cheating, any measures involved should be done with the students’ full knowledge and consent.

Tracking student social media usage

In a similar attempt to counter cheating, some universities started tracking students’ social media usage. Tracking is carried out during exams to platforms such as WhatsApp and Facebook. If it’s found out a student was online during an exam, the student will be questioned by a committee where they have to prove they were not cheating. Although some of this is public information, it is highly unethical to track a students’ presence on social media to learn their behaviour during exams. Universities have access to students' mobile numbers for emergency use only, there is no call for violating the students’ privacy under any other circumstances.


Recommendations

Since such issues have already been encountered and other unexpected issues may show up, here are some possible counter measures to alleviate the possible privacy breaches and educational disruption.

Privacy policy for universities: There should be a unified privacy policy that restricts universities use of students’ personal data, dictates how they should process this data, and where they can store it after they process it. Collecting any data from a student device should only be done with the consent of the student. Students must know exactly what data is being collected and how it will be used.

Safety training: Students and teachers alike should receive digital safety training to learn how to protect their online presence. This includes learning what platform or technology they should use. JOSA has already conducted training for 140 teachers in June of 2020, and is happy to start training more teachers as well as students.

Software recommendations: It is the university’s responsibility to protect the students safety and privacy online by providing a secure and convenient video conferencing as well as learning management tools. Many open source tools are available. Universities can deploy such tools on private dedicated servers to ensure the security and safety of their students’ data and identity. Said tools also protect students from cyberattacks and their information from theft to a high degree.
 
Suitable options for video conferencing include Jitsi. Jitsi is a set of open-source projects that allows universities to easily build and deploy secure video conferencing solutions and it can be hosted on a private server. At the heart of Jitsi are Jitsi Videobridge and Jitsi Meet, which are great to hold private conferences over the internet. Along with many more open source tools. This could be the first step of protecting the privacy and safety of students while remote learning.