For most post-secondary students this fall, electronic devices won’t be connecting to campus Wi-Fi. Instead, they will be connecting from home as classes move to digital delivery because of the COVID-19 pandemic.
And that comes with some new risks.
From virtual lectures and online exam proctoring, to digital thesis defences, students are vulnerable to cybersecurity threats while doing their academic work at home, or exclusively on personal devices.
With all the talk about washing hands, students need to also think about how to practise good cyber hygiene using encryption, VPNs, software updates and password management.
“Inviting tech companies into the classroom without thinking about risks and corresponding mitigation strategies is problematic and needs to be treated extremely sensitively,” said Privacy International, a U.K.-based non-profit, in a statement this spring. It called recent digital privacy risks a “COVID-19 power grab.”
The organization also criticized Google's possible data collection following its decision to offer three months of free internet access at 100,000 locations in California, and to give out thousands of Chromebooks to students.
While tech giants donating their own hardware is a clearer data security weakness to spot, the issue becomes more complex when students are ordered by their colleges or universities to download software as part of their coursework.
“If educational institutions are going to suggest that they have proctored exams online, anything that allows you to take over somebody else's machine is often a really significant security risk,” said Bradley Limpert, a lawyer and director of the Privacy and Cybersecurity Law LLM program at Osgoode Hall Law School. Software that takes over a device can expose the user to spyware, malware or data exfiltration that can compromise health and personal information, or academic research and intellectual property in a competitive field.
“The good news is that the chances of any particular student being a worthwhile target are relatively low because that's a very fragmented target,” Limpert said. “An attacker … would have to go after each individual.”
The risk might be low but it happened to Dennis Johnson, a doctoral student from Long Beach, Calif., as he was defending his thesis on Zoom this spring, according to the CBC. An attacker displayed pornographic images and racist slurs on his screen as Johnson was presenting his dissertation on the plight of African Americans in California’s education system, he told the outlet in April.
Video-teleconferencing platform Zoom made headlines in the early weeks of the global pandemic due to security and privacy issues, prompting New York’s Department of Education to ban its use as a digital classroom.
Hijacking control of Zoom calls, also called “Zoom-bombing,” led the FBI's Boston division to issue a statement in March about reported incidents such as the use of violent or pornographic imagery to disrupt calls.
The pandemic era is creating an apparent gold mine for cyber spies, according to an April report co-authored by researchers Bill Marczak and John Scott-Railton, based at The Citizen Lab research centre at the University of Toronto. The researchers found vulnerabilities with Zoom’s encryption and “waiting room” feature, which they raised with the company.
Reportable incidents of privacy breaches saw an uptick of three to five times in April compared to March, and that rate has held steady since, said Imran Ahmad, a Toronto lawyer and partner at Blake, Cassels & Graydon LLP, in a June podcast with Canadian Security Magazine.
“Hackers are trying to take advantage of the IT networks’ inherent vulnerabilities when people are working remotely,” Ahmad said.
Another Canadian law firm, Osler, Hoskin & Harcourt LLP, also saw more information requests about the privacy obligations of organizations during the pandemic. “To comply with obligations under Canadian privacy statutes, and contractual and other legal confidentiality obligations, it remains critical for organizations to consider the physical, technical and administrative controls necessary to appropriately protect their data assets,” members of the firm wrote in a March article.
They recommend security strategies such as additional training for employees, assisting with the installation of anti-malware or anti-virus protections, and securing virtual private networks, or VPNs, with two-factor authentication.
"Universities tend to be quite careful about doing intrusion detection, and putting up fairly sophisticated access controls," Limpert said, as a result of university servers being under constant attack. "The universities don't advertise that, but that's just a fact."
But the lack of a fortress of on-campus cyber-security, or the offline school experience, will usher in new data risks for students.
“More often, a student's personal or individual or home device is much more likely to be compromised from a data security point of view,” he said.
Vjosa Isai / Local Journalism Initiative / Canada's National Observer