Welcome to the (Cloud) classroom

The 'power' of the cloud provider

A major concern of Privacy First is the often vague and extensive terms of use imposed by these commercial "cloud giants". The complex legal language and lack of transparency make it difficult for educational institutions and their users to fully understand how their data is used, stored and shared. Also, cloud providers often set their own terms and conditions and data collection-based revenue models are present. This while educational institutions are responsible for processing the personal data of their employees and students. It is therefore questionable whether educational institutions can adequately monitor this. Collaborations in the education sector put them in a better position to impose requirements, such as SIVON and SURF who last year worked with Google sat around the table to discuss certain privacy risks. Nevertheless, educational institutions should remain keen on using such cloud providers, and implementing measures to mitigate the risks (e.g. the technical manual for Google Workspace for Education).

Vendor lock-in

Moreover, the reliance on large cloud providers brings the risk of vendor lock-in with it. Schools and universities, once enmeshed in the web of a specific provider, find it difficult to switch because of technical limitations and high costs. This lack of choice strengthens the position of cloud providers and can affect public values in education such as equity (including inclusivity and transparency), humanity (including social safety) and autonomy (including self-determination, privacy and the professional autonomy of teachers, researchers and institutions).[1] In particular, because these cloud providers are far from just providing the infrastructure, they are increasingly determining the content as well as the nature of education. This is because the vast majority of schools work with large cloud providers and publishers adapt their teaching materials to the needs of these cloud providers.

Furthermore, this is also evidenced by educational institutions bearing the 'Google Reference School' label. An example is all the WSKO schools. "With Google skills for kids, we developed a self-directed training programme with YouTube tutorials that allows them to learn to use Google Drive, Docs, Presentations, Classroom and the search engine at their own pace.", states their website. There are several dozen Google Reference Schools in the Netherlands, both primary and secondary schools. This is worrying because it puts public values, public money and public knowledge in the hands of large commercial parties. This is also highlighted in a recent article by the Green Amsterdammer, which also notes that this is how children are very subtly raised to become Google consumers, via public-paid education. Privacy First therefore supports the petition of the Coalition Fair Digital Education (CEDO), in which they request an alternative design of digital learning environments that safeguard public values and autonomy for the individual.

Profiling

Another major concern about these cloud providers is data collection and analysis. Not only are educational data collected, but also, for example, data on who emails with whom, as educational institutions also use large cloud providers for, for example, mail, online video calls and surveillance. Based on this data, detailed profiles of students and employees of educational institutions can be drawn up. Given the volume of documents and lack of transparency of large cloud providers, it is often not possible for individuals to be aware of the extent of their collected data and what profile is linked to it. This can result in incorrect profiling, which can lead to discrimination, unfair treatment or incorrect assumptions and decisions, among others. Users may also be driven in a certain direction based on their data profile, other than their own preference. This affects a person's personal freedom of choice.

Privacy in education is an important area of focus for Privacy First in the coming years. We therefore believe that the price of convenience from large cloud providers should not be the invasion of privacy. Especially since education also processes data of minors who are especially vulnerable.

[1] Rathenau Institute, Towards high-quality digital education, Figure 1: Values framework for the education sector. See: Towards high-quality digital education (rathenau.co.uk)