We live in an outsourced culture. Cost-conscious organizations everywhere are shedding functions such as email, calendars, visitor scheduling, invoicing, and sometimes entire HR operations to third parties in order to focus on their core competencies.
Higher ed is no exception. Despite huge tuition hikes, universities are still under pressure to cut costs in order to expand their offerings. This, coupled with universities' perennial inability to offer salaries competitive enough to lure competent IT staff away from industry jobs, has meant that the typical university has come to rely increasingly on third parties for IT infrastructure. Email (specifically, Gmail and Outlook), classroom management (Blackboard and Piazza), and student organizations (OrgSync) are some of the most commonly outsourced services.
In this short post, I want to underscore that this trend is incredibly dangerous, for it undermines one of the principal functions of a university. Outsourcing makes sense when it hands an unwanted, commoditized function that confers no competitive advantage to a specialized provider who can operate just that function at scale. It fails when doing so compromises the values of an institution.
This post was triggered by OrgSync, a service that is used by hundreds of universities to keep track of student organizations. As far as I can tell, every major university uses OrgSync to keep track of the members of campus clubs and organizations. Email poses an even worse vulnerability, but I'll leave that aside for now, as there are specific laws targeted at protecting email. I'll also leave classroom management (Blackboard) alone, because FERPA accords some protection to the privacy of student grades (though not to the content of their written essays).
Organizational memberships betray an amazing amount of information about the interests and views of a large number of individuals. These organizations include political groups, religious organizations, cultural organizations, support groups for people with specific ailments and conditions, and groups centered around sexual interests. In short, they relate to different aspects of a growing person's most precious possession: their identity. We have seen time and time again that this information can be, and frequently is, used for discrimination, prosecution and retribution.
It's true that the current political climate in the US is somewhat accepting, but this was not always so, nor is it guaranteed to remain this way in this country. Further, approximately 15 to 20% of the students at top-ranked universities come from overseas, where political climates differ. Anyone who lived through the initial HIV scare can tell you that something as benign as membership in an "HIV Support Group" would have been, at least, a career ender, and can, even now, lead to charges punishable by death in certain jurisdictions. More prosaically, students with an interest in political science should not be relegated to bland, boring lives in which, for fear of later public scrutiny, the furthest they dare explore is the halls of Young Republicans and Campus Democrats meetings.
Entrusting data on campus organizations to third parties, in my view, represents an abdication of a university's responsibility to safeguard crucial information about its primary constituents. In a post-Snowden world, where we know that just about every nation state has hacker teams compiling dossiers at an unprecedented scale, universities need to allow their students to engage in campus organizations without fear that their participation will become public knowledge. They should be able to hold office in a university organization without fearing that doing so will hound them to their grave.
Oddly, many of the people currently making these decisions to outsource these activities lived through the student movement of the 1960s, in which campus organizations played a crucial role in putting an end to an unpopular war and supporting civil rights. It ought to be anathema to any individual from that era to hand over student organization records to a nationwide registry, where this information can be quietly subpoenaed by law enforcement or exfiltrated by hackers. The crucial protections offered by any good university to its students go out the window when the university's data is in the hands of unknown custodians, easily compromised or corrupted without oversight. From a legal perspective, centralized databases bring jurisdictional issues: the data governance policies of the university may have to be cast aside because the data is now warehoused in a datacenter in a different state, with different laws, evidentiary standards, and reporting standards.
It does not bode well that OrgSync's privacy policy devotes precisely two sentences to the section titled "How Secure Is Information About Me?". Worse, those sentences only mention the security of data in transmission; they do not touch upon the security of data at rest, even though data spends approximately 99.99999% of its lifetime at rest.
So far, I have focused on how a nationwide database of student organizations poses a single, centralized point of vulnerability: it can be used by law enforcement to collect data, and it can be exploited by hackers to collect data on an entire generation, wholesale, at once. What I have not touched upon, though it remains a big threat, is corporate access to valuable marketing data. OrgSync's privacy policy, for example, explicitly mentions that user data is among the valuable assets that will be disclosed in the event of a merger or acquisition.
Sure, the alternative does not necessarily mean that our students will be any more secure: for instance, I have no faith that Cornell's current CIO can implement an online service that is actually secure against anyone but the most unsophisticated hackers. But there are two arguments for why getting rid of centralized, outsourced services would improve the current state of the world: (1) it eliminates a single, central, global database and consequently replaces a single point of vulnerability with a decentralized constellation of smaller databases, and (2) it restores a university's autonomy and control over its own students' data, so that we at least get a handle on the set of people we can hold accountable for any data breaches.
As it stands, the IT infrastructure at universities is perilously insecure. Data not protected by FERPA is accorded no respect and scant protection; we have no handle on law enforcement requests to collect this data; and even progressive universities that have otherwise historically provided strong privacy guarantees for their students have unfortunately relinquished control over crucial data to realize cost savings.
It's time to reverse this trend. The first step is to refuse to accept this push towards centralized services, where critical data from around the world is pooled at a handful of locations, can be accessed trivially by law enforcement, and forms a juicy bounty for the data-collection arm of surveillance operations. An alternative to centralized, online services is to push for locally hosted solutions where universities remain in control of their own data. This enables universities to exercise their own policies for data custodianship. They can then determine the extent of, and the process for, cooperating with law enforcement. And most crucially, they can remain in control of data archival and retention, guaranteeing that data that is not needed is incontrovertibly destroyed.
Communities whose purpose is to provide room for individuals to grow need to provide mechanisms by which those individuals can experiment with holding unconventional views, without fear that it will follow them for a lifetime. Creating such an environment, and fighting the corporate and state surveillance machine's constant push to compile information, ought to be a fundamental part of the value proposition offered by educational institutions.