“University administrations are outsourcing more and more of their IT services to American cloud giants”, reads the letter, signed by eighteen full professors and one associate professor. This is an ill-advised strategy in the long term, they believe. Cursor asked Tanja Lange, professor of Mathematics & Computer Science who also signed the letter, for a response, but she did not feel the need to elaborate further because it is already too late for TU/e.
Students should have a safe learning environment in which they are able to make mistakes, the signatories argue. “It should be impossible for privacy-sensitive student data to be misused for other purposes.”
If this information is stored in an American cloud, data security can’t be guaranteed. A ‘cloud’ is a server that holds your data and allows you to access it online. This means that the data in question is no longer on your own computer, which can crash or be hacked, but stored ‘safely’ in the cloud.
Companies could misuse students and staff’s data for commercial purposes, the signatories argue, citing the Cambridge Analytica scandal. This company analysed the privacy-sensitive data of millions of people to advance Donald Trump’s 2016 presidential campaign.
Besides commercial parties, the US government could also gain access to the email traffic and data of students and staff at Dutch universities, the professors say. “We are giving the Facebooks, Googles, Amazons and Microsofts of this world the power to not only manage our data as they see fit, but also to act as a kind of border police for that data.”
The cyber experts believe that it would be better if such services remained in Dutch hands, for instance at SURF, the Netherlands’ IT organisation for education and research. Martin de Vries, Chief Information Security Officer at TU/e says he is familiar with the letter from the professors and the call they made. “The interests are known and recognized. There is a good connection with the scientists involved from TU/e, and these topics are also discussed with them. Furthermore, this letter is being discussed at SURF and the chairman of SURF will talk to the initiator(s) of the letter.”
De Vries: “Of course, TU/e does a lot to ensure that we always follow the applicable conditions (through cloud strategy, purchasing conditions, etc.). A possible solution (or solutions) is complex and not immediately available. Many parties will be involved in the solution(s) and it will also require political support at both a national and European level. With regard to cyber security and privacy, TU/e takes a risk-based approach and we will continue to do so with every step we take.”
The open letter is certainly not the first criticism of privacy issues in higher education IT. Last year, internet pioneer Marleen Stikker urged students and staff to demand secure IT environments. “It’s okay to be a difficult customer as a student or teacher”, she opined.
IT organisation SURF is currently revising its privacy terms for certain education software offered by Google. The Data Protection Authority has been looking into the matter as well and believes that the Minister of Education should get involved.
The problem has also been noted by the rectors of Dutch universities, who published a joint letter in de Volkskrant last year, signalling their intention to address digital vulnerabilities. But the cyber security experts say the topic has since fallen off the radar again.
“When you’re dealing with Big Tech, remember: you can check in any time you like, but you can never leave”, the experts write, in a nod to ‘Hotel California’ by The Eagles. In this song, the narrator succumbs to temptation and finds himself trapped forever.