e-Literate

What We Are Learning About Online Learning...Online

OER Funding: Ask the Right Questions

Sat, 04/02/2012 - 5:05pm

David Wiley writes:

You have to admit that some of the things the publishers are working on are both cooler and better than almost everything that currently exists in the OER space. Can you name a single OER project that does assessment at all (and I don’t mean PDFs of quizzes)? Can you name one that does diagnostic assessment or handles mastery in any meaningful way? We’ve narrowed the entire field of OER down to CMU OLI, Khan Academy, and possibly Thrun’s new stuff. Now, can you think of one of these three that openly licenses their assessments and the engines they run them on? No.

Open education currently has no response to the coming wave of diagnostic, adaptive products coming from the publishers. To the best of my knowledge there is no one really working on next gen OER – OER that are interactive, simulative, really rich with multimedia AND combined with OAR that drive diagnosis, remediation, and adaptation. There’s certainly no one funding next gen OER. And believe me – if it took $100M to get the field to where it currently stands in terms of relatively static openly licensed content, it will take at least that much investment again over the next decade for the field to do something truly next gen.

Because this stuff costs so much to do, if no one steps up to the funding plate the entire field is at serious risk. Much has been written about 2012 being “the year of OER.” Let’s hope it’s not the year OER peaks. We need brains, energy, and funding on the next gen OER/OAR problem NOW. [Emphasis added.]

I have long argued that for-profit companies are neither the mortal enemies nor the white knights of education. In this particular case, given the heavy lift involved in funding this sort of effort relative to the resources available in the academic and philanthropic communities—and David is in a position to know—I think it is important to think about for-profit entities in roles that are potentially cooperative with rather than in opposition to OERs. We should be asking the following questions:

  • What sort of commercial ventures could prosper in an ecosystem where quality educational resources are abundant and free rather than scarce and expensive?
  • Specifically, what sorts of ventures could make money ethically by adding real value in the context of abundant and free educational resources?
  • What are the barriers preventing those ventures (either existing or yet-to-be-formed) from helping to create such an ecosystem?
  • Who are the right people and what are the right institutions to forge the relationships that could foster such an ecosystem?

Categories: OER Blogs

When It Comes to Content, Say “Yes” to Wrappers But “No” to Containers

Sat, 04/02/2012 - 3:32pm

Scott Leslie has a good post up ruminating on the moving target of open textbooks, which reminded me that I have long intended to write a follow-up to an exchange that he, I, and Rob Abel had in the comments section of a post I wrote a while back. Scott lamented that the Washington State Board for Community and Technical Colleges was releasing its open course content in IMS Common Cartridge format, which seemed to him not so easily accessible or universally usable as one might like. I wrote in response,

Fundamentally, I don’t believe in cartridges. I don’t believe in forking a copy of a digital resource and stuffing it into another system. It’s bad for a variety of reasons, including but not limited to the implementation challenges that Scott ran into with Moodle (although it’s fair to say that some LMSs handle CC import better than others). Common Cartridge made more sense 5 or 10 years ago, but it’s late to the game and is ultimately destined to be eclipsed by in-place APIs, including but not limited to IMS LTI. (By the way, I’m not so sure it’s such a good idea to let Google own our integration API either.)

Unsurprisingly, Rob Abel, as CEO of the IMS, took issue:

If there is agreement that CC helps with the issue of content in an LMS then, well in your scenario the content is inside the publisher “LMS” (or equivalent).

Can I tailor it? Can I put things in there – like a syllabus – and get it out? If I’m the student and I create something in there can I get it out? Can I mix and match with other publisher materials? Can I archive that mixing for next term? Can I share what I did with my faculty peers who might want to learn from it? Can I create assessments in there and then use them somewhere else or just put them somewhere so that I can use them in the future?

Common Cartridge – or something like it – helps solve those issues. Fits right into the topic of openness. But, most importantly, in the digital education age we need to make digital education easy for the faculty and the students. Otherwise there won’t be a digital education age.

Perhaps a mixture of OER and publisher proprietary stuff might be a solution. IMHO, some stuff needs to be tailored, remixed, moved in, and moved out. Doesn’t matter whether it’s a publisher platform or an LMS. Faculty want their stuff. Students want their stuff. Publishers need to help them, not thwart them.

I said that the binary choice Rob was offering up wasn’t the right one and promised to elaborate in a future post. Here, at last, is that response.

Let me start by reviewing an argument that I have made here before, which is that there should only ever be one copy of a learning resource except under very limited and specific circumstances. In this era of iframes, you can embed content pretty much wherever you want. By keeping the single canonical copy at one URL and surfacing it where it is needed (as opposed to copying it), you both maintain access to the most updated version from the authoritative source and preserve the ability to do in-depth usage and learning analytics. Who is using this content to learn what in which contexts? If you have a thousand copies of the same resource floating around, you can’t effectively aggregate this data (especially if you don’t know whether or how the content has been altered in those copies). There are only two circumstances under which it makes sense to make a second copy of a web-based learning resource: (1) you want to cache it locally for access in offline or bandwidth-constrained environments, or (2) you deliberately intend to fork the content and create a new version of it. And the first case should be addressed as a caching problem rather than a copying problem.

We have a number of formats today that are designed to take web-based resources and organize them for a particular type of consumption. Common Cartridge is one such format. It provides the content wrapped in metadata so the LMS knows where to put it. EPUB and the .ibooks derivative are other examples; they pull together disparate web-native resources into a book-like sequence and user experience. That’s fine. I have no problem with it. My problem is when those resources are copied and stored locally for no good reason. If you want to use one of these formats as a metadata wrapper to surface the remotely stored content within a context and user experience that makes it most useful, then yay. Use iframes or some similar technology and wrap them in the metadata you need. But don’t make local copies of the resources unless you have good reason to do so.

I would argue that efforts like the one by Washington State Board for Community and Technical Colleges should make the OER content available in canonical copies on their servers as plain old web pages and then provide cartridges that include pointers to those copies. Since one of the values of OERs is being able to remix, then maybe Common Cartridge should be extended to include an option to pull down the remote resource for local editing, constrained by the particular machine-readable license of that remote content. (I actually have an idea that would allow remixing but still maintain the “chain of custody” to the original resource for the purpose of learning analytics, but that’s another post for another time.) But the decision to download should be a deliberate one, not a default one, and all resources should be available on the naked web and not locked up by default in some metadata container that you have to crack open if you want access to the content.
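The wrapper-versus-container distinction above can be made mechanical. The following is an added illustration, not code from this post, from the Washington State project, or from IMS: it audits a constructed, simplified manifest whose element and attribute names (`resource`, `href`, `canonical`, `sha256`) are assumptions chosen for the example and are not the real IMS Common Cartridge schema. Resources whose `href` is a remote URL are treated as pointers and turned into iframe embeds of the canonical copy; resources bundled inside the package are treated as copies and, where the wrapper recorded a hash of the canonical version, checked to see whether the copy still matches it. That second check is exactly the information that is lost when a thousand unmarked copies float around.

```python
"""Audit a simplified content manifest for pointers vs. local copies.

Added example for illustration only. The manifest below is a constructed
stand-in loosely inspired by the idea of a cartridge; it is NOT the IMS
Common Cartridge imsmanifest.xml schema, and every element/attribute name
here is an assumption made for this example.
"""
import hashlib
import html
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample manifest: two resources surfaced by pointer to the
# canonical URL, two bundled copies (one intact, one edited after copying).
SAMPLE_MANIFEST = """<?xml version="1.0"?>
<manifest>
  <resource id="r1" title="Ch. 1 Reading"
            href="https://oer.example.edu/chem101/ch1.html"/>
  <resource id="r2" title="Ch. 2 Reading"
            href="https://oer.example.edu/chem101/ch2.html"/>
  <resource id="r3" title="Ch. 3 Reading (offline copy)"
            href="content/ch3.html"
            canonical="https://oer.example.edu/chem101/ch3.html"
            sha256="{h3}"/>
  <resource id="r4" title="Ch. 4 Reading (offline copy)"
            href="content/ch4.html"
            canonical="https://oer.example.edu/chem101/ch4.html"
            sha256="{h4}"/>
</manifest>
"""

# Constructed stand-ins for the files that would travel inside the package.
BUNDLED_FILES: Dict[str, bytes] = {
    "content/ch3.html": b"<h1>Chapter 3</h1><p>Canonical text.</p>",
    "content/ch4.html": b"<h1>Chapter 4</h1><p>Locally edited text.</p>",
}
# What the canonical server served when the hash was recorded (constructed).
CANONICAL_CH4 = b"<h1>Chapter 4</h1><p>Canonical text.</p>"


@dataclass
class Finding:
    id: str
    kind: str    # "pointer" (remote href) or "copy" (bundled file)
    status: str  # "ok", "altered" (hash mismatch) or "unverifiable"
    embed: str   # iframe snippet for pointers, empty for copies


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def embed_snippet(url: str, title: str) -> str:
    """Surface the single canonical copy in place rather than duplicating it."""
    return (f'<iframe src="{html.escape(url, quote=True)}" '
            f'title="{html.escape(title, quote=True)}"></iframe>')


def audit(manifest_xml: str, bundled: Dict[str, bytes]) -> List[Finding]:
    """Classify each resource and verify bundled copies against recorded hashes."""
    findings: List[Finding] = []
    for res in ET.fromstring(manifest_xml).iter("resource"):
        rid = res.get("id", "")
        href = res.get("href", "")
        title = res.get("title", rid)
        if href.startswith(("http://", "https://")):
            findings.append(Finding(rid, "pointer", "ok", embed_snippet(href, title)))
            continue
        expected = res.get("sha256")
        data = bundled.get(href)
        if expected is None or data is None:
            status = "unverifiable"   # no hash recorded, or file missing
        elif sha256_hex(data) == expected:
            status = "ok"             # copy still matches the canonical version
        else:
            status = "altered"        # copy diverged; provenance is now unclear
        findings.append(Finding(rid, "copy", status, ""))
    return findings


def build_sample_manifest() -> str:
    """Fill the constructed manifest with hashes of the canonical content."""
    return SAMPLE_MANIFEST.format(
        h3=sha256_hex(BUNDLED_FILES["content/ch3.html"]),
        h4=sha256_hex(CANONICAL_CH4),
    )


if __name__ == "__main__":
    for f in audit(build_sample_manifest(), BUNDLED_FILES):
        print(f.id, f.kind, f.status, f.embed)
```

Run stand-alone, the script reports r1 and r2 as pointers with their embed snippets, r3 as an intact copy and r4 as an altered copy. The point of the hash column is that a wrapper carrying only pointers needs no such bookkeeping; it is the moment content is copied into a container that provenance has to be tracked explicitly.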

Categories: OER Blogs

Farewell to the Enterprise LMS, Greetings to the Learning Platform

Fri, 03/02/2012 - 9:13am

Along with others, I have written several times over the past 12 months here, here, here and here about the significant changes occurring in the educational LMS market. In my opinion, when we look back on market changes, 2011 will stand out as the year when the LMS market passed the point of no return and changed forever. What we are now seeing are some real signs of what the future market will look like, and the actual definition of the market is changing. We are going from an enterprise LMS market to a learning platform market.

What I mean by ‘enterprise LMS’ is the legacy model of the LMS as a smaller, academically-facing version of the ERP. This model was based on monolithic, full-featured software systems that could be hosted on-site or by a managed hosting provider. A ‘learning platform’, by contrast, does not contain all the features in itself and is based on cloud computing – multi-tenant, software as a service (SaaS).

The 2011 EDUCAUSE event captured the zeitgeist of the changes, as it seemed most of the buzz at the conference centered on new LMS solutions and paradigm changes. Instructure made their debut at the conference, Pearson’s OpenClass was announced, Blackboard announced a new move in open content focused on CourseSites, and Cengage demonstrated their MindTap platform. Rather than slowing since EDUCAUSE, we have seen several additional announcements in the past three months.

  • CourseKit was released as a free learning platform targeted at faculty adoption.
  • Apple’s iTunesU app was announced alongside the iBooks / Author textbook offering, extending iTunesU as an iPad-based learning platform.
  • Facebook made a move within its higher education roots, starting a pilot program with Groups for Universities.

In my post from last summer, I characterized the changes we were starting to see, but with all of the recent changes, I think it would be useful to extend the first two trends mentioned.

The question is, what will the LMS market that is emerging from these changes look like?  No one can know for sure what will happen over the next 3 – 5 years, but I do think there are some key trends that are worth understanding.

  • The market is more competitive, with more options, than it has been for years. Instructure is a real player that has shown that it can win against established LMS vendors with big wins in Utah and at Auburn. LoudCloud has new clients at CEC, Grand Canyon U and an unreported win at a public state university. BrainHoney won at BYU. Pearson LearningStudio has major wins at Arizona State and Columbia online programs. Desire2Learn has roughly doubled in size in the past year. Moodle and Sakai, including through providers such as MoodleRooms and rSmart and Unicon, continue their impressive wins in the market.
    In terms of market competitiveness, we are seeing even more offerings than mentioned in August, including a new class of “free”. Pearson’s OpenClass, Blackboard’s CourseSites, CourseKit, Apple’s iTunesU app, and Facebook’s Groups all join NIXTY as free learning platforms. We have not had the time to see the market share changes based on these new offerings, but if nothing else, there are even more choices now.
  • Related to the above, there is a trend towards software as a service (SaaS) models for new LMS solutions. The SaaS model offers some compelling advantages in terms of deployment time and ability to mine and report transactional data that might not be possible with other approaches. SaaS is not a panacea, but this is a growing trend in the LMS market.

The trend towards SaaS could perhaps more accurately be described as the default model now for new offerings. In the LMS market from just short of two years ago, the default model was the enterprise LMS. The only exception was Pearson’s LearningStudio (the artist formerly known as eCollege.com). Today, every single new offering mentioned above is SaaS-based. Apple’s iTunesU app is a mobile app, but the content is served from a behind-the-scenes SaaS platform.

Perhaps more significantly, there has not been a new enterprise LMS created since around 2004. Yes, each legacy LMS provider has major new releases available, but the one exception you could argue for is Sakai 3, which is arguably a new LMS and not just an upgrade from Sakai 2. Other than this exception, every new LMS solution to enter the market in the past two years has been based on a learning platform. I doubt we will see any more enterprise LMS solutions created, given the cost-benefits of creating SaaS offerings.

Another trend that is becoming apparent is that many of the new offerings are not attempting to fully replace the legacy LMS, at least all at once. Rather than competing with all of the possible features that are typical in enterprise LMS solutions, the new platforms appear to target specific institutional problems and offer only the features needed. Perhaps inspired by Apple’s success in offering elegant solutions at the expense of offering all the features, or perhaps inspired by Clayton Christensen’s disruptive innovation model, the new learning platform providers are perfectly willing to say ‘no – we just don’t offer this feature or that feature’.

My colleague Jim Ritchey has written about the changes that SaaS models are starting to have in the higher education ERP market, put in context of the Datatel+SGHE merger. His key point:

Therefore the challenge for the vendors is how to get the ERP, with its slow development and implementation cycles, to provide the solutions to the new needs of the institution.

In the LMS market, the new answer to this question – how to adapt and respond to new institutional needs – appears to be based on learning platforms.

Categories: OER Blogs

Instructure Makes Its Move into the K-12 Market

Wed, 01/02/2012 - 11:00am

The learning management system upstart Instructure is unveiling Canvas K-12 today, a version of its platform aimed — as the name suggests — at the K-12 level. The company says that it has already had over a dozen school districts adopt Canvas, even before this roll-out of a specially designed LMS.

Traditionally the LMS has been something implemented primarily by colleges and universities, but as more and more K-12 schools move to online learning and digital curriculum, there’s a growing demand at that level. It’s a hot market, and according to research published in December 2011 by Simba Information, “the LMS segment is expected to grow at a compound annual rate of 7.3%, reaching $377 million by the 2014-2015 school year.”

As such, it’s hardly surprising to see some of the big education companies make their move to offer schools these services. The acquisition of Edline by Blackboard last fall made it clear that the learning management giant was serious about its push into that market.

But as the Simba research suggests, it’s a market that’s still up for grabs. While Blackboard still holds a little over half of the higher ed LMS market, Blackboard, Pearson and Moodle altogether share only about 30% of the K-12 market.

That provides an interesting opportunity for Instructure, which officially launched its cloud-based LMS this time last year.

Its new K-12 offering includes several new features aimed at this level: it contains Common Core standards and objectives so that it’s easy to align assignments with them. There are also analytics for districts, schools, teachers and parents to be able to assess student progress. And that parent piece is particularly important as parents will have access to their child’s information, and just as importantly, have access to Instructure’s messaging system — so you can get an SMS when your child doesn’t turn in a homework assignment or an email with the week’s spelling list and so on.

Despite competition from some of the big LMS players, Instructure has made some inroads into higher education. Can it do the same at the K-12 level? When I spoke to CEO and founder Josh Coates yesterday, he noted that the company’s recent trip to FETC made them realize that a lot of K-12 teachers are fairly unfamiliar with the idea of what an LMS even is. (That’s something that should make us ask if an LMS is even necessary.) Of course, Instructure isn’t selling to teachers (although it does offer a free product that any teacher can adopt). It’s selling to districts.

But that the LMS is a new(ish) thing to the K-12 level might just work in Instructure’s favor, even if the startup remains a relative unknown. If schools choose to adopt an LMS because of their move online, then a Web-friendly, user-friendly, cloud-based tool (with easy Google Apps for Edu integration) might just fit the bill. That is, if the price is right, something that makes the future of that K-12 market — what with shrinking K-12 budgets and options for free and low-cost alternatives (“apps” not “systems”) — more than a little uncertain.

Categories: OER Blogs

Apple and Textbooks, Part 1: The War on Paper

Tue, 24/01/2012 - 5:22pm

Unsurprisingly, there has been a lot of good coverage of the Apple announcements already. I’m partial to Phil Hill’s pre- and post-announcement write-ups here at e-Literate as well as Audrey Watters’ analysis at Hack Education. Nevertheless, I do think there are a few more things that can be said about the announcement.

From a functional perspective, there really isn’t anything new about the e-textbooks that Apple is touting. Pretty much all of the functionality can be found in one, several, or even all of the entrants in the product category that I have occasionally referred to as “nextbooks,” e.g., Inkling, Kno, MIYO, DynamicBooks, and my own employer’s MindTap product. In fact, as I’ll go into in a later post, Apple’s entrants are missing some features that are critical to this product category. But the facts of the product announcement alone don’t tell the whole story. I don’t think you can really tease out the full impact without understanding the company’s commercial goals—particularly when the company is Apple, which has a history of moving markets in ways that other companies can only dream of. In the next couple of posts, I’m going to tease out what I believe Apple is trying to accomplish for itself, and then use that context to explore where their efforts are likely to have progressive effects on education and where there are gaps or problems.

Let’s start with Apple’s prime motivation. They want to kill paper.

In the oft-quoted passage from Walter Isaacson’s biography of Steve Jobs, it is clear that Jobs wanted to displace textbooks with digital content on an iPad:

“In fact Jobs had his sights set on textbooks as the next business he wanted to transform. He believed it was an $8 billion a year industry ripe for digital destruction. He was also struck by the fact that many schools, for security reasons, don’t have lockers, so kids have to lug a heavy backpack around. ‘The iPad would solve that,’ he said. His idea was to hire great textbook writers to create digital versions, and make them a feature of the iPad. In addition, he held meetings with the major publishers, such as Pearson Education, about partnering with Apple. ‘The process by which states certify textbooks is corrupt,’ he said. ‘But if we can make the textbooks free, and they come with the iPad, then they don’t have to be certified. The crappy economy at the state level will last for a decade, and we can give them an opportunity to circumvent that whole process and save money.’ “

Let’s be clear about what this vision does and does not encompass. This isn’t about radically changing the way our education system works. It isn’t about improving teaching and learning. Not directly, anyway. It’s about freeing children from the weight of the backpack and freeing teachers and schools from the prescriptions of state textbook selection boards. Above all, it’s about selling iPads. Apple wants every child to be required to have an iPad for school, and the way they will attempt to accomplish that is by making the iPad the source of all curricular content, displacing the paper textbook in the process.

But there’s a problem. Every couple of months, another study or article comes out saying students don’t like e-textbooks. If you read a couple of these pieces, you’ll quickly see there are two common themes: loss of functionality and cost. Students want to be able to do what they can do in their print books, such as highlighting and making margin notes. The e-textbooks the students in these studies are getting, by and large, are inferior copies of print. Think PDF. And, of course, the number one affordance that college kids miss about their physical textbook is the ability to resell it to recoup some of their costs. So if Apple wants to displace paper, it has to close the functionality gap, lower the price, and add some unique features that make the product attractive. They have certainly narrowed or closed the functionality gap and demonstrated some compelling digital-only features. (Cost is more complicated; I’ll get to that shortly.) But again, none of these features are new to digital textbooks. So what is Apple attempting to accomplish by weighing in this way?

Textbook publishers have a chicken-and-egg problem. While they are building out some “born digital” textbook replacement products, there’s a limit to the size of the bet they can make as long as they have to address the needs of students who don’t have the right device, i.e., a decent tablet. Right now, that’s most of them. As long as that is the case, publishers are going to be inclined to stay with their current (cumbersome) print-optimized production processes and try to add digital features as they can. The publishers don’t feel they have the clout to drive the transition to digital, so they are constrained by whatever the market mix is at the moment.

Apple is different. First of all, unlike the textbook publishers, they get zero revenues from analog print products and have no installed base of textbook users to support. They can drive hard toward tablets and it’s all upside for them. Second, Apple is a taste maker like no other technology company in human history. They can raise the profile of these innovations. They can drive demand. They can make digital textbooks cool.

Just stop for a second. Think about that.

Also, by releasing the authoring tools, Apple is trying to get around the whole print-first production apparatus at traditional publishers. They’re supplying a tool that makes it easy to create born-digital textbooks. And by releasing the tool for free, the implicit threat is that if the traditional publishers don’t come on board, others will.  Apple is attempting to accelerate the creation of these (relatively) higher-value eBooks by stimulating demand and lowering barriers to entry on the production side.

But even that is not enough. That is why I expect several announcements to follow this one.

What’s Next?

Apple hasn’t yet cracked the affordability problem with these textbook offerings. Remember, the pricing is for K12 books. Typically, those books will sell to schools for around $75 and will be used for about five years. Do the math. That’s $15/year, or roughly what these iTextbooks are being sold for on a per-student basis. Apple needs to make this more affordable. As a first step in that direction, I think we can count on an announcement of a significantly cheaper iPad some time between now and September. This strategy just doesn’t make sense at a $500 price point. But if Apple were able to get the price down to Kindle Fire territory, that would change the dynamic considerably. Since these books take heavy advantage of multimedia and really want a larger screen, I don’t expect Apple to save money by coming to market with a smaller screen. They are much more likely to take the same strategy that they have with the iPhone, i.e., drop the price substantially on the current model when the new one comes out.

Then there’s the challenge of administering all these iPads in a school environment. Remember, Apple is targeting K12 first. It’s not really clear whether Apple’s strategy is to get schools or parents to purchase the devices. If the former, then the company will have to release administrative software that lets schools find the iPads, control what’s been installed on them, monitor what students are doing on them, and so on.

But all of this still doesn’t get us to Steve Jobs’ original vision. Remember what he said:

‘The process by which states certify textbooks is corrupt,’ he said. ‘But if we can make the textbooks free, and they come with the iPad, then they don’t have to be certified. The crappy economy at the state level will last for a decade, and we can give them an opportunity to circumvent that whole process and save money.’

Let’s say that Apple is successful at creating a market and, in a few years, has a rich selection of textbooks in Bookstore that span the entire K12 curriculum. What’s their next move? Think Netflix. The school pays a flat subscription in order for the students to access whatever textbooks they need. If done right, it is possible that this structure could circumvent the textbook approval boards, since the schools are not specifically buying any particular textbooks. (I have a feeling that state boards won’t give up control so easily, but that’s another post for another day.) And Apple controls pricing.

There is no question that Apple wants to control the revenue stream from the textbooks in addition to selling the iPads. Much has been made of the fact that iBooks Author doesn’t quite publish to the EPUB standard and has a EULA that requires authors sell any products that were created with the tool through Apple and give Apple a cut of the revenues. They could have charged $5 or $10 for the tool and sold it straight up without the restrictions as part of iWork. But from Apple’s commercial perspective, this isn’t fundamentally about capturing the revenue from unleashing creativity for the creation of educational content. It’s about capturing the revenue stream from the consumption of educational content. That’s a very different business driver that will result in very different product development plans, both now and down the road.

Obviously, there’s a lot to unpack here regarding the implications for education. In my next post, I’ll write about how this approach shapes and limits the vision for what textbooks (or their digital replacements) can be.

Categories: OER Blogs

U.S. Copyright Infringement – U.S. Strikes in New Zealand

Tue, 24/01/2012 - 8:18am

On Friday January 20, two helicopters and “76 police staff, including armed offenders squad members” raided the home of Kim Dotcom north of Auckland, New Zealand. He was sought by the U.S. for copyright infringement and racketeering under an indictment from the U.S. District Court for the Eastern District of Virginia. Three associates were also arrested.

The issues of whether links to documents can be copyright infringement, what acts preclude DMCA safe harbor, and whether legitimate users can be barred from their files may be resolved as two legal teams—the U.S. Department of Justice and a yet-to-be-named legal team representing “the Mega Conspiracy” in the U.S.—clash in Virginia. These are issues that will affect colleges and universities because of the similarity between these sites and the way some students use the Internet.

Under the indictment the U.S. seized, without notice, “The following domain names: Megastuff.co; Megaworld.com; Megaclicks.co; Megastuff.info; Megaclicks.org; Megaworld.mobi; Megastuff.org; Megaclick.us; ageclick.com; HDmegaporn.com; Megavkdeo.com; Megaupload.com; Megaupload.org; Megarotic.com; Megaclick.com; Megavideo.com; Megavideoclips.com; Megaporn.com.” Kim Dotcom is associated with the website called Megaupload, based in Hong Kong. A Palo Alto Networks study found that 57% of the organizations in its sample use Megaupload.

The 72 page indictment describes the processes and pricing in detail to support its conspiracy argument. The indictment is available here.

The New Zealand police made clear “The men have not been charged by police in New Zealand and are being held in custody on the warrant issued by the U.S. Government.” This is similar to the U.S. request to extradite Richard O’Dwyer, a student at Sheffield Hallam University in the U.K., even though most believe that his website was legal under British law.

The New Zealand police completed their search on Saturday “seizing assets such as luxury cars and artwork, as well as computers and documents as evidence.” The New Zealand Herald reported that Detective Inspector Grant Wormald “confirmed that the team of four FBI staff working on the searches would also continue to do so ‘for the next few days.’”

This case again brings up two issues. What actions must a website take to identify and remediate materials infringing copyright? Mega argues it provided a “cyberlocker,” which is a private data storage provider. If there is infringing content, Mega would be unaware of it since uploaded files are not reviewed for copyright infringement (which for some users would be an invasion of privacy). This is similar to college and university websites that are unaware of all of the content stored by students and faculty. The U.S. argues a website should know if there is infringing content.

This also brings up the issue of whether links to copyrighted files are themselves copyright infringement as the U.S. argued in the U.K.

In an interview with CNET, Ira Rothken, an attorney [representing those arrested] well known in the tech sector for defending Web sites accused of copyright violations, said that his clients “are assembling a team of crack copyright, criminal and technology attorneys to defend them in courts across the globe.”

“There are significant issues of due process,” Rothken said early this morning. “The government has taken down one of the world’s largest storage providers and have done so without giving MegaUpload an opportunity to be heard in court.”

Mark Lemley, Davis S. Levine and David G. Post commented on due process in their article “Don’t Break the Internet” published in the Stanford Law Review.

The procedures [this month being implemented by the courts without the referenced SOPA and PIPA legislation] fail this fundamental constitutional test. Websites can be “completely removed from circulation”—rendered unreachable by, and invisible to, Internet users in the United States and abroad—immediately upon application by the government, without any reasonable opportunity for the owner or operator of the website in question to be heard or to present evidence on his or her own behalf.

Eric Goldman, University of Santa Clara Law School, commenting on Deckers v Liyanghua wrote:

Ex parte orders regarding foreign alleged infringers are out of control. Without sufficient regulation and without any adversarial pushback, rightsowners have learned that they can ask for ridiculous relief on an ex parte basis and get a judge to sign off on most or all of it. It’s clear that rightsowners are asking for way more than the law allows, but judges seem to acquiesce. The results are twofold:

1) the rightsowners are taking control over third-party domain names on an ex parte basis and with questionable notice given to the domain name registrants

2) worse (IMO), judges are issuing orders that purport to bind third-party non-litigants, such as domain name registrars, search engines and shopbots.

Although few stored their files on the Megaupload computers, seizing the domain names meant that users storing their work files there would not have access unless they knew how to reach their files without a URL. The FBI was silent on the issue.

Using “cyber lockers” to store personal files carries a risk for the unaware.

Subsequently TorrentFreak reported: “Filesonic, one of the Internet’s leading cyberlocker services, has taken some drastic measures following the Megaupload shutdown and arrests last week. … the site has disabled all sharing functionality, leaving users only with access to their own files.” The site is among the top 10 file-sharing sites on the Internet, with a quarter-billion page views a month.

These actions suggest that colleges and universities should consider making their faculty and students aware that a domain name can be seized without notice, eliminating links to the website’s content. It may be helpful to suggest that faculty and students store critical files on personal storage devices.

Although losing a domain name should be rare, copyright owners may disagree.

U.S. Copyright Infringement – U.S. Strikes in New Zealand, on e-Literate

Categories: OER Blogs

U.S. Claims Global Jurisdiction of .net and .com Web Sites: Is .edu Next?

Sat, 21/01/2012 - 1:43pm

On January 13, a UK magistrate ruled a 23-year-old student can be extradited to the United States for running a website posting links to pirated TV shows and films; this despite significant doubts over whether such sites break any UK laws. He has become the “guinea pig” of expansive U.S. justice.

About four years ago Richard O’Dwyer, a computing student at Sheffield Hallam University, began a website registered as TVSHACK.net. It “posted links to pirated material. It did not directly host any files, which meant, according to the student’s lawyers, that it acted as little more than a Google-type search engine and did not breach copyright.” The US Immigration and Customs Enforcement (ICE) seized the domain name in July 2010 and subsequently TVSHACK.cc in November. (A seizure must be challenged within ten business days, which is difficult for someone outside the U.S.)

The defence team pointed out that the only UK prosecution of a similar site, TV-Links, ended last year with the case being thrown out. [In Europe, copyright infringement requires that the copyrighted materials themselves be hosted on the website in question.] O’Dwyer has never been to the U.S. In his case, UK authorities did not attempt to prosecute for copyright infringement. The U.S. Department of Justice argues the U.S. has worldwide jurisdiction over all .com and .net domain registrations. Both registries are operated by Verisign under contract with the U.S. Department of Commerce’s National Telecommunications and Information Administration. Verisign is based in Virginia.

In July, ICE’s “assistant deputy director told the Guardian that ICE would now actively pursue websites similar to TVShack even if their only connection to the US was a website address ending in .com or .net.” Those familiar with the operation of the Internet know that traffic between two U.K. websites would not flow through the U.S. The domain names—TVShack.net for example—would yield only an Internet Protocol numeric address that determines routing of the message traffic.

In addition to arguing that registration of a domain name in the U.S. is sufficient to give jurisdiction, ICE also argued jurisdiction because the referenced materials had a U.S. copyright. Unlike the U.S. interpretation of the law, an index site—one that refers to rather than contains material—does not violate European law. In a similar case:

Judge Ticehurst gave his judgment, announcing that TV-Links had won their case. He ruled in detail for the first time in a Crown Court in relation to Section 17 of the European Commerce Directive 2000, stating that Section 17 indeed applied and afforded TV-Links a complete defense in criminal proceedings in England and Wales for their linking to other web sites. In a nutshell and to coin a familiar phrase, the site was deemed a mere conduit of information.

But on January 13, the UK district judge, Quentin Purdy, ruled that O’Dwyer should nonetheless face trial in the U.S. “There are said to be direct consequences of criminal activity by Richard O’Dwyer in the USA, albeit by him never leaving the north of England,” Purdy said. “Such a state of affairs does not demand a trial here if the competent UK authorities decline to act, and does, in my judgment, permit one in the USA.”

Now the extradition treaty itself has been criticized. The Daily Mail reported:

Former Liberal Democrat leader Sir Menzies Campbell yesterday attacked efforts by the U.S. to extradite a British computer student for trial.

The QC said the extradition treaty between Britain and America was “never intended” for people like Richard O’Dwyer, whose offences are not even a crime in this country.

Sir Menzies’ comments have extra weight because he is leading a review of the UK’s extradition arrangements on behalf of Liberal Democrat leader Nick Clegg.

The U.S. approach may have some unintended consequences:

  • Websites may re-register outside U.S. jurisdiction and practices, especially when, as in the UK, indexing sites are not illegal. There already are examples.
  • Websites that do provide copyrighted materials—BitTorrent sites are estimated to provide 50% of movies and music subject to copyright—will begin to encrypt these transmissions. Early this month Torrent Privacy was introduced. The software addition permits any BitTorrent site to encrypt its transmissions. The software uses the same encryption technology and level of security during transmission that is typical of websites handling financial transactions, including ordering goods.
  • There are now conflicts between U.S. law and the provisions of U.S. extradition treaties as practiced on one side and, taken collectively, the European Union directives on electronic commerce, copyright in the information society, enforcement of intellectual property rights, and processing of personal data and privacy in the electronic communications sector on the other.
  • The O’Dwyer case may be motivation for countries to review their free trade agreements and extradition treaties with the U.S. The protection of U.S. intellectual property has been a major provision of recent free trade agreements with Panama, Colombia, and Korea.

U.S. Internet domain registries have become an enforcement agent. In a December Intellectual Property Magazine interview Verisign’s Pat Kane said: “I think the registry operators will always have to live within the laws of the jurisdiction in which they operate in. … When it comes to content take down, the reality is that the registry operator doesn’t end up taking down the content. We basically remove a route that gets to that content, and if you want to have real effectiveness from a take down it really must go to the hosting company. For a lot of websites out there, there are multiple routes that go through multiple top-level domains.” He was careful to say that “we don’t identify [infringing] content and we don’t act upon content.”

Germany has taken a different path to protect intellectual property. Indexing is not a crime. The copyright holder first identifies a specific infringement, and then the copyright holder may seek a reasonable license fee. For the major U.S. studios this fee has been between 500 and 1000 Euros or US$650-1,300 (unlike the multi-million-dollar claims in the U.S.). The typical response has been to pay the license fee. This avoids the frequent intense enforcement and litigation found in the U.S.

Most U.S. colleges and universities have domain names registered with EDUCAUSE using .edu as their top-level domain. EDUCAUSE operates the education domain under an agreement with the U.S. Department of Commerce. On September 11 of this year it was extended through 2016. EDUCAUSE is subject to the same enforcement actions as Verisign.

Internet search providers and higher education are vulnerable to demands for enforcement. All of these websites have, intentionally or not, material subject to copyright. Faculty and students, intentionally or not, may post materials subject to copyright. A copyright holder can seek to “take down” a site that, under current U.S. practice, only points to a source. For example, a posted syllabus can point to copyrighted articles, books, movies, audio, and even, under U.S. law, blogs. Institutions need to have a way of removing content and links to external websites before court action seizes the domain name and deletes references to the site by U.S.-based search engines.

Categories: OER Blogs

Four Initial Answers from Apple’s Education Announcement

Thu, 19/01/2012 - 4:54pm

In a recent post I offered four key questions for the Apple Education Announcement held today (Jan 19th). Now that the event is over and the blogosphere is responding, I thought it would be useful to answer those four questions. Once I’ve had time to digest all the information coming out, I’ll post more of an analysis.

1. Regarding textbook content, will the model follow iTunes, iBooks, or Amazon’s Kindle Self-Publishing?

The answer to this question is that we have a new hybrid model that attempts to take elements from all three models mentioned in the question, at least for the K-12 market that was the focus of initial efforts.

  • Like iTunes, it places an affordable maximum price of $14.99.
  • Like iBooks, it allows the content creator to set its price (although within the $0.00 to $14.99 range).
  • Like Amazon’s Kindle Self-Publishing, it democratizes textbook creation and distribution, providing an attractive path that could avoid traditional textbook publishers.

UPDATE: From a new post at TheNextWeb, there is a very important paragraph that indicates the publisher partnerships are tenuous.

McGraw-Hill CEO Terry McGraw told Peter Kafka of All Things D that the $15 mark was ‘pilot pricing’, which would indicate that it hoped to raise the price at some point. Apple’s Eddy Cue had a completely different take on it, telling Kafka that “This isn’t pilot pricing, all of our books will be $14.99.”

2. Will iTunesU support OER content without artificial restrictions?

Although there are still some open questions, Apple appeared to sidestep the whole OER movement. However, the answer to this question is no – all content is targeted for the iPad, and iBooks does have digital rights management (DRM) applied to all content.

The caveat here is the new iTunesU app that could allow authors to embed free OER content. That is tied to the iPad device, but it avoids DRM restrictions.

3. Will the content consumption model be explicitly tied to the iPad?

A simple, understated answer here – YES, YES and YES. The iPad is the whole centerpiece of Apple’s updated education strategy. iBooks Author, iBooks, and the iTunesU app are all based on iPad consumption. iBooks Author runs on a Mac, but the output is only for the iPad.

4. Will Apple transform iTunesU to go beyond content distribution and expand the learning platform?

The clear answer here is yes. After a mere 6 years, Apple’s strategists have finally caught up to Michael Feldstein’s vision and made iTunesU (or at least the new iPad iTunesU app) a learning platform. Apple added a syllabus tool, note taking, assignments and other tools to “help teachers reinvent curriculum”. The caveat is that all students would need to be on the iPad.

Categories: OER Blogs

The Tide is Turning – SOPA May Not Make It Out of Committee

Mon, 16/01/2012 - 7:49am

Over the past few days, there have been three significant developments that indicate the tide is turning on SOPA (and the Senate version, PIPA). As I have written previously, SOPA poses a threat to open education and educational technology in general, while most educational publishers are actively supporting this legislation. At the end of 2011, SOPA appeared likely to pass, with strong bipartisan support for the legislation. Since that time, there has been a growing backlash, particularly from technology companies as well as online communities such as Reddit. This backlash is having a real effect, and as of this weekend, SOPA may not even make it out of the House Judiciary committee.

1. DNS Blocking – The first piece of news came out Friday that the DNS-blocking portions of the bill were being stripped. Experts viewed these provisions as increasing security risks to Internet addressing, and after initially bypassing those experts, the congressional sponsors seem to be listening.

“After consultation with industry groups across the country,” SOPA author Rep. Lamar Smith (R-TX) said in a statement released by his office, “I feel we should remove DNS-blocking from the Stop Online Piracy Act so that the [U.S. House Judiciary] Committee can further examine the issues surrounding this provision.”

2. House Leadership – The second piece of news came out early Saturday that the House Republican leadership has agreed to not allow SOPA to move to a floor debate until there is a real consensus. According to Rep. Darrell Issa, one of the leading opponents of SOPA:

“While I remain concerned about Senate action on the Protect IP Act, I am confident that flawed legislation will not be taken up by this House. Majority Leader Cantor has assured me that we will continue to work to address outstanding concerns and work to build consensus prior to any anti-piracy legislation coming before the House for a vote,” said Chairman Issa. “The voice of the Internet community has been heard. Much more education for Members of Congress about the workings of the Internet is essential if anti-piracy legislation is to be workable and achieve broad appeal.”

3. White House Position – The third piece of news also came out Saturday: President Obama has now taken a position on SOPA and PIPA, and he clearly opposes the legislation as written. In addition to opposing the DNS-blocking portions, the White House also took a position against the censorship aspects. In their response to online petitions, the White House stated:

Any effort to combat online piracy must guard against the risk of online censorship of lawful activity and must not inhibit innovation by our dynamic businesses large and small. Across the globe, the openness of the Internet is increasingly central to innovation in business, government, and society and it must be protected. To minimize this risk, new legislation must be narrowly targeted only at sites beyond the reach of current U.S. law, cover activity clearly prohibited under existing U.S. laws, and be effectively tailored, with strong due process and focused on criminal activity. Any provision covering Internet intermediaries such as online advertising networks, payment processors, or search engines must be transparent and designed to prevent overly broad private rights of action that could encourage unjustified litigation that could discourage startup businesses and innovative firms from growing.

This is good news for almost all of the education community, with the possible exception of the publishers who are backing SOPA*. While neither SOPA nor PIPA is dead, the news is much more encouraging today than it was even a week ago. Plus, there is some entertainment value in seeing President Obama and Rep. Issa agreeing with each other.

Human sacrifice, dogs and cats living together… mass hysteria!

- Dr. Peter Venkman

* Tim O’Reilly and his publishing company are a notable exception to the other educational publishers, as he has come out strongly against SOPA and PIPA.

Categories: OER Blogs

Four Key Questions for the Apple Education Announcement

Thu, 12/01/2012 - 4:38pm

There is growing buzz online about Apple’s planned media event on January 19th in New York City. Most speculation is focused on Apple distributing textbooks through iTunesU, as described in a New York Times blog. The basis for most speculation seems to be the short comments in the Walter Isaacson official biography of Steve Jobs. This information, along with some additional inside sources, has led the NYT blogger Nick Wingfield to suggest that textbooks might be offered for free. In a post on Mashable, Kate Freeman suggests a partnership with publishers such as Pearson Education.

The relevant section in the biography:

In fact Jobs had his sights set on textbooks as the next business he wanted to transform. He believed it was an $8 billion a year industry ripe for digital destruction. He was also struck by the fact that many schools, for security reasons, don’t have lockers, so kids have to lug a heavy backpack around. ‘The iPad would solve that,’ he said. His idea was to hire great textbook writers to create digital versions, and make them a feature of the iPad. In addition, he held meetings with the major publishers, such as Pearson Education, about partnering with Apple. ‘The process by which states certify textbooks is corrupt,’ he said. ‘But if we can make the textbooks free, and they come with the iPad, then they don’t have to be certified. The crappy economy at the state level will last for a decade, and we can give them an opportunity to circumvent that whole process and save money.’

I do not plan to speculate on what the announcement will entail. Rather, I’d like to highlight some key questions about their announcement that should determine how significant Apple’s move will be.

1. Regarding textbook content, will the model follow iTunes, iBooks, or Amazon’s Kindle Self-Publishing?

This question is crucial, since we are clearly seeing that the e-book world has some serious flaws. We have studies showing students only saving $1 on digital textbooks and other studies showing that the adoption of digital textbooks has hit a plateau (and yes, these two factors are intertwined). The existing textbook model, including pricing, has its limits. Audrey Watters had a post in December casting some real skepticism on how disruptive this move could be.

If the model is iTunes and how it changed the music industry, the announcement could be a game changer. Apple dictated the terms to music companies, getting them to support 99 cent songs – thus disaggregating the album to a ‘take what you want’ model, and making the pricing attractive to end users. Could Apple use its muscle to force publishers to change their pricing models? Inkling and a few others have already started to disaggregate the textbook, with $1.99 chapters available, but Apple could take this to a whole new level.

If the model is iBooks, where we now have e-books available for roughly the same price as the printed book, then this news will be a huge disappointment with little long-term impact. In this model, Apple allowed the book publishers to dictate the end user pricing. All this model would provide is a more attractive distribution platform across publishers. Amazon textbook rentals and Barnes&Noble college bookstores may suffer, but this will not be a game changer, in my opinion.

The most aggressive model is if Apple follows Amazon in their Kindle Self-Publishing program and cuts out the publisher middlemen altogether. Will Apple find (or has Apple found) academics and designers to create textbook content independent of the publishers? If so, Apple could even offer digital textbooks for free through the iPad. I would note that this aggressive model is closest to what Steve Jobs described in the biography. If Apple follows this model and has some way to scale it, then we could have a significant long-term impact.

2. Will iTunesU support OER content without artificial restrictions?

Open educational resources are of growing interest to the higher education community, and there is real potential for this OER content to change our models. It seems natural that Apple would include OER content within the iTunesU announcement, but will it do so without adding unnecessary digital rights management and other artificial restrictions? Currently iTunesU does not support DRM, so hopefully we get a good answer on this question. However, if they partner with publishers, I could see pressure to add some controls on OER.

3. Will the content consumption model be explicitly tied to the iPad?

Or, will any browser access allow consumption of content, as is currently true for iTunesU media? I could see a real argument that tying the content to the iPad would allow Apple to offer free textbooks in a scalable business model, but this connection would limit the disruption potential of the announcement. Additionally, tying the new content / features to the iPad would allow for a much richer implementation of digital content, as Inkling has shown. This will be an interesting part of the announcement – whether it is tied just to iTunesU or also to iPad.

4. Will Apple transform iTunesU to go beyond content distribution and expand the learning platform?

There are some key capabilities already in place with iTunesU that suggest this announcement might not just be about content distribution. Going back as far as 2006, Michael Feldstein observed:

If you’re a believer in all the Learning 2.0 stuff, then you should be studying Apple closely: Apple is all about “democratization of digital expression.” Really and truly, they get it. And the way they define a “learning environment” (as distinct from an LMS) is very expansive and progressive.

Subsequent observations by Michael from 2006:

If you supplement this capability [ed - content distribution] with a discussion board and maybe a shared calendar, then you’ve provided pretty much everything that the majority of web-enhanced classes use today. You’ve also greatly diminished the value of licensing a traditional LMS to cover the entire campus. This is precisely why Apple draws the distinction between a learning management system (which is narrow) and a learning environment (which is broad).

In other words, Apple has many elements of a learning environment already in place, and potentially the Jan 19th announcement could add more to this vision. Will they add some of these non-content-distribution features in a way that might challenge the LMS model in higher education?

Summary

I expect this announcement to be quite significant in the short term, in terms of media attention, debate in the blogosphere, and discussion amongst institutions. Whether or not there is a long-term impact and disruption on existing educational content and technology markets depends on the answers to the questions above.

Categories: OER Blogs

Analysis of Instructure Security Testing

Tue, 10/01/2012 - 6:13pm

Instructure has engaged Securus Global to test the Canvas LMS product for security vulnerabilities. Instructure also invited me to be an independent observer – participating in the process and independently reporting on the testing and Instructure’s response to any vulnerabilities identified. Part 1 of this series of posts described the concept. Part 2 gave a mid-term update, describing the process involved and initial results. Part 3 described the full results of the security assessment. In this final post on the experience I’d like to address two subjects – my own impressions of the testing, and a call for more LMS vendors to follow suit and make their security testing more transparent.

Results Themselves

As described in part 3, the risk assessment found 10 vulnerabilities – 1 critical, 1 high, 4 moderate and 4 low risk – in the Canvas LMS system. I do not have a basis to judge the relative number of vulnerabilities found compared to Instructure’s competitors, as there is not an industry-specific standard on the depth and extent of penetration testing, but by all appearances the Canvas LMS system is a well-designed, generally secure application. I base this judgment on two factors:

  • Instructure has been able to remediate 7 of the 10 vulnerabilities in less than a month and a half since the testing was completed. Additionally, the critical item was remediated within 24 hours and the high item was remediated within 2 weeks. The remaining 3 items include 2 moderate-risk vulnerabilities and 1 low-risk vulnerability. See part 3 for additional details.
  • In the report, Securus Global summarized the findings with the observation that “It is our impression that CANVAS is generally a secure application and that the issues found can quickly be remediated”, and that “None of these issues are associated with major application flaws that are difficult to remediate”. Indeed, this impression by Securus has largely been validated by the subsequent remediations.

I cannot state how these results for Canvas compare to competitive LMS solutions, as no other vendor has been this public with their testing results. It is worth noting that there was one critical and one high risk vulnerability found. Securus Global has stated that ~95% of systems going through penetration testing do end up with at least one critical item; however, this goes across industries into financial systems, etc.

When talking to Instructure staff, they appeared to be surprised by the existence of the critical item, given their history of internal security audits and automated testing. In other words, Securus Global found vulnerabilities that Instructure had been unable to find. As Josh Coates, CEO of Instructure, related to me, it is a classic engineering case that having another set of eyes look at your system will inevitably find issues that the developers may miss – if you are too close to the problem, you often can’t see the issue. This is especially true when the third party includes experts in their domain, such as full-time ethical hackers. Furthermore, by having the process done in public through an independent observer, Josh stated that Instructure somewhat cornered themselves – it would not look good to avoid fixing the important issues. While this is not to say that Instructure would not have addressed the issues in a private test, the public process ensured that Instructure put great emphasis on the follow-up to the testing results.

Due to this third-party security testing done in a public manner, the Canvas LMS is now more secure than it would have been without the testing.

Transparency in Security Testing – A Call for Other LMS Vendors

One aspect of this security testing that I would like to focus on is transparency of the process. Should we (the higher education and K-12 community) or should we not have more transparency in the security testing of the enterprise systems we rely upon to support the academic mission? This is not an easy question.

In my experience, system security has been too easily swept under the rug in the LMS world – at least within education markets. Most schools go through the motions of asking about security during Request for Proposal (RFP) processes, but by and large, they just ask generic questions which the vendors answer in the proposals and follow-up meetings. The net result is that it is up to the vendors to describe how thorough their security testing is. These descriptions are run through sales & marketing groups as part of the proposal process, and the end result is vague, non-verifiable answers.

A minority of schools go to the additional step of performing their own security audits, sometimes including their own penetration testing, which is commendable. This situation is superior to relying on RFP responses alone, but I see two main problems with this approach.

  • The testing is typically done by institutional IT staff and not by security professionals – hackers, in other words. As Instructure found out, real hackers can find vulnerabilities that most IT staff and engineers cannot find.
  • The testing results are not public, therefore only the institution in question benefits from the testing. The higher education LMS market does not benefit from security evaluations in the same way that it benefits from other parts of public evaluations – features & functions, and even pricing.

Neither choice is likely to produce real understanding of the security vulnerabilities of a particular LMS, yet these systems are mission-critical to the university, and they house some of our most sensitive data.

Argument For More Transparency

In my opinion, the LMS market (both higher education and K-12) would benefit from making security testing results more open. Consider what the LMS market knows about Instructure based on this public testing.

  • We know the number and risk-level of security vulnerabilities found by a qualified, independent security testing firm after 2 and a half weeks of penetration testing with access to source code.
  • We know the response times for Instructure to remediate 7 of the 10 identified vulnerabilities.
  • We have insight into the trade-offs that Instructure makes to determine whether and how to fix security issues.
  • Any institution has these results available to support their decision-making.

I would argue that this is more information than is available to the vast majority of institutions making LMS decisions using traditional methods of security inquiries. The market in general would benefit if other LMS vendors followed suit and agreed to 3rd party security assessments using an independent observer.

To be fair, other LMS vendors also use 3rd party security audits, but what is not known is the nature of those audits, what the results are, and what the response times are for the vendor to address the vulnerabilities found.

Argument Against More Transparency

There are risks, however, to this method of public security testing. Drazen Drazic, the managing director of Securus Global, indicated that in talking to people around the world through security-related social networks, no other companies have chosen to use an independent observer for this testing. This is not to argue that no one should do it, but clearly we are breaking new ground here and need to be cautious.

One downside of public security assessments is that the act of publicizing results can in fact increase the likelihood that vulnerabilities would be exploited by hackers. As one executive from a competitive LMS put it to me, we need to focus on security consistently and not as a once-a-year exercise. Any public exposure of vulnerabilities can increase the likelihood of hackers exploiting those vulnerabilities, so the trick is to not disclose specific pathways to exploitation. In our case, I described the category of vulnerability found, and I avoided disclosing any information on the critical and high-risk vulnerabilities until after they had been remediated. Still, this is a tricky area.

Two competitive LMS vendors have criticized these tests as a marketing ploy that could be dangerous. In their opinion, student and client data is best protected by keeping the testing process out of the public domain. I cannot speak for Instructure’s motivations regarding marketing, but I did want to share these criticisms.

Proposal

While there are valid arguments as to the risks of more transparent security testing, I believe the benefits outweigh the risks. The main change I would make to this type of testing is that I would separate the reporting from the testing by several months. I did find myself going back and forth on when to disclose the testing results, and a simple solution is to delay any reporting for 2-3 months after the tests are complete. I would also argue that no critical or high risk vulnerabilities should be described until after they have been remediated.

Regarding the criticism about using security testing as marketing, I do not see the problem. Yes, Instructure may use these results from a marketing perspective, but these are real testing results that shed real insight into their system. In my opinion, that is a type of marketing that adds value to the customers and market in general. In fact, it will likely put pressure on other LMS vendors to disclose more information to clients.

There are real arguments on both sides, however. What are your opinions? Here are a couple of questions that could be addressed in the comments.

  • Do you agree that most current RFP processes do not result in real insight into the security of systems and remediation practices under consideration? Are there examples that can be shared publicly?
  • Do you agree that the market would benefit from security testing with independent observers, or is it better to keep these results out of the public domain?
  • What alternate suggestions do you have to improve the level of institutional insight into system security and remediation practices, while not jeopardizing client data?



Analysis of Instructure Security Testing on e-Literate


(I Hope This Isn’t a) 2012 Predictions Post

Wed, 04/01/2012 - 4:22pm

Happy 2012. After writing a blog series outlining some of the major ed-tech trends of 2011 as well as a few obligatory posts with predictions for the new year, I figured I’d be off to the races, energized about my work as an education technology writer, excited for the potential for better teaching and learning opportunities facilitated by technology. But so far — and yes, I realize it’s only January 4 — it doesn’t feel like a terribly happy new year to me. There has been a string of ed-tech-related news stories over the last 4 days that have left me frustrated, if not depressed, about the year ahead.

1. CodeYear: A “learn to code” New Year’s resolution is a great idea. But as I’ve ranted on my own blog, I have some concerns over Codecademy, the startup behind the Code Year campaign, and its promise that it’s the “easiest way to learn to code.” Despite myself and others questioning Codecademy’s pedagogy, the tech press adores this new company. As such, story after story after story has already been written this year about its marketing campaign. Many of the most recent ones have touted the number of sign-ups for Code Year. My frustration: we are confusing enrollment in an email newsletter with educational outcomes. To quote former President George W. Bush, when it comes to the tech press, “Rarely is the question asked, ‘Is our children learning?’”

2. CourseKit: The alternative LMS Coursekit announced that it’s raised $5 million in funding. The startup earned buzz early in 2010 when it raised $1 million in investment and its trio of founders then dropped out of the University of Pennsylvania to pursue their business idea full-time. Add another $5 million on top of that now and it’s clear investors are interested in learning management systems — well, ones not named “Blackboard,” at least. But as I’ve written elsewhere (here and here), this is a crowded market, although CourseKit is aiming at professors as its customers, not institutions, offering a tool that’s more social and Web-oriented. My fear: I worry about education startups that have a lot of investors but no clear business model. As Douglas Rushkoff argues, if you’re not paying for the product, chances are you are the product.

3. Apple and iTextbooks?: Okay, this one is from the technology rumor mill, but word on the street is that Apple is poised to make a major announcement this month about textbooks and iTunes U. It’s not terribly surprising, as the Walter Isaacson biography of Steve Jobs indicated that textbooks were the next industry that Apple — or Jobs at least — planned to “disrupt.” But having read the biography, I am not sure I’d label the plans (at least as described therein) terribly disruptive. And as Phil Hill has noted here, all of the major educational publishers are supporters of SOPA, the Stop Online Piracy Act, a proposed piece of legislation that would crack down on copyright infringers and would also (as some technologists have argued) “break the Internet.” My concern: While it’s silly to get too upset about rumors and speculation at this time, I do wonder what Apple and textbook publishers could be scheming in terms of DRM-protected, walled gardens and how such plans might impact the open Web and OER.

4. Vi Hart joins Khan Academy: “Mathemusician” Vi Hart announced yesterday that she’s joining the faculty of Khan Academy. Hart’s YouTube videos are incredibly popular — her latest, about Fibonacci sequences, which she posted on December 21, already has well over 200,000 views, for example. “Vi Hart is awesome!” has been the response of a lot of folks to the news (and indeed, she is). So why do I find this troubling? In part, I think it’s connected to my long-standing concerns about pedagogy and the rote sort of teaching that Khan Academy videos offer. Hart’s math videos have long stood as a brilliantly creative alternative, ones that demonstrate the beauty of math and the joy of a mathematician. I worry how Hart will fit into Khan Academy (she says that she has free license there — that is good, of course). After all, Khan Academy isn’t just about video lessons — it’s about an exercise drill and adaptive learning platform. Does Hart fit in there? If so, how? My hesitation: is this an example perhaps of how the massive amount of funding and influence that Khan Academy has accrued over the last year or so may be wielded to co-opt others who may well offer more “disruptive” ways of thinking about teaching and learning (and math)?

This is the point, of course, where readers are free to dismiss me as critical if not curmudgeonly. Readers are also free to hum along with The Rolling Stones’ “You Can’t Always Get What You Want” — something I confess that I’d frequently do years ago when my son was younger and he’d stomp his feet and pout when things weren’t going his way. It’s also the point where entrepreneurs (particularly those mentioned above) vow to never ever speak to me again, because I’m being pretty dour about what is — particularly in the case of CourseKit and Codecademy — great news for their companies.

Yes, perhaps I am being overly negative and ridiculously pessimistic about how any or all of these news items stand as harbingers of “the bad” and not “the good” that’s still to come this year.

Perhaps.

Perhaps too these news items are really just “more of the same.” It’s not as though suddenly investors, educators, entrepreneurs, students, publishers and engineers have divergent interests or motivations. It’s not particularly new or newsworthy that much of the drive for technology in education actually supports the institutional and financial structures that we have in place rather than transforming or (the verb du jour) disrupting them.

I do wonder (and worry) about how best to change the conversation we have about technology and education — what matters, to whom, and why. And in doing so, I admit, I’m already exhausted just four days into a new year.


(I Hope This Isn’t a) 2012 Predictions Post on e-Literate


The Zone of Proximal Curiosity

Mon, 02/01/2012 - 12:48pm

Gardner Campbell has a great piece at Campus Technology that asks the following question:

What if we took another tack, specifying that students should not only remember information but also demonstrate increased curiosity?

I have enormous sympathy for this line of inquiry. In this post, I’m going to cover why I think it’s so important, how educating for curiosity interacts with other sorts of educational goals, and how we might begin to encourage it.

Curiosity Makes You Smarter

In a recent article, Scientific American’s Andrea Kuszewski discusses research showing that a person’s intelligence can be improved through certain kinds of intellectual work:

I’m talking about increasing your fluid intelligence, or your capacity to learn new information, retain it, then use that new knowledge as a foundation to solve the next problem, or learn the next new skill, and so on.

Now, while working memory is not synonymous with intelligence, working memory correlates with intelligence to a large degree. In order to generate successfully intelligent output, a good working memory is pretty important. So to make the most of your intelligence, improving your working memory will help this significantly—like using the very best and latest parts to help a machine to perform at its peak.

The take-home points from this research? This study is relevant because they discovered:

1. Fluid intelligence is trainable.

2. The training and subsequent gains are dose-dependent—meaning, the more you train, the more you gain.

3. Anyone can increase their cognitive ability, no matter what your starting point is.

4. The effect can be gained by training on tasks that don’t resemble the test questions.

Note the last point. It is possible to improve intelligence, but not through standardized testing. How? Kuszewski talks about five principles, the first of which is Seek Novelty:

It is no coincidence that geniuses like Einstein were skilled in multiple areas, or polymaths, as we like to refer to them. Geniuses are constantly seeking out novel activities, learning a new domain. It’s their personality.

There is only one trait out of the “Big Five” from the Five Factor Model of personality (Acronym: OCEAN, or Openness, Conscientiousness, Extroversion, Agreeableness, and Neuroticism) that correlates with IQ, and it is the trait of Openness to new experience. People who rate high on Openness are constantly seeking new information, new activities to engage in, new things to learn—new experiences in general [2].

When you seek novelty, several things are going on. First of all, you are creating new synaptic connections with every new activity you engage in. These connections build on each other, increasing your neural activity, creating more connections to build on other connections—learning is taking place.

An area of interest in recent research [pdf] is neural plasticity as a factor in individual differences in intelligence. Plasticity is referring to the number of connections made between neurons, how that affects subsequent connections, and how long-lasting those connections are. Basically, it means how much new information you are able to take in, and if you are able to retain it, making lasting changes to your brain. Constantly exposing yourself to new things helps put your brain in a primed state for learning.

Novelty also triggers dopamine (I have mentioned this before in other posts), which not only kicks motivation into high gear, but it stimulates neurogenesis—the creation of new neurons—and prepares your brain for learning. All you need to do is feed the hunger.

Excellent learning condition = Novel Activity → triggers dopamine → creates a higher motivational state → which fuels engagement and primes neurons → neurogenesis can take place + increase in synaptic plasticity (increase in new neural connections, or learning).

As a follow-up of the Jaeggi study, researchers in Sweden [pdf] found that after 14 hours of training working memory over 5 weeks’ time, there was an increase of dopamine D1 binding potential in the prefrontal and parietal areas of the brain. This particular dopamine receptor, the D1 type, is associated with neural growth and development, among other things. This increase in plasticity, allowing greater binding of this receptor, is a very good thing for maximizing cognitive functioning.

Take home point: Be an “Einstein”. Always look to new activities to engage your mind—expand your cognitive horizons. Learn an instrument. Take an art class. Go to a museum. Read about a new area of science. Be a knowledge junkie.

Shorter Kuszewski: Exercising your curiosity makes you smarter. It actually changes your brain. In today’s consumerist view of education, thirst for knowledge tends to get relegated as a somewhat quaint old liberal arts value that might be nice to pick up on the side after students have acquired those essential job skills. But the truth is that cultivation of curiosity makes students better equipped to acquire those essential job skills. (Not to mention more interested in doing so.)

The Broader Picture

This is just one example of the false dichotomies that often play out in educational reform debates, with one group pushing for a focus on job skills and the other championing the traditional liberal arts education. While there are some legitimate tensions between these goals, a lot (I might even say most) of the debate is caused more by an outdated industrial-age model of an ideal worker clashing with an outdated model of a well-rounded person descended from the university’s heritage as a refuge for the privileged class. Instead, we should be looking to different educational goals, returning to first principles, and figuring out how each one should be approached and layered on the others in a complementary way.

I propose three such layers. The first is what we might call educational readiness. These are the skills and habits that are necessary to learn anything. Curiosity is definitely one. Others might include critical thinking, the ability to follow directions and the ability to concentrate. These are just examples; I’m sure others can do a better job of defining this domain. But the point is, without this foundation, any other educational effort is mostly wasted. The second layer is what I’d broadly call literacies. It’s a collection of skills and knowledge that one needs to function in modern society. It definitely includes traditional written literacy and numeracy, but it could also include media literacy, a basic understanding of statistics, some civics, and so on. The definition of this layer is open for debate and, in some cases, politically inflected, but the fact that the boundaries are up for grabs doesn’t mean we shouldn’t do our best to define it. Educational readiness and literacies are the core of an education that everybody should have. Everything else, I would argue, is training. That includes academic disciplinary training. Training needs change based on the person, the state of the field or discipline as a body of knowledge, and the employment environment. But educational readiness and literacies are foundational. They are critical to the success of anyone in modern society. They are also consistent with both the desire to educate people to find productive and materially successful career paths and the desire to help people become well rounded, thoughtful, and personally fulfilled.

It is often the case that the same course will address two or even three of these domains. A survey of English literature can teach a student how to think critically, how to read a text carefully and how to do literary analysis like an English scholar all at the same time. But we shouldn’t assume that it will do so. Each of these three layers needs to be addressed explicitly, and sometimes separately. We can’t just layer on “core competency” evaluations and expect that to do the job. I also think that curiosity is unique in the sense that, by its very nature, to assess it is to destroy it. You can’t provide an extrinsic motivator like a grade to improve intrinsic motivation. The minute you start grading it, you’re done for. But you can encourage curiosity, and you might even be able to provide students with tools that help them become more aware of the degree to which they are pushing their own boundaries.

The Curiosity Zone

To borrow from Vygotsky, I think the way to foster curiosity is to find the zone of proximal curiosity. Think of it as a kind of assisted stretching. The goal is to find something close enough to the student’s current interests to get her to click but far enough away that it’s not something she would have thought to look for herself. There are a number of ways to do this. Certainly, MOOCs (or ROE classes, as I prefer to call them) are very useful in that (a) they don’t require anything of the student, but (b) the class structure and the social environment encourage students to try stuff. If you signed up for a ROE class in the first place, then there was something close enough to your zone to get you interested. An array of assignments, coupled with seeing your classmates do interesting things, might encourage you to try something. I particularly like Jim Groom’s twist of giving students the opportunity to create their own assignments. Anything to find that hook.

I also think technology can help. Like lots of other folks, I have grown frustrated at the low signal-to-noise ratio of my RSS reader and Twitter feed. I am simultaneously getting too much of the same thing and not enough of what I really want. Certainly, I’m getting a lot more information about a lot more topics than I did before I had these things, but I find they’re more useful for filling in gaps in my knowledge than for expanding my horizons, and the time investment I put in is high. Flipboard was something of an improvement because it added some curated content, but at the end of the day it was just tacking a news magazine onto my feed reader.

Enter Zite. Zite is like Flipboard, but with analytics that learn my preferences. I tell it which articles I liked and which ones I didn’t. It takes these evaluations and looks at the tags, authors, and publications of the article (and presumably Amazon/Netflix-style social preference clustering) to find me more articles that might interest me while showing me fewer that I don’t like. One of the most gratifying things about using the app is that it has gotten me to read much more in areas where I have some latent interests but never bothered to find the right publications. I’m interested in psychology articles about brain plasticity and learning but not about “Six Ways to Be More Satisfied With Your Life.” I’m interested in arts and culture articles about art history but not so much about opera. Now I learn about stuff that interests me but that didn’t interest me enough to invest the time in finding reliable information sources to feed my hunger. Thanks to the app, I am reading much more widely than I was a couple of months ago. Zite has found my zone of proximal curiosity.

Imagine using similar technology but mixing in paradata in the style that the Learning Registry aspires to deliver (fast forward to about 1:15:05 for the relevant part):

If we are able to layer on explicit information about how the content is related to the person’s learning goals (e.g., I want to learn how to build robots) and learning context (e.g., I’m teaching myself), then we could deliver the content as learning resources. We could make it more useful. And, of course, all of this metadata and paradata we’re using could be represented as a network graph. We could show students exactly how far they are venturing from their initially stated core interests over time. We could provide them with a map of their intellectual explorations.


The Zone of Proximal Curiosity on e-Literate


Protecting the Security of Student Data: Krebs v Rutgers, a case study

Sun, 01/01/2012 - 3:51pm

In 1992 seven students at Rutgers University sought federal court action to compel University administrators to protect their Social Security Numbers (SSN) from dissemination. The case became known as Krebs v Rutgers. It is often cited as guidance for what must be done to protect privacy from promiscuous use of SSN. The court record tells their story.

On April 20, 1992 Keith Krebs and six other students filed a federal case, later amended to include FERPA in their complaint. They asked the court to prevent, by injunction, the University’s collection of Social Security Numbers, except where required by statute, and its dissemination of Social Security Numbers. Three months later the court granted the requested injunction. Subsequently the students and the University reached a confidential agreement for student privacy.

Several years later an unidentified author on the website of the Computer Professionals for Social Responsibility wrote:

Keith Krebs sent me email in early 2000 saying that the case may need to be re-opened, since the University seems to be “unilaterally abrogating the settlement decree by initiating a change in policy prohibiting students from obtaining dummy SSNs [rather than have their real SSN used by the University]. I haven’t heard from him recently.

In his opinion Judge H. Lee Sarokin summarized the issues:

Plaintiffs, students at Rutgers University … challenge the collection and use of social security numbers by the university. Although the court determines herein that the university has the right to request and to utilize the social security numbers of its students, there is evidence that the confidentiality promised and required has been and will continue to be breached. Such future breaches must be enjoined.

[The law] does prohibit their [SSN] unauthorized dissemination, because of the vast source of personal information for which they provide access.

Krebs and his colleagues filed their case under the Privacy Act of 1974. Later they amended their Complaint citing the Federal Family Rights and Privacy Act (FERPA).

According to the plaintiffs, the student’s Social Security Numbers were used on student identification cards, in class rosters that included the student’s name, and in posted grades. Thus “Any student in the class can obtain the social security number of any other student in the class, thereby, obtaining the means to discover confidential information such as grades, credit history, etc.” The University conceded “such a practice would violate FERPA if this were a policy or custom of the University, an assertion which [the University and President] dispute.”

During the litigation the University only agreed to advise faculty members to cut off or delete student identification numbers [Social Security Numbers] from any class rosters circulated in the classroom. University officials also indicated “any student can request a ‘dummy’ nine-digit social security number to be used as his or her identification.”

The court concluded the Privacy Act does not apply to Rutgers University “because Rutgers is not an [governmental] ‘agency’ as defined by the Act.” The State of New Jersey did not have “direct, let alone day-to-day control” to define Rutgers University as a state agency.

Referring to FERPA Sarokin writes:

[The seven students] recognize and accept that every court which has addressed the issue has concluded that FERPA does not provide a private cause of action.

That is, a person may not enforce FERPA through the courts. A person may initiate action only by a complaint to the U.S. Department of Education, which has only limited remedies.

There are no records that suggest the Department has ever initiated an enforcement action. Violators are provided “a reasonable period of time, given all of the circumstances of the case, during which the educational agency or institution or other recipient [receiving a notice of non-compliance] may comply voluntarily.” If an education agency or institution or other recipient of Department funds does not comply, the Secretary may withhold further payments, issue a cease and desist order, or terminate eligibility to receive funding. Unenforced FERPA is hardly threatening.

The students claimed “irreparable harm.” Judge Sarokin pointed out:

“… any violations of those protected rights presents serious, ‘irreparable’ injury. Privacy Act case law and legislative history support this assertion.”

He commented:

Notwithstanding plaintiff’s broad assertions of harm and indignity, plaintiffs’ point is very well taken, especially in light of the antagonistic and dismissive attitude which the university has taken during the parties’ initial negotiations.

Rodney Hartnett, Associate University Vice President for Academic Affairs, had certified “that a simple notice to all faculty might cure the problem,” yet the University had taken no action. Judge Sarokin concluded an injunction would be appropriate. The students had, via the courts, forced a change of the University’s collection and use of Social Security Numbers. SSNs became protected data at Rutgers University.

The U.S. Department of Education recognizes the limitations on enforcement of FERPA. In the December 2, 2011 discussion of the amendments to FERPA, the Department noted:

Four commenters requested that the Department adopt more significant penalties, including incarceration and substantial fines, for FERPA violations.

The Department responded aggressively:

In FERPA, Congress expressly directed the Secretary to “take appropriate actions” to “enforce” FERPA and “to deal with violations” of its terms “in accordance with [the General Education Provisions Act]. … GEPA’s enforcement methods expressly permit the Secretary to issue a complaint to compel compliance through a cease and desist order, to recover funds improperly spent, to withhold further payments, to enter into a compliance agreement, or to “take any other action authorized by law,” including suing for enforcement of FERPA’s requirements.

The Department also now requires “written agreements” with servicers and others to comply with FERPA as a contractual requirement. This is similar to the approach that Tracy Mitrano recommended in her November 11, 2011 Inside Higher Education blog. But the Department’s agreements have all of the weaknesses of FERPA.

Judge Soarkin’s comment and university inaction did not reflect well on either University leadership or general counsel, and should be a lesson for college and university attorneys.

He also commented: Plaintiffs, students at Rutgers University, represented “themselves in a highly competent and thoughtful manner.” This is a high and deserved compliment to the University’s faculty and their seven students who did so well in a complex case.

Notes

cause of action

1 : the grounds (as violation of a right) that entitle a plaintiff to bring a suit [an amended pleading reiterating a cause of action for lost profits "J. H. Friedenthal et al."]; also : the part of a suit brought on those grounds [removed the cause of action to the district court]

2 : right of action [the court, led by Justice Brennan, said Congress intended to provide a private cause of action "National Law Journal"]

Exhaustion of Remedies

: a doctrine of civil and criminal procedure: a remedy cannot be sought in another forum (as a federal district court) until the remedies or claims have been exhausted in the forum having original jurisdiction (as a state court, tribal court, or administrative agency); compare primary jurisdiction at jurisdiction

NOTE: The doctrine of exhaustion of remedies was first developed by judges in case law based on comity. It is used primarily in administrative law cases and federal habeas corpus cases, and it is now incorporated in the federal habeas corpus statute (section 2254 of title 28 of the U.S. Code). It may also be applied when an administrative agency has original jurisdiction over a claim. It is used in proceedings in tribal courts.

private

1 a : intended for or restricted to the use of a particular person or group or class of persons : not available to the public [a private park]

b : not related to, controlled by, or deriving from the state [a private school]

2 a : owned by or concerning an individual person or entity [private land]

b : not having shares that can be freely traded on the open market [a private company]

3 : affecting the interests of a particular person, class or group of persons, or locality [private legislation] [private rights]

4 a : not invested with or engaged in public office or employment [a private citizen]

b : not related to or dependent on an official position [private correspondence]

5 : not known publicly or carried on in public; esp : intended only for the persons involved

6 : made under private signature [a private instrument]

right of action

1 : a right to begin and prosecute an action in the courts (as for the purpose of enforcing a right or redressing a wrong)

2 : chose in action at chose

section 1983

: the section of title 42 of the U.S. Code that makes a person liable for depriving another of any rights, privileges, or immunities secured by the U.S. Constitution and laws while acting under color of any statute, ordinance, regulation, custom, or usage of a state

FindLaw Legal Dictionary, Source: Merriam-Webster’s Dictionary of Law ©1996. Merriam-Webster, Incorporated. Published under license with Merriam-Webster, Incorporated.


Protecting the Security of Student Data: Krebs v Rutgers, a case study, on e-Literate

Categories: OER Blogs

Taking the Next Step at e-Literate

Sun, 18/12/2011 - 12:53pm

By

As you know, I have been experimenting with having more featured bloggers (both regular and occasional) here. This decision was triggered by the fact that I haven’t been able to blog as much or as widely as I used to, but the truth is that it’s something that I’ve wanted to do for a very long time. The conversation has been what has interested me. My main concern was whether I could pull off a group blog in a way that would maintain the voice, focus, and quality that I strive for without more effort than I can sustain.

From my perspective, the experiment has been an unqualified success. Phil Hill has been a particularly prolific contributor, burning up the blog with posts that provide the kind of analysis and raise the kind of questions that are in what I believe is the best spirit of what e-Literate has always strived for. The other writers—Jim Farmer, Audrey Watters, David White, and Kim Thanos—have provided a wonderful, rich, and well-rounded array of complementary insights and perspectives. I am thrilled. A couple of you have told me that you only read my pieces and skip over the other bloggers. Let me be clear: You are making a mistake. Some of the best writing ever to grace the pages of e-Literate is being published right now, and it’s not coming from me.

And so today I am announcing that the experiment has ended. I am making the blog officially and permanently a collective endeavor. If you look around the site, you will see changes in the branding that de-emphasize me and position e-Literate as a group publication. (The last piece will be adding full-page bios for the other authors, which I will do as they become available to me.) I expect to bring on board a few more regular bloggers and more occasional guests. And I am going to start experimenting with themes that I invite the bloggers, here and elsewhere, to discuss with each other. I want e-Literate to be a stone thrown in the pond. I want it to create ripples of conversation about topics that are important to us.

 


Categories: OER Blogs

Educational Publishers Appear to be Supporting SOPA

Fri, 16/12/2011 - 8:30am

By

UPDATE 12/23: Per the House Judiciary Committee, it is now confirmed that these companies are on the record supporting SOPA and the Protect IP companion legislation.

Yesterday the House Judiciary Committee began the process of marking up the Stop Online Piracy Act (SOPA) bill. From all appearances, most of the amendments have been rejected, thus leaving SOPA essentially in its original form. While passage is not assured, it is certainly a possibility as described by CNET.

After a marathon debate on the Stop Online Piracy Act, it’s clear that the Hollywood-backed bill enjoys enthusiastic support among key members of the U.S. House of Representatives and is one step closer to becoming law.

That became obvious after every legislative attempt to defang, rewrite, or significantly alter SOPA over nearly a 12-hour period today ended in victories for large copyright holders–and defeat upon defeat for the bill’s critics.

While the SOPA impacts are not fully understood, there are some real dangers to educational usage that we need to follow. As described in my first post on the subject, SOPA could have a major impact on institutions using any form of educational technology to share content outside of a tightly-controlled, password-protected course site. As we saw at EDUCAUSE this year, much of the potential of educational technology lies in facilitating the sharing of content outside of the “walled gardens” of traditional LMS solutions, and in enabling collaboration more broadly.

This year’s EDUCAUSE keynote speaker, Seth Godin, has a post up at The Domino Project that calls out the list of “companies behind one of the lobbying groups pushing for SOPA”. On this list, lo and behold, we find most of the educational publishing companies.

Pearson Education, Cengage Learning, McGraw-Hill Education, Macmillan, Scholastic, etc. They are all on the list.

(ed. – To be fair, very few companies are officially supporting SOPA legislation, as it is mostly lobbying groups providing the support. I could not find corroboration for these claims, so I am assuming that The Domino Project is providing an accurate list. If I find out differently, I’ll update this post.)

While no one should be surprised that education publishers support SOPA, as the bill is designed to protect content and media companies, I suspect that this support will come back to haunt these supporters. There is a strong backlash growing against SOPA, and if it is enacted as law, this backlash will grow exponentially.

Cory Doctorow wrote in Publisher’s Weekly about a key aspect of SOPA that is relevant to education.

As bad as this is, it gets worse: SOPA would also expand the definition of copyright infringement to include hosting a single link to a site that is alleged to contain infringing material. Thus, if an author’s blog, or a book discussion group, attracts a single post that contains a single link that goes to a site that someone accuses of copyright infringement, that site becomes one with the alleged infringer, and faces all the same sanctions—without any proof required, or due process.

Now think about the big move in education for open content and user-generated content. How would schools or platform hosting companies be able to police all the content if they are liable for infringement? The answer is that they couldn’t in a realistic manner. Cory continues . . .

Yet the services that provide the bulk of these benefits—search engines, Web hosts, and online service providers like Blogger, Tumblr, Twitter, Wikipedia, and YouTube—could never satisfy the requirements set out in SOPA. The only way for these platforms to satisfy SOPA would be to all but shut off the public’s ability to contribute and to throttle free expression for all but those entities that can afford to pay a lawyer to certify that their uploaded material will not attract a copyright complaint.

I would add educational platforms such as LMS solutions to this list of providers. By supporting SOPA through their lobbying groups, the educational publishers risk undercutting their own internal efforts to encourage open content and collaboration including user-generated content. This could push us back towards the walled gardens that we want to leave. As an example of undercutting efforts, consider Pearson’s free OpenClass LMS announced at EDUCAUSE this year. Inside Higher Ed’s Joshua Kim made an excellent point about needing to understand Pearson’s business interests.

A free LMS will always be suspect to decision makers on campuses unless we can be convinced that the provider is in the game for the long-term, and is investing enough resources in the business to ensure high levels of service, support, and robustness. We will not be convinced unless we truly believe that the free LMS is in the long term business and financial interests of the provider.

I would add that it is also important that the provider’s business interests align with educational institution interests. Based on SOPA support, it could become quite difficult for Pearson to convince people that OpenClass is open and can encourage collaboration. Pearson owns and maintains the site. What happens when someone claims that one of the courses on OpenClass violates copyright and demands that Pearson take action? Given their liability under SOPA, what would prevent Pearson from determining that it is far safer to only allow publisher-provided content to be shared outside of a single course, since publishers have the resources to QA the content and check on all copyrights? Under the circumstances, I wouldn’t blame them.

SOPA support thus could stifle innovation at educational publishers, erode confidence and support from the educational community as the corporate motivations become clear, and actually hamper the necessary moves to meet the industry needs for collaboration and open content.

In my opinion, antagonizing your customer base and undercutting strategic moves such as OpenClass is a poor long-term decision. The publishers’ support for SOPA could permanently harm their ability to be viewed as potential change agents helping the education industry move to new models. I sincerely hope that we find that the educational publishers are not actually supporting SOPA, or perhaps that they wake up and change course as Microsoft did.

In an excellent post at The Plashing Vole, the author makes the following point that captures how piracy should be handled.

A long time ago, John Milton wrote Areopagitica. In it, he opposed the pre-licensing of newspaper articles by governments as an attack on free speech. Instead, he wrote, one should publish and be damned: allow publication, then argue about it in court later. That way speech is free while piracy is punished.

UPDATE: Fixed error in bill name, fixed link to Godin post, removed reference to Senate


Categories: OER Blogs

Instructure Security Assessment Results

Mon, 12/12/2011 - 8:12am

By

Instructure has engaged Securus Global to test the Canvas LMS product for security vulnerabilities.  Instructure has also invited me to be an independent observer – participating in the process and independently reporting on the testing and Instructure’s response to any vulnerabilities identified.  Part 1 of this series of posts described the concept.  Part 2 gave a mid-term update, describing the process involved and initial results.  In this post I’ll describe the full results of the security assessment.  I’ll add my actual analysis in the final post.

The purpose of the testing was to validate and review the Canvas LMS design and implementation with respect to vulnerabilities that could be exploited by a motivated hacker.  Securus employed security experts to ethically hack, both manually and with automated tools, a test environment to try and identify specific vulnerabilities, working from the perspective of both an unauthorized user and an authorized user.  There was a range of exploits tested, but the basic idea is to find out if someone could access information or functionality that should be protected by system controls including role-based security.

Summary of Findings

The findings were presented to Instructure on November 29, 2011 in report form and with a conference call to discuss.

As described in my 2nd post:

The testing took place from approximately November 7 – 25, 2011.  During this timeframe, Securus had full access to the test environment, including access to the LMS source code (not only the officially open source code, but also the closed source plugins where needed).  Additionally, Securus requested and had access to certain system error log files.  The source code and error logs could be useful to identify hidden attack pathways.

As expected, Securus did find a number of security vulnerabilities.  Each vulnerability is rated by Securus in decreasing order of perceived risk as Critical, High, Moderate, or Low.  This risk is based on assessment of the likelihood and consequence of particular vulnerabilities being exploited.  As stated in the assessment report:

Securus Global follows the International Standards ISO 31000 and ISO 31010 for risk identification, classification and assessment.

Based on this ISO-based classification, the risk assessment found 10 vulnerabilities – 1 critical, 1 high, 4 moderate and 4 low severity – in the Canvas LMS system.

As of December 10, Instructure has already addressed and remediated 5 of these 10 vulnerabilities, including the critical and the high items.  Additionally, 2 fixes have been developed and are scheduled to be put into production by the end of December, and 3 fixes remain open and under investigation.  As mentioned in the part 2 post, the critical SQL Injection vulnerability was addressed and remediated within 1 day – see this security advisory for details.

The table below summarizes the results.

In the risk assessment report, Securus included details on each of the vulnerabilities discovered during testing.  These details included a full description of the vulnerability, likelihood of exploitation, impact to the system, reproduction details, and recommendations to address the vulnerabilities.  For security reasons, I am not going to describe these details publicly.

Nature of Vulnerabilities

As part of the review, Securus provided feedback to Instructure not just on the specific findings, but also on the pattern of findings.  Keep in mind that Canvas LMS is open source, allowing testers access to system design and code.  According to the Securus report:

It is our impression that CANVAS is generally a secure application and that the issues found can quickly be remediated. CANVAS is built upon a foundation of very widely used programming frameworks that have been subject to extensive security auditing.

During testing several issues were identified, including one critical vulnerability. Due to progressive reporting and status updates with Instructure the critical vulnerability identified was promptly remediated and released to users.

The remaining issues present a moderate risk to the integrity and confidentiality of the stored data which could lead to reputational damages and loss of confidence in the CANVAS system should the risk be realised. None of these issues are associated with major application flaws that are difficult to remediate.

It was not always straightforward, however, how Instructure should fix each issue.  The biggest challenge seemed to be balancing the need for security with the need for usability for Instructure’s customers.  For example, on the Arbitrary File Upload vulnerability, Instructure was initially hesitant to directly follow the recommended remediation of forcing all conversation file attachments to be downloaded by the browser rather than displayed in-line.  The reason for the recommendation is to avoid phishing attacks, but there was a competing issue of customer expectations to see attachments in-line.  After internal discussions, Instructure concluded that users do not have the same expectations for in-line viewing of conversation file attachments as they do for wiki pages and course modules; furthermore, the risk of phishing attacks is greater for conversations.  Based on this internal discussion, Instructure is now in the midst of directly implementing the recommended change.

Although the report did not identify any major design flaws, there is one vulnerability that could lead to extensive changes to the Canvas code base.  This involves the No Access Controls for Uploaded Files vulnerability, and according to Instructure the remediation will likely involve adding timeouts to the signed URLs.  Simple changes, but extensively applied.
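The two remediations described above, as an added example that is not Instructure’s code: an HMAC-signed download URL that stops being honoured after a timeout, and response headers that make the browser save a conversation attachment rather than render it in-line. The secret, the TTL, the query-parameter names and the header set are assumptions for this illustration.

```ruby
require "openssl"
require "uri"
require "cgi"

# Added example, not Instructure's code. SECRET, DEFAULT_TTL and the
# query-parameter names are assumptions for this illustration; a real
# deployment would load the secret from configuration, never from source.
SECRET = "constructed-demo-secret-do-not-reuse".freeze
DEFAULT_TTL = 300 # seconds a download link stays valid

# Constant-time string comparison, so that a forged signature cannot be
# confirmed one byte at a time by measuring how long the check takes.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Path and expiry are signed together, so changing either invalidates the link.
def signature_for(path, expires)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, "#{path}\n#{expires}")
end

# Build a download URL for `path` that is only honoured until now + ttl.
def sign_url(path, now: Time.now.to_i, ttl: DEFAULT_TTL)
  expires = now + ttl
  "#{path}?expires=#{expires}&sig=#{signature_for(path, expires)}"
end

# Check a presented URL. Returns :ok, :malformed, :bad_signature or :expired
# so the caller can log the reason a request was refused.
def verify_url(url, now: Time.now.to_i)
  uri = URI.parse(url)
  params = CGI.parse(uri.query.to_s)
  expires = params["expires"].first
  sig = params["sig"].first
  return :malformed unless expires && sig && expires.match?(/\A\d+\z/)
  # Signature first: a tampered expiry is a forgery, not a timeout.
  return :bad_signature unless secure_equal?(sig, signature_for(uri.path, expires.to_i))
  return :expired if now > expires.to_i
  :ok
end

# Response headers for a conversation attachment: Content-Disposition
# "attachment" makes the browser save the file instead of rendering it
# in-line, and nosniff stops the browser second-guessing the declared type.
def attachment_headers(filename, content_type)
  safe_name = filename.gsub(/[^\w.\-]/, "_")
  {
    "Content-Type" => content_type,
    "Content-Disposition" => "attachment; filename=\"#{safe_name}\"",
    "X-Content-Type-Options" => "nosniff",
  }
end

if __FILE__ == $PROGRAM_NAME
  link = sign_url("/files/42/download")
  puts link
  puts verify_url(link)                      # :ok
  puts verify_url(link.sub("/42/", "/43/"))  # :bad_signature
  puts attachment_headers("notes.html", "text/html")
end
```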

Next Steps

For the Canvas community, updates to the remaining security fixes will be provided through security advisories on the Instructure web site.

For me, I’ll add my analysis in a separate post, in order to allow the reported results to stand by themselves.


Categories: OER Blogs

Protecting the Security of Student Data: CollegeNet v XAP, A Case Study

Sun, 11/12/2011 - 11:32am

By

In her blog “Law, Policy and IT” Tracy Mitrano expressed a concern: protecting student privacy as colleges and universities outsource information processing with external servicers. To ensure education records are protected, she writes, outsourcing contracts must explicitly detail the protection to be provided student data. She suggested contract provisions should require an entity comply with federal law including the Federal Education Rights Privacy Act. FERPA is one of the United States’ earliest public privacy laws enacted more than thirty years ago. She said “the Department of Education has already made clear that outsourcing these records does not alleviate the institution of its obligations under this law.” Her recommendation would build a “chain of responsibility” for the privacy and security of student education records. She observes these records have become “an important and permanent marker of an individual in a competitive society currently plagued by high unemployment rates even among college and professional school graduates in an era where corporations and firms routinely amass information from a variety of sources in the course of hiring.”

Student data have been disclosed and sold without permission by external vendors. One example is described in the court records of CollegeNet Inc. v XAP Corporation, U.S. District Court for the District of Oregon.

Litigation began September 10, 2003 when CollegeNet Inc. asserted patent infringement. Subsequently CollegeNET was awarded “$4 million in damages for Xap’s[1] patent infringement.” On June 9, 2009, the court authorized a Consent Judgment after the two firms reached a settlement agreement. The agreement is not included in the court records.

On June 10, 2004 CollegeNET also filed a “Complaint for False Advertising and Unfair Competition” against XAP Corporation which raised questions about the security of student data.

As background of the two firms from court records:

“Plaintiff [CollegeNET] provides online college admission application services to college-bound students and to the colleges and universities (hereinafter referred to collectively as colleges) to which the students intend to apply. The colleges pay Plaintiff for these services.

“Defendant [XAP Corporation] provides online college application and admission processing services to college-bound students through approximately 30 “Mentor” websites. Defendant’s paying customers for online services are state agencies, departments of education, and/or student-loan guarantee authorities; e.g., banks and other lending institutions (collectively referred to as commercial institutions). Defendant does not charge colleges directly for these online services.”

Georgetown University Law School professor Rebecca Tushnet explains:

CollegeNET brought state and federal unfair competition claims, on the theory that XAP makes false representations to its customers about privacy, putting CollegeNET at a competitive disadvantage in the online application and admissions processing services market. Colleges have to pay for CollegeNET, but they can get XAP services for free because the financial aid institutions pay for XAP. CollegeNET further alleges that XAP misleads colleges about its privacy policies, giving colleges the false impression that XAP won’t sell or provide student data to third parties without a student’s express consent.

She describes the issue:

If I make money by delivering eyeballs to my clients, is there a Lanham Act violation when I lie to get those eyeballs? My intuition is yes, at least for defendants like Google and XAP – but I’d have to draw the line at communicative products, like a newspaper with articles by Jayson Blair.

I tried to distinguish the actual content of the site, which has full First Amendment protection, from the representations used to entice people to the site, which can be false commercial speech subject to the Lanham Act.

The jury agreed with Ms. Tushnet, finding “that Xap engaged in unfair competition by making false or misleading statements in violation of the Lanham Act, 15 U.S.C. § 1125(a)” and awarded CollegeNET $4.5 million.

What about student privacy?

To assure privacy and informed consent, Judge Brown issued a permanent injunction:

“The Court finds that there is a threat of present and future irreparable harm to students using [the XAP websites] because the disclosure currently provided by Xap at the time that student applicants are given an opportunity to request additional information in connection with student loans or financial aid (the “Opt-In Question”) is inadequate to assure that the applicant knowingly and unequivocally consents to the disclosures and use of Personal Information.”

She required:

Student applicants shall be informed in plain, concise, and conspicuous language set forth at the time that the Opt-In Question is presented and before any Personal Information is transferred that by answering “yes” to the Opt-In Question, the student applicant understands that he or she specifically is authorizing Xap to disclose the following Personal Information to the Site sponsors as appropriate: [a description of the Personal Information that will be disclosed] to the following: [a list of all entities that will receive any or all of the Personal Information] for purposes of [a description of all purposes for which the Personal Information is submitted] (brackets from the original).

Personal Information was defined as data “that uniquely identifies, or that can be used to uniquely identify, an individual person.” How valuable is the data? As an example, CollegeNET alleged:

“KHESLC agreed to pay, and on information and belief has paid XAP $10 in exchange for personal information of students who established an account with XAP and submitted online admissions applications through the Kentucky Mentor site.”

Can a student be required to provide data to the servicer? During this period the California State University required students to apply to its universities through XAP. Whether its agreement with XAP included privacy provisions such as Mitrano suggests could not be determined from the court records.

This case identified three issues:

  • Would contract provisions, as suggested by Mitrano, be sufficient to prevent the disclosure of student data not authorized by the student?
  • Should a college require a student to provide data that is “sold” to benefit the college?
  • What is the role of college information technology staff in monitoring the protection of student data both from campus websites and by contractors?

On November 14, 2011, the Georgia Tech College of Computing “took down all past course websites stored on College servers” to comply with FERPA. On November 29th Facebook agreed to improved protection of user data in response to user concerns about privacy. Facebook is to provide the same informed consent for data sharing that Judge Brown required in her permanent injunction. On December 2nd the U.S. Department of Education issued revisions to FERPA regulations that require written agreements similar to, but less specific than, what Mitrano suggested. However, FERPA has never been enforced. These recent examples show the need for collaboration among faculty, students, and information technology staff to balance students’ privacy, faculty improvements of teaching and learning, and IT capabilities.

Perhaps this case history illuminates the issues and can contribute to these discussions.

 

[1] The correct name is XAP Corporation. However, Xap is used where this spelling appeared in quoted court records.


Categories: OER Blogs

Instructure Security Mid-Term

Wed, 30/11/2011 - 9:54pm

By

Instructure has engaged Securus Global to test the Canvas LMS product for security vulnerabilities.  Instructure has also invited me to be an independent observer – participating in the process and independently reporting on the testing and Instructure’s response to any vulnerabilities identified.  Part 1 of this series of posts describes the concept.  In this post, I’ll give a mid-term update, describing the process involved and initial results.  In the next post I’ll describe the full results of the security testing.  I’ll try to keep my actual analysis in the final post, after I have objectively described the process and results.

The purpose of the testing was to validate and review the Canvas LMS design and implementation with respect to vulnerabilities that could be exploited by a motivated hacker.  Securus employed security experts to ethically hack a test environment to try and identify specific vulnerabilities, working from the perspective of both an unauthorized user and an authorized user.  There was a range of exploits tested, but the basic idea is to find out if someone could access information or functionality that should be protected by system functionality including role-based security.

There are two particular viewpoints that have led to my interest in this independent observer role.

  • No enterprise software platform is perfect and you should always expect some vulnerabilities.  The issue should not just be on whether there are vulnerabilities, but perhaps more importantly, on how a company or organization responds to a security vulnerability or incident.
  • I have called for transparency from LMS vendors and open source communities, arguing that they should share information from their third-party security audits and tests.

Two aspects of the Canvas LMS are particularly relevant for this discussion.

  • Canvas is a Software-as-a-Service (SaaS) platform, also known as multi-tenant platform.  In this setup, Canvas is run “in the cloud” where all paying customers share the same instance of the LMS.  This is the same model as Amazon, Facebook, iTunesU, as well as many of the newer LMS solutions.  Because of this model, there is one deployment of software in production that customers share.
  • Canvas is commercial open source.  Instructure controls and updates the code base, but the source code is freely available and can be downloaded or used by non-paying customers.  Additionally, paying customers obviously have full access to see the source code.

Testing Process

The testing took place from approximately November 7 – 25, 2011.  During this timeframe, Securus had full access to the test environment, including access to the LMS source code (not only the officially open source code, but also the closed source plugins where needed).  Additionally, Securus requested and had access to certain system error log files.  The source code and error logs can be useful for identifying hidden attack pathways.

Each identified vulnerability was rated by Securus as Critical, High, Moderate, Low or Informational Purposes – in decreasing order of risk severity.  Instructure uses a different system of Highly Critical, Less Critical, etc. in their security advisories, but I will keep my descriptions based on the severity levels identified by Securus.

During the testing, we had conference calls roughly once a week, where I was able to participate and hear the results-to-date, questions, and general discussion.  In addition to the verbal updates by phone, Securus provided an interim written update on November 16th that listed several vulnerabilities identified up to that point.  The draft final report was delivered on November 28th, and the final report should be published shortly.

My descriptions lag the actual testing dates to avoid publicizing vulnerabilities before there are remediations – while I am interested in transparency, there is no need to increase risk by reporting on issues that have not been addressed.

Mid-Term Results

The mid-term results provided on November 16th did identify several vulnerabilities.  These vulnerabilities are described in more detail in the final report, which I’ll cover in a future post, but there is one issue that is worth relating ahead of time.

The testing “identified a SQL injection attack vector in the file re-ordering capability, available in the users file area and the course/group file areas” (from the subsequent security advisory posted by Instructure).  This issue was deemed by both Securus and Instructure to be of Critical severity, as it could lead to manipulation of data, exposure of sensitive information, and privilege escalation (users gaining access to more information and functionality than should be allowed based on their role).

Due to the critical nature of the SQL injection vulnerability, Instructure took the step of developing, testing and deploying a fix to the production servers and the open source code base within approximately 24 hours of the mid-term report.
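As an added illustration of the class of bug described above, and not Canvas code or the actual Canvas defect: a hypothetical file re-ordering handler that interpolates request values straight into SQL, beside a hardened version that validates the ids, confirms ownership and binds parameters. The table, column names and sample rows are constructed, and Python's sqlite3 stands in for the application database.

```python
import re
import sqlite3

# Constructed sample data: two users (owner_id 100 and 200) each own two files.
SAMPLE_ROWS = [(1, 100, 1), (2, 100, 2), (3, 200, 1), (4, 200, 2)]


def make_db():
    """Build an in-memory table that stands in for an LMS file listing."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE attachments (id INTEGER PRIMARY KEY, owner_id INTEGER, position INTEGER)")
    conn.executemany("INSERT INTO attachments VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def reorder_unsafe(conn, owner_id, ordered_ids):
    """Vulnerable pattern: request values are interpolated into the SQL text."""
    for pos, raw_id in enumerate(ordered_ids, start=1):
        conn.execute(f"UPDATE attachments SET position = {pos} "
                     f"WHERE owner_id = {owner_id} AND id = {raw_id}")
    conn.commit()


def _as_int(raw):
    """Accept only plain integers or decimal-digit strings; reject everything else."""
    if isinstance(raw, int) and not isinstance(raw, bool):
        return raw
    if isinstance(raw, str) and re.fullmatch(r"[0-9]+", raw):
        return int(raw)
    raise ValueError(f"rejected file id {raw!r}")


def reorder_safe(conn, owner_id, ordered_ids):
    """Hardened version: validate ids, confirm ownership, then bind parameters."""
    ids = [_as_int(raw) for raw in ordered_ids]
    marks = ",".join("?" * len(ids))  # placeholders only, never user text
    owned = {row[0] for row in conn.execute(
        f"SELECT id FROM attachments WHERE owner_id = ? AND id IN ({marks})",
        [owner_id, *ids])}
    if owned != set(ids):
        raise PermissionError("id list names files outside the caller's file area")
    with conn:  # one transaction: every position changes or none does
        for pos, file_id in enumerate(ids, start=1):
            conn.execute("UPDATE attachments SET position = ? WHERE owner_id = ? AND id = ?",
                         (pos, owner_id, file_id))


def positions(conn, owner_id):
    """Return (id, position) pairs for one owner, used to check the outcome."""
    return [tuple(r) for r in conn.execute(
        "SELECT id, position FROM attachments WHERE owner_id = ? ORDER BY id", (owner_id,))]
```

Run against the sample rows, the unsafe handler lets a tainted id rewrite another user's rows, which is the cross-user data manipulation the advisory warns about, while the hardened handler rejects the input before touching the database.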

The mid-term update also identified three other vulnerabilities which appear to be Moderate or Low severity.  I’ll describe the actual vulnerabilities and remediations in a future post.

Update:  Fixed dates of testing period


Instructure Security Mid-Term on e-Literate

Categories: OER Blogs

Regulatory Barriers to Innovation for Ed Tech and Open Education

Tue, 29/11/2011 - 7:31am

Over the past few weeks there has been a significant backlash growing against SOPA (the anti-piracy bills introduced in Congress) – read here or here for background.  The biggest change since the bills were introduced is that big technology vendors (significantly including Microsoft and working through the Business Software Alliance) have either withdrawn support or gotten off the fence.  The BSA is now officially lobbying against SOPA as written.  In the world of strange bedfellows, there are also a number of politicians on both sides of the aisle publicly opposing the bill.  It does take some real legislative talent to help create a Pelosi – Paul – Issa common cause.

Despite the growing opposition, there certainly appears to be a concerted effort in Congress to get the bill passed.  The outcome is far from clear at this point.

While SOPA by itself remains a major threat to innovation for educational technology and open education in general, it may be helpful to step back and see the growing list of federal laws and regulations that could have a major impact on innovation in higher education.  While each issue is interesting in and of itself, a pattern is emerging.  This pattern suggests that organizations interested in preserving the status quo are actively pushing back against the tide of change brought by online systems, online education, and digital content.

  • Gainful Employment - The Department of Education (DoE) looks at student default rates at for-profit schools, and creates new regulations based on the future ability of students to pay off debt.  While based on good intentions, the regulations are targeted at one sector and ignore the bigger picture of rising higher education tuitions and massive student debt at all institutions.
  • Individual State Authorization - The DoE interprets past rulings to mean that online programs must have authorization from the home state of each student in order to operate.  Since this move, many states have started registration processes to ‘get into the game’ and share the revenue.  While the DoE has pulled back temporarily, according to a WCET survey, almost 60% of online programs will begin to limit which states they will serve – meaning fewer choices for students.
  • Accessibility for Online Programs - The DoE interprets accessibility rules to directly apply to all online programs without exception.  No room for experimentation.  This will apply not only to online technology, but also to online content.
  • Review of For-Profit Accreditation - Senator Harkin is leading an effort along with DoE to change accreditation of for-profit schools, including review of their corporate operations.
  • Stop Online Piracy Act (SOPA) - As drafted, SOPA could have a major impact on institutions using any form of educational technology to share content outside of a tightly-controlled password-protected course site.

There are many writers, including myself, who have been writing about the growing interest and investment in educational technology and online programs with the potential to change higher education.  What is apparent from the emerging pattern of legislative and regulatory actions is that there is significant pushback against these changes.  Real issues such as piracy and students' inability to repay student loans need to be addressed, but the pattern is that the actual implementation of the laws or rules ends up going far beyond addressing the purported problems and becomes a barrier to innovation.

One of the effects of this give-and-take is that the organizations that can afford to get around these barriers will tend to be larger and larger.  Smaller colleges don’t have the staff or budgets to deal with all the compliance issues.  With so many cloud-based ed tech platforms emerging, will the smaller companies be able to prevent SOPA actions with all of the user-generated content on their sites?

There will be other battles to hit the public consciousness in higher ed, but it would be helpful to view them in the context of the bigger picture.  Higher education needs fundamental change, but not every change will be successful.  Each battle will have valid arguments on both sides, but don’t view the battles in isolation.


Regulatory Barriers to Innovation for Ed Tech and Open Education on e-Literate

Categories: OER Blogs