Pluralistic: Why is this Canadian university scared of you seeing its Privacy Impact Assessment? (01 Aug 2024)


The notorious 2002 California Coastal Records image of Barbra Streisand's mansion and the surrounding coastline. It has been altered: the heraldic logo of Langara College has been superimposed on its many pitched roofs.

Why is this Canadian university scared of you seeing its Privacy Impact Assessment?

Barbra Streisand is famous for many things: her exciting performances on the big screen, the small screen, and the stage; her Grammy-winning career as a musician (she's a certified EGOT!); and for all the times she's had to correct people who've added an extra vowel to the spelling of her first name (I can relate!).

But a thousand years from now, her legacy is likely to be linguistic, rather than artistic. The "Streisand Effect" – coined by Mike Masnick – describes what happens when someone tries to suppress a piece of information, only to have that act of attempted suppression backfire by inciting vastly more interest in the subject:

https://en.wikipedia.org/wiki/Streisand_effect

The term dates to 2003, when Streisand sued the website Pictopia and its proprietors for $50m for reproducing an image from the publicly available California Coastal Records Project (which produces a timeseries of photos of the California coastline in order to track coastal erosion). The image ("Image 3850") incidentally captured the roofs of Streisand's rather amazing coastal compound, which upset Streisand.

But here's the thing: before Streisand's lawsuit, Image 3850 had only been viewed six times. After she filed the case, another 420,000 people downloaded that image. Not only did Streisand lose her suit (disastrously so – she was ordered to pay the defendants' lawyers $177,000 in fees), but she catastrophically failed in her goal of keeping this boring, obscure photo from being seen:

https://en.wikipedia.org/wiki/Streisand_effect

Streisand has since called the suit "a mistake." On the one hand, that is very obviously true, but on the other hand, it's still admirable, given how many other failed litigants went to their graves insisting that their foolish and expensive legal gambit was, in fact, very smart and we are all very stupid for failing to understand that.

Which brings me to Ian Linkletter and the Canadian Privacy Library. Linkletter is the librarian and founder of the nonprofit Canadian Privacy Library, a newish online library that collects and organizes privacy-related documents from Canadian public institutions. Linkletter kicked off the project with the goal of collecting the Privacy Impact Assessments from every public university in Canada, starting in his home province of BC.

These PIAs are a legal requirement whenever a public university procures a piece of software, and they're no joke. Ed-tech vendors are pretty goddamned cavalier when it comes to student privacy, as Linkletter knows well. Back in 2020, Linkletter was an ed-tech specialist for the University of British Columbia, where he was called upon to assess Proctorio, a "remote invigilation" tool that monitored remote students while they sat exams.

This is a nightmare category of software, a mix of high-tech phrenology (vendors claim that they can tell when students are cheating by using "AI" to analyze their faces); arrogant techno-sadism (vendors require students – including those sharing one-room apartments with "essential worker" parents on night shifts who sleep during the day – to pan their cameras around to prove that they are alone); digital racism (products are so bad at recognizing Black faces that some students have had to sit exams with multiple task-lights shining directly onto their faces); and bullshit (vendors routinely lie about their tools' capabilities and efficacy).

Worst: remote invigilation is grounded in the pedagogically bankrupt idea that learning is best (or even plausibly) assessed through high-stakes testing. The kind of person who wants to use these tools generally has no idea how learning works and thinks of students as presumptively guilty cheats. They monitor test-taking students in realtime, and have been known to jiggle test-takers' cursors impatiently when students think too long about their answers. Remote invigilation also captures the eye-movements of test-takers, flagging people who look away from the screen while thinking for potential cheating. No wonder that many students who sit exams under these conditions find themselves so anxious that they vomit or experience diarrhea, carefully staring directly into the camera as they shit themselves or vomit down their shirts, lest they be penalized for looking away or visiting the toilet.

Linkletter quickly realized that Proctorio is a worst-in-class example of a dreadful category. The public-facing materials the company provided about its products were flatly contradicted by the materials they provided to educators, where all the really nasty stuff was buried. The company – whose business exploded during the covid lockdowns – is helmed by CEO Mike Olsen, a nasty piece of work who once doxed a child who criticized him in an online forum:

https://pluralistic.net/2020/07/01/bossware/#moral-exemplar

Proctorio's products are shrouded in secrecy. In 2020, for reasons never explained, all the (terrible, outraged) reviews of its browser plugin disappeared from the Chrome store:

https://pluralistic.net/2021/09/04/hypervigilance/#radical-transparency

Linkletter tweeted his alarming findings, publishing links to the unlisted but publicly available YouTube videos where Proctorio explained how its products really worked. Proctorio then sued Linkletter for copyright infringement.

Proctorio's argument is that by linking to materials that they published on YouTube with permissions that let anyone with the link see them, Linkletter infringed upon their copyright. When Linkletter discovered that these videos already had publicly available links, indexed by Google, in the documentation produced by other Proctorio customers for students and teachers, Proctorio doubled down and argued that by collecting these publicly available links to publicly available videos, Linkletter had still somehow infringed on their copyright.

Luckily for Linkletter, BC has an anti-SLAPP law that is supposed to protect whistleblowers facing legal retaliation for publishing protected speech related to matters of public interest (like whether BC's flagship university has bought a defective and harmful product that its students will be forced to use). Unluckily for Linkletter, the law is brand new, lacks jurisprudence, and the courts have decided that he can't use a SLAPP defense and his case must go to trial:

https://pluralistic.net/2023/04/20/links-arent-performances/#free-ian-linkletter

Linkletter could have let that experience frighten him away from the kind of principled advocacy that riles up deep-pocketed, thin-skinned bullies. Instead, he doubled down, founding the Canadian Privacy Library, with the goal of using Freedom of Information requests to catalog all of Canada's post-secondary institutions' privacy assessments. Given how many bodies he found buried in Proctorio's back yard, this feels like the kind of thing that should be made more visible to Canadians.

There are 25 public universities in BC, and Linkletter FOI'ed them all. Eleven provided their PIAs. Eight sent him an estimate of what it would cost them (and thus what they would charge) to assemble these docs for him. Six requested extensions.

One of them threatened to sue.

Langara College is a 19,000-student spinout of Vancouver Community College whose motto is Eruditio Libertas Est ("Knowledge is Freedom"). Linkletter got their 2019 PIA for Microsoft's Office 365 when he FOI'ed the Nicola Valley Institute of Technology (universities often recycle one another's privacy impact assessments, which is fine).

That's where the trouble started. In June, Langara sent Linkletter a letter demanding that he remove their Office 365 PIA; the letter CC'ed two partners in a law firm, and accused Linkletter of copyright infringement. But that's not how copyright – or public records – work. As Linkletter writes, the PIA is "a public record lawfully obtained through an FOI request" – it is neither exempted from disclosure, nor is it confidential:

https://www.privacylibrary.ca/legal-threat/

Langara claims that in making their mandatory Privacy Impact Assessment for Office 365 available, Linkletter has exposed them to "heightened risks of data breaches and privacy incidents," but they provided no evidence to support this assertion.

I think they're full of shit, but you don't have to take my word for it. After initially removing the PIA, Linkletter restored it, and you can read it for yourself:

https://www.privacylibrary.ca/langara-college-privacy-impact-assessments/

I read it. It is pretty goddamned anodyne – about as exciting as looking at the roof of Barbra Streisand's mansion.

Sometimes, where there's smoke, there's only Streisand – a person who has foolishly decided to use the law to bully a weaker stranger out of disclosing some innocuous and publicly available fact about themselves. But sometimes, where there's smoke, there's fire. A lot of people who read my work are much more familiar with ed-tech, privacy, and pedagogy than I am. If that's you, maybe you want to peruse the Langara PIA to see if they are hiding something because they're exposing their students to privacy risks and don't want that fact to get out.

There are plenty of potential privacy risks in Office 365! The cloud version of Microsoft Office contains a "bossware" mode that allows bosses to monitor their workers' keystrokes for spelling, content, and accuracy, and produce neat charts of which employees are least "productive." The joke's on the boss, though: Office 365 also has a tool that lets you compare your department's usage of Office 365 to your competitors', which is another way of saying that Microsoft is gathering your trade secrets and handing them out to your direct competitors:

https://pluralistic.net/2021/02/24/gwb-rumsfeld-monsters/#bossware

So, yeah, there are lots of "features" in Office 365 that could give rise to privacy threats when it is used at a university. One hopes that Langara correctly assessed these risks and accounted for them in its PIA, which would mean that they are bullying Linkletter out of reflex, rather than to cover up wrongdoing. But there's only one way to find out: go through the doc that Linkletter has restored to public view.

Linkletter has excellent pro bono representation from Norton Rose Fulbright, a large and powerful law firm that is handling his Proctorio case. Linkletter writes, "they have put this public college on notice that any proceeding is liable to be dismissed pursuant to the Protection of Public Participation Act, BC’s anti-SLAPP legislation."

Langara has now found themselves at the bottom of a hole, and if they're smart, they'll stop digging.

(Image: Copyright (C) 2002 Kenneth & Gabrielle Adelman, California Coastal Records Project, www.californiacoastline.org, CC BY-SA 3.0; Langara College, Fair Use (parody), Fair Dealing (parody); modified)


This day in history

#15yrsago Call for submissions for an event to honor Toronto’s venerable, shuttered Pages Books https://quillandquire.com/book-news/2009/07/29/pages-requests-memories-for-send-off-bash/

#15yrsago Matrix Online goes out with a party, not a whimper https://web.archive.org/web/20090802104032/http://www.massively.com/2009/07/27/reminder-check-out-the-matrix-online-before-it-decompiles/

#15yrsago India’s airlines to ground all planes and press for bailout https://timesofindia.indiatimes.com/india/no-private-airlines-to-fly-on-aug-18/articleshow/4842710.cms

#5yrsago Summing up the Democrats’ debate: Colbert’s scorching monologue https://www.thedailybeast.com/stephen-colbert-hits-longshot-democrats-for-spewing-republican-talking-points-at-cnn-debate

#5yrsago A modest proposal to solve no-deal Brexit: insure all losses with the pensions of Brexit supporters https://web.archive.org/web/20190205121528/https://twitter.com/Sime0nStylites/status/1092343448483651589


Upcoming books

  • Picks and Shovels: a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books, February 2025

  • Unauthorized Bread: a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2025



Colophon

Currently writing:

  • Enshittification: a nonfiction book about platform decay. Today's progress: 911 words (30817 words total).

  • A Little Brother short story about DIY insulin PLANNING

  • Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. FORTHCOMING TOR BOOKS JAN 2025

  • Vigilant, Little Brother short story about remote invigilation. FORTHCOMING ON TOR.COM

  • Spill, a Little Brother short story about pipeline protests. FORTHCOMING ON TOR.COM

Latest podcast: Unpersoned https://craphound.com/news/2024/07/29/unpersoned/


This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

