A front page story in the yesterday’s New York Times (and our local paper here in Champaign-Urbana) about massive credit card theft has got me rethinking my own views about security online. I should add that recently I’ve been talking with some folks from Purdue University and they have been going through living hell because of some similar break-ins on campus computers there (but not at the scale of the credit card theft). Further threats seem quite real.
My campus has been quite security conscious for some time and because I have a comparatively high level position in the main IT organization, I have butted heads with a variety of network and security people who, though obviously smarter about the underlying risks than I am, seemed to be all too willing to be Big Brother-ish on measures to make our campus more secure. For my part, I had argued that we should do more education in the community and let community members make an informed choice instead of simply imposing rules from above.
Among the issues we’ve discussed is whether there should be single sign-on through some gateway after which there would be authentication via “trust” of the gateway rather than entering in another ID and password. On a similar front, we’ve also debated whether there should be one common password for all our different types of accounts. (Currently, there are different passwords for logging onto the course management system, doing email, and working in our computer labs, and they are all “strong” passwords, meaning they shouldn’t be readily figured out from a simple algorithm so they’re harder to remember.)
Most people on campus want the convenience but when a security incident occurs they, of course, bemoan the loss. The time inconsistency in people’s attitudes makes it hard to get the right balance. The thing the Times article pointed out to me, and I must say I’ve been a dope for not understanding this earlier, is that many people on campus have not only their own data, but they also have data about others and they should be good data custodians. The most obvious is where the instructor has an Excel spreadsheet of class grades of the students sitting on the instructor’s office computer. Similarly, administrators have information about staff on their office computers. The pure libertarian approach that I advocated conveniently ignores this interdependency. Some convenience does have to be sacrificed to ensure data safety. I still don’t understand in my head the right balance, but I know my old argument wasn’t quite right.
I want to take those same concerns and consider them in the context of teaching, but focus on other issues than the grade book stored on the instructor’s computer. Every campus in the United States that receives Federal dollars to support the educational enterprise is bound by the stipulations of the Family Educational Right to Privacy Act (FERPA). Because of FERPA instructors are not supposed to post final course grades on the door or wall outside their office (and they are definitely not supposed to use social security number in part or full as a student identifier). Nor should instructors hand back paper assignments by leaving them in a file outside their office that students can go through and see the grades of classmates. And indeed, according to our campus interpretation, while student enrollment on campus is directory information and can be checked in the online electronic directory (though students can suppress this information if they so desire) student enrollment in a particular class is part of the student record and therefore subject to FERPA.
The implication of that last observation is that putting student work on a public Web site with attribution to the author(s) (would we want to put up student work that doesn’t carry such attribution?) is inconsistent with FERPA unless the students have given their prior release to do just that. And it is a bit of a trick to have a mechanism that is non-coercive in securing that release (after all, it is the instructor who gives out the course grade). At a minimum, the instructor would have to allow a way for the student to get credit for doing the work without it appearing on the public site.
Yesterday, I read the Educause piece by Steven Downes about blogging for educational purposes. It is a good article and covers the teaching issues nicely. And maybe in Canada there is no analog to FERPA; I don’t know. But although the piece was balanced in talking about where student blogs don’t work along with other cases where blogs really engage the students, I am nevertheless troubled that one of the enticements of using blogging in this way is that it potentially can engage outsiders who have an interest in what the students write about and then create a broader community that includes both the outsiders and the students. May the Force be with you but do remember there is a Dark Side and it is insidious.
Since I wear both an administrator hat and a teacher hat and go back and forth between the two, I’m sometimes not sure about where my views come from. So while this may be administrator rationalization, let me give my teaching argument for using discussion boards inside the course management system for diary posting (and then only using that if it is a type of writing that makes sense for the course) and not use blogging open to the rest of the world for instruction. Students might then opt into blogging as an alternative, “Professor, would you mind if I wrote in my blog rather than in your discussion board? Here is the url for it.” But that would not be the prescription. It would only be their option.
Pedagogically the key, especially early on in the course, is to get the students to open up. Doing so is always personally risky. In the context of teacher-student the obvious risk is that the student will “act dumb” and consequently the teacher will not hold the student in high regard. Certainly, it is necessary to get past that to have meaningful class discussion. But that is not the only risk. Occasionally, members of the class will say something that is of a personal nature and do so in the context of the class discussion. It is necessary that they have the freedom to do so. After all, we as teachers are encouraging the students to make personal connections to the subject matter so they can better internalize the material the class covers. (Recall yesterday’s discussion about encouraging students to see alternative perspectives on an issue.)
It seems to me that the default should be, “what is said in the classroom stays in the classroom,” and I for one envision the classroom as a hermetically sealed, safe environment that encourages openness among class members. The CMS structure, which some have criticized because it doesn’t sufficiently promote notions of connection and a broader sense of community, does match this idea of a hermetically sealed space quite nicely.
There is one other important point to consider. Downes makes clear the blogging (but really any diary-like writing) is as much about reading as it is about writing. There have to be issues to write about. Those issues have to seem important to the student and the student has to feel there is something to say about them. So apart from a sense of openness, the instructor must convey a sense of relevance. That may be harder to do and it very well may be that that the student writing is dull for some time, because that goal has not been achieved. In that sense the instructor goal is to have students make the leap and see the relevance and if that happens the instructor will have to a large extent succeeded in the teaching.
Consider the time before the leap has occurred. Ask whether the students are aware that they are not connecting to the material, that their writing is dull, that they feel like they are only going through the motions. Now ask whether during that phase if the work should be made available for public view. This is similar to asking whether one should showcase first drafts of work or only more polished final versions. There is a good argument to be made that earlier work should be held more closely. It is not ready for public view. By putting the work out for consideration too early that can create harm, perhaps to the extent that the polished more mature work never gets produced.