Looking over your shoulder: Lecturers were able to see what students opened in Brightspace – and the students had no idea
For over a year, lecturers at AU have been able to access data about students’ activity on Brightspace – unbeknownst to the students themselves. A lecturer and his students challenged AU about tracking on the learning platform, and the university has deactivated it – until further notice.
Midas Nouwens is an assistant professor at AU and an expert on digital rights and data protection. And as he was preparing for his class on the datafication of society one day, he saw something on Brightspace, AU’s learning platform, that made his eyes widen. Nouwens had been clicking his way around the platform, familiarizing himself with its functions, when he stumbled over functions that could tell him when students signed in to Brightspace, what they clicked, what they read, and what they downloaded.
As an expert on data security and data rights, Nouwens realized that this was a perfect case to use in his class. And when he presented it to his students, they were surprised, to say the least:
“I showed it to my students, and they were pretty surprised and shocked by it,” Nouwens said. “I encouraged them to investigate it, because I didn’t think it was in line with the GDPR. But it was only after I brought this up again in the 2022 fall semester in my data studies course that one of the students took the initiative to contact the university’s data protection officer.”
That student was Victor Nørgaard, a fourth-semester information studies student.
Nørgaard said: “That was one of the first things Midas presented to us, and and I almost couldn’t believe my ears. But it was really cool that he showed us, because those functions could actually be used to his advantage. They’re available to the lecturers, and we didn’t know anything about it. But he said right up front that he wasn’t going to use it. And that kind of set the tone for the course we were about to have, with a critical approach to data and surveillance.”
Nørgaard was outraged and annoyed, he remembered, because it had never occurred to him that the university would collect that kind of information about his movements online:
“I guess I had a kind of naive belief that there would be progressive forces and minds at a university like AU to prevent this kind of thing happening here,” he said.
“Now I’m in the information studies programme myself, where there’s a critical approach to tracking and data, but I I guess I had a kind of naive belief that there would be progressive forces and minds at a university like AU to prevent this kind of thing happening here. I believed it was more or less self-evident that the programme selected as our teaching platform wouldn’t be tracking us and wouldn’t be giving the lecturers these kinds of details.”
Student: It’s never fun to be tracked
On behalf of all of the students taking the data studies course, Victor Nørgaard wrote to Søren Broberg Nielsen, AU’s data protection officer at the end of September last year to express the students’ concerns about AU’s use of their data in Brightspace. The document he sent to Nielsen was based on a draft Nouwens had written based on in-class discussions of the issue that students had revised and expanded.
The students’ concerns centered on the risk that their lecturers could take the data about them into account when assessing their performance.
In the document, they stressed questions about the legal basis of the data processing involved, in addition to why it was taking place and for whose benefit.
Nørgaard explained that the students were particularly offended by the fact that they hadn’t been informed about what data their lecturers could see. He has a hard time seeing the good arguments in favor of lecturers needing to know what their students have read something on Brightspace and when:
“It’s never fun to be tracked like that,” he said. “And particularly not when it’s a question of how you learn and participate in a course. After all, it seems to me that the university has been saying from day one that there are different learning styles. Some read things several times, other fewer. So it made me kind of uncomfortable that they could see our activity down to the second, for how long we spent on the different modules, how long we looked at a text and how many times we downloaded it.”
FACTS:
Brightspace
Brightspace is AU’s Learning Management System (LMS), which is the students’ portal for course curricula, assignments and other course materials as well as for communicating with their lecturers. It’s an essential tool for both students and lecturers.
AU switched to Brightspace in the fall of 2021. Prior to that, AU had a different LMS called Blackboard. However, the first students started exploring Blackboard back in the spring of 2021, when AU tested the platform.
Brightspace is supplied by a Canadian developer.
Source: AU
Nørgaard said: “Maybe there are good intentions there somewhere, but I don’t think that justifies such extensive tracking of the students. After all, lecturers can talk to their students. Or in any case, lecturers should let students know that they can see this information, and then decide what to do from there. But that’s not something we’ve ever been asked for our input on.”
The students suddenly started to feel that they had an opportunity to change things if they took action.
“There was a collective feeling that we could actually put a stop to this.”
“There was a collective feeling that we could actually put a stop to this,” he said. Precisely because there were such good arguments against it. That there was no information about the fact that this tracking was taking place anywhere is a red flag in itself. So we had this shared sense that if we asked some critical questions, we could get the university to pay attention. And that turned out to bear fruit, at least to some extent.”
CED switch off tracking
Lecturers can no longer track what students do in Brightspace: these functions have been switched off. This is a result of the students’ complaint to AU’s data protection officer Søren Broberg Nielsen, who handled it as a request for information and forwarded it to CED, the university’s teaching development centre, which as Brightspace system owner is obligated to respond to the students’ request. Nielsen then went on to draft a nine-page memo on the case, and CED is currently in the process of revising these functions in Brightspace; in the meantime, they have been deactivated.
Nielsen’s memo contains comments from the system owner CED, which justifies the tracking of student activity on Brightspace because it’s necessary to ensure “optimal pedagogic use and technical operation of Brightspace”.
In the memo, Nielsen notes that CED had blocked lecturers’ access to tracking data about students, and questioned whether “all of the personal data collected is necessary in order to achieve the purposes for which the data is processed”. He also refers to the data minimisation principle, according to which data owners must limit their data collection to what is necessary, and asks that CED reconsider whether “the collection of sign-in information and sign-in history is strictly necessary”.
Nielsen acknowledges that it is currently up to CED to assess what they have the right to use the data.
As he put it: “Yes, and that’s always how it will be. CED – i.e. AU – is the system owner, and that means it’s their responsibility to ensure that personal data is processed in accordance with the law. That’s what I point out in my memo by saying: I question whether it’s necessary to collect all of this personal data to achieve the lawful data processing purposes. And I think you should reconsider whether it’s strictly necessary to collect sign-in information and sign-in history in order to carry out evaluations and quality assurance. But I’m not in a position to say whether it’s illegal. I don’t have that authority – that’s up to the Danish Data Protection Agency.”
The data minimisation principle
As Nouwens explained to me, the function that allows lecturers to track student activity was also available on Blackboard, AU’s previous learning platform. But lecturers had to actively switch on the function to use it on Blackboard. On Brightspace, which AU launched in the fall of 2021, it’s switched on by default.
Nouwens believes that tracking student activity is at odds with the principle of data minimization:
“It’s not for the benefit of the lecturers, because as a lecturer, I’ve never asked for it,” he said.
“I disagree with the CED’s arguments. They say they’re collecting this information in order to allow lecturers to evaluate their teaching and so on. But it’s not for the benefit of the lecturers, because as a lecturer, I’ve never asked for it. I believe it ought to be deactivated by default. Subsequently it might – potentially – benefit me as a lecturer to use it, but if it’s there for my sake, I should be the one who controls it. It’s as if there’s an assumption that all data is good and measures something relevant, but I don’t think that’s self-evident.”
CED: We should have looked at all the functions from the beginning
Division Manager Anders Hyldig from CED acknowledges that the centre should have reviewed all of the system's functions before Brightspace was launched in 2021:
“If we’d done it completely by the book, in theory we should have sat down and said: Now we have a new LMS - Learning Management System - we have to look at each function and assess whether we should turn it on or off,” he said. “That would have been optimal. And we didn’t do that, unfortunately, because we continued the practice we had from Blackboard.”
At the same time, he stressed, no final conclusions have been reached. CED views the functions in Brightspace as pedagogical tools that lecturers can use to evaluate whether there is “dynamism and progress in the course”. For example, the data might prompt a lecturer to make changes in a course if it reveals that few students are reading or downloading course materials from Brightspace.
CED deactivated these functions in Brightspace out of an abundance of caution after the students drew AU’s attention to their concerns about the relevance of such data.
Anders Hyldig said: “The need to protect students’ data weighs more heavily here. That’s why we’ve switched it off, until we have a solid rationale for considering turning these functions on again.
We’ve switched off some of the functions that are potentially problematic – which we don’t yet know for certain – out of an abundance of caution.
Now we’re in the process of investigating whether they hit the mark in terms of GPDR, and whether there’s a sufficient pedagogical purpose. If both of these things are in place, then there’s a good reason to turn them on again. We’re trying to balance the pedagogical utility of it against data minimization considerations. This is a longer process, so we’ve switched off some of the functions that are potentially problematic – which we don’t yet know for certain – out of an abundance of caution.”
But to take one example, the lecturer could see when students signed in to Brightspace – in what way does that serve a pedagogical purpose?
"The login activity is more in relation to being able to run safe operations and Brightspace support on our part,” Hyldig replied. It was turned on by default for the lecturers as well, who were able to see when students signed in, and of course, we’ve switched that off as well. And this is probably one of the functions that we’ll keep switched off, because there’s probably not an adequate pedagogical argument in favor of lecturers being able to access it, as things look right now.”
CED is engaging with the Brightspace supplier to explore the possibility of allowing lecturers to track student activity if they feel it’s necessary, rather than automatically giving all lecturers this information as before.
Hyldig believes that CED will reach a conclusion about the revision of the functions within a few months.
CED: We have to be clearer about what data we collect
One lesson Hyldig has learned from this case is that AU must do a better job of informing students about what data the university collects about them in Brightspace:
“I’ve learned that our privacy policy for the system needs to be clearer,” Hyldig said. “That will be the main product of this whole process – that we make it clear to the students what data we are collecting and why. That will create transparency, and as I see it, transparency will also give students a sense of security.”
AU student Victor Nørgaard sees it as a step forward that CED is addressing the problem:
“I think it’s a good idea to remove as much as possible,” Nørgaard said. “But I’m still concerned about what would have happened if no one had said anything. If our lecturer hadn’t mentioned it, I might have gone through my entire academic career not knowing that AU was collecting this data about me. So, yes, it’s fine that they’re starting to remove the things they think can be removed, but may they shouldn’t have been there in the first place.”
If AU just starts doing a better job of informing students about what information is being collected, it will make a big difference, he thinks.
“If they’d just provided that information from the beginning, we would have known about it, and it would have seemed a little less shady than we we had to find out about it from a lecturer. So I really do hope they’ll be more transparent about what’s being tracked in future. On the other hand, I’m afraid of what it might mean for how people use Brightspace. I think some people might change their behaviour if they know their lecturer can see what they do. Maybe you click a bit more, or download texts more times, precisely because you don’t want to stick out.”
FACTS:
Privacy policy for Brightspace
In 2019, AU drafted a privacy policy for the university's learning platform, which was Blackboard at the time. This policy has since been transferred to Brightspace and can be found on the CED website.
After the students contacted AU’s data protection officer, CED added a link to the policy at the bottom of the Brightspace landing page and on AU Studypedia.
The privacy policy states, among other things, that, on behalf of AU, Brightspace collects and processes data on sign-in information, traffic and location data and learning activity, for example quiz responses and activation of learning content.
Source: CED
Lecturer: A good example of how to handle it
Midas Nouwens, the lecturer who started the whole process, is also pleased with how things have turned out: his case for his students has led to real changes:
“I feel it’s important for me to say that this has been handed well,” he said. “Someone lodged a complaint, someone looked at it and dealt with the case, and hopefully things are better now.
So all in all, I think it’s cook that the functions were switched off, and if they ever come back, they should be something lecturers switch on – they shouldn’t be switched on automatically. And students should be informed about it.”
This process is a good example of how cases involving data security and data rights should be handled, he believes:
“Data studies is about understanding what data are collected, what they mean, and what they’re used for. So this was the perfect opportunity to discuss this with my students. If I told them that Facebook is tracking them, they’d all say ‘Yes, we know. And?’ This was relatable, and I could show them the process: We use the existing legislation, talk to the authorities, see what happens, and then we get something back.