CAISE Notes – Issue #12

This week: that Canvas hack; should schools use student photos; Instagram turns off end-to-end encryption. And a US school project that looks quite a bit like CAISE…!


🔍 This week I’ve been thinking about…

I took a short course recently. The materials were hosted on a system called Canvas. This means that my name and email address are almost certainly in whatever ShinyHunters walked off with as part of the not one, but two hacks they carried out against Canvas’ parent company, Instructure, that have made news this week. I’m thrilled about that. As are the other millions of users, I’m sure.

I was part of a research team a couple of years ago that studied the harms ransomware causes to organisations, funded by the UK’s NCSC. So, on some level, I know that ShinyHunters are after Instructure, not individual students. What was taken — names, email addresses, messages between students and teachers — is phishing material. It’s still a bit disquieting. I’ll be keeping an eye out for weird emails; if you’re linked to education in any way, you probably should too.

If you’re reading this as a parent, or even as a teacher or student, know that your school has zero ability to get Canvas running again by itself. The target was Instructure. But that doesn’t matter, really: endless social media posts of locked screens with ransom notes on them show that the users suffer too, in very tangible ways.

This is the thread running through all three of this week’s stories: questions around the way children’s data is stored and (potentially) abused.


📰 Three things worth your attention

1. ‘The Biggest Student Data Privacy Disaster in History’: Canvas Hack Shows the Danger of Centralized EdTech — 404 Media

Note: this is one of any number of articles on this. I have picked this one as an interview, rather than just reporting, given the evolving nature of the story.

On Thursday, millions of students across thousands of universities and schools were locked out of Canvas — the learning management platform used by over 8,000 institutions globally. ShinyHunters had hacked Instructure, Canvas’s parent company, and claimed to have stolen data from 275 million people: names, email addresses, student IDs, and the messages students exchange with teachers about absences, medical conditions, disability accommodations, and more serious things.

This specific article is a brief interview with Ian Linkletter, a digital librarian who has spent 20 years in edtech. He describes it as the biggest student data privacy disaster in history. His explanation for why it could happen at this scale: the move from self-hosted, institution-controlled systems to centralised US tech companies roughly a decade ago put everything in one place, held by one company, in a way that was not strictly necessary.

The breach also creates an immediate phishing risk. Canvas messages contain exactly the material — a student’s name, the thread of a prior conversation — that makes a fraudulent follow-up email convincing. If you’re worried about this for your own child, I wrote a post on Substack about talking to kids about phishing.

2. UK schools should remove pupils’ online photos as AI blackmail threat grows, say experts — The Guardian

Criminals used AI to manipulate photographs from an unnamed UK secondary school’s website into child sexual abuse material, then sent the images to the school with a demand for money. The Internet Watch Foundation identified 150 of the resulting images as CSAM under UK law. The school was not the only known target.

The guidance that followed — from an advisory body including the NSPCC, the NCA, and the IWF — advised schools to consider removing face-on photographs of pupils from their websites entirely. They should ask whether a milestone can be celebrated without showing a child’s face. They should audit their images regularly. They should avoid publishing names alongside photographs.

This raises an interesting question: how do you make a school website appealing or engaging without pictures of children on it?

3. Instagram privacy tech is turned off today — what does this mean for your DMs? — BBC News

Instagram direct messages are no longer end-to-end encrypted (E2EE), as of 8 May. Meta had pledged E2EE on Instagram in 2019, completed the rollout on Facebook Messenger in 2023, and then abandoned it on Instagram via a terms-and-conditions update in March.

The NSPCC welcomed the reversal: E2EE makes it harder to detect grooming and abuse in private messages. Big Brother Watch condemned it: E2EE is one of the main ways children keep their data safe online. Meta gave the reason that too few users had opted in to E2EE. Commentators noted that opt-in predictably produces low uptake, and that there is a concern that this is a way into monetising this data. Meta has already begun collecting employee activity for AI training.

Instagram says direct messages are not used to train AI. The company declined to comment further.


🔁 ICYMI

Philly middle schoolers are examining AI — and questioning its impact on their lives — Chalkbeat

Middle school students at Marian Anderson Neighborhood Academy in Philadelphia last week presented their AI research to parents, teachers, and state and local officials. This was research into how governments use AI, its environmental costs, its role in creative fields, and whether it might be an economic bubble. They presented their findings and what they felt about them.

Views covered the impact on learning that the students had noted — both positive and negative — and the fact that it is impossible not to use AI because of its integration into search engines. The students also commented that they felt like they knew more than the adults in their lives.

This model — where the entire school community comes together to listen to the children’s experiences and thoughts — is fundamental to CAISE’s research model. It’s really exciting to see examples like this working well elsewhere!


🔬 What’s new with CAISE

Camera-ready versions of an IDC work in progress and workshop position paper were submitted; lots of planning for the social media consultation research (which will be happening over the next couple of weeks) is underway!


→ What are you seeing in your school, your research, or your own use of AI this week?

Let me know, or share this with someone who is trying to figure it out.
