On Privacy at School

Wired published an article of advice for students about how to resist surveillance by their schools.

The advice it gives is valid as far as it goes, but it falls far short of what students need to know to resist all the threats.

The article poses the question:

How is student data secured?

This question invites confusion. If someone claims to keep data about you “secure,” what does that mean? Secure from whom? The school's computers are unlikely to keep anyone secure from snooping EdTech companies that operate with the school's cooperation.

“Using your own personal device” usually means using a snoop-phone. It may protect you from snooping by the school and by EdTech companies, provided you never use it to visit a site that has anything to do with the school or an EdTech company and never do unencrypted communication [1]. But the device was made by a computer company—usually Apple or Google—that also made the operating system in it. That system always contains nonfree software that snoops on you plenty. Most apps for that snoop-phone are nonfree, and they snoop for various companies, often behind the back of the organization that commissioned development of the app itself. Encryption features or apps, if they are part of that nonfree operating system or nonfree themselves, are likely to snoop on users too.

The only way to protect yourself against this is to reject nonfree programs (programs that are not free/libre) in your device. (Alas, iPhones entirely prohibit free software.) And even then, the hardware may have a back door, such as Microsoft's Pluton chip or the Intel Management Engine.

Connecting a phone or computer to USB, even “for charging,” makes it vulnerable. Some security conferences, with the purpose of educating the public about security issues, have installed a place full of USB sockets which were set up also to snoop on any computer (including a snoop-phone) plugged in there. The participants saw a USB jack and thought, “This is where we should charge our devices,” and assumed it was safe to use. When the conference organizers revealed the snooping, they taught these users a lesson about security.

Privacy is not only for children and teenagers. We need to demand privacy for adults, too. This means that schools, stores, clinics, transportation companies, and other organizations people deal with must not demand you tell them who you are unless that is directly necessary, and must not otherwise try to find out.

[1] To be secure for you, encryption has to be done with a free program that you have installed into your computer. If a nonfree program running in your computer does the encryption, including JavaScript sent to the browser by an online “service,” or if it is done in the online “service” server itself, it is not secure.

To learn more: