In a perfect world, workplaces would provide adequate equipment and training for employees to do their jobs safely. During this global pandemic, however, we are ‘making do’ with what we have. Teachers who haven’t received school-issued laptops are using their personal devices to provide online education to their students while schools are closed.
Because teachers are using their personal devices to access school-required software, schools and technology companies are getting unfettered access to teachers’ personal data. In the Little Rock School District (LRSD,) for example, teachers are required to use a service called ClassLink when they log in for work.
Data Collection and Online Impersonation
ClassLink automatically installs a browser extension called OneClick. Once it is installed, the OneClick extension has permission to “read and change” absolutely everything LRSD teachers do online, at all times, even when they are not logged into school-related websites.
Yes, this includes financial institutions. This browser extension can collect teachers’ bank login credentials, and it can initiate bogus transaction requests on “their” behalf. Essentially, as a very smart and experienced hacker friend of mine explained it to me, adding the OneClick extension gives ClassLink permission to “look like you and act like you” on the web.
Someone with administrative privileges could even impersonate a teacher and send violent or pornographic content to students, getting the teacher fired and arrested for something she never actually did.
These are unsafe conditions for both teachers* and students. Does LRSD’s insurance policy protect the district from liability when data breaches hurt people?
How can teachers protect themselves?
Even if ClassLink never abuses its power, it’s still collecting all the LRSD teachers’ data. Once a company owns your internet data, it’s not a question of “whether” that data will fall into malicious hands. It’s a question of when.
For protection, my tech-savvy friends and I recommend:
- Use two different browsers. One browser (say, Firefox) will be for everything except work. The other browser (say, Chrome) will be just for work. Install the ClassLink OneClick extension only on your work browser.
- Even better, set up a virtual machine for teaching, so that work data stays in a “sandbox,” away from personal data.
Good luck, and stay safe!
*If you’re an LRSD teacher who wants to find out exactly what data is being gathered, you could try Wireshark. I can’t do it for you, because that’s the sort of thing that gets activists arrested. However, don’t get your hopes up. The OneClick extension is probably encrypting your data as it’s being collected, so you’re unlikely to get a useful answer.
Thank you Elizabeth for exposing this. This is also what is really happening with the governor’s restructuring. Arkansas is the wild, wild west with tech. companies mining data and usurping everything from its citizens.