Learning software hack bolsters the case for digital sovereignty

Just when you thought the end of term could not get more stressful, you log into your familiar course management software, only to encounter a ransomware notice. 

That unpleasant scenario played out for staff and students at thousands of post-secondary institutions — including several in Canada — in early May, when the widely used Canvas learning management system was infiltrated by hackers. The online service is developed and managed by the U.S.-based company Instructure, which first reported trouble on May 1. After the company initially assured its clientele the problem had been resolved, the ransomware notice turned up the following week. Finally, on May 11, the company indicated it had reached a deal with the hackers, and said that the cyber-thieves had destroyed all the data — including names, student IDs, and email addresses — they’d stolen. 

By now, most Canvas users will be back to dealing just with the usual challenges of the season, as this powerful software platform helps them handle a wide range of essential tasks, including delivering course content, storing grades, and providing communication between students and professors. And while the hack could recede in most people’s memories like an annoying power outage, Matt Hatfield wants it to serve as a reminder of the choices we make with the technology dominating our day-to-day lives. 

“While a hack could happen to any vendor in any country, moments like this reveal how much Canada is ceding of meaningful sovereignty and digital autonomy by so many of our critical systems being operated by closed platforms outside the country,” he says. 

Hatfield is the executive director of OpenMedia, a Vancouver-based non-profit organization weighing the economic, political and social threats to the internet in Canada. It has previously mounted public awareness campaigns around topics like the privacy implications of legislation such as Bill C-22, but it has most recently taken up the call to promote digital sovereignty.

U.S. corporations entrusted with decision-making 

The term “digital sovereignty” has become widely used in discussion about how Canada will build major data centres or implement AI, but Mr. Hatfield stresses the technologies threatening our sovereignty are not just the ones coming, but many that are already here, like the learning management systems implemented by universities over the past 20 years. Nor is he convinced by Instructure’s simplified account of the hack’s resolution, which points to a need to regard sovereignty as more than just installing hardware. 

“Simply storing data on Canadian servers, as the thinnest type of sovereignty recommends, would not have changed the reality of the meaningful decisions that led to this security failure and management of the resulting crisis being made by a U.S. entity without real say from any Canadian school or authority,” he argues. 

For his part, Instructure CEO Steve Daly subsequently offered a public apology for his company’s initial reticence to inform users about the hack, suggesting he and others wanted to determine all the facts before speaking publicly. 

“That instinct isn’t wrong, but we got the balance wrong,” he stated in a message on Instructure’s website. “We focused on fact-finding and went quiet when you needed consistent updates. You’ve been clear about that, and it’s fair feedback. We will change that moving forward.”

Non-commercial alternatives exist 

At the University of British Columbia — one of at least seven Canadian universities affected by the cyberattack — the Learning Technology Innovation Centre directed instructors to consider preparing course materials with an open-system platform called Moodle.

“Open source” refers to software whose underlying code is freely available, in contrast to commercial products like the Microsoft or Apple operating systems, which remain almost entirely inaccessible to anyone outside of those firms. Even the most technically skilled users are therefore restricted in the kinds of changes they can impose on such proprietary software, while anyone with sufficient expertise can re-write open software to suit their particular purpose. On the other hand, commercial systems are much easier for less skilled users to work with, while open systems generally demand greater knowledge of computer programming. 

As with any open system alternative, Moodle calls for more work on the part of its users, who are bound to find Canvas far more convenient. That difference is reflected in statistics assembled by the learning management system industry’s EdTech Newsletter, which last year put Canvas as being adopted by some 50 per cent of the market, while Moodle claims just nine per cent.

Nevertheless, that minority option resonates with Jake Hirsch-Allen, director of partnerships with the Dais, a public policy think tank at Toronto Metropolitan University (TMU). TMU did not experience any hacking difficulties, since it employs the learning management tool Brightspace, provided by the Canadian firm Desire2Learn (D2L). While he has no complaint with that choice, he insists the effort required with open systems options will yield advantages when it comes to digital sovereignty.

“They make us think differently, they make us think harder,” he says. “And, even more importantly with regard to sovereignty, they allow us to control who owns our data, who is informing the values behind our algorithms. And in the age of generative AI, which is built into the vast majority of these learning management systems, that is incredibly important.”