Dusseldorf. Teachers can distribute homework, students prepare lectures together, parents chat with the teaching staff: The school cloud of the Hasso Plattner Institute (HPI) offers schools a platform for digital learning, with strong data protection, as the initiators always emphasize. However, this image has suffered. In mid-May, the ARD magazine “Contrasts” reported on data protection problems that gave external people access to the names of students.
According to their own statements, the HPI developers resolved the problems within a few hours. The institution does not want to leave it at that: the development of new functions is currently suspended in order to strengthen security, says director Christoph Meinel. There are also talks with individual federal states about external reviews, known in technical jargon as audits. “Security and data protection have been a high priority for the school cloud from the start of the project and we are now further strengthening them,” says Meinel.
The HPI started developing the platform in 2016, funded by the Federal Ministry of Education and Research (BMBF). So far, Thuringia, Brandenburg and Lower Saxony have opted for nationwide use. Due to the corona crisis, the Ministry of Education has opened the system to all schools that cannot use a comparable offer within the state or the school authority. 3000 have registered since then.
In the midst of this rush, two problems emerged. One allowed external parties to create unauthorized user accounts and read user names. However, an intruder only got a list with the names of 103 students, Meinel emphasized. In addition, certain information could be read from the ticket system, which is used in IT projects to report problems. According to the HPI, this gap had already been closed before the notice.
The criticism was nevertheless fierce. “It rains data from the school cloud,” wrote, for example, the “Frankfurter Allgemeine Zeitung”. Meinel is annoyed by the presentation in the media; he considers it partially misleading. The incident is unfortunate, but the damage is minor, especially when compared to other hacker attacks. Around the same time, for example, hackers captured the data of nine million users, including email addresses and credit card details, from Easyjet.
One thing is clear: the school cloud is now under special observation. Lower Saxony temporarily stopped the introduction of the system because of the incidents. Meinel therefore promises significant improvements. “With the countries that use the school cloud, we are considering how we can ensure the best possible security and trust in the course of further development,” says the HPI director. “In any case, we are doing our best.”
The conclusion: “If you develop something new, something can go wrong.” It is part of the open source principle to disclose the source code and invite others to participate and improve. Tips from outside are even necessary for this. The criticism does not come out of the blue: “I always focus on data protection – that’s why I have now got the shame,” said Meinel.