We are reminded almost daily – whether by the gossip magazine we idly browse at the newsagent, morning television, or the casual chat with colleagues – our habitual use of social media has reached dizzying heights. Facebook alone has 1.4 billion daily active users around the world. But in the face of increasingly data-hungry governments and corporations, can we trust social media sites to keep our private information safe?

What is Cambridge Analytica?

If you’ve watched the news at any point over the past few weeks, you’ll know two things: that certain Australian cricketers been very naughty boys, and that Mark Zuckerburg and his fellow Facebook executives may also have been very naughty boys. Zuckerburg has been accused of failing to prevent a massive privacy breach by analytics and marketing firm, Cambridge Analytica (CA). Facebook announced that up to 87 million users have been affected by the scandal, including more than 300,000 Australians whose private data may have been used without their knowledge or permission.

CA shot to worldwide infamy as the campaigning powerhouse behind Donald Trump’s successful election as President in 2016, and later, the Brexit campaign. Since the news broke that CA harvested the data of 50 million Facebook users to target US voters, commentators have been debating the ethicality of its modelling techniques.

The modelling technique used by CA builds what are referred to as ‘psychometric’ profiles. This is a form of very intensive profiling that CA uses to personalise and better target political messaging. Long gone are the days of Myers-Briggs tests and targeted surveys – IBM now has a tool that can infer your personality from Tweets and emails!

While psychometric profiling is pretty common practice, this is the first instance where it has attracted such widespread attention – largely because some claim that it directly influenced two of the most historic votes of the century so far.

Where does Facebook come in?

The trail of breadcrumbs back to Facebook starts with a psychology professor, Aleksandr Kogan, from the University of Cambridge. Kogan created a personality testing app, and Facebook gave him permission to collect participant’s Facebook data, including information on their friends who had not participated in the test. Kogan allegedly sold that data to CA, who subsequently used it in their campaigns, despite this being a breach of Facebook’s rules.

The loophole in Facebook’s Application Programming Interface (API) that allowed Kogan to access the data of the friends of those who used his app has since been closed. But Zuckerberg is still facing questions about Facebook’s conduct. Should Facebook be more transparent with users about how their information is being used? Does Facebook have obligation to keep tabs on how third parties are using our data?

In Facebook we trust?

Unfortunately, using Facebook involves a trade-off between privacy and continuing to use the platform for free.

Facebook’s entire business model is built on selling its user data to other companies so that they can better target their adverts. That’s why you’re seeing the ad for that clothing site you were just browsing and the gym you just googled.

In the aftermath of the scandal, critics have been calling for more regulation of social media platforms, or at the very least, giving users more control over what information Facebook can sell to advertisers.

Zuckerburg will testify before Congress in the coming weeks, a critical first step on the road towards transparency.

Facebook also unveiled a new privacy policy last week that goes some way towards appeasing critics. The policy aims to explain to users what data it gathers but does not change what data the company collects or how it continues to use that data.

Facebook will, however, remove the option to find people using their phone or email address, disallow apps from accessing user data if that person has not used the app for three months, and restrict the information about users’ events that apps are party to.

A need for regulation?

The recent scandal is just the tip of the privacy iceberg and has uncovered an issue that is much bigger than Zuckerberg or even Facebook itself. Chances are, this will not be the last major privacy breach by a corporate giant that we see in our lifetimes.

This week, Australia’s Privacy Commissioner has launched a formal investigation into Facebook to determine whether the Cambridge Analytica scandal has breached the Australian Privacy Act. Under the Notifiable Data Breaches scheme, the Privacy Commissioner, Angelene Falk, has the power to issue fines of up to $2.1 million to organisations that fail to comply with the Act.

Perhaps part of the problem is the lack of regulation, and discrepancies in regulation, when it comes to the usage of private data and social media platforms around the world. From May this year, the European Union will implement the General Data Protection Regulation (GDPR), which addresses the export of personal data outside the EU. The GDPR will not only ensure consistency in data regulation across the EU but will also aim to give citizens and residents more control over their personal data. It may be time that Australia looks into the development of similar legislation.

In the meantime, as social media plays an increasingly integral, and largely unregulated, role in our day-to-day lives, it is up to users of these platforms to start demanding more accountability, transparency and responsible use of our data.

Lead image via Thought Catalog.

The University of Melbourne is reportedly monitoring student movements around campus using mobile Wi-Fi networks, while the University of Sydney apparently matches their student online activities with demographic data to forecast which students may be predisposed to dropping out.

The idea is to assist universities in more accurately predicting a student’s study habits, boost engagement, anticipate susceptibility to failing or withdrawing from subjects and facilitate early intervention.

One of the major issues with the way learning analytics are currently being used in Australia is that students are likely not being informed about this data collection agenda nor providing meaningful consent.

Learning analytics an unreliable predictor of overall student performance

The increasing use of learning analytics among Australian tertiary institutions raises a number of possibly serious ethical, privacy and discrimination concerns.

The University of Sydney is trialling programs that combine first year student demographics from enrolment details with information about engagement during the first 6-weeks of the semester (with online materials, discussions and resources), checking how often a student logs into e-learning systems, submits assessments and attends lectures to determine if the student is at high risk of failing or dropping a course. Students identified as high risk, are contacted by phone by the university and offered additional support.

But aren’t students already under enough pressure to perform in compulsory exams and assessments without the added stress of knowing universities are tracking their every movement around campus, assessing backgrounds and monitoring engagement with online learning and group discussions?

**For the record, some of the most successful graduates have been known to spend most of their undergraduate degrees at the Uni Pub having animated discussions about current affairs rather than spending 8-hours per day in the library.

Those students who are identified as at risk or who appear to be ‘disengaged’ really don’t need the extra burden of having every move on campus watched. This type of ‘surveillance’ could well be a tipping point for many students, even those who are not thinking of dropping out.

Additionally, does learning analytics factor in the kaleidoscopic range of student lifestyles, commitments, personalities and varying study or learning styles?

Unlike high school, university students are adults and capable of self-directed learning. Most students have a range of responsibilities that extend beyond the realm of campus life and which have no bearing on their capacity to complete a degree. For example:

• What if you work in an office job and physically cannot attend lectures but are still able to catch up on recorded materials, readings and complete the required assessments at night?

• What if you are a single mum who puts in enough hours to pass each unit but cannot commit to attending every tutorial or actively participating in online content or discussions?

• What if you are suffering from study burn out, and take a few weeks off to regroup, but have no intention of stopping your course of study?

• What if you are an international student with English as your second language and don’t feel comfortable regularly participating in online discussions but are still able to excel at assessments?

Under the learning analytics scheme, the behaviour of students who happen to not spend much time on campus or participate in online discussions may raise a number of red flags that trigger unnecessary or inappropriate university intervention.

For students already balancing a number of competing life priorities (as most do), this additional expectation which requires students to be seen to be studying according to the university’s preconceived idea of a model student has the potential to cause harm. 

It’s a strategy that could result in a negative study experience for many students. Aside from the potential to undermine personal rights and cause damage to student morale and wellbeing, the continued use of learning analytics is likely to erode student confidence in higher education institutions.

Student privacy rights

Now, this whole justification for improved student retention probably sounds a bit odd or, more to the point, an invasion of privacy.

In the light of the recent Federal Court case Privacy Commissioner v Telstra Corporation Limited [2017], it would seem that if data collected in the learning analytics process is ‘about an individual’ then it is governed by Australia’s privacy laws.

The digital tracking process involved with learning analytics is certainly focused on monitoring the behaviour and performance of individual students (potentially including student IDs) with a view to ultimately identifying those individuals who may be predisposed to dropping out.

According to Australian privacy legislation, this means that universities should be obtaining the consent of every student before they collect and use individual student data.

What does the recent Privacy Commissioner v Telstra case mean?

The Privacy Act 1988 places limitations on the collection of personal information and provides everyone with a range of privacy rights, including the right to know about, and the ability to access, information that is being held about them.

‘Personal information’ is defined in the Privacy Act as:

information or an opinion (including information or an opinion forming part of a database), whether true or not, that is recorded in a material form or not, about an individual whose identity is apparent, or can be reasonably ascertained, from the information or opinion.”

This case focused on whether anonymous mobile network data, including phone network information such as the IP address, URLs visited on the account, cell tower locations during web use, and data on inbound calls was ‘about’ a person.

The Federal Court decided that the data Telstra holds about customers is only ‘about’ a person when it is linked to other data, which makes it possible to ascertain that person’s identity. As such, the data in question could not be considered ‘personal information’ for the purposes of this case.

While some analysts consider the outcome of the case to be a poor result, it seems clear that this appeal concerned only a narrow question of statutory interpretation which was whether the words ‘about an individual’ had any substantive operation. It was not concerned with when metadata would be considered to be about an individual.

So what does this mean for universities using learning analytics?

Linking students’ online activity to demographic data through learning analytics without permission surely leaves universities that employ learning analytics at risk of being found to breach the Privacy Act.

Such data seems to fall within the scope of ‘personal information’ when compared with the circumstances of the Privacy Commissioner v Telstra case above. Here your identity ‘is apparent and can be reasonably ascertained’ from the learning analytics process.

Unlike Privacy Commissioner v Telstra, in some instances, the data universities are collecting isn’t anonymous. Data linkage isn’t just a hypothetical here, it’s the whole rationale.

To me, this feels like an invasion of privacy masquerading as an altruistic concern for the ‘student experience’. Until we have a case that tests this hypothesis, we will just have to live with the uncomfortable feeling that we are being watched and are helpless to do anything about it.

That is, until, someone decides to make a complaint to their university or to the Privacy Commissioner.

What do you think? Is data collection on university students justifiable, or a clear invasion of privacy? Let us know in the comments!