‘Privacy is not yet anchored into the UU’s mind’

The man speaking is Artan Jacquet, officer for data protection at Utrecht University. In no uncertain terms, he commented on DUB’s article about the discussion in the University council about Zoom, proctoring, and privacy, posted in late April. Zoom is used in education to teach large groups of students, and proctoring is an instrument for surveillance during exams.

Jacquet wrote that the rector’s arguments to keep using Zoom and proctoring feel like the arguments of a drunk driver to him. “Yes, it was a harsh reaction,” he says when DUB talks to him in early May. “But what I meant to say was that years ago, some drivers thought it was nonsense that they weren’t allowed to drink and drive. They could still drive well even after drinking a few glasses of alcohol. And they only did it when there was no other option, others did the same, they’d never had an accident, etcetera. Now, everyone thinks it’s completely normal that if you drink and drive, you’re punishable by law. The General Data Protection Regulation (GDPR) has been in place for four years now, so you should be able to assume that everyone has accepted the law, and is adhering to it?”

Utrecht University appointed Jacquet in May 2018 as its ‘privacy watchdog’. That’s when the General Data Protection Regulation, after two years of ‘getting used to it’, became enforceable. In his position as data protection officer, Jacquet has to ensure that the university adheres to privacy laws. To that end, he advises the university board, both on request and unsolicited. It’s with a heavy heart that he sees that privacy just doesn’t seem to be anchored into the board’s minds yet. “They’re not thinking about privacy enough yet. It could help that when policies are being created, the question of ‘and what about personal data protection’ is present on the checklist by default.”

Important steps have been skipped

Jacquet realises that there are situations at the university in which privacy isn’t as important because a greater good is at stake, for instance regarding Zoom or proctoring. “But if you feel like privacy has to yield, then you need to provide a good argument and substantiation. That’s what I’m missing in the discussion surrounding proctoring and Zoom. The constitutional right to privacy is not absolute. It’s not a zero-sum game; it’s not either privacy or proctoring. You have to look at what’s the most doable option. There are good procedures for this, and you can follow these procedures at an increased pace.”

Other universities are doing exactly that, he says. “If privacy does have to yield at times, at least in those cases you’ve thoroughly considered this, and you can explain the arguments for doing so. In the case of Zoom and proctoring at this university however, it seems that’s not being carefully done. They’re programmes that were trial run at a small scale, and then were suddenly used UU-wide when all education had to be moved online. Some important steps were skipped in this process, despite the fact that we did know great risks and deficiencies – from other universities, for example. For the time being, therefore, I’ve advised negatively regarding the use of these programmes.”

Zoom has countless leaks

He can be succinct in his assessment of Zoom. “That programme was already as leaky as a sieve. Together with the other privacy officers at other universities, we spent a few weeks exchanging daily messages in our Signal group about new, proven privacy issues. I think it’s a bad thing that we’re not banning the use of this programme at the UU. Teams is a good alternative, and if it’s used well, it also offers the necessary privacy. For any functionality that might be lacking, there are other practical solutions for nearly everything. The argument that switching would increase teachers’ workloads might be true, but isn’t immediately decisive. Switching to other software always takes a while to get used to, but Zoom and Teams are very similar, so it can’t be that insurmountable of an obstacle.”

Proctoring is a little more complicated. For this tool, Jacquet can imagine the university ultimately choosing the programme despite the privacy issues it presents. “But then the university does have to have studied whether there are any alternatives to this programme, and it hasn’t yet. That means the university is in violation of the rules.”

The purpose of a tool has to be clear

Contrary to popular thought, the question is almost never whether something’s allowed under the GDPR, Jacquet says, but instead, how you can use something so it is in fact allowed under the GDPR. In short, since the introduction of the GDPR, you have to show why a certain programme is being used. That takes a step-by-step plan. “First, it has to be clear what the purpose of a certain tool is. Then, you have to look at whether the tool does what you’re using it for, and whether that goal can be achieved by using a different tool. Then, you check whether it protects users’ privacy. You have to assess the software, but also, for instance, make arrangements with the provider about what should and should not be done with the data.”

Such procedures also have to be embedded into the policy. “For proctoring, that means, among other things, that you have a good decision tree for under which conditions you use it. And you have to provide clear instructions to ensure everyone can use it correctly and safely. You inform all relevant parties about all this, clearly and concisely, so they understand the how and the why, and what data of theirs we use. And only if you have a clear overview of this entire field, you can give a proper answer to the question of whether or not to do this.”

The UU is risking a large fine

Jacquet says the Executive Board’s arguments in themselves make sense. “Not wanting to increase teachers’ workloads, and preventing study delays, are good reasons for wanting to utilise a tool like proctoring. But by blatantly dismissing privacy concerns on the other side, and not substantiating the decisions with the required carefulness, the board is unnecessarily penalising the involved parties, and with it, risking a large fine. The regulatory authority – The Dutch Data Protection Authority (AP) – comes to check, you have to have this file in order, and if not, the AP can theoretically issue a fine of 4 percent of your revenue. In the UU’s case, that would mean millions of euros. That’s how important we as a society feel privacy is these days.”

A proper exam doesn’t necessarily have to be a test of knowledge that needs proctoring

Moreover, Jacquet isn’t convinced proctoring is necessary, even in a time in which all education and exams have to be done online. “The goal Utrecht University has is to use good education and proper exams to finally deliver reliable degrees. A proper exam doesn’t necessarily have to be a test of knowledge that you need to use proctoring for. But say you want to use a knowledge test – you have to know that students aren’t able to cheat. In a test conducted by another Dutch university, hired students managed to commit fraud in all kinds of ways without being noticed by the programme the UU wants to use. In that case, the tool doesn’t do what you want it to do. You would buy a minimal level of certainty about fraud with a lot of collateral privacy damage – those things are not in balance with each other.”

Jacquet says the university is indeed studying in which way personal data is in danger. “But what to think of remote access to your desktop, looking into your browser history, incoming chat messages… Some programmes even monitor your exact mouse and eye movements. But also: being obligated to show your entire living room via webcam, including possibly controversial books in your bookcase, the cross above your door, the political or naughty poster on the wall, or that rebel flag. And if you have to identify yourself as a student, they see your entire ID card. Is a call to censor your social security number sufficient in that case? How do you do that anyway, and shouldn’t you perhaps also censor your place of birth and the document number?”

I often have to tell people about which things aren’t being done correctly

Jacquet’s position exists to ensure the university follows privacy regulations. He does this by testing, on request or unsolicited, whether the university’s policies adhere to privacy regulations. It’s meant to prevent the UU from breaking the law. He reports back to the AP, but his salary is paid by the university. His work isn’t always fun, he says. “I often have to tell people about which things aren’t being done correctly. And they often respond with things like ‘oh come on, is that GDPR really that strict’, or ‘aren’t the steps we’ve already taken just good enough, like a 6 out of 10’, but unfortunately, even that barely passing grade is often not the case at the UU. There’s usually still a lot of work to be done. Proctoring is only one example of that.”