Should I Trust The Cloud?

https://www.flickr.com/photos/dherholz/450303689/

I received an email recently from a colleague asking about data sovereignty, and in particular asking about how schools deal with the  need to store all personal data on Australian servers to be compliant with the law. This was my reply…

When deciding whether to do a thing – any thing – you need to assess the relative risk. There is NOTHING that can have it’s risk mitigated to zero. So while we can have debates about the security of the cloud, the fact is that ANY service is generally only as safe as the password that protects it. It’s far simpler to socially engineer your way into a system than to hack it, and it’s easier to follow someone through an open doorway before the door shuts than to crack the lock. There are security risks involved with every system.

What makes you think that data saved on a server that happens to be geographically located on Australian soil is any safer than data on a server located on the other side of some imaginary geographical dividing line? What policies make Australian servers impervious to security issues?  What is it about Australian passwords that are safer than non-Australian passwords?

It’s interesting that whenever I hear the security argument from someone, I ask them whether they use 2-factor authentication on their online accounts. The answer is almost invariably never. I find it hard to take someone seriously when they bleat about security and yet do nothing to secure their own stuff using the safest and simplest technology we have available; 2 factor authentication.

I also find it amusing that these same people who bang on about not trusting the cloud, also almost always have a bank account. When I ask them where their money is stored, they say “in the bank”. When I ask where is it actually stored, they have no idea. They don’t know where their money – or the digital records that define the concept of money – is actually stored. They never stop to consider than when they go to an ATM and withdraw $50, it’s not the same $50 note that they actually put into the bank. There is no magical shoebox under the bank’s bed that stores their actual money… it’s all just computer records, kept on a server, somewhere, and I guarantee that they have no idea where that somewhere is.

That’s why the debate about whether we should be allowing our data to be stored offshore is such a laughable concept. It shows a real lack of understanding about the way the Internet actually works.

The truth is, it doesn’t matter WHERE your data is stored. What matters is WHO is storing it, and whether you trust them with it. I’d rather trust my data to major cloud provider offshore who offer privacy policies that I trust, along with strongly encrypted and sharded data storage techniques, virtual and physical security over their datacentres, and a proven track record of doing the cloud right, than to some minor player in the cloud storage space just because they happen to have servers in Australia.

I’m also not a lawyer.  However, I’ve done enough research into the Australian data sovereignty laws to feel satisfied that I’m interpreting them the right way. And contrary to all the Fear, Uncertainty and Doubt being spread around regarding these laws, they do NOT say that cloud services cannot be used unless the servers are in Australia. What they say is that the cloud service USER – that’s you – needs to feel satisfied that the cloud service PROVIDER is offering a service that meets your expectations of safety, security, privacy and redundancy.  If you do your due diligence, and come to the conclusion that you’re satisfied with your cloud service provider is giving you a level of service you can trust, then you are free to use it and in turn offer it to your users. If you don’t believe they are offering this level of service, then don’t use them. It’s as simple as that.

Your choice will never be able to come with a 100% guarantee. Nothing does. But if you do your research carefully and make your choices well, the chances are as good as they will ever be that you have made the right decision. The cloud offers amazing possibilities, and I’m completely convinced it IS the future of computing. I’m all in on the cloud as the platform.

To me, there is really only one obvious choice in picking a cloud provider. You want someone whose entire infrastructure is built for the cloud, whose entire business model is built on doing it right, managing data with security and integrity and maintaining the trust of their users. I’m not mentioning names because I’m sure you can make your own decisions about who you trust and how well they do this cloud thing.

What I don’t want to do is to place my data with a cloud provider who is still playing catchup, whose cloud infrastructure run on legacy platforms that were never built for the cloud, and whose business practices in slagging their competition I find completely distasteful.

I don’t care where their servers are located.

Header image by Dave Herholz – CC BY-SA

Not Opinions. Facts.

We all see the world through our own personal lens. Consequently, we all form our own opinions about the world and depending on the sorts of experiences you’ve had in the past, your view of the world and how it works can easily be coloured by those experiences.  Sometimes, we form opinions about things based on experiences that are limited or incomplete or biased one way or the other, and the interesting thing is that we still believe those opinions are correct, even when they can be completely wrong.

There’s a lot to be said for real expertise. One of my favourite examples of pitting a narrow opinion against broad expertise is from the movie Cool Runnings.  In one scene, the team coach Irving Blitzer (played by John Candy) is having an exchange with Sanka Coffie (played by Doug E Doug), where they are arguing about who should be the driver of the bobsled. Sanka is a Jamaican pushcart champion and sees himself as the obvious choice. But Jamaica is a small island and Irv has a slightly bigger perspective about it…

Sanka: I’m the driver.

Irv: You’re not. You’re the brakeman.

Sanka: You don’t understand, I am Sanka Coffie, I am the best pushcart driver in all of Jamaica! I must drive! Do you dig where I’m coming from?

Irv: Yeah, I dig where you’re coming from.

Sanka: Good.

Irv: Now dig where I’m coming from. I’m coming from two gold medals. I’m coming from nine world records in both the two- and four-man events. I’m coming from ten years of intense competition with the best athletes in the world.

Sanka: That’s a hell of a place to be coming from!

It happens in education too. There are a lot of people who have all sorts of opinions about what it takes to keep kids safe online. There are still many schools around the world who block, filter and prohibit access to parts of the web on the basis that it’s not safe for children to have access. Other schools take a very liberal approach to the web. Both these viewpoints are based on their own unique understandings and perceptions. If we could just step back a bit, and be a bit more objective, we’d realise that many of our beliefs about the world are rooted in fairly limited experiences, and yet we allow those beliefs to dictate many of the things we do. We think we are the best pushcart driver in all of Jamaica.

When I was in New Zealand last year for ULearn, I was seated at dinner next to a guy called Brett Lee. Brett had given a spotlight talk at the conference about cybersafety and online bullying. While I’ve heard many people talk about this topic in the past (and have even talked to students myself about it), what made Brett’s viewpoint different was the place he was coming from. Unlike most of the “experts” I’d heard talk about this topic, Brett had been a police officer in the Queensland Police Force for 22 years, 16 of those as a Detective predominantly in the field of Child Exploitation. In his last five years of service, he was a specialist in the field of undercover internet child exploitation investigations, and spend his days masquerading as underage children online.  One day he’d play the part of a 12 year old girl, the next a 15 year old boy, the next a 10 year old girl, and so on. For five years he’d go into chatrooms and hang out in all the places that young kids go online, and some of the stories he was telling were pretty chilling. Over the course of those five years, he was personally involved in the arrest of numerous child abusers and pedophiles.

To quote Sanka Coffie, “that’s a hell of a place to be coming from!

Since leaving the Police Force, Brett started his own company called INESS and goes around to schools all over Australia sharing his perspective with students.  He recently presented to our Year 9 and 10 students at PLC Sydney and the feedback from both students and staff was incredibly positive.

Now I think I know a fair bit about the Internet, and I have my own opinions on many aspects of it, but when it comes to this side of the Net there is nothing in my own personal experience that comes even remotely close to this sort of expertise. I daresay there’s not much in your personal experience that does either. While there are many Internet safety “experts” out there, few have this unique perspective that Brett is able to bring to the conversation.

What I like about his message is that it’s not about scare tactics and prohibition. Sure, there are some pretty chilling stories, but the underlying message is that the Internet is a wonderful place, with lots of incredible opportunities, but there are risks that can be managed with a bit of common sense and a few simple steps. It’s not a message of fear and scaremongering, but about understanding the risks and assuming some responsibility for your own online safety. When he spoke to our kids he used a number of examples that related directly to our students (it’s amazing just what you can find on Facebook when you look), which made it all the more powerful.

I hear people ask all the time for recommendations on someone to talk to their students about cybersafety and cyberbullying (both terms I don’t much like, by the way). I’d suggest you take a look at Brett’s website and see if maybe his message is what your kids need to hear.  I suspect that most students would get a great deal out of what he has to say.

Here’s a video clip of Brett from the Edtalks series that gets recorded each year at ULearn.

Public Visibility

I have an RSS feed set up that automatically scans the Google news feeds for the phrase “PLC Sydney” or “Presbyterian Ladies College“, so anytime either of those phrases appear in a news publication worldwide I get notified of it.  (Which, if you want to monitor your school’s online public image, is a useful thing to set up by the way!)  While I do get the occasional mention of other Presbyterian Ladies Colleges such as the ones in Melbourne or Perth, and occasionally the abbreviation PLC Sydney turns up some non-related stuff, having the RSS feeds scanning the news for mentions of your school is handy.

Recently, I spotted this article in one of the local papers.  It was a project that I didn’t even even realise was taking place in the school so I was surprised when I spotted it.  (I also like the idea that some of our teachers are now doing interesting projects that use ICT and they don’t need me to make it happen!  Yay! The good kind of redundant!)

What I find amusing is that the newspaper has published the name of the school and the full names of the students, along with a photo… three pieces of information that the cybersafety experts will all tell you should not be made available online.  I suspect that if one of our teachers got their students to do an in-class online project that published their full name, school and photo, they would get a stern talking to.  However, there is still a belief that, because it was published “in the paper” (which also happens to be online) then it’s ok.

We do, in fact, have a “Do Not Publish” list of students, which is derived from a form that all parents fill out at the start of their enrolment at school.  On this form they give advance permission – or not – for their child’s photo and name to be used in school publications.  We keep a record that covers both print and online separately, and before any child’s details can be published we check the Do Not Publish list.  In reality, out of a school of 1300 kids K-12, we have maybe less than 10 whose parents have elected for them to remain unpublishable.

Personally, I think that the benefits of getting some press for the students, either online or in a more traditional format, is enormous. Sporting achievements, success in interschool competitions, musical events, academic successes, etc… these things are all worthy of celebrating and telling the world about. The boost that these kids get to their self esteem, their reputation and their public visibility is a positive thing and these sorts of publications can start to form the basis of their longer term footprint, digital or otherwise.  While we have to respect the wishes of parents who choose not to allow their children to be published (and sometimes those wishes are based on valid reasons and sometimes it’s just paranoia and fear) the kids who do get published “in the paper” really love seeing themselves there.

In a world where being “in the paper” also means being online, this opens a real can of worms. We tell the kids one thing as we drill cybersafety into them – don’t give away details like your name or school – yet we gladly celebrate them being published online in other more traditional forums using all of these very same details.  It’s an interesting double standard.  The local paper is published to the open web with no passwords, no restrictions, yet we baulk at getting kids to publish the same information about themselves to other formats that are equally as open and public.

Thank goodness that all those fears about online safety are so blown out of proportion or this might actually be a real problem.

PS: By the way, if you haven’t seen it, the students’ final work is online at http://plcvasproject.blogspot.com and is worth seeing.  I’m sure they’d love a comment or two if you get a chance.

Photo embedded from the Inner West Courier

Data lives Forever

It’s sometimes difficult getting kids to understand the full implications of something as seemingly harmless as putting their photo online. They often don’t realise that, just like The 500 Hats of Bartholomew Cubbins, once something goes online it is near impossible to remove it. This video makes a pretty good point of showing the effect of this behaviour…

[kml_flashembed movie="http://www.youtube.com/v/iwBz-hxjSLU" width="425" height="350" wmode="transparent" /]

It’s something that both children and adults need to understand well. This is a post-Google world we live in. It’s no longer unusual that an employer Googles the name of a potential hire to check their reputation and see what they have done (or equally, not done). When you go out with a new person, it’s likely that your date has Googled you, MySpaced you or FaceBooked you to get a little bit of “background” on the sort of person you are. In a digital world you leave a trail behind you, often whether you mean to or not. Forum posts, blog posts, (and the comments you make to them), online projects you’ve taken part in, occasions your name has been mentioned in various online and printed publications, photos… if it ends up online, it’s probably there and it’s probably searchable. And you’d be amazed at how you can take lots of little pieces of data to form a fairly thorough picture of someone’s activities and reputation.

This can work in your favour too of course. As I was applying for jobs recently, I was actually hoping that potential employers would Google me as there is, fortunately for me, lots of positive stuff online – lots of technology projects and events I’ve taken part in which I imagine would have been relevant and supportive to the positions I was applying for. But the point is that had there been lots of negative stuff, there would have been virtually nothing I could have done about it. Try it with your own name and see what you get… wrap your name in quote marks to get Google to search it as a single entity, and of course it helps if your name is a little bit unusual as you will probably get more relevant results.

Get your kids to try this too. I recently encouraged my students to do a vanity search on their own name and while for many it turned up nothing, others were shocked at just how easy it was for their past to be dug up. There is probably not much you can do about ending up in the Google database (or any database for that matter), and in lots of cases it could even be a positive thing, but the lesson is to be aware and be careful of what you put online about yourself.

Do this exercise with your students. It’s a lesson worth learning early because if they learn it later it may be too late.

Wrapped in Cotton Wool

As a parent, it’s a fine line we walk sometimes in knowing where the boundaries are for your kids. We want to protect them from danger and shield them from hurt. At the same time, we need to allow them to experience the world and learn to interact with it in meaningful ways. This paradox of safety versus experience is a tricky balance to get right, but I’m convinced that we are probably the most overprotective generation of parents in history. A recent post here listed a number of tongue-in-cheek example of how much we seem to overreact to things that would have been much less of a drama a few years ago. How many of you went out playing all day when you were a kid, and the only rule was to be home by dark? No “Call me when you get there to let me know you arrived ok”… just “Bye dear, have fun playing!”

This video from the TED Talks series, called “5 Dangerous Things you should let your Children do” makes a similar observation that maybe we need to just lighten up a bit on our kids. Take a look…


In our schools I find we are developing the same, if not worse, overprotective behaviours. My last school insisted on having staff members walking the children across the road after school (it’s a high school!) – I found this laughable… we have them in class all day teaching them to be mature and independent thinkers and then we won’t let them cross a street without assistance. Our excursion (field trip) program became impossibly hard to work with over the past few years due to all the excessive safety regulations and the need to “guarantee” a safe environment outside the school. You can never get a total guarantee that a situation will be 100% safe – of course you want it to be as safe as possible – but when you start to compromise the creation of situations and environments in which to learn because there may be a small risk involved… I don’t know, that just seems silly to me. Life has sharp edges. Deal with it.

No one wants to see children get hurt, that’s for certain. Regardless of whether your role is that of teacher or parent, I’m sure we all want to see our children stay safe. My own daughter was bitten on the face by a dog a few years ago and the feeling of sheer panic and distress I felt as a parent as I looked down as the blood streaming out of the huge gash torn in her cheek was an indescribable anguish. But would I say to her to now stay away from all dogs? No way. She loves dogs. She’s fallen off a bike and skinned her leg a few times, but that doesn’t mean she should never ride a bike again. In the process of living, sometimes you’ll get a bit knocked around. That, quite literally, is life.

Kids – just like adults – need to occasionally go through some of the painful parts of life if they are to experience the wonder of what it means to live.