Browsing Twitter this morning I came across a Tweet by well-known IT security guru Troy Hunt regarding passwords and schoolchildren, and immediately jumped to reply but realised I had a lot more to say about it than could adequately be compressed into a Tweet. So, here is my new blog, set up entirely so I could share my thoughts about this Tweet.
Having read this Tweet, the original quoted Tweet and all of the comments in replies to both I realised something – most of the people commenting didn’t appear to have any experience of working with children, nor experience of IT in the context of children. Many people replying simply jumped to the conclusion that advising children to share a single password across platforms was negligence by the school, bad practice or a missed teaching moment. Others talked about SSO and password managers/vaults as if they would resolve the issue. I would suggest that all of these people have missed a few key issues at play here.
How schools in the UK deal with IT
I have now been working in IT in schools in the UK for 14 years. I have worked as the network manager of a single Middle School, the Network Manager at a foundation school consisting of 4 distinct schools on one site (primary, secondary, special school, and an exclusion unit), and now I work as the IT Manager for a multi-academy trust with 4 first schools, 2 middle schools, 2 nurseries and 2 pre-schools. So, I’ve had experience of providing IT for children across the full spectrum of EYFS to KS4. I have not worked in KS5, so will not be commenting on that age group.
In each of these schools, I have had a single consistent experience regarding staffing and funding. The levels of staffing are low, and the funding is minimal. At the same time, the IT provision is expected to be equivalent to any modern enterprise network. Throw in the salaries being lower than in the private sector generally and you end up where we are today – with schools struggling to keep up with the IT demands of the 21st century.
Now, I am not placing blame on schools for this situation specifically, no, but it goes some way to explain how schools can send out information that doesn’t follow the best security practices of the day. To put it bluntly, teachers don’t have time to figure this stuff out. Schools don’t have the funds to have enough staff or technology to make sure things like this don’t happen.
IT staffing in schools is often seen as a necessary evil; a group of staff using up valuable resources whilst not directly affecting teaching and learning. Some schools deal with this by eliminating it altogether and outsourcing to one of the many managed service providers in the UK, or by using their Local Education Authority to provide that support. Others have a minimal staff of IT support to keep everything going. A cursory search on Edugeek will throw up loads of threads discussing staffing levels. As an example, my current employer has a team of 2 at present, covering 8 physical sites, around 1700 children and around 400 staff. We have roughly 600 Chromebooks in use, 300 iPads, and 500 Windows PCs across the sites. So, dear reader, I hope you can see how something like the initial Tweet can come about.
One sign on to rule them all
Historically, education software and web services have been fairly poor in thinking about how they’ll actually be used. Tales of nightmare installation procedures, labyrinthine set up and maintenance processes, and confusing synchronisation tools will be common if you have a chance to talk to any education IT professional. However, with the introduction of cloud computing, all this should be behind us now shouldn’t it? We can now use SSO to handle everything? Not quite.
Many services now support SSO in one form or another. A great step forward. However, this is still not universal. Many such sites still refuse to implement this technology – some through lack of knowledge (a significant number of online education resources were created by teachers, who don’t have any IT knowledge beyond what they taught themselves to create those resources), some through misplaced fears, and some through misunderstanding of how SSO works.
One service I have recently set up to use SSO is Adobe’s Creative Cloud. Great, you’d think, they’re a huge company, they must know what they’re doing? Well… Not quite. Whilst we can have SSO enabled via Google G Suite, there are limitations. Firstly, it adds a shortcut icon titled “Adobe” to the Google menu with the generic “new app” icon G Suite uses. Clicking this leads to an error message as Adobe don’t support this icon yet. And secondly, whilst the tool synchronises users across, there is no way to automatically assign licenses to them. This has to be done entirely manually. So, SSO yes, an improved management process, no…
Take that experience with Adobe and expand it across the many thousands of education services in use today. Schools are in for a fun time setting everything up. Remember that many such services don’t accept SSO at all still. It isn’t so simple is it?
I’ve seen some people suggest that IT staff should reject purchases of sites and services that don’t properly support SSO. An idealistic view to say the least. Some of the most popular tools for teaching and learning are the worst for their technological capabilities. How can we in IT turn around to a teacher and say “you can’t have this excellent teaching tool because it would mean children have to have another account”. Headteachers would never support such an approach.
One password to bind them
Another of the suggestions was to introduce password managers or vaults for children to use. Not a bad idea you’d think. Except it isn’t as simple as just saying “use a password manager” and training the children to use them. You have to remember that school devices are restricted – children can’t install their own extensions or software for various reasons (that’s a topic for another post I feel). So, we would have to pre-select a password manager for them to use.
OK, so we go and look at what tools are available and we hit an immediate speed bump – data protection. Storing those passwords in a third party system would be a high risk activity in any Data Protection Impact Assessment as required by GDPR regs. So, we have to treat it as such. Throw in the recent ruling regarding the EU-US Privacy Shield being invalid, and therefore transfers of information out of the UK & EU being illegal, and you have a problem. Most of these services are US based. OK, we’ve found one that is in the EU, which takes us to the next issue. Management.
If we install software for children to use, we ultimately need a central mechanism to manage it. Children forget passwords – that’s kind of what kicked this entire thing off in the first place – so we need to be able to reset them for them, we also need access from a safeguarding standpoint (schools have a list of very specific things we must comply with in regards to child safeguarding) – we can’t go giving them access to a service without having a way in ourselves. As far as I can tell, to get that capability, it costs money in one way or another. Either by the school having to pay for the service, or by running our own server (which costs in either cloud hosting fees, or in physical kit). For this I would direct you back to my earlier comment about budget – schools have to prioritise their funding, especially at the moment. Paying what is quite a lot of money for something that can be resolved by what is seen as a compromise solution will simply not be accepted by school leadership. A password manager for children or half a dozen Chromebooks for disadvantaged children. That’s the sort of balancing act at play here.
After all that is said, most in the Tweet thread ignore the rather large issue that not all children are old enough to understand any of this. Sure, you can teach them to sign in with the Google button or Microsoft button. Sure, you can teach them the importance of not sharing passwords. But if they’re 7? They still need access to all these services, but in my experience, some of them don’t even reliably know how to spell their own name yet. It takes them 4 tries to log in because they are still developing their fine motor control and keyboards are tough to use at that age.
A perfect mess
Finally, remember also what year this is. We’re in the middle of a worldwide pandemic. Schools are struggling with staffing issues due to rising infections. They’re rolling out technologies they’ve not used before at lightning speed to try and ensure your children are educated as best as possible, whilst not being given any more funding or time. In fact, the UK government have just made it illegal for schools not to be immediately capable of providing remote learning to anyone having to isolate at home.
So, yes, sometimes, the most sensible option is to ask children to use the same password across multiple websites. It isn’t ideal. It isn’t what schools always teach. It isn’t best practice, but sometimes you have to do what’s best to get the most children to access their remote learning tools.