Mo’ Tech Mo’ Problems
Oct 25, 2018
District 219’s recent effort to enroll Chromebooks may not drastically improve student safety. Even though it will block unsafe websites, it will also open up a security vulnerability for student information that didn’t exist before.
This change poses a fundamental problem: all of our traffic gets funneled through District 219 servers. To fully understand the issue with this, we first turn to how modern encryption works. Each transmitter of information has two keys: a private key, and a public key. The public key is visible to anyone who wishes to communicate, while the private key is kept secret by each communicator. The reason for this is that information encrypted using a user’s public key can only be decrypted using that user’s private key (it would many lifetimes using modern methods to break this encryption). So, given that the district is partially decrypting student internet traffic, they must have access to our private keys. This isn’t a reason for huge alarm, however, since these keys are changed frequently on devices.
Cyber attackers think in terms of effort and reward. By attacking one student’s Chromebook through an attack on the user operating system, the reward is minimal. After all, what could one high school student have that’s of value or interest to a thief? However, if an attacker infiltrates the District 219 servers, where all of our internet traffic is funneled, there they could access a digital gold mine: encrypted information for thousands of students, and the tools — private keys — to decrypt it.
Chances for this happening are, in reality, very low. Cyber attackers with the sophistication to break through firewalls and slip through unnoticed aren’t focused on a high school’s internet traffic. But what concerns me is the possibility of something I couldn’t prevent. When students have un-enrolled Chromebooks, their information is generally too low value to care about, and the most likely way that their information can get stolen is through a virus on their Chromebook. However, Chrome OS is so barebones that getting a virus is nearly impossible. The only real threat would be dangerous extensions, but once you delete them all of their data and access to your data is gone as well. So this creates a vulnerability in the system, takes away student privacy, and blocks sites that students either 1) wouldn’t access at school, or 2) will continue to access using secondary devices or mobile hotspots.
I respect that the changes are the result of trying to catch up to standards of local school districts. Looking back, in my opinion, the changes aren’t very effective. They limit internet access to websites students otherwise wouldn’t need, and add a vulnerability to all the student Chromebooks that wouldn’t exist otherwise. If it were up to me, I’d stay with what used to work for years and go back to less regulated devices, allowing for CIPA (Children’s Internet Protection Act) fulfillment to come from the restrictions on school WIFI rather than school devices.