Thank you, your payment will be 3 data points.

Photo by Charles Deluvio on Unsplash

In response to @bonstewart https://www.insidehighered.com/blogs/university-venus/why-higher-ed-needs-data-ethics

I struggle with the idea that any organization has the option of remaining within its respective fortress of IT systems and still remain relevant in the coming years. I absolutely appreciate the litany of egregious breaches of trust demonstrated in cases such as Clearview AI and Cambridge Analytica, and I empathize with the motivation to hide like a mugging victim who fears going outside after a traumatic event, but don’t we risk agoraphobia if we give into the fear?

I too wish all users understood “where there data is stored”, but I feel that would be both unrealistic and ultimately unhelpful. In order to truly comprehend state of the art data storage and management, the user would need to know about virtualization and real-time data warehousing , back-ups, off-site storage practices that allow for maximum uptime, redundancy, and reactive server capacity. This is a very technical point, but suffice it to say its not something that non IT professionals need to know about. The question is, if these critical decisions and functions are left to the IT Professionals, how can we know that they are being professional? What even is an IT Professional? Who governs them? What happens when they act unethically?

Since so much of EdTech is moving outside the direct control of the teacher and in some cases even outside the institution, the question should be more about the professionalism and ethics of the companies involved than a narrow focus on the data itself. Where data is actually stored is very difficult to determine from the outside and a heavily guarded proprietary secret to anyone without an explicit need to know. Even if the primary database servers are colocated with the web servers, the backup and off-site servers may not be in the same place. It is unlikely that these details will be made available and are susceptible to change invisibly in the background even if a point in time configuration can be nailed down.

It’s not overly difficult to do some simple sleuthing. If the service, say a Learning Management System (LMS) or Blog site is hosted as a web application and accessed by a web browser, a few easy commands may give you some breadcrumbs to follow to know at least who to talk to about the service you are using.

Using the blog from www.insidehighered.com as an example, enter the command whoiswhois insidehighered.com” and it some info. In this case it shows who registered the site and shows the name servers to be Cloudflare.

# whois.verisign-grs.com

Domain Name: INSIDEHIGHERED.COM
Registry Domain ID: 133656948_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://networksolutions.com
Updated Date: 2020-08-26T07:05:00Z
Creation Date: 2004-10-25T22:36:57Z
Registry Expiry Date: 2025-10-25T22:36:57Z
Registrar: Network Solutions, LLC
Registrar IANA ID: 2
Registrar Abuse Contact Email: abuse@web.com
Registrar Abuse Contact Phone: +1.8003337680
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: LIA.NS.CLOUDFLARE.COM
Name Server: LLOYD.NS.CLOUDFLARE.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2021-02-13T19:40:50Z <<<

Next, (this is using the built-in Terminal app in a mac) Enter the command “ping insidehighered.com” and it returns “64 bytes from 104.25.118.53: icmp_seq=0 ttl=56 time=45.260 ms“. This may not look like much, but it exposes an important bit of information in the IPv4 network address (104.25.118.53). This is a unique public address connected to a network. This is important because it is impossible to know where on Earth the Domain Name System (DNS) entry www.insidehighered.com is pointing to just by itself. If the IP address that returns is the same as your local network, then the IT System is likely hosted by your internal organization. If it points to a public address, like this, it could be many different possibilities of ownership.

So what next. Enter the command “whois 104.25.118.53” and it returns a bunch of info. This is a very quick way to try to track down who owns the infrastructure where the service is hosted. but most importantly this reveals that it is not your organization, but a commercial Internet Service Provider (ISP):

NetRange:       104.16.0.0 – 104.31.255.255
CIDR:           104.16.0.0/12
NetName:        CLOUDFLARENET (This can usually be used to figure out which company is the host)
NetHandle:      NET-104-16-0-0-1
Parent:         NET104 (NET-104-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS13335 (This is the Autonomous System number which identifies the Internet Service Provider associated with this service.

Organization:   Cloudflare, Inc. (CLOUD14)
RegDate:        2014-03-28
Updated:        2017-02-17
Comment:        All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
Ref:            https://rdap.arin.net/registry/ip/104.16.0.0

OrgName:        Cloudflare, Inc.
OrgId:          CLOUD14
Address:        101 Townsend Street
City:           San Francisco
StateProv:      CA
PostalCode:     94107
Country:        US
RegDate:        2010-07-09
Updated:        2021-01-11

This information can be crossed checked by going to the web browser and clicking on the Secure HTTP (HTTPS) lock icon in the corner of the address bar.

The Secure Socket Layer (SSL) certificate says (Valid) and indicates the end website is what is registered with the Certification Authority.

Click on the word “Certificate” and it pops up details. In this case the Certificate Authority is Cloudflare itself.

The Final tip to try is ICANN.com

A search on the ICANN site for “insidehighered.com” reveals the final component, which is who owns the software on the platform. It also confirms the link to Network Solutions.

Contact Information

Registrant:

  • Name: Inside Higher Ed Inc.
  • Organization: Inside Higher Ed Inc.
  • Email: insideihe@insidehighered.com
  • Tel: +1.2024486127
  • Fax: +1.2026599381
  • Mailing Address: 1015 18TH ST NW STE 1100, WASHINGTON, DC, 20036-5226, US

Technical:

  • Name: Network Solutions
  • Organization: Network Solutions
  • Email: customerservice@networksolutions.com
  • Tel: +1.8666557679
  • Mailing Address: 5335 Gate Pkwy, Jacksonville, FL, 32256, US

Administrative:

  • Name: Inside Higher Ed Inc.
  • Organization: Inside Higher Ed Inc.
  • Email: insideihe@insidehighered.com
  • Tel: +1.2024486127
  • Fax: +1.2026599381
  • Mailing Address: 1015 18TH ST NW STE 1100, WASHINGTON, DC, 20036-5226, US

Abuse:

  • Email: abuse@web.com
  • Tel: +1.8003337680

Once you have this information you can investigate the reputation of the organizations involved. This example used one fairly simple and straight forward application, but it demonstrates both the relative ease and complexity included in an IT risk assessment. This is really just the tip of the iceberg, but without getting into risk management and more complex IT checks, it provides a good start. Try this if you are interested in more aspects of the overall web security of your provider. Anything more is outside he scope of this article.

This type of due diligence should be standard practice when investigating IT solution vendors, but the question is WHO. Who is responsible for, and who has the authority to, complete an adequate system wide analysis and make decisions about it? I agree with the author that this approach must bring together experts in education, ethics, technology, and law in order to understand what is desired and what is possible, the question remains, who is responsible when something goes wrong and how can service level agreements with multinational companies be enforced to ensure protection of the end users?

Leave a Reply

Your email address will not be published. Required fields are marked *