Canvas is open source, but its cloud services ransomware attack really hurts

It's "the biggest student data privacy disaster in history" - even though the core platform is open source.

Link: 'The Biggest Student Data Privacy Disaster in History': Canvas Hack Shows the Danger of Centralized EdTech, by Jason Koebler at 404 Media

I started in edtech. When I graduated with my Computer Science degree, I returned to the university to work at the Media and Learning Technology Service. There, I discovered that all the edtech software at the time was so bad — the learners hated it, the teachers hated it, the administrators hated it, and I have to assume the people who made it also had a deep-seated contempt for it — that it actively made learning worse. Worse, these platforms were charging institutions huge amounts of money for the privilege.

Because I was an avid blogger at that time and knew that people were learning from each other on the web all the time, I built a prototype social network for learning and tried to give it to them. They told me they didn’t want it (in a way that was much ruder than that). So I quit my job and ended up releasing it under an open source license so it wouldn’t be centralized and hold institutions hostage. That act of hubris set up the entirety of the rest of my career.

Which brings me to this article:

“Thursday afternoon, millions of students at thousands of universities and K-12 schools were locked out of Canvas, a piece of catch-all education technology software that has become the de facto core of many classes. ShinyHunters, a ransomware group, hacked Canvas’s parent company and apparently stole ‘billions’ of messages and accessed more than 275 million individuals’ data, according to the hacking group. The group also locked students out of Canvas.”

Ian Linkletter — a librarian who has been an active and, in my opinion, unceasingly correct edtech critic — is quoted as calling this “the biggest student data privacy disaster in history”. It need not have been the case; Canvas is theoretically open source. But you can’t make money with open source alone, and self-hosting is not something most institutions want to undertake. Canvas is a huge codebase with real quirks that is non-trivial to self-host, and the maintenance and infrastructure costs are real.

It’s also not clear that self-hosted infrastructure would be more resilient: a university could be subject to a ransomware attack with very little recourse. At the same time, the centralized nature of Canvas’s core offering means every institution that uses it, including over half of all US higher education institutions, was in a hard place right in the middle of final exam season. Access is coming back, but at the time of writing, it hasn’t been fully restored. It’s a hard lesson about the dangers of putting everything in the cloud.