Remote learning security concerns as strangers enter online classrooms
Uninvited and threatening people joined online Google Classroom sessions with Victorian school students on at least three separate occasions last year, amid privacy concerns from parents and schools.
Victorian Department of Education documents obtained under freedom of information laws revealed the incidents, including one in which a teacher was forced to shut down a lesson after an abusive stranger entered an online classroom and attempted to engage in what was described as concerning sexual behaviour.
The incidents were reported to police, who told The Citizen their investigations were continuing.
“Police can confirm that Brimbank sexual offence and child abuse investigation team detectives received a report that an unknown teenager made inappropriate comments towards a teacher and indecently exposed themselves in an online forum classroom in April last year,” a police spokesperson said.
An inappropriate email was also sent to a student distribution list from an external Gmail account.
The breaches came amid complaints from parents and schools over online privacy and security relating to the use of Google applications and almost a year after the department was warned of risks to student emails.
The Google education suite, which includes Google Classroom, is a set of popular online learning tools used by public and private schools in Victoria to assist with remote learning.
In May 2019 the eSafety Commissioner wrote to education ministers and department secretaries with concerns that children’s email addresses may be easy to guess, increasing the likelihood “of a person who presents a risk to a child using their school email address to initiate contact with them”.
In March 2020, before COVID-19 took hold and remote learning began, data rights activist Asher Wolf made an official complaint to the Office of the Victorian Information Commissioner regarding the department’s use of a single Google directory listing thousands of teacher and student names and email addresses.
Ms Wolf said the directory contained 278,233 email addresses and inappropriately disclosed her child’s personal information. She said the department’s slow response to her complaint meant children were at risk for an extended period.
“Somebody needs to be held to account in the Department of Education,” Ms Wolf said.
A number of parents and schools raised concerns during the year about Google Classroom, freedom of information documents show.
One parent called the directory a “privacy and security nightmare”, containing “everyone’s full names, photos, if available, and a direct mechanism to contact that student”.
One school said it was concerned teachers’ emails were visible, writing: “Already we have a parent emailing a teacher directly.”
Cyber safety expert Susan McLean said most parents accepted the use of digital platforms without understanding the risk. “Parents need to question the use of a lot of these apps and platforms and ask these types of questions,” she said.
Kylie Auld, the department’s director of knowledge, privacy and records, told the Office of the Victorian Information Commissioner the directory was originally created for cross-school collaboration but the department was moving to a school-specific directory model, to be completed by the end of June last year.
The promised transition did not occur until April this year. The single directory still exists, but can now be seen only by teachers.
Google said its education platform used counter-abuse measures such as 10-character meeting codes and gave teachers control over whether external participants could join video meetings.
Following the incidents in April and August, the Education Department immediately took steps to address the issues, a spokeswoman said.
“This has involved extensive work with the technology vendor, which is still ongoing,” she said.
“In the interim, the department has disabled the G Suite directory for students so that students can no longer search and find other users within the G Suite directory.”
In a response to the Office of the Victorian Information Commissioner, Ms Auld said email addresses were created for students to allow them to access apps used for classwork, but the ability to send or receive emails was disabled by default. The system was also configured to block emails sent to or from individuals outside the department’s directory.
However, the freedom of information documents show an external email was able to reach a student distribution list in April last year.
This story is co-published with The Age.