By: Corbett Gildersleve, Opinions Editor
It’s been an interesting few weeks since SFU announced that there was a cyber-related incident affecting Canvas Cloud on May 5. An estimated 9,000, some during their exam period. ShinyHunters claimed they had information from 275 million accounts. Having all these university customers concentrated on Instructure’s software service makes it a juicy target for hacker groups like ShinyHunters. This is why Canadian universities need to work together to develop and host their own software solutions instead of relying on the same third-party companies.
On May 9, SFU alerted us that Instructure — the company that develops and runs Canvas — told them that the system breach included students’ names, ID numbers, email addresses, and messages sent on Canvas. SFU decided to restrict the use of Canvas Cloud for everyone on May 11 and gave instructors time to download their course materials. However, after Instructure made a deal with the hackers, ShinyHunters, which included them destroying the information they obtained, SFU changed course and reinstated Canvas Cloud access on May 19.
Universities in Canada are not under one Federal Privacy Act; instead, they follow provincial laws. These acts include BC’s Freedom of Information and Privacy Act (FIPPA) and Alberta’s Protection of Privacy Act (POPA). Private companies must follow the Personal Information Protection and Electronic Documents Act (PIPEDA) or a provincial equivalent like BC’s Personal Information Privacy Act (PIPA). So any company that universities contract services to, or whose software tools they use, should follow these laws. However, what if those companies exist outside of Canada? Instructure has offices in the US, England, and the Philippines. That’s three different legal jurisdictions that your data might be transferred to and stored in.
Upper Harbour maps software tools to their legal justification and whether they’re exposed to the US CLOUD Act. This act compels US-based companies, through a warrant or subpoena, to turn over data stored on servers regardless of their location. According to the mapping, Canvas is exposed to it, as are Slack, Zoom, Discord, Turnitin, and a whole host of other software that students regularly use. Additionally, Upper Harbour constructed a provincial data sovereignty exposure index by looking at each province’s privacy legislation and found that only Québec had strong laws, with BC and Alberta coming in next.
SFU should work with other Canadian post-secondary institutions to develop their own software and infrastructure solutions.
They can collaborate on the privacy requirements they all need to follow, and share the knowledge, skills, and costs through their different IT and web departments. Larger institutions like the University of Toronto could lead the project, as they have more resources than smaller colleges and universities. They have servers, networks, and other existing infrastructure that just need to be connected for this purpose.
Our private information should only be accessible to organizations that aren’t exposed to other countries’ privacy laws, as we don’t elect their lawmakers and can’t hold them accountable. It wouldn’t be useful for every university to have its own individual Canvas-like software or email system, as that would waste a lot of money by more or less creating multiple email or course delivery systems. Cyber security is challenging, but 109 Canadian universities would be a smaller target compared with the 9,000-ish currently affected, and our personal data wouldn’t be automatically shared with the US government through a warrant or subpoena.

