An article by Laszlo Molnarfi S5HUA. To the best of my knowledge, all written statements in my article are true, and thus they cannot be considered defamation. All my work falls within the European spectrum of free speech.
Did you ever stop to think about how your school treats your digital privacy? It is almost always overlooked, yet it should be a top worry. For the past year, I, Laszlo Molnarfi, have been studying the European Schools’ organizational structure, including its digital governance. I can say with full confidence that, in my personal opinion, the European Schools could be spying on you and can breach your privacy. It is also my opinion that even if they were not spying on you, there are issues with the European Schools’ IT security.
Without a single doubt, computers during ICT lessons and in the library are riddled with monitoring software, at least in EEB1. These programs, such as LanSchool and nxFilter, log what you do on the computer and allow the teacher to view what you are doing on it. They are designed to keep you focused in class. LanSchool, for example, logs keystrokes [1] (what you type on the keyboard), which is especially problematic because many students use their personal emails for ICT work. Again, not only does it allow the school to spy on students, it also stores this data for further usage, and is completely vulnerable to third parties (hackers in this case) stealing that keystroke data [2]. In addition to this, the school can also view some of your activities on your personal devices. While the school Wi-Fi theoretically can’t view your website communications for most sites (unless they are not encrypted, which is unfortunately still the case for many sites), it can view the name (domain) of the site you are viewing [3] and can identify your device if the school wishes to do so [4]. I conducted an interview with the Head of IT at EEB1 (which I can provide on request), but I was not able to get a clear answer on monitoring policy. Most answers given to me were ‘It is set by internal EURSC policy’ and ‘I cannot answer that question’, in addition to ‘The EEB1 ICT charter grants rights to administrators to monitor students’. Unfortunately, the charter does indeed do so: students cannot take part in ICT classes unless they sign that charter, and neither can they use the Office365 system without it [8]. All European Schools have similar charters. This puts students who refuse to accept the invasive charter at a disadvantage.
Before the big Office365 project undertaken by Roland Pirnay, Head of ICT and Statistics Unit at the EURSC, every school had a different email system. Some had Google, some had Microsoft, and some had a custom-made one. In a specific school that had encountered many problems before, one upset parent decided to blog about the daily struggles that the parents and students face in that school. The one I am talking about is of course the European School of Luxembourg II (Mamer), a real administrative train wreck that has shown the world the fundamental problems of monolithic bureaucracy. That is for another article, however, because here I will be talking about a specific incident with their email system. In a blog post by Gregor Prajs, titled ‘Breach of personal data protection at European school Luxembourg 2’ [5], an eye-opening privacy violation committed against the Mamer students is described. Apart from the usual quirks, which I am not surprised about by the way (the email system does not comply with the Luxembourgish privacy laws or with the internal regulations of European Institutions), the administration and IT staff consciously took part in reading personal email exchanges between students and punishing them if they found swear words. As Gregor puts it, ‘European school Luxembourg should only hope parents won’t pursue legal actions against them.’
These types of breaches can possibly also be attributed to incompetence. Without going into too much detail at this time, it is known that the European Schools (and let’s face it, most schools) are having great difficulties navigating this increasingly digital world, and even the so-called ‘experts’ in important positions fail to understand this new environment. The Office365 system was a huge step forward for the European Schools in terms of digital maturity; it would have been a perfect execution, if not for the tiny little mistake of not respecting the European privacy laws. Well, who expected it to respect the privacy laws when its terms and conditions include:
The network administrator may need to monitor user sessions in case of suspicious activities. S/he reserves the right to block the account of one or more pupils.
This line prompted the APEEE of Brussels (the parents’ association, one of the external democratic powers that keep the monolithic European Schools in check) to launch a full-scale investigation into how the European Schools are going to treat their children’s data. Some of the APEEE parents contacted an independent law firm, Marx Van Ranst Vermeersch & Partners, who drafted a report [6], which was, to put it gently, very surprising. In short, the European Schools have failed to meet the European privacy laws (on a side note, they could have used the German Office365, which is specifically designed to avoid such illegalities) relating to the following criteria:
- Failed to notify the Belgian data protection authority
- Failed to correctly issue a consent form to the students and parents
- Failed to transparently communicate to the data subjects (students and parents) the mandatory information that should be provided to them as per Belgian law
The draft also mentions that ‘If major data protection breaches are noticed, one could also even lodge a claim to start criminal prosecution against EEBI’. It seems like the suits have finally gotten a taste of their own legislative medicine. Ironically, the whole project was started, and I quote Mr. Roland Pirnay, ‘firstly, because of increasing pressure from several schools which wished to provide their students also with an email address’ and ‘because of the urgent need to comply with the legislation in force on personal data protection [..] many schools had over the years implemented local solutions that did not comply with that legislation’ [7].
Like any good investigative journalist, I contacted Mr. Roland Pirnay with my questions and requests for comment [9]. As it turns out, I, as a student in my private capacity, cannot contact the Office (EURSC/OSG) because ‘there’s a hierarchy and he’s not permitted to respond to me in an official capacity’. I got into contact with the CoSup, who submitted my email, albeit with some modifications, but they received no reply either.
1 From the official LanSchool website: https://www.lanschool.com.hk/monitor-students/
2 LanSchool keylogger vulnerability: https://forums.hak5.org/topic/15087-lanschool-keylogger-vulnerability/
3 How did my network admin identify my iPhone and how can I hide my ID? : https://security.stackexchange.com/questions/62663/how-did-my-network-admin-identify-my-iphone-and-how-can-i-hide-my-id
4 Does TLS/SSL hide URLs being accessed?: https://security.stackexchange.com/questions/7705/does-ssl-tls-https-hide-the-urls-being-accessed
5 Breach of personal data protection at European School of Luxembourg II: https://europeanschooluxembourg2.eu/breach-of-personal-data-protection-at-european-school-luxembourg-2/
6 Report of the law firm: https://drive.google.com/file/d/0ByLvwg6dJUM3bC1xT3VIM3liOUk/view
7 ICT Report for 2016 issued by the EURSC: https://www.eursc.eu/Documents/2017-02-D-20-en-3.pdf
8 EEB1 ICT Charter: http://eceuropbxl1.wixsite.com/charteict/anglais
9 Email to Mr. Roland Pirnay: https://drive.google.com/file/d/1P0fPUju6L0VwUDX5wA9JeMPch2DBzIk5/view?usp=sharing