In a recent Holyrood magazine article, John McCarney (head of education services at RM Education – the current Glow provider) demonstrated a lack of understanding of the “security issues” and technical detail surrounding the possible integration of social networking tools (such as Facebook and Twitter) into the next generation of Glow.
I think that Mr McCarney is engaged in a little bit of scaremongering when he says:
“You’re talking about pupil data being made available, and whether it should be through social media sites is very open to debate.”
The ICT Excellence Group report makes two clear suggestions on the use of social media.
1. As an extension of the existing authentication service so that users may sign in with their social media accounts.
2. As a means to share achievements and success with a wider audience.
I’ll explain clearly how the technology works and point out that no pupil data would actually leave the GlowPlus system.
Sign in With Facebook
This would work as follows. When a GlowPlus user goes to sign in to GlowPlus, he/she could select the “Sign in With Facebook” option. This would send an authorisation request to Facebook. The user would then log in to his/her own Facebook account and be asked to authorise the GlowPlus application to allow it to use the login status from Facebook.
What’s actually happening is that the user is allowing GlowPlus to ask “Are you signed into Facebook?” and get an answer back. No user identifiable data is exchanged.
Once GlowPlus is approved by the user, an authentication token is set by Facebook and it releases information to GlowPlus (not the other way round). We could retrieve as little as the user’s unique Facebook ID (a number called the UID).
Now that we know the user is logged in correctly to Facebook and we have his/her unique ID, Facebook returns the user to GlowPlus. The user then logs in using his/her GlowPlus credentials. Once we have carried out this second set of authentication, we can store the Facebook UID with the user’s account in GlowPlus so that in future, if the user is signed into Facebook, he/she can be automatically signed in to GlowPlus. No personally identifiable data has been exchanged between Facebook and GlowPlus. Facebook has provided us only with a unique ID for the user. It’s exactly the same with a sign-in with Twitter and most other social networks.
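The linking step described above, sketched as an added example (not code from GlowPlus or RM Education). The class, method names and sample response are hypothetical, and the provider's response is assumed to have been verified server-side already:

```python
import hashlib, hmac, os

class LinkError(Exception):
    pass

class GlowPlusAccounts:
    """In-memory stand-in for the GlowPlus account store (hypothetical)."""

    def __init__(self):
        self._users = {}      # username -> (salt, password hash)
        self._uid_links = {}  # provider UID -> username; the only external data kept

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def _check_password(self, username, password):
        if username not in self._users:
            return False
        salt, stored = self._users[username]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def link(self, provider_response, username, password):
        """First visit: bind the UID only after the second, local authentication."""
        uid = str(provider_response["id"])  # keep the UID, discard every other field
        if not self._check_password(username, password):
            raise LinkError("GlowPlus credentials rejected; UID not linked")
        if self._uid_links.get(uid, username) != username:
            raise LinkError("UID already linked to another account")
        self._uid_links[uid] = username

    def sign_in_with_uid(self, provider_response):
        """Later visits: a verified UID maps to a GlowPlus account, or to nobody."""
        return self._uid_links.get(str(provider_response["id"]))

    def stored_external_data(self):
        return dict(self._uid_links)

# Constructed sample of a verified provider response; only "id" is ever stored.
SAMPLE_RESPONSE = {"id": "1000001", "name": "Constructed Name",
                   "email": "pupil@example.invalid"}
```

The UID is written to the store only after the GlowPlus password check succeeds, and a UID already bound to one account cannot be claimed by another.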
Posting to Twitter or Facebook
Posting to Twitter or Facebook works in a very similar way. Within GlowPlus we would have complete control over which content we would allow to be shared on external social networks. We would control which data a user could share. The example given in the ICT Excellence Report is an achievement badge which is then shared in a social network. How would this work?
On the achievement badge is a link which is labelled, for example, “Post to Twitter”. When clicked, the GlowPlus application (previously approved by the user as indicated above) would generate a link to the public view of the achievement hosted in GlowPlus. The GlowPlus application would launch, connect to Twitter and post this link to the user’s own Twitter account. Again, no personally identifiable data has moved from GlowPlus to the external social network.
As long as we carefully consider how we craft the interaction with external social media then sensitive personal pupil data will always remain inside GlowPlus as it should.