Proposal for a more sustainable, inclusive and secure IT infrastructure at the University of Oslo
25 Jan 2023

The Department of Informatics (IFI) at the University of Oslo (UiO) is working on a “Strategy and action plan 2023-2026” and asked their students and employees for comments. This is a slightly modified version of my comment from November 15th, 2022. I’m publishing it because the problems and solutions I outline can be of general use for universities. Very little of what I say here is specific to UiO or IFI.
I want to underline that IFI is not responsible for UiO’s infrastructure. However, since UiO did not act on previous critique, I used IFI’s call for comments to raise my concerns again.
IFI’s preliminary “Strategy and action plan 2023–2026” opens with Sustainability as the first mentioned fundamental value. I couldn’t agree more with the opening sentence: “Raising awareness about sustainability has an important educational aspect in it; technology is not value neutral and can never be.” I’d like to underline a sustainability aspect that I feel is underrepresented in the general discussion: the concept of sustainability is not limited to so-called “green IT” and fighting climate change. As the UN’s 17 sustainable development goals (SDG) provide, sustainability also includes goals like inclusive, secure and resilient infrastructure and accountable institutions. These are goals that I do not see sufficiently fulfilled with UiO’s current IT infrastructure.
Research and campus life are strongly governed by a simple need: communication. Not least since the corona pandemic hit our campus in 2020, our communication crucially relies on digital communication tools. In this context, I’m critical towards the outsourcing of key digital infrastructures to commercial gatekeepers like Microsoft, Zoom and Facebook.
In the following I will elaborate on the status quo, where I see certain risks for security and privacy, barriers for an inclusive campus and study life, as well as, in some aspects, clear breaches of European privacy law. I will – based on other European universities as a role model and with reference to open standards and open source platforms – propose ways to improve the situation and to create long-term viable, cost-efficient and sustainable digital infrastructure that respects students’ and employees’ freedoms, gives back control to the responsible institutions and encourages a participative and collaborative campus life.
Dependence on unstable providers and lack of control
Before I go on with issues I see with the use of particular providers, let me mention that outsourcing, while often cost-efficient in the short-term, generally leads to a lack of control, uncertainty and attached long-term costs. The chaotic acquisition of Twitter by Elon Musk has impressively shown how a single billionaire’s midlife crisis can lead to the destruction of any commercial platform, of a political ecosystem, to risks for security and continued maintenance and to severe damage to its users. While Twitter itself is certainly not critical for UiO’s infrastructure, other tech giants are facing uncertainty and destructive restructuring as well, in the light of a general Silicon Valley tech-selloff. The situation is further complicated by the Schrems II verdict that declared most EU-US data transfers unlawful. Some of the affected providers are currently crucial for UiO’s and IFI’s ability to operate:
Zoom
Contrary to what UiO states, Zoom is not hosted on a Nordic platform, but on Amazon
In the beginning of the corona pandemic, UiO hastily decided to primarily use Zoom for digital teaching. Two years later, alternative solutions have, to my knowledge, not been offered by UiO.
Using the Zoom client is a security risk
Since the web client of Zoom was not fully developed at that time (and still lacks full Firefox support), students had to download the Zoom client to their private computers. This was decided even though the app wasn’t running stably on Linux, and against the advice of well-known security experts: at that time, Zoom opened client ports for a public-facing webserver with root privileges on our private devices. An implementation risk so obviously unnecessary and ill-considered for a video conferencing app that it could be an example from a Bachelor-level security exam. While companies like Google reacted and banned Zoom entirely for security reasons, we were and still are forced to use this software for our studies and teaching. While some security issues have been fixed now, there has been a long, subsequent list of embarrassing vulnerabilities in the Zoom client (some of which were not fixed for eight months) that originate in bad security practices.
Someone in the supply-chain lies about the privacy risks of Zoom
UiO’s Zoom-specific privacy note states that “UiO runs its own installation of Zoom via its subcontractors. This means that UiO is not subject to Zoom’s general privacy policy”. In the data processing agreement between UiO and SIKT (formerly Uninett), it indeed says that all infrastructure is deployed in Nordic datacenters, and that there are no subcontractors except for NORDUnet, a Nordic infrastructure collaboration, involved in the provision of the special UiO-Zoom.
~UiO’s data processing agreement with Uninett/SIKT
It would be nice if these statements were true. In reality, it is easy to check that they’re not. UiO’s “own” Zoom instance (uio.zoom.us) is not provided on Nordic infrastructure, nor is it run by SIKT or NORDUnet…
~> nslookup uio.zoom.us
uio.zoom.us canonical name = eu01web.zoom.us.
Name: eu01web.zoom.us
Address: 134.224.82.224
~Contrary to the claim, this IP does not belong to NORDUnet, nor to any Nordic platform
…but simply links to eu01web.zoom.us, the central Zoom server for all European Zoom users, owned by Zoom and hosted by Amazon Web Services (134.224.82.224). Both of them are US companies or subsidiaries.
Joining a UiO Zoom call using uio.zoom.us/join (open it in a browser) presents us with the following terms all students and employees have to agree to:
By clicking "Join", you agree to our
<a target="_blank" href="https://zoom.us/terms">Terms of Services</a> and
<a target="_blank" href="https://zoom.us/privacy">Privacy Statement</a>
~HTML snippet from uio.zoom.us/join
As evident from the links, “our” of course means the Terms of Service and Privacy Policy of Zoom (US), not those of UiO (Norway).
That such an issue should not be taken lightly becomes apparent in Denmark, where entire schools were running Chromebooks and Google Workspaces until Datatilsynet suspended their use and data transfers to the US. On top of the ongoing intrusion into students’ privacy, such an abrupt requirement to use privacy-compliant services at UiO would imply a major cost factor, interruption of teaching and a loss of trust and image.
Microsoft
The use of Microsoft as a central identity provider is less of a concern for me as a user, but more one for the general security of UiO’s systems. It is easy to fill an entire lecture with Exchange security vulnerabilities from the last 6 months. However, what disturbs me even more is that in order to log in to studentweb (UiO’s student portal), I have to disregard everything I have learned and teach my parents about basic internet security.
Unlearning best practices regarding phishing
Every time I want to log in to UiO services, I have to provide my email address and my 2FA token to login.microsoftonline.com, which masks itself as a UiO login page, UiO logo included. The first time I tried to log in, I literally believed someone was trying to phish me. From a security perspective, training people to give out their login credentials to a website that masks itself as another institution is a terrible idea. Now that people get used to accepting weird URLs as legitimate login sites, it will be easy to lure them into giving their password to login.uioonline.com (which is still available at the time of writing). Since Microsoft just provides a closed system “as a Service”, I doubt it’s possible to change this particularly dangerous property without moving away from the entire service.
Facebook/Whatsapp
When I first joined UiO as an exchange student in 2020, I was surprised by how heavily Norwegian campus life depends on Facebook’s platforms. In order to participate in the traditional “Buddy week”, it was necessary to install Whatsapp, and most student organizations and study circles are organized on Facebook. Even UiO’s events are primarily announced there. A dilemma for me, as well as for some other exchange students who were uncomfortable with using Facebook’s services. Leading a student organization myself, I still occasionally receive positive feedback from internationals just for providing a simple, independent communication channel. The social pressure to be on Facebook’s platforms is problematic not only because Facebook is an advertising company that creates personal profiles that include surprisingly intimate data like health information – even SiO’s chlamydia testing website loads scripts from Facebook. Studies have also found correlations and a causal link between using Facebook and mental health issues, including depression and anxiety among college students. Having to choose between a negative impact on your mental health and social isolation – that is not a choice humans should have to make. On top of that, of course, Facebook’s business model primarily relies on selling advertising and thereby stimulating unnecessary and unsustainable consumption.
Proposal to the strategy plan
An IT strategy is a difficult thing: IT systems have grown over time, there are multiple stakeholders, responsibilities and users that have gotten used to their tools. Therefore, my first proposals are rather general:
- In their strategy plan, the Department of Informatics (IFI) should acknowledge the presented issues as blocking factors for many other declared strategy goals, including inclusiveness, trust-based leadership, a communicative environment and compliance with privacy law
- IFI leadership should raise awareness of the mentioned issues with the responsible parties at UiO and USIT
- The university’s IT concept should consider the inclusiveness of social life and student organizations’ communication platforms
- For resilience and sustainability, all future IT investments should, where possible, be based on open source software and/or open protocols. In the long term, this will be a cost-reducing measure, as these tools can be independently improved and developed, instead of replacing them
- These efforts could be coordinated within a Norwegian/Nordic effort to support independent and improved academic communication and collaboration inside and between institutions
Even though the primary responsibility for IT infrastructure lies with UiO and USIT, I think that the Department of Informatics (IFI) can play an important role in making a change:
- IFI, given that it works with technically interested students, should be an evaluation arena for alternatives to the currently used IT infrastructure. Solutions that prove to be successful at IFI can then be implemented at UiO
- IFI should ask UiO for appropriate funding for such a venture and also apply for public funding, possibly even in terms of research on social and sustainability aspects of IT
- IFI’s infrastructure development should be linked with IFI’s classes: improving an open source tool is a great and meaningful course project that gives students real-world experience, and it also benefits IFI with better digital infrastructure, customized to IFI’s needs
From my personal experience, I can recommend a number of tools that could be evaluated for many different aspects of academic and campus communication:
- Internal organization and communication
- I was made aware that IFI runs a Mattermost; that’s great!
- Even more, I recommend Matrix / Element, which allows native (video-)calls and inter-institutional communication, and therefore suits academia’s needs for exchange with external researchers. It’s used by academic institutions, the French government, as well as inside the German health system. I’ve written down further thoughts about Matrix in my blog post “We need new communication infrastructure for academia”
- Video conferencing
- Any video conferencing tools should be feature complete in the Browser and fully support Firefox- as well as Chromium-based browsers. It is a pain to force external guests to download Microsoft Teams or Zoom, before they can join a simple call.
- My recommendation goes to Jitsi, which nowadays scales just as well as Zoom, thanks to the implemented Selective Forwarding Unit
- Another option might be BigBlueButton
- Social life, events and outreach
- The previously mentioned Matrix / Element also makes for a great replacement for Whatsapp and Snapchat, and would therefore positively influence the inclusiveness of general campus communication
- Events and public, social communication could happen on Mastodon, or any other part of the decentralized network called the Fediverse
- More complex student organizations could benefit from the use of Discourse, a structured community platform that can be used in different ways – e.g. like a mailing list or a web forum
- Collaboration
- Nextcloud Hub is my undisputed recommendation for file sharing, collaboration and many further productivity applications. It’s used by the German and French government
I’ve seen all of these tools and standards being used in production, in schools, universities, companies and public bodies. As a German citizen, I can assure you that the central-European university infrastructure – specifically in Germany and France – works well, and is to a significant extent based on the tools I proposed here. The required cost and maintenance of these systems on the university’s own or rented infrastructure, running on cheap, green Norwegian energy, could easily be offset by the savings from the licensing and service costs we are currently paying for proprietary solutions.
Also, from a general perspective (and from my personal experience), taking control over infrastructure is important for the spirit of an IT student: if all relevant decisions and profits are made by the same five Silicon Valley companies, or their investors, studying IT seems kind of pointless. Being optimistic about the possibility of making a change or of starting a business in Europe can be positively influenced by seeing infrastructure in use that’s not under quasi-monopolistic control.