Proposal for a more sustainable, inclusive and secure IT infrastructure at the University of Oslo

The Department of Informatics (IFI) at the University of Oslo (UiO) is working on a “Strategy and action plan 2023-2026” and asked their students and employees for comments. This is a slightly modified version of my comment from November 15th, 2022. I’m publishing it, because the problems and solutions I outline can be of general use for universities. Very little of what I say here is specific to UiO or IFI.

I want to underline that IFI is not responsible for UiO’s infrastructure. However, since UiO did not act on previous critique, I used IFI’s call for comments to raise my concerns, again.

IFI’s preliminary “Strategy and action plan 2023–2026” opens with sustainability as the first fundamental value it names. I couldn’t agree more with the opening sentence: “Raising awareness about sustainability has an important educational aspect in it; technology is not value neutral and can never be.” I’d like to underline a sustainability aspect that I feel is underrepresented in the general discussion: the concept of sustainability is not limited to so-called “green IT” and fighting climate change. As the UN’s 17 sustainable development goals (SDGs) show, sustainability also includes goals like inclusive, secure and resilient infrastructure and accountable institutions, goals that I do not see sufficiently fulfilled by UiO’s current IT infrastructure.


Research and campus life are strongly governed by a simple need: communication. Not least since the corona pandemic hit our campus in 2020, our communication crucially relies on digital communication tools. In this context, I’m critical towards the outsourcing of key digital infrastructures to commercial gatekeepers like Microsoft, Zoom and Facebook.

In the following I will elaborate on the status quo, where I see certain risks for security and privacy, barriers to an inclusive campus and study life, and in some respects clear breaches of European privacy law. I will then, using other European universities as role models and with reference to open standards and open source platforms, propose ways to improve the situation and to create long-term viable, cost-efficient and sustainable digital infrastructure that respects students’ and employees’ freedoms, gives control back to the responsible institutions and encourages a participative and collaborative campus life.

Dependence on unstable providers and lack of control

Before I go on with issues I see with the use of particular providers, let me mention that outsourcing, while often cost-efficient in the short term, generally leads to a lack of control, uncertainty and attached long-term costs. The chaotic acquisition of Twitter by Elon Musk has impressively shown how a single billionaire’s midlife crisis can lead to the destruction of a commercial platform and of a political ecosystem, to risks for security and continued maintenance, and to severe damage to its users. While Twitter itself is certainly not critical for UiO’s infrastructure, other tech giants are facing uncertainty and destructive restructuring as well, in the light of a general Silicon Valley tech sell-off. The situation is further complicated by the Schrems II verdict, which declared most EU-US data transfers unlawful. Some of the affected providers are currently crucial for UiO’s and IFI’s ability to operate:

Zoom

Contrary to what UiO states, Zoom is not hosted on a Nordic platform, but on Amazon

In the beginning of the corona pandemic, UiO hastily decided to primarily use Zoom for digital teaching. Two years later, alternative solutions have, to my knowledge, not been offered by UiO.

Using the Zoom client is a security risk

Since Zoom’s web client was not fully developed at that time (and still lacks full Firefox support), students had to download the Zoom client to their private computers. This was decided even though the app did not run stably on Linux, and against the advice of well-known security experts: at that time, Zoom opened client ports for a public-facing web server with root privileges on our private devices. An implementation risk so obviously unnecessary and ill-considered for a video conferencing app that it could be an example from a Bachelor-level security exam. While companies like Google reacted and banned Zoom entirely for security reasons, we were and still are forced to use this software for our studies and teaching. While some security issues have since been fixed, there has been a long list of subsequent, embarrassing vulnerabilities in the Zoom client (some of which were not fixed for eight months) that originate in bad security practices.

Someone in the supply-chain lies about the privacy risks of Zoom

UiO’s Zoom-specific privacy note states that “UiO runs its own installation of Zoom via its subcontractors. This means that UiO is not subject to Zoom’s general privacy policy”. The data processing agreement between UiO and SIKT (formerly Uninett) indeed says that all infrastructure is deployed in Nordic data centers, and that no subcontractors other than NORDUnet, a Nordic infrastructure collaboration, are involved in providing the special UiO Zoom.

~UiO’s data processing agreement with Uninett/SIKT

It would be nice if these statements were true. In reality, it is easy to check that they are not. UiO’s “own” Zoom instance (uio.zoom.us) is neither provided on Nordic infrastructure nor run by SIKT or NORDUnet…

~> nslookup uio.zoom.us

uio.zoom.us	canonical name = eu01web.zoom.us.
Name:	eu01web.zoom.us
Address: 134.224.82.224

~Contrary to what is claimed, this IP belongs neither to NORDUnet nor to any Nordic platform

…but is simply an alias (canonical name) for eu01web.zoom.us, the central Zoom server for all European Zoom users, owned by Zoom and hosted by Amazon Web Services (134.224.82.224). Both are US companies or subsidiaries.
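The nslookup check above is easy to repeat by hand, but a data-processing agreement is worth verifying on a schedule, not once. The following script is an added example (not part of the original post and not UiO’s or SIKT’s tooling): it parses nslookup output, follows the canonical-name chain, and reports whether the final name sits under an expected domain and whether the answered addresses fall inside the prefixes the agreement claims. The sample input is the resolution quoted above; the claimed prefixes are RFC 5737 documentation ranges standing in for the real ones, and the expected domains (uio.no, sikt.no, nordu.net) are assumptions.

```python
import ipaddress
import re

# Constructed input: the nslookup answer quoted in the post.
NSLOOKUP_OUTPUT = """\
uio.zoom.us\tcanonical name = eu01web.zoom.us.
Name:\teu01web.zoom.us
Address: 134.224.82.224
"""

# Placeholder: the prefixes a data-processing agreement claims the service is
# hosted in. These are RFC 5737 documentation ranges, NOT real NORDUnet or SIKT
# prefixes; substitute the ranges listed in the agreement.
CLAIMED_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]

# Assumed: domains under which an institution-run or Nordic-hosted instance
# would be expected to resolve (institution, provider, collaboration).
EXPECTED_DOMAINS = ["uio.no", "sikt.no", "nordu.net"]

CNAME_RE = re.compile(r"^(\S+)\s+canonical name = (\S+?)\.?$")
NAME_RE = re.compile(r"^Name:\s+(\S+)$")
ADDR_RE = re.compile(r"^Address(?:es)?:\s+(\S+)$")


def parse_nslookup(text):
    """Return (chain, addresses) from nslookup output.

    chain is the list of names followed from the queried name to the final
    canonical name; addresses are the IPs answered for that final name.
    The resolver's own "Server:"/"Address: 127.0.0.53#53" lines are ignored.
    """
    chain, addresses = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = CNAME_RE.match(line)
        if m:
            if not chain:
                chain.append(m.group(1))
            chain.append(m.group(2))
            continue
        m = NAME_RE.match(line)
        if m:
            if not chain:
                chain.append(m.group(1))
            continue
        m = ADDR_RE.match(line)
        if m:
            try:
                addresses.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                pass  # "127.0.0.53#53"-style resolver address, not an answer
    return chain, addresses


def under_domain(name, domains):
    """True if name equals or is a subdomain of one of domains."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def addresses_outside(addresses, prefixes):
    """Answered addresses that fall in none of the claimed prefixes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(a) for a in addresses if not any(a in n for n in nets)]


def check_hosting_claim(text, prefixes, domains):
    """Compare a resolution against what the provider's paperwork claims.

    Returns a dict a reviewer can act on: where the name actually ends up,
    whether that is under an expected domain, and which answered addresses
    lie outside the claimed hosting ranges.
    """
    chain, addresses = parse_nslookup(text)
    canonical = chain[-1] if chain else None
    return {
        "queried": chain[0] if chain else None,
        "canonical": canonical,
        "canonical_under_expected_domain": bool(canonical) and under_domain(canonical, domains),
        "outside_claimed_ranges": addresses_outside(addresses, prefixes),
    }


if __name__ == "__main__":
    print(check_hosting_claim(NSLOOKUP_OUTPUT, CLAIMED_PREFIXES, EXPECTED_DOMAINS))
```

Feeding it live output (`nslookup uio.zoom.us | python3 check.py` with a small stdin wrapper) turns the one-off observation into a check that can run nightly; a name that suddenly resolves outside the agreed ranges, or whose canonical name moves to a different provider, is exactly the kind of change a data-protection officer should hear about before users do.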

Joining a UiO Zoom call using uio.zoom.us/join (open it in a browser) presents us with the following terms all students and employees have to agree to:

By clicking "Join", you agree to our
<a target="_blank" href="https://zoom.us/terms">Terms of Services</a> and
<a target="_blank" href="https://zoom.us/privacy">Privacy Statement</a>

~HTML snippet from uio.zoom.us/join

As evident from the links, “our” of course means the Terms of Service and Privacy Policy of Zoom (US), not those of UiO (Norway).

That such an issue should not be taken lightly became apparent in Denmark, where entire schools were running Chromebooks and Google Workspace until Datatilsynet suspended their use and the data transfers to the US. On top of the ongoing intrusion into students’ privacy, such an abrupt requirement to use privacy-compliant services at UiO would mean a major cost factor, interrupted teaching and a loss of trust and image.

Microsoft

The use of Microsoft as the central identity provider is less of a concern for me as a user than for the general security of UiO’s systems. It is easy to fill an entire lecture with Exchange security vulnerabilities from the last six months. However, what disturbs me even more is that in order to log in to Studentweb (UiO’s student portal), I have to disregard everything I have learned and teach my parents about basic internet security.

Unlearning best practices regarding phishing

Every time I want to log in to UiO services, I have to provide my email address and my 2FA token to login.microsoftonline.com, which masks itself as a UiO login page, UiO logo included. The first time I tried to log in, I literally believed someone was trying to phish me. From a security perspective, training people to hand their login credentials to a website that masks itself as another institution is a terrible idea. Now that people are getting used to accepting odd URLs as legitimate login sites, it will be easy to lure them into giving their password to login.uioonline.com (which is still available at the time of writing). Since Microsoft just provides a closed system “as a Service”, I doubt it’s possible to change this particularly dangerous property without moving away from the entire service.
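The lesson users are taught to apply, “is this host actually one my institution signs me in on, or just one that looks like it?”, can be written down as a check. The script below is an added example (not from the original post, and not a Microsoft or UiO tool) of the kind of classification a security-awareness tool, a mail gateway or a browser helper can apply to a URL that asks for credentials. It treats login.microsoftonline.com, the IdP host named above, as trusted; uio.no as the institution’s own domain is an assumption, and the trusted set is something each institution has to maintain.

```python
from urllib.parse import urlsplit

# Registrable domains on which the institution legitimately asks for
# credentials. login.microsoftonline.com is the IdP host named in the post;
# "uio.no" is an assumed example of the institution's own domain.
TRUSTED_LOGIN_DOMAINS = {"microsoftonline.com", "uio.no"}


def host_of(url):
    """Lower-cased hostname of url, or None if it has none."""
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def is_trusted(host, trusted=TRUSTED_LOGIN_DOMAINS):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def brand_labels(trusted=TRUSTED_LOGIN_DOMAINS):
    """The distinctive label of each trusted domain ("uio" for uio.no).

    Simplified to the label left of the last one; a production check would
    use the public suffix list to handle suffixes such as co.uk.
    """
    return {d.split(".")[-2] for d in trusted if "." in d}


def levenshtein(a, b):
    """Edit distance between strings a and b (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_login_url(url, trusted=TRUSTED_LOGIN_DOMAINS, max_edits=2):
    """Classify a page that asks for credentials.

    "trusted"   - on a domain the institution actually uses
    "insecure"  - not served over HTTPS
    "lookalike" - untrusted, but a trusted brand name is embedded in one of
                  its labels (the pattern login.uioonline.com follows) or a
                  label is a near-miss spelling of a long brand name
    "unknown"   - untrusted and unrelated
    """
    host = host_of(url)
    if host is None:
        return "invalid"
    if urlsplit(url).scheme != "https":
        return "insecure"
    if is_trusted(host, trusted):
        return "trusted"
    labels = host.split(".")[:-1]  # ignore the top-level label
    for brand in brand_labels(trusted):
        # Near-miss matching only makes sense for brands long enough that a
        # couple of edits cannot turn an unrelated short word into them.
        near_miss_ok = len(brand) > 3 * max_edits
        for label in labels:
            if brand in label:
                return "lookalike"
            if near_miss_ok and levenshtein(brand, label) <= max_edits:
                return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://login.microsoftonline.com/", "https://login.uioonline.com/"):
        print(u, "->", classify_login_url(u))
```

The substring rule is the one that matters for the case in the text: login.uioonline.com is never trusted, yet carries the institution’s name in an untrusted domain, which is the signature of a brand-impersonation domain. The deeper problem the paragraph describes is not solved by the script, though: when the legitimate login page itself lives on a third-party domain, users cannot be told “only trust pages under uio.no”, and the allow-list becomes the only thing distinguishing the real IdP from a convincing imitation.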

Facebook/WhatsApp

When I first joined UiO as an exchange student in 2020, I was surprised by how heavily Norwegian campus life depends on Facebook’s platforms. In order to participate in the traditional “Buddy week”, it was necessary to install WhatsApp, and most student organizations and study circles are organized on Facebook. Even UiO’s events are primarily announced there. A dilemma for me, as well as for some other exchange students who were uncomfortable with using Facebook’s services. Leading a student organization myself, I still occasionally receive positive feedback from internationals just for providing a simple, independent communication channel. The social pressure to be on Facebook’s platforms is not only problematic because Facebook is an advertising company that creates personal profiles including surprisingly intimate data like health information – even SiO’s chlamydia testing website loads scripts from Facebook. Studies have also found correlations and a causal link between using Facebook and mental health issues, including depression and anxiety among college students. Having to choose between a negative impact on your mental health and social isolation – that is not a choice humans should have to make. On top of that, of course, Facebook’s business model primarily relies on selling advertising and thereby stimulating unnecessary and unsustainable consumption.

Proposal to the strategy plan

An IT strategy is a difficult thing: IT systems have grown over time, there are multiple stakeholders, responsibilities and users that have gotten used to their tools. Therefore, my first proposals are rather general:

Even though the primary responsibility for IT infrastructure lies with UiO and USIT, I think that the Department of Informatics (IFI) can play an important role in making a change:

From my personal experience, I can recommend a number of tools that could be evaluated for many different aspects of academic and campus communication:

I’ve seen all of these tools and standards being used in production, in schools, universities, companies and public bodies. As a German citizen, I can attest that the central European university infrastructure – specifically in Germany and France – works well, and is to a significant extent based on the tools I propose here. The cost and maintenance of running these systems on UiO’s own or rented infrastructure, on cheap, green Norwegian energy, could easily be offset by the savings on the licensing and service costs we currently pay for proprietary solutions.


Also, from a general perspective (and from my personal experience), taking control of infrastructure is important for the spirit of an IT student: if all relevant decisions and profits are made by the same five Silicon Valley companies or their investors, studying IT seems kind of pointless. Optimism about the possibility of making a change, or of starting a business in Europe, can be positively influenced by seeing infrastructure in use that is not under quasi-monopolistic control.