Opinion: U of T’s partnership with Alibaba raises privacy concerns

COVID-19 has changed the way we learn, as many U of T students are studying completely online for this academic year. Beyond the numerous administrative headaches and technological glitches this introduces, this move also opens the door to another complication: data privacy.

On July 9, the University of Toronto initiated a partnership with Chinese conglomerate Alibaba to use its Cloud Enterprise Network (CEN). This service was designed to provide students studying from mainland China with faster, more reliable, and more consistent access to U of T services like Quercus and Blackboard Collaborate.

However, Alibaba has been embroiled in the same kinds of privacy controversies that have plagued companies like Facebook, Google, and Huawei. With this in mind, the U of T partnership announcement leaves many questions unanswered.

A questionable record

In January 2018, Alibaba was reprimanded by the Chinese government for having “inadequate” privacy protections. In September 2019, Chinese government officials were dispatched to work inside 100 private tech companies — including Alibaba. Under Chinese law, organizations can be forced to hand over data to the state if requested.

Alibaba has been implicated in domestic Chinese surveillance programs. These include the social credit system, where collected data will be used to give and take away individuals’ privileges based on online and real-world behaviour.

Alibaba is one of the targets of the United States’ Clean Network initiative, aimed at preventing Chinese tech firms from gaining access to sensitive information. A key concern for American state officials is the influence of the Chinese government over companies like Alibaba and Huawei.

Finally — and of particular concern for users of the Alibaba CEN — Chinese cybersecurity laws allow the government to control the kind of data that is transferred out of the country. According to The Atlantic, this policy is complemented by unwritten rules which reward companies for storing data on local Chinese servers.

How does cloud computing work?

Cloud computing works by storing data on remote servers. A central server then ensures connectivity between devices linked via the cloud, providing users with a faster connection and better access to the stored data. Given the increased latency that China’s ‘Great Firewall’ introduced, the use of a service like the Alibaba CEN is extremely valuable in providing students in mainland China with a quality connection and better online instruction.

Alibaba is the largest provider of public cloud services in China and is growing globally at a rapid pace. In July, Alibaba announced that its cloud technology was supporting 38 per cent of Fortune 500 companies worldwide, and plans to continue expanding.

According to the Office of the Privacy Commissioner of Canada, cloud computing opens up several risks with regard to data security. Users are often unaware of where their information is being stored, how long it is being kept, and with whom it is being shared.

Since there are no standardized rules surrounding cloud services, cloud providers’ terms of service can vary greatly in their security and privacy policies. Large cloud providers can access better security technologies, but these systems are never perfect and there is still much work to be done to ensure the reliability of cloud data security.

U of T’s remarkable silence on privacy issues

Currently, students have no access to information regarding what kinds of data will be stored on Alibaba servers. None of the publicly available information on the partnership mentions privacy concerns, nor does it provide any details on the terms of service users engage with when using the cloud.

Given that the CEN will provide students with access to services like Quercus, important information like student numbers, names, grades, and records could be at risk. U of T classifies this kind of data as non-public, meaning that it can only be disclosed with proper permission.

Students with concerns about who can see their data, how it will be stored, and whether students not using the CEN will be affected are out of luck: U of T has not made any answers available.

The university is, however, aware of these problems. “We recognize that there are particular challenges regarding online learning for students located in other countries. Questions about privacy, surveillance, and free inquiry may arise among students who reside in countries with different laws, cultural norms, and monitoring by law enforcement,” wrote Susan McCahan, Vice-Provost Academic Programs and Vice-Provost Innovations, and Isaac Straley, U of T Chief Information Security Officer in an August 12 memo.

“For example, there is a far greater likelihood of surveillance in some countries outside of Canada and this may impact a student’s ability to engage with some course material.”

The memo ends with the recommendation to “increase awareness and understanding of the issues that [the university’s] students may face wherever they are,” — a statement made ironic by the lack of published information regarding CEN security concerns.

While the use of a service like the Alibaba CEN will prove invaluable in improving the quality of education for students in mainland China, it behooves the university to be more transparent about the kinds of risks this service might entail for students, faculty, and staff — whether abroad or in Canada. U of T should make the details of its agreement with Alibaba public and should act decisively to reassure students of the security of their personal data.