Month: January 2018

Social networking and GDPR

Posted on January 25, 2018January 25, 2018 by Doug Belshaw

Note: I’m writing this post on my personal blog as I’m still learning about GDPR. This is me thinking out loud, rather than making official Moodle pronouncements.

I have to admit to EU directive fatigue when it comes to technology (remember the ‘cookie law‘?) so when I heard about the General Data Protect Regulation (GDPR), I didn’t give it the attention it deserved.

The GDPR is actually pretty awesome, and exactly the kind of thing we need in this technologically-mediated world. It has wide-ranging impact, even beyond Europe. In fact, it’s likely to set the standard for the processing of user information, privacy, and security from May 2018 onwards.

So, on the advice of Gavin Henrick, I’m in the midst of Futurelearn’s course on Understanding the General Data Protection Regulation. The content is great but, unlike Mary Cooch‘s excellent videos for the Learn Moodle Basics 3.4 course (which I’m also doing at the moment) I don’t find the videos helpful. They don’t add anything, so it’s a more efficient use of my time to read the transcripts.

All of this is prologue to say that GDPR affects the work I’m leading at the moment with Project MoodleNet. It may be in its early stages, but privacy by design (PDF) means that we need to anticipate potential issues:

The Privacy by Design approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy invasive events before they happen. PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred − it aims to prevent them from occurring. In short, Privacy by Design comes before-the-fact, not after.

Project MoodleNet is a social network for educators focused on professional development and the sharing of open content. As such, it’s a prime example of where GDPR can protect and empower users.

Article 5(1) from the official document states:

Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

We’re kicking off Project MoodleNet by looking at all of the different components we’ll be building, and really zeroing-in on user control. A key part of that is the way(s) in which users can authenticate and are authorised to access different parts of the system. We’re exploring open source approaches such as gluu (which has been GDPR-ready since November) that make it both easy for the user while protecting their privacy.

In addition, and as I’ve touched on while writing at the project blog, we’re going to need to ensure that users can, at the very least:

see what data is held on them
choose whether to revoke consent around storage and processing of that data
request a data export
ask for any of their personal data to be securely destroyed.

I actually think Google do a pretty good job with most of this with Download your data in your account settings (formerly ‘Google Takeout’).

One challenge, I think, is going to be global search functionality. To make searching across people, resources, and news reasonably fast, there’s going to be some pre-caching involved. We need to explore to what extent that’s compatible with purpose limitation, data minimisation, and storage limitation. It may be that, as with the authentication/authorisation example above, it may already be somewhat of a solved problem.

A related issue is that different functionality may be used to a greater or lesser extent by users. Some (e.g. crowdfunding) may not be used by some educators at all. As such, we need to ensure that, perhaps through an approach that leans on microservices and APIs, we ensure integrity and confidentiality of user data, while again adhering to the principle of data minimisation.

I’m delighted to be working on this project at such an exciting time for user control and privacy. Organisations that have been wilfully neglecting controls and safeguards around user data, or monetising it in unethical ways, are going to be in for a rough ride. Those, however, that have a commitment to openness and follow the principles of privacy by design are going to find that it’s a competitive advantage!

Image by Sanwal Deen available under a CC0 license

Weeknote 03/2018

Posted on January 20, 2018January 20, 2018 by Doug Belshaw

This week I’ve been:

Updating Thought Shrapnel, my blog and weekly newsletter of the same name. You can subscribe there via a variety of methods. You’ll like it.
Meeting with the local Scouts Executive Committe. I’m Secretary, so I introduced them to Google Docs and Calendar, and showed them the new (basic, but functional and fast) website.
Continuing work around Project MoodleNet. I spoke with Verena Roberts, Pivotal Labs, wrote a couple of posts on the project blog, started the risk register, did some whiteboarding with Martin Dougiamas, Ryan Wyllie, and Marina Glancy, and presented about the project on the all-hands call.
Agreeing to fly to Perth for a Moodle Team Leads work week next month the week before I’m in Washington DC for a consultancy gig. Jetlagged Doug will be jetlagged.
Spending Thursday and Friday in London with my We Are Open Co-op colleagues at Bryan Mathers’ house. We also held a meetup at a pub near London Bridge, where it was great to catch up with Jade Morley, Jamie Allen, Josie Fraser, Maren Deepwell, and Oliver Quinlan.
Writing:
- Principles underpinning Project MoodleNet: 5. ‘Transparent’ (Project MoodleNet blog, 17th January 2018)
- Principles underpinning Project MoodleNet: 4. ‘Ethical’ (Project MoodleNet blog, 16th January 2018)
- On the difference between people-centric and resource-centric social networks (Open Educational Thinkering, 15th January 2018)

Next week I’m working from home from Monday to Thursday, then I’ll be at the Bett Show in London on Friday.

Photo taken today as my son and I headed to Kielder to pick up an ex-hire hybrid bike he’s getting for his birthday on Monday.

On the difference between people-centric and resource-centric social networks

Posted on January 15, 2018January 16, 2018 by Doug Belshaw

Something Tom Murdock said recently resonated enough with me that I felt the need to write it down in a place that I can reference. Here is as good a place as any!

I’m leading Project MoodleNet, which is currently described as “a new open social media platform for educators, focused on professional development and open content”. Tom mentioned that he saw an important difference between ‘people-centric’ and ‘resource-centric’ social networks.

(Note: it’s been a couple of weeks since that conversation, so anything witty or clever I say in the next few paragraphs should be attributed to him, and anything confusing or stupid should be attributed to me)

I should also point out that I blog about things I’m thinking about here, whereas the official project blog can be found at blog.moodle.net.

What is a resource-centric social network?

A people-centric social network is something like Facebook or LinkedIn. Users have a single identity and want to follow or connect with you as a person. A resource-centric social network is something like Pinterest or Thingiverse where people interact and engage with you through the resources you’re sharing.

I think most people reading this will understand how Facebook and LinkedIn work. Imagine them towards one end of the spectrum, and Pinterest and Thingiverse towards the other. Twitter is an interesting case here, as users can have multiple accounts and follow non-human accounts. I suppose it would probably be somewhere in the middle of the spectrum.

A quick tour of Thingiverse

I think Project MoodleNet is more of a resource-centric social network. To illustrate that, I want to explore Thingiverse, a wonderful site I came across recently after acquiring a 3D printer. Here’s what the About page says:

MakerBot’s Thingiverse is a thriving design community for discovering, making, and sharing 3D printable things. As the world’s largest 3D printing community, we believe that everyone should be encouraged to create and remix 3D things, no matter their technical expertise or previous experience. In the spirit of maintaining an open platform, all designs are encouraged to be licensed under a Creative Commons license, meaning that anyone can use or alter any design.

So it’s:

A registered trademark
Owned by a company
Focused on makers
Allows the sharing of open content
Encourages remixing

In that sense, it’s a very interesting model for Project MoodleNet.

Let’s look a little more closely. Below you can see the home page. The site is obviously curated by real human beings, as they’ve featured particular designs, and created collections which include designs from different users. There’s a feed of latest activity, the calls to action in the top menu bar make it obvious that this is a living community full of creative people.

The next thing you notice when you click through onto a particular design is that there’s a lot of information here to help orient you. There’s a clear call-to-action below ‘DOWNLOAD ALL FILES’ but also we can see how many times it’s been liked, watched, commented upon, and remixed.

Click on the remix button and you get to see those who have remixed the original design in some way. If the design you’re looking at is itself a remix, it also allows you to look at the original, too.

Naturally, you want to know a little bit about the person who created it. Perhaps they’ve created some other things you’d like? Clicking on the user name reveals their Thingiverse profile.

There’s lots of information about the person here: their username, location, Twitter profile, website, short biography. However, the focus is still on their resources. What have they designed? What have they shared?

The last thing to highlight is how Thingiverse deals with openly-licensed resources. When you click to download the files, the first thing that pops up is a windows that tells you in no uncertain terms about the license under which this resource has been made available.

In addition, it encourages you to ‘show some love’ to the designer. You can tip them using money via PayPal, and you can take a photo to ‘document’ your 3D print of their design, and you.

Final thoughts

I’m very impressed with the thought that’s been put into Thingiverse. I don’t know the history of the community, but it feels like something that has responded to users. In turn, I should imagine that when those who are regular users of Thingiverse come to purchase their next 3D printer, Makerbot will be top of their list. It’s a virtuous circle.

So there’s a lot to learn from here that we can apply to Project MoodleNet. I like the way that they make it easy for people new to the community. I love the ease by which you can use the fork-remix-share approach that developers are used to on GitHub, but many educators are still yet to discover. And I adore the way that they encourage users to ‘show some love’ to original resource creators, educating them on how to use openly-licensed content appropriately.