We’re back to two articles again this week, both about transparency. First up, the Canvas breach and the human face of what's stored inside an LMS. Second, another report on tuition pricing transparency and the contradiction sitting underneath the sector's response to it. Third, three new Sparks about AI, ED investigations, and career “pathways.” 

Canvas Hack 

From ‘PAY OR LEAK’: Hackers Target Big Higher Ed Vendor | Inside Higher Ed 

Instructure has been breached (twice!) by ShinyHunters, a criminal hacker group.   

Our Thoughts  

Yikes! I wrote a response to this original news article on Wednesday, and the hackers struck again before we could even get this week’s issue posted. It seems unlikely that anyone is unaware of these cyberattacks at this point. Not only has it made the national news, but there’s also already a Wikipedia page about it. As this story is unfolding, there might even be an update before we can get this post live on our website.  

While various news sites cover the breach itself from a technical perspective, I want to talk about the human side of the story. First, though, this is not going to be a Canvas bashing post. It didn’t earn 41 percent of the LMS market by being a bad product. This isn’t even going to be about Instructure as a company. I’ll let those smarter than me decide whether Instructure should have done something differently to prevent these attacks. Which raises a real question: what does it mean for our sector when we concentrate this much information with one vendor?  

Learning management systems are a rich source of data, perhaps more so than many people realize. Learning analytics researchers have spent the past couple of decades figuring out how to mine LMS log and trace data because it captures so much of what students do that other systems don’t see. Essentially, almost every interaction in the system is tracked. This is in addition to rich data the LMS itself contains (grades, submissions, course materials, etc.). Given the wealth of information held by the LMS, it's unsurprising that a hacker group would seek to monetize that exposure. PII is part of what they're after, but the messages, the conversations, and the relational data layered underneath the names and email addresses are arguably what make this breach different from one that exposes only student records. 

Like I said, I want to talk about the human face for this story. Now, most of the news and the Instructure press releases will focus on how the breach was contained and whether any PII was taken. What gets missed in that frame is the kind of information that lives inside an LMS that doesn't show up on a regulatory disclosure. A student emailing her professor at 11 p.m. to explain that her father is in the hospital and she can't make tomorrow's deadline. A faculty member documenting an accommodations conversation with a student who didn't want it formalized through the disability office. A discussion-board post a student wrote in a first-year seminar about their experience in foster care, intended for a class of fifteen people and a professor they trusted. None of that is PII in the technical sense. All of it could end up on a leak forum, and once it does, no software patch removes it from public view. And the unintended consequences for those individuals are unknowable.  

The deeper issue isn't just what's in the LMS. It's how completely we've allowed the LMS to become the classroom itself over the last decade. When I started in higher education, the LMS was where you posted a syllabus and turned in an occasional paper. Today, faculty design entire courses inside it, even when those courses happen in person. The LMS contains discussion boards full of personal student writing, peer reviews where students give each other honest feedback under their real names, recorded synchronous sessions with full transcripts, integrated publisher tools that track which textbook pages a student opened and for how long, and direct messaging that has replaced email. Additionally, every supplemental tool now has to integrate with the LMS to be usable, which means that as the integrations multiply, the potential data available to bad actors expands each academic year. The LMS isn't a tool that simply supports the classroom anymore; for many faculty and students, it has become an extension of the classroom (or in some cases, the classroom itself).  

What does all of this mean going forward? The LMS is too entrenched in many courses to walk away from, and few campuses have the operational capacity to develop their own homegrown system. But this situation calls for reevaluating our relationship with the LMS and treating it the way we treat any system that holds genuinely sensitive information. That means reminding faculty and students about the types of information that should and shouldn't be there, and auditing what's been accumulating in a system you've had for ten or fifteen years. It's also about the specific people whose private conversations are sitting in a vendor's database waiting to be exposed next: the student who disclosed a family illness, the one who wrote about being in foster care, the faculty member who handled an accommodation off the books. Narrowing what's in the system now is the most concrete thing we can do for them before the next breach forces the issue. This data is already gone; the next batch is still up to us. 

Sticker Pricing (Again) 

From Confusing College Pricing Sows Mistrust in Higher Ed | Inside Higher Ed 

A new report from Strada finds that students and their families struggle to understand the true cost of higher education, weakening their trust in institutions. 

Our Thoughts  

Regular readers know I have repeatedly discussed and called for greater price transparency in our sector. Here’s another article reporting on research that yet again shows how damaging tuition discounting is to the public’s perception of higher education. Fewer than half of students and parents say they trust colleges to charge them a fair price, and the more confusing they find the financial aid process, the more likely they are to believe institutions care more about making money than educating students. That’s a sobering result from the Strada Education Foundation report.  

I don’t want to rehash previous arguments I’ve made about this topic. Instead, I want to focus on something related, but far more interesting (at least for me). On the same day the news article ran, IHE also published an opinion piece by three enrollment management leaders. In that piece, the authors named the trust problem directly and proposed a student-centered set of principles designed to address this issue. The principles are endorsed by ACE, AACRAO, NACAC, NASFAA, and others, which is a meaningful coalition. The authors are honest that institutions can't coordinate on actual prices because of antitrust risk, so the principles coordinate on what information families receive and when, rather than on price itself. On the surface, this seems like positive progress. 

Last week, though, Hechinger's Meredith Kolodner reported on a bipartisan bill that would have added real clarity to the financial aid process for students and families and just got gutted in Congress. The original bill required one standard financial aid offer letter, like a nutrition label, that families could use to compare costs across schools. The revised bill keeps standard definitions for terms like "loans" and "grants" but strips out the requirement that all institutions use the same letter format. The reason it got stripped, according to the reporting, is that college associations lobbied against it. The same associations whose endorsement gives the new principles their weight are the ones who just successfully blocked the most concrete consumer-protection fix on the table. What does that say about how serious the sector is about transparency? 

That contradiction, though, is not a reason to dismiss the principles, which are better than nothing. However, we should be honest that they are a softer alternative to what was on the table. Too often, we lean on institutional autonomy and mission diversity as a shield whenever standardization comes up. That’s not to say that campuses aren’t different. A small private liberal arts college isn't a regional public, isn't a community college, isn't an R1, and forcing identical practices across that variation produces real harm. But "we're all different" is also an argument we use to avoid doing something hard, and it prevents our sector from making real progress that would positively impact students.  

Look, trust isn’t built by what we say we value. Trust is built by our actions. Voluntary principles let institutions opt in and out or declare their own version of compliance. That’s the appearance of accountability without the substance of it, and families know the difference. We had an opportunity to give families one thing they've been asking for, but we lobbied against it. The next report on public trust will tell us what that cost.   

Sparks 

• Another Undergrad Is Trying to Disrupt College With AI. He Says His Version Isn’t Cheating. (The Chronicle of Higher Education) - A student at the University of Notre Dame has developed another app designed to view a student’s course materials in Canvas. I feel like we’ve read this somewhere before. Again, dear students, difficulty is part of the learning process. The whole point is that you leave college changed by the work, and not just credentialed by it.
• Why We Are Suing the Department of Education (ProPublica) - ProPublica is suing the Department of Education because ED will not make public a list of schools and colleges it is investigating for possible violations of students’ civil rights. The substantive issue is that this information has always been publicly available. It's how the public knows which investigations are being prioritized and which institutions are under scrutiny. 
• Do career ‘pathways’ work? Delaware offers early clues (The Hechinger Report) - A new report tracked 6,000 Delaware students who enrolled in a high school "pathways" program and found fewer than half stayed on the same track after graduation. If pathways are supposed to channel students into specific career fields, the early evidence is that students don't stay channeled. Worth watching as more states pour money into the model.