Whether you care where your data goes or not, it’s safe to say our world has become increasingly digitalised. When Critic Te Arōhi asked 623 students if they felt they had a good understanding of how their data is used online, 52% admitted that they had “no idea”. Only 11% felt that they thought they knew, with a further 37% reckoning they had “some understanding”. Out of 513 students, only 27% felt that how their data was used online was something that interested or concerned them, with another 27% saying that they “really didn’t care” about how their data was used.
Despite it all, the majority of students do seem to care about where their data goes, given that 46% indicated that they’d like to know more. Given the increasingly digital environment we operate in, the short answer to where your data goes is “everywhere”. However, what we can do is think about the institutions and agencies we interact consistently with, and evaluate how our data is used by them. After that, we can begin to question why our data is used in that way.
Generation Z are commonly referred to as “digital natives”. It is widely regarded that we are the first cohort of students to grow up with widespread, accessible technology. For many, our digital interactions first began in primary school, where getting your pen license was swapped for typing games on the classroom Chromebooks. We were issued school emails for the likes of Google Classroom, passwords for learning platforms, and portals to submit our assignments. Schoolyard friendships forged groupchats instead of playdates, trading boardgames for onlinelobbies. The COVID-19 pandemic further accelerated a shift toward online education, with digitally driven and distance learning becoming increasingly mainstream. Academic qualifications, programmes and degrees are easier to earn without ever setting foot in a physical classroom. The digitalisation of learning was fueled by its own successes, introducing a plethora of benefits that greatly increased access to education. The University of Otago is one of many educational institutions that embraced this acceleration to the digital.
The use of technology within educational settings has now graduated beyond a mere enhancement to learning, and rather places itself as a prerequisite to progression throughout education. It’s a far cry from the paper and pen exams our parents sat, or the days of begging your classmate to please send through the notes for a lecture you needed to skip – but it all seems so normal now. Perhaps part of being a “digital native” is a lack of critical evaluation of the digital world around us, given it's all we’ve ever been a part of. The large institutions around us end up knowing a hell of a lot about us, all through the constant interaction and use of online platforms owned and operated by those institutions. The price for use of online tools generally is your own personal data, which doesn’t just disappear. Your data persists, but you don’t own it – the institutions that collect it do. But it’s still information about you – information that could be used to influence the way that you think and behave. It’s worthwhile trying to keep up with where it all ends up, given tech is so embedded in nearly every aspect of our lives.
What The University Collects and Why
The University of Otago is one example of an institution that knows our personal data as students. Like any other institution that gathers personal data, the University has a privacy statement. A privacy statement sets out what personal information an agency will collect and what they will use it for. The statement basically communicates this information to individuals to ensure that they’re aware of the ways in which their personal information is being used.
The Privacy Commissioner defines personal information as “information about an identifiable individual”. That’s any information that tells us something specific about an identifiable person. So, for example, your student ID number. That’s information about you because it’s a number linked to you. Even though your student ID number doesn’t name you, it can still be used to identify you.
If you Google through the hoops to find the University’s privacy statement, they outline three broad ways they collect your personal information. The first way is when you give it to them yourself. For instance, when you do your enrolment and application process to become a student at Otago. They may also collect information from third parties, such as your high school marks. The third source is personal information that is generated using University services, such as use of Aoroa, or use of their wifi.
For every instance of collection of personal data, there’s a corresponding purpose of collection. Generally, personal information is collected for the purposes of carrying out the University’s “operations, functions and activities”.
Some of the purposes for collection are obvious, such as considering applications for study, or enabling academic progression. The University has to collect some information out of contractual and legal necessity too, like to comply with health and safety requirements, provide services requested of the University or to meet obligations under the Education and Training Act.
The Privacy Statement specifically outlines our rights (drawn from the Privacy Act) in relation to our personal information. You can ask the University for a copy of the personal information they have processed, and to correct any information that you think is wrong. You can also request for your personal information to be erased if it is no longer needed, or you have withdrawn your consent. Erasure will depend on whether the University accepts your objection to the processing of your information, and if they have no other lawful basis for retaining it. You can’t really force them to give it up, but you can ask nicely.
Aoroa – Otago’s Learning Management System
We all know about our new learning management system (LMS). Aoroa, powered by Brightspace, replaced LMS Blackboard. Alongside Evision (soon to be Aonui), Aoroa is critical in ensuring students can oversee, manage and interact with their degrees. It’s where we submit our assignments, find the lecture readings and engage in discussions.
Using an LMS is nothing new. As previously mentioned, we’ve been learning within a digitalised educational framework for a while now – all throughout primary, up until tertiary, and then beyond. Given that we interact with this LMS on the day to day, it might be worth having a think about how much it knows about you.
To learn some more about how our LMS operates with regards to our personal info, Critic Te Ārohi consulted Professor Tim Cooper, the Dean of Learning and Teaching at Otago University. Compared to Blackboard, Tim told us that Aoroa has “increased learner-analytics” functionality that was not previously available. These analytics are commonly known as “learner insights”. Brightspace, through your interactions with Aoroa, keeps track of a whole bunch of learner insights and activity information. Insights include log-ins and course access times, time spent in course areas, access to content such as lecture notes and readings, quiz and test activity, whether students have viewed feedback on assignments or quizzes. If you’re a little on the backfoot with readings, Aoroa would know that too. Reading lists show how many times an item was accessed and the approximate time spent viewing a reading.
Tim assured that the data collected were “simple indicators of digital activity”, which help the University understand patterns of engagement. As we discovered accidentally, students can actually view a snapshot of the data that is being collected about them under the ‘My Progress’ tab in Aoroa. Look on the right side of your Aoroa Home Page for the progress tab. It contains sections for Content Visited, Course Access, System Access, Discussions (posts read, replied to and authored), to name a few. According to Tim, we were a bit behind the information gathering curve, as “every other university in New Zealand already uses these tools.”
Some features are specific to online lecture recordings. Echo360, Otago’s video management platform, derives learner insights in the form of number of views and total viewing time of lectures, whether recordings were watched live or later, participation in video polls (if used), whether slide decks appended to recordings were viewed and whether students placed ‘confusion flags’. You might have also noticed that watching lectures on Aoroa via Echo360 requires students to allow cookies and/or cross site tracking, as it interferes with Echo360’s functionality. Additionally, various forms of ad-blockers or “wide-spectrum blocking programs” can interfere with Echo’s ability to collect accurate viewing data for media. “This can result in you not receiving proper credit for watching videos on our platform,” Echo360’s site explains. “We certainly want our users to be able to block unwanted ads or user tracking on their browsers. But we strongly suggest you disable these blocks for the EchoVideo domain.” It’s another example of how complex tech requires our personal info to function, and a side effect of an increasingly digitalised education.
Tim explained that the primary purpose of Aoroa’s data collection is to support students. It helps the lecturers to plan teaching, as well as giving the University a heads up to reach out to those that are struggling. “International evidence shows that early, supportive outreach to students who may be disengaging, for reasons such as illness, anxiety, financial difficulty, or housing instability, can significantly improve wellbeing and academic success,” Tim explained. “Our aim is to be able to identify these patterns early and offer help, not to surveil students.”
The ability to access all of these insights are strictly monitored and governed by the University’s data-security and privacy policies. To break it down, course lecturers are given access to a limited view of data for the papers they teach and administer. The Student Experience team is granted access to a subset of information to support individual students that may be struggling. Digital Services, who manages Aoroa, has access to everything, but cannot access student activity without strict authorisation. The data is not used for “surveillance purposes” or to “disadvantage students in any way”, including judging students, enforcing discipline or penalising people for the way they study.
When asked if the University would ever consider the insights about lectures watched or readings complemented in an application for an extension or special considerations, the short answer was “no”. “Information from the LMS would not be used when considering an application for an assessment extension or for special consideration,” Tim continued. Those kinds of decisions are based solely on “documented personal circumstances and their impact on the student”, and not on “digital engagement patterns.” A small caveat here would be circumstances in which IT data logs could be used to verify issues where students reportedly have had IT and access issues to digital systems, “in support of applications.”
Additionally, Aoroa does not record data relating to in-person learning, a student’s notes, tutorials and labs. According to Tim, the insights reflect “only one small part of student learning”, and are “one indicator among many”. In fact, Critic talked to one student who was emailed by their paper staff due to analytics showing that they hadn’t looked at any course material for two weeks. So, if you’re a crammer, or went into the exam without watching a single lecture, you won’t get in trouble. However, that data is still collected, and it’s not exactly like Aoroa is shouting its collection capabilities from the metaphorical Richardson rooftop to students.
University Websites and Applications
When you visit University public facing websites and applications (anything ending with an otago.ac.nz), you may volunteer your IP address, domain name, address of your server, the type of browser and operating system you’re using, the date and time you’re visiting, the pages you access and documents you download. Furthermore, you may show the sites you visited before accessing University sites, access details for restricted websites and any other information you provide via online forms, surveys, and so on. Bit of a mouthful.
This data is primarily collected through cookies – a small text file that is sent to your browser from the University’s web server. While the University uses some of their own cookies, they also use third-party cookies, such as the Google Analytics cookie. According to the privacy statement, third party cookies are used to “improve our services, enhance your online experience with us, maintain the secure connection between your browser and our servers while you are using our websites, and for marketing purposes”.
According to Tim, the University undertakes digital advertising activity aimed at raising awareness of the study options, degrees, majors, pathways, events, and key information relevant to prospective and current students. By using data related to page visits or engagement with content, the data is primarily used for “aggregated reporting” and, in some cases, to “retarget audiences who have previously engaged with University content in order to provide them with relevant information.”
Policies regarding profiling, advertising and marketing are sprayed all over the Privacy Statement. The statement explicitly says that the University may share personal information with marketing service providers, such as Facebook, Google (the University’s chosen data processor) and The Trade Desk so they can “deliver personalised ads to you on various platforms and devices… To help you see ads about things we think you will be interested in.”
Additionally, “with your consent” upon enrolling, the University uses your school email to create a Unified Identifier. A Unified Identifier is a special identifier assigned to an individual user which allows the University to track their behaviour across connected devices, like a codename. The fascinating thing about a Unified Identifier is that it can be used by advertisers to recognise us across all of our devices: laptop, tablet, phone, desktop, connected TVs – you name it. This means targeted advertising can be delivered across our whole network of devices, so long as you are signed in using your email and disguised with that Unified Identifier. “This allows advertisers to create a more complete picture of a user's interests and preferences, which can be used to deliver more relevant and personalised ads,” the privacy statement reads. Unified Identifiers also allow the University to generate aggregated insights about their audiences, including in relation to their location and demographics, “but these will not identify individuals.”
This means the University can send us advertising online, via social media, mail, email or text message, to provide us with ads that are “more relevant” based on our interactions with University sites. Tim explained that this ‘retargeting’ of audiences that had previously engaged with University content is meant to make us aware of study options, programmes and pathways that we may never have found on our own. He said that the intent of this advertising is not to “profile or influence individual student’s personal education records or academic activity”, but rather to “support awareness and discovery.”
Tim also confirmed that although the University uses Google as their data processor, they do not provide any personal student data to third parties. This includes any student data from Aoroa/Brightspace, which is not used for any advertising purposes. It also does not make any profit from providing data to marketing service providers. Basically, the University is not selling our data. It’s just giving our data to these companies to produce advertising relevant to us.
Maybe you don’t think this sounds too bad at all. Data collection appears to basically be confined to the use of the University’s websites and applications. Maybe it’s a good thing to have personalised ads, interacting with an internet curated just for you. It can be really helpful to be in the know about what the University has on offer for you, delivered right in front of your face. Ignorance can be bliss – but not in the rat race.
Putting It All Together
No matter how you feel about the amount of data education systems and services like Aoroa or otago.ac.nz collect on you, you may still wonder if you could opt out of it all. The advertising and the constant collection, for better or for worse, may seem extensive.
In theory, the University gives you an out: just install the “Google Analytics Opt-out Browser Add-on”. However, if you do so, it may restrict your ability to access some web pages, and the statement isn’t super clear on what this means. You also have to download a file onto your computer. If nothing else, the collection of your data appears to be the default.
Furthermore, even if you just let it happen, the data you give over will still stick around. While the Privacy Act encourages agencies not keep information for longer than is reasonably necessary, the length of time the University stores this collected information depends on the type of personal information collection. For example, the Public Records Act requires the University to retain our degree certificates and academic transcript forever, which makes sense given that we rely on universities to validate certifications, especially if we head overseas. Scholarship awards and programme enrolment typically needs to be held for a minimum of 7-10 years. Additionally, some pieces of legislation such as the Education and Training Act 2020 makes some personal information mandatory to supply to the University, so you wouldn’t be able to get out of that one.
In terms of everything else, the Privacy Act requires that the University retain “other personal information” only for as long as necessary for a legitimate purpose. Tim told us that would include personal information in the LMS. But if we think back to the University’s purposes for collecting information in the first place, such as “[managing] recruitment, marketing and fundraising activities”, maintaining an “engaged community of students, alumni, and donors” and “[monitoring], [evaluating] and [improving] our performance and effectiveness, and the quality of our services”, things kind of get muddy again.
Maybe the real gag of this all is that you can’t really escape or opt out of this all if you want a tertiary education, at least in Aotearoa. And that’s just some data collection, from one place that you voluntarily signed up to be a part of. Forget about education – think about other agencies, such as supermarkets, which you need to visit. Consider loyalty programmes, and memberships. All of your data ends up somewhere, and it can be a little hard to decode all of it based on a Privacy Statement that goes on for pages. Even though you might consent to that collection by ticking some box somewhere, actually understanding what you were giving over and whether saying ‘no’ was a practical option for you is a separate matter.
Living without tech is pretty hard unless you smash all your devices and live on a mountain cursing technology for the rest of your days with zero friends. But there was once a time of paper tests, unrecorded lectures, ‘brick’ phones and computers, and when “cookie” referred to a sweet treat, not a data collection tool. At some point, something changed. And now, the reason why we are in an age where personal information has become so critical to the use and continued survival of technology is more important than ever to examine.
The Rise and Use of Online Personal Information
Let’s take a short break to consider some tech history. For starters, computer use only became normal and widespread in households during the mid-to-late 1990s. While personal computers (PCs) first started gaining momentum in the late 1970s, growing into the 1980s, the explosion of the internet, the launch of Windows 95, and lower costs for PCs made them a near-necessity for home and schoolwork by the end of the 90s. With the PC boom, other companies began wanting to hitch a ride off of what was looking to be the best invention since toast.
Created in 1998, one such company was a budding search engine, called Google. According to Shoshana Zuboff, the author of The Age of Surveillance Capitalism, Google started off quite humbly, collecting data on their users’ searches. This information wasn’t stored, but was used to continuously improve its services for the sake of its users. It was like a loop: Google kept track of what you Googled, so you could Google better next time.
However, what comes up pretty much always comes down. In 2001, people realised all the hype about the rising use of the Internet was kind of just that – hype. Stocks invested in the newfound internet peeled away like a landlord special in a mouldy bathroom, revealing overvalued companies lacking profits or viable business models. There wasn’t much real capital (money) behind any of it, leading to a massive market crash. For tech startups like Google, it was time to sink or swim – and more capital was their life jacket.
Google made a gamble and decided to try to increase advertisement revenue by leveraging its analytical abilities and repurposing the information they held about users’ searches to match with keywords. While the information collected from searches had been pretty much a waste beforehand (only used to improve their users’ experience), Google had just created something that would change how personal data is used forever. Google repurposed the data to deliver personally tailored targeted advertising, and that small gamble made them a lot of fucking money. Advertising suddenly got a whole lot smarter. Through Google, advertisers could reach their target audience directly. The capital came from the user information.
Changing what was previously thought to be data ‘waste’ into revenue was fucking genius, and nowadays targeted advertising is pretty much the norm. You’ll see it everywhere – one search online about shoes will miraculously cause a Platypus ad to play before you watch a YouTube video. Or, in a University setting, a visit to a Master’s in Zoology page for example, means it pops up on the side of the website you visit next. That surveillance of your activity and collection of information meant Google’s revenue went from $86 million in 2001, to $3.2 billion in 2004. And that’s where the continued survival of technology became so dependent on personal information.
What Does This Mean For Me?
For any Politics students reading this, you may notice a few familiar features to the Google story. Karl Marx noticed that nothing good seems to stick around for free if a profit can be made off of it, like labour. Just like how most of the Western world survives off of the surplus profit that can be made through labour, the tech world figured out that it could survive from the surplus profit that could be made through personal data. This is called surveillance capitalism. The mining, storing, and analysing of private user data which is packaged into commercial products is bought and sold, often occurring without our explicit consent – or even our knowledge. And just like how it’s pretty damn hard to get out of capitalism generally, it’s hard to get out of globalised surveillance capitalism.
There are three main practices surveillance capitalism employs to remain purposefully hard to understand and hard to get out of. Firstly, surveillance capitalism uses free-to-use services, such as social media. In doing so, the surveillance capitalist gains access to loads of behavioural data that you consent to giving over by using the platform (when you likely blindly agree to the terms and conditions). Secondly, the surveillance capitalist encourages the shifting of physical, in person socialisation to digital socialisation, which means giving over your behavioural data becomes a prerequisite to engage with society. Thirdly, surveillance capitalism entrenches and rewards early adopters of surveillance. Surveillance capitalists get bigger and better through the virtuous cycle of data collection.
Circling back to the fact that 52% of students said that they had no idea about what their data is used for, we don’t actually blame you. Again, given how challenging it was to unpack the University’s privacy statement, imagine how hard it would be to unpack every privacy statement that impacts you. It’s exhausting. And that’s a good thing for anyone who’s in the business of data – perhaps surveillance capitalism wouldn’t be doing so hot if everyone realised what it actually meant. The opaqueness pays off.
However, the University of Otago is not an outright surveillance capitalist. They lack the direct information-to-profit pipeline surveillance capitalists employ. While they use your information to target advertising, our data is not provided or sold to third parties for a profit. While it could be argued that the advertising leads to people enrolling and spending money on degrees at Otago, that’s just advertising. As Tim said, “the intent of this advertising is not to profile or influence individual students’ personal education records, or academic activity.” Learning insights are not used to surveil you.
But more broadly, it’s worth noting that the price we pay for having the entire internet at our fingertips is that every single search, page we view, time we spend on a certain webpage is data which can be collected and sold to advertisers. Surveillance capitalism has done pretty well at tricking users into thinking that use of social media platforms is a free product, the best way to engage with society. It turns out that us, the users, were actually the product all along.
As put by Shoshana Zuboff, the most major author of surveillance capitalism literature (we did our research), technology (smart phones, watches, rings, laptops, social media, Alexa’s, ChatGPT) were all a Trojan horse. And once that Trojan horse made it beyond the walls of our society, something was waiting within – disguised and ready to embed itself. Within the shiny technological horse was surveillance capitalism.
The defining feature, the reason why surveillance capitalism is incapable of destruction, is that it flows through the same channels that we rely on to exist in society. Remember that a key feature of surveillance capitalism is that it posits itself as a prerequisite to engage with society by shifting everything to the digital. And yeah – that’s what it's become. You have to use technology, and technology uses you right back.
The University of Otago is a place of learning, a pathway to get your degree, and also a part of a twenty-first century world that has embraced surveillance capitalism with open arms. The point is not whether it’s a good or bad thing. Rather, we have to understand that surveillance capitalism and the use of our data exists all around us, and opting out isn’t really an option. The key to mitigating these effects is being able to see how it affects you. By knowing where our data goes, and how it’s collected, we have some authority over the process. We can challenge the opacity of the system that’s become embedded in our lives.
