It’s no secret that Kopano is critical of proprietary software solutions. Digital sovereignty is our top priority, and all Kopaneros and Kopaneras work every day with verve to implement it. That is why articles like this one in the FAZ do not leave us untouched. On the one hand, we are glad to see our assumptions and hypotheses confirmed. On the other hand, we are annoyed that digital sovereignty is progressing so slowly or, as in the current case, is even being hindered.
Microsoft is not for schools
“Microsoft is too risky for schools” is the headline of the FAZ, referring to MS 365, the Microsoft cloud solution that was increasingly used for distance learning in schools during the Corona pandemic. Baden-Württemberg had launched a pilot project based on it in the autumn of 2020, which was strongly supported by the former Minister of Education and Cultural Affairs, Susanne Eisenmann. Even before it began, the project drew criticism not only from data protection advocates, but also from a number of organizations such as the state student association, the state parents’ association, the state teachers’ association and the philologists’ association, which published a joint statement against the use of MS 365. The core criticisms were, in addition to the inadequate data protection situation, one-sided media education and a lack of digital sovereignty (source: https://www.swr.de/swr2/wissen/baden-wuerttemberg-kein-platz-fuer-microsoft-an-schulen-100.html).
In his current press release of 07 May 2021, Baden-Württemberg's data protection commissioner, Stefan Brink, now officially advises against MS 365:
“BildungsplattformBW: LfDI advises against the use of the tested version of Microsoft Office 365 at schools due to high data protection risks – alternatives should be strengthened”.
In this context, it is interesting to note that the version tested was not the standard version of MS 365, but a solution configured especially for school operations. In other words, not even in this special version can MS 365 offer a sufficiently sovereign solution.
Specifically, the following points were examined:
- Remedial measures to minimize the risks of the Microsoft software.
- Measurability of data flows during pilot operations (detectability of unwanted or unsolicited data processing, e.g., telemetry, diagnostic (or otherwise designated) data)
- Detectability of processing of personal data of teachers and students for Microsoft’s own purposes
- Data leakage to third countries outside the scope of the GDPR
- Possibilities to restrict access by the provider or third parties through secure encrypted communications
According to the assessment of the data protection officer, the responsible schools (controllers according to Art. 4 No. 7 GDPR) have complete control over neither the overall system nor the US software provider. Furthermore, they “…cannot sufficiently understand what personal data is processed, how and for what purposes, and they cannot demonstrate that the processing is reduced to the minimum necessary for that purpose.”
Brink does not rule out the hypothetical possibility that further modifications to the product could lead to legally compliant use, but this does not seem feasible with Microsoft:
“However, it has not been possible to find such a solution in recent months, even after intensive cooperation and with a high level of personnel input.”
False assumptions and blind spots
People concerned with digital sovereignty should not be surprised by this assessment; on the contrary. What always strikes us in this context is that the virtually universal use of Microsoft in business enterprises is cited as a positive reference for its suitability in other areas. Brink, too, assumed that “what has proven itself over decades in businesses and administrations should actually also work smoothly in schools.” (Source: FAZ article).
At this point, it should be critically noted that just because something appears to be tried and tested in constant use does not mean that it is good or secure. According to my observations, the decision to use Microsoft products in the company is not an active and reflected decision. It seems to be more of a herd behavior: People do it because they don’t know any other way, because the products have been on the market for so long, because they lack knowledge of alternatives. As an employee, you normally have no say in the operating system or office software. That’s why you have to fit into the existing infrastructure. The shared swearing about Office products sometimes even strengthens the feeling of team spirit among colleagues.
It is therefore understandable that economic sectors are now criticizing the results of the data protection commissioner. It does save time and money if students are already familiar with Microsoft products. Their knowledge is of direct benefit to companies.
However, awareness of digital dependency is growing, especially among a younger generation that is concerned about its future and prefers to set up companies itself rather than being employed. A responsible school should therefore not make itself a supplier to the economy.
In other words: No dependence on software from a single supplier in system-relevant structures such as administrations, schools and universities!