Victoria’s Department of Education is extending its monitoring of internal traffic from staff devices to student devices in a number of schools.
The extension will cause Zscaler SSL root certificates to be installed not only on school-provided devices, but also on student personal devices if they connect locally to a school network.
The certificate allows student browser traffic to be decrypted for inspection, while the connection still appears to the user to be protected by HTTPS.
A ministry spokesperson told iTnews that Zscaler is disabled in situations where the device connects remotely to the school network, such as downloading an assignment from home.
However, the spokesperson declined to comment on whether Zscaler monitors staff traffic from home or when the policy was first implemented.
“The Department uses the Zscaler application on all Department-owned computers and devices as a cloud-based security measure when accessing the Internet,” the spokesperson said.
“This certificate acts as an additional security measure by helping to determine if a website is safe to open while using the school internet.”
“The health and safety of all staff and students is the Department’s top priority. This includes online security.”
The Department told iTnews a privacy impact statement had been prepared but declined to publish it or summarize the details.
Organizations use Zscaler to monitor users’ web browsing and online activity, protect against the deliberate or accidental transmission of confidential data, and detect malware hiding in HTTPS traffic.
Cenitex, a Victorian state-owned ICT shared services provider, launched a deployment of Zscaler’s secure cloud platform for the IT services of 36,000 civil servants in 2019.
Gartner Principal Analyst Bjarne Munch told iTnews: “The increase in remote working also means an increase in cloud-based applications, which also requires always-on security solutions.”
“In order to better control who can access specific applications and have access to various types of Internet content, we are also seeing an increased focus on access to the zero-trust network, as this enables individual security policies,” said Munch.
Electronic Frontiers Australia Chairman Justin Warren told iTnews that Zscaler creates as many security threats as it solves and is a serious breach of student privacy.
“Treating 17-year-olds like they’re five is not a good approach, and it’s not a good way to teach someone about their privacy and how to take their own risk decisions.”
Warren said students should be trained in security awareness and that organizations opt for surveillance instead of more effective protections against phishing and downloading malware.
“Don’t give everyone the domain admin, make sure all your systems are auto-patched, update your systems, use application whitelisting, use encryption instead of breaking it like Zscaler does.”
“We’re not saying students should be allowed to have free access and do whatever they want, but that also depends on their age.”
“They said they monitor ‘inappropriate content’, what are the monitoring mechanisms? Who decides what content is allowed on the system? What transparency is there regarding blocked content?”
Warren gave the example of how “LGBT issues are consistently flagged by content monitoring systems as inherently sexual when they are not.”
Unlike Victoria’s Department of Education, NSW’s Department of Education uses Zscaler’s SSL inspection at home, but not on student devices in schools.
The NSW department entered into a $1.1 million contract in July 2020 to use Zscaler’s private access network to allow company personnel to remotely connect to the Department’s network as part of its response to the Covid lockdowns.
“ZPA logs user access activity, consistent with cybersecurity best practices when enterprise users access the enterprise environment remotely,” a NSW Education Department spokesperson told iTnews.
The Department told iTnews there are currently no plans to extend Zscaler use to students.
“An in-depth analysis of Zscaler has been undertaken, including privacy and cybersecurity aspects.”