Tag Archives: cybersecurity

The dark side of using ICTs in education

Much evidence has been adduced to suggest that ICTs enhance not only the quantity but also the quality of education and learning; those selling such technologies have skilfully created an atmosphere where it is usually unquestioningly assumed that ICTs do indeed have a beneficial impact.  However, the opportunity to undertake research recently for UNICEF on the future of ICT use in education provided me with the chance to explore some of the darker aspects of such use, and I summarise my thoughts here to encourage a more balanced approach to discussions about ICTs and education.

In recent years there has been an increasing amount of evidence that sheds doubt on the claimed benefits of ICTs for education, and also highlights their limitations and dangers (see for example UNICEF’s recent report on Children in a Digital World).  Four themes are particularly pertinent:

  • doubts about the overall efficacy of ICTs in enhancing learning;
  • the distractions that they provide;
  • their use for behaviours intended to harm children; and
  • the increasingly blurred interface that they create between humans and machines

Do ICTs necessarily improve learning outcomes?

One of the first major studies to examine the overall impact of ICTs on learning outcomes was an OECD report in 2012 that concluded that “Overall, the results of the estimates presented in this report point to a generalized negative correlation between the use of ICT (in terms of either intensity or deviations from the mean) and PISA test scores”. The authors were very cautious about their findings, and PISA scores are only one measure of learning, albeit a one that many governments treat very seriously.

More recently, the OECD has produced a comprehensive report on Students, Computers and Learning, that also questions the overall impact that ICTs have on learning.  This shows that the exposure of children to computers in schools varies considerably between countries and within countries.  Most significantly, though, it concludes that the use of computers does not seem to be an important factor in explaining the variation in student performance in mathematics, reading or science as reflected in the PISA scores.  The report concludes (p.15) cautiously that “the connections among students, computers and learning are neither simple nor hard-wired; and the real contributions ICT can make to teaching and learning have yet to be fully realised and exploited”.

One important conclusion from this and associated research is that if poorer countries outside the OECD invest substantially in the use of ICTs in schools there is no guarantee that it will improve traditionally defined learning outcomes.  Moreover, it seems evident that ICTs by themselves do not necessarily have a clear and positive impact on learning outcomes.

Other research has gone further and shown that many educational skills, especially relating to memory, are not as good when using ICTs as when using more traditional methods.  Kirschner and Neelan have thus reported that handwritten notes are much more effective for learning than those made using a digital device, and Mangen et al. have also shown that students who read texts in print score significantly better in reading comprehension than do those who read them digitally.  Much more research is needed about the impact of different methods, particularly with and without ICTs, on the learning achievements of children.

Mobiles as distractions

A decade ago, in the early days of mobile devices, it was often argued that bring-your-own devices could be a means of enabling schools to introduce ICTs without having to expend large amounts on hardware. Such schemes have been widely criticised because of the inequalities that they can perpetuate, but an increasing amount of evidence is available to suggest that the use of mobile devices in classrooms also has a negative impact on children’s learning, especially because of the distractions that they cause.  Much of the opposition to mobiles in classrooms comes from frustrated teachers and parents, and finds its expression in popular news media.  Headlines in mainstream media such as “Schools ponder classroom ban on ‘distracting’ mobile phones” (The Times) are increasingly common. This is closely related to concerns about the digital distractions that are now seen as harming labour productivity later in life.

There is a growing body of research that supports such general concerns.  In a ground-breaking study, Kuznekoff and Titsworth, for example, have shown in a small-scale study that university “Students who were not using their mobile phones wrote down 62% more information in their notes, took more detailed notes, were able to recall more detailed information from the lecture, and scored a full letter grade and a half higher on a multiple choice test than those students who were actively using their mobile phones”. Likewise, in a survey of schools in four English cities, Beland and Murphy have shown convincingly that student performance in high stakes exams significantly increases after mobile ‘phones have been banned, and the these increases in performance are generally driven by the lowest-achieving pupils.  As a result, they suggest that restricting mobile phone use in schools can be a low-cost way to reduce overall educational inequalities.

In the light of such general concerns, several countries have sought to prohibit the use of mobiles in schools.  In much of China, secondary pupils in boarding schools are only permitted to use their ‘phones for short periods each day, and they are not allowed to use them in classes.  Likewise, a decision by the French government to ban mobile ‘phones in school from September 2018 has received widespread publicity.  Reasons for the ban include a general concern about the health implications of children regularly using ‘phones before the age of 7, about the desirability of them physically playing in breaks rather than just being on their devices, and the perception that they cause distraction during lessons.  It is salient to note that attempts to introduce a similar ban in New York City in 2006 largely failed, and it was lifted in 2015.

The dark side of digital devices: addiction, bullying and harassment

UNICEF’s important review Children in a Digital World, highlights three forms of digital risk to children: content, contact, and conduct.  In particular, it emphasises the threats of cyberbullying, online child sex abuse and exploitation.

In most instances, when children use ICTs in schools they are usually subject to some kind of control or supervision.  However, when they are outside school, they are very much freer to use such technologies, despite the potential control measures that some parents seek to impose.  Hence, it is very easy for children to be subject to abuse or harassment from their peers and others once they have left the confines of their schools.  This raises important questions about the relative balance of responsibility between schools and parents in helping children grow up safely in a digital world.

In all uses of ICTs in education, it is essential that the highest priority should be given by schools to:

  • The secure management of children’s data;
  • Digital relationships between teachers and pupils, especially on social media;
  • Behaviours of children online, especially to one another; and
  • The potential for external individuals or organisations to influence children in their care.

Above all, though, it is essential that schools provide extensive training for children in the wise use of digital technologies, covering not only the above  requirements but also issues around critical thinking relating to information on the internet, the use of search engines, social media, privacy, and all aspects of their interface with ICTs.  These need to be balanced, and stress both the positive potential of ICTs alongside their dangers and threats.  Schools cannot do this alone, and there needs to be extensive collaboration between governments, companies, civil society, and parents, but schools are very well-placed to be the central point through which such education and training are provided.

Increasingly, national governments are providing regulations as well as guidance for schools about keeping children safe online at schools and at home.  The UK, for example, announced new measures to tackle this in 2015, requiring all schools to have in place filters and monitoring systems to prevent access to potential harmful material, and to ensure that children are taught about online safeguarding.  Many poorer countries, though, do not have such systematic regulations in place, and there is an urgent need for all governments to create systems of support for schools to help them share good practices relating to child online protection.  It is also important that examples of good practice are widely shared, and sources such as those provided by the European Commission’s Better Internet for Kids service platform, and the ITU’s guidelines on child online protection should be more widely known and acted upon.

Globally, there is insufficient awareness of the significance of many of these issues (see for example the work of the UK-based Internet Watch Foundation).  Whilst overt bullying, harassment and exploitation are becoming increasingly discussed, insufficient attention has been paid until recently on the rising impact of digital addiction on children.  South Korea, for example, sees Internet addiction as a national health crisis, with there being an estimated 2 million addicts, most of whom are children or young adults.  It is estimated that one in ten South Korean children is a digital addict and there is increasing evidence that excessive screen time is damaging developing brains.

Recent warnings in the UK likewise highlight the addictive dangers of giving children smartphones, with a third of children between 12 and 15 admitting that they have difficulty balancing their use of smartphones with other aspects of their life. A particularly worrying aspect of this addiction is the normalisation of sexting, whereby young children are convinced into believing that sending nude pictures of themselves us completely normal.  One survey reported in 2017 has suggested that around two-thirds of primary teachers said they were aware of pupils sharing inappropriate sexual material.

Responsibility for this addiction, and how best to deal with it, are topics that require detailed consideration by all those interested in education.  The design of social media platforms is thus increasingly being seen as problematic, and gives rise to considerable debate.  It has, for example, been claimed that Facebook was explicitly designed as an addictive form of social media, which exploits a vulnerability in human psychology through its social-validation feedback loop.  Others, though, see the value that such social media platforms offer, and suggest that only a relatively few people become seriously addicted to it.  Most recently, following the launch of Messenger Kids for children under 13, a group of 100 leading academics, practitioners and organisations have written an open letter to Facebook claiming that young children are not ready to have social media accounts, that it will increase the amount of time young children spend with digital devices, and that the app’s overall impact on families will be negative.

Moreover, there is also growing evidence that the recent rise in depression amongst people born after 1995 in the richer countries of the world, and especially the USA, can be directly linked to the dramatic increase in smartphone use since 2012.  Twenge, for example, has found that teens who spent more than 5 hours a day online were 761% more likely to have at least one suicide risk factor than were those who spent only an hour a day online.

Another general issue that requires further discussion is the use of children’s data by companies providing educational services.  All data are potentially hackable, and school generated data are often seen as being particularly vulnerable because of lax cybersecurity.  In 2017, high profile hacks in school systems across the USA brought the ease of this, as well as the damage that it could cause, to public awareness. UK school systems have also been targeted with relatively simple scams that defraud them of large sums of money. More worrying is the vast amount of data that governments and companies, such as ClassDojo, gather on a regular basis through digital educational systems and platforms, especially relating to examination performance and children’s personal backgrounds.

Cyborgs and transhumanism

A final, and much deeper, ethical question that also needs to be considered is the ways through which the use of ICTs in schools may be influencing the long-term relationships between humans and machines.  The notion of cyborgs, organisms that combine organic and biomechatronic parts and have enhanced abilities through the integration of components that rely on feedback systems, has been discussed heatedly since the 1960s. However, the rapidity of recent technological development has meant that some now see all human life as inevitably becoming more entwined with that of machines.  Elon Musk, the serial scientific inventor and business magnate, has thus argued that humans must indeed become cyborgs if they are to stay relevant in a future dominated by artificial intelligence, and he is not alone in his thoughts.  Such life-changing rhetoric requires vociferous challenging by those who do not wish to see such a future, and it is important that there is a balanced and open debate about transhumanism and the desirability of humans becoming cyborgs.

Those with pacemakers, artificial limbs and cochlear implants, are already combinations of machine and humans, and companies such as Calico, a business within the Alphabet group that also owns Google, are already undertaking research that will use technology to enable people to lead much longer and healthier lives.  Those who wear “fitbits” that transmit their bodies’ physical data to companies that then use it to generate revenue from marketing or insurance are already virtually cyborgs.  It will not be long before more people start arguing for humans to be chipped with their digital identities just like their pets, so that they no longer have to have physical biometric identity cards. Transhumanism (also known as H+) is an extreme form of such thinking that seeks to transform humans by using technology to enhance human intellect and physiology.  Companies such as Kernel are seeking to develop a wave of new technologies that will be able to access, read and write from the human brain.  Even if most people reject the extremes of H+, the general argument that ICTs should be used to enhance humans is now becoming much more widely accepted than it was previously.

This has very significant implications for education systems, especially in terms of the ways that humans store and process memory.  Children are increasingly relying on digital memories, especially access to the Internet or the memories on their digital devices.  They are also being encouraged to use their brains for skills other than merely acquiring knowledge, although good traditional education systems were never merely about simple knowledge acquisition as is often claimed.  We know that brains adapt remarkably quickly to their environments, but insufficient research has yet been done on the systematic way through which ICTs are changing brain function.


This is the third in a series of short summaries of aspects of the use of ICTs in children’s education across the world based on my work for UNICEF (the first was on Interesting practices in the use of ICTs for education, and the second was on Why we don’t really know very much about the influence of ICTs on learning and education).  I must stress that these contain my own opinions, and do not in any way reflect official UNICEF policy or practice.  I very much hope that they will be of use and interest to practitioners in the field.  The original report for UNICEF contains a wealth of references upon which the above arguments were based, and will be available should the report be published in full.



Filed under cybersecurity, Education, ICT4D, ICTs, Transhumanism

Ten things not to do when developing national cybersecurity policies

The Commonwealth Telecommunications Organisation held its 2015 Cybersecurity Forum on 22nd-24th April at the BT Centre in London.  During this, several of us thought it would be an interesting idea to draft a set of ten “not-to-do” things relating to various aspects of cybersecurity, and the first to be prepared (by Stuart Aston, Mike St. John-Green, Martin Koyabe and myself) is on ten things not to do when developing cybersecurity strategies.

We have deliberately focused on the “not-to-do” approach because we feel that such lists can serve as very useful simple reminders to people. As a check-list of negatives, they act as salient caviats for all those involved in developing cybersecurity strategies.

Our “don’ts” should be easy to remember:

  1. Don’t blindly copy another’s Cybersecurity strategy
  2. Don’t expect everything in your strategy to be under your control
  3. Don’t expect to remove all risks
  4. Don’t delegate your strategy to the IT experts
  5. Don’t focus your team only on the threats and the technology
  6. Don’t develop your strategy in a security bubble
  7. Don’t develop your strategy in a government bubble
  8. Don’t overlook the needs of your diverse stakeholders, particularly your citizens
  9. Don’t cover just the easier, tactical quick wins
  10. Don’t expect to finish after the first year

The full version of the recommendations, which includes the positive things that need to be done alongside the negatives, can be downloaded by clicking on the image below:

Ten things not to doDo print this off and share with colleagues you know!  I very much hope that it will act as a useful checklist for all those involved in cybersecurity policy making.

Leave a comment

Filed under Commonwealth, ICT4D, Politics

On “cyber” and the dangers of elision.

The use of the word “cyber” to refer to all matters relating to computers and the Internet has become ubiquitous.  Hence, the terms “cyberspace”, “cybergovernance”, “cybersecurity”, “cybercrime”, “cyberporn” and many other “cybers-” are commonplace, and feature prominently in current rhetoric about ICTs and governance of the Internet.

This has always made me uneasy for two basic reasons:

  • the original meaning of “cybernetics” had little to do with computers; and
  • there is a real danger of elision of meaning, when people use one cyber-word to refer to what other people use another cyber-word for.

A blog is no place for a detailed exegesis on these matters, but I have so often been asked about my views on them that I thought I would briefly summarise them here.

The meaning of “Cyber”
The word “cyber-” is usually seen as being taken from the concept of  “cybernetics”, which itself is derived from the ancient Greek κυβερνήτης, meaning steersman, pilot, or governor.  Hence, “cyber'” is fundamentally to do with governing or steering.  It is used in this sense to refer to the governance of peoples in the First Alcibiades, usually ascribed to Plato.

Cybernetics in its modern form came to be used in the first half of the 20th century to refer to control systems in biology, engineering, applied mathematics, electronics and other such fields, and so was always a very much broader concept than just relating to the field of computing.  As a discipline, cybernetics emerged in the late-1940s and 1950s, especially in the USA, the UK and France, championed by people such as Norbert Wiener and John von Neumann.  The importance of this is to emphasise that in origin, and even until very recently, “cyber-” has been associated with a very broad field of intellectual enquiry, across many disciplines, focusing especially on systems and their control mechanisms.

It therefore seems to me to be inappropriate for the term to have been appropriated quite so aggressively in the field of digital technologies, ICTs and the Internet, first because it causes confusion, and second because in some instances it is tautologous:

  • with respect to confusion, why do we need to speak about terms such as cybergoverance, cybersecurity and cybercrime, especially when there are other terminologies already in existence, such as e-governance, Internet governance, computer crime?  As discussed further below, the lack of consensus and agreement on terminology is problematic.
  • second, though, and of much more concern, it seems to me that the notion of cybergoverance is fundamentally flawed because it is tautologous.  If “cyber-” in essence is to do with governing, then all “cybergovernance” means is governing governance.

There have been many detailed critiques of the use of “Cyber-” in other fields, with Mark Graham’s critique of concepts of cyberspace in the Geographical Journal, being particularly useful.  However, few people have sufficiently emphasised this tautology in the notion of “Cybergoverance”.

Dangers of Elision
When concepts are used in such a slippery way, with meanings being appropriated and adapted so frequently, there is a considerable danger of misunderstanding, overlap, and ultimately of failure to deliver on practical action.  Moreover, behind every use of a concept there is also an interest.  This is very well illustrated by confusion over the terms cybergoverance, cybersecurity and cybercrime (or even cyber-goverance, cyber-security and cyber-crime).  All too often they seem to be used interchangeably, and there really must be clarity of meaning and understanding of such terms if progress in reaching consensus on these very important issues is to be made.  One person’s cybercrime is another’s cybersecurity, and an initiative set up to focus on just one aspect can readily seek to expand into another, thereby causing confusion, duplication of effort, and indeed mistrust.

Although, for the reasons above, I think that the term “Cyber-” should no longer be used at all with respect to work on the Internet, digital security, computer crime and the like, because it is far too broad, I recognise that unfortunately it is now in such common use that this plea will fall on deaf ears.  There are powerful interests who like this ambiguity, and wish to use such terms for their own ends!  Hence, let me offer a simple structure whereby some clarity might be injected into the discourse.  At least for me, there is a nested hierarchy of such terminology:

  • “cybergovernance” (ugh, the tautology still hurts me) should be used (if at all!) for the overarching notion of governance of ICT systems, including concepts such as Internet governance and e-governance;
  • “cybersecurity” can be seen as a subset of cybergoverance, and should be used to refer to all aspects of security with respect to ICT systems.  The concept of “cyber-resilience” can be seen as being closely allied to this, and might actually be a better term, since it is more positive, and takes away the sense of threat around security and the role of the military.
  • “cybercrime”, accordingly, is a subset of cybersecurity, focusing just on the aspects of criminality with respect to the use of ICTs.

Of course there is overlap between these terms, because fully to understand cybercrime, one needs to have a knowledge of cybersecurity, and to understand and act on that one needs to consider wider cybergoverance issues.

My preference is to abandon the use of this “Cyber-” terminology altogether and to use clearer more specific words for what we are talking about and seeking to implement.  Then, we might actually make some progress in ensuring that the poorest and most marginalised can indeed benefit from the potential of ICTs.  However, if these terms continue to be used, let’s first try to reach some better agreement on their bounds and contents.  Cybergovernance, cybersecurity and cybercrime are categorically different concepts, and the interests that seek so often to elide them need to be challenged!


Filed under Commonwealth, ICT4D

Passwords, PIN numbers and cybersecurity

Ever since one of my websites was hacked a few months ago, I have taken a much more personal interest in issues of cybersecurity.  Whilst I have spoken and written many times on the subject, it is only when things really affect you in a personal way that you begin to gain different understandings of the issues.  It represents a shift from a theoretical understanding to a practical one!

I thought I knew most of the various recommendations concerning password and PIN security, and that I had indeed followed them.  However, no digital system is ever completely secure, and the level of sophistication now being used by those intent on stealing identity data, particularly with respect to banking information, is becoming very much more sophisticated.

There are many well known organisations providing advice and recommendations, such as Sophos, Symantec and Kaspersky Lab, but there are rather few places where all of this information is brought together in a single place.  The level of insecurity, and the apparent disinterest among vast numbers of people in doing much about their digital security is not only surprising, but is also deeply concerning.  So, in this posting, I have tried to bring together some of the more interesting observations that have recently been made about passwords and PIN numbers, in order to try to persuade people to take action on this really rather important topic!

Most popular PIN codes and iPhone passcodes
There are numerous articles on the most popular PIN codes – in other words the ones that no-one should actually use! One of the best is Daniel Amitay‘s experiment, where he used Big Brother’s passcode set up screen as a surrogate to estimate iPhone passcode usage, and discovered that the top ten codes listed below represented 15% of all passcodes used:

  1. 1234
  2. 0000
  3. 2580
  4. 1111
  5. 5555
  6. 5683
  7. 0852
  8. 2222
  9. 1212
  10. 1998

None of these are surprising, given that they represent easily remembered structures around the keypad. The passcode 1998 features because it is a year of birth and as Amitay goes on to point out other birth years also feature highly among passwords.

What is perhaps even more worrying is that research by Sophos in 2011 suggested that 67% of consumers do not even use any passcode on their ‘phones, so that a passer-by can access all of the information on the ‘phone without even having to bother to hack the code.

Four digit codes are also commonly used by banks to enable customers to access money through cashpoint machines (ATMs).  Research summarised by Chris Taylor (on Mashable) notes that 27% of people use one of the top 20 PINs for their banking, with the most popular number (1234) being used by a massive 11%.  The top 20 PIN codes he lists are as follows:

  1. 1234 (10.7%)
  2. 1111 (6.0%)
  3. 0000 (1.9%)
  4. 1212 (1.2%)
  5. 7777 (0.7%)
  6. 1004 (0.6%)
  7. 2000 (0.6%)
  8. 4444 (0.5%)
  9. 2222 (0.5%)
  10. 6969 (0.5%)
  11. 9999 (o.5%)
  12. 3333 (0.4%)
  13. 5555 (0.4%)
  14. 6666 (0.4%)
  15. 1122 (0.4%)
  16. 1313 (0.3%)
  17. 8888 (0.3%)
  18. 4321 (0.3%)
  19. 2001 (0.3%)
  20. 1010 (0.3%)

Chris Taylor goes on to comment that although there are 10,000 possible combinations of four digits, 50% of people use the most popular 426 codes!  As he says, “Pick up an ATM card on the street, and you have a 1 in 5 chance of unlocking its cash by entering just five PINs. That’s the kind of Russian Roulette that’s going to be attractive to any casual thief”.

There is therefore  really quite a high probability that even without watching someone enter their PIN number and then stealing the card, or using sophisticated technology to ‘crack’ someone’s PIN code, criminals would have a pretty good chance of accessing someone’s bank account just by using the most popular codes above.  The implication for users is clear: use a PIN code that is not among the most common!

The situation is scarcely better with passwords that people use for their online digital activities. Numerous surveys have all pointed to the same conclusion, that a very small number of passwords continue to be used by large numbers of people.  These change a bit over time, and vary depending on cultural context and country, but the message is clear.  Even without sophisticated programmes to crack passwords, those wishing to access personal information can achieve remarkable success just by trying to use the most common passwords!  The most common passwords, in other words those to be avoided, are listed below:

Splashdata 2012

Sophos Naked Security 2010, based on leaked Gawker Media passwords












































































A slightly more sophisticated approach is that adopted by those wishing to break into networks by testing them automatically against a much larger number of different passwords.  One of the best publicised accounts of this was the Conficker worm, which used the passwords in the chart below to try to access accounts (Sophos, 2009):


Again, this clearly indicates that considerable care needs to be taken in choosing passwords, and ensuring that they are at the very least more complex than those listed above.

Tips to reduce the risk of fraud through mobile devices and digital technologies
Much has been written about sensible advice for reducing the risk of fraud through mobile passcodes, banking PINs and online login passwords.  Such tips will never eliminate really determined people from hacking into your identity, but a few simple steps can at least make it more difficult for the less determined.  These include:

  • Always secure your ‘phone with a PIN code, or better still a password (iPhone users can do this simply in Settings>General>Passcode Lock).  This will help to prevent all of your contacts, photos, e-mails and other personal information being accessed immediately by anyone who picks up your ‘phone.
  • Reduce the time before your ‘phone automatically locks so that it is as short as possible, preferably no more than a minute
  • Always use complex passwords, that preferably include lower case and upper case letters, numbers and special characters
  • Use passwords that are at least 8 characters and preferably more than 12 characters in length
  • Frequently change your passwords at random intervals, so that possible hackers are unaware when to expect changes
  • Use different passwords for different accounts, so that if one password is ‘broken’ this will not permit access to your other accounts
  • Think about using a service that tests the strength of a proposed password (such as The Password Meter, Microsoft’s password checker, or Rumkin’s strength test) – for the hyper-security-conscious person, it is probably best to do this from a computer other than your own!
  • Never, under any circumstances give your passwords or PIN codes to other people

Ultimately, passwords and PIN numbers are just part of a wider defence needed against digital theft.  Human action, be it using the ‘phone in an unsafe public place or unfortunately responding to a phishing attack, is still the cause of much digital grief.  As I write, Sophos has just for example reported a phishing attack through a security breach on the Ethiopian Red Cross Society’s website purporting to be a Google Docs login page.

If the worst happens, and you do lose a ‘phone there are at least two important things to do:

  • Ensure you have software on the ‘phone that can enable you to track it (as with the Find My iPhone app, or for Android ‘phones there are apps such as Sophos’ Mobile Security app)
  • If there is no chance of getting the ‘phone back, then remotely delete all of its content as swiftly as possible, remembering that if it has been backed up on a laptop or cloud facility, then all of the data can be restored at a later date.

Working together, and sharing good practices in personal digital security we can do much to help reduce digital identity theft.


Filed under 'phones, ICT4D general