[PLEASE NOTE: This page was set up in the fall of 2001 and may no longer accurately reflect the setup of WebCT at UBC.]
Contents of this document - General Problems:
The WebCT web system is designed by WebCT and is used at many educational institutes for providing online courses. It organizes course content, bulletin boards, quizzes etc. The University of British Columbia (UBC) uses WebCT with many of its courses. This document describes several of the problems with one of the implementations of WebCT at UBC. I have only used WebCT hosted on 'orange', so other WebCT versions may be different. According to the IT Services WebCT info page, the 'orange' server is running WebCT version 3.1.3 and only 2 of the WebCT servers (orange and blue) are integrating UBC email usernames and passwords with their own authentication.
WebCT requires a user name and password to access individual course content. You are prompted for them by clicking the 'my WebCT login' button on the main screen and entering the user name/password in the pop-up dialog box. The web site uses the HTTP 'Basic Authentication' scheme, which is the most insecure log in method for user names and passwords over HTTP. The credentials are only base64-encoded, not encrypted, and the protocol makes it very easy for someone to 'grab' the login information in transit. This information is especially vulnerable on cable modem systems since anyone in your neighbourhood could easily 'sniff' your login information as it passes through the network. There is no warning anywhere on the WebCT website telling users to be cautious about logging in over insecure networks such as cable modems.
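To make the point concrete, here is an added example (not code from the original page or from WebCT) that parses a constructed HTTP request of the kind a browser sends after a Basic authentication challenge and reports whether the credentials are exposed to anyone who can read the traffic. The host name and the 'student' / 'secret123' credentials are invented for the example; the only thing the check needs to know is whether the request travelled over TLS.

```python
import base64
import binascii

# Constructed sample of the request a browser sends once it has answered a
# Basic authentication challenge. Host and credentials are invented for this
# example ('student' / 'secret123'); nothing here is a real WebCT account.
SAMPLE_REQUEST = (
    "GET /webct/public/home HTTP/1.1\r\n"
    "Host: webct.example\r\n"
    "Authorization: Basic c3R1ZGVudDpzZWNyZXQxMjM=\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into its request line and a
    dict of header names (lower-cased) to values."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit_basic_auth(raw, over_tls):
    """Classify the credential exposure of one request.

    Basic authentication merely base64-encodes 'user:password'; decoding it
    needs no key, so on plain HTTP anyone who can read the packets can read
    the password. Only TLS (https) hides the header from the network.
    """
    _, headers = parse_request(raw)
    scheme, _, param = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return {"scheme": scheme or None, "exposed": False}
    try:
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        # Still a Basic credential on the wire, just not one we can display.
        return {"scheme": "Basic", "exposed": not over_tls, "malformed": True}
    user, _, password = decoded.partition(":")
    return {
        "scheme": "Basic",
        "exposed": not over_tls,
        "username": user,
        "password": password,
    }


if __name__ == "__main__":
    for tls in (False, True):
        finding = audit_basic_auth(SAMPLE_REQUEST, over_tls=tls)
        print("over TLS" if tls else "plain HTTP", "->", finding)
```

Running it shows the same header classified as exposed on plain HTTP and as protected over TLS: the scheme itself never changes, only the transport does, which is why the fix is to serve the login over https rather than to change the dialog box.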
There are many alternative log in processes available. As far as I know, WebCT is the only UBC system where I am forced to log in insecurely with my UBC email user name/password.
Interestingly, WebCT support does not see these security issues as a particularly urgent issue. Their response to my enquiry was, "[WebCT administrators] have been discussing it and they are most likely going to implement the security features in the next version of webct." You can read the full transcript of my emails with the UBC WebCT Administrators.
WebCT uses the same user name and password as the UBC email system. While this means students have fewer user name/password combinations to remember, it does mean that any problems with WebCT result in problems with the email system. The section on log in security discusses how vulnerable the WebCT system is. If someone manages to 'grab' your WebCT user name/password, not only can they read all your marks on WebCT and post comments in your name on WebCT, they can also read all your UBC email and send email in your name from your interchange account.
While most students do not use their UBC email account in a secure manner (i.e. POP3 is not a secure protocol), it is possible to never have your UBC email user name/password pass unencrypted over the network. WebCT forces students to use their UBC email user name/password insecurely.
Since I could not persuade WebCT that they need to secure their log in process, I managed to persuade a WebCT administrator to give me a separate WebCT account not associated with UBC email. The administrator was not happy about doing this, saying, "The Netinfo ID [for UBC email] are specifically for these purposes." I am not sure what 'these purposes' refers to since I assume that using them insecurely is not what the administrator implied. I agree that having a single sign-on for UBC servers would be a worthy goal but do not think security needs to be compromised to achieve it.
WebCT does not have a log out procedure. Unlike most other web sites, there is no log out button. This means if you log in to WebCT and then leave the web site, anyone with access to your computer can access WebCT in your name, post messages, read your marks, etc. The only way to avoid this is to shut down your browser. (Due to integration between MS Internet Explorer and MS Outlook, you have to shut down both IE and Outlook.) There is NO warning message on WebCT about this risk. UPDATE: On November 23, 2001, a warning message was added to the WebCT welcome page telling users to shut down their web browsers.
Many security conscious web sites suggest you shut down your browser after using the site, but that is because the 'Back' button can be used to see what you did. In WebCT, not only can someone use the 'Back' button, they can also do things in WebCT as if they were you. The WebCT system has no idea whether it is the same person or not.
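The reason closing the browser is the only way out is that Basic authentication keeps no session on the server at all: the browser simply re-sends the cached user name/password with every request until it exits. The contrast below is an added example (not WebCT's code) of what a log out button needs behind it: a server-side session table where logging out deletes the entry, so a session id left in the browser, or replayed via the Back button, no longer maps to anyone. The 15 minute idle timeout is an assumption chosen for the example, and the clock is injectable so the expiry rule can be tested without waiting.

```python
import secrets
import time

# Assumption for this example: sessions expire after 15 idle minutes.
SESSION_IDLE_SECONDS = 15 * 60


class SessionStore:
    """Server-side session table with a real log out and idle expiry."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # session id -> {"user": ..., "last_seen": ...}

    def login(self, user):
        # A fresh unguessable id per login; the browser stores only this id,
        # never the password, so nothing worth replaying is left behind.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def logout(self, sid):
        # Remove the entry on the server: the id left in the browser is now
        # worthless even if the window stays open or Back is pressed.
        return self._sessions.pop(sid, None) is not None

    def user_for(self, sid):
        """Resolve a presented session id to a user, or None if it is
        unknown, logged out, or idle for too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > SESSION_IDLE_SECONDS:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]


def demo():
    """Walk through login, one request, log out, and a replay of the old id."""
    store = SessionStore()
    sid = store.login("macek")
    before = store.user_for(sid)
    store.logout(sid)
    after = store.user_for(sid)
    return before, after


if __name__ == "__main__":
    print(demo())  # ('macek', None)
```

The idle timeout covers the case the warning on the welcome page is about, a student who walks away from a public terminal without clicking anything: after the timeout the next click is refused even though the browser is still open.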
WebCT tracks which pages individuals visit and builds a personalized database of usage. Under 'Student Profile->Tracking Record' you can see a summary of which sections of the site you have visited including the date and time that you visited. See a sample of some of the information it tracks below (footnote 3).
UBC privacy policy falls under the BC Freedom of Information And Protection of Privacy Act since the university is considered a public organization. The Act states that the university can only collect information that "relates directly to and is necessary for an operating program or activity" (footnote 1). Also, the university must tell students "the purpose for collecting [personal information]" (footnote 2).
It is hard to understand how recording all previous activity on WebCT is "necessary" for the operation of WebCT or even how it could be used. Certain aspects, such as the last page you visited, might be required to implement the 'Go to last page' functionality, but storing the date and time of every access for each student goes way beyond that. Having aggregate information for the entire class could foreseeably be useful for improving the website by noticing which parts are being used and which parts are not.
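The two uses named above, 'Go to last page' and class-wide usage figures, can both be served without keeping a per-student history. The following added example (my illustration, not WebCT's code) takes access records in the shape of the tracking record reproduced in footnote 3 and reduces them to exactly those two things: per-page totals with no user ids or times, and one last-page entry per user. The user ids, pages and times in the sample are invented.

```python
from collections import Counter

# Constructed access log in the shape of the tracking record reproduced in
# footnote 3 (user ids, pages and times are invented for this example).
RAW_RECORDS = [
    ("macek", "Break Even Rate", "2001-09-29 15:07"),
    ("macek", "Break Even Rate", "2001-10-13 16:20"),
    ("s2", "Break Even Rate", "2001-10-01 09:00"),
    ("s2", "Course Outline", "2001-10-02 10:30"),
]


def minimize(records):
    """Keep only what the two stated purposes need: per-page totals for the
    course (no user ids, no times) and each user's last page (no history)."""
    page_hits = Counter()
    last_page = {}
    # Timestamps are ISO-style strings, so lexical order is chronological
    # and the final assignment per user is that user's most recent page.
    for user, page, _when in sorted(records, key=lambda r: r[2]):
        page_hits[page] += 1
        last_page[user] = page
    return {"page_hits": dict(page_hits), "last_page": last_page}


def retains_timestamps(minimized):
    """Check that nothing date-like survived minimization (a simple guard
    against someone later 'enriching' the stored record)."""
    values = list(minimized["page_hits"].values()) + list(minimized["last_page"].values())
    return any(isinstance(v, str) and v[:4].isdigit() and "-" in v for v in values)


if __name__ == "__main__":
    result = minimize(RAW_RECORDS)
    print(result)
    print("timestamps retained:", retains_timestamps(result))
```

The raw records are discarded once the two summaries are updated, so a later dispute over whether a student "had read the relevant section" cannot be settled from the system, because the information to settle it was never kept.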
It is easy to imagine situations where this tracking information could be abused. If you post a question on the bulletin board about a homework assignment, the professor or TA could possibly check if you had read the relevant section of the course material before answering your question. If you do poorly on an exam and question the fairness of certain questions, the professor could check if and when you had looked at the relevant sections of the material. A policy statement, laying out what this tracking information is being gathered for, is required.
A quick search of the WebCT portal and course pages reveals that there is no privacy policy or contact information for policy information except for a generic 'student' help information email address. This lack of information appears to violate the requirements of the BC Privacy Act.
To resolve the issues I have mentioned above, there are several things the WebCT administrators at UBC should do:
If you are a UBC student who is forced to use WebCT for your courses, there are several things you can do.
I hope that as more people become aware of these issues, IT Services might be more inclined to do something about it.
To discuss any of these issues or for more information, contact me. I put together this document to point out what I feel are major problems with the current implementation of WebCT at UBC. If any of my points mentioned above are in error or have been addressed I will be glad to hear about it and will immediately update this document.
I am a senior year student at the University of British Columbia who is currently required to use WebCT for one of my courses. [at the time this website was created in the fall of 2001. - AM]
Alan Macek
1 - Section 26 of the Freedom of Information and Privacy Act (the entire Act can be found here)
26 No personal information may be collected by or for a public body unless
- (a) the collection of that information is expressly authorized by or under an Act,
- (b) that information is collected for the purposes of law enforcement, or
- (c) that information relates directly to and is necessary for an operating program or activity of the public body.
2 - Section 27.2 of the Freedom of Information and Privacy Act (the entire Act can be found here)
27.(2) A public body must tell an individual from whom it collects personal information
- (a) the purpose for collecting it,
- (b) the legal authority for collecting it, and
- (c) the title, business address and business telephone number of an officer or employee of the public body who can answer the individual's questions about the collection.
3 - Example of Tracking Information:
Full Name: Allan Macek
User ID: macek
First login: Sep 23, 2001 08:52
Last login: Oct 13, 2001 16:29
Total number of accesses: 119
Last page visited: Break Even Rate
History of Content Pages Visited by Allan Macek (macek)
Page Name | Time of Access
2 Break Even Rate | Oct 13, 2001 16:20
1 Break Even Rate | Sep 29, 2001 15:07
Important Security Information for WebCT Users (Orange) If you are using a public terminal, or any computer where others have access, it is very important to close your Web browser at the end of your session. This will terminate your connection to WebCT, preventing unauthorized access to your course information.