Add course-level & account-level permissions for LTI installation

  This idea has been developed and deployed to Canvas

 

         
  Idea open for vote Wed. August 3, 2016 - Wed. November 2, 2016  Learn more about voting...

Currently, all users with editing access to a course site (via the course-level and account-level "Manage all other course content" permission) have the ability to install a third-party LTI tool within a course. This setting bundles together Modules, Collaborations, LTI, Home Page, Chat, Attendance into a single permission.

 

Unlike all the other content types included in this permission, which are all native to Canvas, LTI tools have the ability pass through a great deal of student data to a third-party site. This can create legal risks around FERPA and other laws related to student records and privacy.

 

Currently, some universities use Javascript in order to suppress the options to add an external app when a page is rendered within Canvas. However, this does not have any impact on a user's ability to add an LTI tool, and they can still do so via workarounds including importing a course archive that already has the tool enabled.

 

Adding granularity to this permission would allow institutions to better fulfill their obligations to protect the privacy of student data, and make decisions locally about who should have the ability to install tools that pass student information outside of Canvas.

 

        

  Comments from Instructure

 

For more information, please read through the Canvas Production Release Notes (2016-11-19)

30 Comments
Chris_Munzo
Partner
Partner

My company, Alliance Partner - AspirEDU​, provides an LTI application that does access and store student data.  However, the school does sign a contract with us detailing data protections.  While you are technically correct that "This can create legal risks around FERPA and other laws related to student records and privacy," I would imagine that every contract signed by your school that gives such access would have gone through a legal review.  I'm not aware of any systems that could access student data without legal permission by the school.

I would suggest that this request be amended to strike wording about legal issues between third-party applications and schools, and focus solely on how Canvas handles permissions.  Those are two markedly different issues.

stevenwilliams
Community Participant

Hi, Chris:

You stated above that "I'm not aware of any systems that could access student data without legal permission by the school." However, Canvas currently allows all users with editing permission in a course site to add LTI tools to a course; these tools then have the ability to pull personally identifying information (such as name, email address, etc.) into their systems in order to manage user accounts and information in the external tool. Some schools have taken steps to reduce the risks surrounding this, such as using Javascript to hide the "Add App" button, but Canvas does not currently offer any permissions for institutions to restrict which users should have this ability.

This ability for instructors to add third-party tools -- without them having gone through the legal, privacy, security, and accessibility reviews associated with a formal contract -- creates risks. As I mentioned in the related feature request I submitted ( ), institutions should have a clearer way to disclose to users when they are accessing a tool that has not been reviewed by their institution, and ideally could exempt tools (such as yours) that have gone through a formal review and are bound by their institution's usual policies around user privacy and security.

Stef_retired
Instructure Alumni
Instructure Alumni

 @stevenwilliams , wouldn't schools be able to use the EduApps whitelist to manage this? How do I manage an Edu App Center whitelist in Canvas?

kmeeusen
Community Champion

Hi  @Chris_Munzo ​ and  @williamsst ​

The permissions idea is a great addition, but I have some reservations about limiting faculty use of tools. stefaniesanders​ suggestion is a very good one, as it only limits access to tools that have not yet been vetted by the school. I see this primarily as a policy and training issue, and strongly advocate for faculty training in the QM Standards as I mentioned in your companion idea Steven. School policy should address this issue, and the policies should include faculty training, better informing of students in how their personal information may be shared and used, and better vetting of all instructional tech.

I too am a strong advocate of FERPA and the protection of student privacy rights. FERPA permits the sharing of student information when supported by student instructional needs, and does not mandate the limiting of valid instructional tools when other FERPA obligations are met in conjunction with those tools.

KLM

Chris_Munzo
Partner
Partner

Steven --

I'm not a highly technical guy, so maybe someone smarter than me can comment.  But to my knowledge, LTI is a display-only integration.  Popping up a YouTube screen is an LTI integration -- display-only.  To actually retrieve data from a school's instance of Canvas, we have to access the Canvas API, which means you would have to have issued an access token to us, which means the school is giving permission for us to get that data.  We can't get a bit or byte of data from you without that access token.

My solutions are not student-facing.  The reason I'm commenting on this is that as a partner, I do not want users to see a big red "warning" button when they're using my solution.  That runs counter to the eco-system that Canvas has created.

stevenwilliams
Community Participant

My institution uses whitelisted apps, which display on the Apps tab of the setting page -- however, instructors can then proceed to click View App Configurations and Add App to add any LTI tool to their course, whether or not it has been reviewed by our campus or Instructure.

stevenwilliams
Community Participant

Hi, Chris -- as demonstrated by  @brent_shaw ​ in his Instructurecon 2016 session LTIs and FERPA, the various LTI configuration options have the ability to pass through a great deal of personally-identifying information to a vendor. (I'm hoping Brent will share his slides, and the tool he built to display all the various fields associated with LTI configuration.) This can be functionally useful for a third-party tool to know who is accessing it and from what context, but can also pass through quite a bit of additional information about the user to the third-party vendor.

This permission would support institutions' ability to determine who should have the ability to pass user information through from Canvas, and allow individual schools to decide whether this should be allowed for teachers or only for  administrators.

Renee_Carney
Community Team
Community Team

This idea will open for voting with the August cohort.  We are exploring permissions that allow admins to restrict or allow a role to have access to the 'add app' button and the LTI configuration 'edit' button.  Please be sure to provide clear use cases, in the comments of this thread, if you are voting it up.

mark_b_jones
Community Novice

I wanted to voice my agreement with Steven, and to point out that the 'whitelist' feature is misleading in that implementing whitlisting does not actually prevent the use of LTIs not on the list.  This feature should be renamed or be changed such that it actually limits what can be installed.

biray
Instructure Alumni
Instructure Alumni

This idea has moved to the next stage and will be open for voting among the Canvas Community, from Wed. August 3, 2016 - Wed. November 2, 2016.

Check out this doc for additional details about how the voting process works! Smiley Wink