cancel
Showing results for 
Search instead for 
Did you mean: 

Add course-level & account-level permissions for LTI installation

Add course-level & account-level permissions for LTI installation

  This idea has been developed and deployed to Canvas

 

         
  Idea open for vote Wed. August 3, 2016 - Wed. November 2, 2016  Learn more about voting...

Currently, all users with editing access to a course site (via the course-level and account-level "Manage all other course content" permission) have the ability to install a third-party LTI tool within a course. This setting bundles together Modules, Collaborations, LTI, Home Page, Chat, Attendance into a single permission.

 

Unlike all the other content types included in this permission, which are all native to Canvas, LTI tools have the ability pass through a great deal of student data to a third-party site. This can create legal risks around FERPA and other laws related to student records and privacy.

 

Currently, some universities use Javascript in order to suppress the options to add an external app when a page is rendered within Canvas. However, this does not have any impact on a user's ability to add an LTI tool, and they can still do so via workarounds including importing a course archive that already has the tool enabled.

 

Adding granularity to this permission would allow institutions to better fulfill their obligations to protect the privacy of student data, and make decisions locally about who should have the ability to install tools that pass student information outside of Canvas.

 

        

  Comments from Instructure

 

For more information, please read through the Canvas Production Release Notes (2016-11-19)

28 Comments
Chris_Munzo
Community Champion

My company, Alliance Partner - AspirEDU​, provides an LTI application that does access and store student data.  However, the school does sign a contract with us detailing data protections.  While you are technically correct that "This can create legal risks around FERPA and other laws related to student records and privacy," I would imagine that every contract signed by your school that gives such access would have gone through a legal review.  I'm not aware of any systems that could access student data without legal permission by the school.

I would suggest that this request be amended to strike wording about legal issues between third-party applications and schools, and focus solely on how Canvas handles permissions.  Those are two markedly different issues.

stevenwilliams
Community Participant

Hi, Chris:

You stated above that "I'm not aware of any systems that could access student data without legal permission by the school." However, Canvas currently allows all users with editing permission in a course site to add LTI tools to a course; these tools then have the ability to pull personally identifying information (such as name, email address, etc.) into their systems in order to manage user accounts and information in the external tool. Some schools have taken steps to reduce the risks surrounding this, such as using Javascript to hide the "Add App" button, but Canvas does not currently offer any permissions for institutions to restrict which users should have this ability.

This ability for instructors to add third-party tools -- without them having gone through the legal, privacy, security, and accessibility reviews associated with a formal contract -- creates risks. As I mentioned in the related feature request I submitted ( ), institutions should have a clearer way to disclose to users when they are accessing a tool that has not been reviewed by their institution, and ideally could exempt tools (such as yours) that have gone through a formal review and are bound by their institution's usual policies around user privacy and security.

Stefanie
Community Team
Community Team

 @stevenwilliams , wouldn't schools be able to use the EduApps whitelist to manage this? How do I manage an Edu App Center whitelist in Canvas?

kmeeusen
Community Coach
Community Coach

Hi  @Chris_Munzo ​ and  @williamsst ​

The permissions idea is a great addition, but I have some reservations about limiting faculty use of tools. stefaniesanders​ suggestion is a very good one, as it only limits access to tools that have not yet been vetted by the school. I see this primarily as a policy and training issue, and strongly advocate for faculty training in the QM Standards as I mentioned in your companion idea Steven. School policy should address this issue, and the policies should include faculty training, better informing of students in how their personal information may be shared and used, and better vetting of all instructional tech.

I too am a strong advocate of FERPA and the protection of student privacy rights. FERPA permits the sharing of student information when supported by student instructional needs, and does not mandate the limiting of valid instructional tools when other FERPA obligations are met in conjunction with those tools.

KLM

Chris_Munzo
Community Champion

Steven --

I'm not a highly technical guy, so maybe someone smarter than me can comment.  But to my knowledge, LTI is a display-only integration.  Popping up a YouTube screen is an LTI integration -- display-only.  To actually retrieve data from a school's instance of Canvas, we have to access the Canvas API, which means you would have to have issued an access token to us, which means the school is giving permission for us to get that data.  We can't get a bit or byte of data from you without that access token.

My solutions are not student-facing.  The reason I'm commenting on this is that as a partner, I do not want users to see a big red "warning" button when they're using my solution.  That runs counter to the eco-system that Canvas has created.

stevenwilliams
Community Participant

My institution uses whitelisted apps, which display on the Apps tab of the setting page -- however, instructors can then proceed to click View App Configurations and Add App to add any LTI tool to their course, whether or not it has been reviewed by our campus or Instructure.

stevenwilliams
Community Participant

Hi, Chris -- as demonstrated by  @brent_shaw ​ in his Instructurecon 2016 session LTIs and FERPA, the various LTI configuration options have the ability to pass through a great deal of personally-identifying information to a vendor. (I'm hoping Brent will share his slides, and the tool he built to display all the various fields associated with LTI configuration.) This can be functionally useful for a third-party tool to know who is accessing it and from what context, but can also pass through quite a bit of additional information about the user to the third-party vendor.

This permission would support institutions' ability to determine who should have the ability to pass user information through from Canvas, and allow individual schools to decide whether this should be allowed for teachers or only for  administrators.

Renee_Carney
Community Team
Community Team

This idea will open for voting with the August cohort.  We are exploring permissions that allow admins to restrict or allow a role to have access to the 'add app' button and the LTI configuration 'edit' button.  Please be sure to provide clear use cases, in the comments of this thread, if you are voting it up.

mark_b_jones
Community Member

I wanted to voice my agreement with Steven, and to point out that the 'whitelist' feature is misleading in that implementing whitlisting does not actually prevent the use of LTIs not on the list.  This feature should be renamed or be changed such that it actually limits what can be installed.

biray
Community Champion

This idea has moved to the next stage and will be open for voting among the Canvas Community, from Wed. August 3, 2016 - Wed. November 2, 2016.

Check out this doc for additional details about how the voting process works! Smiley Wink

dsheryn
Community Member

It would be great if Brent could share his slides for the benefit of those of us who weren't able to participate originally 🙂  Thanks.

brent_shaw
Community Participant

Thank you for your kind words Steve and David.  You can find my slides at https://reach.ucf.edu/shaw/instructurecon2016/

Even though I'm the guy that did the "FERPA and LTIs" talk about how much personally identifying information (PII) LTIs can send to 3rd party systems, I'm loath to block instructors from adding their own LTIs to individual courses.

A brief talk with a Canvas developer (who shall remain nameless because it was an informal conversation) who had a great idea - when a user clicks through an LTI, display the information being sent and perhaps allow the user to prevent selected data elements from being sent (ie an opt out of sorts).

It's important to understand that builders of LTIs can do everything they need to with the "Anonymous" setting (including grade pass back) that does not send what most schools would consider PII.  (I can't see anyone reasonably thinking the Canvas ID is PII.)

I've got to believe there are better solutions to issues surrounding FERPA and LTIs beyond just saying "NO!"  Preventing access to LTIs is the easy way out.

Cheers,

Brent

stevenwilliams
Community Participant

Thank you for sharing your slides,  @brent_shaw ​!

At InstructureCon 2015, I saw a demo of the LTI 2.0 spec that included an "Android-like" screen that automatically displayed when an instructor added an LTI tool to their course, showing the specific permissions and information that would be passed through to the tool (Android example: http://www.androidcentral.com/sites/androidcentral.com/files/articleimage/684/2012/02/permissions/gm...​). Since then, it sounds like work by Instructure and vendors on supporting the LTI 2.0 spec has slowed a bit, but I'm hopeful that the emergence of this standard will better support instructor understanding of the permissions required by any particular tool.

chriscas
Community Champion

I'll upvote almost any requests that have to do with adding more granular permissions to Canvas, including this one.  The LTI and FERPA session at InstructureCon was enlightening and has me thinking about a formal approval/vetting process for LTIs here (especially at an the account level).

John_Lowe
Community Champion

I plugged this idea in my recent blog post - The Need For Privacy: FERPA and Title IX .

ronmarx
Community Contributor

Great idea! Instead of commenting on my own, I simply mirror what Chris Casey said about "adding more granular permissions to Canvas." In a K-12 district, this feature would be particularly useful in cases where a subject PLC, or individual teacher purchased an LTI solution. Very happy to UPvote this!

iRon_Mrx

mary_speight
Community Participant

Our university is piloting Canvas in the spring, so I'm very new to all of the permissions. We would also limit the LTIs for support reasons. Disabling "manage all other course content" seems to prevent faculty from adding LTIs, but what else does it restrict them from doing?

stevenwilliams
Community Participant

 @mary_speight ​, Canvas outlines course permissions in this document​ -- "Manage all other course content" has quite a few essential tasks bundled in with LTI tool management (including manage modules, edit syllabus, and access chat/attendance). More granularity in these permissions would be helpful for LTI tools among other use cases.

mark_b_jones
Community Member

With the permissions as they are, it is my understanding that anyone who can edit course content can install an LTI.  And there are three ways (as i understand) FERPA data can be communicated to the LTI provider: via the LTI privacy configuration setting, the custom fields configuration setting, or by presenting the user web forms in iFrames that collect personal information and, to the user, appear to be part of Canvas.  My concern is that many LTIs are free, where we are not likely to have any contractual relationship, and that many who are tasked with developing course content will be unaware of or unconcerned with FERPA and the ramifications of specific LTI configuration settings.
So even if an LTI is being used in support of student instructional needs, that LTI can be configured such that more user data is communicated to the third party than is necessary, and, though I am not a FERPA expert, I doubt that the sharing of FERPA data, with parties without contractual agreements, would fall under an 'instructional needs' clause.

Adding granularity to permissions that govern editing of course content would allow us to limit who can install LTIs to those who have received training without completely preventing the development of course content for those who have not.

tbunag
Community Champion

Although saying, "No!" may be the easy way out, I think it is a beneficial and useful option.  I could imagine it also being useful in the early stages of training faculty on how to use LTIs properly.  Providing the option to limit addition of LTIs is a far cry from universally saying, "No!"  It simply allows institutions to monitor how and what information is shared with 3rd parties.

There's another aspect of this that hasn't been considered - accessibility.  Some LTIs have accessibility issues, and they could open up the institution to liability.

About Idea Conversations
In the Canvas Community Ideas space, you can share, converse, and rate idea conversations related to software improvements to Canvas products.