Just when you thought the end of term could not get more stressful, you log into your familiar course management software, only to encounter a ransomware notice. That unpleasant scenario played out for staff and students at thousands of post-secondary institutions—including several in Canada—in early May, when the widely used Canvas learning management system was infiltrated by hackers. The online service is developed and managed by the U.S.-based company Instructure, which first reported trouble on May 1. After the company initially assured its clientele the problem had been resolved, the ransomware notice turned up the following week. Finally, on May 11, the company indicated it had reached a deal with the hackers, and said that the cyber-thieves had destroyed all the data—including names, student IDs, and email addresses—they’d stolen. By now, most Canvas users will be back to dealing just with the usual challenges of the season, as this powerful software platform helps them handle a wide range of essential tasks, including delivering course content, storing grades, and providing communication between students and professors. And while the hack could recede in most people’s memories like an annoying power outage, Matt Hatfield wants it to serve as a reminder of the choices we make with the technology dominating our day-to-day lives.
"While a hack could happen to any vendor in any country, moments like this reveal how much Canada is ceding of meaningful sovereignty and digital autonomy by so many of our critical systems being operated by closed platforms outside the country," he says. Hatfield is the executive director of OpenMedia, a Vancouver-based non-profit organization weighing the economic, political and social threats to the internet in Canada. It has previously mounted public awareness campaigns around topics like the privacy implications of legislation such as Bill C-22, but it has most recently taken up the call to promote digital sovereignty.
The Canvas Cyberattack: A Timeline of Disruption
The cyberattack targeting Instructure’s Canvas learning management system, a platform relied upon by a significant portion of North American educational institutions, unfolded over several critical days in early May. The incident sent ripples of anxiety through academic communities, particularly as it coincided with the high-stakes period of final exams and assignment submissions.
May 1, 2024: Instructure, the U.S.-based company behind Canvas, initially acknowledges a service disruption impacting its clients. At this early stage, the nature and extent of the issue were not fully disclosed to users. This initial communication, while aiming to inform, would later be criticized for its lack of detail.
Early May (following May 1): Reports emerge of ransomware notices appearing on Canvas platforms. This indicates that the disruption was not merely a technical glitch but a malicious cyberattack involving data exfiltration and extortion. Students and faculty at numerous post-secondary institutions, including several in Canada, began to experience restricted access to course materials, grades, and communication channels.
May 11, 2024: Instructure publicly announces it has reached an agreement with the cybercriminals. Crucially, the company states that the hackers have destroyed all the stolen data. This included sensitive personal information such as names, student identification numbers, and email addresses. The company’s CEO, Steve Daly, subsequently issued an apology for the initial lack of transparency, admitting that the company had prioritized fact-finding over immediate and consistent user updates, a balance they acknowledged was misjudged.
The disruption, though seemingly resolved for many by the latter half of May, left a lingering concern about the security and autonomy of digital infrastructure within educational settings.
Beyond Technical Glitches: The Sovereignty Debate
The Canvas ransomware incident has ignited a broader conversation in Canada about "digital sovereignty," a concept that extends far beyond simply housing data within national borders. Matt Hatfield, Executive Director of OpenMedia, a Vancouver-based digital advocacy group, argues that the reliance on foreign, proprietary platforms for critical educational infrastructure represents a significant erosion of Canada’s ability to control its digital destiny.
"Digital sovereignty" is increasingly discussed in the context of national policies on artificial intelligence and data centre development. However, Hatfield emphasizes that the vulnerabilities are not solely in future technologies but are deeply embedded in the systems currently in use. He points to learning management systems (LMS) like Canvas, which have become ubiquitous in Canadian universities over the past two decades, as prime examples of this challenge.
Hatfield is critical of simplistic interpretations of digital sovereignty that focus solely on data localization. He argues that even if Canadian universities were to store their Canvas data on Canadian servers, it would not address the fundamental issue of decision-making power residing outside the country.
"Simply storing data on Canadian servers, as the thinnest type of sovereignty recommends, would not have changed the reality of the meaningful decisions that led to this security failure and management of the resulting crisis being made by a U.S. entity without real say from any Canadian school or authority," Hatfield explained. This perspective highlights that true digital sovereignty involves not just data ownership but also control over the architecture, development, and operational decisions of the technologies that underpin vital societal functions.
The Landscape of Learning Management Systems: Proprietary vs. Open Source
The Canvas attack has brought to the forefront the ongoing debate between proprietary and open-source learning management systems and their implications for institutional control and security. Canvas, developed by the U.S. company Instructure, is a dominant player in the market, capturing an estimated 50% of the learning management system adoption last year, according to EdTech Newsletter data. Its widespread use is attributed to its user-friendly interface and comprehensive features, making it a convenient choice for both educators and students.
However, the proprietary nature of Canvas means that its underlying code is not publicly accessible. This "closed platform" approach, while often simplifying user experience, limits the ability of institutions to scrutinize, modify, or independently secure the software. In contrast, open-source alternatives, such as Moodle, offer a different paradigm. Moodle’s code is freely available, allowing institutions with the necessary technical expertise to adapt, enhance, and audit the software to meet their specific needs and security requirements.
The University of British Columbia, one of at least seven Canadian universities impacted by the cyberattack, directed instructors to consider Moodle as an alternative. This suggestion underscores a growing awareness within academic circles of the benefits that open-source systems can offer in terms of customization and potential control.
While Moodle represents a powerful open-source option, its adoption rate is significantly lower than Canvas, standing at approximately 9%. This disparity is often linked to the increased technical expertise and resources required to manage and customize open-source platforms. Proprietary systems like Canvas tend to be more accessible for users with less technical proficiency, offering a more streamlined out-of-the-box experience.
The Advantages of Open Systems for Digital Sovereignty
Despite the convenience and market dominance of proprietary platforms, the push for greater digital sovereignty is fostering renewed interest in open-source solutions. Jake Hirsch-Allen, director of partnerships with the Dais, a public policy think tank at Toronto Metropolitan University (TMU), believes that the effort involved in adopting and managing open systems yields significant long-term advantages. TMU itself employs Brightspace, a learning management tool provided by the Canadian firm Desire2Learn (D2L), and has not experienced similar hacking incidents.
"They make us think differently, they make us think harder," Hirsch-Allen stated, referring to the process of engaging with open-source technologies. This cognitive shift, he argues, is crucial for developing a more robust understanding of and control over digital infrastructure.
More importantly, from a sovereignty perspective, open systems empower institutions to exert greater control over their data and the underlying algorithms that shape educational experiences. "And, even more importantly with regard to sovereignty, they allow us to control who owns our data, who is informing the values behind our algorithms," Hirsch-Allen emphasized.
This point is particularly pertinent in the current technological landscape, where generative artificial intelligence (AI) is increasingly integrated into learning management systems. The algorithms driving these AI features, whether for content generation, personalized learning pathways, or assessment tools, are often proprietary and opaque in commercial platforms. With open-source systems, institutions have the potential to understand, audit, and even influence the ethical frameworks and biases embedded within these AI components. This level of transparency and control is a cornerstone of meaningful digital sovereignty, ensuring that educational technologies align with Canadian values and priorities rather than being dictated by external corporate interests.
Broader Implications for Canadian Institutions
The Canvas cyberattack and the subsequent discussions around digital sovereignty have far-reaching implications for Canadian post-secondary institutions. The incident serves as a stark reminder of the inherent risks associated with outsourcing critical IT infrastructure to third-party vendors, particularly those based outside of Canada. While these vendors often offer cost efficiencies and advanced features, the control over data security, incident response, and the fundamental architecture of these platforms can be significantly diminished.
The reliance on a single, dominant platform like Canvas also raises concerns about systemic vulnerabilities. A successful attack on such a widely used system can have a cascading effect, impacting thousands of institutions and millions of students simultaneously. This highlights the importance of diversification in technological adoption and the exploration of a wider range of solutions, including Canadian-developed alternatives or robust open-source platforms.
For Canadian universities and colleges, the path forward involves a strategic re-evaluation of their digital infrastructure. This includes:
- Enhanced Due Diligence: Thoroughly vetting vendors for their security protocols, data handling practices, and incident response capabilities.
- Prioritizing Open-Source Solutions: Actively exploring and investing in the development and adoption of open-source learning management systems where feasible, acknowledging the need for associated technical expertise and support.
- Strengthening In-House Capacity: Building internal expertise in cybersecurity, data management, and IT infrastructure to reduce reliance on external providers for critical decision-making and operational control.
- Advocating for National Digital Strategies: Engaging with government initiatives to promote Canadian digital sovereignty, support domestic technology development, and establish clear regulatory frameworks for data protection and cybersecurity in the education sector.
The Instructure CEO’s apology, while a step towards acknowledging missteps in communication, underscores the need for a more proactive and transparent approach from technology providers. However, the ultimate responsibility for ensuring the security and autonomy of educational data and systems lies with the institutions themselves. The Canvas incident, therefore, is not just a cybersecurity event; it is a catalyst for a critical national conversation about how Canada can build a more resilient and sovereign digital future for its educational landscape. The choices made today regarding technological reliance will undoubtedly shape the educational experiences and data security of future generations of Canadian students.
