Victoria installing Zscaler on students' personal devices to monitor traffic

Packet inspection extended to BYOD.

Victoria’s Department of Education is expanding its monitoring of devices’ internal traffic from staff to students’ own devices at a number of schools.

The expansion will result in Zscaler SSL root certificates being installed on not only school-provided devices, but students’ personal devices if they connect locally to a school network.

The certificate allows student browser traffic to be decrypted for inspection, while still presenting to the user as if they were protected by HTTPS.

A Department spokesperson told iTnews that Zscaler is disabled in situations where the device connects to the school’s network remotely, such as uploading an assignment from home.

However, the spokesperson refused to comment on whether Zscaler monitors staff traffic from home, or when the policy was first implemented. 

“The Department uses the Zscaler application on all Department-owned computers and devices as part of cloud-based security measure when accessing the internet,” the spokesperson said. 

“This certificate acts as an extra safety measure by helping to determine if a website is safe to open while using the school’s internet.”

“The health and safety of all staff and students is the Department’s top priority. This includes being safe online.” 

The Department told iTnews a privacy impact statement had been conducted but refused to release it or summarise its details. 

Organisations use Zscaler to surveil users’ web browsing and online activity, protect against the deliberate or accidental transmission of confidential data, and detect malware hiding in HTTPS traffic.

The Victorian, state-owned ICT shared services provider Cenitex began rolling out Zscaler’s secure cloud platform for 36,000 public servants’ IT services in 2019.

Gartner principal analyst Bjarne Munch told iTnews “the increase in remote working also means an increase in cloud-based applications, which also requires permanent security solutions.”

“In order to gain better control on who can access specific applications and have access to various types of Internet content we are now also seeing increased focus on zero trust network access, as this enables individual security policies,” Munch said.

Electronic Frontiers Australia chair Justin Warren told iTnews Zscaler creates as many security threats as it resolves and is a grave violation of students’ privacy.

“Treating 17-year-olds as if they’re five-year-olds is not a good approach, and it’s not a good way to teach someone about their privacy and how to make their own decisions about risks.”

Warren said students should be trained in security awareness, and that organisations are opting for surveillance instead of more effective protections against phishing and downloading malware.

“Don’t give everyone domain admin, make sure all your systems are patched automatically, update your systems, use application whitelisting, use encryption instead of breaking it as Zscaler does.”

“We’re not saying students should be allowed to have free access and do whatever they want, but it also depends on their age.”

“They’ve said they’re monitoring for ‘inappropriate content’, what are the oversight mechanisms? Who decides what content is allowed over the system? What transparency is there regarding what content is being blocked?”

Warren gave the example of how “LGBT issues are constantly flagged by content monitoring systems as being inherently sexual when they’re not.”

In contrast to the Victorian Department of Education, the NSW Department of Education is using Zscaler’s SSL inspection at home, but not on students’ devices at schools.

The NSW Department entered a $1.1 million contract in July 2020 to use Zscaler’s private access network to allow corporate staff to connect to the Department’s network remotely as part of its response to Covid lockdowns.

“ZPA records user access activity, in accordance with cyber security best practice when corporate users access the corporate environment remotely,” a NSW Department of Education spokesperson told iTnews.

The Department told iTnews it has no current plans to extend the use of Zscaler to students. 

“An extensive analysis of Zscaler was undertaken including privacy and cyber security aspects.”

Source –