News Roundup - 16/01/25
Here are some news and articles we followed in the last week.
The European Union upholds its data protection laws, against itself
This article captures the bulk of the information. In short, registration for an EU event through the EU Login page offered a "Sign in with Facebook" option, and using it caused the visitor's IP address to be sent to Meta's servers in the United States. According to the ruling:
However, as regards that person’s registration for the ‘GoGreen’ event, the General Court finds that, by means of the ‘Sign in with Facebook’ hyperlink displayed on the EU Login webpage, the Commission created the conditions for the transmission of his IP address to Facebook. That IP address constitutes personal data which, by means of that hyperlink, were transmitted to Meta Platforms, an undertaking established in the United States. That transfer must be imputed to the Commission.
The complainant had pushed for other potential violations, which were found to be without merit: one related to the United States not having adequate controls to protect EU citizens' data, and the other to non-material damage caused by the transfer of that information.
The case shows that individuals can hold companies, and even governments, accountable for their data-sharing practices. It also shows how deep such an investigation can go: down to a single hyperlink on a login page and the request it causes the browser to make.
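The mechanism at issue is easy to audit on your own pages: every `src` or `href` pointing at another site is a request the visitor's browser will make to that site, on page load for scripts, images and frames, or on click for a link such as "Sign in with Facebook". The following is an added example, not code from the article or the ruling; the sample HTML, the hostnames and the `first_party` site are constructed for illustration.

```python
"""List the third-party hosts a page makes the visitor's browser contact.

Added example (not from the article or the court ruling). The sample page
and hostnames below are constructed to resemble a login page that carries a
"Sign in with Facebook" hyperlink.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose value makes the browser issue a request to the named host.
URL_ATTRS = {
    "a": ("href",),
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "form": ("action",),
}


class _HostCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, host, trigger)

    def handle_starttag(self, tag, attrs):
        names = URL_ATTRS.get(tag)
        if not names:
            return
        attrs = dict(attrs)
        for name in names:
            value = attrs.get(name)
            host = urlparse(value).hostname if value else None
            if not host:
                continue  # relative URL: same origin, nothing to report
            # <a href> and <form action> only fire when the user acts;
            # scripts, images, frames and stylesheets fire on page load.
            trigger = "click" if tag in ("a", "form") else "load"
            self.refs.append((tag, host.lower(), trigger))


def _same_site(host, first_party):
    return host == first_party or host.endswith("." + first_party)


def third_party_hosts(html, first_party):
    """Return {host: trigger} for every host outside the first_party site.

    trigger is "load" if the browser contacts the host when the page loads
    and "click" if only after the user follows the link or submits the form.
    """
    p = _HostCollector()
    p.feed(html)
    result = {}
    for _tag, host, trigger in p.refs:
        if _same_site(host, first_party):
            continue
        # A host contacted on load outranks one contacted only on click.
        if result.get(host) != "load":
            result[host] = trigger
    return result


# Constructed sample page; the hosts are illustrative, not real endpoints.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/static/login.css">
<script src="https://cdn.example-login.eu/js/app.js"></script>
</head><body>
<form action="/login" method="post"><input name="user"><input name="pass"></form>
<a href="https://www.facebook.com/dialog/oauth?client_id=123">Sign in with Facebook</a>
<img src="https://analytics.tracker.test/pixel.gif" alt="">
</body></html>
"""

if __name__ == "__main__":
    for host, trigger in sorted(third_party_hosts(SAMPLE_PAGE, "example-login.eu").items()):
        print(f"{host}: contacted on {trigger}")
```

The distinction between `load` and `click` matters for the legal analysis above: a link transmits the visitor's IP address only once they choose to use it, whereas a third-party script or tracking pixel transmits it to every visitor whether they log in that way or not.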
PowerSchool was powerhacked?
This article contains a good rundown and timeline of the events, along with the action plan the company has announced. In short, PowerSchool ran a customer support portal (PowerSource) with what appear to have been weak authentication controls. An account on that platform was compromised and automated scripts were used to download exports of both teacher and student data. The company stated that this affected only "affected customers". From the article:
To harden the PowerSource platform, PowerSchool has deactivated the compromised credential and restricted PowerSource access, while also conducting a full password reset and increasing password length and complexity requirements. While none of the customer communications or FAQ documents have mentioned MFA, during the Jan. 7 webinar McCowan mentioned that MFA has been implemented for PowerSource. As of Jan. 8 at least, MFA is not required for customer PowerSource accounts. It was also mentioned during the webinar that the remote access export feature has been disabled for PowerSchool-hosted tenants, but that self-hosted tenants that wish to disable the feature will need to do so manually.
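The pattern described above, one support account scripting data exports across many customer tenants, is something a portal operator can detect from its own audit log well before a password reset becomes necessary. The following is an added example, not PowerSchool's code or log format; the JSON-lines events, field names and thresholds are constructed for illustration.

```python
"""Flag a support-portal account bulk-exporting data from many tenants.

Added example, not PowerSchool's code. The audit events, field names,
window and thresholds are all constructed for illustration. The detector
raises one alert per account whose exports inside a sliding window exceed
either the count or the distinct-tenant threshold, and records whether the
session used MFA so the responder sees that immediately.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MAX_DISTINCT_TENANTS = 3  # a support engineer rarely touches more than a few customers at once
MAX_EXPORTS = 5

# Constructed audit log: support.bob does normal work on one customer,
# support.eve scripts exports across four customers from a non-MFA session.
SAMPLE_LOG = """
{"ts": "2024-12-22T03:01:10Z", "user": "support.bob", "tenant": "district-017", "action": "export", "dataset": "students", "mfa": true, "src": "203.0.113.8"}
{"ts": "2024-12-22T03:04:30Z", "user": "support.bob", "tenant": "district-017", "action": "export", "dataset": "teachers", "mfa": true, "src": "203.0.113.8"}
{"ts": "2024-12-22T03:10:02Z", "user": "support.eve", "tenant": "district-101", "action": "export", "dataset": "students", "mfa": false, "src": "198.51.100.77"}
{"ts": "2024-12-22T03:10:03Z", "user": "support.eve", "tenant": "district-101", "action": "export", "dataset": "teachers", "mfa": false, "src": "198.51.100.77"}
{"ts": "2024-12-22T03:10:05Z", "user": "support.eve", "tenant": "district-102", "action": "export", "dataset": "students", "mfa": false, "src": "198.51.100.77"}
{"ts": "2024-12-22T03:10:06Z", "user": "support.eve", "tenant": "district-102", "action": "export", "dataset": "teachers", "mfa": false, "src": "198.51.100.77"}
{"ts": "2024-12-22T03:10:08Z", "user": "support.eve", "tenant": "district-103", "action": "export", "dataset": "students", "mfa": false, "src": "198.51.100.77"}
{"ts": "2024-12-22T03:10:09Z", "user": "support.eve", "tenant": "district-104", "action": "export", "dataset": "students", "mfa": false, "src": "198.51.100.77"}
{"ts": "2024-12-22T03:11:00Z", "user": "support.eve", "tenant": "district-104", "action": "login", "mfa": false, "src": "198.51.100.77"}
"""


def parse_events(text):
    """Yield audit events as dicts with ts parsed to datetime."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def detect_bulk_exports(text, window=WINDOW, max_tenants=MAX_DISTINCT_TENANTS,
                        max_exports=MAX_EXPORTS):
    """Return {user: alert} for the first window in which a user crossed a threshold."""
    recent = defaultdict(deque)  # user -> (ts, tenant) export events still inside the window
    alerts = {}
    for ev in sorted(parse_events(text), key=lambda e: e["ts"]):
        if ev["action"] != "export":
            continue
        user = ev["user"]
        q = recent[user]
        q.append((ev["ts"], ev["tenant"]))
        # Evict events older than the window relative to the newest one.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if user in alerts:
            continue  # one alert per user is enough for triage
        tenants = {t for _, t in q}
        if len(q) > max_exports or len(tenants) > max_tenants:
            alerts[user] = {
                "user": user,
                "exports_in_window": len(q),
                "distinct_tenants": len(tenants),
                "mfa": ev["mfa"],
                "src": ev["src"],
                "first_seen": q[0][0].isoformat(),
                "last_seen": ev["ts"].isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_exports(SAMPLE_LOG).values():
        print(json.dumps(alert, indent=2))
```

The thresholds are deliberately low because a support engineer's legitimate work is narrow: one or two customers per ticket. Tuning them up to avoid noise on a real portal is fine, but the distinct-tenant count is the stronger signal, since an attacker with one stolen credential is after breadth, not depth.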
At time of writing, PowerSchool's security page still quotes the following:
PowerSchool is committed to being a good custodian of student data, taking all reasonable and appropriate countermeasures to ensure data confidentiality, integrity, and availability.
Sure Jan.
The bigger questions here remain:
- At what point do US legislators take more formal actions against companies who don't follow basic security protocols and controls?
- Should consumer protection laws be better used to force companies to be truthful about their security practices?
- Should individual teachers/students have the right to refuse transfer of data to 3rd parties (or at least, have a say in WHAT is transferred) even if it is for "business purposes"?
- Should the bodies behind certifications such as CISSP, SOC 2 and ISO 27001 issue immediate retractions for the company and the individuals responsible?
Another Ethical AI Standard
The Digital Governance Standards Institute (DGSI) has released the second edition of CAN/DGSI 101:2025, a standard focused on the ethical design and use of artificial intelligence (AI) by small and medium-sized enterprises (SMEs). This standard provides a comprehensive framework for integrating ethics into AI systems, covering risk management, ethics by design, deployment strategies, and continuous monitoring.
Key features include a risk management blueprint, principles for ethics by design, and best practices for responsible AI deployment. The standard was developed collaboratively by over 225 experts, ensuring it addresses the multifaceted challenges of AI governance.
The scope of the standard:
This Standard specifies minimum requirements for incorporating ethics in the design and use of artificial intelligence by small and medium organizations, which typically have fewer than 500 employees. This Standard is limited to artificial intelligence (AI) using machine learning for automated decisions and includes generative AI. Artificial intelligence includes internally developed tools and third-party tools deployed for internal use by the organization.
We are planning a newsletter focused on ethical technology and might include this one in that review.