Ofsted downplays site security concerns

Feedback mechanism for parents/students on shaky ground

UK school regulator Ofsted has downplayed security concerns about its website, adding that its policies will be further evolved once a planned revamp is completed.

El Reg learnt of the concerns from parent Oli, who approached us after failing to receive a response to his concerns either from Ofsted (Office for Standards in Education, Children's Services and Skills) or data privacy regulators at the ICO (Information Commissioner's Office).

Oli's main concern was the complete absence of any form of identity validation on the Ofsted-run Parent View site. The site is used by parents to provide feedback that contributes to a school's Ofsted report. Anyone can use disposable email addresses, sign up and submit multiple responses for a school, negative or positive.

"There is no mechanism for verifying the person providing feedback is a parent, no token or means of identifying the person, any email address can be used to sign up and the process could easily be automated," according to Oli.

"I raised this concern to the school my child goes to when we were asked to post responses on the site about the school as part of the Ofsted inspection process. And now a few months later I have been informed that following a grievance raised about the process by the school, an investigation has shown that 50 per cent of the responses from online were tampered with."

As part of the same process parents are asked to get their kids to leave voice recordings about the school. "Ofsted claimed to have received 1 recording for this school but 55 (or so) parents have stated their children left recordings," according to Oli. "I'm not sure of the details of what's happened here as it's not my data to contact them about, but if they've lost the voice recordings of a number of children that obviously represents a DPA [Data Protection Act] breach."

Oli was also concerned that the site provided no option to opt out from receiving cookies, and faulted the site for allegedly poor accessibility.

Experienced security consultant Paul Moore downplayed Oli's concerns. "There's nothing really substantial here," Moore told El Reg. "There's no proof that any data has been lost, so far as I can see ... and although the report process could be refined, it's not exactly a security concern."

In response to queries from El Reg, an Ofsted spokesman said it was in the process of revamping its site. This was not directly related to the security concerns raised by Oli, but ought to serve to reassure nonetheless. In a detailed response it said it already had systems in place to prevent trolling by imposters or other forms of abuse of the Parent View feedback mechanism.

"We introduced Parent View in 2011 to enable parents and carers to give their views about their child's school at any time of the year. As well as being useful to Ofsted, we know that many schools find this feedback helpful in terms of identifying areas of strength and relative weakness. In September 2015, a free text facility was added to support the gathering of views by our inspectors at the point of inspection only.

"Parents wishing to submit a review must first register with a password, verify their email address and accept the terms of use. Our aim in designing the system was to strike the right balance between security and ensuring the log-on process was simple enough to encourage as many parents as possible to share their views.

"We have put in place a range of measures to minimise the risk of abuse by individuals or groups and ensure that all schools are treated fairly. This includes systems to flag up signs of potential misuse. If a school has any concerns about responses on Parent View, we ask the headteacher to contact Ofsted and we will investigate the issue within 24 hours. We also monitor IP addresses to check that individuals are not creating multiple user accounts to circumvent security and try to influence results.

"While we are never complacent, our experience has been that despite more than a million reviews completed, cases of abuse are rare. There have only been a handful of occasions where we have had to take action to remove reviews. However, our current redesign project is an opportunity to assess whether we are maintaining the right balance between security on the one hand, and ease of use on the other.

"Parent View is just one of many sources of evidence that Ofsted inspectors draw on to inform their view of a school's performance. Reviews submitted to the site would never, on their own, lead to an unfairly negative judgement. Inspectors always weigh the views submitted by parents against the other first-hand evidence they gather, in order to reach their final judgement about the overall effectiveness of the school."

Ofsted also said that it did not ask for feedback in the form of voice recordings from pupils.

"We do not ask schools to provide feedback from pupils in the form of voice recordings. Prior to an inspection, a letter is emailed to the school requesting they gather the various information and documents inspectors will need to review. This includes a request for pupils at the school to complete an anonymised online questionnaire. This written questionnaire is confidential and complements the other evidence inspectors gather from talking to pupils. In the case of this particular school, 81 completed questionnaires were submitted and all were taken into account by inspectors."

The schools inspector said it was changing its policy on cookies. "Up until now, we have opted for a non-disruptive approach, based on the 'implied consent' of users," it said. "However, as part of our current website rebuild and redesign project, we are committed to reviewing both our use of cookies and the methods for obtaining user consent."

Ofsted acknowledged that Oli had a point about accessibility, which it hoped to improve with the redesign of the site. "We're aware that our sites do not currently comply fully with the latest accessibility standards. Indeed, improving usability and accessibility is one of the principal aims of our redesign project," it said. ®

