Victorian Schools are now requiring a privacy-breaching VPN installed on your device to access the internet. How is this okay?

We’ve recently been told the department is requiring that to connect to an education network, you must install a VPN program called Zscaler (effective 10th of April, without it means no internet). This is under the cover of “protecting teachers from scams and viruses”, but really it allows them to track whatever you access online. On a work laptop this is fine, however for the many of us who use personal laptops, it’s a complete breach of privacy. The VPN cannot be turned off and is incredibly difficult to work around when at home. Meaning that whenever you access the internet at home with your personal device, you can (and likely will) be tracked by the department. Again there is no way to turn it off.

This also means you can no longer use your phone or iPad (I use a personal iPad as well for student testing/misc things as we share 1 set of iPads for 4 classes) as there is no app for the Zscaler.

Breach of privacy aside, are there any actions we can take against this? Is there anything the union can do? (Contacted the union rep already). My school has no more work laptops, and won’t have funding for them till term 3, meaning from next term I will no longer have a device that can connect to the internet.

Why isn’t your school providing you with a laptop? Not having the budget to provide staff with laptops is rubbish.

but really it allows them to track whatever you access online.

I don’t want to alarm anybody, but they can already see everything you do online on their network. Not only do you traverse through their network, but you will also be accessing the web through their (transparent) proxy.

If you have secured or encrypted connections to third party sites it’s unlikely that the VPN provider will engage in certification authority misuse or compromise encryption. So, communications to your bank should be fine.

The VPN cannot be turned off a

That’s a problem.

Another problem is that they probably need root authority to install it and manage it, right?

Realistically, they probably haven’t considered use cases for why anybody uses technology that wasn’t provided for.

Is there anything the union can do?

The union can talk to the department about how this works with third-party hardware.

It makes sense that work computers use VPNs to access school networks remotely. It is arguable if it is the right process on campus, too. It is problematic for BYOD and makes a lot of things harder.

EDIT:

For personal devices - especially at home: check to see if you can install it in a VM and make that your work environment.


On a side note:

For the people who are “don’t use personal devices” - while I agree Teachers shouldn’t buy things that should be provided for them I’d like to remind you that Teaching is a diverse career with many different roles being incorporated into one title. Some specific roles could easily have specific edge cases where having your own device makes a lot of sense.

For example, my role in teaching senior secondary students cyber security effectively requires me to use linux as super user to manage the computer labs and the cyberrange with a range of automation and administrational/engineering tools that aren’t on the SOE.

While my school’s IT guy is like “I don’t give a shit what you do to your staff computer” he does want me to keep the windows partition on the drive so he can easily recover it if I am hit by a bus. That’s a problem because the education department / school is cheap and gets laptops with almost no drive space, so by the time they build the SOE there is no room left over for a new operating system.

I could use a lab computer to do all of this on, but it’s nice to throw up a virtual machine and test my lab ideas on my computer so I can build my deployment chain up before deploying onto the network and it’s nice to be able to do this even if I am not in the lab.

I manage the IT dept at my school and there has been no messaging about this. It doesn’t sound true.
This would be hugely problematic and I imagine the union would have something to say about this…

The demand is grossly unreasonable and should absolutely be refused. If this leaves you unable to perform your duties that’s on them.

I’ve said this before. I’m going to say it again.

Stop using your personal computer to do your job.

Seriously. Your personal device isn’t covered by school insurance if it gets damaged at work. It’s almost certainly not in compliance with laws around student privacy and data protection. And doing work on a personal device opens you up to device and data seizure in an (admittedly very rare) court case.

My school has no more work laptops, and won’t have funding for them till term 3, meaning from next term I will no longer have a device that can connect to the internet.

Not your problem. If the department doesn’t give you the proper tools to do the job, you do the job the best you can without the tools. Go back to paper rolls and force the front office to enter attendance data into the computer. Do board work only, no worksheets or power points.

Is there anything the union can do? (Contacted the union rep already).

The union stance is, and has been for a long time, that laptops are an essential tool of the trade and must be provided by the school. That will be their stance here, and you may be able to leverage that to get your school to provide you with a computer.

I also teach at a department school, and I’ve checked the DET’s available policies on information security (here) and they don’t mention VPNs in general, or that specific one. Nor have I had any communication from my IT professional about it, possibly something with your school OP, but doesn’t appear to be system wide.

EDIT: Reading over again, why would it be effective as of 10th April when that is during the term break, meaning that the IT tech at your school will not have access to staff laptops that have been taken home? If it is effective as of then why are you only hearing about it now when you, therefore, can’t do anything?

We were informed about it last year and I felt the same as you do. I was told that the department laptops won’t track when you’re at home but because they have less control over the interface on a personal laptop they can’t turn it off when you’re offsite in the same way that they can on the department website. Therefore the dept laptops won’t track you or block you at home but it will on personal laptops. Not sure if that’s bullshit or not. One of my colleagues put it on her personal laptop and then found websites like Facebook became inaccessible at home. Very clunky.

After my colleague’s experience (as well as the general ick that my workplace tracking my usage gives me!) those of us using our own personal laptops refused and the topic was dropped. The only issue has been that a lot of websites are blocked (we did a “design your dream house” kind of project and even sites like Kmart and IKEA are blocked. Even some department recommended/adjacent websites!). I just use my hotspot in the moment and then ask our IT guy to unblock and that seems to be allowed…

I agree though.

You do not have to install it on your personal laptop. That’s all that matters. If that is actually the case (I know nothing about computer), and you’re uncomfortable with the idea of it, don’t comply. The school cannot force you. Believe me, they could find you a laptop if they absolutely had to. I’m sure they have a responsibility to provide all staff with the equipment required to do the job. Chill.

I remember something about that being installed but I pretty much use my work computer for nothing but work, sometimes logging in to personal emails to keep up to date with family commitments in the weekends. I have a personal iPad but I bought it for school and that’s all it’s used for except Netflix. Definitely not having my phone connected like other teachers do. If they have a go for personal email and Netflix usage, I’ll have a go at having to buy my own devices to bring into work.

Zscaler can be turned off. It turns itself back on about 15 minutes later.

Previous employer had a similar requirement at one point, where we had to install seriously intrusive software to be able to access work email on personal phones, and we had to actually hand the phone over for 24 hours, unlocked, to allow them to install it. Everyone just simply stopped having work email on their personal phones, and it was quite refreshing.
I would not be allowing them to install that on your personal equipment, they will just have to supply you something to do the job they require you to do.

(tldr at bottom)

I’m going to preface this by noting that

  1. I do not know what program exactly Victoria is implementing, however according to this article it appears to be the same as the one I am familiar with. If what you are referring to is something completely different (perhaps another zscaler product), then please ignore me. and
  2. This absolute wall of text is not a dig at you. Your concerns as you’ve written them are very valid. I’m just hoping to maybe clarify some things and maybe put at ease some of your worries about it.

This viewpoint is coming from someone working in a NSW school that uses zscaler SSL root certificates.

firstly, a zscaler root cert (and the system requiring it) is not really a VPN. it’s actually more like the opposite. all internet traffic from the school is pushed through “zscaler” before going out to the internet. What you install on your computer is a security certificate that is used to authenticate the results you get back. without it, your computer will freak out because it sent a request to google, but got one back from “zscaler”. (IT people, please don’t lynch me for this over simplification!) the security certificate you install tells your computer that results from “zscaler” are safe to open.

to use an analogy, zscaler is a security guard at a club, and you need to have a VIP membership card (SSL cert) to get in. the membership card sits in your wallet, and is only used if you visit this club. it doesn’t hinder your ability to go to any other club, and if you do go to another club, the membership card stays in your wallet unused and the security guard can’t watch what you do because he’s not at whatever club you go to.

As for installing it on personal devices, I agree with you that they shouldn’t be able to force you to install it, but I also believe that (in an ideal world) you should not be required to use personal devices to do your job. if staff are expected to use laptops/other devices, they should be provided. At our school at least, most devices are school supplied, and those that use personal devices do so willingly. Some opt to bring in ipads for ease of use, others are casual staff who elect to use their own device instead of the casual device we offer them. in all situations those personal devices require the ssl cert to be installed, but at no point are they forced to do so. If the school is not providing you with adequate equipment to teach/do your job then that first and foremost sucks but also outside my experience on the topic.

TL:DR is that (again, assuming it’s the root cert, and not some other actual work VPN) they can only monitor traffic on the school network and installing the cert won’t have any effect on connectivity at home. Oh and also, fwiw, the ssl cert can be installed on basically any internet connected device (laptop/chromebook/ios/android etc) so at the very least don’t be worried that you won’t be able to get your device working in the new system.

If you’re able to clarify on what zscaler system is being implemented I’m definitely interested to hear, because if it is actually a full blown work VPN that can’t be turned off, there’s no way in hell I’d put that on any of my personal devices and you bet your ass I’d die on that hill.
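The interception discussed in the transparent-proxy reply and the root-certificate post above is visible from the client: the certificate a site appears to present is issued by the inspection CA instead of a public one. As an added example that is not part of the original thread, this Python check reports who issued the certificate your machine receives; the `zscaler` issuer match, the sample certificates and the function names are assumptions made for illustration.

```python
import socket
import ssl
import sys

# Issuer substrings that mark an inspection CA. "zscaler" is the product named in
# the thread; the assumption is that the CA names itself in its issuer fields.
INSPECTION_MARKERS = ("zscaler",)

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_DIRECT = {"issuer": ((("organizationName", "Example Public CA"),),
                            (("commonName", "Example Public CA R1"),))}
SAMPLE_INSPECTED = {"issuer": ((("organizationName", "Zscaler Inc."),),
                               (("commonName", "Zscaler Intermediate CA (constructed)"),))}


def issuer_fields(peercert):
    """Flatten the nested 'issuer' tuples from getpeercert() into a dict."""
    return {key: value for rdn in peercert.get("issuer", ()) for key, value in rdn}


def classify(peercert):
    """Return 'inspected' if the leaf certificate names an inspection CA as issuer."""
    text = " ".join(issuer_fields(peercert).values()).lower()
    if any(marker in text for marker in INSPECTION_MARKERS):
        return "inspected"
    return "direct"


def check_host(host, port=443, timeout=5.0):
    """Connect to host and report (verdict, detail) for the certificate received."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # The "computer will freak out" case: the chain ends in a root this
        # machine does not trust, e.g. an inspection root that is not installed.
        return "untrusted-issuer", exc.verify_message
    return classify(cert), issuer_fields(cert).get("organizationName", "")


if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(name, *check_host(name))
```

Running it against the same hostname on the school network and again at home shows where inspection applies: an inspection issuer in one place and a public CA in the other means only that network's traffic is being decrypted.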

A VPN doesn’t change what can and can’t be tracked.

They need to provide you with a laptop or it’s no go.

Dual boot ya laptop. Ez

Our school was going to do it but my IT guy told me that it won’t work with our firewall or something, so we’re not doing it any time soon until the issue is addressed (and whatever the exact issue was, DET did not account for it)

I think the issue you need to chase up is regarding the work notebook; a tranche just started, so there is no excuse for not getting you one in the last month or so. Zscaler is coming whether you like it or not. It’s part of secured connected learners (SCL). Mind you, I think your notebook should work without it, it just will have student filtering.

The only thing the union still support you with is the notebook.

Considering schools don’t pay for notebooks and we just tick a box against your name to get one… this sounds more like a case of a teacher wanting to use their own notebook vs the school not supplying.

You’re mentioning Lenovo laptops that DE hasn’t run for 10 years now

You still have internet access if you don’t sign in to it, you will just be on a student profile.

They aren’t using it to track you, they are just using it for internet filtering.

If you must use a personal device and are concerned, set up a different profile or virtual machine to run the work stuff.

Breach of privacy aside, are there any actions we can take against this? Is there anything the union can do?

There is no breach of privacy for them to install it on a work machine. There are no actions you can take to stop them running Zscaler on work machines, it is their internet filtering solution to prevent inappropriate content being accessed in schools. There is nothing the union can do to stop them using internet filtering software and nothing that the union should do.

Update: those with concerns may wish to read this.
Sign in to your account (DET login required)

We’ve been told it’s a department thing, but it’s sounding more like a school-only thing the more I’m hearing from here and other places. Doesn’t sound particularly honest hey.