After two CampusBase privacy breaches, the AMS hasn’t released promised privacy assessment

The AMS has still not released its privacy assessment of CampusBase after two privacy breaches despite promises to do so.

CampusBase is the AMS’s replacement for the old Clubhouse system. In August, the email addresses or student numbers of the almost 40,000 members were visible to any other member. Another breach occurred last month when a student found a vulnerability letting them log into any account.

Both were fixed soon after their discovery, but raised concern about the system’s security.

AMS Privacy Officer Sheldon Goldfarb submitted a letter to Council on November 25 that included a commitment to monthly meetings between the AMS and Novalsys, the company behind the CampusGroups system running CampusBase, regarding the work being done to improve its security measures.

In light of these privacy breaches, some students have called for the AMS to release a privacy impact assessment (PIA) it said it conducted prior to the system’s launch. AMS President Cole Evans promised to release the assessment at the AMS’s annual general meeting on October 29, but the society has still not done so.

AMS VP Administration Sylvester Mensah Jr said that the privacy officer’s statement to Council had information from this privacy assessment.

“It’s the case that the PIA is quite technical … We have conducted a PIA, and our privacy officer submitted a statement with recommendations and an analysis of the platform that was presented to Council at the last Council meeting. And hence, we do believe that the contents of that PIA were shared through that report as well as my statement accordingly,” he said.

Mensah said another cause of students’ concern is the fact that CampusGroups is based in the United States. Under the BC Freedom of Information and Protection of Privacy Act, public organizations are required to store users’ personal information in Canada. However, the AMS is not a public organization and isn’t bound by the act.

AMS VP Administration Sylvester Mensah said that Novalsys plans to move its databases.

“They did promise that in Q1 of 2021, we’ll be able to move into our own database server that would be hosted in Canada, which we believe would put an end to a lot of the server issues that we have been encountering,” he said.

In a statement, CampusGroups said it was pursuing numerous measures to ensure the platform’s security, including intrusion detection systems, logging policies that identify security issues, and weekly vulnerability scans conducted by outside vendors.

Mensah expressed confidence in the measures that CampusGroups is taking to prevent future breaches.

“We have been in extensive communication with CampusGroups and we do believe that the measures that they have promised will help to alleviate the chances of issues like this repeating themselves.”