About 660 Stanford students were given “creator” status for 15 hours in classes they were enrolled in on Panopto, a video-managing platform that partners with Stanford, as a result of a software defect on Nov. 4.
As creators for a class, students gained the ability to edit, upload and delete recordings, as well as view recordings that were not scheduled to release yet. No private data or student information was exposed, according to a Panopto representative.
Stanford’s Panopto license is managed by the Stanford Center for Professional Development (SCPD). Judith Romero, SCPD’s senior director of communications and marketing, who confirmed that 660 students were affected, wrote in a statement to The Daily that there was “no security breach” and “no error by Stanford.” She added that the “Panopto software glitch was the result of a code defect that caused an error in logic.” Due to this error, if enrolled students clicked on the Panopto link within the Canvas learning management system they would be granted creator status.
In an email to The Daily, Panopto acting Marketing Vice President Sherman Griffin confirmed that the incorrect statuses were a result of a Panopto software defect in the latest Panopto release, and that students who accessed videos for a class in Canvas received creator rights for that folder.
“I logged onto Canvas on the evening of Nov. 4 to download lecture slides from CS 103 so that I could complete the homework,” Evan Baldonado ’23 told The Daily. “I noticed then that I was able to upload and delete videos, view statistics, see private folders and more with Panopto. I realized it was a larger issue after verifying with my p-set partner that she had the same permissions and seeing that I could do the same thing with Panopto for EARTHSYS 10.”
The issue was reported to Panopto 12 hours after the release, and the “inappropriate permissions were revoked within three and a half hours of reporting,” Griffin wrote.
During this time period, Griffin wrote that one student accessed five videos of future lectures in their course that were not yet available to students.
Creators can also access individual viewing analytics for videos in the folder for which they have creator status.
“Initially, I was worried for student privacy after realizing that students could access everyone else’s information,” Baldonado wrote. “I was also shocked to see how much data Panopto and teachers have, including how many times and for how long each student has watched each video for. I discovered this as I was taking screenshots necessary to let course staff and Panopto know the extent of the permissions issue.”
Griffin told The Daily that “no private data or student information was exposed.”
Romero added that “no student data was altered,” but Stanford will review the matter: “We are not aware that any private student data has been exposed, however, out of an abundance of caution, we are conducting a thorough review to confirm it,” Romero wrote.
Lisa Yan M.S. ’15 Ph.D. ’19, who teaches CS 109: “Intro to Probability for Computer Scientists,” among other courses, records pre-lecture videos and uploads them to Canvas using Panopto. She was not “aware that students had creator status,” but added that due to how the class is structured, it did not have too much of an effect.
“In our case, we only host publish-ready videos on Panopto, so at worst, students would be ‘reading ahead’ if they viewed or accessed any materials that were accessible only to Creators,” Yan wrote.
“That being said, we’re very happy that nothing out of the ordinary happened,” she wrote, adding that if students had accidentally deleted Panopto content, like live lecture videos, it would have created problems for students who are unable to attend synchronous lectures.
The glitch was not limited to Stanford, affecting other schools that use Panopto “with this specific combination of LMS configuration settings,” according to Sherman.
“While this was a small and limited occurrence, Panopto takes this very seriously,” Griffin wrote. “This was not acceptable, and we are committed to maintaining Stanford’s trust as a core technology partner.”
Contact Ujwal Srivastava at ujwal ‘at’ stanford.edu.