Canvas Didn’t Fail—It Did What It Was Designed to Do: Surveil, Extract, and Breach

Canvas is an LMS where teachers post assignments, course syllabi, readings, and announcements, and where students submit homework and check grades. While these systems were largely optional before COVID-19, courses were moved online without faculty input to accommodate pandemic-era social distancing procedures. This transition was paved by years of Big Tech lobbying.

Under the administrations of Presidents George W. Bush and Barack Obama, the once-pivotal Family Educational Rights and Privacy Act (FERPA), a law created and strengthened through decades of student activism to protect educational privacy, was steadily weakened. Lobbying efforts from Big Tech helped reshape the law and its enforcement, creating new rules that allowed “educational partners” contracted by schools to access student data without explicit consent. What was originally designed as a safeguard against institutional overreach has increasingly evolved into a surveillance framework that accommodates the data-harvesting ambitions of private companies. These contracts favor corporate stakeholders—usually private equity firms like Thoma Bravo, which bought Instructure in 2019, or KKR and Dragoneer, which acquired it two years ago—allowing them to collect and monetize data.

Under the guise of FERPA compliance, instructors are often prohibited from using any platform with which the school does not have a formal contract. However, this leads to absurd data-sharing practices. For example, because students in higher education are legal adults, privacy laws prohibit an instructor from even acknowledging a student’s enrollment to a parent or guardian. Yet, while the faculty is barred from basic communication with a student’s family, Big Tech’s ed-tech companies are granted total insight into every digital move that same student makes.

Standardization, Surveillance, and the Administrative Takeover

Sold as a 21st-century efficiency measure, it was actually a realization of the industry’s dream of entering the classroom. Indeed, corporate America has long viewed schools not as public institutions for democratic learning, but as captive and largely untapped markets of compulsory consumers. Where companies once used cereal box contests or scoreboard logos to enter schools, Apple pioneered the model by “donating” hardware to hook lifelong customers.

For the PMC—the expanding layer of administrators, compliance officers, consultants, and technocrats tasked with enforcing executive priorities across educational institutions— ed-tech tools provide a convenient mechanism for monitoring, standardizing, and policing faculty labor under the guise of accountability and efficiency. Restricting faculty to school-approved “partners” forces educators into tightly controlled digital environments where virtually every click, communication, and pedagogical decision can be monitored by their employer. The PMC can monitor how much time instructors spend in Canvas to determine whether they are “doing their job,” while also using the same infrastructure to surveil email communications. Indeed, some institutions punished faculty for using school emails to share scholarship on Israel’s post-October 7, 2023, assault in Gaza.

During the pandemic, the PMC mandated pedestrian LMS training for all faculty. This homogenous design was implemented to simplify faculty evaluation: instructors either adhered to the preordained template or they did not. This trend toward centralization is accelerating. California’s community colleges are currently rolling out a universal course numbering system that effectively strips each campus of its autonomy and creativity. In parallel, at the behest of the federal government, members of the PMC are enforcing compliance with rigid ADA digital accessibility standards that dictate everything from font types and video captions to navigation structures and the specific placement of hyperlinks.

Determining whether these changes and mandates actually improve learning is difficult because most empirical studies rely on grades, a poor measure of improvement given decades of grade inflation. Relatedly, there is a dearth of evidence that digital systems have improved learning. Research suggests digital ed-tech systems may be harming rather than improving learning. Indeed, the long-term negative impact of shifting to digital ed-tech was recently summed up in Fortune: “The U.S. spent $30 billion to ditch textbooks for laptops and tablets: The result is the first generation less cognitively capable than their parents.”

Labor Exploitation and the Moral Necessity of Privacy

ADA digital compliance mandates and standard online course templates are part of the PMC’s long-term strategy of wrapping labor exploitation in the language of altruism, accessibility, and “student success.” Much of the education sector’s well-meaning liberal class swallows this managerial propaganda whole, mistaking bureaucratic surveillance and corporate outsourcing for social justice and progress.

What is sold as inclusion too often functions as institutional outsourcing. By handing course design and accessibility enforcement over to automated corporate systems, universities force faculty to surrender intellectual property in the name of legal compliance and technological efficiency. For example, achieving digital ADA compliance requires faculty to devote substantial unpaid labor to retrofitting courses according to rigid checklists, despite little compelling evidence that these changes improve learning. Institutions then instruct instructors to upload lectures, assignments, readings, and other course materials into third-party platforms such as UDOIT, which scan for “compliance,” turning education into a bureaucratic obstacle course mediated by software.

At best, this creates endless busywork for a bloated PMC that drains public resources while congratulating itself on “innovation” and “inclusivity.” At worst, faculty are effectively training the very systems intended to replace them by feeding assignments, lectures, course structures, and pedagogical methods into profit-hungry AI platforms owned by tech companies eager to convince administrators that a chatbot can someday “teach” a course just as well as the human being who spent years mastering the subject.

This entire narrative unfolds within a system fueled by the steady erosion of privacy for faculty and students alike. Many institutions have downplayed recent breaches by offering the hollow reassurance that only classroom communications were compromised, yet this defense misses the fundamental point that privacy is the baseline for human autonomy. It is not a luxury but a vital shield for victims of stalking, individuals with contested immigration status, and those with unpopular opinions whose livelihoods might otherwise be at risk. Beyond mere safety, privacy provides the breathing room people need to explore their beliefs and behaviors without the chilling effect of constant surveillance or the fear of immediate punishment.

Privacy is an essential part of being a free and autonomous human. Throughout history, and within the chilling pages of 1984, the erosion of privacy has been a hallmark of oppressive systems such as plantation slavery, patriarchy, and heteronormativity enforced through surveillance, as well as authoritarian regimes from the USSR to Nazi Germany. As the ShinyHunters Canvas breach laid bare, handing the keys to our digital lives over to private equity firms and LMS providers has compromised not only privacy but also the integrity and public-good mission of education.