Week 4 — Social & Ethical Considerations

The network connects everyone. The question is whether it connects them equally — and safely.

Background

This week you studied how networks work: the infrastructure that carries data across the Internet, the protocols that make communication reliable, the applications that run on top, and the threats that exploit every layer. These are deeply technical topics — but they are also deeply human ones.

Networks are not neutral infrastructure. They are owned, controlled, and shaped by decisions made by companies, governments, and institutions. Those decisions determine who gets access, at what speed, at what cost, and on whose terms. They determine what data is collected about you as you use the network and what happens to that data. They determine how well schools, hospitals, and communities are protected when attackers come for them.

The scenarios below connect directly to the technical content of this week. Each one asks you to look at a situation where network technology — or its failure, or its deliberate misuse — had consequences for real people.

How to Use These Scenarios

Use the same approach we established in Weeks 1 and 2: read each scenario carefully, write down your initial thoughts using the five guiding questions, and come prepared to discuss in your small group. A full description of the process is available on the SEC scenario discussion guide.

Scenarios

Scenario 1 — The Fast Lane

The Internet was designed around a principle called net neutrality: all data packets should be treated equally by the network, regardless of their source, destination, or content. An email from a small nonprofit travels on the same terms as a video from a major streaming company. A student's homework submission receives the same treatment as a commercial transaction. The network does not pick winners.

This principle has been contested for years. Internet Service Providers argue that they should be allowed to manage their networks as they see fit — including charging content providers for faster delivery, throttling (slowing down) services that consume large amounts of bandwidth, and blocking services that compete with their own offerings. In the United States, net neutrality protections have been enacted, rolled back, and debated repeatedly at the federal level. In 2024, the FCC voted to restore net neutrality rules; those rules faced immediate legal challenges.

In this environment, consider a rural school district in an area served by only one ISP. The ISP offers a discounted education plan but throttles video streaming to speeds that make tools like YouTube and video conferencing unreliable unless the district pays for a premium tier. The district cannot afford the premium tier. Teachers report that lesson plans depending on video have become unusable. Students in the district fall behind peers in urban areas with competitive ISP markets where throttling is less common.

Scenario 2 — The Click That Cost the District

A school district's business manager receives an email that appears to be from the district's superintendent. The email explains that a time-sensitive vendor payment must be processed immediately and asks the manager to log into the district's financial system using a link provided in the email. The email addresses the manager by name, references a real ongoing project, and uses the superintendent's name and signature block.

The manager is busy, the request seems consistent with a project she knows about, and the urgency is plausible. She clicks the link and enters her credentials. The link led to a convincing fake login page. Within hours, the attacker uses her credentials to initiate a wire transfer of $487,000 from the district's operating fund to an overseas account. The money is not recovered.

Investigation reveals that the district had no mandatory cybersecurity training for staff, the financial system lacked multi-factor authentication, and no transaction verification protocol required a second approval for large transfers. The superintendent's email account had been compromised weeks earlier, which is how the attacker knew the project details.

Scenario 3 — Schools Under Attack

This scenario is based on real events. For background on the Hartford attack, see: Education Week — Ransomware Attack Postpones Start of School in Hartford, Conn. (2020).

In September 2020, the Hartford, Connecticut school district was hit by a ransomware attack the night before the first day of school. The attack encrypted servers managing student transportation routing, leaving the district unable to operate its bus system. The first day of school was postponed for 35,000 students. Recovery took weeks.

Hartford's experience was not unusual. Between 2016 and 2022, hundreds of K–12 school districts in the United States experienced ransomware attacks. In some cases, stolen student data — including social security numbers, medical records, and disciplinary histories — was published online when districts refused to pay ransoms. Attackers specifically target schools because they often have limited IT budgets, outdated systems, and large quantities of sensitive personal data.

Federal cybersecurity agencies have issued guidance for K–12 institutions, but compliance is voluntary and implementation requires resources many districts do not have. Some states have passed laws requiring minimum cybersecurity standards for public schools; many have not.

Scenario 4 — The Free Tool That Was Not Free

A middle school adopts a free, browser-based reading comprehension platform for its English classrooms. The platform is well-reviewed, easy to use, and genuinely improves student engagement. Teachers love it. The district deploys it to all 1,200 middle school students.

Two years later, an investigative report reveals that the platform's privacy policy — which the district's technology coordinator signed without reading carefully — permitted the company to collect detailed behavioral data about students: how long they spent on each passage, which questions they answered incorrectly, their reading speed, and their response patterns over time. This data was aggregated and sold to educational publishers and assessment companies. The students were minors. Their parents were never informed. No individual student was identified by name in the sold data, but the data was linked to school ID numbers that, combined with other sources, could be re-identified.

The company argues it disclosed everything in its privacy policy and complied with applicable law. The district argues it was not aware the data was being sold. Parents argue they had no opportunity to consent. The data has already been sold and cannot be retrieved.

These scenarios are intended as starting points for discussion, not definitive case studies. You don't need to cover all four in depth — two discussed well is better than four skimmed. Bring your reactions — including disagreements — to your small group session.