Background
This week you studied how networks work: the infrastructure that carries data across the Internet, the protocols that make communication reliable, the applications that run on top, and the threats that exploit every layer. These are deeply technical topics — but they are also deeply human ones.
Networks are not neutral infrastructure. They are owned, controlled, and shaped by decisions made by companies, governments, and institutions. Those decisions determine who gets access, at what speed, at what cost, and on whose terms. They determine what data is collected about you as you use the network and what happens to that data. They determine how well schools, hospitals, and communities are protected when attackers come for them.
The scenarios below connect directly to the technical content of this week. Each one asks you to look at a situation where network technology — or its failure, or its deliberate misuse — had consequences for real people.
How to Use These Scenarios
Use the same approach we established in Weeks 1 and 2: read each scenario carefully, write down your initial thoughts using the five guiding questions, and come prepared to discuss in your small group. A full description of the process is available on the SEC scenario discussion guide.
Scenarios
Scenario 1 — The Fast Lane
The Internet was designed around a principle called net neutrality: all data packets should be treated equally by the network, regardless of their source, destination, or content. An email from a small nonprofit travels on the same terms as a video from a major streaming company. A student's homework submission receives the same treatment as a commercial transaction. The network does not pick winners.
This principle has been contested for years. Internet Service Providers argue that they should be allowed to manage their networks as they see fit — including charging content providers for faster delivery, throttling (slowing down) services that consume large amounts of bandwidth, and blocking services that compete with their own offerings. In the United States, net neutrality protections have been enacted, rolled back, and debated repeatedly at the federal level. In 2024, the FCC voted to restore net neutrality rules; those rules faced immediate legal challenges.
In this environment, consider a rural school district in an area served by only one ISP. The ISP offers a discounted education plan but throttles video streaming to speeds that make tools like YouTube and video conferencing unreliable unless the district pays for a premium tier. The district cannot afford the premium tier. Teachers report that lesson plans depending on video have become unusable. Students in the district fall behind peers in urban areas with competitive ISP markets where throttling is less common.
- Who are the decision-makers in this scenario, and what incentives are shaping their choices?
- Is it appropriate for an ISP to treat different types of traffic differently? Does your answer change if the ISP argues it is managing network congestion rather than favoring certain content?
- How does the rural school district's lack of ISP alternatives change the ethical analysis compared to a market with multiple competing providers?
- What obligations, if any, should ISPs have toward educational institutions? Should broadband Internet access be treated as a public utility, like electricity or water? What are the arguments on each side?
- How does this scenario connect to the ISP hierarchy you studied in Topic 4b, and to the idea that the Internet was designed as an open, neutral network?
Scenario 2 — The Click That Cost the District
A school district's business manager receives an email that appears to be from the district's superintendent. The email explains that a time-sensitive vendor payment must be processed immediately and asks the manager to log into the district's financial system using a link provided in the email. The email addresses the manager by name, references a real ongoing project, and uses the superintendent's name and signature block.
The manager is busy, the request seems consistent with a project she knows about, and the urgency is plausible. She clicks the link and enters her credentials. The link led to a convincing fake login page. Within hours, the attacker uses her credentials to initiate a wire transfer of $487,000 from the district's operating fund to an overseas account. The money is not recovered.
Investigation reveals that the district had no mandatory cybersecurity training for staff, the financial system lacked multi-factor authentication, and no transaction verification protocol required a second approval for large transfers. The superintendent's email account had been compromised weeks earlier, which is how the attacker knew the project details.
- The manager made a mistake — but is she the primary responsible party? Identify all the decision points at which this attack might have been prevented and who was in a position to act at each one.
- The district had no mandatory cybersecurity training. Is this a reasonable cost-saving measure, or a foreseeable failure of duty of care to staff and the community?
- Should financial software used by public institutions require MFA and dual authorization for large transactions? Who should mandate this — vendors, institutions, or governments?
- The attack succeeded partly because the superintendent's email was already compromised. What does this suggest about the interconnected nature of security vulnerabilities?
- The $487,000 came from public funds intended for student education. Who is ultimately harmed, and how should accountability be structured in cases like this?
Scenario 3 — Schools Under Attack
This scenario is based on real events. For background on the Hartford attack, see: Education Week — Ransomware Attack Postpones Start of School in Hartford, Conn. (2020).
In September 2020, the Hartford, Connecticut school district was hit by a ransomware attack the night before the first day of school. The attack encrypted servers managing student transportation routing, leaving the district unable to operate its bus system. The first day of school was postponed for 35,000 students. Recovery took weeks.
Hartford's experience was not unusual. Between 2016 and 2022, hundreds of K–12 school districts in the United States experienced ransomware attacks. In some cases, stolen student data — including social security numbers, medical records, and disciplinary histories — was published online when districts refused to pay ransoms. Attackers specifically target schools because they often have limited IT budgets, outdated systems, and large quantities of sensitive personal data.
Federal cybersecurity agencies have issued guidance for K–12 institutions, but compliance is voluntary and implementation requires resources many districts do not have. Some states have passed laws requiring minimum cybersecurity standards for public schools; many have not.
- Who bears responsibility when a school district is successfully attacked: the district's IT department, district leadership, the state, the federal government, or the software vendors whose products were vulnerable?
- Attackers deliberately target schools because they are under-resourced. Is there a moral distinction between attacking a school and attacking a corporation? Does the presence of children's data change the ethical weight of the attack?
- Should cybersecurity standards for schools be mandatory and federally enforced, or should this remain a local decision? What are the tradeoffs?
- When student data that was stolen in an attack is published online, who is harmed and how? Consider students whose disciplinary records, medical information, or family financial situations are now publicly accessible.
- As a teacher, what is your role in your school's cybersecurity posture? What could you personally do — or advocate for — that would reduce risk?
Scenario 4 — The Free Tool That Was Not Free
A middle school adopts a free, browser-based reading comprehension platform for its English classrooms. The platform is well-reviewed, easy to use, and genuinely improves student engagement. Teachers love it. The district deploys it to all 1,200 middle school students.
Two years later, an investigative report reveals that the platform's privacy policy — which the district's technology coordinator signed without reading carefully — permitted the company to collect detailed behavioral data about students: how long they spent on each passage, which questions they answered incorrectly, their reading speed, and their response patterns over time. This data was aggregated and sold to educational publishers and assessment companies. The students were minors. Their parents were never informed. No individual student was identified by name in the sold data, but the data was linked to school ID numbers that, combined with other sources, could be re-identified.
The company argues it disclosed everything in its privacy policy and complied with applicable law. The district argues it was not aware the data was being sold. Parents argue they had no opportunity to consent. The data has already been sold and cannot be retrieved.
- The platform was genuinely educationally useful. Does that change the ethical analysis of how the data was collected and used?
- "Free" educational tools are often paid for with data. Is this an acceptable business model when the users are minors? Who should decide?
- The district's technology coordinator signed the privacy policy without reading it carefully. Is this a reasonable shortcut given the volume of contracts districts manage, or a failure of professional responsibility?
- The data was sold in aggregate, without names. Does anonymization eliminate the ethical concern? What does "re-identification risk" mean, and why does it matter?
- What due diligence should a school district perform before deploying any digital tool to students? Who in the district should be responsible for that review?
These scenarios are intended as starting points for discussion, not definitive case studies. You don't need to cover all four in depth — two discussed well is better than four skimmed. Bring your reactions — including disagreements — to your small group session.