These parents built a school app. Then the city called the cops

  News
image_pdfimage_print
Öppna Skolplattformen hoped to succeed where Skolplattform had failed.
Enlarge / Öppna Skolplattformen hoped to succeed where Skolplattform had failed.
Comstock | Getty Images

Christian Landgren’s patience was running out. Every day the separated father of three was wasting precious time trying to get the City of Stockholm’s official school system, Skolplattform, to work properly. Landgren would dig through endless convoluted menus to find out what his children were doing at school. If working out what his children needed in their gym kit was a hassle, then working out how to report them as sick was a nightmare. Two years after its launch in August 2018, the Skolplattform had become a constant thorn in the side of thousands of parents across Sweden’s capital city. “All the users and the parents were angry,” Landgren says.

The Skolplattform wasn’t meant to be this way. Commissioned in 2013, the system was intended to make the lives of up to 500,000 children, teachers, and parents in Stockholm easier—acting as the technical backbone for all things education, from registering attendance to keeping a record of grades. The platform is a complex system that’s made up of three different parts, containing 18 individual modules that are maintained by five external companies. The sprawling system is used by 600 preschools and 177 schools, with separate logins for every teacher, student, and parent. The only problem? It doesn’t work.

The Skolplattform, which has cost more than 1 billion Swedish Krona, SEK, ($117 million), has failed to match its initial ambition. Parents and teachers have complained about the complexity of the system—its launch was delayed, there have been reports of project mismanagement, and it has been labeled an IT disaster. The Android version of the app has an average 1.2 star rating.

On October 23, 2020, Landgren, a developer and the CEO of Swedish innovation consulting firm Iteam, tweeted a hat design emblazoned with the words “Skrota Skolplattformen”—loosely translated as “trash the school platform.” He joked he should wear the hat when he picks his children up from school. Weeks later, wearing that very hat, he decided to take matters into his own hands. “From my own frustration, I just started to create my own app,” Landgren says.

He wrote to city officials asking to see the Skolplattform’s API documents. While waiting for a response, he logged into his account and tried to work out whether the system could be reverse-engineered. In just a few hours, he had created something that worked. “I had information on my screen from the school platform,” he says. “And then I started building an API on top of their lousy API.”

The work started at the end of November 2020, just days after Stockholm’s Board of Education was hit with a 4 million SEK GDPR fine for “serious shortcomings” in the Skolplattform. Integritetsskyddsmyndigheten, Sweden’s data regulator, had found serious flaws in the platform that had exposed the data of hundreds of thousands of parents, children, and teachers. In some cases, people’s personal information could be accessed from Google searches. (The flaws have since been fixed and the fine reduced on appeal.)

In the weeks that followed, Landgren teamed up with fellow developers and parents Johan Öbrink and Erik Hellman, and the trio hatched a plan. They would create an open source version of the Skolplattform and release it as an app that could be used by frustrated parents across Stockholm. Building on Landgren’s earlier work, the team opened Chrome’s developer tools, logged into the Skolplattform, and wrote down all the URLs and payloads. They took the code, which called the platform’s private API and built packages so it could run on a phone—essentially creating a layer on top of the existing, glitchy Skolplattform.

The result was the Öppna Skolplattformen, or Open School Platform. The app was released on February 12, 2021, and all of its code is published under an open source license on GitHub. Anyone can take or use the code, with very few limitations on what they can do with it. If the city wanted to use any of the code, it could. But rather than welcome it with open arms, city officials reacted with indignation. Even before the app was released, the City of Stockholm warned Landgren that it might be illegal.

In the eight months that followed, Stockholms Stad, or the City of Stockholm, attempted to derail and shut down the open source app. It warned parents to stop using the app and alleged that it might be illegally accessing people’s personal information. Officials reported the app to data protection authorities and, Landgren claims, tweaked the official system’s underlying code to stop the spin-off from operating at all.

Then, in April, the city announced it was getting the police involved. Officials claimed the app and its cofounders may have committed a criminal data breach and asked cybercrime investigators to look into how the app worked. The move took Landgren, who had been meeting with city officials to address concerns about the app, by surprise. “It was quite scary,” he says of the police involvement.

https://arstechnica.com/?p=1810819