Why are Third Party Vendors Such Arses?

The short answer is that they’re not. They’re experiencing culture shock between higher education and capitalism. Their goals and higher education’s are entirely different, and sometimes diametrically opposed. Sometimes they’re not, but I’ll leave that for the Marxists out there to critique.

I’ll outline a few examples, no names except for where I need a name for a tool because it’s too hard to keep using “middleware” that could mean anything from a database to an API connector to something like IFTTT. I’m not writing this to shame edtech vendors or name call, but if you are a vendor and you do these sorts of things – maybe consider stopping.

Hyper aggressive sales.

You’ve all seen this, or gotten emails day after day from the same vendor telling you about their great product. Or, you’ve been a teacher, and they call you periodically. Or more frequently. Daily even. I’ve gotten relentless edtech bros emailing me on LinkedIn then at work. By the way, if you do this and it’s part of your company culture, you do know that I mark that stuff as spam, right? All it does is create one of two things for a relationship… you either gain someone who just capitulates to you (but resents you) or you anger someone (who then holds a grudge for longer than an eon). Neither of those is great, but one is a sale. In an extreme case, you might get a cease and desist from a CIO who is tired of your harassment.

Circumventing process.

EdTech workers have definitely been asked for this sort of stuff continually. “Move fast and break things” is not a good mantra for education, nor for public institutions. If your company wants to do it your way, rather than a standard LTI 1.3 kind of way, and then refuses to budge because your API way (to simply manage single-sign-on!) is already built, you’re an ass. If you are ever told, “we don’t just enable every option in LTI 1.3 settings” and you turn around and suggest you need all those data options – you most definitely don’t. If we have a process that we tell you takes months to go through, no, it can’t go quicker. It’s literally my job to ensure the security of the data in the system you’re trying to connect to, so work with me, not against me. It’s not my fault you left it to the last minute before semester and are trying to rush the integration through, literally using teachers as a sacrificial wedge to bypass security, privacy and accessibility. You know what that makes you.

Oh, and when the vendor agreement allows an instructor to sign off for an entire institution? That’s no good.

Data greediness.

Outlined above a little bit, but when you ask for an API integration, you should be able to easily answer “What API calls are you making?”. If you have an LTI 1.3 integration, and we ask “what do you use this data for?” you should be able to answer that within minutes of asking. Dancing around that question just raises my suspicions. You might actually need all that data. In 20 years of doing this work, and probably working on 100+ integrations with the LMS and other tools, it’s happened twice. Those two vendors were very quick to respond with what they use each data point for, how long they kept it, and why they needed it for those functions. That’s excellent service. Also that wasn’t the salesperson… so yeah. Oh, and 99% of integrations between the LMS and something else can be done with LTI 1.3. Vendors out there, please use the standards. And get certified by IMS Global/1EdTech. It goes a long way to building your reputation.

Third-party malfeasance.

OK, it’s not that bad, but a new trend I’ve started seeing is a vendor using another vendor to manage something (usually data). EdLink is the sort of thing I’m thinking about here. EdLink allows easy connections between two unrelated vendors with no established connection method. So think, connecting McGraw Hill to your Student Information System (not the actual example I’m thinking of to be clear, we don’t have, or want, to connect McGraw Hill to our SIS). To be honest, this doesn’t bother me as much as some of the other grievances I’ve got – but obfuscating your partnerships and running all your data through a third party that we don’t have an agreement with is definitely something that raises an eyebrow or three. As one starts to think about what-if scenarios (also my job) it makes clarity around who has your data at what time and for how long all the more difficult. The service doesn’t bother me, as long as the middle-person in the scenario is an ethical partner of the vendor you’re engaging with. In many cases, you need to have a level of trust in the partner, and if they’ve shown themselves as less than trustworthy, then well, you’ve got a problem.

Again, I’m sure EdLink is fine, but when a vendor uses EdLink, and is presented with that fact, it’s a challenge for security experts as they not only have to do one analysis, but two. I understand why a vendor might try to frame EdLink as their own service, but it’s undeniable that it isn’t. So just be honest and upfront. You may pass by a team that doesn’t prioritize this level of detail, but we are not blind. We will figure it out.

One other big challenge with third parties acting on behalf of a vendor is that if there’s a problem, you typically have to go through the vendor to access the middle person’s support team to get it rectified. This adds a layer of complexity AND time to something that was likely intended to save time and hassle for the vendor.