Covid restrictions have had an impact on pretty much everything. Most, if not all, universities across the globe moved from face-to-face to online teaching. The University of Malta is home to 11,850 students on a range of 930 courses, including 1,242 international students from 119 different countries. Nevertheless, and in line with many other educational institutions, the start of this academic year saw ‘most students come back physically to campus’.
It’s a little surprising then to find the American University of Malta has been on remote teaching for Fall 2021. Its current student intake is approximately 128 and, with such slim numbers, the spacious historical building in which they pursue their studies is tailor-made for social distancing. Last year, at the height of the pandemic, the Provost stated that programmes were ‘being conducted both in lecture rooms, with the necessary safety requirements, and remotely’.
In the AUM’s Student Orientation Video 2021, there’s no indication that the AUM isn’t going to be offering face-to-face classes. The Student Affairs Manager, Dave O’Shaughnessy, reminds the (invisible) students to put on their masks before entering the building as he takes the ‘new students on a little trip around our fabulous university’. The lonely receptionist, Richard Azzopardi, is there to help the invisible students, whose anticipated presence is diminished by remote teaching. There are sanitising areas in the vast interior where the remote students can protect their hands before entering via Zoom.
O’Shaughnessy pauses briefly in front of one of those motivational pictures I saw during my visit to the AUM’s Open Day 2019. He reads a quote from Nikola Tesla: ‘If you want to find the secrets of the universe, think in terms of energy, frequency and vibration.’ All 3 echo around the empty university premises he guides us through. The student lounge area ‘is currently closed due to Covid 19’, but remote teaching effectively removes the need for on-campus relaxation.
In the silence of the library, you can ‘reach out’ to the librarian and her scarcity of books, yet ‘a bit of etiquette’ is required when it comes to people’s offices. Knocking on doors is ‘something we do here at AUM’ because all those hordes of staff ‘might be busy in meetings or something’. There’s a moment of shared laughter when O’Shaughnessy introduces us to the Registrar, Akin Moroglu, who’s ‘really busy right now, getting ready for registration’. Sitting alone in his big office doing nothing, the comedy factor shines through.
In a theatrical removal of the fourth wall, we get a glimpse of the man behind the camera, Jesmar Zammit. As well as graphic design and photography, Zammit does web maintenance and updating, presumably complying with the EU’s data protection law as stipulated in the GDPR Policy on the AUM’s website.
We also get a glimpse of the Admissions and Recruitment Office where, says O’Shaughnessy, ‘as you can see, everyone is busy in there at this moment in time, you know.’ If knowing is reflected by seeing then busy isn’t how I’d describe the solitary person who interrupts a moment of nothingness to give us a wave from inside another massive empty office.
After an introduction to the IT guys – hopefully also familiar with GDPR – there’s a special add-on extra at the end when we’re taken to ‘the deck’ – an outside balcony with chairs and tables positioned in line with Covid regulations where we’re shown ‘the million dollar view here that we have at AUM’. According to figures reported a year ago, ‘the American University of Malta has racked up a total of €11.27 million in losses in the space of two years’ – €5.89 million in 2018 and €5.37 million the following year. If it’s continued down the same path, it will have racked up a further €11.26 million by now, with the question being who’s paying for the view and how?
The promo video was made in August 2021 and O’Shaughnessy’s bids us farewell with the hope he sees us soon, either in person or online. Presumably the AUM knew then which it would be, particularly as August 23rd is cited as the first day of class and the deadline for tuition and fee payment. If I was paying, I’d want to know if this was for real or not.
I’d also want to know that Jesmar Zammit – the website dude who’s also in charge of photography for the ID cards – is a responsible kind of guy and not some flashy DJ who might ID me at a place like Hugo’s Terrace. I’d want to know he’s a man I can trust.
I’d want to know that the GDPR policy available on the website which DJ Jesmar updates is being faithfully adhered to and my data is safe with him and with the IT guys and with anyone else at the Jordanian University of Baksheesh.
If past performance is anything to go by, I’d have my doubts. It seems there was a hacker in Hani Salah’s midst. This hacker wasn’t only gaining access into the university system, but he was busy prying into private emails, too. Despite being hoodwinked by Keith Schembri’s feigned interest in enrolling on an MBA, even the former rector, Professor John Ryder, could smell a rat. In a memo detailing various issues, including unpaid salaries and rent, he writes:
‘There is reason to believe that at least my emails are being read by someone at Sadeen. I expect that activity to end immediately. I assume it goes without saying that there can also be no bugged rooms or phones.’
Bugged rooms? Bugged phones? In a university where the AUM Honor Code is there ‘to promote a stronger sense of mutual responsibility, respect, trust, and fairness among all members of the AUM community’? Is espionage outlined or outlawed in its Code of Ethics?
Back in October 2016, before the AUM opened its doors to a mass influx of students, Tha’er Salah gave reassurance that he had control of both the AUM’s info mail box ([email protected]) and ‘the other one related to Sadeen Malta.’
Not long after, Ryder emailed Tha’er Salah saying he’d installed TeamViewer and sent his ID and password as requested. However, Ryder expresses concerns about Tha’er Salah having ‘to reach into the computer in each case…especially since those devices are personal’.
Ryder further states that he must be able to access the Sadeen education address from his home computer, his iPad and his iPhone. Happy to ‘crate’ (sic) all emails at Ryder’s request, Tha’er Salah continues to reassure him that help is just a click away.
Usually, hackers have to crack passwords and codes but, as these emails show, Tha’er Salah merely asked for what he needed on the basis of trust. After all, Tha’er was not only the IT specialist at the AUM but he’s also Hani Salah’s nephew.
Daphne Caruana Galizia saw little to trust when she posted pictures of Tha’er Salah, ‘the man to whom the American University of Malta website is registered’, way back in May 2015. ‘Our government is becoming scarier by the day,’ she wrote.
The extent of the hacking and KGB-style surveillance at the AUM – a Malta government initiative – is terrifying. Unconfirmed reports suggest that phones were indeed bugged and used to listen in to conversations in private offices. Email evidence of hacking is conclusive and extensive.
Hacking is a cyber-crime, punishable by law. In response to the revelations about Pegasus spyware being used to infect journalists’ phones, the EU Commissioner, Didier Reynders, was very clear:
The AUM may pretend to be American while run by Jordanians but its location in Malta means it must abide by EU laws. Seems not as an email sent by a faculty member to Ryder was intercepted and forwarded to Louai Twal (then legal representative for Sadeen), Nasser Zayyat (originally academic head of the AUM) and Khaled El-Zayyat (the AUM’s first Vice-President of Global Initiatives) from H.S. (Hani Salah?) at gcscontracting.com. GCS – Gulf Co-Operation Symbols – is a member of Sadeen Group.
Sent from an iPhone, nothing was safe and if any faculty members were ‘leaking information to the press’ then their every move was being watched.
Emails from ex-Times of Malta journalist, Ivan Camilleri, to John Ryder were also being intercepted and forwarded.
Nothing in this hallowed academic institution was sacred. In the following email, Walid Soudi – an accountant brought to the AUM from the Sadeen Group in Jordan – reports to Louai Twal that 2 staff members ‘are still contacting with the media’ and requests advice on ‘proper action’ to be taken. As well as copying 4 others into this email, 11 attachments are included, hacked from one staff member’s private email address. When Walid Soudi sent this email, both staff members mentioned had already been fired.
And shame on those who didn’t heed Tha’er Salah’s warning not to use their personal email, although what did it matter when he had access to them all?
According to an email originally sent by AUM’s IT support and then forwarded by the quick-fingered Tha’er Salah, not using personal email will increase ‘the credibility and take you out of suspicion zone being a company that is not well known or being a fraud or not a trusted company.’ God forbid you might reveal yourself as a fake university which breaches GDPR, all known privacy codes and the conditions under which you came into existence.
As for being a trusted company, not only did the AUM fire most of its faculty just before their six-month probationary period was up but – again courtesy of Tha’er Salah – it took full backup of their computers before they left. The extent of this scandal is mind-blowing.
The AUM failed its most recent Quality Assurance Audit (2020) and one of the many areas needing improvement was Information Management. The assessment panel observes that:
‘in the documentation provided, there was a link to a platform (http://learning.aum.edu.mt/studsect.cfm); the use of this platform, however, was not mentioned during the audit. Furthermore, it has also been observed that the website was not secure. During the audit, the panel has been notified that such a system is not in service anymore and not being used by the university.’
Ryder took Tha’er Salah’s word for it when asked to supply confidential information. Staff members used their work and personal computers assuming their privacy was secured. When I tried to access the offending weblink, the message was far from reassuring:
Amongst its ‘Recommendations for improvement’, the Audit states that:
‘The institution shall, before the beginning of the 2021/2022 academic year, make sure that any systems which are not being used anymore, are decommissioned so as to reduce risks, such as security breaches.’
But these security breaches were, and possibly still are, a matter of course for the AUM, its modus operandi. They were carried out with the full knowledge and blessing of those in charge of, and responsible for, the institution. The security breaches were carried out by Sadeen’s AUM.
In the AUM’s Proposed GDPR Policy Document published on their website, they say ‘AUM will appoint a Data Protection Representative to who shall serve as the contact person in relation to data protection matters.’ There is no sign of this person on the list of staff provided on their website and, according to his Linkedin profile, Tha’er Salah is still the IT Regional Manager for Sadeen Group, a position he’s held since 2010.
Organisations in breach of GDPR can face fines of up to 4% of their annual global turnover or €20 million, whichever is greater. Given the AUM is already in serious financial hot water, this would be a serious blow to them alongside the resulting reputational damage to a reputation damaged from its inception.
The normalisation of surveillance and hacking at the AUM intensifies alarm at the appointment of the wife of Adrian Hillman (the latter now charged with money laundering, fraud and bribery) as director of the AUM’s only academic institute: the Data, Media and Society Centre. Promising an ‘education for various members of society to help them learn more about digital media technologies’ implications, risks and opportunities’, all evidence indicates the risks come from within.
Having failed its external quality assurance audit, perhaps the NCFHE under its new guise of the Malta Further and Higher Education Authority might want to rethink the one-year extension on the AUM’s license. Cybercrime is punishable by law, through fines and/or imprisonment.