Former DHS Boss Puts University Of California Employees Under Secret Surveillance
from the you-didn't-see-anything-so-you'd-better-not-say-anything dept
Former DHS boss Janet Napolitano -- who once stated she "doesn't use email" (for many reasons, but mainly to dodge accountability) -- is now showing her underlings at the University of California why they, too, might not want to "use email": someone might be reading them over their shoulders.
UC professor Christopher Newfield has the inside details of the recently-exposed monitoring system secretly deployed by the University of California (and approved by school president Napolitano) to keep tabs on the communications, web surfing and file routing of its employees. The SF Chronicle has an article on the secretly-installed spyware behind its paysieve [try this link], but Newfield has the internal communications.
The installation of the third-party monitoring software was so secretive that even the university's campus information technology committee was forbidden from discussing it with other staff. The committee has now decided to go public.
UCOP would like these facts to remain secret. However, the tenured faculty on the JCCIT are in agreement that continued silence on our part would make us complicit in what we view as a serious violation of shared governance and a serious threat to the academic freedoms that the Berkeley campus has long cherished.
The official excuse for the installation of intrusive spyware is "advanced persistent threats" possibly related to a cyberattack on the UCLA Medical Center last summer. How monitoring staff emails plays into the thwarting of "threats" hasn't been explained. Now that the secret's out, the university is claiming it's all good because policies prevent the university from using any intercepted information/communications for "nonsecurity purposes."
Some salient facts:
- The UCOP had this hardware installed last summer.
- They did so over the objections of our campus IT and security experts.
- For many months UCOP required that our IT staff keep these facts secret from faculty and others on the Berkeley campus.
- The intrusive hardware is not under the control of local IT staff--it sends data on network activity to UCOP and to the vendor. Of what these data consists we do not know.
- The intrusive device is capable of capturing and analyzing all network traffic to and from the Berkeley campus, and has enough local storage to save over 30 days of *all* this data ("full packet capture"). This can be presumed to include your email, all the websites you visit, all the data you receive from off campus or data you send off campus.
The university may have a policy forbidding this activity, but that's not really the same thing as guaranteeing abuse of this surveillance will never happen. Its belated not-an-apology offers no contrition for keeping this a secret from a majority of its staff. And the statement does not name the third party in charge of the collection and monitoring.
While it certainly isn't unusual for employers to monitor employees' use of company computers and devices, it's normally clearly stated in policy manuals, rather than installed surreptitiously and cloaked in deep secrecy.
As Newfield points out, no one was apprised of the monitoring until after it was underway. Some heard a few weeks after the monitoring was put in place (August of last year) when the university updated its security policies following the medical center breach. Many more heard nothing until the first week of December. Following the wider exposure, staffers were assured by the school's vice president that the monitoring would cease and the software would be removed.
The VP said one thing and the school did another.
On Jan. 12, 2016, The Berkeley Joint Committee on Campus Information Technology (JCCIT) met with Larry Conrad and others. The committee was informed that contrary to the Dec. 21, 2015 statements, UCOP had decided to continue the outside monitoring and not disclose any aspects of it to students or faculty.
At this point, the decision was made to go public. A letter was drafted and sent to school administration. It was also sent to the New York Times. This prompted the generation of bullshit from the Executive VP's office.
On Jan. 19, 2016, UCOP Exec. VP and COO Rachael Nava sent a letter to those who signed the Jan. 15, 2016 letter. The original version was marked "CONFIDENTIAL: DO NOT DISTRIBUTE" and invoked "Attorney-Client privilege". After several recipients responded to her via email questioning who is the client and why her letter must be kept secret, a revised version of the letter was sent the next day removing that language, stating: "All: Please accept my apologies with regard to the confusion on the attorney client privilege language on the letter. It was a clerical error and was not intentional. Please find a revised version of the letter with the language removed."
The full letter contains some truly incredible statements.
With respect to privacy, the letter and structure of the University’s Electronic Communications Policy (ECP) reflect the principle that privacy perishes in the absence of security. While the ECP establishes an expectation of privacy in an individual’s electronic communications transmitted using University systems, it tempers this expectation with the recognition that privacy requires a reasonable level of security to protect sensitive data from unauthorized access.
Privacy does not "perish" in the absence of security. This conflation of the two is ridiculous. If a malicious party accesses private communications, that's a security issue. If an employer accesses these communications, that's a privacy issue. Claiming to value privacy while secretly installing monitoring software (and then lying about removing said software) only serves to show the university cares for neither. By adding a third party to the monitoring process, the university has diminished the privacy protections of its staff and added an attack vector for "advanced persistent threats." It has effectively harmed both privacy and security and, yet, still hopes to claim it was necessary to sacrifice one for the other.
The other statement, tucked away as a footnote, absurdly and obnoxiously claims the real threat to privacy isn't the school, but people making public records requests.
Public Records Act requesters may seek far more intrusive access to the content of faculty or staff records than what the ECP permits for network security monitoring. The limits on the University’s own access to electronic communications under the ECP do not apply to Public Records Act requests.
Meanwhile, the school's tech committee has pointed out its IT staff is more than capable of handling the privacy and security of the network and, quite obviously, would show more respect for their colleagues' privacy while handling both ends of the privacy/security equation.
It's perfectly acceptable for entities to monitor employees' use of communications equipment. But you can't do it this way. You can't install the software secretly, swear certain employees to secrecy, not tell anyone else until the secret is out in the open, promise to roll it back and then secretly decide to do the opposite, etc. And when challenged, you can't play fast and loose with "security" and "privacy" as if they were both the same word spelled two different ways.
[Update: a TD reader has given us a copy of Janet Napolitano's response to the outcry over the school's secret surveillance efforts. A new post on that letter is on the way. If you'd like a head start, it's embedded below.]
Filed Under: deep packet inspection, dhs, janet napolitano, surveillance
Companies: university of california
Reader Comments
Put your money, medical data and emails where your mouth is
Given this seems to be a pretty common defense of indiscriminate spying, sometimes private, usually governmental, I think it would be only fair for those making the claim to show how much they believe what they're saying, by putting their own private data on the line.
Demand that anyone using that excuse have all of their private data collected and stored as well, and if the collected data is ever used in a way that violates the 'policies' against misuse, or if someone hacks in and gets the data, then the private data, all of it, of the one making that excuse is made public.
It's easy to defend indiscriminate data collection when your personal data isn't on the line, but I imagine if it were there would be a lot less people doing so.
[ link to this | view in chronology ]
Is anyone shocked to see someone from DHS decide that the best course of action is to secretly spy on those they have power over and sharing that data with an outside 3rd party? Deny it is happening, find some "legal" way to justify it, say you are stopping and double down.
So who is going to use the Public Records Act request to start digging into what Big Sis has been up to and look for the secret list of people they needed to monitor more?
[ link to this | view in chronology ]
Just the tip of the iceberg
[ link to this | view in chronology ]
Re: Just the tip of the iceberg
I've been telling people for decades to get their own net connection and not simply mooch it off their employer. There are far too many ways for that to blow up in your face, and rightly so. Employers have both the right and the duty to protect their network. Our privacy and security, not so much.
[ link to this | view in chronology ]
You're doing it wrong
The university has -- quite effectively -- compromised itself. There's really no need for an attacker to go through all the trouble and tedium of setting up comprehensive surveillance of university systems/networks: it's already been done for them, for free.
All they have to do is tap into the goodies, either on the campus or at the vendor. (The latter's probably easier, since they're outsiders with no professional association. A suitable bribe would probably suffice. Why not? Who would know?)
I've done IT work, including security, at several major universities over the past few decades. This is one of the most appallingly stupid things I've ever seen a campus do to itself, and there's a lot of competition for that dubious honor.
[ link to this | view in chronology ]
Re: You're doing it wrong
How many universities have a president or other senior officer who used to work for the US government? Any correlation between that and the stupidity? Or am I just seeing a big coincidence?
[ link to this | view in chronology ]
Re: Re: You're doing it wrong
[ link to this | view in chronology ]
Re: Re: You're doing it wrong
There was a lot of silly stuff that came out of those hippies in Berkeley back in the sixties. Seeing this level of fascist dumbth come out of there too is pretty surprising. That pendulum sure has swung.
[ link to this | view in chronology ]
"It's perfectly acceptable for entities to monitor employees' use of communications equipment." As university faculty myself, I point out that the expectations of freedom in access to information (and attendant freedom from unreasonable or potentially coercive monitoring of this access) are considerably higher at an academic institution than in a private business, as both of these are prized cornerstones of university culture.
[ link to this | view in chronology ]
Re: perfectly acceptable??
No, it really isn't that way at all. How naive.
You can go read this professor's book
http://www.abc.net.au/radionational/programs/latenightlive/algorithms-gone-wild/7136948
Frank Pasquale
Professor of Law
University of Maryland
The Black Box Society:
The Secret Algorithms That Control Money and Information
[ link to this | view in chronology ]
Re: Re: perfectly acceptable??
[ link to this | view in chronology ]
Re: Re: Re: perfectly acceptable??
It can be, but it's usually not very good at it.
[ link to this | view in chronology ]
Does anyone else see the irony here?
[ link to this | view in chronology ]
Re:
They needed to set up an advanced persistent threat, and did so. Now all that any outsider has to do to gain survey intel needed for a targeted attack is to infiltrate the vendor and sift through the already-captured data.
That pretty much sums up what APTs are for.
[ link to this | view in chronology ]
And then they're sending all this data... to an outside vendor. Aside from the obvious security risk, will an outside vendor be bound by the same legal restrictions on sharing private information as a state university? Would a private vendor fight a subpoena for, say, someone's library records as strongly as a university would?
No wonder President Napolitano's office was so eager to keep this secret.
[ link to this | view in chronology ]
Legality?
Sure it might be for a private institution, but it's been found by multiple courts that public schools have the same restrictions as the government does. I mean, these universities get their own sanctioned police force for crying out loud. That means they're bound by the U.S. Constitution.
It'll be interesting to see if there is a lawsuit. I can just see campus lawyers cringing. Especially given the likelihood that FERPA was violated.
[ link to this | view in chronology ]
Re: Legality?
[ link to this | view in chronology ]
Re: Re: Legality?
[ link to this | view in chronology ]
Networks are hostile
[ link to this | view in chronology ]
It isn't just email
[ link to this | view in chronology ]
Privacy perishes in the absence of security.
There is security in the "national security" sense, which means exactly the opposite.
The phrase, "...privacy perishes in the absence of security," conflates these. When this is used, the correct thing is to ask, "I need clarification: when you say 'security,' did you mean 'eliminating my encryption, ignoring my access protections and disdaining my legal rights'?"
[ link to this | view in chronology ]
Re: Privacy perishes in the absence of security.
If privacy perishes in the absence of security, that crucial distinction has apparently been lost on her.
[ link to this | view in chronology ]
Re: Re: Privacy perishes in the absence of security.
Sure, there are exceptions, but it's always a tradeoff, and the balance always falls on the "decrease" side.
[ link to this | view in chronology ]
Re: Re: Re: Privacy perishes in the absence of security.
Surveillance on its own decreases security, but then we are back to ignoring the potential benefits, like the tech-race (It improves security to prevent surveillance), the scientific effects (Surveillance is making data-comparison easier and therefore increase the chance of finding tendencies and therefore provide an opportunity for rulers to act on these tendencies before they become apparent in other ways) and the notion should be that surveillance is temporary and targeted to avoid haystack problems and permanent reliance on it, which most surveillance nutters haven't understood.
Because of that the balance is always on the "decrease" side in the short term. In the long term, surveillance can be an "increase"-tool if used with caution and care.
[ link to this | view in chronology ]
However: in all of that time, every senior university administrator that I encountered was absolute scum, and the more senior they were the worse it got.
[ link to this | view in chronology ]
But...the IT staff
[ link to this | view in chronology ]
Re: But...the IT staff
Given some of the APT alerts I've seen coming out of the FBI, it seems that they might possibly have at least had access to this data....
[ link to this | view in chronology ]
Re: Re: But...the IT staff
The CIA's been known for a long time for owning front companies and hiding that ownership from everyone. This wouldn't be the first time. This is a pretty sleazy way to make an end run around the Constitution.
[ link to this | view in chronology ]
Napolitano, what did anyone expect?
[ link to this | view in chronology ]
Re: Napolitano, what did anyone expect?
But apparently she is above the law along with every other government employee.
[ link to this | view in chronology ]
Re: Re: Napolitano, what did anyone expect?
I've been trying to understand this phenomenon too. Experts say it's unlikely Hillary Clinton will be charged with anything because they believe she thought she wasn't breaking any law.
Why didn't that excuse work for Aaron Swartz? He didn't believe he was doing anything wrong either.
[ link to this | view in chronology ]
Really?
Sounds like a challenge to me. Find the largest (or the most appropriate) file available on the campus and start running wget/curl against it. Ever hear of "while (true)" loops?
On every system. All of the time. Oh, so the school systems are managed? I'm sure someone or two in the dorm has their own personal system.
And make sure it's NOT HTTPS so they can more easily read the file, especially if an old piece of trash is being fetched, say the Constitution.
Why are we importing terrorism? We've already got our own. (We have met the enemy, and he is us.)
[ link to this | view in chronology ]
Maybe prospective students should read their contracts,
Branding is pretty much the same in education as in commercial services. The bigger the brand the more sordid the history. The only reason they have as much market share as they do, is because most consumers don't do their research. Advertising isn't about reputations, it is about HIDING reputations.
[ link to this | view in chronology ]
When you are as dumb as a hammer ...
[ link to this | view in chronology ]
Who's running the show?
After all, DHS is all in favor of US citizens not having any, and they've gone to great lengths to prove it.
Their motto is "See something? Say something." Spying on one another is the true test of citizenship.
That includes universities and their employees.
[ link to this | view in chronology ]
Spying's purpose
*It’s Never to Protect Us From Bad Guys*
No matter which government conducts mass surveillance, they also do it to crush dissent, and then give a false rationale for why they’re doing it.
http://www.washingtonsblog.com/2014/01/government-spying-citizens-always-focuses-crushing-dissent-keeping-us-safe.html
[ link to this | view in chronology ]
Then all of this data/info should be handed over to the students
[ link to this | view in chronology ]