Napolitano Says She's Always Wanted To Talk About The Secret Surveillance She Hasn't Talked About Since Last August

from the it's-all-just-a-big,-opaque,-pitch-black,-secretive-misunderstanding! dept

A Techdirt reader has sent us a copy of former DHS head/current University of California President Janet Napolitano's official response to the outcry over the secret surveillance of UC staffers -- surveillance she personally approved.

Napolitano's letter to UC-Berkeley employees immediately ties the secretive surveillance implementation to the UCLA Medical Center cyberattack, just in case anyone (and it's a lot of anyones) feels the effort was unwarranted.

A group of faculty members at the Berkeley campus has articulated concerns regarding some of the security measures we adopted in the wake of the UCLA cyberattack last year. The concerns focus on two primary issues: whether systemwide cyber threat detection is necessary and whether it complies with the University’s Electronic Communications Policy (ECP); and why University administrators failed to publicly share information about our response to the cyberattack.
If your privacy is being compromised, the real villains here are the people behind the cyberattack. As for the secrecy surrounding it, Napolitano seems to indicate she'd like to discuss it, but immediately abandons that line of inquiry to blame disgruntled staffers and the media for misrepresenting her snooping initiative.
The Berkeley faculty members have shared their concerns with colleagues at other campuses and with various media outlets. Unfortunately, many have been left with the impression that a secret initiative to snoop on faculty activities is underway. Nothing could be further from the truth.
Please explain.
I attach a letter from Executive Vice President and Chief Operating Officer Nava explaining the rationale for these security measures.
Great, except that Nava's letter arrived five months after the program was implemented and two months after a university official said the program would be shut down -- a statement which itself preceded (by a month) the news that the program has actually been allowed to continue uninterrupted.

Napolitano claims there was no secrecy.
As you know, leadership at all levels, including The Regents, Academic Senate leadership, and campus leadership, has been kept apprised of these matters, including through the establishment and convening of the Cyber Risk Governance Committee (CRGC). The CRGC, comprises each campus’s Cyber Risk Responsible Executive (CRE), as well as a representative of the University’s faculty Senate, the General Counsel, and other individuals from this office with responsibility for systemwide cybersecurity initiatives.
Yes, look at all the people who were informed! And were apparently informed they could not pass this information on to anyone else!

From our earlier post on the subject -- directly from some of those on Napolitano's "approved" list.
UCOP would like these facts to remain secret. However, the tenured faculty on the JCCIT are in agreement that continued silence on our part would make us complicit in what we view as a serious violation of shared governance and a serious threat to the academic freedoms that the Berkeley campus has long cherished.

[...]

For many months UCOP required that our IT staff keep these facts secret from faculty and others on the Berkeley campus.
This assertion directly contradicts Napolitano's depiction of the events.
I have from the beginning directed my staff to make every effort to actively engage with all stakeholders and to minimize to the extent possible the amount of information that is not shared widely.
This seems highly unlikely, considering no one began publicly talking about this secret surveillance until just recently. If the information had been widely disseminated (as Napolitano claims she directed), the backlash would have begun months ago.

And, of course, Napolitano is all about that privacy.
Personal privacy and academic freedom are paramount in everything we do. But we cannot make good on our commitment to protect individual privacy without ensuring a sound cybersecurity infrastructure. While we have absolutely no interest in the content of any individual’s emails or browsing history, we must accept that active network monitoring is a critical element of a sound cybersecurity infrastructure and the interconnectedness of the University and all of its locations requires that such monitoring be coordinated centrally.
School officials -- at least those allowed to see email content/web browsing history -- may claim they have "no interest" in seeing it, but that doesn't change the fact that any of them can access it without fear of repercussion. Not only that, but a third party has access to this same data -- a third party Napolitano won't identify.

She closes her official "this is all fully justified because cyber" letter with the same assertion so many officials make when secret goings-on are dragged out into the sunlight: "I've always wanted to have this discussion I'm now being forced to have!"
I invite further robust discussion and debate on this topic at upcoming meetings of the CRGC and COC.
That's just disingenuous. Don't extend an invitation to a conversation you can no longer avoid.

As the TD reader who sent this over explains, they're not exactly thrilled the former DHS head is using a privacy breach to further undermine UC staffers' privacy.
This sort of thing, by the way, is exactly the reason that everyone had the "say what?" reaction when Napolitano was appointed. This is why people were concerned.

P.S. I'm one of the people whose information was compromised in the UCLA Med Center hack, and don't appreciate their screw-up then being used as an excuse to screw us over now.

Filed Under: cyber attacks, cybersecurity, dhs, janet napolitano, surveillance, transparency
Companies: university of california


Reader Comments

  • That One Guy, 4 Feb 2016 @ 7:36am

    'To better protect your privacy, we will be violating it as much as we can.'

    Personal privacy and academic freedom are paramount in everything we do. But we cannot make good on our commitment to protect individual privacy without ensuring a sound cybersecurity infrastructure.

    In other news an unnamed university official was heard saying that to better protect the dignity of those on campus, mandatory strip-searches will be implemented, and to better protect the diversity and ecology of the flora and fauna of the surrounding area, all plants and animals would be lit on fire and killed respectively.

  • Anonymous Coward, 4 Feb 2016 @ 9:39am

    Not at all surprised. This is the same UC head that's attempted to criminalize certain strains of activism as hate speech...

  • Anonymous Anonymous Coward, 4 Feb 2016 @ 10:05am

    Distance Learning

    Has anyone else noticed that UCLA and UC-Berkeley are like some 500 miles apart? If there is a potential breach of UCLA's network, wouldn't it be better to address it in say...LA rather than Berkeley, just north of Oakland, across from San Francisco? While they are part of the same state university system they are NOT the same campus.

    Could it be that Berkeley has a reputation of being a bit more radical (at least in some people's point of view) and got included because of that? What about the rest of the UC system. Were they included or excluded? Should they be upset because they were included or because they were excluded? Or, should their ire be because of the enormous entitlement of any administrator who had the chutzpah to implement such a shameful act of intrusion?

    • Anonymous Coward, 4 Feb 2016 @ 10:29am

      Re: Distance Learning

      Has anyone else noticed that UCLA and UC-Berkeley are like some 500 miles apart?
      500 miles x 5280 feet/mile x 1 nanosecond/foot = about 2½ milliseconds

      Geography is not network topology.

      • Anonymous Coward, 4 Feb 2016 @ 10:36am

        Re: Re: Distance Learning

        500 miles x 5280 feet/mile x 1 nanosecond/foot = about 2½ milliseconds
        Should correct for speed in a dielectric. 67% is close enough.

        2½ milliseconds x 1½ = 3¾ milliseconds. Round to 4 milliseconds in fiber, give or take.

        Geography is still not network topology.

      • Anonymous Anonymous Coward, 4 Feb 2016 @ 10:52am

        Re: Re: Distance Learning

        Neither UCLA nor UC-Berkeley are small entities. I bet they have dedicated IT departments in each location.

        Do you think the firewalls for the UCLA medical clinic are in Berkeley, or in LA? Which would be a cheaper implementation, a firewall in Berkeley and an uninterrupted fiber line to LA or Internet in-between with firewalls in both locations using VPNs for interconnection? Even the UC system has monetary restraints. The cost of dedicated lines over that kind of distance is significant.

        I once had the chief architect for a large bank explain how they put together their fail-over system between data centers in Minnesota, Arizona, and California and how it worked. Two dedicated fiber lines on each leg of the triangle with two ISPs at each location. Not cheap, it took a long time to complete, and a bank is not a university.

        Think also about HIPAA compliance issues.

    • sorrykb, 4 Feb 2016 @ 10:56am

      Re: Distance Learning

      It's my understanding that has been (or will be) rolled out across all 10 University of California campuses.

      So it could affect (using 2013 stats, rounded):
      240,000 students
      195,000 faculty and staff (inc. medical centers)
      + Unknown # of external researchers, general public, and med ctr patients

      • sorrykb, 4 Feb 2016 @ 10:58am

        Re: Re: Distance Learning

        Also for clarification: The "Chancellors" addressed in the first letter are the heads of each of the individual UC campuses, and the other letter is for ALL UC faculty.

      • tqk, 4 Feb 2016 @ 7:56pm

        Re: Re: Distance Learning

        You forgot about all those poor, certainly innocent employees of the CIA front Op that Napolitano was having do this, where the data was going.

    • Anonymous Coward, 4 Feb 2016 @ 2:03pm

      Re: Distance Learning

      Has anyone else noticed that UCLA and UC-Berkeley are like some 500 miles apart?
      Btw, I checked. I get about 550 kilometers between campuses. Not miles. Kilometers.

    • aerilus, 5 Feb 2016 @ 4:05am

      Re: Distance Learning

      I know in NC there is a centralized fiber network called NCREN that all universities and hospitals connect to; then all traffic flows out of it to the internet. If things are similar in California this should be viewed as a bigger deal. Using layer 4 stuff to analyze packet content has nothing to do with good security and it is just a bunch of crap imo.

  • TomStone, 4 Feb 2016 @ 10:27am

    Napolitano

    We had to destroy the University to save it.

  • That Anonymous Coward, 4 Feb 2016 @ 10:28am

    "engage with all stakeholders"

    Also read as, I told the people in power because the rest of you don't matter. I told them all of the wondrous things it would do for us and never mentioned any downsides. Total surveillance on our serfs is the proper response, so that we can make sure they don't do anything wrong as defined by our whims.

    You're doing a heck of a job Big Sis...

    • Anonymous Coward, 4 Feb 2016 @ 10:50am

      Re:

      "All stake holders" apparently means anyone holding a big enough stick with which to beat anyone else who questions their authority into submission.

  • Anonymous Coward, 4 Feb 2016 @ 10:44am

    When that lack of discussion with the main interests of the common students and professors is the main problem, you are merely fueling the conspiracies by not calming the discussion with facts or at least something resembling it so people defending her have at least a party-line to grab!

    With this she comes off looking like a lobbyist trying to force her secret company's snakeoil on a university!

  • Jeremy Lyman, 4 Feb 2016 @ 10:57am

    cyber cyber cyber

    Whenever I see someone using "cyber" that much I can't help but think they've paid someone altogether too much money for something they cannot possibly understand.

  • Groaker, 4 Feb 2016 @ 12:03pm

    Voyeur

  • Rich Kulawiec, 4 Feb 2016 @ 1:04pm

    Ahem...

    While we have absolutely no interest in the content of any individual’s emails or browsing history, we must accept that active network monitoring is a critical element of a sound cybersecurity infrastructure and the interconnectedness of the University and all of its locations requires that such monitoring be coordinated centrally.

    Bullshit. All of it: bullshit.

  • Anonymous Coward, 4 Feb 2016 @ 3:40pm

    Napolitano still has the stink of government on her.

  • Cpt Feathersword, 4 Feb 2016 @ 4:19pm

    Don't worry, we disclosed it to our secret Committee

    "Leadership at all levels... has been kept apprised" by convening a "Cyber Risk Governance Committee (CRGC)" which comprises one nameless administrator from each campus ("each campus’s Cyber Risk Responsible Executive"), one "representative of the University’s faculty Senate," and unspecified minions from Napolitano's office.

    A single, unnamed faculty member from one of the ten campuses was let in on the secret. That is how Napolitano keeps the faculty "apprised."

    She appoints her pet committee to be the venue within which she invites "robust discussion and debate". Of course everyone on the committee works for her, except the lone faculty representative.

    I suppose the Med Center incident simply gave the Napolitano administration a plausible excuse to cover something they were preparing to do anyway.

  • tqk, 4 Feb 2016 @ 8:11pm

    Who hired her?

    Perhaps we should start with firing the entire board of regents who hired this nincompoop who dragged the name of a distinguished institution of learning into the mud and sold all of its employees and customers' PII to a commercial third party in an insane and imbecilic abuse of "security" in order to protect the institution itself. I'd love to learn the name of the person who first nominated her for the job. Off with their head!

    What a mess.

  • Anonymous Coward, 4 Feb 2016 @ 10:22pm

    I am fairly certain she could probably be arrested for violating people's rights, or at the very least charged now that this is a private corporation doing it and not as part of the government.

    Unless of course she is still treated as exempt from the laws the little people have to follow.

  • Anonymous Coward, 5 Feb 2016 @ 5:03am

    Jack Ass.

  • Anonymous Coward, 5 Mar 2016 @ 3:37am

    I have from the beginning directed my staff to make every effort to actively engage with all stakeholders...


    This seems very likely. Considering it from her being my boss and who she is, I am the stakeholder who could very quickly become a non-steak holder
