Former DHS Boss Puts University Of California Employees Under Secret Surveillance

from the you-didn't-see-anything-so-you'd-better-not-say-anything dept

Former DHS boss Janet Napolitano — who once stated she “doesn’t use email” (for many reasons, but mainly to dodge accountability) — is now showing her underlings at the University of California why they, too, might not want to “use email”: someone might be reading them over their shoulders.

UC professor Christopher Newfield has the inside details of the recently-exposed monitoring system secretly deployed by the University of California (and approved by school president Napolitano) to keep tabs on the communications, web surfing and file routing of its employees. The SF Chronicle has an article on the secretly-installed spyware behind its paysieve [try this link], but Newfield has the internal communications.

The installation of the third-party monitoring software was so secretive that even the university’s campus information technology committee was forbidden from discussing it with other staff. The committee has now decided to go public.

UCOP would like these facts to remain secret. However, the tenured faculty on the JCCIT are in agreement that continued silence on our part would make us complicit in what we view as a serious violation of shared governance and a serious threat to the academic freedoms that the Berkeley campus has long cherished.

Some salient facts:

– The UCOP had this hardware installed last summer.

– They did so over the objections of our campus IT and security experts.

– For many months UCOP required that our IT staff keep these facts secret from faculty and others on the Berkeley campus.

– The intrusive hardware is not under the control of local IT staff–it sends data on network activity to UCOP and to the vendor. Of what these data consists we do not know.

– The intrusive device is capable of capturing and analyzing all network traffic to and from the Berkeley campus, and has enough local storage to save over 30 days of *all* this data (“full packet capture”). This can be presumed to include your email, all the websites you visit, all the data you receive from off campus or data you send off campus.

The official excuse for the installation of intrusive spyware is “advanced persistent threats” possibly related to a cyberattack on the UCLA Medical Center last summer. How monitoring staff emails plays into the thwarting of “threats” hasn’t been explained. Now that the secret’s out, the university is claiming it’s all good because policies prevent the university from using any intercepted information/communications for “nonsecurity purposes.”

The university may have a policy forbidding this activity, but that’s not really the same thing as guaranteeing abuse of this surveillance will never happen. Its belated not-an-apology offers no contrition for keeping this a secret from a majority of its staff. And the statement does not name the third party in charge of the collection and monitoring.

While it certainly isn’t unusual for employers to monitor employees’ use of company computers and devices, it’s normally clearly stated in policy manuals, rather than installed surreptitiously and cloaked in deep secrecy.

As Newfield points out, no one was apprised of the monitoring until after it was underway. Some heard a few weeks after the monitoring was put in place (August of last year) when the university updated its security policies following the medical center breach. Many more heard nothing until the first week of December. Following the wider exposure, staffers were assured by the school’s vice president that the monitoring would cease and the software would be removed.

The VP said one thing and the school did another.

On Jan. 12, 2016, The Berkeley Joint Committee on Campus Information Technology (JCCIT) met with Larry Conrad and others. The committee was informed that contrary to the Dec. 21, 2015 statements, UCOP had decided to continue the outside monitoring and not disclose any aspects of it to students or faculty.

At this point, the decision was made to go public. A letter was drafted and sent to school administration. It was also sent to the New York Times. This prompted the generation of bullshit from the Executive VP’s office.

On Jan. 19, 2016, UCOP Exec. VP and COO Rachael Nava sent a letter to those who signed the Jan. 15, 2016 letter. The original version was marked “CONFIDENTIAL: DO NOT DISTRIBUTE” and invoked “Attorney-Client privilege”. After several recipients responded to her via email questioning who is the client and why her letter must be kept secret, a revised version of the letter was sent the next day removing that language, stating: “All: Please accept my apologies with regard to the confusion on the attorney client privilege language on the letter. It was a clerical error and was not intentional. Please find a revised version of the letter with the language removed.”

The full letter contains some truly incredible statements.

With respect to privacy, the letter and structure of the University’s Electronic Communications Policy (ECP) reflect the principle that privacy perishes in the absence of security. While the ECP establishes an expectation of privacy in an individual’s electronic communications transmitted using University systems, it tempers this expectation with the recognition that privacy requires a reasonable level of security to protect sensitive data from unauthorized access.

Privacy does not “perish” in the absence of security. This conflation of the two is ridiculous. If a malicious party accesses private communications, that’s a security issue. If an employer accesses these communications, that’s a privacy issue. Claiming to value privacy while secretly installing monitoring software (and then lying about removing said software) only serves to show the university cares for neither. By adding a third party to the monitoring process, the university has diminished the privacy protections of its staff and added an attack vector for “advanced persistent threats.” It has effectively harmed both privacy and security and, yet, still hopes to claim it was necessary to sacrifice one for the other.

The other statement, tucked away as a footnote, absurdly and obnoxiously claims the real threat to privacy isn’t the school, but people making public records requests.

Public Records Act requesters may seek far more intrusive access to the content of faculty or staff records than what the ECP permits for network security monitoring. The limits on the University’s own access to electronic communications under the ECP do not apply to Public Records Act requests.

Meanwhile, the school’s tech committee has pointed out its IT staff is more than capable of handling the privacy and security of the network and, quite obviously, would show more respect for their colleagues’ privacy while handling both ends of the privacy/security equation.

It’s perfectly acceptable for entities to monitor employees’ use of communications equipment. But you can’t do it this way. You can’t install the software secretly, swear certain employees to secrecy, not tell anyone else until the secret is out in the open, promise to roll it back and then secretly decide to do the opposite, etc. And when challenged, you can’t play fast and loose with “security” and “privacy” as if they were both the same word spelled two different ways.

[Update: a TD reader has given us a copy of Janet Napolitano’s response to the outcry over the school’s secret surveillance efforts. A new post on that letter is on the way. If you’d like a head start, it’s embedded below.]

Companies: university of california


Comments on “Former DHS Boss Puts University Of California Employees Under Secret Surveillance”

39 Comments
That One Guy (profile) says:

Put your money, medical data and emails where your mouth is

Now that the secret’s out, the university is claiming it’s all good because policies prevent the university from using any intercepted information/communications for “nonsecurity purposes.”

Given this seems to be a pretty common defense of indiscriminate spying, sometimes private, usually governmental, I think it would be only fair for those making the claim to show how much they believe what they’re saying, by putting their own private data on the line.

Demand that anyone using that excuse have all of their private data collected and stored as well, and if the collected data is ever used in a way that violates the ‘policies’ against misuse, or if someone hacks in and gets the data, then the private data, all of it, of the one making that excuse is made public.

It’s easy to defend indiscriminate data collection when your personal data isn’t on the line, but I imagine if it were there would be a lot less people doing so.

That Anonymous Coward (profile) says:

It’s like a simulation of what happened with the Patriot Act.

Is anyone shocked to see someone from DHS decide that the best course of action is to secretly spy on those they have power over and sharing that data with an outside 3rd party? Deny it is happening, find some “legal” way to justify it, say you are stopping and double down.

So who is going to use the Public Records Act request to start digging into what Big Sis has been up to and look for the secret list of people they needed to monitor more?

Anonymous Coward says:

Just the tip of the iceberg

I believe that the ever more pervasive spying is only going to get worse. First the government did it, now private parties will do it. I am a firm believer in the idea that just because you can do something doesn’t mean you should. Wholesale spying at all levels will not make for a better society, only a paranoid, secretive one.

tqk (profile) says:

Re: Just the tip of the iceberg

I am a firm [believer] in the idea that just because you can do something doesn’t mean you should.

I’ve been telling people for decades to get their own net connection and not simply mooch it off their employer. There are far too many ways for that to blow up in your face, and rightly so. Employers have both the right and the duty to protect their network. Our privacy and security, not so much.

Rich Kulawiec (profile) says:

You're doing it wrong

Put aside for a moment the horribly unethical conduct of the personnel involved in sabotaging the privacy of faculty, staff, and students. Let’s just think about this from a security standpoint.

The university has — quite effectively — compromised itself. There’s really no need for an attacker to go through all the trouble and tedium of setting up comprehensive surveillance of university systems/networks: it’s already been done for them, for free.

All they have to do is tap into the goodies, either on the campus or at the vendor. (The latter’s probably easier, since they’re outsiders with no professional association. A suitable bribe would probably suffice. Why not? Who would know?)

I’ve done IT work, including security, at several major universities over the past few decades. This is one of the most appallingly stupid things I’ve ever seen a campus do to itself, and there’s a lot of competition for that dubious honor.

Anonymous Coward says:

Re: You're doing it wrong

…This is one of the most appallingly stupid things I’ve ever seen a campus do to itself, and there’s a lot of competition for that dubious honor…

How many universities have a president or other senior officer who used to work for the US government? Any correlation between that and the stupidity? Or am I just seeing a big coincidence?

Anonymous Coward says:

Great article on an important topic, however:

“It’s perfectly acceptable for entities to monitor employees’ use of communications equipment.” As university faculty myself, I point out that the expectations of freedom in access to information (and attendant freedom from unreasonable or potentially coercive monitoring of this access) are considerably higher at an academic institution than in a private business, as both of these are prized cornerstones of university culture.

@b says:

Re: perfectly acceptable??

>it’s normally clearly stated in policy manuals, rather than installed surreptitiously and cloaked in deep secrecy

No, it really isn’t that way at all. How naive.

You can go read this professor’s book
http://www.abc.net.au/radionational/programs/latenightlive/algorithms-gone-wild/7136948

Frank Pasquale
Professor of Law
University of Maryland

The Black Box Society:
The Secret Algorithms That Control Money and Information

sorrykb (profile) says:

What still hasn’t been made clear is the exact scope of the surveillance. It seems apparent that faculty and staff are included, but what about students or student organizations? What about patients at the medical centers? What about library searches or loans? (Keep in mind that UC libraries are used not just by the campus community but also by the general public.)

And then they’re sending all this data… to an outside vendor. Aside from the obvious security risk, will an outside vendor be bound by the same legal restrictions on sharing private information as a state university? Would a private vendor fight a subpoena for, say, someone’s library records as strongly as a university would?

No wonder President Napolitano’s office was so eager to keep this secret.

Arthur Moore (profile) says:

Re: Legality?

The big question is if this is even legal.
Sure it might be for a private institution, but it’s been found by multiple courts that public schools have the same restrictions as the government does. I mean, these universities get their own sanctioned police force for crying out loud. That means they’re bound by the U.S. Constitution.

It’ll be interesting to see if there is a lawsuit. I can just see campus lawyers cringing. Especially given the likelihood that FERPA was violated.

Coyne Tibbets (profile) says:

Privacy perishes in the absence of security.

There is security that keeps my information private: encryption, access limits, and legal warrants.

There is security in the “national security” sense, which means exactly the opposite.

The phrase, “…privacy perishes in the absence of security,” conflates these. When this is used, the correct thing is to ask, “I need clarification: when you say ‘security,’ did you mean ‘eliminating my encryption, ignoring my access protections and disdaining my legal rights’?”

Anonymous Coward says:

Re: Privacy perishes in the absence of security.

If security perishes in the absence of secrecy, you have to wonder if she doesn’t shoot her own point down even more fundamentally: Surveillance is not security. It can be a means, but never the ends!

If privacy perishes in the absence of security, that crucial distinction has apparently been lost on her.

Anonymous Coward says:

Re: Re: Privacy perishes in the absence of security.

Actually, Surveillance is not even a means — surveillance is generally reactive, and is used in forensics to figure out what happened and help craft future-looking security policies. Surveillance by itself only decreases security.

Sure, there are exceptions, but it’s always a tradeoff, and the balance always falls on the “decrease” side.

Anonymous Coward says:

Re: Re: Re: Privacy perishes in the absence of security.

Surveillance is certainly reactive in nature and a brainstorming tool for future ideas.

Surveillance on its own decreases security, but then we are back to ignoring the potential benefits, like the tech-race (It improves security to prevent surveillance), the scientific effects (Surveillance is making data-comparison easier and therefore increases the chance of finding tendencies and therefore provides an opportunity for rulers to act on these tendencies before they become apparent in other ways) and the notion should be that surveillance is temporary and targeted to avoid haystack problems and permanent reliance on it, which most surveillance nutters haven’t understood.

Because of that the balance is always on the “decrease” side in the short term. In the long term, surveillance can be an “increase”-tool if used with caution and care.

tqk (profile) says:

Re: Re: Napolitano, what did anyone expect?

But apparently she is above the law along with every other government employee.

I’ve been trying to understand this phenomenon too. Experts say it’s unlikely Hillary Clinton will be charged with anything because they believe she thought she wasn’t breaking any law.

Why didn’t that excuse work for Aaron Swartz? He didn’t believe he was doing anything wrong either.

Suomynona (user link) says:

Really?

“and has enough local storage to save over 30 days of *all* (“full packet capture”).”

Sounds like a challenge to me. Find the largest (or the most appropriate) file available on the campus and start running wget/curl against it. Ever hear of “while (true)” loops?

On every system. All of the time. Oh, so the school systems are managed? I’m sure someone or two in the dorm has their own personal system.

And make sure it’s NOT HTTPS so they can more easily read the file, especially if an old piece of trash is being fetched, say the Constitution.

Why are we importing terrorism? We’ve already got our own. (We have met the enemy, and he is us.)

Anonymous Coward says:

Maybe prospective students should read their contracts,

and to take it a step further, perhaps students should review which schools have sued their own students over Intellectual Property rights over the years.

Branding is pretty much the same in education as in commercial services. The bigger the brand the more sordid the history. The only reason they have as much market share as they do, is because most consumers don’t do their research. Advertising isn’t about reputations, it is about HIDING reputations.

FM Hilton (profile) says:

Who's running the show?

I have no idea why anyone would hire a former DHS head and not expect this kind of invasion of privacy.

After all, DHS is all in favor of US citizens not having any, and they’ve gone to great lengths to prove it.

Their motto is “See something? Say something.” Spying on one another is the true test of citizenship.

That includes universities and their employees.

Agent76 says:

Spying's purpose

January 9, 2014 500 Years of History Shows that Mass Spying Is Always Aimed at Crushing Dissent

*It’s Never to Protect Us From Bad Guys*

No matter which government conducts mass surveillance, they also do it to crush dissent, and then give a false rationale for why they’re doing it.

http://www.washingtonsblog.com/2014/01/government-spying-citizens-always-focuses-crushing-dissent-keeping-us-safe.html
