Former DHS Boss Puts University Of California Employees Under Secret Surveillance

from the you-didn't-see-anything-so-you'd-better-not-say-anything dept

Former DHS boss Janet Napolitano -- who once stated she "doesn't use email" (for many reasons, but mainly to dodge accountability) -- is now showing her underlings at the University of California why they, too, might not want to "use email": someone might be reading them over their shoulders.

UC professor Christopher Newfield has the inside details of the recently-exposed monitoring system secretly deployed by the University of California (and approved by school president Napolitano) to keep tabs on the communications, web surfing and file routing of its employees. The SF Chronicle has an article on the secretly-installed spyware behind its paysieve [try this link], but Newfield has the internal communications.

The installation of the third-party monitoring software was so secretive that even the university's campus information technology committee was forbidden from discussing it with other staff. The committee has now decided to go public.

UCOP would like these facts to remain secret. However, the tenured faculty on the JCCIT are in agreement that continued silence on our part would make us complicit in what we view as a serious violation of shared governance and a serious threat to the academic freedoms that the Berkeley campus has long cherished.

Some salient facts:

- The UCOP had this hardware installed last summer.

- They did so over the objections of our campus IT and security experts.

- For many months UCOP required that our IT staff keep these facts secret from faculty and others on the Berkeley campus.

- The intrusive hardware is not under the control of local IT staff--it sends data on network activity to UCOP and to the vendor. Of what these data consists we do not know.

- The intrusive device is capable of capturing and analyzing all network traffic to and from the Berkeley campus, and has enough local storage to save over 30 days of *all* this data ("full packet capture"). This can be presumed to include your email, all the websites you visit, all the data you receive from off campus or data you send off campus.

The official excuse for the installation of intrusive spyware is "advanced persistent threats" possibly related to a cyberattack on the UCLA Medical Center last summer. How monitoring staff emails plays into the thwarting of "threats" hasn't been explained. Now that the secret's out, the university is claiming it's all good because policies prevent the university from using any intercepted information/communications for "nonsecurity purposes."

The university may have a policy forbidding this activity, but that's not really the same thing as guaranteeing abuse of this surveillance will never happen. Its belated not-an-apology offers no contrition for keeping this a secret from a majority of its staff. And the statement does not name the third party in charge of the collection and monitoring.

While it certainly isn't unusual for employers to monitor employees' use of company computers and devices, it's normally clearly stated in policy manuals, rather than installed surreptitiously and cloaked in deep secrecy.

As Newfield points out, no one was apprised of the monitoring until after it was underway. Some heard a few weeks after the monitoring was put in place (August of last year) when the university updated its security policies following the medical center breach. Many more heard nothing until the first week of December. Following the wider exposure, staffers were assured by the school's vice president that the monitoring would cease and the software would be removed.

The VP said one thing and the school did another.

On Jan. 12, 2016, The Berkeley Joint Committee on Campus Information Technology (JCCIT) met with Larry Conrad and others. The committee was informed that contrary to the Dec. 21, 2015 statements, UCOP had decided to continue the outside monitoring and not disclose any aspects of it to students or faculty.

At this point, the decision was made to go public. A letter was drafted and sent to school administration. It was also sent to the New York Times. This prompted the generation of bullshit from the Executive VP's office.

On Jan. 19, 2016, UCOP Exec. VP and COO Rachael Nava sent a letter to those who signed the Jan. 15, 2016 letter. The original version was marked "CONFIDENTIAL: DO NOT DISTRIBUTE" and invoked "Attorney-Client privilege". After several recipients responded to her via email questioning who is the client and why her letter must be kept secret, a revised version of the letter was sent the next day removing that language, stating: "All: Please accept my apologies with regard to the confusion on the attorney client privilege language on the letter. It was a clerical error and was not intentional. Please find a revised version of the letter with the language removed."

The full letter contains some truly incredible statements.

With respect to privacy, the letter and structure of the University’s Electronic Communications Policy (ECP) reflect the principle that privacy perishes in the absence of security. While the ECP establishes an expectation of privacy in an individual’s electronic communications transmitted using University systems, it tempers this expectation with the recognition that privacy requires a reasonable level of security to protect sensitive data from unauthorized access.

Privacy does not "perish" in the absence of security. This conflation of the two is ridiculous. If a malicious party accesses private communications, that's a security issue. If an employer accesses these communications, that's a privacy issue. Claiming to value privacy while secretly installing monitoring software (and then lying about removing said software) only serves to show the university cares for neither. By adding a third party to the monitoring process, the university has diminished the privacy protections of its staff and added an attack vector for "advanced persistent threats." It has effectively harmed both privacy and security and, yet, still hopes to claim it was necessary to sacrifice one for the other.

The other statement, tucked away as a footnote, absurdly and obnoxiously claims the real threat to privacy isn't the school, but people making public records requests.

Public Records Act requesters may seek far more intrusive access to the content of faculty or staff records than what the ECP permits for network security monitoring. The limits on the University’s own access to electronic communications under the ECP do not apply to Public Records Act requests.

Meanwhile, the school's tech committee has pointed out its IT staff is more than capable of handling the privacy and security of the network and, quite obviously, would show more respect for their colleagues' privacy while handling both ends of the privacy/security equation.

It's perfectly acceptable for entities to monitor employees' use of communications equipment. But you can't do it this way. You can't install the software secretly, swear certain employees to secrecy, not tell anyone else until the secret is out in the open, promise to roll it back and then secretly decide to do the opposite, etc. And when challenged, you can't play fast and loose with "security" and "privacy" as if they were both the same word spelled two different ways.

[Update: a TD reader has given us a copy of Janet Napolitano's response to the outcry over the school's secret surveillance efforts. A new post on that letter is on the way. If you'd like a head start, it's embedded below.]


Reader Comments

  1.
    That One Guy, Feb 3rd, 2016 @ 9:57am

    Put your money, medical data and emails where your mouth is

    Now that the secret's out, the university is claiming it's all good because policies prevent the university from using any intercepted information/communications for "nonsecurity purposes."

    Given this seems to be a pretty common defense of indiscriminate spying, sometimes private, usually governmental, I think it would be only fair for those making the claim to show how much they believe what they're saying, by putting their own private data on the line.

    Demand that anyone using that excuse have all of their private data collected and stored as well, and if the collected data is ever used in a way that violates the 'policies' against misuse, or if someone hacks in and gets the data, then the private data, all of it, of the one making that excuse is made public.

    It's easy to defend indiscriminate data collection when your personal data isn't on the line, but I imagine if it were there would be a lot less people doing so.

  2.
    That Anonymous Coward, Feb 3rd, 2016 @ 11:55am

    It's like a simulation of what happened with the Patriot Act.

    Is anyone shocked to see someone from DHS decide that the best course of action is to secretly spy on those they have power over and sharing that data with an outside 3rd party? Deny it is happening, find some "legal" way to justify it, say you are stopping and double down.

    So who is going to use the Public Records Act request to start digging into what Big Sis has been up to and look for the secret list of people they needed to monitor more?

  3.
    Anonymous Coward, Feb 3rd, 2016 @ 11:59am

    Just the tip of the iceberg

    I believe that the ever more pervasive spying is only going to get worse. First the government did it, now private parties will do it. I am a firm believer in the idea that just because you can do something doesn't mean you should. Wholesale spying at all levels will not make for a better society, only a paranoid, secretive one.

  4.
    Rich Kulawiec, Feb 3rd, 2016 @ 12:05pm

    You're doing it wrong

    Put aside for a moment the horribly unethical conduct of the personnel involved in sabotaging the privacy of faculty, staff, and students. Let's just think about this from a security standpoint.

    The university has -- quite effectively -- compromised itself. There's really no need for an attacker to go through all the trouble and tedium of setting up comprehensive surveillance of university systems/networks: it's already been done for them, for free.

    All they have to do is tap into the goodies, either on the campus or at the vendor. (The latter's probably easier, since they're outsiders with no professional association. A suitable bribe would probably suffice. Why not? Who would know?)

    I've done IT work, including security, at several major universities over the past few decades. This is one of the most appallingly stupid things I've ever seen a campus do to itself, and there's a lot of competition for that dubious honor.

  5.
    Anonymous Coward, Feb 3rd, 2016 @ 12:07pm

    Great article on an important topic, however:

    "It's perfectly acceptable for entities to monitor employees' use of communications equipment." As university faculty myself, I point out that the expectations of freedom in access to information (and attendant freedom from unreasonable or potentially coercive monitoring of this access) are considerably higher at an academic institution than in a private business, as both of these are prized cornerstones of university culture.

  6.
    Just Another Anonymous Troll, Feb 3rd, 2016 @ 12:11pm

    The official excuse for the installation of intrusive spyware is "advanced persistent threats"

    Does anyone else see the irony here?

  7.
    sorrykb, Feb 3rd, 2016 @ 12:26pm

    What still hasn't been made clear is the exact scope of the surveillance. It seems apparent that faculty and staff are included, but what about students or student organizations? What about patients at the medical centers? What about library searches or loans? (Keep in mind that UC libraries are used not just by the campus community but also by the general public.)

    And then they're sending all this data... to an outside vendor. Aside from the obvious security risk, will an outside vendor be bound by the same legal restrictions on sharing private information as a state university? Would a private vendor fight a subpoena for, say, someone's library records as strongly as a university would?

    No wonder President Napolitano's office was so eager to keep this secret.

  8.
    Anonymous Coward, Feb 3rd, 2016 @ 12:32pm

    Re: You're doing it wrong

    ...This is one of the most appallingly stupid things I've ever seen a campus do to itself, and there's a lot of competition for that dubious honor...

    How many universities have a president or other senior officer who used to work for the US government? Any correlation between that and the stupidity? Or am I just seeing a big coincidence?

  9.
    Anonymous Coward, Feb 3rd, 2016 @ 12:36pm

    Networks are hostile

    I assume any network I don't control is doing this type of surveillance. Does anyone actually have an expectation of privacy in their workplace?

  10.
    Anonymous Coward, Feb 3rd, 2016 @ 12:37pm

    It isn't just email

    The monitoring is for ALL data packets on the network, and there is storage for 30 days worth of such data at any given time.

  11.
    Arthur Moore, Feb 3rd, 2016 @ 12:52pm

    Legality?

    The big question is if this is even legal.
    Sure it might be for a private institution, but it's been found by multiple courts that public schools have the same restrictions as the government does. I mean, these universities get their own sanctioned police force for crying out loud. That means they're bound by the U.S. Constitution.

    It'll be interesting to see if there is a lawsuit. I can just see campus lawyers cringing. Especially given the likelihood that FERPA was violated.

  12.
    Coyne Tibbets, Feb 3rd, 2016 @ 1:00pm

    Privacy perishes in the absence of security.

    There is security that keeps my information private: encryption, access limits, and legal warrants.

    There is security in the "national security" sense, which means exactly the opposite.

    The phrase, "...privacy perishes in the absence of security," conflates these. When this is used, the correct thing is to ask, "I need clarification: when you say 'security,' did you mean 'eliminating my encryption, ignoring my access protections and disdaining my legal rights'?"

  13.
    Mulder, Feb 3rd, 2016 @ 1:22pm

    Re: Re: You're doing it wrong

    Sounds all X-Filey

  14.
    Anonymous Coward, Feb 3rd, 2016 @ 1:39pm

    I spent most of the last twenty years working and studying at assorted universities. I love the academic environment, and I'd still be there if my health hadn't failed.

    However: in all of that time, every senior university administrator that I encountered was absolute scum, and the more senior they were the worse it got.

  15.
    Anonymous Coward, Feb 3rd, 2016 @ 1:39pm

    Re: Legality?

    It's always legal until someone takes them to court and a Judge or Jury says otherwise.

  16.
    Anonymous Coward, Feb 3rd, 2016 @ 1:46pm

    Re: Privacy perishes in the absence of security.

    If security perishes in the absence of secrecy, you have to wonder if she doesn't shoot her own point down even more fundamentally: Surveillance is not security. It can be a means, but never the ends!

    If privacy perishes in the absence of security, that crucial distinction has apparently been lost on her.

  17.
    John, Feb 3rd, 2016 @ 1:56pm

    But...the IT staff

    If the data wasn't sent to the IT staff responsible for the network, how can they do their job of protecting the network from threats? Was the vendor analysing the data?

  18.
    Anonymous Coward, Feb 3rd, 2016 @ 2:38pm

    Re:

    Irony?

    They needed to set up an advanced persistent threat, and did so. Now all that any outsider has to do to gain survey intel needed for a targeted attack is to infiltrate the vendor and sift through the already-captured data.

    That pretty much sums up what APTs are for.

  19.
    Anonymous Coward, Feb 3rd, 2016 @ 2:44pm

    Re: Re: Privacy perishes in the absence of security.

    Actually, Surveillance is not even a means -- surveillance is generally reactive, and is used in forensics to figure out what happened and help craft future-looking security policies. Surveillance by itself only decreases security.

    Sure, there are exceptions, but it's always a tradeoff, and the balance always falls on the "decrease" side.

  20.
    Anonymous Coward, Feb 3rd, 2016 @ 2:46pm

    Re: But...the IT staff

    My first thought was... "Was the vendor working for the university, or for the FBI/NSA/Homeland Security?"

    Given some of the APT alerts I've seen coming out of the FBI, it seems that they might possibly have at least had access to this data....

  21.
    Whoever, Feb 3rd, 2016 @ 3:29pm

    Napolitano, what did anyone expect?

    What did anyone expect from this woman? She was Secretary of Homeland Security. She must have presided over the spying on millions of Americans.

  22.
    @b, Feb 3rd, 2016 @ 8:06pm

    Re: perfectly acceptable??

    >>it's normally clearly stated in policy manuals, rather than installed surreptitiously and cloaked in deep secrecy

    No, it really isn't that way at all. How naive.

    You can go read this professor's book
    http://www.abc.net.au/radionational/programs/latenightlive/algorithms-gone-wild/7136948

    Frank Pasquale
    Professor of Law
    University of Maryland

    The Black Box Society:
    The Secret Algorithms That Control Money and Information

  23.
    Anonymous Coward, Feb 3rd, 2016 @ 8:07pm

    Re: Re: perfectly acceptable??

    Obscurity is not security.

  24.
    Suomynona, Feb 3rd, 2016 @ 11:14pm

    Really?

    "and has enough local storage to save over 30 days of *all* ("full packet capture")."

    Sounds like a challenge to me. Find the largest (or the most appropriate) file available on the campus and start running wget/curl against it. Ever hear of "while (true)" loops?

    On every system. All of the time. Oh, so the school systems are managed? I'm sure someone or two in the dorm has their own personal system.

    And make sure it's NOT HTTPS so they can more easily read the file, especially if an old piece of trash is being fetched, say the Constitution.

    Why are we importing terrorism? We've already got our own. (We have met the enemy, and he is us.)

  25.
    Anonymous Coward, Feb 4th, 2016 @ 1:47am

    Re: Re: Re: Privacy perishes in the absence of security.

    Surveillance is certainly reactive in nature and a brainstorming tool for future ideas.

    Surveillance on its own decreases security, but then we are back to ignoring the potential benefits, like the tech-race (It improves security to prevent surveillance), the scientific effects (Surveillance is making data-comparison easier and therefore increases the chance of finding tendencies and therefore provides an opportunity for rulers to act on these tendencies before they become apparent in other ways) and the notion should be that surveillance is temporary and targeted to avoid haystack problems and permanent reliance on it, which most surveillance nutters haven't understood.

    Because of that the balance is always on the "decrease" side in the short term. In the long term, surveillance can be an "increase"-tool if used with caution and care.

  26.
    Anonymous Coward, Feb 4th, 2016 @ 5:33am

    spying on her new underlings so she can blackmail them. That seems pretty standard for Janet's way of doing business.

  27.
    Anonymous Coward, Feb 4th, 2016 @ 5:39am

    Re: Re: Legality?

    Even then that does not always stop them from repeating it

  28.
    Anonymous Coward, Feb 4th, 2016 @ 5:42am

    Re: Napolitano, what did anyone expect?

    I would have hoped she would be charged with breaking the laws regarding illegal spying against American citizens.

    But apparently she is above the law along with every other government employee.

  29.
    Anonymous Coward, Feb 4th, 2016 @ 6:44am

    Maybe prospective students should read their contracts,

    and to take it a step further, perhaps students should review which schools have sued their own students over Intellectual Property rights over the years.

    Branding is pretty much the same in education as in commercial services. The bigger the brand the more sordid the history. The only reason they have as much market share as they do, is because most consumers don't do their research. Advertising isn't about reputations, it is about HIDING reputations.

  30.
    JonC, Feb 4th, 2016 @ 7:17am

    Executive leaders who are unwilling to, or incapable of, ensuring BOTH privacy and security are either unwilling to do their job, or incapable of doing it. Regardless of which, they need to be removed and replaced with a competent individual with the right outlook and priorities.

  31.
    Anonymous Coward, Feb 4th, 2016 @ 9:09am

    When you are as dumb as a hammer ...

    everything is a nail.

  32.
    FM Hilton, Feb 4th, 2016 @ 9:43am

    Who's running the show?

    I have no idea why anyone would hire a former DHS head and not expect this kind of invasion of privacy.

    After all, DHS is all in favor of US citizens not having any, and they've gone to great lengths to prove it.

    Their motto is "See something? Say something." Spying on one another is the true test of citizenship.

    That includes universities and their employees.

  33.
    tqk, Feb 4th, 2016 @ 11:30am

    Re: Just the tip of the iceberg

    I am a firm [believer] in the idea that just because you can do something doesn't mean you should.

    I've been telling people for decades to get their own net connection and not simply mooch it off their employer. There are far too many ways for that to blow up in your face, and rightly so. Employers have both the right and the duty to protect their network. Our privacy and security, not so much.

  34.
    tqk, Feb 4th, 2016 @ 11:37am

    Re: Re: You're doing it wrong

    How many universities have a president or other senior officer who used to work for the US government?

    There was a lot of silly stuff that came out of those hippies in Berkeley back in the sixties. Seeing this level of fascist dumbth come out of there too is pretty surprising. That pendulum sure has swung.

  35.
    tqk, Feb 4th, 2016 @ 11:40am

    Re: Re: Re: perfectly acceptable??

    Obscurity is not security.

    It can be, but it's usually not very good at it.

  36.
    tqk, Feb 4th, 2016 @ 12:01pm

    Re: Re: But...the IT staff

    Was the vendor working for the university, or for the FBI/NSA/Homeland Security?

    The CIA's been known for a long time for owning front companies and hiding that ownership from everyone. This wouldn't be the first time. This is a pretty sleazy way to make an end run around the Constitution.

  37.
    tqk, Feb 4th, 2016 @ 12:07pm

    Re: Re: Napolitano, what did anyone expect?

    But apparently she is above the law along with every other government employee.

    I've been trying to understand this phenomenon too. Experts say it's unlikely Hillary Clinton will be charged with anything because they believe she thought she wasn't breaking any law.

    Why didn't that excuse work for Aaron Swartz? He didn't believe he was doing anything wrong either.

  38.
    Agent76, Feb 5th, 2016 @ 5:57am

    Spying's purpose

    January 9, 2014 500 Years of History Shows that Mass Spying Is Always Aimed at Crushing Dissent

    *It’s Never to Protect Us From Bad Guys*

    No matter which government conducts mass surveillance, they also do it to crush dissent, and then give a false rationale for why they’re doing it.

    http://www.washingtonsblog.com/2014/01/government-spying-citizens-always-focuses-crushing-dissent-keeping-us-safe.html

  39.
    Anonymous Coward, Mar 5th, 2016 @ 2:03am

    It's perfectly acceptable for entities to monitor employees' use of communications equipment.

    Then all of this data/info should be handed over to the students
