“Secret monitoring is ongoing.”
Those ominous words captured the attention of many faculty members at the University of California, Berkeley's College of Natural Resources when they received an email message from a colleague telling them that a new system to monitor computer networks had been secretly installed on all University of California campuses months ago, without letting any but a few people know about it.
“The intrusive device is capable of capturing and analyzing all network traffic to and from the Berkeley campus, and has enough local storage to save over 30 days of *all* this data ('full packet capture'). This can be presumed to include your email, all the websites you visit, all the data you receive from off campus or data you send off campus,” said the email from Ethan Ligon, associate professor of agricultural and resource economics. He is one of six members of the Academic Senate-Administration Joint Committee on Campus Information Technology.
Ligon went on to say that UC system officials asked the members of the committee to keep this information to themselves. But, Ligon added, he and other tenured faculty members decided that “continued silence on our part would make us complicit in what we view as a serious violation of shared governance and a serious threat to the academic freedoms that the Berkeley campus has long cherished”.
The professor provided a copy of his email to Inside Higher Ed after The San Francisco Chronicle reported on the controversy over the new monitoring.
The university system is defending the new monitoring as necessary, and says that it is not routinely reviewing anyone's email. While some faculty leaders may yet be convinced about the need for the system, many are speaking out against the secretive way that it was deployed without going through standard faculty committees that in the past have had the chance to be briefed on technology security measures.
Rachael Nava, executive vice-president of the UC system, sent a letter to faculty leaders in January after some expressed concern about the new monitoring system.
Her letter does not provide many details on the new security system, but said that the changes were prompted by “a serious cyber attack” against the University of California, Los Angeles that involved the records of up to 4.5 million patients who used UCLA medical systems. After UCLA informed those patients, 17 lawsuits – all still pending – were filed against the university, Nava's letter said. She said that those lawsuits limited what the university could say about security at UCLA and elsewhere in the system.
But Nava noted that “a recent report from Verizon described educational institutions as experiencing ‘near-pervasive infections across the majority of underlying organizations’, and observed that educational institutions have, on average, more than twice the number of malware attacks than the financial and retail sectors combined”.
The letter went on to say that the university is working to improve computer security, is collaborating with faculty committees on how to do so and respects faculty members' privacy, but the vulnerability of university networks to cyberattacks is itself a danger to privacy. "Privacy perishes in the absence of security," she wrote.
The university's Electronic Communications Policy says that while it “establishes an expectation of privacy in an individual’s electronic communications transmitted using university systems, it tempers this expectation with the recognition that privacy requires a reasonable level of security to protect sensitive data from unauthorized access. For this reason, the ECP expressly permits routine analysis of network activity ‘for the purpose of ensuring reliability and security of university electronic communications resources and services.’”
Further, Nava said that there are numerous protocols in place to protect privacy rights, and that the university is not in fact checking on the email messages sent by professors. The letter said that the university leaders welcome more discussions with faculty members about these issues.
Ligon said that there were several problems with Nava's response. He said that individual UC campuses such as Berkeley already have computer security policies and that they work well. He also said those policies call for transparency, and that by definition UC's actions – installing this new system without telling anyone – demonstrated a lack of transparency. He said that by telling faculty members that they couldn't share information, as he was told, the system office violated Berkeley's policies, and likely those of other campuses.
Benjamin E. Hermalin, the Thomas and Alison Schneider distinguished professor of finance at Berkeley, and chair of the Academic Senate there, stressing that he is not an expert on computer security, said that he didn't know enough to say whether the new system was needed. But he said that, to date, he hasn't been given a reason to believe the new system is necessary.
Hermalin said that the issue he is concerned about now is the lack of faculty consultation as a new system for monitoring them was imposed.
"There are a spectrum of views [among professors] on the trade-off between monitoring security and privacy," he said. "But most faculty understand the need for security."
As a public institution, Berkeley already tells faculty members that much of their electronic communication is subject to open-records requests, so professors know their email isn't strictly secret. But he said that these rules “are understood” and are reviewed by faculty committees and communicated to new faculty members.
Universities, he said, “are set up on principles of consultation and openness”, but this new system was put in place “at odds with these norms”.
Hermalin said that he did not know about the new system until a few faculty members came to him in December and said that they had learned about it. He has, since then, been trying to learn more. He said that he has yet to find answers to key questions. “What is being collected has never been clear,” he said. “And how it will be gotten rid of” when no longer needed is also unclear. These are big questions, he said, that would normally be discussed through the faculty governance process.
Tracy Mitrano, academic dean of the University of Massachusetts’ Cybersecurity Certificate Programs, said the goals of the new security system "may be perfectly legitimate", but there are many "unanswered questions". She advocated for the release of the contracts or other documents that would provide details on the new system.
She also said it was "unfortunate" that UC did not inform everyone of the new measures as they were taking place, because "more than ever we need to educate our campus community about information security". She said if the secrecy was to "not let the enemy know" (as in those who attack computer networks), that was "rather naive".
And if the secrecy was "because it was a broad systemwide effort and the UC system wanted to get its arms around the issues before they went public, I might imagine a very short-term embargo to get all the facts straight but nothing that should last beyond that very short term".
Steve Montiel, press secretary for the UC Office of the President, asked about the issue of faculty consultation, said via email: "There is and has been ongoing faculty and campus consultation regarding steps taken to counter cyberthreats to locations across the UC system. Faculty voices have been included on the committee that's guiding our cybersecurity strategy."
As to the secrecy, Montiel added: "We try our best to avoid broadcasting sensitive security and legal matters. It's good common sense, and we want to avoid giving a road map for potential attacks on our network. UC policies are very clear that network security is a basic feature. Now that steps are under way to expand network security efforts for a longer horizon, briefings were scheduled, including one planned at UC Berkeley for the middle of next week."