If you work at a large university, use Gmail or shop on Amazon, chances are you are being subjected to the same type of online monitoring as faculty members at the University of California, cybersecurity experts say.
Faculty members in the UC system have been up in arms since Ethan Ligon, associate professor of agricultural and resource economics at the Berkeley campus, last month revealed that the university system in August installed network-monitoring hardware and told IT staffers to keep it a secret.
The network-monitoring program, Ligon wrote, can log all the traffic coming and going on the university’s network and store it for 30 days. “This can be presumed to include your email, all the websites you visit, all the data you receive from off campus or data you send off campus,” he added.
Since then, as faculty members have needled the UC system Office of the President for what they say is a lack of transparency, new details about cybersecurity measures have emerged.
In a conference call Wednesday afternoon, UC system information officers Tom Andriola and David Rusting assured campus IT leaders that the Office of the President can’t trace any of the data collected by the network-monitoring program back to an individual faculty member. They said the program only collects metadata, pieces of information that explain the what, when and where of network traffic -- not the content. If a hacker gained access to a university email account, the metadata could reveal where the hacker was located, for example.
In light of those details, cybersecurity experts said the security measures at the UC system are no more restrictive than those seen elsewhere on the Internet. The university's lack of communication, however, is drawing criticism from privacy advocates.
“Most universities collect metadata about communications within their networks and about interactions with their digital platforms,” Elana J. Zeide, a privacy research fellow at the New York University Information Law Institute, said in an email. Moreover, she added, “Most commercial platforms like Gmail and retail sites collect similar information about users’ communication and click patterns.”
In an email, Ligon said he disagreed with the comparison. The issue is not the act of collecting information about users, he wrote, but what that information can be used for.
“It’s a tool, which can be put to good ends or bad ends,” he wrote. “It happens to be quite a powerful tool for monitoring data, so it could be put to very bad ends. Whether the ends are good or bad depends entirely on the policy (e.g., things that are searched and stored) implemented on the device. And here's the central point: that policy is not under the control of Berkeley IT staff.”
Exactly how widespread metadata collection is in higher education is not clear. Fidelis Cybersecurity, which the UC system has hired to run the monitoring program, declined to comment for this article or say how many universities it works with. FireEye, a network security company whose customers include Pennsylvania State University (another target of sophisticated cyberattacks), also declined to comment.
Donald J. Welch, chief information security officer at the University of Michigan at Ann Arbor, said he believes metadata collection is not an unusual way for a university to monitor its network. He called it a “prudent step” for the UC system, which estimates the personal information of 4.5 million people was compromised after a 2015 cyberattack that targeted the UCLA Health System.
“You’ll find more and more universities are doing this,” Welch said in an interview.
Metadata collection is not without controversy, however. After National Security Agency leaker Edward Snowden in 2013 exposed the U.S. government’s surveillance efforts, privacy activists have argued metadata can be used to build profiles about users’ online habits.
Zeide said the UC system will use the network monitoring program for a somewhat similar purpose, using the data collected to discover patterns that hint at security risks.
“In implementing this policy, UC is being proactive about trying to protect sensitive data from hackers, but may end up undermining the traditional intellectual privacy and academic freedom afforded higher education institutions,” Zeide wrote. “This surveillance may ultimately have negative effects by chilling free expression and intellectual experimentation.”
The fact that the UC system kept the monitoring secret may exacerbate that chilling effect, but it is also an example of how matters of cybersecurity force universities to make decisions about how to balance confidentiality and transparency. If a university publicly details how it protects its network from cyberattacks, hackers might alter their strategies to avoid the security measures, for example. Colleges therefore carefully choreograph their media strategies following an attack, sometimes withholding information about a data breach for months to ensure the threat has been contained and measures to prevent future attacks have been put in place.
Shutting the public out of that process is one thing; shutting out faculty members is another, said Chris Conley, a technology and civil liberties policy attorney with the American Civil Liberties Union of Northern California.
“It means it’s not a partnership with the people who are affected,” Conley said in an interview. “There are needs for network security, but there has to be a discussion about how to do that in ways that protect speech as well. … We have always advocated for having this conversation at the planning stage.”
University IT staffers are also usually loath to comment on or criticize another university’s handling of a cyberattack. One university information security officer, for example, called situation at the UC system a “highly charged issue.”
Welch, who declined to criticize the system’s response to the UCLA cyberattack, said that universities in general can “tailor” their network security measures by maintaining an open dialogue with the faculty. Because of the severity of the UCLA hack, the UC system may have “short-circuited” that process by not telling faculty members about the metadata collection program, Welch said.
“Faculty are smart. They want to be involved. They have a say in the governance of the institution. Making sure that their voices are heard is important with any decision that you make,” Welch said. “In [the UC system’s] defense, I would say that they were reacting to an attack, and so they might not have taken those communication steps that they would have liked to.”
Andriola, Academic Senate Vice Chair James A. Chalfant, UC Santa Cruz chief campus counsel Michael A. Troncoso and others plan to meet at Berkeley on Tuesday to further discuss the network monitoring program. Andriola declined to comment for this article.