Privacy, Data Security, and Governance in the University of California

BY HENRY REICHMAN

Over the weekend Phil Matier and Andrew Ross of the San Francisco Chronicle broke a story [behind a paywall] that revealed growing concerns among UC Berkeley faculty about a previously secret decision by University of California President Janet Napolitano, former Secretary of Homeland Security, to install new computer hardware capable of monitoring computer activity, including all e-mails going in and out of the UC system. This morning Scott Jaschik published a longer and informative account of the controversy on insidehighered.com.  And UC Santa Barbara professor Chris Newfield has posted the texts of two faculty emails about the subject on his Remaking the University blog.  Newfield has also added to that post the full text of a long January 19 letter to concerned faculty from UC Executive Vice President-Chief Operating Officer Rachael Nava, which the university released publicly yesterday.  That letter had previously been labeled confidential owing to attorney-client privilege.

Here, briefly, is what’s happened:  Some time in June, university officials learned of “a serious cyber attack” against the University of California at Los Angeles Medical Center that involved the records of up to 4.5 million patients who used UCLA medical systems. After UCLA informed those patients, 17 lawsuits were filed against the university.  In August, at Napolitano’s order, the system hired an outside vendor to operate network monitoring equipment at all campuses.  Only after this monitoring began, on August 27, did the system issue a new cybersecurity policy under the heading of “Coordinated Monitoring Threat Response.” The policy describes how the system administration would initiate “Coordinated Monitoring” of campus networks.

At Berkeley this information soon became known to members of the Senate-Administration Joint Committee on Campus Information Technology (JCCIT), who were instructed not to reveal the information publicly.  However, the six tenured faculty members on that committee eventually agreed that “continued silence on our part would make us complicit in what we view as a serious violation of shared governance and a serious threat to the academic freedoms that the Berkeley campus has long cherished.”  In December several Berkeley faculty members sent a letter to UC President Janet Napolitano requesting more information and asking that the monitoring cease.

On December 21, UC Vice President and CIO Tom Andriola met with most of the faculty who signed the letter, the Berkeley Associate Vice Chancellor and CIO, and the Berkeley Academic Senate chair.  Andriola confirmed that monitoring equipment was installed at the Berkeley campus by an outside vendor but reportedly promised it would be removed promptly and publicly disclosed.  However, on January 12 the Berkeley JCCIT was informed that UC had decided to continue the outside monitoring and not disclose any aspects of it to students or faculty.  The faculty members of JCCIT then decided to write an open letter that would come from a group of tenured faculty, stating that “We are UC Berkeley faculty who have reason to believe that extensive monitoring and storage of inbound and outbound Internet traffic at UC Berkeley is being performed by an outside vendor at the request of the UC Office of the President [UCOP], with no disclosure to UC Berkeley faculty or students….” A draft letter was circulated to all senior faculty who signed the previous letter, and eleven individuals signed it.

“The intrusive device is capable of capturing and analyzing all network traffic to and from the Berkeley campus, and has enough local storage to save over 30 days of *all* this data (‘full packet capture’). This can be presumed to include your email, all the websites you visit, all the data you receive from off campus or data you send off campus,” said Ethan Ligon, associate professor of agricultural and resource economics and one of the faculty members of the JCCIT.

Benjamin E. Hermalin, the Thomas and Alison Schneider Distinguished Professor of Finance at Berkeley and chair of the Academic Senate, expressed concern about the lack of faculty consultation as the monitoring system was imposed.  “There is a spectrum of views on the trade-off between monitoring security and privacy,” he said. “But most faculty understand the need for security.” Hermalin added that he did not know about the new system until faculty members approached him about it in December. He said that he has yet to find answers to key questions. “What is being collected has never been clear,” he said. “And how it will be gotten rid of” when no longer needed is also unclear.

These developments raise important issues not only for Berkeley and the entire UC system, but for faculty members everywhere.  The AAUP’s 2013 policy report on Academic Freedom and Electronic Communications acknowledged genuine concerns about hacking and cybersecurity, concluding that “universities are well advised to devote resources to protecting their electronic-communications networks. However, every effort should also be made to balance the need for security with the fundamental principles of open scholarly communication.”

With respect to privacy, that report acknowledged, “By its very nature, electronic communication incurs certain risks that have no print counterpart—for example, the potential invasion of the system by hackers, despite the institution’s best efforts to discourage and even prevent such intrusions. Some of these risks are simply part of the reality of the digital age and a result of our extensive reliance on computer networks for the conduct of academic discourse. . . . Privacy risks are likely to increase as institutions are called on to address more aggressively the security of college and university networks, as researchers increasingly use digital instead of printed resources, and as distance education and electronic communications technologies are more generally relied on to execute institutional missions.”

On this basis the report recommended that institutional electronic communications policies:

  • recognize the value of privacy as a condition for academic freedom and the benefits that privacy and autonomy bring to the individual, to groups, and to the culture of an institution. The institution should recognize that faculty members have a reasonable expectation of privacy in their electronic communications and traffic data.
  • clearly state that the university does not examine or disclose the contents of electronic communications and traffic data without the consent of the individual participating in the communication except in rare and clearly defined cases.
  • enumerate narrow circumstances where institutions can gain access to traffic logs and content unrelated to the technical operation of these services. If a need arises to get access to electronic-communications data, a designated university official should document and handle the request, and all parties to the communication should be notified in ample time for them to pursue protective measures—save in the rare case where any such delay would create imminent risk to human safety or university property. Accessed data may not be used or disseminated more widely than the basis for such exceptional action may warrant.

The policy also concluded that “Faculty members must participate, preferably through representative institutions of shared governance, in the formulation and implementation of policies governing electronic-communications technologies.”

The concerns of UC faculty members fall into three areas: the nature of the surveillance and the extent to which faculty privacy and academic freedom may be violated; the implications of the system policy for individual campus policies and procedures governing electronic communications; and the role of transparency and shared governance.

The Nature and Extent of the Surveillance

One UC faculty member who is a nationally recognized expert on electronic privacy law wrote:  “My main concern with the policy is that it is boundless in duration—once one puts an appliance like this on the network, it becomes impossible to turn off because other intrusions are detected, and because there are constant new attempts to steal our Calnet credentials.”

The appliance itself is a Fidelis XPS, described on the vendor’s website in these terms:

Decode and analyze content in real-time, no matter how deeply embedded it is. Our Deep Session Inspection engine sees every single packet that traverses the network, reassembles those packets into session buffers in RAM, and recursively decodes and analyzes the protocols, applications and content objects in those session buffers in real-time – while the sessions are occurring. This allows us to “see deeper” into applications and, in particular the content that’s flowing over the network.

Investigate what attackers have done in the past. By collecting and storing rich content-level metadata from both the network and the endpoint, XPS provides a lighter, faster and less expensive way to analyze historical data.
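To make concrete what “session buffers,” “content-level metadata,” and “30 days of full packet capture” mean for the privacy questions this post raises, here is an added Python sketch of the pipeline in miniature. It is written for this page and is not vendor, UC, or campus IT code: packets from one conversation are reassembled into a per-session buffer, from which either the full content or only the traffic data (endpoints, timing, volume) can be retained, and a retention window expires stored content. The packets, addresses, and the 30-day window are constructed sample values.

```python
"""Session reassembly and the traffic-data vs. content distinction.

Added illustration for this article; the packet format, hosts and
timings below are constructed, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Packet:
    """Simplified packet record (constructed; not a real frame format)."""
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # byte offset of this payload within its direction of the flow
    payload: bytes


@dataclass
class Session:
    first_seen: datetime
    last_seen: datetime
    bytes_by_dir: dict = field(default_factory=lambda: defaultdict(int))
    # direction (src, sport) -> {seq: payload}: the "session buffer" held in RAM
    segments: dict = field(default_factory=lambda: defaultdict(dict))


def session_key(p: Packet):
    """Direction-independent key so both halves of a conversation land in one session."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (min(a, b), max(a, b))


def reassemble(packets):
    """Group packets into sessions and buffer each direction's segments by sequence offset."""
    sessions = {}
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        s = sessions.setdefault(session_key(p), Session(p.ts, p.ts))
        s.last_seen = max(s.last_seen, p.ts)
        direction = (p.src, p.sport)
        s.bytes_by_dir[direction] += len(p.payload)
        # Out-of-order arrival is fine; a retransmitted segment simply overwrites.
        s.segments[direction][p.seq] = p.payload
    return sessions


def content(session: Session, direction):
    """Full-content view: one direction's payload stitched back together in sequence order."""
    return b"".join(payload for _, payload in sorted(session.segments[direction].items()))


def metadata_only(key, session: Session):
    """Traffic-data view: who talked to whom, when, and how much. No payload survives this step."""
    return {
        "endpoints": [f"{host}:{port}" for host, port in key],
        "first_seen": session.first_seen.isoformat(),
        "duration_s": (session.last_seen - session.first_seen).total_seconds(),
        "bytes": {f"{host}:{port}": n for (host, port), n in session.bytes_by_dir.items()},
    }


def apply_retention(sessions, now: datetime, days: int = 30):
    """Expire buffered content older than the window. Returns (kept, expired) session keys."""
    cutoff = now - timedelta(days=days)
    kept, expired = [], []
    for key, s in sessions.items():
        if s.last_seen < cutoff:
            s.segments.clear()   # content is gone; the metadata view is still computable
            expired.append(key)
        else:
            kept.append(key)
    return kept, expired


T0 = datetime(2016, 1, 15, 9, 0, 0)   # constructed capture start


def sample_packets():
    """Constructed SMTP-like exchange; addresses are private/documentation ranges."""
    client, server = ("10.0.0.5", 51000), ("203.0.113.10", 25)
    return [
        Packet(T0, *server, *client, 0, b"220 mail.example.edu ESMTP\r\n"),
        # The client's second segment is captured before its first: order by seq, not time.
        Packet(T0 + timedelta(seconds=1), *client, *server, 21, b"MAIL FROM:<a@example.edu>\r\n"),
        Packet(T0 + timedelta(seconds=2), *client, *server, 0, b"EHLO laptop.example\r\n"),
    ]


def run_demo(days_later: int = 36):
    """Reassemble the sample, derive both views, then apply a 30-day retention window."""
    sessions = reassemble(sample_packets())
    key = next(iter(sessions))
    s = sessions[key]
    client_text = content(s, ("10.0.0.5", 51000))
    meta = metadata_only(key, s)
    kept, expired = apply_retention(sessions, T0 + timedelta(days=days_later))
    return {"client_content": client_text, "metadata": meta,
            "kept": len(kept), "expired": len(expired)}


if __name__ == "__main__":
    print(run_demo())
```

The two views are the operative distinction in the dispute: `metadata_only` is what a “traffic data” policy retains, while `content` is what a full-packet-capture appliance holds in its session buffers for the retention period, and the privacy exposure of a deployment turns on which view is stored and for how long.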

According to the expert faculty member, “These appliances, depending on how they are configured, can be privacy doomsday machines. One could interrupt encrypted sessions to inspect their contents, or more generally just read everyone’s email. A decade ago, in conversations with Raytheon, they showed me their system that could not only read all emails, it could stop them selectively, for instance if the email contained trade secrets or other property of the client, even if this data were obfuscated.  The layered review is a good approach, but it could be the case that the appliance itself does the content review. It could even decide to do so on its own, depending on how it is configured. . .”

Not surprisingly, this has raised fears among faculty members.  Napolitano’s office defends the action “by relying on secret legal determinations and painting lurid pictures of ‘advanced persistent threat actors’ from which we must be kept safe,” Professor Ligon wrote. UC officials “further promise not to invade our privacy unnecessarily, while at the same time implementing systems designed to do exactly that.”

“This is a university. The students are not employees,” Ligon told the Chronicle, noting that the UC system could easily sweep up their correspondence with professors. For faculty members, Ligon said, “the conditions of employment very explicitly do not include any restrictions on our speech.”

“We are not interested in any way in the content of anyone’s personal e-mails — we are interested in security across the system,” a system representative responded. “You can’t have privacy without security.”  And in her now-public letter to faculty and staff, Chief Operating Officer Nava acknowledged “that some faculty members may be concerned about storage and use of data collected through network security analysis, including questions about data being used by the university for other, unrelated purposes.” She emphasized, however, that UC policy “forbids the university from using such data for nonsecurity purposes.”

According to Nava, the university’s Electronic Communications Policy (ECP) “establishes an expectation of privacy in an individual’s electronic communications transmitted using university systems,” but “it tempers this expectation with the recognition that privacy requires a reasonable level of security to protect sensitive data from unauthorized access. For this reason, the ECP expressly permits routine analysis of network activity ‘for the purpose of ensuring reliability and security of university electronic communications resources and services.’”

That is certainly true, but as one faculty leader put it, “Whatever the statements are about the intentions of the present administrators and technical staff, this ‘appliance’ has the capability to be used for widespread and serious violations of privacy and fourth amendment protections. You can be sure that if the capability is there, it will be used eventually.”

Centralization or Campus Control?

“This is Berkeley,” Ligon noted. “We have both a vibrant, expressive population of faculty and students, and also a very highly qualified set of IT people who are already charged with dealing with security and privacy on our network.” Indeed, among the most prominent criticisms of the policy are that it was enacted “over the objections of our campus IT and security experts;” that UCOP “required that our IT staff keep these facts secret from faculty and others on the Berkeley campus;” and that “the intrusive hardware is not under the control of local IT staff–it sends data on network activity to [the system office] and to the vendor.”

The expert on electronic privacy added that “the call for harmonization is actually a plea to reduce the protections that campuses such as Berkeley have implemented. We should resist this and consider other approaches, such as reducing the number of systems that are Calnet connected or by adoption of 2-factor systems.”

Individual UC campuses such as Berkeley already have computer security policies and they work well, Ligon said. He also said those policies call for transparency, and that by definition UC’s actions — installing this new system without telling anyone — demonstrated a lack of transparency. He said that by telling faculty members that they couldn’t share information, as he was told, the system office violated Berkeley’s policies, and likely those of other campuses.

“It is very far from clear that UCOP has a better plan or better qualified IT security people or infrastructure than does the Berkeley campus, and they’ve shut these qualified people out of the picture,” concluded one of the emails posted by Newfield.

Transparency and Shared Governance

Steve Montiel, press secretary for UCOP, told Inside Higher Ed: “There is and has been ongoing faculty and campus consultation regarding steps taken to counter cyberthreats to locations across the UC system. Faculty voices have been included on the committee that’s guiding our cybersecurity strategy.”  As to the secrecy, Montiel added, “We try our best to avoid broadcasting sensitive security and legal matters. It’s good common sense, and we want to avoid giving a road map for potential attacks on our network. UC policies are very clear that network security is a basic feature. Now that steps are underway to expand network security efforts for a longer horizon, briefings were scheduled, including one planned at UC Berkeley for the middle of next week.”

But many faculty members were unpersuaded.  For example, leaders of the Council of University of California Faculty Associations, an AAUP partner organization, have focused on concerns about shared governance in their discussions of the controversy. Once again, “this comes down to a shared governance issue, or lack thereof” one professor wrote.  “But the lack of consultation seems to have been a deliberate choice, not a slip,” added another.  “So it may be more chipping away at shared governance rather than just assuming faculty have nothing to offer.”

“Universities,” Berkeley Senate Chair Hermalin concluded, “are set up on principles of consultation and openness,” but this new system was put in place “at odds with these norms.”

In her letter COO Nava sought to address these concerns:

With specific reference to faculty governance, the President has reinforced with senior management the need for ongoing dialogue with our faculty and Senate leadership. The Senate has a robust presence at the CRGC [Cyber Risk Governance Committee], and I believe the CRGC is the best forum to develop mechanisms and policies for further ensuring that Senate leadership is fully engaged in policy development and briefed in a timely way regarding ongoing security matters and practices.

I also welcome a discussion about how to harmonize broader cybersecurity efforts with existing, campus-specific information governance guidelines. Some campus-level guidelines, established as part of system-wide information governance initiatives, limit the specific technologies and methods that may be used for network security activities, including some methods in ordinary use at other University locations and use of which may be necessary to comply with legal duties or to effectively evaluate a specific threat that may implicate multiple locations.

Given the difficult and shifting challenges worldwide in terms of cybersecurity, there is no monopoly on wisdom here. It is my intention to approach these issues with humility and openness, believing that our efforts will only be enriched by an exchange of ideas and viewpoints. I welcome your engagement on these issues and look forward to a deeper, joint effort to protect the privacy of our users and the security of the University’s systems.

Whether these promises will sufficiently address the fears raised at Berkeley and now spreading throughout the system remains to be seen.  But many UC faculty members remain skeptical and concerned.  Their concern should be shared by others at universities across the country, where similar controversies are bound to emerge.


UPDATE:

The following letter (minus attachments) from UC President Napolitano was just released to faculty:

Dear Colleagues:

A group of faculty members at the Berkeley campus has articulated concerns regarding some of the security measures we adopted in the wake of the UCLA cyberattack last year. The concerns focus on two primary issues: whether systemwide cyber threat detection is necessary and whether it complies with the University’s Electronic Communications Policy (ECP); and why University administrators failed to publicly share information about our response to the cyberattack. The Berkeley faculty members have shared their concerns with colleagues at other campuses and with various media outlets. Unfortunately, many have been left with the impression that a secret initiative to snoop on faculty activities is underway. Nothing could be further from the truth.

I attach a letter from Executive Vice President and Chief Operating Officer Nava explaining the rationale for these security measures. As you know, leadership at all levels, including The Regents, Academic Senate leadership, and campus leadership, has been kept apprised of these matters, including through the establishment and convening of the Cyber Risk Governance Committee (CRGC). The CRGC comprises each campus’s Cyber Risk Responsible Executive (CRE), as well as a representative of the University’s faculty Senate, the General Counsel, and other individuals from this office with responsibility for systemwide cybersecurity initiatives. I encourage you to share Executive Vice President Nava’s letter with your faculty.

While we cannot share every detail of the actions we took in direct response to the UCLA incident (we are defending 17 class action lawsuits demanding millions of dollars of damages), or of the security measures we have instituted since that time (disclosure of details of our cybersecurity infrastructure and our readiness posture would only facilitate exploitation of identified vulnerabilities by those intent on attacking us), I have from the beginning directed my staff to make every effort to actively engage with all stakeholders and to minimize to the extent possible the amount of information that is not shared widely. I have also now asked that a website be created this week to further disseminate relevant information and developments.

In the meantime, I hope that you will convey to your local communities the following information:

  1. Institutions of higher education are a prime target of cyberattacks. We create, collect, store, and use valuable information about our research and discoveries, our employees’ personnel information, our students’ educational records, and more. These attacks pose a serious risk to individual privacy, to the valuable intellectual property we create, and to our financial position. It is our legal and our moral responsibility as stewards of the data we maintain to protect it. When, notwithstanding our best efforts, a security incident threatens that information, we are exposed to enormous legal, financial, and reputational risk. The UCLA incident alone will cost us many millions of dollars before it is fully resolved, millions of dollars that we will not be able to invest in our research, teaching, and service mission.
  2. At the system level and at every individual campus, we have subjected every proposal to enhance our ability to prevent and detect attacks to evaluation against industry standards and to analysis under the University’s Electronic Communications Policy, and we are absolutely committed to doing so going forward. Also attached is a document that describes how cyber threat detection generally, and our implementation of it both in the wake of the UCLA cyberattack and going forward, is entirely consistent with the letter and the spirit of the ECP.
  3. When we announced the UCLA cyberattack, we very publicly disclosed some of the measures we had taken in response, including engagement of a leading cybersecurity firm to actively monitor our network.
  4. Personal privacy and academic freedom are paramount in everything we do. But we cannot make good on our commitment to protect individual privacy without ensuring a sound cybersecurity infrastructure. While we have absolutely no interest in the content of any individual’s emails or browsing history, we must accept that active network monitoring is a critical element of a sound cybersecurity infrastructure and the interconnectedness of the University and all of its locations requires that such monitoring be coordinated centrally. Executive Vice President Nava’s attached letter and description of how cyber threat detection initiatives are implemented at the University set forth in more detail the kind of monitoring that might be performed and the extraordinary efforts the University makes to avoid any intrusive measures or, when those prove absolutely necessary, to minimize them.
  5. A Faculty Senate representative is and has since its inception been a member of the Cyber Risk Governance Committee. In addition, Senate members are among the industry leaders we have invited to participate on the CRGC’s expert Advisory Committee, and Executive Vice President Nava and Chief Information Officer Andriola are actively engaging with the Chair and Vice Chair of the Academic Senate, the Senate’s Academic Computing Committee, the Chair of the Berkeley Senate, and others.

I invite further robust discussion and debate on this topic at upcoming meetings of the CRGC and COC. In the meantime, please direct any questions to Executive Vice President Nava or to Chief Information Officer Andriola.

Yours very truly,

Janet Napolitano
President