Saturday, January 30, 2016

UC Email Spyware Disclosed

From the San Francisco Chronicle:

Cal professors fear UC bosses will snoop on them

By Matier & Ross January 29, 2016

UC Berkeley faculty members are buzzing over news that University of California President Janet Napolitano ordered the installation of computer hardware capable of monitoring all e-mails going in and out of the UC system.

“The intrusive device is capable of capturing and analyzing all network traffic to and from the Berkeley campus and has enough local storage to save over 30 days of all this data,” Ethan Ligon, one of six members of the school’s Senate-Administration Joint Committee on Campus Information Technology, wrote in an e-mail Thursday to fellow faculty members.

Information that the hardware gathers, Ligon wrote, “can be presumed to include your e-mail, all the websites you visit, all the data you receive from off campus or data you send off campus.”

Napolitano’s office defends the action “by relying on secret legal determinations and painting lurid pictures of ‘advanced persistent threat actors’ from which we must be kept safe,” Ligon wrote. UC officials “further promise not to invade our privacy unnecessarily, while at the same time implementing systems designed to do exactly that.

“This secret monitoring is ongoing.”

UC spokesman Steve Montiel confirmed that Napolitano, former head of the federal Department of Homeland Security, had a security system installed after a cyberattack on the UCLA Medical Center in July in which medical records of an estimated 4.5 million people were hacked into. Montiel said the system is capable of monitoring e-mails, but UC officials have no intention of peeking at professors’ correspondence or checking their website visits.

“We are not interested in any way in the content of anyone’s personal e-mails — we are interested in security across the system,” Montiel said. “You can’t have privacy without security.”

In a Jan. 18 letter to faculty and staff, UC Chief Operating Officer Rachael Nava said, “I understand that some faculty members may be concerned about storage and use of data collected through network security analysis, including questions about data being used by the university for other, unrelated purposes.”

She added, however, that UC policy “forbids the university from using such data for nonsecurity purposes.”

Benjamin Hermalin, chairman of the UC Berkeley Academic Senate, said the faculty understood the need for tighter security in the wake of the UCLA breach — but questioned how it was being done.

“What has upset a lot of the faculty was that the surveillance was put in place without consulting the faculty,” he said. “In fact, the people installing the system were under strict instructions not to reveal it was taking place.”

Hermalin said there were also concerns about how and where the data would be stored and who would have access to it — questions that remain unanswered.

“This is a university. The students are not employees,” Ligon said in an interview, noting that the UC system could easily sweep up their correspondence with professors.

For faculty members, Ligon said, “the conditions of employment very explicitly do not include any restrictions on our speech.”

“And finally,” Ligon added, “this is Berkeley. We have both a vibrant, expressive population of faculty and students, and also a very highly qualified set of IT people who are already charged with dealing with security and privacy on our network.”

Full column at
